Insert SQL authentication audit logs for table model (#16450)

Author: CRZbulabula

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/tsfile/ImportTsFile.java

@@ -402,7 +402,9 @@ private static void processSetParams() {
     // ImportTsFileRemotely
     ImportTsFileRemotely.setHost(host);
     ImportTsFileRemotely.setPort(port);
+    // TODO: Figure out how to fetch userId here
     ImportTsFileRemotely.setUsername(username);
+    ImportTsFileRemotely.setCliHostname(host);
     ImportTsFileRemotely.setPassword(password);
     ImportTsFileRemotely.setValidateTsFile(verify);
 

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/tsfile/ImportTsFileRemotely.java

@@ -68,7 +68,9 @@ public class ImportTsFileRemotely extends ImportTsFileBase {
   private static String host;
   private static String port;
 
+  private static String userId = "-1";
   private static String username = SessionConfig.DEFAULT_USER;
+  private static String cliHostname = "";
   private static String password = SessionConfig.DEFAULT_PASSWORD;
   private static boolean validateTsFile;
 
@@ -184,7 +186,9 @@ private Map<String, String> constructParamsMap() {
         PipeTransferHandshakeConstant.HANDSHAKE_KEY_CONVERT_ON_TYPE_MISMATCH,
         Boolean.toString(true));
     params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_LOAD_TSFILE_STRATEGY, LOAD_STRATEGY);
+    params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_USER_ID, userId);
     params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_USERNAME, username);
+    params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_CLI_HOSTNAME, cliHostname);
     params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_PASSWORD, password);
     params.put(
         PipeTransferHandshakeConstant.HANDSHAKE_KEY_VALIDATE_TSFILE,
@@ -339,10 +343,18 @@ public static void setPort(final String port) {
     ImportTsFileRemotely.port = port;
   }
 
+  public static void setUserId(String userId) {
+    ImportTsFileRemotely.userId = userId;
+  }
+
   public static void setUsername(final String username) {
     ImportTsFileRemotely.username = username;
   }
 
+  public static void setCliHostname(String cliHostname) {
+    ImportTsFileRemotely.cliHostname = cliHostname;
+  }
+
   public static void setPassword(final String password) {
     ImportTsFileRemotely.password = password;
   }

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/audit/CNAuditLogger.java

@@ -49,6 +49,9 @@ public CNAuditLogger(ConfigManager configManager) {
   }
 
   public void log(AuditLogFields auditLogFields, String log) {
+    if (!IS_AUDIT_LOG_ENABLED) {
+      return;
+    }
     if (!checkBeforeLog(auditLogFields)) {
       return;
     }

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/event/PipeConfigRegionSnapshotEvent.java

@@ -110,7 +110,7 @@ public PipeConfigRegionSnapshotEvent() {
 
   public PipeConfigRegionSnapshotEvent(
       final String snapshotPath, final String templateFilePath, final CNSnapshotFileType type) {
-    this(snapshotPath, templateFilePath, type, null, 0, null, null, null, null, true);
+    this(snapshotPath, templateFilePath, type, null, 0, null, null, null, null, null, null, true);
   }
 
   public PipeConfigRegionSnapshotEvent(
@@ -122,15 +122,19 @@ public PipeConfigRegionSnapshotEvent(
       final PipeTaskMeta pipeTaskMeta,
       final TreePattern treePattern,
       final TablePattern tablePattern,
+      final String userId,
       final String userName,
+      final String cliHostname,
       final boolean skipIfNoPrivileges) {
     super(
         pipeName,
         creationTime,
         pipeTaskMeta,
         treePattern,
         tablePattern,
+        userId,
         userName,
+        cliHostname,
         skipIfNoPrivileges,
         PipeConfigNodeResourceManager.snapshot());
     this.snapshotPath = snapshotPath;
@@ -201,7 +205,9 @@ public EnrichedEvent shallowCopySelfAndBindPipeTaskMetaForProgressReport(
       final PipeTaskMeta pipeTaskMeta,
       final TreePattern treePattern,
       final TablePattern tablePattern,
+      final String userId,
       final String userName,
+      final String cliHostname,
       final boolean skipIfNoPrivileges,
       final long startTime,
       final long endTime) {
@@ -215,7 +221,9 @@ public EnrichedEvent shallowCopySelfAndBindPipeTaskMetaForProgressReport(
             pipeTaskMeta,
             treePattern,
             tablePattern,
+            userId,
             userName,
+            cliHostname,
             skipIfNoPrivileges);
     pipeConfigRegionSnapshotEvent.setAuthUserName(authUserName);
     return pipeConfigRegionSnapshotEvent;

