Merge pull request #7721 from BohuTANG/dev-privilege-7697

chore(query): Move privilege check to access check

Author: BohuTANG

src/query/service/src/interpreters/access/accessor.rs

@@ -18,6 +18,7 @@ use std::sync::Arc;
 use common_exception::Result;
 use common_legacy_planners::PlanNode;
 
+use crate::interpreters::access::PrivilegeAccess;
 use crate::interpreters::ManagementModeAccess;
 use crate::sessions::QueryContext;
 use crate::sql::plans::Plan;
@@ -39,7 +40,11 @@ pub struct Accessor {
 impl Accessor {
     pub fn create(ctx: Arc<QueryContext>) -> Self {
         let mut accessors: HashMap<String, Box<dyn AccessChecker>> = Default::default();
-        accessors.insert("management".to_string(), ManagementModeAccess::create(ctx));
+        accessors.insert(
+            "management".to_string(),
+            ManagementModeAccess::create(ctx.clone()),
+        );
+        accessors.insert("privilege".to_string(), PrivilegeAccess::create(ctx));
         Accessor { accessors }
     }
 

src/query/service/src/interpreters/access/mod.rs

@@ -14,7 +14,9 @@
 
 mod accessor;
 mod management_mode_access;
+mod privilege_access;
 
 pub use accessor::AccessChecker;
 pub use accessor::Accessor;
 pub use management_mode_access::ManagementModeAccess;
+pub use privilege_access::PrivilegeAccess;

src/query/service/src/interpreters/access/privilege_access.rs

@@ -0,0 +1,219 @@
+// Copyright 2022 Datafuse Labs.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use std::sync::Arc;
+
+use common_exception::Result;
+use common_legacy_planners::PlanNode;
+use common_meta_types::GrantObject;
+use common_meta_types::UserPrivilegeType;
+
+use crate::interpreters::access::AccessChecker;
+use crate::sessions::QueryContext;
+use crate::sql::plans::Plan;
+
+pub struct PrivilegeAccess {
+    ctx: Arc<QueryContext>,
+}
+
+impl PrivilegeAccess {
+    pub fn create(ctx: Arc<QueryContext>) -> Box<dyn AccessChecker> {
+        Box::new(PrivilegeAccess { ctx })
+    }
+}
+
+#[async_trait::async_trait]
+impl AccessChecker for PrivilegeAccess {
+    async fn check(&self, _plan: &PlanNode) -> Result<()> {
+        // The old planner *NO* need to check anymore.
+        Ok(())
+    }
+
+    async fn check_new(&self, plan: &Plan) -> Result<()> {
+        let session = self.ctx.get_current_session();
+
+        match plan {
+            Plan::Query { .. } => {}
+            Plan::Explain { .. } => {}
+            Plan::Copy(_) => {}
+            Plan::Call(_) => {}
+
+            // Database.
+            Plan::ShowCreateDatabase(_) => {}
+            Plan::CreateDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Create)
+                    .await?;
+            }
+            Plan::DropDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Drop)
+                    .await?;
+            }
+            Plan::UndropDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Drop)
+                    .await?;
+            }
+            Plan::RenameDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Alter)
+                    .await?;
+            }
+            Plan::UseDatabase(_) => {}
+
+            // Table.
+            Plan::ShowCreateTable(_) => {}
+            Plan::DescribeTable(_) => {}
+            Plan::CreateTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Create,
+                    )
+                    .await?;
+            }
+            Plan::DropTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Drop,
+                    )
+                    .await?;
+            }
+            Plan::UndropTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Drop,
+                    )
+                    .await?;
+            }
+            Plan::RenameTable(_) => {}
+            Plan::AlterTableClusterKey(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
+            Plan::DropTableClusterKey(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Drop,
+                    )
+                    .await?;
+            }
+            Plan::ReclusterTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
+            Plan::TruncateTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Delete,
+                    )
+                    .await?;
+            }
+            Plan::OptimizeTable(_) => {}
+            Plan::ExistsTable(_) => {}
+
+            // Others.
+            Plan::Insert(_) => {}
+            Plan::Delete(_) => {}
+            Plan::CreateView(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
+            Plan::AlterView(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
+            Plan::DropView(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Drop,
+                    )
+                    .await?;
+            }
+            Plan::AlterUser(_) => {}
+            Plan::CreateUser(_) => {}
+            Plan::DropUser(_) => {}
+            Plan::CreateUDF(_) => {}
+            Plan::AlterUDF(_) => {}
+            Plan::DropUDF(_) => {}
+            Plan::CreateRole(_) => {}
+            Plan::DropRole(_) => {}
+            Plan::GrantRole(_) => {}
+            Plan::GrantPriv(_) => {}
+            Plan::ShowGrants(_) => {}
+            Plan::RevokePriv(_) => {}
+            Plan::RevokeRole(_) => {}
+            Plan::ListStage(_) => {}
+            Plan::CreateStage(_) => {}
+            Plan::DropStage(_) => {}
+            Plan::RemoveStage(_) => {}
+            Plan::Presign(_) => {}
+            Plan::SetVariable(_) => {}
+            Plan::Kill(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Super)
+                    .await?;
+            }
+            Plan::CreateShare(_) => {}
+            Plan::DropShare(_) => {}
+            Plan::GrantShareObject(_) => {}
+            Plan::RevokeShareObject(_) => {}
+            Plan::AlterShareTenants(_) => {}
+            Plan::DescShare(_) => {}
+            Plan::ShowShares(_) => {}
+            Plan::ShowObjectGrantPrivileges(_) => {}
+            Plan::ShowGrantTenantsOfShare(_) => {}
+        }
+
+        Ok(())
+    }
+}

