• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

taosdata / TDengine / #4983

13 Mar 2026 03:38AM UTC coverage: 68.653% (+0.07%) from 68.587%
#4983

push

travis-ci

web-flow
feat/6641435300-save-audit-in-self (#34738)

434 of 584 new or added lines in 10 files covered. (74.32%)

434 existing lines in 121 files now uncovered.

212745 of 309883 relevant lines covered (68.65%)

134272959.11 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

89.94
/source/libs/parser/src/parAuthenticator.c
1
/*
2
 * Copyright (c) 2019 TAOS Data, Inc. <jhtao@taosdata.com>
3
 *
4
 * This program is free software: you can use, redistribute, and/or modify
5
 * it under the terms of the GNU Affero General Public License, version 3
6
 * or later ("AGPL"), as published by the Free Software Foundation.
7
 *
8
 * This program is distributed in the hope that it will be useful, but WITHOUT
9
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10
 * FITNESS FOR A PARTICULAR PURPOSE.
11
 *
12
 * You should have received a copy of the GNU Affero General Public License
13
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
14
 */
15

16
#include "catalog.h"
17
#include "cmdnodes.h"
18
#include "parInt.h"
19
#include "tconfig.h"
20

21
typedef struct SAuthCxt {
22
  SParseContext*   pParseCxt;
23
  SParseMetaCache* pMetaCache;
24
  int32_t          errCode;
25
} SAuthCxt;
26

27
typedef struct SSelectAuthCxt {
28
  SAuthCxt*    pAuthCxt;
29
  SSelectStmt* pSelect;
30
} SSelectAuthCxt;
31

32
typedef struct SAuthRewriteCxt {
33
  STableNode* pTarget;
34
} SAuthRewriteCxt;
35

36
extern SConfig* tsCfg;
37

38
static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt);
39

40
static int32_t setUserAuthInfo(SParseContext* pCxt, const char* pDbName, const char* pTabName, EPrivType privType,
2,108,459✔
41
                               EPrivObjType objType, bool isView, bool effective, SUserAuthInfo* pAuth) {
42
  if (effective) {
2,108,459✔
43
    snprintf(pAuth->user, sizeof(pAuth->user), "%s", pCxt->pEffectiveUser ? pCxt->pEffectiveUser : "");
16,379✔
44
    pAuth->userId = pCxt->effectiveUserId;  // TODO: assign the effective user id
16,379✔
45
  } else {
46
    snprintf(pAuth->user, sizeof(pAuth->user), "%s", pCxt->pUser);
2,092,080✔
47
    pAuth->userId = pCxt->userId;
2,092,080✔
48
  }
49

50
  if (NULL == pTabName) {
2,108,459✔
51
    if (pDbName) {
1,279,378✔
52
      int32_t code = tNameSetDbName(&pAuth->tbName, pCxt->acctId, pDbName, strlen(pDbName));
1,139,664✔
53
      if (TSDB_CODE_SUCCESS != code) return code;
1,139,664✔
54
    } else {
55
      pAuth->tbName.acctId = pCxt->acctId;
139,714✔
56
      pAuth->tbName.type = TSDB_SYS_NAME_T;
139,714✔
57
    }
58
  } else {
59
    toName(pCxt->acctId, pDbName, pTabName, &pAuth->tbName);
829,081✔
60
  }
61
  pAuth->privType = privType;
2,108,459✔
62
  pAuth->objType = objType;
2,108,459✔
63
  pAuth->isView = isView;
2,108,459✔
64
  return TSDB_CODE_SUCCESS;
2,108,459✔
65
}
66

67
static int32_t checkAuthByOwner(SAuthCxt* pCxt, SUserAuthInfo* pAuthInfo, SUserAuthRes* pAuthRes, bool *recheck) {
2,071,805✔
68
  SParseContext*   pParseCxt = pCxt->pParseCxt;
2,071,805✔
69
  const SPrivInfo* pPrivInfo = privInfoGet(pAuthInfo->privType);
2,071,805✔
70
  if (NULL == pPrivInfo) {
2,071,805✔
71
    return TSDB_CODE_PAR_INTERNAL_ERROR;
×
72
  }
73
  int32_t code = 0;
2,071,805✔
74
  if (pPrivInfo->category == PRIV_CATEGORY_OBJECT || pAuthInfo->objType == PRIV_OBJ_DB) {
2,071,805✔
75
    SPrivInfo privInfoDup = *pPrivInfo;
1,497,588✔
76
    if (privInfoDup.objType <= 0) privInfoDup.objType = PRIV_OBJ_DB;
1,497,588✔
77
    switch (privInfoDup.objType) {
1,497,588✔
78
      case PRIV_OBJ_DB: {
1,139,664✔
79
        SDbCfgInfo dbCfgInfo = {0};
1,139,664✔
80
        char       dbFName[TSDB_DB_FNAME_LEN] = {0};
1,139,664✔
81
        (void)tNameGetFullDbName(&pAuthInfo->tbName, dbFName);
1,139,664✔
82
        code = getDbCfgFromCache(pCxt->pMetaCache, dbFName, &dbCfgInfo);
1,139,664✔
83
        if (TSDB_CODE_SUCCESS != code) {
1,139,664✔
84
          return code;
66,230✔
85
        }
86
        // rewrite privilege for audit db
87
        if (dbCfgInfo.isAudit && pAuthInfo->objType == PRIV_OBJ_DB) {
1,073,434✔
88
          if (pAuthInfo->privType == PRIV_DB_USE) {
×
89
            pAuthInfo->useDb = AUTH_OWNED_MASK;
×
90
            if (recheck) *recheck = true;  // recheck since the cached key is changed
×
91
          } else if (pAuthInfo->privType == PRIV_CM_ALTER) {
×
92
            pAuthInfo->privType = PRIV_AUDIT_DB_ALTER;
×
93
            pAuthInfo->objType = PRIV_OBJ_CLUSTER;
×
94
            if (recheck) *recheck = true;  // recheck since the cached key is changed
×
95
          } else if (pAuthInfo->privType == PRIV_CM_DROP) {
×
96
            pAuthInfo->privType = PRIV_AUDIT_DB_DROP;
×
97
            pAuthInfo->objType = PRIV_OBJ_CLUSTER;
×
98
            if (recheck) *recheck = true;  // recheck since the cached key is changed
×
99
          } else if (pAuthInfo->privType == PRIV_TBL_CREATE) {
×
100
            pAuthInfo->privType = PRIV_AUDIT_TBL_CREATE;
×
101
            pAuthInfo->objType = PRIV_OBJ_CLUSTER;
×
102
            if (recheck) *recheck = true;  // recheck since the cached key is changed
×
103
          }
104
          return TSDB_CODE_SUCCESS;
×
105
        }
106
        if (dbCfgInfo.ownerId == pAuthInfo->userId) {
1,073,434✔
107
          pAuthRes->pass[pAuthInfo->isView ? AUTH_RES_VIEW : AUTH_RES_BASIC] = true;
35,621✔
108
          return TSDB_CODE_SUCCESS;
35,621✔
109
        }
110
        break;
1,037,813✔
111
      }
112
      default:
357,924✔
113
        return TSDB_CODE_SUCCESS;
357,924✔
114
    }
115
  }
116
_exit:
574,217✔
117
  return TSDB_CODE_SUCCESS;
1,612,030✔
118
}
119

120
static int32_t checkAuthImpl(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, EPrivType privType,
595,694,718✔
121
                             EPrivObjType objType, SNode** pCond, SArray** pPrivCols, bool isView, bool effective) {
122
  SParseContext* pParseCxt = pCxt->pParseCxt;
595,694,718✔
123
  if (pParseCxt->isSuperUser) {
595,694,784✔
124
    return TSDB_CODE_SUCCESS;
593,602,764✔
125
  }
126

127
  AUTH_RES_TYPE auth_res_type = isView ? AUTH_RES_VIEW : AUTH_RES_BASIC;
2,108,459✔
128
  SUserAuthInfo authInfo = {0};
2,108,459✔
129
  int32_t code = setUserAuthInfo(pCxt->pParseCxt, pDbName, pTabName, privType, objType, isView, effective, &authInfo);
2,108,459✔
130
  if (TSDB_CODE_SUCCESS != code) return code;
2,108,459✔
131
  SUserAuthRes authRes = {0};
2,108,459✔
132
  bool         recheck = false;
2,108,459✔
133
  if (NULL != pCxt->pMetaCache && privType != PRIV_VIEW_SELECT && privType != PRIV_AUDIT_TBL_SELECT) {
2,108,459✔
134
    code = checkAuthByOwner(pCxt, &authInfo, &authRes, &recheck);
2,071,805✔
135
    if (code == TSDB_CODE_SUCCESS && authRes.pass[auth_res_type]) {
2,071,805✔
136
      goto _exit;
35,621✔
137
    }
138
    code = getUserAuthFromCache(pCxt->pMetaCache, &authInfo, &authRes);
2,036,184✔
139
#ifdef TD_ENTERPRISE
140
    if (isView && TSDB_CODE_PAR_INTERNAL_ERROR == code) {
2,036,184✔
141
      authInfo.isView = false;
×
142
      code = getUserAuthFromCache(pCxt->pMetaCache, &authInfo, &authRes);
×
143
    }
144
#endif
145
  } else {
146
    recheck = true;  // recheck since the cached key is changed
36,654✔
147
  }
148
  if (recheck) {  // the priv type of view and audit may be rewritten, need to recheck from catalog
2,072,838✔
149
    SRequestConnInfo conn = {.pTrans = pParseCxt->pTransporter,
73,308✔
150
                             .requestId = pParseCxt->requestId,
36,654✔
151
                             .requestObjRefId = pParseCxt->requestRid,
36,654✔
152
                             .mgmtEps = pParseCxt->mgmtEpSet};
153
    code = catalogChkAuth(pParseCxt->pCatalog, &conn, &authInfo, &authRes);
36,654✔
154
  }
155