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/event/PipeConfigRegionWritePlanEvent.java

@@ -42,7 +42,7 @@ public PipeConfigRegionWritePlanEvent() {
 
   public PipeConfigRegionWritePlanEvent(
       final ConfigPhysicalPlan configPhysicalPlan, final boolean isGeneratedByPipe) {
-    this(configPhysicalPlan, null, 0, null, null, null, null, true, isGeneratedByPipe);
+    this(configPhysicalPlan, null, 0, null, null, null, null, null, null, true, isGeneratedByPipe);
   }
 
   public PipeConfigRegionWritePlanEvent(
@@ -52,7 +52,9 @@ public PipeConfigRegionWritePlanEvent(
       final PipeTaskMeta pipeTaskMeta,
       final TreePattern treePattern,
       final TablePattern tablePattern,
+      final String userId,
       final String userName,
+      final String cliHostname,
       final boolean skipIfNoPrivileges,
       final boolean isGeneratedByPipe) {
     super(
@@ -61,7 +63,9 @@ public PipeConfigRegionWritePlanEvent(
         pipeTaskMeta,
         treePattern,
         tablePattern,
+        userId,
         userName,
+        cliHostname,
         skipIfNoPrivileges,
         isGeneratedByPipe);
     this.configPhysicalPlan = configPhysicalPlan;
@@ -78,7 +82,9 @@ public EnrichedEvent shallowCopySelfAndBindPipeTaskMetaForProgressReport(
       final PipeTaskMeta pipeTaskMeta,
       final TreePattern treePattern,
       final TablePattern tablePattern,
+      final String userId,
       final String userName,
+      final String cliHostname,
       final boolean skipIfNoPrivileges,
       final long startTime,
       final long endTime) {
@@ -89,7 +95,9 @@ public EnrichedEvent shallowCopySelfAndBindPipeTaskMetaForProgressReport(
         pipeTaskMeta,
         treePattern,
         tablePattern,
+        userId,
         userName,
+        cliHostname,
         skipIfNoPrivileges,
         false);
   }

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/sink/client/IoTDBConfigNodeSyncClientManager.java

@@ -20,6 +20,7 @@
 package org.apache.iotdb.confignode.manager.pipe.sink.client;
 
 import org.apache.iotdb.common.rpc.thrift.TEndPoint;
+import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.pipe.sink.client.IoTDBSyncClientManager;
 import org.apache.iotdb.commons.pipe.sink.payload.thrift.request.PipeTransferHandshakeV2Req;
@@ -41,7 +42,7 @@ public IoTDBConfigNodeSyncClientManager(
       /* The following parameters are used locally. */
       String loadBalanceStrategy,
       /* The following parameters are used to handshake with the receiver. */
-      String username,
+      UserEntity userEntity,
       String password,
       boolean shouldReceiverConvertOnTypeMismatch,
       String loadTsFileStrategy,
@@ -54,7 +55,7 @@ public IoTDBConfigNodeSyncClientManager(
         trustStorePwd,
         false,
         loadBalanceStrategy,
-        username,
+        userEntity,
         password,
         shouldReceiverConvertOnTypeMismatch,
         loadTsFileStrategy,

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/sink/protocol/IoTDBConfigRegionAirGapSink.java

@@ -76,7 +76,9 @@ protected byte[] generateHandShakeV2Payload() throws IOException {
         Boolean.toString(shouldReceiverConvertOnTypeMismatch));
     params.put(
         PipeTransferHandshakeConstant.HANDSHAKE_KEY_LOAD_TSFILE_STRATEGY, loadTsFileStrategy);
+    params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_USER_ID, userId);
     params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_USERNAME, username);
+    params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_CLI_HOSTNAME, cliHostname);
     params.put(PipeTransferHandshakeConstant.HANDSHAKE_KEY_PASSWORD, password);
     params.put(
         PipeTransferHandshakeConstant.HANDSHAKE_KEY_VALIDATE_TSFILE,

