apache
diff --git a/‎iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/audit/CNAuditLogger.java‎
Lines changed: 3 additions & 0 deletions b/‎iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/audit/CNAuditLogger.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java‎
Lines changed: 15 additions & 7 deletions b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java‎
Lines changed: 15 additions & 7 deletions
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java‎
Lines changed: 3 additions & 2 deletions b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java‎
Lines changed: 1 addition & 0 deletions b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/source/dataregion/realtime/PipeRealtimeDataRegionSource.java‎
Lines changed: 4 additions & 3 deletions b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/source/dataregion/realtime/PipeRealtimeDataRegionSource.java‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java‎
Lines changed: 11 additions & 1 deletion b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java‎
Lines changed: 8 additions & 0 deletions b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java‎
Lines changed: 26 additions & 13 deletions b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java‎
Lines changed: 26 additions & 13 deletions
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNode.java‎
Lines changed: 3 additions & 1 deletion b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNode.java‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeShutdownHook.java‎
Lines changed: 13 additions & 15 deletions b/‎iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeShutdownHook.java‎
Lines changed: 13 additions & 15 deletions
@@ -49,6 +49,9 @@ public CNAuditLogger(ConfigManager configManager) {
   }
 
   public void log(AuditLogFields auditLogFields, String log) {
+    if (!IS_AUDIT_LOG_ENABLED) {
+      return;
+    }
     if (!checkBeforeLog(auditLogFields)) {
       return;
     }
 
@@ -96,7 +96,6 @@ public class DNAuditLogger extends AbstractAuditLogger {
   private static final String AUDIT_LOG_DEVICE = "root.__audit.log.node_%s.u_%s";
   private static final String AUDIT_LOGIN_LOG_DEVICE = "root.__audit.login.node_%s.u_%s";
   private static final String AUDIT_CN_LOG_DEVICE = "root.__audit.log.node_%s.u_all";
-  private static final Coordinator COORDINATOR = Coordinator.getInstance();
   private static final SessionInfo sessionInfo =
       new SessionInfo(
           0,
@@ -115,6 +114,8 @@ public class DNAuditLogger extends AbstractAuditLogger {
       DataNodeDevicePathCache.getInstance();
   private static final AtomicBoolean tableViewIsInitialized = new AtomicBoolean(false);
 
+  private Coordinator coordinator;
+
   private DNAuditLogger() {
     // Empty constructor
   }
@@ -123,6 +124,10 @@ public static DNAuditLogger getInstance() {
     return DNAuditLoggerHolder.INSTANCE;
   }
 
+  public void setCoordinator(Coordinator coordinator) {
+    DNAuditLoggerHolder.INSTANCE.coordinator = coordinator;
+  }
+
   @NotNull
   private static InsertRowStatement generateInsertStatement(
       AuditLogFields auditLogFields, String log, PartialPath log_device) {
@@ -224,7 +229,7 @@ public void createViewIfNecessary() {
                     + " WITH SCHEMA_REGION_GROUP_NUM=1, DATA_REGION_GROUP_NUM=1",
                 ZoneId.systemDefault());
         ExecutionResult result =
-            COORDINATOR.executeForTreeModel(
+            coordinator.executeForTreeModel(
                 statement,
                 SESSION_MANAGER.requestQueryId(),
                 sessionInfo,
@@ -253,7 +258,7 @@ public void createViewIfNecessary() {
                   ZoneId.systemDefault(),
                   session);
           TSStatus status =
-              COORDINATOR.executeForTableModel(
+              coordinator.executeForTableModel(
                       stmt,
                       relationSqlParser,
                       session,
@@ -287,7 +292,7 @@ public void createViewIfNecessary() {
                   ZoneId.systemDefault(),
                   session);
           status =
-              COORDINATOR.executeForTableModel(
+              coordinator.executeForTableModel(
                       stmt,
                       relationSqlParser,
                       session,
@@ -314,6 +319,9 @@ public void createViewIfNecessary() {
   }
 