156
_exit:
2,108,459✔
157
  if (TSDB_CODE_SUCCESS == code) {
2,108,459✔
158
    if (pCond) *pCond = authRes.pCond[auth_res_type];
2,108,459✔
159
    if (pPrivCols) *pPrivCols = authRes.pCols;
2,108,459✔
160
    if (taosArrayGetSize(authRes.pCols) > 0) {
2,108,459✔
161
      pCxt->pParseCxt->hasPrivCols = 1; // used later in translateCheckPrivCols for select *
5,786✔
162
    }
163
  }
164
  return TSDB_CODE_SUCCESS == code ? (authRes.pass[auth_res_type] ? TSDB_CODE_SUCCESS : TSDB_CODE_PAR_PERMISSION_DENIED)
2,108,459✔
165
                                   : code;
4,216,918✔
166
}
167

168
static int32_t checkAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, EPrivType privType,
595,494,332✔
169
                         EPrivObjType objType, SNode** pCond, SArray** pPrivCols) {
170
#ifdef TD_ENTERPRISE
171
  return checkAuthImpl(pCxt, pDbName, pTabName, privType, objType, pCond, pPrivCols, false, false);
595,494,332✔
172
#else
173
  return TSDB_CODE_SUCCESS;
174
#endif
175
}
176

177
static int32_t authSysPrivileges(SAuthCxt* pCxt, SNode* pStmt, EPrivType type) {
4,952,445✔
178
  return checkAuth(pCxt, NULL, NULL, type, 0, NULL, NULL);
4,952,445✔
179
}
180

181
static int32_t authObjPrivileges(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, EPrivType privType,
535,972,160✔
182
                                 EPrivObjType objType) {
183
  if (!pDbName) {
535,972,160✔
184
    return TSDB_CODE_PAR_INTERNAL_ERROR;
×
185
  }
186

187
  return checkAuth(pCxt, pDbName, pTabName, privType, objType, NULL, NULL);
535,972,160✔
188
}
189

190
static int32_t checkEffectiveAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, EPrivType privType,
13,865✔
191
                                  EPrivObjType objType, SNode** pCond) {
192
  return checkAuthImpl(pCxt, pDbName, pTabName, privType, objType, NULL, NULL, false, true);
13,865✔
193
}
194

195
static int32_t checkViewAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, EPrivType privType,
223,686✔
196
                             EPrivObjType objType, SNode** pCond) {
197
  return checkAuthImpl(pCxt, pDbName, pTabName, privType, objType, pCond, NULL, true, false);
223,686✔
198
}
199

200
static int32_t checkViewEffectiveAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, EPrivType privType,
2,514✔
201
                                      EPrivObjType objType, SNode** pCond) {
202
  return checkAuthImpl(pCxt, pDbName, pTabName, privType, objType, pCond, NULL, true, true);
2,514✔
203
}
204

205
static EDealRes authSubquery(SAuthCxt* pCxt, SNode* pStmt) {
22,925,501✔
206
  return TSDB_CODE_SUCCESS == authQuery(pCxt, pStmt) ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;
22,925,501✔
207
}
208

209
static int32_t mergeStableTagCond(SNode** pWhere, SNode* pTagCond) {
458✔
210
  SLogicConditionNode* pLogicCond = NULL;
458✔
211
  int32_t              code = nodesMakeNode(QUERY_NODE_LOGIC_CONDITION, (SNode**)&pLogicCond);
458✔
212
  if (NULL == pLogicCond) {
458✔
213
    return code;
×
214
  }
215
  pLogicCond->node.resType.type = TSDB_DATA_TYPE_BOOL;
458✔
216
  pLogicCond->node.resType.bytes = tDataTypes[TSDB_DATA_TYPE_BOOL].bytes;
458✔
217
  pLogicCond->condType = LOGIC_COND_TYPE_AND;
458✔
218
  code = nodesListMakeStrictAppend(&pLogicCond->pParameterList, pTagCond);
458✔
219
  if (TSDB_CODE_SUCCESS == code) {
458✔
220
    code = nodesListMakeAppend(&pLogicCond->pParameterList, *pWhere);
458✔
221
  }
222
  if (TSDB_CODE_SUCCESS == code) {
458✔
223
    *pWhere = (SNode*)pLogicCond;
458✔
224
  } else {
225
    nodesDestroyNode((SNode*)pLogicCond);
×
226
  }
227
  return code;
458✔
228
}
229

230
EDealRes rewriteAuthTable(SNode* pNode, void* pContext) {
50,937✔
231
  if (QUERY_NODE_COLUMN == nodeType(pNode)) {
50,937✔
232
    SColumnNode*     pCol = (SColumnNode*)pNode;
15,541✔
233
    SAuthRewriteCxt* pCxt = (SAuthRewriteCxt*)pContext;
15,541✔
234
    tstrncpy(pCol->tableName, pCxt->pTarget->tableName, TSDB_TABLE_NAME_LEN);
15,541✔
235
    tstrncpy(pCol->tableAlias, pCxt->pTarget->tableAlias, TSDB_TABLE_NAME_LEN);
15,541✔
236
    pCol->appendByPrivCond = 1;
15,541✔
237
  }
238

239
  return DEAL_RES_CONTINUE;
50,937✔
240
}
241

242
static int32_t rewriteAppendStableTagCond(SNode** pWhere, SNode* pTagCond, STableNode* pTable) {
11,227✔
243
  SNode*  pTagCondCopy = NULL;
11,227✔
244
  int32_t code = nodesCloneNode(pTagCond, &pTagCondCopy);
11,227✔
245
  if (NULL == pTagCondCopy) {
11,227✔
246
    return code;
×
247
  }
248

249
  SAuthRewriteCxt cxt = {.pTarget = pTable};
11,227✔
250
  nodesWalkExpr(pTagCondCopy, rewriteAuthTable, &cxt);
11,227✔
251

252
  if (NULL == *pWhere) {
11,227✔
253
    *pWhere = pTagCondCopy;
10,615✔
254
    return TSDB_CODE_SUCCESS;
10,615✔
255
  }
256

257
  if (QUERY_NODE_LOGIC_CONDITION == nodeType(*pWhere) &&
612✔
258
      LOGIC_COND_TYPE_AND == ((SLogicConditionNode*)*pWhere)->condType) {
154✔
259
    return nodesListStrictAppend(((SLogicConditionNode*)*pWhere)->pParameterList, pTagCondCopy);
154✔
260
  }
261

262
  return mergeStableTagCond(pWhere, pTagCondCopy);
458✔
263
}
264
#if 0  
265
/**
266
 * @brief Fast fail path if no star(*) specified in select clause
267
 */
268
static int32_t authSelectTblCols(SSelectStmt* pSelect, STableNode* pTable, SArray* pPrivCols) {
269
  int32_t    code = 0;
270
  SNodeList* pRetrievedCols = NULL;
271
  int32_t    nCols = taosArrayGetSize(pPrivCols);
272

273
  if (nCols <= 0) {
274
    goto _return;
275
  }
276

277
  PAR_ERR_JRET(nodesCollectColumns(pSelect, SQL_CLAUSE_FROM, NULL, COLLECT_COL_TYPE_ALL, &pRetrievedCols));
278

279
  int32_t i = 0, j = 0, k = 0;
280
  SNode*  pNode = NULL;
281
  FOREACH(pNode, pRetrievedCols) {
282
    SColumnNode* pColNode = (SColumnNode*)pNode;
283

284
    j = i;
285

286
    // search in the remaining columns first for better performance if ordered
287
    bool found = false;
288
    for (; i < nCols; ++i) {
289
      SColNameFlag* pColNameFlag = (SColNameFlag*)TARRAY_GET_ELEM(pPrivCols, i);
290
      if (strcmp(pColNode->colName, pColNameFlag->colName) == 0) {
291
        found = true;
292
        ++i;
293
        break;
294
      }
295
    }
296
    if (!found) {
297
      for (k = 0; k < j; ++k) {
298
        SColNameFlag* pColNameFlag = (SColNameFlag*)TARRAY_GET_ELEM(pPrivCols, k);
299
        if (strcmp(pColNode->colName, pColNameFlag->colName) == 0) {
300
          found = true;
301
          break;
302
        }
303
      }
304
    }
305
    if (!found) {
306
      code = TSDB_CODE_PAR_COL_PERMISSION_DENIED;
307
      goto _return;
308
    }
309
  }
310
_return:
311
  nodesDestroyList(pRetrievedCols);
312
  return code;
313
}
314
#endif
315

