[Refactor] Unify all authentication interfaces to PrivilegeChecker (S…

…tarRocks#28420)

Signed-off-by: HangyuanLiu <[email protected]>

fe/fe-core/src/main/java/com/starrocks/catalog/ResourceMgr.java

@@ -53,7 +53,7 @@
 import com.starrocks.privilege.AccessDeniedException;
 import com.starrocks.qe.ConnectContext;
 import com.starrocks.server.GlobalStateMgr;
-import com.starrocks.sql.analyzer.PrivilegeChecker;
+import com.starrocks.sql.analyzer.Authorizer;
 import com.starrocks.sql.ast.AlterResourceStmt;
 import com.starrocks.sql.ast.CreateResourceStmt;
 import com.starrocks.sql.ast.DropCatalogStmt;
@@ -338,7 +338,7 @@ public ProcResult fetchResult() {
                 }
 
                 try {
-                    PrivilegeChecker.checkAnyActionOnResource(ConnectContext.get().getCurrentUserIdentity(),
+                    Authorizer.checkAnyActionOnResource(ConnectContext.get().getCurrentUserIdentity(),
                             ConnectContext.get().getCurrentRoleIds(), resource.getName());
                 } catch (AccessDeniedException e) {
                     continue;

fe/fe-core/src/main/java/com/starrocks/http/BaseAction.java

@@ -44,7 +44,7 @@
 import com.starrocks.privilege.PrivilegeType;
 import com.starrocks.qe.ConnectContext;
 import com.starrocks.server.GlobalStateMgr;
-import com.starrocks.sql.analyzer.PrivilegeChecker;
+import com.starrocks.sql.analyzer.Authorizer;
 import com.starrocks.sql.ast.UserIdentity;
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.Unpooled;
@@ -292,7 +292,7 @@ public static ActionAuthorizationInfo of(String fullUserName, String password, S
     // For new RBAC privilege framework
     protected void checkActionOnSystem(UserIdentity currentUser, PrivilegeType... systemActions) {
         for (PrivilegeType systemAction : systemActions) {
-            PrivilegeChecker.checkSystemAction(currentUser, null, systemAction);
+            Authorizer.checkSystemAction(currentUser, null, systemAction);
         }
     }
 
@@ -317,7 +317,7 @@ protected void checkUserOwnsAdminRole(UserIdentity currentUser) throws AccessDen
     }
 
     protected void checkTableAction(ConnectContext context, String db, String tbl, PrivilegeType privType) {
-        PrivilegeChecker.checkTableAction(context.getCurrentUserIdentity(), context.getCurrentRoleIds(), db, tbl, privType);
+        Authorizer.checkTableAction(context.getCurrentUserIdentity(), context.getCurrentRoleIds(), db, tbl, privType);
     }
 
     // return currentUserIdentity from StarRocks auth

fe/fe-core/src/main/java/com/starrocks/http/rest/GetLoadInfoAction.java

@@ -43,7 +43,7 @@
 import com.starrocks.load.Load;
 import com.starrocks.privilege.PrivilegeType;
 import com.starrocks.qe.ConnectContext;
-import com.starrocks.sql.analyzer.PrivilegeChecker;
+import com.starrocks.sql.analyzer.Authorizer;
 import io.netty.handler.codec.http.HttpMethod;
 
 // Get load information of one load job
@@ -75,7 +75,7 @@ public void executeWithoutPassword(BaseRequest request, BaseResponse response)
         }
 
         if (info.tblNames.isEmpty()) {
-            PrivilegeChecker.checkActionInDb(ConnectContext.get().getCurrentUserIdentity(),
+            Authorizer.checkActionInDb(ConnectContext.get().getCurrentUserIdentity(),
                     ConnectContext.get().getCurrentRoleIds(), info.dbName, PrivilegeType.INSERT);
         } else {
             for (String tblName : info.tblNames) {

fe/fe-core/src/main/java/com/starrocks/load/ExportMgr.java

@@ -56,7 +56,7 @@
 import com.starrocks.privilege.AccessDeniedException;
 import com.starrocks.qe.ConnectContext;
 import com.starrocks.server.GlobalStateMgr;
-import com.starrocks.sql.analyzer.PrivilegeChecker;
+import com.starrocks.sql.analyzer.Authorizer;
 import com.starrocks.sql.ast.CancelExportStmt;
 import com.starrocks.sql.ast.ExportStmt;
 import com.starrocks.sql.common.MetaUtils;
@@ -225,7 +225,7 @@ public List<List<String>> getExportJobInfosByIdOrState(
                     }
 
