[fix](auth)Http api check auth

fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/MetaInfoAction.java

@@ -105,18 +105,18 @@ public Object getAllDatabases(
         for (String fullName : dbNames) {
             final String db = ClusterNamespace.getNameFromFullName(fullName);
             if (!Env.getCurrentEnv().getAccessManager()
-                    .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, fullName,
+                    .checkDbPriv(ConnectContext.get(), ns, fullName,
                             PrivPredicate.SHOW)) {
                 continue;
             }
             dbNameSet.add(db);
         }
 
-        Collections.sort(dbNames);
+        Collections.sort(dbNameSet);
 
         // handle limit offset
-        Pair<Integer, Integer> fromToIndex = getFromToIndex(request, dbNames.size());
-        return ResponseEntityBuilder.ok(dbNames.subList(fromToIndex.first, fromToIndex.second));
+        Pair<Integer, Integer> fromToIndex = getFromToIndex(request, dbNameSet.size());
+        return ResponseEntityBuilder.ok(dbNameSet.subList(fromToIndex.first, fromToIndex.second));
     }
 
     /** Get all tables of a database

fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/ShowAction.java

@@ -17,6 +17,7 @@
 
 package org.apache.doris.httpv2.rest;
 
+import org.apache.doris.analysis.UserIdentity;
 import org.apache.doris.catalog.Database;
 import org.apache.doris.catalog.DatabaseIf;
 import org.apache.doris.catalog.Env;
@@ -30,6 +31,7 @@
 import org.apache.doris.common.proc.ProcNodeInterface;
 import org.apache.doris.common.proc.ProcResult;
 import org.apache.doris.common.proc.ProcService;
+import org.apache.doris.datasource.InternalCatalog;
 import org.apache.doris.ha.HAProtocol;
 import org.apache.doris.httpv2.entity.ResponseEntityBuilder;
 import org.apache.doris.mysql.privilege.PrivPredicate;
@@ -212,18 +214,25 @@ public Object show_data(HttpServletRequest request, HttpServletResponse response
 
     @RequestMapping(path = "/api/show_table_data", method = RequestMethod.GET)
     public Object show_table_data(HttpServletRequest request, HttpServletResponse response) {
-        if (Config.enable_all_http_auth) {
-            executeCheckPassword(request, response);
-            checkGlobalAuth(ConnectContext.get().getCurrentUserIdentity(), PrivPredicate.ADMIN);
-        }
+        executeCheckPassword(request, response);
 
         String dbName = request.getParameter(DB_KEY);
         String tableName = request.getParameter(TABLE_KEY);
+
+        if (StringUtils.isEmpty(dbName) && StringUtils.isEmpty(tableName)) {
+            return ResponseEntityBuilder.okWithCommonError("dbName and tableName cannot be empty at the same time");
+        }
+
         String singleReplica = request.getParameter(SINGLE_REPLICA_KEY);
         boolean singleReplicaBool = Boolean.parseBoolean(singleReplica);
         Map<String, Map<String, Long>> oneEntry = Maps.newHashMap();
+        UserIdentity user = ConnectContext.get().getCurrentUserIdentity();
         if (dbName != null) {
             String fullDbName = getFullDbName(dbName);
+            if (!StringUtils.isEmpty(tableName)) {
+                checkTblAuth(user, fullDbName, tableName, PrivPredicate.SHOW);
+            }
+
             DatabaseIf db = Env.getCurrentInternalCatalog().getDbNullable(fullDbName);
             if (db == null) {
                 return ResponseEntityBuilder.okWithCommonError("database " + fullDbName + " not found.");
@@ -236,6 +245,11 @@ public Object show_table_data(HttpServletRequest request, HttpServletResponse re
                 if (db == null || !(db instanceof Database) || ((Database) db) instanceof MysqlCompatibleDatabase) {
                     continue;
                 }
+                if (!Env.getCurrentEnv().getAccessManager()
+                        .checkTblPriv(user, InternalCatalog.INTERNAL_CATALOG_NAME, db.getFullName(), tableName,
+                                PrivPredicate.SHOW)) {
+                    continue;
+                }
                 Map<String, Long> tablesEntry = getDataSizeOfTables(db, tableName, singleReplicaBool);
                 oneEntry.put(ClusterNamespace.getNameFromFullName(db.getFullName()), tablesEntry);
             }
@@ -331,6 +345,12 @@ private Map<String, Long> getDataSizeOfTables(DatabaseIf db, String tableName, b
             if (Strings.isNullOrEmpty(tableName)) {
                 List<Table> tables = db.getTables();
                 for (Table table : tables) {
+                    if (!Env.getCurrentEnv().getAccessManager()
+                            .checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, db.getFullName(),
+                                    table.getName(),
+                                    PrivPredicate.SHOW)) {
+                        continue;
+                    }
                     Map<String, Long> tableEntry = getDataSizeOfTable(table, singleReplica);
                     oneEntry.putAll(tableEntry);
                 }

