diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index 641ead173d2be..78a7459191278 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -119,11 +119,21 @@ private TSStatus checkPrivilege(
 if (remoteCheck) {
 return checkPrivilegeFromConfigNode(req).getStatus();
 }
- return RpcUtils.getStatus(TSStatusCode.NO_PERMISSION);
+ return confirmCachedDenyFromConfigNode(req);
 }
 return checkPrivilegeFromConfigNode(req).getStatus();
 }
 
+ // Cached denials can be stale when login repopulates a user during grant invalidation.
+ private TSStatus confirmCachedDenyFromConfigNode(TCheckUserPrivilegesReq req) {
+ TSStatus remoteStatus = checkPrivilegeFromConfigNode(req).getStatus();
+ if (remoteStatus.getCode() == TSStatusCode.EXECUTE_STATEMENT_ERROR.getStatusCode()
+ && CONNECTERROR.equals(remoteStatus.getMessage())) {
+ return RpcUtils.getStatus(TSStatusCode.NO_PERMISSION);
+ }
+ return remoteStatus;
+ }
+
 @Override
 public TSStatus checkUserSysPrivilege(String username, PrivilegeType permission) {
 checkCacheAvailable();
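Review bot: In `confirmCachedDenyFromConfigNode` the cached denial survives only when the remote status is exactly `EXECUTE_STATEMENT_ERROR` with the `CONNECTERROR` message; every other remote status, including other failure codes, replaces it. That stays fail-closed only if every caller treats any non-success code as a denial, which is not visible here, so it would be safer to let just an explicit success override the cache, e.g. `if (remoteStatus.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { return RpcUtils.getStatus(TSStatusCode.NO_PERMISSION); }`. Each cached denial now also costs a ConfigNode round trip, so the cache no longer absorbs repeated denied requests; unless `checkPrivilegeFromConfigNode` already refreshes the local entry on success, doing that here, or bounding how often one user can trigger the re-check, would limit the load. The new comment describes a login/invalidation race, and if the same race can leave a stale allow cached after a revoke, this hunk does not cover it; the allow path of `checkPrivilege` starts outside the hunk.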