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/sink/protocol/IoTDBConfigRegionSink.java

@@ -21,6 +21,7 @@
 
 import org.apache.iotdb.common.rpc.thrift.TEndPoint;
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.pipe.sink.client.IoTDBSyncClient;
 import org.apache.iotdb.commons.pipe.sink.client.IoTDBSyncClientManager;
 import org.apache.iotdb.commons.pipe.sink.payload.thrift.request.PipeTransferFilePieceReq;
@@ -70,7 +71,7 @@ protected IoTDBSyncClientManager constructClient(
       final boolean useLeaderCache,
       final String loadBalanceStrategy,
       /* The following parameters are used to handshake with the receiver. */
-      final String username,
+      final UserEntity userEntity,
       final String password,
       final boolean shouldReceiverConvertOnTypeMismatch,
       final String loadTsFileStrategy,
@@ -82,7 +83,7 @@ protected IoTDBSyncClientManager constructClient(
         Objects.nonNull(trustStorePath) ? ConfigNodeConfig.addHomeDir(trustStorePath) : null,
         trustStorePwd,
         loadBalanceStrategy,
-        username,
+        userEntity,
         password,
         shouldReceiverConvertOnTypeMismatch,
         loadTsFileStrategy,

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/AuditLogger.java

@@ -20,6 +20,7 @@
 package org.apache.iotdb.db.audit;
 
 import org.apache.iotdb.commons.audit.AuditLogOperation;
+import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.exception.IllegalPathException;
 import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
@@ -65,7 +66,13 @@ public class AuditLogger {
   private static final IoTDBConfig config = IoTDBDescriptor.getInstance().getConfig();
   private static final List<AuditLogStorage> auditLogStorageList = config.getAuditLogStorage();
   private static final SessionInfo sessionInfo =
-      new SessionInfo(0, AuthorityChecker.SUPER_USER, ZoneId.systemDefault());
+      new SessionInfo(
+          0,
+          new UserEntity(
+              AuthorityChecker.SUPER_USER_ID,
+              AuthorityChecker.SUPER_USER,
+              IoTDBDescriptor.getInstance().getConfig().getInternalAddress()),
+          ZoneId.systemDefault());
 
   private static final List<AuditLogOperation> auditLogOperationList =
       config.getAuditableOperationType();

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java

@@ -25,6 +25,7 @@
 import org.apache.iotdb.commons.audit.AuditLogFields;
 import org.apache.iotdb.commons.audit.AuditLogOperation;
 import org.apache.iotdb.commons.audit.PrivilegeLevel;
+import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.client.IClientManager;
 import org.apache.iotdb.commons.client.exception.ClientManagerException;
@@ -95,9 +96,14 @@ public class DNAuditLogger extends AbstractAuditLogger {
   private static final String AUDIT_LOG_DEVICE = "root.__audit.log.node_%s.u_%s";
   private static final String AUDIT_LOGIN_LOG_DEVICE = "root.__audit.login.node_%s.u_%s";
   private static final String AUDIT_CN_LOG_DEVICE = "root.__audit.log.node_%s.u_all";
-  private static final Coordinator COORDINATOR = Coordinator.getInstance();
   private static final SessionInfo sessionInfo =
-      new SessionInfo(0, AuthorityChecker.SUPER_USER, ZoneId.systemDefault());
+      new SessionInfo(
+          0,
+          new UserEntity(
+              AuthorityChecker.INTERNAL_AUDIT_USER_ID,
+              AuthorityChecker.INTERNAL_AUDIT_USER,
+              IoTDBDescriptor.getInstance().getConfig().getInternalAddress()),
+          ZoneId.systemDefault());
 
   private static final SessionManager SESSION_MANAGER = SessionManager.getInstance();
 
