oceanbase · MarkPotato777 · Sep 10, 2023 · Sep 10, 2023
diff --git a/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java b/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java
@@ -577,13 +577,16 @@ public ConnectionConfig getForConnectionSkipPermissionCheck(@NotNull Long id) {
  @Transactional(rollbackFor = Exception.class)
  @PreAuthenticate(actions = "update", resourceType = "ODC_CONNECTION", indexOfIdParam = 0)
  public ConnectionConfig getForConnect(@NotNull Long id) {
- return getForConnectionSkipPermissionCheck(id);
+ ConnectionConfig connection = getForConnectionSkipPermissionCheck(id);
+ permissionValidator.checkCurrentOrganization(connection);
+ return connection;
  }
 
  @SkipAuthorize("check permission inside")
  public boolean checkPermission(@NotNull Long connectionId, @NotEmpty List<String> actions) {
  try {
  ConnectionConfig connection = internalGetSkipUserCheck(connectionId, false);
+ permissionValidator.checkCurrentOrganization(connection);
  securityManager.checkPermission(
  securityManager.getPermissionByActions(connection, actions));
  } catch (Exception ex) {

diff --git a/...-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java b/...-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java
@@ -51,6 +51,7 @@
 import com.oceanbase.odc.core.authority.util.SkipAuthorize;
 import com.oceanbase.odc.core.session.ConnectionSession;
 import com.oceanbase.odc.core.session.ConnectionSessionConstants;
+import com.oceanbase.odc.core.shared.constant.ConnectionVisibleScope;
 import com.oceanbase.odc.core.shared.constant.ErrorCodes;
 import com.oceanbase.odc.core.shared.constant.OrganizationType;
 import com.oceanbase.odc.core.shared.constant.ResourceRoleName;
@@ -77,6 +78,7 @@
 import com.oceanbase.odc.service.connection.model.ConnectionConfig;
 import com.oceanbase.odc.service.db.DBIdentitiesService;
 import com.oceanbase.odc.service.db.DBSchemaService;
+import com.oceanbase.odc.service.iam.HorizontalDataPermissionValidator;
 import com.oceanbase.odc.service.iam.auth.AuthenticationFacade;
 import com.oceanbase.odc.service.iam.auth.AuthorizationFacade;
 import com.oceanbase.odc.service.session.factory.DefaultConnectSessionFactory;
@@ -128,6 +130,9 @@ public class DatabaseService {
  @Autowired
  private JdbcLockRegistry jdbcLockRegistry;
 
+ @Autowired
+ private HorizontalDataPermissionValidator horizontalDataPermissionValidator;
+
  @Transactional(rollbackFor = Exception.class)
  @SkipAuthorize("internal authenticated")
  public Database detail(@NonNull Long id) {
@@ -154,7 +159,9 @@ public Page<Database> listDatabasesByDataSource(@NonNull Long id, String name, @
  .connectionIdEquals(id)
  .and(DatabaseSpecs.nameLike(name));
  Page<DatabaseEntity> entities = databaseRepository.findAll(specs, pageable);
- return entitiesToModels(entities);
+ Page<Database> databases = entitiesToModels(entities);
+ horizontalDataPermissionValidator.checkCurrentOrganization(databases.getContent());
+ return databases;
  }
 
  @Transactional(rollbackFor = Exception.class)
@@ -364,9 +371,11 @@ public Boolean internalSyncDataSourceSchemas(@NonNull Long dataSourceId) throws
  return false;
  }
  ConnectionConfig connection = connectionService.getForConnectionSkipPermissionCheck(dataSourceId);
- if (connection.getEnvironmentId().longValue() == -1L) {
+ if (connection.getEnvironmentId().longValue() == -1L
+ || connection.getVisibleScope() == ConnectionVisibleScope.PRIVATE) {
  return false;
  }
+ horizontalDataPermissionValidator.checkCurrentOrganization(connection);
  DefaultConnectSessionFactory factory = new DefaultConnectSessionFactory(connection);
  connectionSession = factory.generateSession();
  List<DatabaseEntity> latestDatabases =

diff --git a/...er/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java b/...er/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java
@@ -79,6 +79,7 @@
 import com.oceanbase.odc.service.db.DBCharsetService;
 import com.oceanbase.odc.service.db.session.DBSessionService;
 import com.oceanbase.odc.service.feature.VersionDiffConfigService;
+import com.oceanbase.odc.service.iam.HorizontalDataPermissionValidator;
 import com.oceanbase.odc.service.iam.auth.AuthenticationFacade;
 import com.oceanbase.odc.service.iam.auth.AuthorizationFacade;
 import com.oceanbase.odc.service.lab.model.LabProperties;
@@ -131,6 +132,8 @@ public class ConnectSessionService {
  private DBSessionService dbSessionService;
  @Autowired
  private EnvironmentRepository environmentRepository;
+ @Autowired
+ private HorizontalDataPermissionValidator horizontalDataPermissionValidator;
 
  @PostConstruct
  public void init() {
@@ -212,6 +215,7 @@ private ConnectionSession create(@NotNull Long dataSourceId, String schemaName)
  preCheckSessionLimit();
 
  ConnectionConfig connection = connectionService.getForConnectionSkipPermissionCheck(dataSourceId);
+ horizontalDataPermissionValidator.checkCurrentOrganization(connection);
  log.info("Begin to create session, connection id={}, name={}", connection.id(), connection.getName());
  Set<String> actions = authorizationFacade.getAllPermittedActions(authenticationFacade.currentUser(),
  ResourceType.ODC_CONNECTION, "" + dataSourceId);