316
static EDealRes authSelectImpl(SNode* pNode, void* pContext) {
1,864,890,567✔
317
  SSelectAuthCxt* pCxt = pContext;
1,864,890,567✔
318
  SAuthCxt*       pAuthCxt = pCxt->pAuthCxt;
1,864,890,567✔
319
  bool            isView = false;
1,864,891,157✔
320
  bool            isAudit = false;
1,864,891,157✔
321
  if (QUERY_NODE_REAL_TABLE == nodeType(pNode)) {
1,864,891,157✔
322
    SNode*      pTagCond = NULL;
186,767,954✔
323
    // SArray*     pPrivCols = NULL;
324
    STableNode* pTable = (STableNode*)pNode;
186,767,960✔
325
    if ((pAuthCxt->pParseCxt->enableSysInfo == 0) && IS_INFORMATION_SCHEMA_DB(pTable->dbName) &&
186,767,960✔
326
        (strcmp(pTable->tableName, TSDB_INS_TABLE_VGROUPS) == 0)) {
21,873✔
327
      pAuthCxt->errCode = TSDB_CODE_PAR_PERMISSION_DENIED;
700✔
328
      return DEAL_RES_ERROR;
700✔
329
    }
330
    if (authObjPrivileges(pAuthCxt, pTable->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB) != TSDB_CODE_SUCCESS) {
186,767,047✔
331
      pAuthCxt->errCode = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
4,354✔
332
      return DEAL_RES_ERROR;
4,354✔
333
    }
334
#ifdef TD_ENTERPRISE
335
    SName name = {0};
186,762,623✔
336
    toName(pAuthCxt->pParseCxt->acctId, pTable->dbName, pTable->tableName, &name);
186,762,696✔
337
    STableMeta* pTableMeta = NULL;
186,763,012✔
338
    toName(pAuthCxt->pParseCxt->acctId, pTable->dbName, pTable->tableName, &name);
186,763,014✔
339
    int32_t code = getTargetMetaImpl(pAuthCxt->pParseCxt, pAuthCxt->pMetaCache, &name, &pTableMeta, true);
186,763,097✔
340
    if (TSDB_CODE_SUCCESS == code) {
186,761,987✔
341
      if (pTableMeta->isAudit) {
186,367,115✔
342
        isAudit = true;
408✔
343
      } else if (!pTableMeta->isAudit && (pTableMeta->ownerId == pAuthCxt->pParseCxt->userId)) {
186,366,883✔
344
        // owner has all privileges on the table he owns except audit table
345
        taosMemoryFree(pTableMeta);
180,934,384✔
346
        return DEAL_RES_CONTINUE;
180,933,245✔
347
      }
348
      if (TSDB_VIEW_TABLE == pTableMeta->tableType) {
5,433,287✔
349
        isView = true;
56,520✔
350
      }
351
    }
352
    taosMemoryFree(pTableMeta);
5,827,950✔
353
#endif
354
    if (!isView) {
5,827,971✔
355
      pAuthCxt->errCode =
5,771,451✔
356
          checkAuth(pAuthCxt, pTable->dbName, pTable->tableName, isAudit ? PRIV_AUDIT_TBL_SELECT : PRIV_TBL_SELECT,
5,771,451✔
357
                    PRIV_OBJ_TBL, &pTagCond, NULL);  //&pPrivCols);
358
      if (TSDB_CODE_SUCCESS != pAuthCxt->errCode && NULL != pAuthCxt->pParseCxt->pEffectiveUser) {
5,771,451✔
359
        pAuthCxt->errCode = checkEffectiveAuth(pAuthCxt, pTable->dbName, pTable->tableName,
13,865✔
360
                                               isAudit ? PRIV_AUDIT_TBL_SELECT : PRIV_TBL_SELECT, PRIV_OBJ_TBL, NULL);
361
      }
362
#if 0
363
      if (TSDB_CODE_SUCCESS == pAuthCxt->errCode && NULL != pPrivCols) {
364
        pAuthCxt->errCode = authSelectTblCols(pCxt->pSelect, pTable, pPrivCols);
365
      }
366
#endif
367
      if (TSDB_CODE_SUCCESS == pAuthCxt->errCode && NULL != pTagCond) {
5,771,451✔
368
        pAuthCxt->errCode = rewriteAppendStableTagCond(&pCxt->pSelect->pWhere, pTagCond, pTable);
11,227✔
369
      }
370
    } else {
371
      pAuthCxt->errCode =
56,520✔
372
          checkViewAuth(pAuthCxt, pTable->dbName, pTable->tableName, PRIV_VIEW_SELECT, PRIV_OBJ_VIEW, NULL);
56,520✔
373
      if (TSDB_CODE_SUCCESS != pAuthCxt->errCode && NULL != pAuthCxt->pParseCxt->pEffectiveUser) {
56,520✔
374
        pAuthCxt->errCode =
2,514✔
375
            checkViewEffectiveAuth(pAuthCxt, pTable->dbName, pTable->tableName, PRIV_VIEW_SELECT, PRIV_OBJ_VIEW, NULL);
2,514✔
376
      }
377
    }
378
    return TSDB_CODE_SUCCESS == pAuthCxt->errCode ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;
5,827,971✔
379
  } else if (QUERY_NODE_TEMP_TABLE == nodeType(pNode)) {
1,678,124,548✔
380
    return authSubquery(pAuthCxt, ((STempTableNode*)pNode)->pSubquery);
22,925,383✔
381
  }
382
  return DEAL_RES_CONTINUE;
1,655,199,136✔
383
}
384

385
static int32_t authSelect(SAuthCxt* pCxt, SSelectStmt* pSelect) {
198,987,173✔
386
  SSelectAuthCxt cxt = {.pAuthCxt = pCxt, .pSelect = pSelect};
198,987,173✔
387
  nodesWalkSelectStmt(pSelect, SQL_CLAUSE_FROM, authSelectImpl, &cxt);
198,987,218✔
388
  return pCxt->errCode;
198,987,344✔
389
}
390

391
static int32_t authSetOperator(SAuthCxt* pCxt, SSetOperator* pSetOper) {
8,929,292✔
392
  int32_t code = authQuery(pCxt, pSetOper->pLeft);
8,929,292✔
393
  if (TSDB_CODE_SUCCESS == code) {
8,929,292✔
394
    code = authQuery(pCxt, pSetOper->pRight);
8,927,054✔
395
  }
396
  return code;
8,929,292✔
397
}
398

399
static int32_t authDropUser(SAuthCxt* pCxt, SDropUserStmt* pStmt) {
48,033✔
400
  // if (!pCxt->pParseCxt->isSuperUser || 0 == strcmp(pStmt->userName, TSDB_DEFAULT_USER)) {
401
  //   return TSDB_CODE_PAR_PERMISSION_DENIED;
402
  // }
403
  if (0 == strcmp(pStmt->userName, TSDB_DEFAULT_USER)) {
48,033✔
404
    return TSDB_CODE_PAR_PERMISSION_DENIED;
162✔
405
  }
406
  return authSysPrivileges(pCxt, (void*)pStmt, PRIV_USER_DROP);  // root has SYSDBA role with USER_DROP privilege
47,871✔
407
}
408

409
static int32_t authDelete(SAuthCxt* pCxt, SDeleteStmt* pDelete) {
1,777,617✔
410
  SNode*      pTagCond = NULL;
1,777,617✔
411
  STableNode* pTable = (STableNode*)pDelete->pFromTable;
1,777,617✔
412
  int32_t     code = checkAuth(pCxt, pTable->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL);
1,777,617✔
413
  if (TSDB_CODE_SUCCESS == code) {
1,777,617✔
414
    code = checkAuth(pCxt, pTable->dbName, pTable->tableName, PRIV_TBL_DELETE, PRIV_OBJ_TBL, &pTagCond, NULL);
1,777,617✔
415
  } else {
416
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
417
  }
418
  if (TSDB_CODE_SUCCESS == code && NULL != pTagCond) {
1,777,617✔
419
    code = rewriteAppendStableTagCond(&pDelete->pWhere, pTagCond, pTable);
×
420
  }
421
  return code;
1,777,617✔
422
}
423

424
static int32_t authInsert(SAuthCxt* pCxt, SInsertStmt* pInsert) {
318,566✔
425
  SNode*      pTagCond = NULL;
318,566✔
426
  SArray*     pPrivCols = NULL;
318,566✔
427
  STableNode* pTable = (STableNode*)pInsert->pTable;
318,566✔
428
  // todo check tag condition for subtable
429
  int32_t code = checkAuth(pCxt, pTable->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL);
318,566✔
430
  if (TSDB_CODE_SUCCESS == code) {
318,566✔
431
    code = checkAuth(pCxt, pTable->dbName, pTable->tableName, PRIV_TBL_INSERT, PRIV_OBJ_TBL, &pTagCond, &pPrivCols);
318,566✔
432
  } else {
433
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
434
  }
435
  return code;
318,566✔
436
}
437

438
static int32_t authShowTables(SAuthCxt* pCxt, SShowStmt* pStmt) {
543,736✔
439
  // return checkAuth(pCxt, ((SValueNode*)pStmt->pDbName)->literal, NULL, AUTH_TYPE_READ_OR_WRITE, NULL);
440
  // stb: more check in server, child table(TODO): more check when filter query result
441
  if (authObjPrivileges(pCxt, ((SValueNode*)pStmt->pDbName)->literal, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
543,736✔
442
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
4,822✔
443
  }
444
  return 0;
538,914✔
445
}
446

447
static int32_t authShowVtables(SAuthCxt* pCxt, SShowStmt* pStmt) { return authShowTables(pCxt, pStmt); }
59,992✔
448

449
static int32_t authShowUsage(SAuthCxt* pCxt, SShowStmt* pStmt) {
325✔
450
  if (authObjPrivileges(pCxt, ((SValueNode*)pStmt->pDbName)->literal, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
325✔
451
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
452
  }
453
  return 0;
325✔
454
}
455

456
static int32_t authShowCreateTable(SAuthCxt* pCxt, SShowCreateTableStmt* pStmt) {
90,137✔
457
  // SNode* pTagCond = NULL;
458
  // todo check tag condition for subtable
459
  // return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_READ, &pTagCond);
460
  if (authObjPrivileges(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
90,137✔
461
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
3,675✔
462
  }
463
  return authObjPrivileges(pCxt, pStmt->dbName, pStmt->tableName, PRIV_CM_SHOW_CREATE, PRIV_OBJ_TBL);
86,462✔
464
}
465

