Move privileges check from execute to access/privilege_access.rs

Author: BohuTANG

src/query/service/src/interpreters/access/privilege_access.rs

@@ -35,64 +35,144 @@ impl PrivilegeAccess {
 
 #[async_trait::async_trait]
 impl AccessChecker for PrivilegeAccess {
-    async fn check(&self, plan: &PlanNode) -> Result<()> {
-        match plan {
-            PlanNode::Empty(_) => {}
-            PlanNode::Stage(_) => {}
-            PlanNode::Broadcast(_) => {}
-            PlanNode::Remote(_) => {}
-            PlanNode::Projection(_) => {}
-            PlanNode::Expression(_) => {}
-            PlanNode::AggregatorPartial(_) => {}
-            PlanNode::AggregatorFinal(_) => {}
-            PlanNode::Filter(_) => {}
-            PlanNode::Having(_) => {}
-            PlanNode::WindowFunc(_) => {}
-            PlanNode::Sort(_) => {}
-            PlanNode::Limit(_) => {}
-            PlanNode::LimitBy(_) => {}
-            PlanNode::ReadSource(_) => {}
-            PlanNode::SubQueryExpression(_) => {}
-            PlanNode::Sink(_) => {}
-            PlanNode::Explain(_) => {}
-            PlanNode::Select(_) => {}
-            PlanNode::Insert(_) => {}
-            PlanNode::Delete(_) => {}
-        }
+    async fn check(&self, _plan: &PlanNode) -> Result<()> {
+        // The old planner *NO* need to check anymore.
         Ok(())
     }
 
     async fn check_new(&self, plan: &Plan) -> Result<()> {
+        let session = self.ctx.get_current_session();
+
         match plan {
             Plan::Query { .. } => {}
             Plan::Explain { .. } => {}
             Plan::Copy(_) => {}
             Plan::Call(_) => {}
+
+            // Database.
             Plan::ShowCreateDatabase(_) => {}
-            Plan::CreateDatabase(_) => {}
-            Plan::DropDatabase(_) => {}
-            Plan::UndropDatabase(_) => {}
-            Plan::RenameDatabase(_) => {}
+            Plan::CreateDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Create)
+                    .await?;
+            }
+            Plan::DropDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Drop)
+                    .await?;
+            }
+            Plan::UndropDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Drop)
+                    .await?;
+            }
+            Plan::RenameDatabase(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Alter)
+                    .await?;
+            }
             Plan::UseDatabase(_) => {}
+
+            // Table.
             Plan::ShowCreateTable(_) => {}
             Plan::DescribeTable(_) => {}
-            Plan::CreateTable(_) => {}
-            Plan::DropTable(_) => {}
-            Plan::UndropTable(_) => {}
+            Plan::CreateTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Create,
+                    )
+                    .await?;
+            }
+            Plan::DropTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Drop,
+                    )
+                    .await?;
+            }
+            Plan::UndropTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Drop,
+                    )
+                    .await?;
+            }
             Plan::RenameTable(_) => {}
-            Plan::AlterTableClusterKey(_) => {}
-            Plan::DropTableClusterKey(_) => {}
-            Plan::ReclusterTable(_) => {}
-            Plan::TruncateTable(_) => {}
+            Plan::AlterTableClusterKey(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
+            Plan::DropTableClusterKey(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Drop,
+                    )
+                    .await?;
+            }
+            Plan::ReclusterTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
+            Plan::TruncateTable(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Table(
+                            plan.catalog.clone(),
+                            plan.database.clone(),
+                            plan.table.clone(),
+                        ),
+                        UserPrivilegeType::Delete,
+                    )
+                    .await?;
+            }
             Plan::OptimizeTable(_) => {}
             Plan::ExistsTable(_) => {}
+
+            // Others.
             Plan::Insert(_) => {}
             Plan::Delete(_) => {}
-            Plan::CreateView(_) => {}
-            Plan::AlterView(_) => {}
+            Plan::CreateView(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
+            Plan::AlterView(plan) => {
+                session
+                    .validate_privilege(
+                        &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
+                        UserPrivilegeType::Alter,
+                    )
+                    .await?;
+            }
             Plan::DropView(plan) => {
-                self.ctx
-                    .get_current_session()
+                session
                     .validate_privilege(
                         &GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
                         UserPrivilegeType::Drop,
@@ -118,7 +198,11 @@ impl AccessChecker for PrivilegeAccess {
             Plan::RemoveStage(_) => {}
             Plan::Presign(_) => {}
             Plan::SetVariable(_) => {}
-            Plan::Kill(_) => {}
+            Plan::Kill(_) => {
+                session
+                    .validate_privilege(&GrantObject::Global, UserPrivilegeType::Super)
+                    .await?;
+            }
             Plan::CreateShare(_) => {}
             Plan::DropShare(_) => {}
             Plan::GrantShareObject(_) => {}

src/query/service/src/interpreters/interpreter_cluster_key_alter.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::AlterTableClusterKeyPlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use super::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -43,18 +41,6 @@ impl Interpreter for AlterTableClusterKeyInterpreter {
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
         let plan = &self.plan;
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Table(
-                    plan.catalog.clone(),
-                    plan.database.clone(),
-                    plan.table.clone(),
-                ),
-                UserPrivilegeType::Alter,
-            )
-            .await?;
-
         let tenant = self.ctx.get_tenant();
         let catalog = self.ctx.get_catalog(&plan.catalog)?;
 

