fix

fe/fe-core/src/main/java/com/starrocks/alter/AlterJobExecutor.java

@@ -35,6 +35,7 @@
 import com.starrocks.catalog.RangePartitionInfo;
 import com.starrocks.catalog.Table;
 import com.starrocks.catalog.Type;
+import com.starrocks.catalog.View;
 import com.starrocks.common.AnalysisException;
 import com.starrocks.common.DdlException;
 import com.starrocks.common.ErrorCode;
@@ -205,6 +206,12 @@ public Void visitAlterViewStatement(AlterViewStmt statement, ConnectContext cont
 
         this.db = db;
         this.table = table;
+
+        if (statement.getAlterClause() == null) {
+            ((View) table).setSecurity(statement.isSecurity());
+            return null;
+        }
+
         AlterViewClause alterViewClause = (AlterViewClause) statement.getAlterClause();
         visit(alterViewClause, context);
         return null;

fe/fe-core/src/main/java/com/starrocks/authorization/ColumnPrivilege.java

@@ -154,7 +154,7 @@ public static void check(ConnectContext context, QueryStatement stmt, List<Table
                                 List<TableName> allTables = view.getTableRefs();
                                 for (TableName t : allTables) {
                                     BasicTable basicTable = GlobalStateMgr.getCurrentState().getMetadataMgr().getBasicTable(
-                                            t.getCatalog(), t.getDb(), t.getTbl());
+                                            InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME, t.getDb(), t.getTbl());
 
                                     Authorizer.checkAnyActionOnTableLikeObject(context.getCurrentUserIdentity(),
                                             null, t.getDb(), basicTable);

fe/fe-core/src/main/java/com/starrocks/sql/analyzer/ViewAnalyzer.java

@@ -80,6 +80,10 @@ public Void visitAlterViewStatement(AlterViewStmt stmt, ConnectContext context)
                 throw new SemanticException("The specified table [" + tableName + "] is not a view");
             }
 
+            if (stmt.getAlterClause() == null) {
+                return null;
+            }
+
             AlterClause alterClause = stmt.getAlterClause();
             AlterViewClause alterViewClause = (AlterViewClause) alterClause;
 

fe/fe-core/src/main/java/com/starrocks/sql/ast/AlterViewStmt.java

@@ -20,11 +20,13 @@
 // Alter view statement
 public class AlterViewStmt extends DdlStmt {
     private final TableName tableName;
+    private final boolean security;
     private final AlterClause alterClause;
 
-    public AlterViewStmt(TableName tableName, AlterClause alterClause, NodePosition pos) {
+    public AlterViewStmt(TableName tableName, boolean security, AlterClause alterClause, NodePosition pos) {
         super(pos);
         this.tableName = tableName;
+        this.security = security;
         this.alterClause = alterClause;
     }
 
@@ -34,13 +36,17 @@ public static AlterViewStmt fromReplaceStmt(CreateViewStmt stmt) {
         alterViewClause.setInlineViewDef(stmt.getInlineViewDef());
         alterViewClause.setColumns(stmt.getColumns());
         alterViewClause.setComment(stmt.getComment());
-        return new AlterViewStmt(stmt.getTableName(), alterViewClause, NodePosition.ZERO);
+        return new AlterViewStmt(stmt.getTableName(), stmt.isSecurity(), alterViewClause, NodePosition.ZERO);
     }
 
     public TableName getTableName() {
         return tableName;
     }
 
+    public boolean isSecurity() {
+        return security;
+    }
+
     public AlterClause getAlterClause() {
         return alterClause;
     }

fe/fe-core/src/main/java/com/starrocks/sql/parser/AstBuilder.java

@@ -1642,13 +1642,25 @@ public ParseNode visitAlterViewStatement(StarRocksParser.AlterViewStatementConte
         TableName targetTableName = qualifiedNameToTableName(qualifiedName);
 
         List<ColWithComment> colWithComments = null;
-        if (context.columnNameWithComment().size() > 0) {
+        if (!context.columnNameWithComment().isEmpty()) {
             colWithComments = visit(context.columnNameWithComment(), ColWithComment.class);
         }
-        QueryStatement queryStatement = (QueryStatement) visit(context.queryStatement());
-        AlterClause alterClause = new AlterViewClause(colWithComments, queryStatement, createPos(context));
 