                     try {
-                        PrivilegeChecker.checkAnyActionOnOrInDb(ConnectContext.get().getCurrentUserIdentity(),
+                        Authorizer.checkAnyActionOnOrInDb(ConnectContext.get().getCurrentUserIdentity(),
                                 ConnectContext.get().getCurrentRoleIds(),
                                 InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME,
                                 db.getFullName());
@@ -234,7 +234,7 @@ public List<List<String>> getExportJobInfosByIdOrState(
                     }
                 } else {
                     try {
-                        PrivilegeChecker.checkAnyActionOnTable(ConnectContext.get().getCurrentUserIdentity(),
+                        Authorizer.checkAnyActionOnTable(ConnectContext.get().getCurrentUserIdentity(),
                                 ConnectContext.get().getCurrentRoleIds(), tableName);
                     } catch (AccessDeniedException e) {
                         continue;

fe/fe-core/src/main/java/com/starrocks/load/routineload/RoutineLoadFunctionalExprProvider.java

@@ -23,7 +23,7 @@
 import com.starrocks.privilege.AccessDeniedException;
 import com.starrocks.privilege.PrivilegeType;
 import com.starrocks.qe.ConnectContext;
-import com.starrocks.sql.analyzer.PrivilegeChecker;
+import com.starrocks.sql.analyzer.Authorizer;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -248,7 +248,7 @@ protected ImmutableList<ColumnValueSupplier<RoutineLoadJob>> delegateWhereSuppli
     protected boolean delegatePostRowFilter(ConnectContext cxt, RoutineLoadJob job) {
         try {
             try {
-                PrivilegeChecker.checkTableAction(
+                Authorizer.checkTableAction(
                         cxt.getCurrentUserIdentity(), cxt.getCurrentRoleIds(),
                         job.getDbFullName(),
                         job.getTableName(),

fe/fe-core/src/main/java/com/starrocks/load/streamload/StreamLoadFunctionalExprProvider.java

@@ -20,7 +20,7 @@
 import com.starrocks.privilege.AccessDeniedException;
 import com.starrocks.privilege.PrivilegeType;
 import com.starrocks.qe.ConnectContext;
-import com.starrocks.sql.analyzer.PrivilegeChecker;
+import com.starrocks.sql.analyzer.Authorizer;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -180,7 +180,7 @@ protected ImmutableList<ColumnValueSupplier<StreamLoadTask>> delegateWhereSuppli
     protected boolean delegatePostRowFilter(ConnectContext cxt, StreamLoadTask task) {
         // validate table privilege at the end of a predicateChain in the `stream().filter()`
         try {
-            PrivilegeChecker.checkTableAction(
+            Authorizer.checkTableAction(
                     cxt.getCurrentUserIdentity(), cxt.getCurrentRoleIds(),
                     task.getDBName(),
                     task.getTableName(),

fe/fe-core/src/main/java/com/starrocks/privilege/SystemAccessControl.java → fe/fe-core/src/main/java/com/starrocks/privilege/AccessControl.java

@@ -21,85 +21,113 @@
 
 import java.util.Set;
 
-public interface SystemAccessControl {
-
+public interface AccessControl {
     default void checkSystemAction(UserIdentity currentUser, Set<Long> roleIds, PrivilegeType privilegeType) {
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.SYSTEM, null);
     }
 
-    default void checkCatalogAction(UserIdentity currentUser, Set<Long> roleIds, String name, PrivilegeType privilegeType) {
+    default void checkCatalogAction(UserIdentity currentUser, Set<Long> roleIds, String catalogName,
+                                    PrivilegeType privilegeType) {
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.CATALOG, catalogName);
     }
 
     default void checkAnyActionOnCatalog(UserIdentity currentUser, Set<Long> roleIds, String catalogName) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.CATALOG, catalogName);
     }
 
     default void checkDbAction(UserIdentity currentUser, Set<Long> roleIds, String catalogName, String db,
                                PrivilegeType privilegeType) {
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.DATABASE, catalogName);
     }
 
     default void checkAnyActionOnDb(UserIdentity currentUser, Set<Long> roleIds, String catalogName, String db) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.DATABASE, catalogName);
     }
 
     default void checkTableAction(UserIdentity currentUser, Set<Long> roleIds, TableName tableName, PrivilegeType privilegeType) {
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.TABLE, tableName.getTbl());
     }
 
     default void checkAnyActionOnTable(UserIdentity currentUser, Set<Long> roleIds, TableName tableName) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.TABLE, tableName.getTbl());
     }
 
-    default void checkViewAction(UserIdentity currentUser, Set<Long> roleIds, TableName tableName, PrivilegeType privilegeType) {
+    default void checkAnyActionOnAnyTable(UserIdentity currentUser, Set<Long> roleIds, String catalog, String db) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.TABLE, "ANY");
+    }
 