   public void log(AuditLogFields auditLogFields, String log) {
+    if (!IS_AUDIT_LOG_ENABLED) {
+      return;
+    }
     createViewIfNecessary();
     if (!checkBeforeLog(auditLogFields)) {
       return;
@@ -335,7 +343,7 @@ public void log(AuditLogFields auditLogFields, String log) {
       logger.error("Failed to log audit events because ", e);
       return;
     }
-    COORDINATOR.executeForTreeModel(
+    coordinator.executeForTreeModel(
         statement,
         SESSION_MANAGER.requestQueryId(),
         sessionInfo,
@@ -352,7 +360,7 @@ public void log(AuditLogFields auditLogFields, String log) {
         logger.error("Failed to log audit login events because ", e);
         return;
       }
-      COORDINATOR.executeForTreeModel(
+      coordinator.executeForTreeModel(
           statement,
           SESSION_MANAGER.requestQueryId(),
           sessionInfo,
@@ -373,7 +381,7 @@ public void logFromCN(AuditLogFields auditLogFields, String log, int nodeId)
             auditLogFields,
             log,
             DEVICE_PATH_CACHE.getPartialPath(String.format(AUDIT_CN_LOG_DEVICE, nodeId)));
-    COORDINATOR.executeForTreeModel(
+    coordinator.executeForTreeModel(
         statement,
         SESSION_MANAGER.requestQueryId(),
         sessionInfo,
 
@@ -23,6 +23,7 @@
 import org.apache.iotdb.commons.auth.AuthException;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
+import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.path.PathPatternTree;
 import org.apache.iotdb.commons.schema.column.ColumnHeader;
@@ -76,8 +77,8 @@ public class AuthorityChecker {
 
   public static final TSStatus SUCCEED = new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
 
-  public static int INTERNAL_AUDIT_USER_ID = -1;
-  public static String INTERNAL_AUDIT_USER = "__auditor";
+  public static final int INTERNAL_AUDIT_USER_ID = IoTDBConstant.INTERNAL_AUDIT_USER_ID;
+  public static final String INTERNAL_AUDIT_USER = IoTDBConstant.INTERNAL_AUDIT_USER;
 
   public static String ANY_SCOPE = "any";
 
 
@@ -649,6 +649,7 @@ private boolean checkRoleFromConfigNode(String username, String rolename) {
   /** Cache user. */
   public User cacheUser(TPermissionInfoResp tPermissionInfoResp) {
     User user = new User();
+    user.setUserId(tPermissionInfoResp.getUserInfo().getUserId());
     List<TPathPrivilege> privilegeList =
         tPermissionInfoResp.getUserInfo().getPermissionInfo().getPrivilegeList();
     user.setName(tPermissionInfoResp.getUserInfo().getPermissionInfo().getName());
 
@@ -281,10 +281,11 @@ public void customize(
     }
 
     userId =
-        Long.parseLong(
-            parameters.getStringByKeys(
+        parameters.getLongOrDefault(
+            Arrays.asList(
                 PipeSourceConstant.EXTRACTOR_IOTDB_USER_ID,
-                PipeSourceConstant.SOURCE_IOTDB_USER_ID));
+                PipeSourceConstant.SOURCE_IOTDB_USER_ID),
+            -1);
 
     userName =
         parameters.getStringByKeys(
 
@@ -103,6 +103,11 @@ public void checkCanShowOrUseDatabase(
   public void checkCanCreateTable(
       String userName, QualifiedObjectName tableName, IAuditEntity auditEntity) {
     InformationSchemaUtils.checkDBNameInWrite(tableName.getDatabaseName());
+    if (userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)
+        && tableName.getDatabaseName().equals(TABLE_MODEL_AUDIT_DATABASE)) {
+      // The internal audit user can create new tables in the audit database
+      return;
+    }
     checkAuditDatabase(tableName.getDatabaseName());
     if (hasGlobalPrivilege(userName, PrivilegeType.SYSTEM)) {
       return;
@@ -136,6 +141,11 @@ public void checkCanAlterTable(
   public void checkCanInsertIntoTable(
       String userName, QualifiedObjectName tableName, IAuditEntity auditEntity) {
     InformationSchemaUtils.checkDBNameInWrite(tableName.getDatabaseName());
+    if (userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)
+        && tableName.getDatabaseName().equals(TABLE_MODEL_AUDIT_DATABASE)) {
+      // Only the internal audit user can insert into the audit table
+      return;
+    }
     checkAuditDatabase(tableName.getDatabaseName());
     authChecker.checkTablePrivilege(userName, tableName, TableModelPrivilege.INSERT, auditEntity);
   }
@@ -410,7 +420,7 @@ public TSStatus checkFullPathWriteDataPermission(
     try {
       PartialPath path = new MeasurementPath(device, measurementId);
       // audit db is read-only
-      if (includeByAuditTreeDB(path)) {
+      if (includeByAuditTreeDB(path) && !userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
         return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
             .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
       }
 
