taosdata / TDengine / #5071

    mError("secpolicy:%d, failed to encode to raw:%p since %s", pObj->type, pRaw, terrstr());

    sdbFreeRaw(pRaw);

    return NULL;

    terrno = TSDB_CODE_SDB_INVALID_DATA_VER;

    goto _OVER;

    mError("secpolicy:%d, failed to decode from raw:%p since %s", pObj == NULL ? 0 : pObj->type, pRaw, terrstr());

    taosMemoryFreeClear(pRow);

    return NULL;

static int32_t mndSecPolicyActionUpdate(SSdb *pSdb, SSecurityPolicyObj *pOld, SSecurityPolicyObj *pNew) {

  mTrace("secpolicy:%d, perform update action, old row:%p new row:%p", pOld->type, pOld, pNew);

  pOld->updateTime = pNew->updateTime;

  pOld->activateTime = pNew->activateTime;

  pOld->status = pNew->status;

  tstrncpy(pOld->activator, pNew->activator, sizeof(pOld->activator));

  (void)memcpy(pOld->reserve, pNew->reserve, sizeof(pOld->reserve));

  if (pOld->type == TSDB_SECURITY_POLICY_MAC) {

    pSdb->pMnode->macActive = pOld->status;

  return 0;

    sdbFreeRaw(pRaw);

    return code;

    sdbFreeRaw(pRaw);

    return code;

    mError("trans:%d, failed to prepare since %s", pTrans->id, tstrerror(code));

static int32_t mndRetrieveSecurityPolicies(SRpcMsg *pMsg, SShowObj *pShow, SSDataBlock *pBlock, int32_t rows) {

  SMnode             *pMnode = pMsg->info.node;

  SSdb               *pSdb = pMnode->pSdb;

  int32_t             code = 0, lino = 0;

  int32_t             numOfRows = 0;

  SSecurityPolicyObj *pObj = NULL;

  char                buf[128 + VARSTR_HEADER_SIZE] = {0};

  while (numOfRows < rows) {

    pShow->pIter = sdbFetch(pSdb, SDB_SECURITY_POLICY, pShow->pIter, (void **)&pObj);

    if (pShow->pIter == NULL) break;

    int32_t cols = 0;

    if (pObj->type == TSDB_SECURITY_POLICY_SOD) {

      int32_t sodPhase = mndGetSoDPhase(pMnode);

      bool    sodEnabled = (pObj->status == SOD_MODE_ENABLED);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, "SoD", pShow->pMeta->pSchemas[cols].bytes);

      SColumnInfoData *pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, sodEnabled ? "enabled" : _SoDMandatoryInfo[sodPhase][0],

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, sodEnabled ? "SYSTEM" : pObj->activator, pShow->pMeta->pSchemas[cols].bytes);

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO((const char *)&pObj->updateTime, false, pObj, pShow->pIter, _OVER);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, sodEnabled ? "non-mandatory, root not disabled" : _SoDMandatoryInfo[sodPhase][1],

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

    } else if (pObj->type == TSDB_SECURITY_POLICY_MAC) {

      bool macActive = (pObj->status == MAC_MODE_MANDATORY);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, "MAC", pShow->pMeta->pSchemas[cols].bytes);

      SColumnInfoData *pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, macActive ? "mandatory" : "disabled", pShow->pMeta->pSchemas[cols].bytes);

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, macActive ? pObj->activator : "SYSTEM", pShow->pMeta->pSchemas[cols].bytes);

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO((const char *)&pObj->updateTime, false, pObj, pShow->pIter, _OVER);

      STR_WITH_MAXSIZE_TO_VARSTR(buf, macActive ? "security levels 0-4; activated, irreversible" : "not activated",

      pColInfo = taosArrayGet(pBlock->pDataBlock, cols++);

      COL_DATA_SET_VAL_GOTO(buf, false, pObj, pShow->pIter, _OVER);

      sdbRelease(pSdb, pObj);

      continue;

    sdbRelease(pSdb, pObj);

    ++numOfRows;

  pShow->numOfRows += numOfRows;

_OVER:

  if (code != 0) {

    mError("failed to retrieve security policies at line %d since %s", lino, tstrerror(code));

    TAOS_RETURN(code);

  return numOfRows;

static void mndCancelGetNextSecurityPolicy(SMnode *pMnode, void *pIter) {

  SSdb *pSdb = pMnode->pSdb;

  sdbCancelFetchByType(pSdb, pIter, SDB_SECURITY_POLICY);

