github.com/matrixorigin/matrixone@v0.7.0/pkg/frontend/authenticate2.go (about)

     1  // Copyright 2021 Matrix Origin
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package frontend
    16  
// verifyAccountCanOperateClusterTable reports whether account may perform
// clusterTableOperation on a cluster table addressed through dbName.
//
// The decision is deny-by-default:
//   - any dbName other than moCatalog is rejected for every account;
//   - inside moCatalog the sys tenant may perform any operation;
//   - inside moCatalog every other tenant is limited to clusterTableNone and
//     clusterTableSelect, i.e. it can only read the cluster table.
//
// NOTE(review): dbName is matched against moCatalog with ==, so the result
// depends on the caller passing the name in the same case and form as the
// constant. Confirm that callers normalize dbName before calling.
// NOTE(review): account is dereferenced without a nil check; whether a nil
// *TenantInfo is safe depends on IsSysTenant, which is not visible here.
func verifyAccountCanOperateClusterTable(account *TenantInfo,
	dbName string,
	clusterTableOperation clusterTableOperationType) bool {
	// Resolve the tenant kind first, as the original control flow does.
	sysTenant := account.IsSysTenant()

	// Cluster tables are only reachable through the catalog database.
	if dbName != moCatalog {
		return false
	}

	// The sys account can do anything on the cluster table.
	if sysTenant {
		return true
	}

	// A general account can only read the cluster table.
	return clusterTableOperation == clusterTableNone ||
		clusterTableOperation == clusterTableSelect
}
    38  
// verifyLightPrivilege performs the privilege checks that can be decided
// without reading the privilege tables. It returns true when the statement
// passes these checks and false when it must be rejected.
//
// Two cases are covered:
//   - case 1: a real user from a client is writing directly into one of the
//     catalog databases (mo_catalog, information_schema, system,
//     system_metric, mysql), as decided by isBannedDatabase;
//   - case 2: the user operates on a cluster table.
//
// When dbName is empty, the session's current database is used instead.
//
// NOTE(review): a true result only means this light check did not reject the
// request. It is returned unconditionally for sessions that are not from a
// real user and for statements that do not write a database or table directly,
// so confirm that callers still apply the privilege-table check where needed.
func verifyLightPrivilege(ses *Session,
	dbName string,
	writeDBTableDirect bool,
	isClusterTable bool,
	clusterTableOperation clusterTableOperationType) bool {
	// Only direct writes issued by a real client user are restricted here.
	if !ses.GetFromRealUser() || !writeDBTableDirect {
		return true
	}

	// Fall back to the session's current database when none was named.
	if dbName == "" {
		dbName = ses.GetDatabaseName()
	}

	// Outside the banned databases, ordinary tables pass and cluster tables
	// are refused.
	if !isBannedDatabase(dbName) {
		return !isClusterTable
	}

	// Inside a banned database, only cluster tables can be written, and only
	// within the limits set for the session's tenant.
	if !isClusterTable {
		return false
	}
	return verifyAccountCanOperateClusterTable(ses.GetTenantInfo(), dbName, clusterTableOperation)
}