466
static int32_t authShowCreateView(SAuthCxt* pCxt, SShowCreateViewStmt* pStmt) {
8,270✔
467
#ifndef TD_ENTERPRISE
468
  return TSDB_CODE_OPS_NOT_SUPPORT;
469
#else
470
  int32_t code = authObjPrivileges(pCxt, ((SShowCreateViewStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
8,270✔
471
  if (TSDB_CODE_SUCCESS == code) {
8,270✔
472
    code = checkViewAuth(pCxt, ((SShowCreateViewStmt*)pStmt)->dbName, ((SShowCreateViewStmt*)pStmt)->viewName,
8,270✔
473
                         PRIV_CM_SHOW_CREATE, PRIV_OBJ_VIEW, NULL);
474
  } else {
475
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
476
  }
477
  if (code == 0) pStmt->hasPrivilege = true;
8,270✔
478
  return 0;  // return 0 and check owner later in translateShowCreateView
8,270✔
479
#endif
480
}
481

482
static int32_t authCreateTable(SAuthCxt* pCxt, SCreateTableStmt* pStmt) {
8,427,408✔
483
  // SNode* pTagCond = NULL;
484
  // todo check tag condition for subtable
485
  // return checkAuth(pCxt, pStmt->dbName, NULL, AUTH_TYPE_WRITE, &pTagCond);
486
  if (authObjPrivileges(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
8,427,408✔
487
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
902✔
488
  }
489
  return authObjPrivileges(pCxt, pStmt->dbName, NULL, PRIV_TBL_CREATE, PRIV_OBJ_DB);
8,426,506✔
490
}
491

492
static int32_t authCreateVTable(SAuthCxt* pCxt, SCreateVTableStmt* pStmt) {
174,257✔
493
  if (authObjPrivileges(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
174,257✔
494
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
495
  }
496
  PAR_ERR_RET(authObjPrivileges(pCxt, pStmt->dbName, NULL, PRIV_TBL_CREATE, PRIV_OBJ_DB));
174,257✔
497
  SNode* pCol = NULL;
163,873✔
498
  FOREACH(pCol, pStmt->pCols) {
143,016,967✔
499
    SColumnDefNode* pColDef = (SColumnDefNode*)pCol;
142,860,882✔
500
    if (NULL == pColDef) {
142,860,882✔
501
      PAR_ERR_RET(TSDB_CODE_PAR_INVALID_COLUMN);
×
502
    }
503
    SColumnOptions* pOptions = (SColumnOptions*)pColDef->pOptions;
142,860,882✔
504
    if (pOptions && pOptions->hasRef) {
142,860,882✔
505
      if (authObjPrivileges(pCxt, pOptions->refDb, pOptions->refTable, PRIV_TBL_SELECT, PRIV_OBJ_TBL)) {
89,123,655✔
506
        return TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
7,788✔
507
      }
508
    }
509
  }
510
  return TSDB_CODE_SUCCESS;
156,085✔
511
}
512

513
static int32_t authCreateVSubTable(SAuthCxt* pCxt, SCreateVSubTableStmt* pStmt) {
276,940✔
514
  int32_t    code = TSDB_CODE_SUCCESS;
276,940✔
515
  SNode*     pNode = NULL;
276,940✔
516
  SNodeList* pTmpList = pStmt->pSpecificColRefs ? pStmt->pSpecificColRefs : pStmt->pColRefs;
276,940✔
517
  if (authObjPrivileges(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
276,940✔
518
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
519
  }
520
  PAR_ERR_RET(authObjPrivileges(pCxt, pStmt->dbName, NULL, PRIV_TBL_CREATE, PRIV_OBJ_DB));
276,940✔
521
  if (NULL == pTmpList) {
266,556✔
522
    // no column reference
523
    return TSDB_CODE_SUCCESS;
19,662✔
524
  }
525

526
  FOREACH(pNode, pTmpList) {
54,754,538✔
527
    SColumnRefNode* pColRef = (SColumnRefNode*)pNode;
54,515,432✔
528
    if (NULL == pColRef) {
54,515,432✔
529
      PAR_ERR_RET(TSDB_CODE_PAR_INVALID_COLUMN);
×
530
    }
531
    if (authObjPrivileges(pCxt, pColRef->refDbName, pColRef->refTableName, PRIV_TBL_SELECT, PRIV_OBJ_TBL)) {
54,515,432✔
532
      return TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
7,788✔
533
    }
534
  }
535
  return code;
239,106✔
536
}
537

538
static int32_t authCreateStream(SAuthCxt* pCxt, SCreateStreamStmt* pStmt) {
313,152✔
539
  int32_t code = TSDB_CODE_SUCCESS;
313,152✔
540

541
  if (IS_SYS_DBNAME(pStmt->streamDbName)) {
313,152✔
542
    return TSDB_CODE_PAR_PERMISSION_DENIED;
×
543
  }
544
  if (IS_SYS_DBNAME(pStmt->targetDbName)) {
313,152✔
545
    return TSDB_CODE_PAR_PERMISSION_DENIED;
40✔
546
  }
547
  if (pStmt->pTrigger) {
313,112✔
548
    SStreamTriggerNode* pTrigger = (SStreamTriggerNode*)pStmt->pTrigger;
313,112✔
549
    STableNode*         pTriggerTable = (STableNode*)pTrigger->pTrigerTable;
313,112✔
550
    if (pTriggerTable) {
313,112✔
551
      if (IS_SYS_DBNAME(pTriggerTable->dbName)) return TSDB_CODE_PAR_PERMISSION_DENIED;
308,469✔
552
      if (authObjPrivileges(pCxt, pTriggerTable->dbName, pTriggerTable->tableName, PRIV_TBL_SELECT, PRIV_OBJ_TBL)) {
308,429✔
553
        return TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
888✔
554
      }
555
      if (authObjPrivileges(pCxt, pTriggerTable->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
307,541✔
556
        return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
557
      }
558
    }
559
  }
560

561
  if (authObjPrivileges(pCxt, ((SCreateStreamStmt*)pStmt)->streamDbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
312,184✔
562
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
563
  }
564
  PAR_ERR_RET(
312,184✔
565
      authObjPrivileges(pCxt, ((SCreateStreamStmt*)pStmt)->streamDbName, NULL, PRIV_STREAM_CREATE, PRIV_OBJ_DB));
566
  if (pStmt->targetDbName[0] != '\0') {
311,518✔
567
    if (authObjPrivileges(pCxt, ((SCreateStreamStmt*)pStmt)->targetDbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
308,315✔
568
      return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
569
    }
570
    if (authObjPrivileges(pCxt, ((SCreateStreamStmt*)pStmt)->targetDbName, NULL, PRIV_TBL_CREATE, PRIV_OBJ_DB)) {
308,315✔
571
      return TSDB_CODE_PAR_TB_CREATE_PERMISSION_DENIED;
222✔
572
    }
573
  }
574
  if (pStmt->pQuery) {
311,296✔
575
    PAR_ERR_RET(authQuery(pCxt, pStmt->pQuery));
308,093✔
576
  }
577
  return code;
310,852✔
578
}
579

580
static int32_t authCreateTopic(SAuthCxt* pCxt, SCreateTopicStmt* pStmt) {
181,172✔
581
  int32_t code = TSDB_CODE_SUCCESS;
181,172✔
582

583
  if (IS_SYS_DBNAME(pStmt->subDbName)) {
181,172✔
584
    return TSDB_CODE_PAR_PERMISSION_DENIED;
×
585
  }
586
  if (NULL != pStmt->pQuery) {
181,172✔
587
    PAR_ERR_RET(authQuery(pCxt, pStmt->pQuery));
141,214✔
588
  }
589
  if (NULL != pStmt->pWhere) {
180,742✔
590
    if (authObjPrivileges(pCxt, ((SCreateTopicStmt*)pStmt)->subDbName, ((SCreateTopicStmt*)pStmt)->subSTbName,
7,676✔
591
                          PRIV_TBL_SELECT, PRIV_OBJ_TBL)) {
592
      return TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
×
593
    }
594
  }
595
  if (((SCreateTopicStmt*)pStmt)->subDbName[0] != '\0') {
180,742✔
596
    if (authObjPrivileges(pCxt, ((SCreateTopicStmt*)pStmt)->subDbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB)) {
39,958✔
597
      return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
598
    }
599
  }
600

601
  return code;
180,742✔
602
}
603

604
static int32_t authCreateMultiTable(SAuthCxt* pCxt, SCreateMultiTablesStmt* pStmt) {
42,995,787✔
605
  int32_t code = TSDB_CODE_SUCCESS;
42,995,787✔
606
  SNode*  pNode = NULL;
42,995,787✔
607
  FOREACH(pNode, pStmt->pSubTables) {
92,741,645✔
608
    if (pNode->type == QUERY_NODE_CREATE_SUBTABLE_CLAUSE) {
49,741,558✔
609
      SCreateSubTableClause* pClause = (SCreateSubTableClause*)pNode;
49,747,822✔
610
      code = authObjPrivileges(pCxt, pClause->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
49,747,822✔
611
      if (TSDB_CODE_SUCCESS != code) {
49,741,039✔
612
        code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
175✔
613
        break;
175✔
614
      }
615
      code = authObjPrivileges(pCxt, pClause->dbName, NULL, PRIV_TBL_CREATE, PRIV_OBJ_DB);
49,740,864✔
616
      if (TSDB_CODE_SUCCESS != code) {
49,743,917✔
617
        break;
×
618
      }
619
    } else {
UNCOV
620
      SCreateSubTableFromFileClause* pClause = (SCreateSubTableFromFileClause*)pNode;
×
UNCOV
621
      code = authObjPrivileges(pCxt, pClause->useDbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
×
622
      if (TSDB_CODE_SUCCESS != code) {
×
623
        code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
624
        break;
×
625
      }
626
      code = authObjPrivileges(pCxt, pClause->useDbName, NULL, PRIV_TBL_CREATE, PRIV_OBJ_DB);
×
627
      if (TSDB_CODE_SUCCESS != code) {
1,941✔
628
        break;
×
629
      }
630
    }
631
  }
632
  return code;
43,004,408✔
633
}
634