@@ -118,6 +118,11 @@ public void checkDatabasePrivilege(
       TableModelPrivilege privilege,
       IAuditEntity auditEntity) {
     checkAuditDatabase(userName, privilege, databaseName, auditEntity);
+    if (userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)
+        && databaseName.equals(TABLE_MODEL_AUDIT_DATABASE)) {
+      // The internal auditor has any privilege to the audit database
+      return;
+    }
 
     if (AuthorityChecker.SUPER_USER.equals(userName)) {
       recordAuditLog(
@@ -153,6 +158,9 @@ private static void checkAuditDatabase(
       TableModelPrivilege privilege,
       String databaseName,
       IAuditEntity auditEntity) {
+    if (userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+      return;
+    }
     if (TABLE_MODEL_AUDIT_DATABASE.equalsIgnoreCase(databaseName)) {
       if (privilege == TableModelPrivilege.SELECT) {
         checkCanSelectAuditTable(userName, auditEntity);
 
@@ -307,7 +307,8 @@ public TSStatus visitCreateLogicalView(
                     .concatNode(IoTDBConstant.ONE_LEVEL_PATH_WILDCARD));
     for (PartialPath path : paths) {
       // audit db is read-only
-      if (includeByAuditTreeDB(path)) {
+      if (includeByAuditTreeDB(path)
+          && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
         return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
             .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
       }
@@ -400,7 +401,8 @@ public TSStatus visitAlterLogicalView(
   public TSStatus visitRenameLogicalView(
       RenameLogicalViewStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
-    if (includeByAuditTreeDB(statement.getNewName())) {
+    if (includeByAuditTreeDB(statement.getNewName())
+        && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
       return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
           .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
     }
@@ -774,7 +776,8 @@ public TSStatus visitInsertBase(InsertBaseStatement statement, TreeAccessCheckCo
 
     for (PartialPath path : statement.getDevicePaths()) {
       // audit db is read-only
-      if (includeByAuditTreeDB(path)) {
+      if (includeByAuditTreeDB(path)
+          && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
         return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
             .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
       }
@@ -792,7 +795,8 @@ public TSStatus visitInsertBase(InsertBaseStatement statement, TreeAccessCheckCo
   @Override
   public TSStatus visitInsert(InsertStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
-    if (includeByAuditTreeDB(statement.getDevice())) {
+    if (includeByAuditTreeDB(statement.getDevice())
+        && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
       return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
           .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
     }
@@ -810,7 +814,8 @@ public TSStatus visitLoadFile(LoadTsFileStatement statement, TreeAccessCheckCont
   public TSStatus visitDeleteData(DeleteDataStatement statement, TreeAccessCheckContext context) {
     for (PartialPath path : statement.getPaths()) {
       // audit db is read-only
-      if (includeByAuditTreeDB(path)) {
+      if (includeByAuditTreeDB(path)
+          && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
         return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
             .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
       }
@@ -857,7 +862,8 @@ public static TSStatus checkTimeSeriesPermission(
   public TSStatus visitCreateTimeseries(
       CreateTimeSeriesStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
-    if (includeByAuditTreeDB(statement.getPath())) {
+    if (includeByAuditTreeDB(statement.getPath())
+        && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
       return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
           .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
     }
@@ -869,7 +875,8 @@ public TSStatus visitCreateTimeseries(
   public TSStatus visitCreateAlignedTimeseries(
       CreateAlignedTimeSeriesStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
-    if (includeByAuditTreeDB(statement.getDevicePath())) {
+    if (includeByAuditTreeDB(statement.getDevicePath())
+        && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
       return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
           .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
     }
@@ -882,7 +889,8 @@ public TSStatus visitCreateMultiTimeSeries(
       CreateMultiTimeSeriesStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
     for (PartialPath path : statement.getPaths()) {
-      if (includeByAuditTreeDB(path)) {
+      if (includeByAuditTreeDB(path)
+          && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
         return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
             .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
       }
@@ -897,7 +905,8 @@ public TSStatus visitInternalCreateMultiTimeSeries(
       InternalCreateMultiTimeSeriesStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
     for (PartialPath path : statement.getDeviceMap().keySet()) {
-      if (includeByAuditTreeDB(path)) {
+      if (includeByAuditTreeDB(path)
+          && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
         return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
             .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
       }
@@ -910,7 +919,8 @@ public TSStatus visitInternalCreateMultiTimeSeries(
   public TSStatus visitInternalCreateTimeseries(
       InternalCreateTimeSeriesStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
-    if (includeByAuditTreeDB(statement.getDevicePath())) {
+    if (includeByAuditTreeDB(statement.getDevicePath())
+        && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
       return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
           .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
     }
@@ -1012,7 +1022,8 @@ public TSStatus visitShowChildPaths(
   public TSStatus visitAlterTimeSeries(
       AlterTimeSeriesStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
-    if (includeByAuditTreeDB(statement.getPath())) {
+    if (includeByAuditTreeDB(statement.getPath())
+        && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
       return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
           .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
     }
@@ -1025,7 +1036,8 @@ public TSStatus visitDeleteTimeSeries(
       DeleteTimeSeriesStatement statement, TreeAccessCheckContext context) {
     // audit db is read-only
     for (PartialPath path : statement.getPathPatternList()) {
-      if (includeByAuditTreeDB(path)) {
+      if (includeByAuditTreeDB(path)
+          && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
         return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
             .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
       }
@@ -1387,7 +1399,8 @@ protected boolean checkHasGlobalAuth(String userName, PrivilegeType requiredPriv
   }
 