}

int32_t mndProcessConfigSoDReq(SMnode *pMnode, SRpcMsg *pReq, SMCfgClusterReq *pCfg) {

  int32_t code = 0, lino = 0;

  SSecurityPolicyObj obj = {0};

  STrans            *pTrans = NULL;

  SUserObj          *pRootUser = NULL;

  SUserObj           newRootUser = {0};

  TAOS_CHECK_EXIT(mndCheckOperPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_CONFIG_SOD));

  if (taosStrncasecmp(pCfg->value, "mandatory", 10) != 0) {

    TAOS_CHECK_EXIT(TSDB_CODE_INVALID_CFG_VALUE);

  SSecurityPolicyObj *pObj = mndAcquireSecPolicy(pMnode, TSDB_SECURITY_POLICY_SOD);

  if (!pObj) {

    TAOS_CHECK_EXIT(TSDB_CODE_APP_IS_STARTING);

  if (pObj->status == SOD_MODE_MANDATORY) {

    mndReleaseSecPolicy(pMnode, pObj);

    TAOS_RETURN(0);

  if ((code = mndCheckManagementRoleStatus(pMnode, NULL, 0))) {

    mndReleaseSecPolicy(pMnode, pObj);

    TAOS_CHECK_EXIT(code);

  mInfo("update security policy SoD mode to mandatory by %s", RPC_MSG_USER(pReq));

  (void)memcpy(&obj, pObj, sizeof(SSecurityPolicyObj));

  obj.status = SOD_MODE_MANDATORY;

  obj.activateTime = taosGetTimestampMs();

  obj.updateTime = obj.activateTime;

  tstrncpy(obj.activator, RPC_MSG_USER(pReq), sizeof(obj.activator));

  mndReleaseSecPolicy(pMnode, pObj);

  TAOS_CHECK_EXIT(mndAcquireUser(pMnode, "root", &pRootUser));

  TAOS_CHECK_EXIT(mndUserDupObj(pRootUser, &newRootUser));

  newRootUser.enable = 0;

  pTrans = mndTransCreate(pMnode, TRN_POLICY_ROLLBACK, TRN_CONFLICT_ROLE, pReq, "update-sod-mode");

  if (pTrans == NULL) {

    TAOS_CHECK_EXIT(terrno);

  SSdbRaw *pCommitRaw = mndSecPolicyActionEncode(&obj);

  if (pCommitRaw == NULL || mndTransAppendCommitlog(pTrans, pCommitRaw) != 0) {

    if (pCommitRaw) sdbFreeRaw(pCommitRaw);

    TAOS_CHECK_EXIT(terrno);

  TAOS_CHECK_EXIT(sdbSetRawStatus(pCommitRaw, SDB_STATUS_READY));

  SSdbRaw *pCommitRawRoot = mndUserActionEncode(&newRootUser);

  if (pCommitRawRoot == NULL || mndTransAppendCommitlog(pTrans, pCommitRawRoot) != 0) {

    if (pCommitRawRoot) sdbFreeRaw(pCommitRawRoot);

    TAOS_CHECK_EXIT(terrno);

  TAOS_CHECK_EXIT(sdbSetRawStatus(pCommitRawRoot, SDB_STATUS_READY));

  mndSetSoDPhase(pMnode, TSDB_SOD_PHASE_ENFORCE);

  mndTransSetCb(pTrans, 0, TRANS_STOP_FUNC_SOD, NULL, 0);

  if ((code = mndTransPrepare(pMnode, pTrans)) != 0) {

    mndSetSoDPhase(pMnode, TSDB_SOD_PHASE_STABLE);

    TAOS_CHECK_EXIT(code);

_exit:

  if (pRootUser) mndReleaseUser(pMnode, pRootUser);

  mndUserFreeObj(&newRootUser);

  mndTransDrop(pTrans);

  if (code < 0 && code != TSDB_CODE_ACTION_IN_PROGRESS) {

    mError("%s failed at line %d since %s", __func__, lino, tstrerror(code));

  TAOS_RETURN(code);

int32_t mndProcessConfigMacReq(SMnode *pMnode, SRpcMsg *pReq, SMCfgClusterReq *pCfg) {

  int32_t            code = 0, lino = 0;

  SSecurityPolicyObj obj = {0};

  STrans            *pTrans = NULL;

  SUserObj          *pScanUser = NULL;

  void              *pScanIter = NULL;

  TAOS_CHECK_EXIT(mndCheckOperPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_CONFIG_MAC));

  if (taosStrncasecmp(pCfg->value, "mandatory", 10) != 0) {

    TAOS_CHECK_EXIT(TSDB_CODE_INVALID_CFG_VALUE);