635
static int32_t authDropTable(SAuthCxt* pCxt, SDropTableStmt* pStmt) {
2,285,995✔
636
  int32_t code = TSDB_CODE_SUCCESS;
2,285,995✔
637
  if (pStmt->withOpt && !pCxt->pParseCxt->isSuperUser) {
2,285,995✔
638
    return TSDB_CODE_PAR_PERMISSION_DENIED;
248✔
639
  }
640
  SNode* pNode = NULL;
2,285,747✔
641
  FOREACH(pNode, pStmt->pTables) {
4,679,712✔
642
    SDropTableClause* pClause = (SDropTableClause*)pNode;
2,395,315✔
643
    if (checkAuth(pCxt, pClause->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL)) {
2,395,315✔
644
      code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
462✔
645
      break;
462✔
646
    }
647

648
    if (!pStmt->withOpt) {
2,394,853✔
649
      // for child table, check privileges of its super table later
650
      if (checkAuth(pCxt, pClause->dbName, pClause->tableName, PRIV_CM_DROP, PRIV_OBJ_TBL, NULL, NULL)) {
2,255,933✔
651
        code = TSDB_CODE_PAR_PERMISSION_DENIED;
888✔
652
        break;
888✔
653
      }
654
    }
655
  }
656

657
  return code;
2,285,747✔
658
}
659

660
static int32_t authDropStable(SAuthCxt* pCxt, SDropSuperTableStmt* pStmt) {
82,893✔
661
  if (pStmt->withOpt && !pCxt->pParseCxt->isSuperUser) {
82,893✔
662
    return TSDB_CODE_PAR_PERMISSION_DENIED;
124✔
663
  }
664
  if (checkAuth(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL)) {
82,769✔
665
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
666
  }
667
  if (!pStmt->withOpt) {
82,769✔
668
    PAR_ERR_RET(checkAuth(pCxt, pStmt->dbName, pStmt->tableName, PRIV_CM_DROP, PRIV_OBJ_TBL, NULL, NULL));
30,423✔
669
  }
670
  return 0;
82,769✔
671
}
672

673
static int32_t authDropVtable(SAuthCxt* pCxt, SDropVirtualTableStmt* pStmt) {
73,394✔
674
  if (pStmt->withOpt && !pCxt->pParseCxt->isSuperUser) {
73,394✔
675
    return TSDB_CODE_PAR_PERMISSION_DENIED;
×
676
  }
677
  if (checkAuth(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL)) {
73,394✔
678
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
679
  }
680
  if (!pStmt->withOpt) {
73,394✔
681
    PAR_ERR_RET(checkAuth(pCxt, pStmt->dbName, pStmt->tableName, PRIV_CM_DROP, PRIV_OBJ_TBL, NULL, NULL));
73,394✔
682
  }
683
  return 0;
62,994✔
684
}
685

686
static int32_t authAlterTable(SAuthCxt* pCxt, SAlterTableStmt* pStmt) {
19,033,994✔
687
  SNode* pTagCond = NULL;
19,033,994✔
688
  // todo check tag condition for subtable
689
  if (checkAuth(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL)) {
19,033,994✔
690
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
900✔
691
  }
692
  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, PRIV_CM_ALTER, PRIV_OBJ_TBL, NULL, NULL);
19,033,094✔
693
}
694

695
static int32_t authAlterVTable(SAuthCxt* pCxt, SAlterTableStmt* pStmt) {
390,748✔
696
  if (checkAuth(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL)) {
390,748✔
697
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
698
  }
699
  PAR_ERR_RET(checkAuth(pCxt, pStmt->dbName, pStmt->tableName, PRIV_CM_ALTER, PRIV_OBJ_TBL, NULL, NULL));
390,748✔
700
  if (pStmt->alterType == TSDB_ALTER_TABLE_ADD_COLUMN_WITH_COLUMN_REF ||
333,548✔
701
      pStmt->alterType == TSDB_ALTER_TABLE_ALTER_COLUMN_REF) {
303,221✔
702
    if (checkAuth(pCxt, pStmt->refDbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL)) {
129,200✔
703
      return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
704
    }
705
    if (checkAuth(pCxt, pStmt->refDbName, pStmt->refTableName, PRIV_TBL_SELECT, PRIV_OBJ_TBL, NULL, NULL)) {
129,200✔
706
      return TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
20,800✔
707
    }
708
  }
709
  PAR_RET(TSDB_CODE_SUCCESS);
312,748✔
710
}
711

712
static int32_t authCreateView(SAuthCxt* pCxt, SCreateViewStmt* pStmt) {
212,267✔
713
#ifndef TD_ENTERPRISE
714
  return TSDB_CODE_OPS_NOT_SUPPORT;
715
#else
716
  int32_t code = checkAuth(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL);
212,267✔
717
  if (TSDB_CODE_SUCCESS == code) {
212,267✔
718
    code = checkAuth(pCxt, pStmt->dbName, NULL, PRIV_VIEW_CREATE, PRIV_OBJ_DB, NULL, NULL);
212,267✔
719
    if (code != TSDB_CODE_SUCCESS && pStmt->orReplace) {
212,267✔
720
      code = checkAuth(pCxt, pStmt->dbName, pStmt->viewName, PRIV_CM_ALTER, PRIV_OBJ_VIEW, NULL, NULL);
276✔
721
    }
722
  } else {
723
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
724
  }
725
  if (TSDB_CODE_SUCCESS == code) {
212,267✔
726
    if ((code = authQuery(pCxt, pStmt->pQuery))) {
208,351✔
727
      if (code == TSDB_CODE_PAR_PERMISSION_DENIED) code = TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
3,640✔
728
    }
729
  }
730
  return code;
212,267✔
731
#endif
732
}
733

734
static int32_t authDropView(SAuthCxt* pCxt, SDropViewStmt* pStmt) {
158,896✔
735
#ifndef TD_ENTERPRISE
736
  return TSDB_CODE_OPS_NOT_SUPPORT;
737
#else
738
  int32_t code = checkAuth(pCxt, pStmt->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB, NULL, NULL);
158,896✔
739
  if (TSDB_CODE_SUCCESS == code) {
158,896✔
740
    code = checkViewAuth(pCxt, pStmt->dbName, pStmt->viewName, PRIV_CM_DROP, PRIV_OBJ_VIEW, NULL);
158,896✔
741
  } else {
742
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
743
  }
744
  if (code == 0) {
158,896✔
745
    pStmt->hasPrivilege = true;
148,477✔
746
  } else {
747
    code = 0;  // check owner in parTranslater
10,419✔
748
  }
749
  return code;
158,896✔
750
#endif
751
}
752

753
static int32_t authCreateIndex(SAuthCxt* pCxt, SCreateIndexStmt* pStmt) {
21,274✔
754
  int32_t code = authObjPrivileges(pCxt, ((SCreateIndexStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
21,274✔
755

756
  if (TSDB_CODE_SUCCESS == code) {
21,274✔
757
    if (authObjPrivileges(pCxt, ((SCreateIndexStmt*)pStmt)->dbName, ((SCreateIndexStmt*)pStmt)->tableName,
21,274✔
758
                          PRIV_TBL_SELECT, PRIV_OBJ_TBL)) {
UNCOV
759
      code = TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
×
760
    }
761
  } else {
762
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
763
  }
764

765
  if (TSDB_CODE_SUCCESS == code) {
21,274✔
766
    code = authObjPrivileges(pCxt, ((SCreateIndexStmt*)pStmt)->dbName, ((SCreateIndexStmt*)pStmt)->tableName,
21,274✔
767
                             PRIV_IDX_CREATE, PRIV_OBJ_TBL);
768
  }
769

770
  return code;
21,274✔
771
}
772

773
static int32_t authDropIndex(SAuthCxt* pCxt, SDropIndexStmt* pStmt) {
9,591✔
774
  int32_t code = authObjPrivileges(pCxt, ((SDropIndexStmt*)pStmt)->indexDbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
9,591✔
775
  if (TSDB_CODE_SUCCESS == code) {
9,591✔
776
    code = authObjPrivileges(pCxt, ((SDropIndexStmt*)pStmt)->indexDbName, ((SDropIndexStmt*)pStmt)->indexName,
9,591✔
777
                             PRIV_CM_DROP, PRIV_OBJ_IDX);
778
  } else {
779
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
780
  }
781
  return code;
9,591✔
782
}
783

784
static int32_t authShowIndexes(SAuthCxt* pCxt, SShowStmt* pStmt) { return authShowTables(pCxt, pStmt); }
6,101✔
785

786
static int32_t authCreateTsma(SAuthCxt* pCxt, SCreateTSMAStmt* pStmt) {
6,842✔
787
  int32_t code = authObjPrivileges(pCxt, ((SCreateTSMAStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
6,842✔
788
  if (TSDB_CODE_SUCCESS == code) {
6,842✔
789
    if (authObjPrivileges(pCxt, ((SCreateTSMAStmt*)pStmt)->dbName, NULL, PRIV_TBL_CREATE, PRIV_OBJ_DB)) {
6,842✔
790
      code = TSDB_CODE_PAR_TB_CREATE_PERMISSION_DENIED;
276✔
791
    }
792
  } else {
793
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
794
  }
795
  if (!pStmt->pOptions->recursiveTsma) {
6,842✔
796
    if (TSDB_CODE_SUCCESS == code) {
5,825✔
797
      if (authObjPrivileges(pCxt, ((SCreateTSMAStmt*)pStmt)->dbName, ((SCreateTSMAStmt*)pStmt)->tableName,
5,549✔
798
                            PRIV_TBL_SELECT, PRIV_OBJ_TBL)) {
799
        code = TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
×
800
      }
801
    }
802