   protected TSStatus checkWriteOnReadOnlyPath(PartialPath path) {
-    if (includeByAuditTreeDB(path)) {
+    if (includeByAuditTreeDB(path)
+        && !AuthorityChecker.INTERNAL_AUDIT_USER.equals(path.getFullPath())) {
       return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
           .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
     }
 
@@ -86,6 +86,7 @@
 import org.apache.iotdb.db.qp.sql.SqlLexer;
 import org.apache.iotdb.db.queryengine.execution.exchange.MPPDataExchangeService;
 import org.apache.iotdb.db.queryengine.execution.schedule.DriverScheduler;
+import org.apache.iotdb.db.queryengine.plan.Coordinator;
 import org.apache.iotdb.db.queryengine.plan.analyze.cache.schema.DataNodeTTLCache;
 import org.apache.iotdb.db.queryengine.plan.parser.ASTVisitor;
 import org.apache.iotdb.db.queryengine.plan.parser.StatementGenerator;
@@ -266,8 +267,9 @@ protected void start() {
       logger.info("IoTDB configuration: {}", config.getConfigMessage());
       logger.info("Congratulations, IoTDB DataNode is set up successfully. Now, enjoy yourself!");
 
-      // Start the Audit Service
+      // Start the Audit Service when necessary
       if (CommonDescriptor.getInstance().getConfig().isEnableAuditLog()) {
+        DNAuditLogger.getInstance().setCoordinator(Coordinator.getInstance());
         AuditLogFields fields =
             new AuditLogFields(
                 null,
 
@@ -95,21 +95,19 @@ private void startWatcher() {
   @Override
   public void run() {
     logger.info("DataNode exiting...");
-    if (CommonDescriptor.getInstance().getConfig().isEnableAuditLog()) {
-      AuditLogFields fields =
-          new AuditLogFields(
-              null,
-              -1,
-              null,
-              AuditEventType.DN_SHUTDOWN,
-              AuditLogOperation.CONTROL,
-              PrivilegeType.SYSTEM,
-              true,
-              null,
-              null);
-      String logMessage = String.format("DataNode %s exiting...", nodeLocation);
-      DNAuditLogger.getInstance().log(fields, logMessage);
-    }
+    AuditLogFields fields =
+        new AuditLogFields(
+            null,
+            -1,
+            null,
+            AuditEventType.DN_SHUTDOWN,
+            AuditLogOperation.CONTROL,
+            PrivilegeType.SYSTEM,
+            true,
+            null,
+            null);
+    String logMessage = String.format("DataNode %s exiting...", nodeLocation);
+    DNAuditLogger.getInstance().log(fields, logMessage);
 
     startWatcher();
     // Stop external rpc service firstly.
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,9 @@ public CNAuditLogger(ConfigManager configManager) {`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`public void log(AuditLogFields auditLogFields, String log) {`
	`52`	`+ if (!IS_AUDIT_LOG_ENABLED) {`
	`53`	`+ return;`
	`54`	`+ }`
`52`	`55`	`if (!checkBeforeLog(auditLogFields)) {`
`53`	`56`	`return;`
`54`	`57`	`}`