[fix](auth) fix overwrite logic of user with domain (#27003)

backport #27002
apache · Nov 15, 2023 · 9450a59 · 9450a59
1 parent 7284f8e
commit 9450a59
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -453,7 +453,7 @@ private void createUserInternal(UserIdentity userIdent, String roleName, byte[]
 
  // create user
  try {
- //we should not throw AnalysisException at here,so transfer it
+ // we should not throw AnalysisException at here,so transfer it
  userManager.createUser(userIdent, password, null, false);
  } catch (PatternMatcherException e) {
  throw new DdlException("create user failed,", e);

diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserManager.java
@@ -183,6 +183,12 @@ public User createUser(UserIdentity userIdent, byte[] pwd, UserIdentity domainUs
  throws PatternMatcherException {
  if (userIdentityExist(userIdent, true)) {
  User userByUserIdentity = getUserByUserIdentity(userIdent);
+ if (!userByUserIdentity.isSetByDomainResolver() && setByResolver) {
+ // If the user is NOT created by domain resolver,
+ // and the current operation is done by DomainResolver,
+ // we should not override it, just return
+ return userByUserIdentity;
+ }
  userByUserIdentity.setPassword(pwd);
  userByUserIdentity.setSetByDomainResolver(setByResolver);
  return userByUserIdentity;

diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
@@ -1470,6 +1470,38 @@ public void test()
  e.printStackTrace();
  Assert.fail();
  }
+
+ // test domain override
+ // 1. create a domain user
+ new Expectations() {
+ {
+ ctx.getCurrentUserIdentity();
+ minTimes = 1;
+ result = UserIdentity.ROOT;
+ }
+ };
+ UserIdentity domainUser = new UserIdentity("test_domain_user", "palo.domain1", true);
+ userDesc = new UserDesc(domainUser, "12345", true);
+ createUserStmt = new CreateUserStmt(false, userDesc, null);
+ createUserStmt.analyze(analyzer);
+ auth.createUser(createUserStmt);
+ // 2. create a normal user with same ip in domain
+ UserIdentity normalUser = new UserIdentity("test_domain_user", "10.1.1.1");
+ userDesc = new UserDesc(normalUser, "12345", true);
+ createUserStmt = new CreateUserStmt(false, userDesc, null);
+ createUserStmt.analyze(analyzer);
+ auth.createUser(createUserStmt);
+ // 3. run resolve
+ resolver.runAfterCatalogReady();
+ // 4. user grant to test that normal user is not overwrite by domain resolve
+ grantStmt = new GrantStmt(normalUser, null, new TablePattern("*", "*", "*"), privileges);
+ try {
+ grantStmt.analyze(analyzer);
+ auth.grant(grantStmt);
+ } catch (UserException e) {
+ e.printStackTrace();
+ Assert.fail();
+ }
  }
 
  @Test