src/query/service/src/interpreters/interpreter_cluster_key_drop.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::DropTableClusterKeyPlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use super::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -43,18 +41,6 @@ impl Interpreter for DropTableClusterKeyInterpreter {
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
         let plan = &self.plan;
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Table(
-                    plan.catalog.clone(),
-                    plan.database.clone(),
-                    plan.table.clone(),
-                ),
-                UserPrivilegeType::Alter,
-            )
-            .await?;
-
         let tenant = self.ctx.get_tenant();
         let catalog = self.ctx.get_catalog(&plan.catalog)?;
 

src/query/service/src/interpreters/interpreter_database_create.rs

@@ -17,8 +17,6 @@ use std::sync::Arc;
 use common_exception::ErrorCode;
 use common_exception::Result;
 use common_legacy_planners::CreateDatabasePlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 use common_users::UserApiProvider;
 
 use crate::interpreters::Interpreter;
@@ -46,11 +44,6 @@ impl Interpreter for CreateDatabaseInterpreter {
 
     #[tracing::instrument(level = "debug", skip(self), fields(ctx.id = self.ctx.get_id().as_str()))]
     async fn execute2(&self) -> Result<PipelineBuildResult> {
-        self.ctx
-            .get_current_session()
-            .validate_privilege(&GrantObject::Global, UserPrivilegeType::Create)
-            .await?;
-
         let tenant = self.plan.tenant.clone();
         let quota_api = UserApiProvider::instance().get_tenant_quota_api_client(&tenant)?;
         let quota = quota_api.get_quota(None).await?.data;

src/query/service/src/interpreters/interpreter_database_drop.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::DropDatabasePlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use crate::interpreters::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -42,11 +40,6 @@ impl Interpreter for DropDatabaseInterpreter {
     }
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
-        self.ctx
-            .get_current_session()
-            .validate_privilege(&GrantObject::Global, UserPrivilegeType::Drop)
-            .await?;
-
         let catalog = self.ctx.get_catalog(&self.plan.catalog)?;
         catalog.drop_database(self.plan.clone().into()).await?;
 

src/query/service/src/interpreters/interpreter_database_undrop.rs

@@ -16,8 +16,6 @@ use std::sync::Arc;
 
 use common_exception::Result;
 use common_legacy_planners::UndropDatabasePlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use crate::interpreters::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -43,16 +41,6 @@ impl Interpreter for UndropDatabaseInterpreter {
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
         let catalog_name = self.plan.catalog.as_str();
-        let db_name = self.plan.database.as_str();
-
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Database(catalog_name.into(), db_name.into()),
-                UserPrivilegeType::Drop,
-            )
-            .await?;
-
         let catalog = self.ctx.get_catalog(catalog_name)?;
         catalog.undrop_database(self.plan.clone().into()).await?;
         Ok(PipelineBuildResult::create())

src/query/service/src/interpreters/interpreter_kill.rs

@@ -17,8 +17,6 @@ use std::sync::Arc;
 use common_exception::ErrorCode;
 use common_exception::Result;
 use common_legacy_planners::KillPlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use crate::interpreters::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -61,11 +59,6 @@ impl Interpreter for KillInterpreter {
     }
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
-        self.ctx
-            .get_current_session()
-            .validate_privilege(&GrantObject::Global, UserPrivilegeType::Super)
-            .await?;
-
         let id = &self.plan.id;
         // If press Ctrl + C, MySQL Client will create a new session and send query
         // `kill query mysql_connection_id` to server.

src/query/service/src/interpreters/interpreter_table_create_v2.rs

@@ -18,8 +18,6 @@ use common_datavalues::DataField;
 use common_datavalues::DataSchemaRefExt;
 use common_exception::ErrorCode;
 use common_exception::Result;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 use common_users::UserApiProvider;
 
 use crate::interpreters::InsertInterpreterV2;
@@ -51,14 +49,6 @@ impl Interpreter for CreateTableInterpreterV2 {
     }
 
     async fn execute2(&self) -> Result<PipelineBuildResult> {
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Database(self.plan.catalog.clone(), self.plan.database.clone()),
-                UserPrivilegeType::Create,
-            )
-            .await?;
-
         let tenant = self.plan.tenant.clone();
         let quota_api = UserApiProvider::instance().get_tenant_quota_api_client(&tenant)?;
         let quota = quota_api.get_quota(None).await?.data;

src/query/service/src/interpreters/interpreter_table_drop.rs

@@ -18,8 +18,6 @@ use common_exception::ErrorCode;
 use common_exception::Result;
 use common_legacy_planners::DropTablePlan;
 use common_legacy_planners::TruncateTablePlan;
-use common_meta_types::GrantObject;
-use common_meta_types::UserPrivilegeType;
 
 use crate::interpreters::Interpreter;
 use crate::pipelines::PipelineBuildResult;
@@ -54,14 +52,6 @@ impl Interpreter for DropTableInterpreter {
             .await
             .ok();
 
-        self.ctx
-            .get_current_session()
-            .validate_privilege(
-                &GrantObject::Database(catalog_name.into(), db_name.into()),
-                UserPrivilegeType::Drop,
-            )
-            .await?;
-
         if let Some(table) = &tbl {
             if table.get_table_info().engine() == VIEW_ENGINE {
                 return Err(ErrorCode::UnexpectedError(format!(