From b602ee67cfc51c7f50a21bf41e326edd61c5cfb3 Mon Sep 17 00:00:00 2001
From: shiwenyan
Date: Tue, 9 Dec 2025 18:20:30 +0800
Subject: [PATCH 1/3] Fix OOM problem for PIPE.
---
 .../db/auth/ClusterAuthorityFetcher.java | 54 ++++++++-----------
 1 file changed, 21 insertions(+), 33 deletions(-)
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index b7b3815cacaf4..6f52de26124df 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -169,35 +169,32 @@ public List checkUserPathPrivileges(
 String username, List allPath, PrivilegeType permission) {
 checkCacheAvailable();
 List posList = new ArrayList<>();
- User user = iAuthorCache.getUserCache(username);
- if (user != null) {
- if (user.isOpenIdUser()) {
- return posList;
- }
- int pos = 0;
- for (PartialPath path : allPath) {
- if (!user.checkPathPrivilege(path, permission)) {
- boolean checkFromRole = false;
- for (String rolename : user.getRoleSet()) {
- Role cachedRole = iAuthorCache.getRoleCache(rolename);
- if (cachedRole == null) {
- return checkPathFromConfigNode(username, allPath, permission);
- }
- if (cachedRole.checkPathPrivilege(path, permission)) {
- checkFromRole = true;
- break;
- }
+ User user = getUser(username);
+ if (user.isOpenIdUser()) {
+ return posList;
+ }
+ int pos = 0;
+ for (PartialPath path : allPath) {
+ if (!user.checkPathPrivilege(path, permission)) {
+ boolean checkFromRole = false;
+ for (String rolename : user.getRoleSet()) {
+ Role cachedRole = iAuthorCache.getRoleCache(rolename);
+ if (cachedRole == null) {
+ checkRoleFromConfigNode(username, rolename);
+ cachedRole = iAuthorCache.getRoleCache(rolename);
 }
- if (!checkFromRole) {
- posList.add(pos);
+ if (cachedRole.checkPathPrivilege(path, permission)) {
+ checkFromRole = true;
+ break;
 }
 }
- pos++;
+ if (!checkFromRole) {
+ posList.add(pos);
+ }
 }
- return posList;
- } else {
- return checkPathFromConfigNode(username, allPath, permission);
+ pos++;
 }
+ return posList;
 }

 @Override
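Review bot: The boolean returned by `checkRoleFromConfigNode(username, rolename)` is discarded in the new `cachedRole == null` branch, so a failed or negative lookup is handled exactly like a successful one and the code simply re-reads the cache. Because that branch sits inside the per-path loop, a role that never lands in the cache triggers the same lookup (presumably a remote call, judging by the name) again for every path the user cannot access directly, which matters for the large path lists this patch is aimed at. Assuming `false` means the role could not be confirmed, skip it explicitly with `if (!checkRoleFromConfigNode(username, rolename)) { continue; }` and remember the miss for the rest of the call; patch 3/3 later adds only the null guard. Separately, the old `user != null` fallback is gone, so `user.isOpenIdUser()` now relies on `getUser` never returning null; `getUser` is not visible in this hunk, so that should be confirmed.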
@@ -642,15 +639,6 @@ private TPermissionInfoResp checkPrivilegeFromConfigNode(TCheckUserPrivilegesReq
 return permissionInfoResp;
 }

- private List checkPathFromConfigNode(
- String username, List allPath, PrivilegeType permission) {
- TCheckUserPrivilegesReq req =
- new TCheckUserPrivilegesReq(
- username, PrivilegeModelType.TREE.ordinal(), permission.ordinal(), false);
- req.setPaths(AuthUtils.serializePartialPathList(allPath));
- return checkPrivilegeFromConfigNode(req).getFailPos();
- }
-
 private boolean checkRoleFromConfigNode(String username, String rolename) {
 TAuthorizerReq req = new TAuthorizerReq();
 // just reuse authorizer request. only need username and rolename field.
From 5b28dc7e3127800c11dc4be40aae9473b01655b2 Mon Sep 17 00:00:00 2001
From: shiwenyan
Date: Wed, 10 Dec 2025 10:55:18 +0800
Subject: [PATCH 2/3] Fix IT.
---
 .../org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index 6f52de26124df..a2a0cd1216966 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -167,8 +167,11 @@ public TSStatus checkUserSysPrivilegesGrantOpt(String username, PrivilegeType pe
 @Override
 public List checkUserPathPrivileges(
 String username, List allPath, PrivilegeType permission) {
- checkCacheAvailable();
 List posList = new ArrayList<>();
+ if (username.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ return posList;
+ }
+ checkCacheAvailable();
 User user = getUser(username);
 if (user.isOpenIdUser()) {
 return posList;
From 4a4d82a309e8b77aeb6f8dcb9c97e9133e70ed9d Mon Sep 17 00:00:00 2001
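Review bot: In the `[PATCH 2/3]` hunk, the early `return posList;` for `AuthorityChecker.INTERNAL_AUDIT_USER` reports every requested path as permitted without consulting the cache or any stored privilege, and the decision rests only on a string match against the caller-supplied `username`. Nothing visible here shows that this name is reserved, so it should be confirmed that it cannot be registered as a regular user or presented by an external session, and the invariant recorded next to the check, e.g. `// internal audit writes skip path checks; this name must be rejected at user creation and login`. `username.equals(...)` also throws on a null username before any check runs; `AuthorityChecker.INTERNAL_AUDIT_USER.equals(username)` avoids that. The method body continues past the end of the hunk.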
From: shiwenyan
Date: Wed, 10 Dec 2025 17:12:23 +0800
Subject: [PATCH 3/3] Fix potential NPE.
---
 .../java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index a2a0cd1216966..2894ce8bb478e 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -186,7 +186,7 @@ public List checkUserPathPrivileges(
 checkRoleFromConfigNode(username, rolename);
 cachedRole = iAuthorCache.getRoleCache(rolename);
 }
- if (cachedRole.checkPathPrivilege(path, permission)) {
+ if (cachedRole != null && cachedRole.checkPathPrivilege(path, permission)) {
 checkFromRole = true;
 break;
 }