+    default void checkViewAction(UserIdentity currentUser, Set<Long> roleIds, TableName tableName, PrivilegeType privilegeType) {
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.VIEW, tableName.getTbl());
     }
 
     default void checkAnyActionOnView(UserIdentity currentUser, Set<Long> roleIds, TableName tableName) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.VIEW, tableName.getTbl());
+    }
+
+    default void checkAnyActionOnAnyView(UserIdentity currentUser, Set<Long> roleIds, String db) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.VIEW, "ANY");
     }
 
     default void checkMaterializedViewAction(UserIdentity currentUser, Set<Long> roleIds, TableName tableName,
                                              PrivilegeType privilegeType) {
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.MATERIALIZED_VIEW, tableName.getTbl());
     }
 
     default void checkAnyActionOnMaterializedView(UserIdentity currentUser, Set<Long> roleIds, TableName tableName) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.MATERIALIZED_VIEW, tableName.getTbl());
+    }
+
+    default void checkAnyActionOnAnyMaterializedView(UserIdentity currentUser, Set<Long> roleIds, String db) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.MATERIALIZED_VIEW, "ANY");
     }
 
     default void checkFunctionAction(UserIdentity currentUser, Set<Long> roleIds, Database database, Function function,
                                      PrivilegeType privilegeType) {
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.FUNCTION, function.getSignature());
+    }
+
+    default void checkAnyActionOnFunction(UserIdentity currentUser, Set<Long> roleIds, String database, Function function) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.FUNCTION, function.getSignature());
     }
 
-    default void checkAnyActionOnFunction(UserIdentity currentUser, Set<Long> roleIds, long databaseId, long functionSig) {
+    default void checkAnyActionOnAnyFunction(UserIdentity currentUser, Set<Long> roleIds, String database) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.FUNCTION, "ANY");
     }
 
     default void checkGlobalFunctionAction(UserIdentity currentUser, Set<Long> roleIds, Function function,
                                            PrivilegeType privilegeType) {
-
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.GLOBAL_FUNCTION, function.getSignature());
     }
 
-    default void checkAnyActionOnGlobalFunction(UserIdentity currentUser, Set<Long> roleIds, Long functionId) {
-
+    default void checkAnyActionOnGlobalFunction(UserIdentity currentUser, Set<Long> roleIds, Function function) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.GLOBAL_FUNCTION, function.getSignature());
     }
 
     /**
      * Check whether current user has specified privilege action on any object(table/view/mv) in the db.
      */
     default void checkActionInDb(UserIdentity userIdentity, Set<Long> roleIds, String db, PrivilegeType privilegeType) {
-
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.DATABASE, db);
     }
 
     default void checkResourceAction(UserIdentity currentUser, Set<Long> roleIds, String name, PrivilegeType privilegeType) {
-
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.RESOURCE, name);
     }
 
     default void checkAnyActionOnResource(UserIdentity currentUser, Set<Long> roleIds, String name) {
-
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.RESOURCE, name);
     }
 
     default void checkResourceGroupAction(UserIdentity currentUser, Set<Long> roleIds, String name, PrivilegeType privilegeType) {
-
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.RESOURCE_GROUP, name);
     }
 
     default void checkStorageVolumeAction(UserIdentity currentUser, Set<Long> roleIds, String storageVolume,
                                           PrivilegeType privilegeType) {
-
+        AccessDeniedException.reportAccessDenied(privilegeType.name(), ObjectType.STORAGE_VOLUME, storageVolume);
     }
 
-    default void checkAnyActionOnStorageVolume(UserIdentity currentUser, Set<Long> roleIds, String name) {
-
+    default void checkAnyActionOnStorageVolume(UserIdentity currentUser, Set<Long> roleIds, String storageVolume) {
+        AccessDeniedException.reportAccessDenied("ANY", ObjectType.STORAGE_VOLUME, storageVolume);
     }
 }

fe/fe-core/src/main/java/com/starrocks/privilege/AccessControlProvider.java

@@ -0,0 +1,35 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.starrocks.privilege;
+
+import com.starrocks.sql.analyzer.AuthorizerStmtVisitor;
+
+public class AccessControlProvider {
+    protected final AuthorizerStmtVisitor privilegeCheckerVisitor;
+    protected final AccessControl accessControl;
+
+    public AccessControlProvider(AuthorizerStmtVisitor privilegeCheckerVisitor, AccessControl accessControl) {
+        this.privilegeCheckerVisitor = privilegeCheckerVisitor;
+        this.accessControl = accessControl;
+    }
+
+    public AuthorizerStmtVisitor getPrivilegeCheckerVisitor() {
+        return privilegeCheckerVisitor;
+    }
+
+    public AccessControl getAccessControlOrDefault(String catalogName) {
+        return this.accessControl;
+    }
+}