803
    if (TSDB_CODE_SUCCESS == code) {
5,825✔
804
      if (authObjPrivileges(pCxt, ((SCreateTSMAStmt*)pStmt)->dbName, NULL, PRIV_STREAM_CREATE, PRIV_OBJ_DB)) {
5,549✔
805
        code = TSDB_CODE_PAR_STREAM_CREATE_PERMISSION_DENIED;
276✔
806
      }
807
    }
808
    if (TSDB_CODE_SUCCESS == code) {
5,825✔
809
      code = authObjPrivileges(pCxt, ((SCreateTSMAStmt*)pStmt)->dbName, ((SCreateTSMAStmt*)pStmt)->tableName,
5,273✔
810
                               PRIV_TSMA_CREATE, PRIV_OBJ_TBL);
811
    }
812
  }
813

814
  return code;
6,842✔
815
}
816

817
static int32_t authDropTsma(SAuthCxt* pCxt, SDropTSMAStmt* pStmt) {
2,561✔
818
  int32_t code = authObjPrivileges(pCxt, ((SDropTSMAStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
2,561✔
819
  if (TSDB_CODE_SUCCESS == code) {
2,561✔
820
    code = authObjPrivileges(pCxt, ((SDropTSMAStmt*)pStmt)->dbName, ((SDropTSMAStmt*)pStmt)->tsmaName, PRIV_CM_DROP,
2,561✔
821
                             PRIV_OBJ_TSMA);
822
  } else {
823
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
824
  }
825
  return code;
2,561✔
826
}
827

828
static int32_t authCreateRsma(SAuthCxt* pCxt, SCreateRsmaStmt* pStmt) {
111,804✔
829
  int32_t code = authObjPrivileges(pCxt, ((SCreateRsmaStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
111,804✔
830
  if (TSDB_CODE_SUCCESS == code) {
111,804✔
831
    if (authObjPrivileges(pCxt, ((SCreateRsmaStmt*)pStmt)->dbName, ((SCreateRsmaStmt*)pStmt)->tableName,
111,804✔
832
                          PRIV_TBL_SELECT, PRIV_OBJ_TBL)) {
833
      code = TSDB_CODE_PAR_TB_SELECT_PERMISSION_DENIED;
×
834
    }
835
  } else {
836
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
837
  }
838
  if (TSDB_CODE_SUCCESS == code) {
111,804✔
839
    if (authObjPrivileges(pCxt, ((SCreateRsmaStmt*)pStmt)->dbName, ((SCreateRsmaStmt*)pStmt)->tableName,
111,804✔
840
                          PRIV_TBL_INSERT, PRIV_OBJ_TBL)) {
841
      code = TSDB_CODE_PAR_TB_INSERT_PERMISSION_DENIED;
138✔
842
    }
843
  }
844
  if (TSDB_CODE_SUCCESS == code) {
111,804✔
845
    code = authObjPrivileges(pCxt, ((SCreateRsmaStmt*)pStmt)->dbName, ((SCreateRsmaStmt*)pStmt)->tableName,
111,666✔
846
                             PRIV_RSMA_CREATE, PRIV_OBJ_TBL);
847
  }
848
  return code;
111,804✔
849
}
850

851
static int32_t authDropRsma(SAuthCxt* pCxt, SDropRsmaStmt* pStmt) {
10,284✔
852
  int32_t code = authObjPrivileges(pCxt, ((SDropRsmaStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
10,284✔
853
  if (TSDB_CODE_SUCCESS == code) {
10,284✔
854
    code = authObjPrivileges(pCxt, ((SDropRsmaStmt*)pStmt)->dbName, ((SDropRsmaStmt*)pStmt)->rsmaName, PRIV_CM_DROP,
10,284✔
855
                             PRIV_OBJ_RSMA);
856
  } else {
857
    code = TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
858
  }
859
  return code;
10,284✔
860
}
861

862
static int32_t authShowCreateRsma(SAuthCxt* pCxt, SShowCreateRsmaStmt* pStmt) {
3,180✔
863
#ifndef TD_ENTERPRISE
864
  return TSDB_CODE_OPS_NOT_SUPPORT;
865
#else
866
  int32_t code = authObjPrivileges(pCxt, ((SShowCreateRsmaStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
3,180✔
867
  if (TSDB_CODE_SUCCESS == code) {
3,180✔
868
    code = authObjPrivileges(pCxt, ((SShowCreateRsmaStmt*)pStmt)->dbName, ((SShowCreateRsmaStmt*)pStmt)->rsmaName,
3,180✔
869
                             PRIV_CM_SHOW_CREATE, PRIV_OBJ_RSMA);
870
  } else {
871
    return TSDB_CODE_PAR_DB_USE_PERMISSION_DENIED;
×
872
  }
873
  if (code == 0) pStmt->hasPrivilege = true;
3,180✔
874
  return 0;  // return 0 and check owner later in translateShowCreateRsma since rsma ctgCatalog not available yet
3,180✔
875
#endif
876
}
877

878
static int32_t authCreateDatabase(SAuthCxt* pCxt, SCreateDatabaseStmt* pStmt) {
1,433,437✔
879
  return authSysPrivileges(pCxt, (SNode*)pStmt, PRIV_DB_CREATE);
1,433,437✔
880
}
881

882
static int32_t authAlterDatabase(SAuthCxt* pCxt, SAlterDatabaseStmt* pStmt) {
186,697✔
883
  return authObjPrivileges(pCxt, ((SAlterDatabaseStmt*)pStmt)->dbName, NULL, PRIV_CM_ALTER, PRIV_OBJ_DB);
186,697✔
884
}
885

886
static int32_t authAlterLocal(SAuthCxt* pCxt, SAlterLocalStmt* pStmt) {
433,877✔
887
  int32_t privType = cfgGetPrivType(tsCfg, pStmt->config, 0);
433,877✔
888
  return authSysPrivileges(pCxt, (void*)pStmt, privType);
433,877✔
889
}
890

891
static int32_t authDropRole(SAuthCxt* pCxt, SDropRoleStmt* pStmt) {
1,518✔
892
  return authSysPrivileges(pCxt, (SNode*)pStmt, PRIV_ROLE_DROP);
1,518✔
893
}
894

895
static int32_t authDropDatabase(SAuthCxt* pCxt, SDropDatabaseStmt* pStmt) {
1,177,650✔
896
  return authObjPrivileges(pCxt, ((SDropDatabaseStmt*)pStmt)->dbName, NULL, PRIV_CM_DROP, PRIV_OBJ_DB);
1,177,650✔
897
}
898

899
static int32_t authUseDatabase(SAuthCxt* pCxt, SUseDatabaseStmt* pStmt) {
81,844,634✔
900
  return authObjPrivileges(pCxt, ((SUseDatabaseStmt*)pStmt)->dbName, NULL, PRIV_DB_USE, PRIV_OBJ_DB);
81,844,634✔
901
}
902

903
static int32_t authGrant(SAuthCxt* pCxt, SGrantStmt* pStmt) {
877,084✔
904
  if (pStmt->optrType == TSDB_ALTER_ROLE_ROLE) {
877,084✔
905
    if (IS_SYS_PREFIX(pStmt->roleName)) {
6,374✔
906
      if (strcmp(pStmt->roleName, TSDB_ROLE_SYSDBA) == 0) {
5,806✔
907
        return authSysPrivileges(pCxt, (void*)pStmt, PRIV_GRANT_SYSDBA);
1,672✔
908
      }
909
      if (strcmp(pStmt->roleName, TSDB_ROLE_SYSSEC) == 0) {
4,134✔
910
        return authSysPrivileges(pCxt, (void*)pStmt, PRIV_GRANT_SYSSEC);
1,120✔
911
      }
912
      if (strcmp(pStmt->roleName, TSDB_ROLE_SYSAUDIT) == 0) {
3,014✔
913
        return authSysPrivileges(pCxt, (void*)pStmt, PRIV_GRANT_SYSAUDIT);
1,120✔
914
      }
915
    }
916
  }
917
  return authSysPrivileges(pCxt, (void*)pStmt, PRIV_GRANT_PRIVILEGE);
873,172✔
918
}
919

920
static int32_t authRevoke(SAuthCxt* pCxt, SRevokeStmt* pStmt) {
473,216✔
921
  if (pStmt->optrType == TSDB_ALTER_ROLE_ROLE) {
473,216✔
922
    if (IS_SYS_PREFIX(pStmt->roleName)) {
5,418✔
923
      if (strcmp(pStmt->roleName, TSDB_ROLE_SYSDBA) == 0) {
5,280✔
924
        return authSysPrivileges(pCxt, (void*)pStmt, PRIV_REVOKE_SYSDBA);
138✔
925
      }
926
      if (strcmp(pStmt->roleName, TSDB_ROLE_SYSSEC) == 0) {
5,142✔
927
        return authSysPrivileges(pCxt, (void*)pStmt, PRIV_REVOKE_SYSSEC);
138✔
928
      }
929
      if (strcmp(pStmt->roleName, TSDB_ROLE_SYSAUDIT) == 0) {
5,004✔
930
        return authSysPrivileges(pCxt, (void*)pStmt, PRIV_REVOKE_SYSAUDIT);
138✔
931
      }
932
    }
933
  }
934
  return authSysPrivileges(pCxt, (void*)pStmt, PRIV_REVOKE_PRIVILEGE);
472,802✔
935
}
936