@@ -106,7 +112,9 @@ public class DNAuditLogger extends AbstractAuditLogger {
 
   private static final DataNodeDevicePathCache DEVICE_PATH_CACHE =
       DataNodeDevicePathCache.getInstance();
-  private static AtomicBoolean tableViewIsInitialized = new AtomicBoolean(false);
+  private static final AtomicBoolean tableViewIsInitialized = new AtomicBoolean(false);
+
+  private Coordinator coordinator;
 
   private DNAuditLogger() {
     // Empty constructor
@@ -116,6 +124,10 @@ public static DNAuditLogger getInstance() {
     return DNAuditLoggerHolder.INSTANCE;
   }
 
+  public void setCoordinator(Coordinator coordinator) {
+    DNAuditLoggerHolder.INSTANCE.coordinator = coordinator;
+  }
+
   @NotNull
   private static InsertRowStatement generateInsertStatement(
       AuditLogFields auditLogFields, String log, PartialPath log_device) {
@@ -217,7 +229,7 @@ public void createViewIfNecessary() {
                     + " WITH SCHEMA_REGION_GROUP_NUM=1, DATA_REGION_GROUP_NUM=1",
                 ZoneId.systemDefault());
         ExecutionResult result =
-            COORDINATOR.executeForTreeModel(
+            coordinator.executeForTreeModel(
                 statement,
                 SESSION_MANAGER.requestQueryId(),
                 sessionInfo,
@@ -232,7 +244,7 @@ public void createViewIfNecessary() {
               new InternalClientSession(
                   String.format(
                       "%s_%s", DNAuditLogger.class.getSimpleName(), SystemConstant.AUDIT_DATABASE));
-          session.setUsername(AuthorityChecker.SUPER_USER);
+          session.setUsername(AuthorityChecker.INTERNAL_AUDIT_USER);
           session.setZoneId(ZoneId.systemDefault());
           session.setClientVersion(IoTDBConstant.ClientVersion.V_1_0);
           session.setDatabaseName(SystemConstant.AUDIT_DATABASE);
@@ -246,7 +258,7 @@ public void createViewIfNecessary() {
                   ZoneId.systemDefault(),
                   session);
           TSStatus status =
-              COORDINATOR.executeForTableModel(
+              coordinator.executeForTableModel(
                       stmt,
                       relationSqlParser,
                       session,
@@ -280,7 +292,7 @@ public void createViewIfNecessary() {
                   ZoneId.systemDefault(),
                   session);
           status =
-              COORDINATOR.executeForTableModel(
+              coordinator.executeForTableModel(
                       stmt,
                       relationSqlParser,
                       session,
@@ -307,11 +319,14 @@ public void createViewIfNecessary() {
   }
 
   public void log(AuditLogFields auditLogFields, String log) {
+    if (!IS_AUDIT_LOG_ENABLED) {
+      return;
+    }
     createViewIfNecessary();
     if (!checkBeforeLog(auditLogFields)) {
       return;
     }
-    int userId = auditLogFields.getUserId();
+    long userId = auditLogFields.getUserId();
     String user = String.valueOf(userId);
     if (userId == -1) {
       user = "none";
@@ -328,7 +343,7 @@ public void log(AuditLogFields auditLogFields, String log) {
       logger.error("Failed to log audit events because ", e);
       return;
     }
-    COORDINATOR.executeForTreeModel(
+    coordinator.executeForTreeModel(
         statement,
         SESSION_MANAGER.requestQueryId(),
         sessionInfo,
@@ -345,7 +360,7 @@ public void log(AuditLogFields auditLogFields, String log) {
         logger.error("Failed to log audit login events because ", e);
         return;
       }
-      COORDINATOR.executeForTreeModel(
+      coordinator.executeForTreeModel(
           statement,
           SESSION_MANAGER.requestQueryId(),
           sessionInfo,
@@ -366,7 +381,7 @@ public void logFromCN(AuditLogFields auditLogFields, String log, int nodeId)
             auditLogFields,
             log,
             DEVICE_PATH_CACHE.getPartialPath(String.format(AUDIT_CN_LOG_DEVICE, nodeId)));
-    COORDINATOR.executeForTreeModel(
+    coordinator.executeForTreeModel(
         statement,
         SESSION_MANAGER.requestQueryId(),
         sessionInfo,