regression-test/suites/auth_p0/test_http_meta_databases_auth.groovy

@@ -0,0 +1,54 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_meta_databases_auth","p0,auth") {
+    String suiteName = "test_http_meta_databases_auth"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String tableName = "${suiteName}_table"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+
+    def getDatabases = { check_func ->
+        httpTest {
+            basicAuthorization "${user}","${pwd}"
+            endpoint "${context.config.feHttpAddress}"
+            uri "/api/meta/namespaces/default_cluster/databases"
+            op "get"
+            check check_func
+        }
+    }
+
+    getDatabases.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertFalse("${body}".contains("${dbName}"))
+    }
+
+    sql """grant select_priv on ${dbName} to ${user}"""
+
+    getDatabases.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertTrue("${body}".contains("${dbName}"))
+    }
+
+    try_sql("DROP USER ${user}")
+}

regression-test/suites/auth_p0/test_http_meta_tables_auth.groovy

@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_meta_tables_auth","p0,auth") {
+    String suiteName = "test_http_meta_tables_auth"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String tableName = "${suiteName}_table"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """drop table if exists `${tableName}`"""
+    sql """
+        CREATE TABLE `${tableName}` (
+          `k1` int,
+          `k2` int
+        ) ENGINE=OLAP
+        DISTRIBUTED BY random BUCKETS auto
+        PROPERTIES ('replication_num' = '1') ;
+        """
+
+
+    def getTables = { check_func ->
+        httpTest {
+            basicAuthorization "${user}","${pwd}"
+            endpoint "${context.config.feHttpAddress}"
+            uri "/api/meta/namespaces/default_cluster/databases/${dbName}/tables"
+            op "get"
+            check check_func
+        }
+    }
+
+    getTables.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertFalse("${body}".contains("${tableName}"))
+    }
+
+    sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
+    getTables.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertTrue("${body}".contains("${tableName}"))
+    }
+
+    sql """drop table if exists `${tableName}`"""
+    try_sql("DROP USER ${user}")
+}

regression-test/suites/auth_p0/test_http_meta_tables_schema_auth.groovy

@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_meta_tables_schema_auth","p0,auth") {
+    String suiteName = "test_http_meta_tables_schema_auth"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String tableName = "${suiteName}_table"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """drop table if exists `${tableName}`"""
+    sql """
+        CREATE TABLE `${tableName}` (
+          `k1` int,
+          `k2` int
+        ) ENGINE=OLAP
+        DISTRIBUTED BY random BUCKETS auto
+        PROPERTIES ('replication_num' = '1') ;
+        """
+
+
+    def getSchema = { check_func ->
+        httpTest {
+            basicAuthorization "${user}","${pwd}"
+            endpoint "${context.config.feHttpAddress}"
+            uri "/api/meta/namespaces/default_cluster/databases/${dbName}/tables/${tableName}/schema"
+            op "get"
+            check check_func
+        }
+    }
+
+    getSchema.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertTrue("${body}".contains("401"))
+    }
+
+    sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
+    getSchema.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertTrue("${body}".contains("${tableName}"))
+    }
+
+    sql """drop table if exists `${tableName}`"""
+    try_sql("DROP USER ${user}")
+}

regression-test/suites/auth_p0/test_http_table_count_auth.groovy

@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_table_count_auth","p0,auth") {
+    String suiteName = "test_http_table_count_auth"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String tableName = "${suiteName}_table"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """drop table if exists `${tableName}`"""
+    sql """
+        CREATE TABLE `${tableName}` (
+          `k1` int,
+          `k2` int
+        ) ENGINE=OLAP
+        DISTRIBUTED BY random BUCKETS auto
+        PROPERTIES ('replication_num' = '1') ;
+        """
+    sql """insert into ${tableName} values(1,1)"""
+
+    def getCount = { check_func ->
+        httpTest {
+            basicAuthorization "${user}","${pwd}"
+            endpoint "${context.config.feHttpAddress}"
+            uri "/api/${dbName}/${tableName}/_count"
+            op "get"
+            check check_func
+        }
+    }
+
+    getCount.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertTrue("${body}".contains("401"))
+    }
+
+    sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
+    getCount.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertFalse("${body}".contains("401"))
+    }
+
+    sql """drop table if exists `${tableName}`"""
+    try_sql("DROP USER ${user}")
+}