937
static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt) {
465,566,570✔
938
  int32_t code = TSDB_CODE_SUCCESS;
465,566,570✔
939
#ifdef TD_ENTERPRISE
940
  switch (nodeType(pStmt)) {
465,566,570✔
941
    case QUERY_NODE_SET_OPERATOR:
8,929,292✔
942
      return authSetOperator(pCxt, (SSetOperator*)pStmt);
8,929,292✔
943
    case QUERY_NODE_SELECT_STMT:
198,986,509✔
944
      return authSelect(pCxt, (SSelectStmt*)pStmt);
198,986,509✔
945
    case QUERY_NODE_CREATE_ROLE_STMT:
2,086✔
946
      return authSysPrivileges(pCxt, pStmt, PRIV_ROLE_CREATE);
2,086✔
947
    case QUERY_NODE_DROP_ROLE_STMT:
1,518✔
948
      return authDropRole(pCxt, (SDropRoleStmt*)pStmt);
1,518✔
949
    case QUERY_NODE_CREATE_USER_STMT:
98,729✔
950
      return authSysPrivileges(pCxt, pStmt, PRIV_USER_CREATE);
98,729✔
951
    case QUERY_NODE_ALTER_USER_STMT:
49,396✔
952
      return authSysPrivileges(pCxt, pStmt, PRIV_USER_ALTER);
49,396✔
953
    case QUERY_NODE_DROP_USER_STMT:
48,033✔
954
      return authDropUser(pCxt, (SDropUserStmt*)pStmt);
48,033✔
955
    case QUERY_NODE_DELETE_STMT:
1,777,617✔
956
      return authDelete(pCxt, (SDeleteStmt*)pStmt);
1,777,617✔
957
    case QUERY_NODE_INSERT_STMT:
318,566✔
958
      return authInsert(pCxt, (SInsertStmt*)pStmt);
318,566✔
959
    case QUERY_NODE_CREATE_TABLE_STMT:
8,427,408✔
960
      return authCreateTable(pCxt, (SCreateTableStmt*)pStmt);
8,427,408✔
961
    case QUERY_NODE_CREATE_VIRTUAL_TABLE_STMT:
174,257✔
962
      return authCreateVTable(pCxt, (SCreateVTableStmt*)pStmt);
174,257✔
963
    case QUERY_NODE_CREATE_VIRTUAL_SUBTABLE_STMT:
276,940✔
964
      return authCreateVSubTable(pCxt, (SCreateVSubTableStmt*)pStmt);
276,940✔
965
    case QUERY_NODE_CREATE_MULTI_TABLES_STMT:
42,995,047✔
966
      return authCreateMultiTable(pCxt, (SCreateMultiTablesStmt*)pStmt);
42,995,047✔
967
    case QUERY_NODE_CREATE_STREAM_STMT:
313,152✔
968
      return authCreateStream(pCxt, (SCreateStreamStmt*)pStmt);
313,152✔
969
    case QUERY_NODE_CREATE_TOPIC_STMT:
181,172✔
970
      return authCreateTopic(pCxt, (SCreateTopicStmt*)pStmt);
181,172✔
971
    case QUERY_NODE_DROP_TABLE_STMT:
2,285,995✔
972
      return authDropTable(pCxt, (SDropTableStmt*)pStmt);
2,285,995✔
973
    case QUERY_NODE_DROP_SUPER_TABLE_STMT:
82,893✔
974
      return authDropStable(pCxt, (SDropSuperTableStmt*)pStmt);
82,893✔
975
    case QUERY_NODE_DROP_VIRTUAL_TABLE_STMT:
73,394✔
976
      return authDropVtable(pCxt, (SDropVirtualTableStmt*)pStmt);
73,394✔
977
    case QUERY_NODE_ALTER_TABLE_STMT:
19,033,994✔
978
    case QUERY_NODE_ALTER_SUPER_TABLE_STMT:
979
      return authAlterTable(pCxt, (SAlterTableStmt*)pStmt);
19,033,994✔
980
    case QUERY_NODE_ALTER_VIRTUAL_TABLE_STMT:
390,748✔
981
      return authAlterVTable(pCxt, (SAlterTableStmt*)pStmt);
390,748✔
982
    case QUERY_NODE_SHOW_MODULES_STMT:
109,591✔
983
    case QUERY_NODE_SHOW_BACKUP_NODES_STMT:
984
    case QUERY_NODE_SHOW_DB_ALIVE_STMT:
985
    // case QUERY_NODE_SHOW_CLUSTER_ALIVE_STMT:
986
    case QUERY_NODE_SHOW_CREATE_DATABASE_STMT:
987
    case QUERY_NODE_SHOW_TABLE_DISTRIBUTED_STMT:  // TODO: check in mnode
988
    // case QUERY_NODE_SHOW_LOCAL_VARIABLES_STMT: // not check local variables
989
    case QUERY_NODE_SHOW_DNODE_VARIABLES_STMT:
990
    case QUERY_NODE_SHOW_SCORES_STMT:
991
    case QUERY_NODE_SHOW_ARBGROUPS_STMT:
992
    case QUERY_NODE_SHOW_ENCRYPTIONS_STMT:
993
    case QUERY_NODE_SHOW_MOUNTS_STMT:
994
    case QUERY_NODE_SHOW_ENCRYPT_ALGORITHMS_STMT:
995
    case QUERY_NODE_SHOW_ENCRYPT_STATUS_STMT:
996
      return !pCxt->pParseCxt->enableSysInfo ? TSDB_CODE_PAR_PERMISSION_DENIED : TSDB_CODE_SUCCESS;
109,591✔
997
    case QUERY_NODE_SHOW_USERS_STMT:
107,857✔
998
    case QUERY_NODE_SHOW_USERS_FULL_STMT:
999
      return authSysPrivileges(pCxt, pStmt, PRIV_USER_SHOW);
107,857✔
1000
    case QUERY_NODE_SHOW_ROLES_STMT:
982✔
1001
      return authSysPrivileges(pCxt, pStmt, PRIV_ROLE_SHOW);
982✔
1002
    case QUERY_NODE_SHOW_USER_PRIVILEGES_STMT:
4,115✔
1003
    case QUERY_NODE_SHOW_ROLE_PRIVILEGES_STMT:
1004
    case QUERY_NODE_SHOW_ROLE_COL_PRIVILEGES_STMT:
1005
      return authSysPrivileges(pCxt, pStmt, PRIV_SHOW_PRIVILEGES);
4,115✔
1006
    case QUERY_NODE_SHOW_DNODES_STMT:
465,069✔
1007
    case QUERY_NODE_SHOW_MNODES_STMT:
1008
    case QUERY_NODE_SHOW_QNODES_STMT:
1009
    case QUERY_NODE_SHOW_SNODES_STMT:
1010
    case QUERY_NODE_SHOW_BNODES_STMT:
1011
      return authSysPrivileges(pCxt, pStmt, PRIV_NODES_SHOW);
465,069✔
1012
    case QUERY_NODE_SHOW_ANODES_STMT:
10,647✔
1013
    case QUERY_NODE_SHOW_ANODES_FULL_STMT:
1014
    case QUERY_NODE_SHOW_XNODES_STMT:
1015
    case QUERY_NODE_SHOW_XNODE_TASKS_STMT:
1016
    case QUERY_NODE_SHOW_XNODE_AGENTS_STMT:
1017
    case QUERY_NODE_SHOW_XNODE_JOBS_STMT:
1018
      return TSDB_CODE_SUCCESS;
10,647✔
1019
    case QUERY_NODE_SHOW_CLUSTER_MACHINES_STMT:
3,850✔
1020
    // case QUERY_NODE_SHOW_LICENCES_STMT: // do not check auth for basic licence info since it's used for taos logon
1021
    case QUERY_NODE_SHOW_GRANTS_FULL_STMT:
1022
    case QUERY_NODE_SHOW_GRANTS_LOGS_STMT:
1023
      return authSysPrivileges(pCxt, pStmt, PRIV_GRANTS_SHOW);
3,850✔
1024
    case QUERY_NODE_SHOW_TABLES_STMT:
477,643✔
1025
    case QUERY_NODE_SHOW_STABLES_STMT:
1026
      return authShowTables(pCxt, (SShowStmt*)pStmt);
477,643✔
1027
    case QUERY_NODE_SHOW_VTABLES_STMT:
59,992✔
1028
      return authShowVtables(pCxt, (SShowStmt*)pStmt);
59,992✔
1029
    case QUERY_NODE_SHOW_CREATE_TABLE_STMT:
90,137✔
1030
    case QUERY_NODE_SHOW_CREATE_VTABLE_STMT:
1031
    case QUERY_NODE_SHOW_CREATE_STABLE_STMT:
1032
      return authShowCreateTable(pCxt, (SShowCreateTableStmt*)pStmt);
90,137✔
1033
    case QUERY_NODE_SHOW_CREATE_VIEW_STMT:
8,270✔
1034
      return authShowCreateView(pCxt, (SShowCreateViewStmt*)pStmt);
8,270✔
1035
    case QUERY_NODE_CREATE_VIEW_STMT:
212,267✔
1036
      return authCreateView(pCxt, (SCreateViewStmt*)pStmt);
212,267✔
1037
    case QUERY_NODE_DROP_VIEW_STMT:
158,896✔
1038
      return authDropView(pCxt, (SDropViewStmt*)pStmt);
158,896✔
1039
    case QUERY_NODE_CREATE_INDEX_STMT:
21,274✔
1040
      return authCreateIndex(pCxt, (SCreateIndexStmt*)pStmt);
21,274✔
1041
    case QUERY_NODE_DROP_INDEX_STMT:
9,591✔
1042
      return authDropIndex(pCxt, (SDropIndexStmt*)pStmt);
9,591✔
1043
    case QUERY_NODE_SHOW_INDEXES_STMT:
6,101✔
1044
      return authShowIndexes(pCxt, (SShowStmt*)pStmt);
6,101✔
1045
    case QUERY_NODE_CREATE_TSMA_STMT:
6,842✔
1046
