
branch-4.0: [fix](fe) Fix Ranger column-level privilege bypass when CTE combined #61741 #63047

Open
github-actions[bot] wants to merge 1 commit into branch-4.0 from auto-pick-61741-branch-4.0

github-actions bot commented May 7, 2026

Cherry-picked from #61741

…61741)

### What problem does this PR solve?

Issue Number: close #61631

Problem Summary: When a CTE (WITH ... AS) is referenced multiple times in a
JOIN query and is not inlined (due to inlineCTEReferencedThreshold), the
CheckPrivileges rule does not traverse the CTE producer subtree because
LogicalCTEConsumer is a leaf node in the plan tree. This means column-level
privileges on the CTE's underlying tables are never checked, allowing users
without proper column access to bypass Ranger authorization.

The fix adds a `visitLogicalCTEConsumer` override in `CheckPrivileges` that
explicitly retrieves the CTE producer plan (stored by `RewriteCteChildren`)
and traverses it for privilege checking. The `privChecked` flag remains on
`StatementContext` to preserve the view permission passthrough mechanism.

### Release note

Fixed a security issue where Ranger column-level privileges could be bypassed
when using CTE (WITH ... AS) combined with JOIN queries. Users without proper
column access permissions could read restricted columns through CTE+JOIN
patterns.

### Check List (For Author)

- Test: Unit Test / Manual test (verified with Ranger 2.7.0 + Doris 4.0.2 environment)
- Behavior changed: No
- Does this need documentation: No

---------

Co-authored-by: geshengli <geshengli@wps.cn>
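
The traversal gap described in the PR text above, as an added example that is not part of the PR or of Doris. It is a simplified Python model: the class and function names are hypothetical stand-ins, and the sample plan and grants are constructed. It shows a privilege walk that misses a restricted column when the CTE stays as consumer leaves, and finds it once the walk follows each consumer to its stored producer plan.

```python
from dataclasses import dataclass

# Simplified model of the plan shapes named in the PR. Not Doris code.
@dataclass(frozen=True)
class Scan:                 # reads columns from a base table
    table: str
    columns: tuple
    children: tuple = ()

@dataclass(frozen=True)
class Join:
    children: tuple

@dataclass(frozen=True)
class CTEConsumer:          # leaf node: refers to a producer plan by id only
    cte_id: int
    children: tuple = ()

def denied_columns(plan, grants, producers, follow_cte):
    """Return the sorted (table, column) pairs the walk finds without a grant.

    follow_cte=False models a walk that treats CTEConsumer as a plain leaf;
    follow_cte=True models a walk that also visits the stored producer plan.
    """
    denied = set()

    def visit(node):
        if isinstance(node, Scan):
            denied.update((node.table, c) for c in node.columns
                          if (node.table, c) not in grants)
        elif isinstance(node, CTEConsumer) and follow_cte:
            visit(producers[node.cte_id])
        for child in node.children:
            visit(child)

    visit(plan)
    return sorted(denied)

# Constructed sample: WITH c AS (SELECT id, salary FROM employees)
#                     SELECT ... FROM c a JOIN c b ON a.id = b.id
PRODUCERS = {0: Scan("employees", ("id", "salary"))}
GRANTS = {("employees", "id")}            # the user has no grant on salary
NOT_INLINED = Join((CTEConsumer(0), CTEConsumer(0)))
INLINED = Join((PRODUCERS[0], PRODUCERS[0]))

if __name__ == "__main__":
    print(denied_columns(INLINED, GRANTS, PRODUCERS, follow_cte=False))
    print(denied_columns(NOT_INLINED, GRANTS, PRODUCERS, follow_cte=False))
    print(denied_columns(NOT_INLINED, GRANTS, PRODUCERS, follow_cte=True))
```

A regression test for this class of bug should assert that the inlined and non-inlined forms of the same query produce the same denial.
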
@hello-stephen

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@hello-stephen

run buildall
