[IOTDB-4153]Grant ALL privileges to different paths return privilege exists (apache#7023)

[IOTDB-4153]Grant ALL privileges to different paths return privilege exists (apache#7023)

Author: yifuzhou

antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4

@@ -537,7 +537,7 @@ grantUser
 
 // Grant Role Privileges
 grantRole
-    : GRANT ROLE roleName=identifier PRIVILEGES privileges ON prefixPath (COMMA prefixPath)*
+    : GRANT ROLE roleName=identifier PRIVILEGES privileges (ON prefixPath (COMMA prefixPath)*)?
     ;
 
 // Grant User Role
@@ -552,7 +552,7 @@ revokeUser
 
 // Revoke Role Privileges
 revokeRole
-    : REVOKE ROLE roleName=identifier PRIVILEGES privileges ON prefixPath (COMMA prefixPath)*
+    : REVOKE ROLE roleName=identifier PRIVILEGES privileges (ON prefixPath (COMMA prefixPath)*)?
     ;
 
 // Revoke Role From User

docs/UserGuide/Administration-Management/Administration.md

@@ -184,27 +184,29 @@ Eg: IoTDB > DROP ROLE `admin`;
 ```
 GRANT USER <userName> PRIVILEGES <privileges> ON <nodeNames>;  
 Eg: IoTDB > GRANT USER `tempuser` PRIVILEGES INSERT_TIMESERIES, DELETE_TIMESERIES on root.ln.**, root.sgcc.**;
+Eg: IoTDB > GRANT USER `tempuser` PRIVILEGES CREATE_ROLE;
 ```
 
 - Grant User All Privileges
 
 ```
-GRANT USER <userName> PRIVILEGES ALL ON <nodeNames>; 
-Eg: IoTDB > grant user renyuhua privileges all on root.sgcc.**, root.**;
+GRANT USER <userName> PRIVILEGES ALL; 
+Eg: IoTDB > GRANT USER `tempuser` PRIVILEGES ALL;
 ```
 
 * Grant Role Privileges
 
 ```
 GRANT ROLE <roleName> PRIVILEGES <privileges> ON <nodeNames>;  
 Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES INSERT_TIMESERIES, DELETE_TIMESERIES ON root.sgcc.**, root.ln.**;
+Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES CREATE_ROLE;
 ```
 
 - Grant Role All Privileges
 
 ```
 GRANT ROLE <roleName> PRIVILEGES ALL ON <nodeNames>;  
-Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES ALL ON root.ln.**;
+Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES ALL;
 ```
 
 * Grant User Role
@@ -219,27 +221,29 @@ Eg: IoTDB > GRANT `temprole` TO tempuser;
 ```
 REVOKE USER <userName> PRIVILEGES <privileges> ON <nodeNames>;   
 Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES DELETE_TIMESERIES on root.ln.**;
+Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES CREATE_ROLE;
 ```
 
 * Revoke User All Privileges
 
 ```
-REVOKE USER <userName> PRIVILEGES ALL ON <nodeNames>; 
-Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES ALL on root.ln.**;
+REVOKE USER <userName> PRIVILEGES ALL; 
+Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES ALL;
 ```
 
 * Revoke Role Privileges
 
 ```
 REVOKE ROLE <roleName> PRIVILEGES <privileges> ON <nodeNames>;  
 Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES DELETE_TIMESERIES ON root.ln.**;
+Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES CREATE_ROLE;
 ```
 
 * Revoke All Role Privileges
 
 ```
-REVOKE ROLE <roleName> PRIVILEGES ALL ON <nodeNames>;  
-Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES ALL ON root.ln.**;
+REVOKE ROLE <roleName> PRIVILEGES ALL;  
+Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES ALL;
 ```
 
 * Revoke Role From User
@@ -396,6 +400,8 @@ At the same time, changes to roles are immediately reflected on all users who ow
 |APPLY_TEMPLATE|set, unset and activate schema template; path dependent|Eg1: `set schema template t1 to root.sg.d`<br/>Eg2: `create timeseries of schema template on root.sg.d`
 |READ_TEMPLATE_APPLICATION|show paths set and using schema template; path independent|Eg1: `show paths set schema template t1`<br/>Eg2: `show paths using schema template t1`
 
+Note that path dependent privileges can only be granted or revoked on root.**;
+
 Note that the following SQL statements need to be granted multiple permissions before they can be used：
 
 - Import data: Need to assign `READ_TIMESERIES`，`INSERT_TIMESERIES` two permissions.。

docs/zh/UserGuide/Administration-Management/Administration.md

@@ -183,27 +183,29 @@ Eg: IoTDB > DROP ROLE `admin`;
 ```
 GRANT USER <userName> PRIVILEGES <privileges> ON <nodeNames>;  
 Eg: IoTDB > GRANT USER `tempuser` PRIVILEGES INSERT_TIMESERIES, DELETE_TIMESERIES on root.ln.**, root.sgcc.**;
+Eg: IoTDB > GRANT USER `tempuser` PRIVILEGES CREATE_ROLE;
 ```
 
 - 赋予用户全部的权限
 
 ```
-GRANT USER <userName> PRIVILEGES ALL ON <nodeNames>; 
-Eg: IoTDB > grant user renyuhua privileges all on root.sgcc.**, root.**;
+GRANT USER <userName> PRIVILEGES ALL; 
+Eg: IoTDB > GRANT USER `tempuser` PRIVILEGES ALL;
 ```
 