  SSecurityPolicyObj *pObj = mndAcquireSecPolicy(pMnode, TSDB_SECURITY_POLICY_MAC);

  if (!pObj) {

    TAOS_CHECK_EXIT(TSDB_CODE_APP_IS_STARTING);

  if (pObj->status == MAC_MODE_MANDATORY) {

    mInfo("cluster MAC is already mandatory, ignoring repeated activation by %s", RPC_MSG_USER(pReq));

    mndReleaseSecPolicy(pMnode, pObj);

    TAOS_RETURN(0);

    SSdb *pSdb = pMnode->pSdb;

    while ((pScanIter = sdbFetch(pSdb, SDB_USER, pScanIter, (void **)&pScanUser)) != NULL) {

      if (pScanUser->superUser) {

        sdbRelease(pSdb, pScanUser);

        pScanUser = NULL;

        continue;

      int8_t floorMaxLevel = mndGetUserRoleFloorMaxLevel(pScanUser->roles);

      int8_t floorMinLevel = mndGetUserRoleFloorMinLevel(pScanUser->roles);

      bool   hasDirectPriv = PRIV_HAS(&pScanUser->sysPrivs, PRIV_SECURITY_POLICY_ALTER);

      if (floorMaxLevel == 0 && floorMinLevel == 0 && !hasDirectPriv) {

        sdbRelease(pSdb, pScanUser);

        pScanUser = NULL;

        continue;

      char   reason[256] = {0};

      int8_t hintMin = 0, hintMax = 0;

      if (pScanUser->maxSecLevel < floorMaxLevel) {

        snprintf(reason, sizeof(reason), "maxSecLevel(%d) < required maxFloor(%d) (role constraint)",

                 (int32_t)pScanUser->maxSecLevel, (int32_t)floorMaxLevel);

        hintMin = floorMinLevel;

        hintMax = floorMaxLevel;

      } else if (pScanUser->minSecLevel < floorMinLevel) {

        snprintf(reason, sizeof(reason), "minSecLevel(%d) < required minFloor(%d) (role constraint)",

                 (int32_t)pScanUser->minSecLevel, (int32_t)floorMinLevel);

        hintMin = floorMinLevel;

        hintMax = floorMaxLevel;

      } else if (hasDirectPriv && pScanUser->maxSecLevel < TSDB_MAX_SECURITY_LEVEL) {

        snprintf(reason, sizeof(reason),

                 (int32_t)pScanUser->maxSecLevel, (int32_t)TSDB_MAX_SECURITY_LEVEL, (int32_t)TSDB_MAX_SECURITY_LEVEL);

        hintMin = pScanUser->minSecLevel;  // min is already acceptable; keep it

        hintMax = TSDB_MAX_SECURITY_LEVEL;

      if (reason[0] != '\0') {

        mError("MAC preflight: user '%s' %s", pScanUser->user, reason);

        char detail[512];

        snprintf(detail, sizeof(detail),

                 pScanUser->user, reason, pScanUser->user, (int32_t)hintMin, (int32_t)hintMax);

        sdbRelease(pSdb, pScanUser);

        pScanUser = NULL;

        sdbCancelFetch(pSdb, pScanIter);

        pScanIter = NULL;

        int32_t detailLen = strlen(detail) + 1;

        void   *pRsp = rpcMallocCont(detailLen);

        if (pRsp != NULL) {

          memcpy(pRsp, detail, detailLen);

          pReq->info.rspLen = detailLen;

          pReq->info.rsp = pRsp;

        mndReleaseSecPolicy(pMnode, pObj);

        code = TSDB_CODE_MAC_PRECHECK_FAILED;

        goto _exit;

      sdbRelease(pSdb, pScanUser);

      pScanUser = NULL;

    pScanIter = NULL;

  mInfo("activating cluster MAC by %s", RPC_MSG_USER(pReq));

  (void)memcpy(&obj, pObj, sizeof(SSecurityPolicyObj));

  obj.status = MAC_MODE_MANDATORY;

  obj.activateTime = taosGetTimestampMs();

  obj.updateTime = obj.activateTime;

  tstrncpy(obj.activator, RPC_MSG_USER(pReq), sizeof(obj.activator));

  mndReleaseSecPolicy(pMnode, pObj);

  pObj = NULL;

  pTrans = mndTransCreate(pMnode, TRN_POLICY_ROLLBACK, TRN_CONFLICT_ROLE, pReq, "activate-mac");

  if (pTrans == NULL) {

    TAOS_CHECK_EXIT(terrno);