      return authCreateTsma(pCxt, (SCreateTSMAStmt*)pStmt);
6,842✔
1047
    case QUERY_NODE_DROP_TSMA_STMT:
2,561✔
1048
      return authDropTsma(pCxt, (SDropTSMAStmt*)pStmt);
2,561✔
1049
    case QUERY_NODE_CREATE_RSMA_STMT:
111,804✔
1050
      return authCreateRsma(pCxt, (SCreateRsmaStmt*)pStmt);
111,804✔
1051
    case QUERY_NODE_DROP_RSMA_STMT:
10,284✔
1052
      return authDropRsma(pCxt, (SDropRsmaStmt*)pStmt);
10,284✔
1053
    case QUERY_NODE_ALTER_RSMA_STMT:
20,754✔
1054
      return authObjPrivileges(pCxt, ((SAlterRsmaStmt*)pStmt)->dbName, ((SAlterRsmaStmt*)pStmt)->rsmaName,
20,754✔
1055
                               PRIV_CM_ALTER, PRIV_OBJ_RSMA);
1056
    case QUERY_NODE_SHOW_CREATE_RSMA_STMT:
3,180✔
1057
      return authShowCreateRsma(pCxt, (SShowCreateRsmaStmt*)pStmt);
3,180✔
1058
    case QUERY_NODE_CREATE_DATABASE_STMT:
1,433,437✔
1059
      return authCreateDatabase(pCxt, (SCreateDatabaseStmt*)pStmt);
1,433,437✔
1060
    case QUERY_NODE_BALANCE_VGROUP_STMT:
11,505✔
1061
      return authSysPrivileges(pCxt, pStmt, PRIV_VG_BALANCE);
11,505✔
1062
    case QUERY_NODE_BALANCE_VGROUP_LEADER_DATABASE_STMT:
2,877✔
1063
    case QUERY_NODE_BALANCE_VGROUP_LEADER_STMT:
1064
      return authSysPrivileges(pCxt, pStmt, PRIV_VG_BALANCE_LEADER);
2,877✔
1065
    case QUERY_NODE_MERGE_VGROUP_STMT:
×
1066
      return authSysPrivileges(pCxt, pStmt, PRIV_VG_MERGE);
×
1067
    case QUERY_NODE_SPLIT_VGROUP_STMT:
17,651✔
1068
      return authSysPrivileges(pCxt, pStmt, PRIV_VG_SPLIT);
17,651✔
1069
    case QUERY_NODE_REDISTRIBUTE_VGROUP_STMT:
45,934✔
1070
      return authSysPrivileges(pCxt, pStmt, PRIV_VG_REDISTRIBUTE);
45,934✔
1071
    case QUERY_NODE_CREATE_FUNCTION_STMT:
14,080✔
1072
      return authSysPrivileges(pCxt, pStmt, PRIV_FUNC_CREATE);
14,080✔
1073
    case QUERY_NODE_DROP_FUNCTION_STMT:
8,649✔
1074
      return authSysPrivileges(pCxt, pStmt, PRIV_FUNC_DROP);
8,649✔
1075
    case QUERY_NODE_SHOW_FUNCTIONS_STMT:
11,038✔
1076
      return authSysPrivileges(pCxt, pStmt, PRIV_FUNC_SHOW);
11,038✔
1077
    case QUERY_NODE_GRANT_STMT:
877,084✔
1078
      return authGrant(pCxt, (SGrantStmt*)pStmt);
877,084✔
1079
    case QUERY_NODE_REVOKE_STMT:
473,216✔
1080
      return authRevoke(pCxt, (SRevokeStmt*)pStmt);
473,216✔
1081
    case QUERY_NODE_CREATE_DNODE_STMT:
291,729✔
1082
    case QUERY_NODE_CREATE_MNODE_STMT:
1083
    case QUERY_NODE_CREATE_QNODE_STMT:
1084
    case QUERY_NODE_CREATE_SNODE_STMT:
1085
    case QUERY_NODE_CREATE_BNODE_STMT:
1086
    case QUERY_NODE_CREATE_ANODE_STMT:
1087
    case QUERY_NODE_CREATE_XNODE_STMT:
1088
      return authSysPrivileges(pCxt, pStmt, PRIV_NODE_CREATE);
291,729✔
1089
    case QUERY_NODE_DROP_DNODE_STMT:
106,181✔
1090
    case QUERY_NODE_DROP_MNODE_STMT:
1091
    case QUERY_NODE_DROP_QNODE_STMT:
1092
    case QUERY_NODE_DROP_SNODE_STMT:
1093
    case QUERY_NODE_DROP_BNODE_STMT:
1094
    case QUERY_NODE_DROP_ANODE_STMT:
1095
    case QUERY_NODE_DROP_XNODE_STMT:
1096
      return authSysPrivileges(pCxt, pStmt, PRIV_NODE_DROP);
106,181✔
1097
    case QUERY_NODE_SHOW_TRANSACTIONS_STMT:
436,347✔
1098
    case QUERY_NODE_SHOW_TRANSACTION_DETAILS_STMT:
1099
      return authSysPrivileges(pCxt, pStmt, PRIV_TRANS_SHOW);
436,347✔
1100
    case QUERY_NODE_KILL_TRANSACTION_STMT:
626✔
1101
      return authSysPrivileges(pCxt, pStmt, PRIV_TRANS_KILL);
626✔
1102
    case QUERY_NODE_SHOW_QUERIES_STMT:
1,814✔
1103
      return authSysPrivileges(pCxt, pStmt, PRIV_QUERY_SHOW);
1,814✔
1104
    case QUERY_NODE_KILL_QUERY_STMT:
222✔
1105
      return authSysPrivileges(pCxt, pStmt, PRIV_QUERY_KILL);
222✔
1106
    case QUERY_NODE_KILL_CONNECTION_STMT:
313✔
1107
      return authSysPrivileges(pCxt, pStmt, PRIV_CONN_KILL);
313✔
1108
    case QUERY_NODE_ALTER_DATABASE_STMT:
186,697✔
1109
      return authAlterDatabase(pCxt, (SAlterDatabaseStmt*)pStmt);
186,697✔
1110
    case QUERY_NODE_ALTER_LOCAL_STMT:
433,877✔
1111
      return authAlterLocal(pCxt, (SAlterLocalStmt*)pStmt);
433,877✔
1112
    case QUERY_NODE_DROP_DATABASE_STMT:
1,177,650✔
1113
      return authDropDatabase(pCxt, (SDropDatabaseStmt*)pStmt);
1,177,650✔
1114
    case QUERY_NODE_USE_DATABASE_STMT:
81,844,507✔
1115
      return authUseDatabase(pCxt, (SUseDatabaseStmt*)pStmt);
81,844,507✔
1116
    case QUERY_NODE_FLUSH_DATABASE_STMT:
1,835,136✔
1117
      return authObjPrivileges(pCxt, ((SFlushDatabaseStmt*)pStmt)->dbName, NULL, PRIV_DB_FLUSH, PRIV_OBJ_DB);
1,835,136✔
1118
    case QUERY_NODE_COMPACT_DATABASE_STMT:
28,450✔
1119
      return authObjPrivileges(pCxt, ((SCompactDatabaseStmt*)pStmt)->dbName, NULL, PRIV_DB_COMPACT, PRIV_OBJ_DB);
28,450✔
1120
    case QUERY_NODE_TRIM_DATABASE_STMT:
8,893✔
1121
      return authObjPrivileges(pCxt, ((STrimDatabaseStmt*)pStmt)->dbName, NULL, PRIV_DB_TRIM, PRIV_OBJ_DB);
8,893✔
1122
    case QUERY_NODE_ROLLUP_DATABASE_STMT:
9,870✔
1123
      return authObjPrivileges(pCxt, ((SRollupDatabaseStmt*)pStmt)->dbName, NULL, PRIV_DB_ROLLUP, PRIV_OBJ_DB);
9,870✔
1124
    case QUERY_NODE_SCAN_DATABASE_STMT:
800✔
1125
      return authObjPrivileges(pCxt, ((SScanDatabaseStmt*)pStmt)->dbName, NULL, PRIV_DB_SCAN, PRIV_OBJ_DB);
800✔
1126
    case QUERY_NODE_SSMIGRATE_DATABASE_STMT:
3,042✔
1127
      return authObjPrivileges(pCxt, ((SSsMigrateDatabaseStmt*)pStmt)->dbName, NULL, PRIV_DB_SSMIGRATE, PRIV_OBJ_DB);
3,042✔
1128
    case QUERY_NODE_SHOW_USAGE_STMT:  // disk info
325✔
1129
      return authShowUsage(pCxt, (SShowStmt*)pStmt);
325✔
1130
    case QUERY_NODE_SHOW_APPS_STMT:
1,814✔
1131
      return authSysPrivileges(pCxt, pStmt, PRIV_APPS_SHOW);
1,814✔
1132
    case QUERY_NODE_SHOW_CLUSTER_STMT:
11,421✔
1133
      return authSysPrivileges(pCxt, pStmt, PRIV_CLUSTER_SHOW);
11,421✔
1134
      // check in mnode
1135
    case QUERY_NODE_SHOW_VGROUPS_STMT:
725,908✔
1136
    case QUERY_NODE_SHOW_VNODES_STMT:
1137
    case QUERY_NODE_SHOW_COMPACTS_STMT:
1138
    case QUERY_NODE_SHOW_RETENTIONS_STMT:
1139
    case QUERY_NODE_SHOW_SCANS_STMT:
1140
    case QUERY_NODE_SHOW_SSMIGRATES_STMT:
1141
      return TSDB_CODE_SUCCESS;
725,908✔
1142
    default:
89,221,362✔
1143
      break;
89,221,362✔
1144
  }
1145
#endif
1146
  return code;
89,221,362✔
1147
}
1148

1149
int32_t authenticate(SParseContext* pParseCxt, SQuery* pQuery, SParseMetaCache* pMetaCache) {
424,125,111✔
1150
  SAuthCxt cxt = {.pParseCxt = pParseCxt, .pMetaCache = pMetaCache, .errCode = TSDB_CODE_SUCCESS};
424,125,111✔
1151
  return authQuery(&cxt, pQuery->pRoot);
424,133,895✔
1152
}
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc