Skip to content

[fix](priv) skip catalog priv check if using customized access controller#60945

Merged
morningman merged 2 commits intoapache:masterfrom
CalvinKirs:master-catalog-auth-check
Mar 2, 2026
Merged

[fix](priv) skip catalog priv check if using customized access controller#60945
morningman merged 2 commits intoapache:masterfrom
CalvinKirs:master-catalog-auth-check

Conversation

@CalvinKirs
Copy link
Copy Markdown
Member

@CalvinKirs CalvinKirs commented Mar 2, 2026

What problem does this PR solve?

Issue Number: close #xxx

Related PR: #xxx

Problem Summary:

Release note

None

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason

  • Behavior changed:

    • No.
    • Yes.

  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

morningman and others added 2 commits March 2, 2026 12:17
@morningman @CalvinKirs
[fix](priv) skip catalog priv check if using customized access contro…
ec2eae2 
…ller

Cherry-pick from enterprise-core commit 2074619

Author: Mingyu Chen (Rayner) <yunyou@selectdb.com>
Date: Fri Oct 24 12:47:05 2025 +0800
@CalvinKirs
[test](priv) add UT for skip catalog priv check
92a8c8c
@Thearas
Copy link
Copy Markdown
Contributor

Thearas commented Mar 2, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@CalvinKirs
Copy link
Copy Markdown
Member Author

CalvinKirs commented Mar 2, 2026

run buildall

@doris-robot
Copy link
Copy Markdown

doris-robot commented Mar 2, 2026

TPC-H: Total hot run time: 28841 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 92a8c8c5e648e4133d8dd96ddc35e44019b95a02, data reload: false

------ Round 1 ----------------------------------
============================================
q1	17627	4485	4319	4319
q2	q3	10645	770	522	522
q4	4684	373	250	250
q5	7649	1201	1050	1050
q6	180	178	146	146
q7	817	855	663	663
q8	10054	1483	1343	1343
q9	5725	4780	4774	4774
q10	6804	1904	1631	1631
q11	461	243	252	243
q12	713	574	465	465
q13	17758	4271	3381	3381
q14	224	234	226	226
q15	973	805	788	788
q16	742	731	670	670
q17	729	874	419	419
q18	6005	5487	5305	5305
q19	1541	978	623	623
q20	518	499	390	390
q21	4665	1863	1395	1395
q22	340	279	238	238
Total cold run time: 98854 ms
Total hot run time: 28841 ms

----- Round 2, with runtime_filter_mode=off -----
============================================
q1	4528	5391	4352	4352
q2	q3	1778	2175	1721	1721
q4	833	1159	786	786
q5	4030	4336	4348	4336
q6	182	169	138	138
q7	1734	1596	1469	1469
q8	2422	2664	2546	2546
q9	7945	7492	7419	7419
q10	2678	2855	2413	2413
q11	504	444	425	425
q12	488	598	486	486
q13	4082	4402	3658	3658
q14	301	297	277	277
q15	857	841	807	807
q16	734	778	748	748
q17	1151	1572	1353	1353
q18	7142	6678	6614	6614
q19	925	914	891	891
q20	2093	2180	2045	2045
q21	4315	3474	3331	3331
q22	446	435	384	384
Total cold run time: 49168 ms
Total hot run time: 46199 ms

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented Mar 2, 2026

FE UT Coverage Report

Increment line coverage 81.82% (9/11) 🎉
Increment coverage report
Complete coverage report

@doris-robot
Copy link
Copy Markdown

doris-robot commented Mar 2, 2026

TPC-DS: Total hot run time: 184930 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 92a8c8c5e648e4133d8dd96ddc35e44019b95a02, data reload: false

query5	4714	645	554	554
query6	330	220	209	209
query7	4223	472	280	280
query8	337	241	218	218
query9	8713	2742	2743	2742
query10	509	376	347	347
query11	17035	17604	17527	17527
query12	181	139	137	137
query13	1599	503	366	366
query14	6387	3347	3071	3071
query14_1	2916	2893	2864	2864
query15	205	196	177	177
query16	1022	492	470	470
query17	1557	755	625	625
query18	2963	479	336	336
query19	210	235	194	194
query20	139	145	131	131
query21	212	142	119	119
query22	5499	5587	5097	5097
query23	17212	16805	16641	16641
query23_1	16651	16709	16700	16700
query24	7200	1609	1220	1220
query24_1	1204	1233	1226	1226
query25	532	450	396	396
query26	1230	263	152	152
query27	2786	472	290	290
query28	4505	1851	1878	1851
query29	796	575	469	469
query30	313	249	207	207
query31	881	710	655	655
query32	78	73	69	69
query33	511	342	282	282
query34	921	915	562	562
query35	654	673	593	593
query36	1067	1120	937	937
query37	127	94	87	87
query38	2935	2896	2869	2869
query39	891	994	849	849
query39_1	856	801	815	801
query40	242	160	137	137
query41	62	61	59	59
query42	108	101	101	101
query43	370	385	357	357
query44	
query45	198	196	185	185
query46	886	992	615	615
query47	2097	2131	2066	2066
query48	321	307	246	246
query49	626	475	380	380
query50	676	280	219	219
query51	4118	4141	4076	4076
query52	104	107	94	94
query53	293	341	276	276
query54	293	264	261	261
query55	89	86	84	84
query56	311	313	302	302
query57	1332	1327	1284	1284
query58	288	275	284	275
query59	2587	2671	2574	2574
query60	345	334	333	333
query61	152	150	152	150
query62	620	603	544	544
query63	324	283	275	275
query64	4927	1367	1103	1103
query65	
query66	1467	476	364	364
query67	16348	16324	16279	16279
query68	
query69	401	326	295	295
query70	1006	983	974	974
query71	330	326	309	309
query72	2922	2806	2612	2612
query73	562	546	325	325
query74	10021	9940	9760	9760
query75	2847	2771	2463	2463
query76	2308	1041	685	685
query77	368	400	318	318
query78	11219	11472	10705	10705
query79	2563	790	619	619
query80	1762	612	533	533
query81	562	293	252	252
query82	989	151	116	116
query83	342	262	243	243
query84	254	115	101	101
query85	909	473	439	439
query86	427	320	303	303
query87	3115	3190	3028	3028
query88	3497	2669	2640	2640
query89	423	375	340	340
query90	1986	179	177	177
query91	160	157	138	138
query92	82	76	74	74
query93	1200	842	503	503
query94	655	324	314	314
query95	612	390	325	325
query96	635	517	229	229
query97	2470	2517	2481	2481
query98	224	210	218	210
query99	1035	999	909	909
Total cold run time: 256647 ms
Total hot run time: 184930 ms

@github-actions github-actions Bot added the approved Indicates a PR has been approved by one committer. label Mar 2, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 2, 2026

PR approved by at least one committer and no changes requested.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 2, 2026

PR approved by anyone and no changes requested.

@morningman morningman merged commit 2dbb0c7 into apache:master Mar 2, 2026
31 of 33 checks passed
github-actions Bot pushed a commit that referenced this pull request Mar 2, 2026
@CalvinKirs
[fix](priv) skip catalog priv check if using customized access contro…
e59ef83 
…ller (#60945)
@github-actions github-actions Bot mentioned this pull request Mar 2, 2026
Merged
yiguolei pushed a commit that referenced this pull request Mar 3, 2026
@github-actions @CalvinKirs
branch-4.0: [fix](priv) skip catalog priv check if using customized a…
0875f9b 
…ccess controller #60945 (#60962)

Cherry-picked from #60945

Co-authored-by: Calvin Kirs <guoqiang@selectdb.com>
@CalvinKirs CalvinKirs mentioned this pull request Mar 9, 2026
Merged
16 tasks
CalvinKirs added a commit that referenced this pull request Mar 10, 2026
@CalvinKirs
[fix](auth) restrict skip_catalog_priv_check to SHOW and SELECT on c…
711ef9e 
…atalog privilege checks (#61147)

followup #60945

  ## What problem does this PR solve?

When `skip_catalog_priv_check` is enabled,
`AccessControllerManager#checkCtlPriv()` currently skips
catalog privilege checks for external catalogs with a custom access
controller.

This behavior is too broad because it also affects non-read-only catalog
privileges such as `CREATE`
and `LOAD`, which should still be validated by the default internal
access controller.
github-actions Bot pushed a commit that referenced this pull request Mar 10, 2026
@CalvinKirs
[fix](auth) restrict skip_catalog_priv_check to SHOW and SELECT on c…
0f76639 
…atalog privilege checks (#61147)

followup #60945

  ## What problem does this PR solve?

When `skip_catalog_priv_check` is enabled,
`AccessControllerManager#checkCtlPriv()` currently skips
catalog privilege checks for external catalogs with a custom access
controller.

This behavior is too broad because it also affects non-read-only catalog
privileges such as `CREATE`
and `LOAD`, which should still be validated by the default internal
access controller.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@morningman morningman morningman approved these changes

@zhangstar333 zhangstar333 zhangstar333 approved these changes

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by one committer. dev/3.1.x dev/4.0.4-merged reviewed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@CalvinKirs @Thearas @doris-robot @hello-stephen @morningman @zhangstar333 @yiguolei