  SSdbRaw *pCommitRaw = mndSecPolicyActionEncode(&obj);

  if (pCommitRaw == NULL || mndTransAppendCommitlog(pTrans, pCommitRaw) != 0) {

    if (pCommitRaw) sdbFreeRaw(pCommitRaw);

    TAOS_CHECK_EXIT(terrno);

  TAOS_CHECK_EXIT(sdbSetRawStatus(pCommitRaw, SDB_STATUS_READY));

  if ((code = mndTransPrepare(pMnode, pTrans)) != 0) {

    TAOS_CHECK_EXIT(code);

_exit:

  if (pScanIter) sdbCancelFetch(pMnode->pSdb, pScanIter);

  if (pScanUser) sdbRelease(pMnode->pSdb, pScanUser);

  mndTransDrop(pTrans);

  if (code < 0 && code != TSDB_CODE_ACTION_IN_PROGRESS) {

    mError("%s failed at line %d since %s", __func__, lino, tstrerror(code));

  TAOS_RETURN(code);

void mndSodTransStop(SMnode *pMnode, void *param, int32_t paramLen) {

  mInfo("SoD trans stop, set SoD phase to %d", TSDB_SOD_PHASE_STABLE);

  mndSetSoDPhase(pMnode, TSDB_SOD_PHASE_STABLE);

}

void mndSodGrantRoleStop(SMnode *pMnode, void *param, int32_t paramLen) {

  if (mndGetSoDPhase(pMnode) != TSDB_SOD_PHASE_INITIAL) {

    return;

  if (mndCheckManagementRoleStatus(pMnode, NULL, 0) == 0) {

    mInfo("SoD role check completed, all mandatory roles satisfied, trigger enforce SoD");

    (void)mndProcessEnforceSodImpl(pMnode);

static int32_t mndProcessEnforceSodImpl(SMnode *pMnode) {

  int32_t code = 0, lino = 0;

  int32_t contLen = 0;

  void   *pCont = NULL;

  SMCfgClusterReq cfgReq = {0};

  tsnprintf(cfgReq.config, sizeof(cfgReq.config), "SoD");

  tsnprintf(cfgReq.value, sizeof(cfgReq.value), "mandatory");

  contLen = tSerializeSMCfgClusterReq(NULL, 0, &cfgReq);

  TAOS_CHECK_EXIT(contLen);

  if (!(pCont = rpcMallocCont(contLen))) {

    TAOS_CHECK_EXIT(TSDB_CODE_OUT_OF_MEMORY);

  if ((code = tSerializeSMCfgClusterReq(pCont, contLen, &cfgReq)) != contLen) {

    rpcFreeCont(pCont);

    TAOS_CHECK_EXIT(code);

  SRpcMsg rpcMsg = {.pCont = pCont,

  SEpSet  epSet = {0};

  mndGetMnodeEpSet(pMnode, &epSet);

  TAOS_CHECK_EXIT(tmsgSendReq(&epSet, &rpcMsg));

_exit:

  if (code < 0) {

    mError("failed at line %d to enforce SoD since %s", lino, tstrerror(code));

  TAOS_RETURN(code);

int32_t mndProcessEnforceSod(SMnode *pMnode) {

  int32_t code = 0, lino = 0;

  SSecurityPolicyObj *pObj = mndAcquireSecPolicy(pMnode, TSDB_SECURITY_POLICY_SOD);

  if (pObj == NULL) {

    TAOS_CHECK_EXIT(terrno);

  if (pObj->status == SOD_MODE_MANDATORY) {

    mInfo("cluster is already in SoD mandatory mode");

    mndReleaseSecPolicy(pMnode, pObj);

    TAOS_RETURN(0);

  mndSetSoDPhase(pMnode, TSDB_SOD_PHASE_INITIAL);

  mInfo("start to enforce SoD from initial phase, secpolicy type:%d", pObj->type);

  if ((code = mndCheckManagementRoleStatus(pMnode, NULL, 0))) {

    mndReleaseSecPolicy(pMnode, pObj);

    TAOS_CHECK_EXIT(code);

  mndReleaseSecPolicy(pMnode, pObj);

  TAOS_CHECK_EXIT(mndProcessEnforceSodImpl(pMnode));

  code = TSDB_CODE_ACTION_IN_PROGRESS;

_exit:

  if (code < 0 && code != TSDB_CODE_ACTION_IN_PROGRESS) {

    mError("failed to enforce SoD at line %d since %s", lino, tstrerror(code));

  TAOS_RETURN(code);