-        return new AlterViewStmt(targetTableName, alterClause, createPos(context));
+        boolean isSecurity = false;
+        if (context.SECURITY() != null) {
+            if (context.NONE() != null) {
+                isSecurity = false;
+            } else if (context.INVOKER() != null) {
+                isSecurity = true;
+            }
+
+            return new AlterViewStmt(targetTableName, isSecurity, null, createPos(context));
+        } else {
+            QueryStatement queryStatement = (QueryStatement) visit(context.queryStatement());
+            AlterClause alterClause = new AlterViewClause(colWithComments, queryStatement, createPos(context));
+
+            return new AlterViewStmt(targetTableName, isSecurity, alterClause, createPos(context));
+        }
     }
 
     @Override

test/sql/test_view/R/test_security_view

@@ -0,0 +1,107 @@
+-- name: test_security_view
+create table t1(c1 bigint, c2 bigint);
+-- result:
+-- !result
+create table t2(c3 bigint, c4 bigint);
+-- result:
+-- !result
+create view v1 as select * from t1, t2;
+-- result:
+-- !result
+create view v2 security invoker as select * from t1, t2;
+-- result:
+-- !result
+create user if not exists u1;
+-- result:
+-- !result
+grant impersonate on user root to u1;
+-- result:
+-- !result
+grant select on view v1 to user u1;
+-- result:
+-- !result
+grant select on view v2 to user u1;
+-- result:
+-- !result
+create user if not exists u2;
+-- result:
+-- !result
+grant impersonate on user root to u2;
+-- result:
+-- !result
+grant select on table t1 to user u2;
+-- result:
+-- !result
+grant select on table t2 to user u2;
+-- result:
+-- !result
+grant select on view v1 to user u2;
+-- result:
+-- !result
+grant select on view v2 to user u2;
+-- result:
+-- !result
+execute as u1 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+E: (5203, 'Access denied; you need (at least one of) the SELECT privilege(s) on VIEW v2 for this operation. Please ask the admin to grant permission(s) or try activating existing roles using <set [default] role>. Current role(s): NONE. Inactivated role(s): NONE.')
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+execute as u2 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+alter view v1 set security invoker;
+-- result:
+E: (1064, 'Cannot invoke "org.antlr.v4.runtime.tree.ParseTree.accept(org.antlr.v4.runtime.tree.ParseTreeVisitor)" because "tree" is null')
+-- !result
+alter view v2 set security none;
+-- result:
+E: (1064, 'Cannot invoke "org.antlr.v4.runtime.tree.ParseTree.accept(org.antlr.v4.runtime.tree.ParseTreeVisitor)" because "tree" is null')
+-- !result
+execute as u1 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+E: (5203, 'Access denied; you need (at least one of) the SELECT privilege(s) on VIEW v2 for this operation. Please ask the admin to grant permission(s) or try activating existing roles using <set [default] role>. Current role(s): NONE. Inactivated role(s): NONE.')
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+execute as u2 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+drop user u1;
+-- result:
+-- !result
+drop user u2;
+-- result:
+-- !result

test/sql/test_view/T/test_security_view

@@ -0,0 +1,45 @@
+-- name: test_security_view
+
+create table t1(c1 bigint, c2 bigint);
+create table t2(c3 bigint, c4 bigint);
+
+create view v1 as select * from t1, t2;
+create view v2 security invoker as select * from t1, t2;
+
+create user if not exists u1;
+grant impersonate on user root to u1;
+grant select on view v1 to user u1;
+grant select on view v2 to user u1;
+
+create user if not exists u2;
+grant impersonate on user root to u2;
+grant select on table t1 to user u2;
+grant select on table t2 to user u2;
+grant select on view v1 to user u2;
+grant select on view v2 to user u2;
+
+execute as u1 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+execute as u2 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+alter view v1 set security invoker;
+alter view v2 set security none;
+
+execute as u1 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+execute as u2 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+drop user u1;
+drop user u2;