From 3bb51887b628677ec2e94bf7407e109cb5415369 Mon Sep 17 00:00:00 2001
From: Harbor Liu <460660596@qq.com>
Date: Thu, 2 Jan 2025 19:30:43 +0800
Subject: [PATCH] fix
---
 .../com/starrocks/alter/AlterJobExecutor.java | 7 ++
 .../authorization/ColumnPrivilege.java | 2 +-
 .../starrocks/sql/analyzer/ViewAnalyzer.java | 4 +
 .../com/starrocks/sql/ast/AlterViewStmt.java | 10 +-
 .../com/starrocks/sql/parser/AstBuilder.java | 20 +++-
 .../R/test_alter_view | 0
 test/sql/test_view/R/test_security_view | 107 ++++++++++++++++++
 .../T/test_alter_view | 0
 test/sql/test_view/T/test_security_view | 45 ++++++++
 9 files changed, 188 insertions(+), 7 deletions(-)
 rename test/sql/{test_alter_view => test_view}/R/test_alter_view (100%)
 create mode 100644 test/sql/test_view/R/test_security_view
 rename test/sql/{test_alter_view => test_view}/T/test_alter_view (100%)
 create mode 100644 test/sql/test_view/T/test_security_view
diff --git a/fe/fe-core/src/main/java/com/starrocks/alter/AlterJobExecutor.java b/fe/fe-core/src/main/java/com/starrocks/alter/AlterJobExecutor.java
index b363d7e5abd1cf..126271f8f8f974 100644
--- a/fe/fe-core/src/main/java/com/starrocks/alter/AlterJobExecutor.java
+++ b/fe/fe-core/src/main/java/com/starrocks/alter/AlterJobExecutor.java
@@ -35,6 +35,7 @@
 import com.starrocks.catalog.RangePartitionInfo;
 import com.starrocks.catalog.Table;
 import com.starrocks.catalog.Type;
+import com.starrocks.catalog.View;
 import com.starrocks.common.AnalysisException;
 import com.starrocks.common.DdlException;
 import com.starrocks.common.ErrorCode;
@@ -205,6 +206,12 @@ public Void visitAlterViewStatement(AlterViewStmt statement, ConnectContext cont
 this.db = db;
 this.table = table;
+
+ if (statement.getAlterClause() == null) {
+ ((View) table).setSecurity(statement.isSecurity());
+ return null;
+ }
+
 AlterViewClause alterViewClause = (AlterViewClause) statement.getAlterClause();
 visit(alterViewClause, context);
 return null;
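Review bot: The new null-`alterClause` branch in `visitAlterViewStatement` changes the view's security mode with `((View) table).setSecurity(statement.isSecurity());` and returns, and nothing visible in the hunk takes a lock or writes an edit-log entry for that change. If the new mode lives only in this FE's memory, a restart or leader change would put the view back to its previous mode without any error; going by the test added in this patch, INVOKER is the mode under which a user holding only view grants is denied, so losing it would loosen access. Route the change through the same locking and journal/replay handling that the `visit(alterViewClause, context)` path uses, or at minimum mark the gap with `// FIXME: security mode change is not persisted or replicated`. The method starts before the hunk and the `AlterViewClause` visitor is not shown, so how that path persists its changes needs confirming.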
diff --git a/fe/fe-core/src/main/java/com/starrocks/authorization/ColumnPrivilege.java b/fe/fe-core/src/main/java/com/starrocks/authorization/ColumnPrivilege.java
index 49af867c6d0672..4b3c8a949e79b7 100644
--- a/fe/fe-core/src/main/java/com/starrocks/authorization/ColumnPrivilege.java
+++ b/fe/fe-core/src/main/java/com/starrocks/authorization/ColumnPrivilege.java
@@ -154,7 +154,7 @@ public static void check(ConnectContext context, QueryStatement stmt, List allTables = view.getTableRefs();
 for (TableName t : allTables) {
 BasicTable basicTable = GlobalStateMgr.getCurrentState().getMetadataMgr().getBasicTable(
- t.getCatalog(), t.getDb(), t.getTbl());
+ InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME, t.getDb(), t.getTbl());
 Authorizer.checkAnyActionOnTableLikeObject(context.getCurrentUserIdentity(), null, t.getDb(), basicTable);
diff --git a/fe/fe-core/src/main/java/com/starrocks/sql/analyzer/ViewAnalyzer.java b/fe/fe-core/src/main/java/com/starrocks/sql/analyzer/ViewAnalyzer.java
index 1d1df0f360a3d5..6725d700eca829 100644
--- a/fe/fe-core/src/main/java/com/starrocks/sql/analyzer/ViewAnalyzer.java
+++ b/fe/fe-core/src/main/java/com/starrocks/sql/analyzer/ViewAnalyzer.java
@@ -80,6 +80,10 @@ public Void visitAlterViewStatement(AlterViewStmt stmt, ConnectContext context)
 throw new SemanticException("The specified table [" + tableName + "] is not a view");
 }
+ if (stmt.getAlterClause() == null) {
+ return null;
+ }
+
 AlterClause alterClause = stmt.getAlterClause();
 AlterViewClause alterViewClause = (AlterViewClause) alterClause;
diff --git a/fe/fe-core/src/main/java/com/starrocks/sql/ast/AlterViewStmt.java b/fe/fe-core/src/main/java/com/starrocks/sql/ast/AlterViewStmt.java
index 80def814b45011..eaee17cd61c853 100644
--- a/fe/fe-core/src/main/java/com/starrocks/sql/ast/AlterViewStmt.java
+++ b/fe/fe-core/src/main/java/com/starrocks/sql/ast/AlterViewStmt.java
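Review bot: Hard-coding `InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME` in the `getBasicTable` call of the ColumnPrivilege hunk discards whatever catalog the view's table reference carried, so a reference that names another catalog would be looked up in the internal catalog under the same db and table name. The privilege check that follows would then run against a different object, or against a null `basicTable` if no such table exists there. If the motive is that `t.getCatalog()` can be null for references stored without a catalog, fall back only in that case, for example `t.getCatalog() != null ? t.getCatalog() : InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME`, and add a comment stating the reason. The loop sits inside `check`, which starts and ends outside the hunk, so whether views over other catalogs reach this path is not visible here.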
@@ -20,11 +20,13 @@
 // Alter view statement
 public class AlterViewStmt extends DdlStmt {
 private final TableName tableName;
+ private final boolean security;
 private final AlterClause alterClause;
- public AlterViewStmt(TableName tableName, AlterClause alterClause, NodePosition pos) {
+ public AlterViewStmt(TableName tableName, boolean security, AlterClause alterClause, NodePosition pos) {
 super(pos);
 this.tableName = tableName;
+ this.security = security;
 this.alterClause = alterClause;
 }
@@ -34,13 +36,17 @@ public static AlterViewStmt fromReplaceStmt(CreateViewStmt stmt) {
 alterViewClause.setInlineViewDef(stmt.getInlineViewDef());
 alterViewClause.setColumns(stmt.getColumns());
 alterViewClause.setComment(stmt.getComment());
- return new AlterViewStmt(stmt.getTableName(), alterViewClause, NodePosition.ZERO);
+ return new AlterViewStmt(stmt.getTableName(), stmt.isSecurity(), alterViewClause, NodePosition.ZERO);
 }
 public TableName getTableName() {
 return tableName;
 }
+ public boolean isSecurity() {
+ return security;
+ }
+
 public AlterClause getAlterClause() {
 return alterClause;
 }
diff --git a/fe/fe-core/src/main/java/com/starrocks/sql/parser/AstBuilder.java b/fe/fe-core/src/main/java/com/starrocks/sql/parser/AstBuilder.java
index 48463a476e4dcb..281df72d0b80e1 100644
--- a/fe/fe-core/src/main/java/com/starrocks/sql/parser/AstBuilder.java
+++ b/fe/fe-core/src/main/java/com/starrocks/sql/parser/AstBuilder.java
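Review bot: The new `security` field is an undocumented boolean, and a null `alterClause` now doubles as the marker for a security-only alter, which the `ViewAnalyzer` and `AlterJobExecutor` hunks each test for separately. Add a field comment such as `// true = SECURITY INVOKER, false = SECURITY NONE` and say in the constructor's Javadoc that `alterClause` is null when only the security mode is being changed. In the second hunk `fromReplaceStmt` now forwards `stmt.isSecurity()`, but the executor applies the flag only when `alterClause` is null, so on the replace path the value looks carried and then ignored unless the `AlterViewClause` visitor, which is not shown, picks it up.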
@@ -1642,13 +1642,25 @@ public ParseNode visitAlterViewStatement(StarRocksParser.AlterViewStatementConte
 TableName targetTableName = qualifiedNameToTableName(qualifiedName);
 List colWithComments = null;
- if (context.columnNameWithComment().size() > 0) {
+ if (!context.columnNameWithComment().isEmpty()) {
 colWithComments = visit(context.columnNameWithComment(), ColWithComment.class);
 }
- QueryStatement queryStatement = (QueryStatement) visit(context.queryStatement());
- AlterClause alterClause = new AlterViewClause(colWithComments, queryStatement, createPos(context));
- return new AlterViewStmt(targetTableName, alterClause, createPos(context));
+ boolean isSecurity = false;
+ if (context.SECURITY() != null) {
+ if (context.NONE() != null) {
+ isSecurity = false;
+ } else if (context.INVOKER() != null) {
+ isSecurity = true;
+ }
+
+ return new AlterViewStmt(targetTableName, isSecurity, null, createPos(context));
+ } else {
+ QueryStatement queryStatement = (QueryStatement) visit(context.queryStatement());
+ AlterClause alterClause = new AlterViewClause(colWithComments, queryStatement, createPos(context));
+
+ return new AlterViewStmt(targetTableName, isSecurity, alterClause, createPos(context));
+ }
 }
 @Override
diff --git a/test/sql/test_alter_view/R/test_alter_view b/test/sql/test_view/R/test_alter_view
similarity index 100%
rename from test/sql/test_alter_view/R/test_alter_view
rename to test/sql/test_view/R/test_alter_view
diff --git a/test/sql/test_view/R/test_security_view b/test/sql/test_view/R/test_security_view
new file mode 100644
index 00000000000000..60317cdfe48f40
--- /dev/null
+++ b/test/sql/test_view/R/test_security_view
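Review bot: In the `SECURITY` branch of `visitAlterViewStatement` the `NONE`/`INVOKER` chain has no final `else`, so if the grammar ever yields `SECURITY` with neither token the statement is built with `isSecurity` still false and the view is quietly set to SECURITY NONE. The assignment `isSecurity = false;` in the first arm is also a no-op. Either reduce the chain to `boolean isSecurity = context.INVOKER() != null;` or add an `else` that raises a parse error, so an unrecognised mode cannot fall back to the default. `colWithComments` is still computed before the branch and then dropped on the security path; the method's signature is truncated in the hunk header and its opening lines are outside the hunk.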
@@ -0,0 +1,107 @@
+-- name: test_security_view
+create table t1(c1 bigint, c2 bigint);
+-- result:
+-- !result
+create table t2(c3 bigint, c4 bigint);
+-- result:
+-- !result
+create view v1 as select * from t1, t2;
+-- result:
+-- !result
+create view v2 security invoker as select * from t1, t2;
+-- result:
+-- !result
+create user if not exists u1;
+-- result:
+-- !result
+grant impersonate on user root to u1;
+-- result:
+-- !result
+grant select on view v1 to user u1;
+-- result:
+-- !result
+grant select on view v2 to user u1;
+-- result:
+-- !result
+create user if not exists u2;
+-- result:
+-- !result
+grant impersonate on user root to u2;
+-- result:
+-- !result
+grant select on table t1 to user u2;
+-- result:
+-- !result
+grant select on table t2 to user u2;
+-- result:
+-- !result
+grant select on view v1 to user u2;
+-- result:
+-- !result
+grant select on view v2 to user u2;
+-- result:
+-- !result
+execute as u1 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+E: (5203, 'Access denied; you need (at least one of) the SELECT privilege(s) on VIEW v2 for this operation. Please ask the admin to grant permission(s) or try activating existing roles using . Current role(s): NONE. Inactivated role(s): NONE.')
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+execute as u2 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+alter view v1 set security invoker;
+-- result:
+E: (1064, 'Cannot invoke "org.antlr.v4.runtime.tree.ParseTree.accept(org.antlr.v4.runtime.tree.ParseTreeVisitor)" because "tree" is null')
+-- !result
+alter view v2 set security none;
+-- result:
+E: (1064, 'Cannot invoke "org.antlr.v4.runtime.tree.ParseTree.accept(org.antlr.v4.runtime.tree.ParseTreeVisitor)" because "tree" is null')
+-- !result
+execute as u1 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+E: (5203, 'Access denied; you need (at least one of) the SELECT privilege(s) on VIEW v2 for this operation. Please ask the admin to grant permission(s) or try activating existing roles using . Current role(s): NONE. Inactivated role(s): NONE.')
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+execute as u2 with no revert;
+-- result:
+-- !result
+select * from v1;
+-- result:
+-- !result
+select * from v2;
+-- result:
+-- !result
+execute as root with no revert;
+-- result:
+-- !result
+drop user u1;
+-- result:
+-- !result
+drop user u2;
+-- result:
+-- !result
\ No newline at end of file
diff --git a/test/sql/test_alter_view/T/test_alter_view b/test/sql/test_view/T/test_alter_view
similarity index 100%
rename from test/sql/test_alter_view/T/test_alter_view
rename to test/sql/test_view/T/test_alter_view
diff --git a/test/sql/test_view/T/test_security_view b/test/sql/test_view/T/test_security_view
new file mode 100644
index 00000000000000..b926495defd4b8
--- /dev/null
+++ b/test/sql/test_view/T/test_security_view
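Review bot: The recorded results for `alter view v1 set security invoker;` and `alter view v2 set security none;` are both `E: (1064, 'Cannot invoke "org.antlr.v4.runtime.tree.ParseTree.accept(...)" because "tree" is null')`, so this file pins a parser NullPointerException as the expected outcome of the statement the commit adds. The selects after the alters return exactly what they returned before them (u1 reads v1 and is denied on v2), which is consistent with neither alter having taken effect. As recorded, the test passes only while the feature is broken and never shows a security-mode change altering who can read a view. Re-record the file against the patched build so both alters show an empty result and the u1 selects reflect the swapped modes; the statements in `T/test_security_view` can stay as they are.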
@@ -0,0 +1,45 @@
+-- name: test_security_view
+
+create table t1(c1 bigint, c2 bigint);
+create table t2(c3 bigint, c4 bigint);
+
+create view v1 as select * from t1, t2;
+create view v2 security invoker as select * from t1, t2;
+
+create user if not exists u1;
+grant impersonate on user root to u1;
+grant select on view v1 to user u1;
+grant select on view v2 to user u1;
+
+create user if not exists u2;
+grant impersonate on user root to u2;
+grant select on table t1 to user u2;
+grant select on table t2 to user u2;
+grant select on view v1 to user u2;
+grant select on view v2 to user u2;
+
+execute as u1 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+execute as u2 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+alter view v1 set security invoker;
+alter view v2 set security none;
+
+execute as u1 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+execute as u2 with no revert;
+select * from v1;
+select * from v2;
+execute as root with no revert;
+
+drop user u1;
+drop user u2;
\ No newline at end of file