 * 赋予角色权限
 
 ```
 GRANT ROLE <roleName> PRIVILEGES <privileges> ON <nodeNames>;  
 Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES INSERT_TIMESERIES, DELETE_TIMESERIES ON root.sgcc.**, root.ln.**;
+Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES CREATE_ROLE;
 ```
 
 - 赋予角色全部的权限
 
 ```
-GRANT ROLE <roleName> PRIVILEGES ALL ON <nodeNames>;  
-Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES ALL ON root.ln.**;
+GRANT ROLE <roleName> PRIVILEGES ALL;  
+Eg: IoTDB > GRANT ROLE `temprole` PRIVILEGES ALL;
 ```
 
 * 赋予用户角色
@@ -218,27 +220,29 @@ Eg: IoTDB > GRANT `temprole` TO tempuser;
 ```
 REVOKE USER <userName> PRIVILEGES <privileges> ON <nodeNames>;   
 Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES DELETE_TIMESERIES on root.ln.**;
+Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES CREATE_ROLE;
 ```
 
 - 移除用户所有权限
 
 ```
-REVOKE USER <userName> PRIVILEGES ALL ON <nodeNames>; 
-Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES ALL on root.ln.**;
+REVOKE USER <userName> PRIVILEGES ALL; 
+Eg: IoTDB > REVOKE USER `tempuser` PRIVILEGES ALL;
 ```
 
 * 撤销角色权限
 
 ```
 REVOKE ROLE <roleName> PRIVILEGES <privileges> ON <nodeNames>;  
 Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES DELETE_TIMESERIES ON root.ln.**;
+Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES CREATE_ROLE;
 ```
 
 - 撤销角色全部的权限
 
 ```
-REVOKE ROLE <roleName> PRIVILEGES ALL ON <nodeNames>;  
-Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES ALL ON root.ln.**;
+REVOKE ROLE <roleName> PRIVILEGES ALL;  
+Eg: IoTDB > REVOKE ROLE `temprole` PRIVILEGES ALL;
 ```
 
 * 撤销用户角色
@@ -395,6 +399,8 @@ Eg: IoTDB > ALTER USER `tempuser` SET PASSWORD 'newpwd';
 |APPLY_TEMPLATE|挂载、卸载、激活模板。路径有关。|Eg1: `set schema template t1 to root.sg.d`<br/>Eg2: `create timeseries of schema template on root.sg.d`
 |READ_TEMPLATE_APPLICATION|查看模板的挂载路径和激活路径。路径无关|Eg1: `show paths set schema template t1`<br/>Eg2: `show paths using schema template t1`
 
+注意： 路径无关的权限只能在路径root.**下赋予或撤销；
+
 注意: 下述sql语句需要赋予多个权限才可以使用：
 
 - 导入数据，需要赋予`READ_TIMESERIES`，`INSERT_TIMESERIES`两种权限。

integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java

@@ -1398,4 +1398,94 @@ public void testEmptySetAuthorityCheck() throws ClassNotFoundException, SQLExcep
       assertFalse(resultSet.next());
     }
   }
+
+  @Test
+  public void testCheckGrantRevokePrivileges() throws ClassNotFoundException, SQLException {
+    Class.forName(Config.JDBC_DRIVER_NAME);
+    try (Connection adminCon =
+            DriverManager.getConnection(
+                Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "root", "root");
+        Statement adminStmt = adminCon.createStatement()) {
+      adminStmt.execute("CREATE USER tempuser 'temppw'");
+
+      adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL on root.**");
+      adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL on root.**");
+      adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL");
+      adminStmt.execute(
+          "GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES, READ_TIMESERIES on root.ln.**");
+      adminStmt.execute(
+          "REVOKE USER tempuser PRIVILEGES INSERT_TIMESERIES, READ_TIMESERIES on root.ln.**");
+      boolean caught = false;
+      try {
+        adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+
+      caught = false;
+      try {
+        adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+
+      caught = false;
+      try {
+        adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES, ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+
+      caught = false;
+      try {
+        adminStmt.execute("REVOKE USER tempuser PRIVILEGES INSERT_TIMESERIES, ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+
+      adminStmt.execute("CREATE ROLE temprole");
+      adminStmt.execute("GRANT ROLE temprole PRIVILEGES ALL on root.**");
+      adminStmt.execute("REVOKE ROLE temprole PRIVILEGES ALL on root.**");
+      adminStmt.execute("GRANT ROLE temprole PRIVILEGES ALL");
+      adminStmt.execute(
+          "GRANT ROLE temprole PRIVILEGES INSERT_TIMESERIES, READ_TIMESERIES on root.ln.**");
+      adminStmt.execute(
+          "REVOKE ROLE temprole PRIVILEGES INSERT_TIMESERIES, READ_TIMESERIES on root.ln.**");
+      caught = false;
+      try {
+        adminStmt.execute("GRANT ROLE temprole PRIVILEGES ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+
+      caught = false;
+      try {
+        adminStmt.execute("REVOKE ROLE temprole PRIVILEGES ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+
+      caught = false;
+      try {
+        adminStmt.execute("GRANT ROLE temprole PRIVILEGES INSERT_TIMESERIES, ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+
+      caught = false;
+      try {
+        adminStmt.execute("REVOKE ROLE temprole PRIVILEGES INSERT_TIMESERIES, ALL on root.ln.**");
+      } catch (Exception e) {
+        caught = true;
+      }
+      assertTrue(caught);
+    }
+  }
 }