src/query/service/src/interpreters/interpreter_cluster_key_alter.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::AlterTableClusterKeyPlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use super::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -43,18 +41,6 @@ impl Interpreter for AlterTableClusterKeyInterpreter {
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
         let plan = &self.plan;
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Table(
-                    plan.catalog.clone(),
-                    plan.database.clone(),
-                    plan.table.clone(),
-                ),
-                UserPrivilegeType::Alter,
-            )
-            .await?;
-
         let tenant = self.ctx.get_tenant();
         let catalog = self.ctx.get_catalog(&plan.catalog)?;
 

src/query/service/src/interpreters/interpreter_cluster_key_drop.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::DropTableClusterKeyPlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use super::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -43,18 +41,6 @@ impl Interpreter for DropTableClusterKeyInterpreter {
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
         let plan = &self.plan;
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Table(
-                    plan.catalog.clone(),
-                    plan.database.clone(),
-                    plan.table.clone(),
-                ),
-                UserPrivilegeType::Alter,
-            )
-            .await?;
-
         let tenant = self.ctx.get_tenant();
         let catalog = self.ctx.get_catalog(&plan.catalog)?;
 

src/query/service/src/interpreters/interpreter_database_create.rs

@@ -17,8 +17,6 @@ use std::sync::Arc;
 use common_exception::ErrorCode;
 use common_exception::Result;
 use common_legacy_planners::CreateDatabasePlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 use common_users::UserApiProvider;
 
 use crate::interpreters::Interpreter;
@@ -46,11 +44,6 @@ impl Interpreter for CreateDatabaseInterpreter {
 
     #[tracing::instrument(level = "debug", skip(self), fields(ctx.id = self.ctx.get_id().as_str()))]
     async fn execute2(&self) -> Result<PipelineBuildResult> {
-        self.ctx
-            .get_current_session()
-            .validate_privilege(&GrantObject::Global, UserPrivilegeType::Create)
-            .await?;
-
         let tenant = self.plan.tenant.clone();
         let quota_api = UserApiProvider::instance().get_tenant_quota_api_client(&tenant)?;
         let quota = quota_api.get_quota(None).await?.data;

src/query/service/src/interpreters/interpreter_database_drop.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::DropDatabasePlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use crate::interpreters::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -42,11 +40,6 @@ impl Interpreter for DropDatabaseInterpreter {
     }
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
-        self.ctx
-            .get_current_session()
-            .validate_privilege(&GrantObject::Global, UserPrivilegeType::Drop)
-            .await?;
-
         let catalog = self.ctx.get_catalog(&self.plan.catalog)?;
         catalog.drop_database(self.plan.clone().into()).await?;
 

src/query/service/src/interpreters/interpreter_database_undrop.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::UndropDatabasePlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use crate::interpreters::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -43,16 +41,6 @@ impl Interpreter for UndropDatabaseInterpreter {
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
         let catalog_name = self.plan.catalog.as_str();
-        let db_name = self.plan.database.as_str();
-
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Database(catalog_name.into(), db_name.into()),
-                UserPrivilegeType::Drop,
-            )
-            .await?;
-
         let catalog = self.ctx.get_catalog(catalog_name)?;
         catalog.undrop_database(self.plan.clone().into()).await?;
         Ok(PipelineBuildResult::create())

src/query/service/src/interpreters/interpreter_kill.rs

@@ -17,8 +17,6 @@ use std::sync::Arc;
 use common_exception::ErrorCode;
 use common_exception::Result;
 use common_legacy_planners::KillPlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use crate::interpreters::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -61,11 +59,6 @@ impl Interpreter for KillInterpreter {
     }
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
-        self.ctx
-            .get_current_session()
-            .validate_privilege(&GrantObject::Global, UserPrivilegeType::Super)
-            .await?;
-
         let id = &self.plan.id;
         // If press Ctrl + C, MySQL Client will create a new session and send query
         // `kill query mysql_connection_id` to server.