From f25365983fd743ebdb5b0123b189a9a72ed539e9 Mon Sep 17 00:00:00 2001
From: Caideyipi <87789683+Caideyipi@users.noreply.github.com>
Date: Mon, 29 Jun 2026 19:05:58 +0800
Subject: [PATCH] Fix stale auth cache denial after grants

---
 .../iotdb/db/auth/ClusterAuthorityFetcher.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index 641ead173d2be..78a7459191278 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -119,11 +119,21 @@ private TSStatus checkPrivilege(
 if (remoteCheck) {
 return checkPrivilegeFromConfigNode(req).getStatus();
 }
- return RpcUtils.getStatus(TSStatusCode.NO_PERMISSION);
+ return confirmCachedDenyFromConfigNode(req);
 }
 return checkPrivilegeFromConfigNode(req).getStatus();
 }
 
+ // Cached denials can be stale when login repopulates a user during grant invalidation.
+ private TSStatus confirmCachedDenyFromConfigNode(TCheckUserPrivilegesReq req) {
+ TSStatus remoteStatus = checkPrivilegeFromConfigNode(req).getStatus();
+ if (remoteStatus.getCode() == TSStatusCode.EXECUTE_STATEMENT_ERROR.getStatusCode()
+ && CONNECTERROR.equals(remoteStatus.getMessage())) {
+ return RpcUtils.getStatus(TSStatusCode.NO_PERMISSION);
+ }
+ return remoteStatus;
+ }
+
 @Override
 public TSStatus checkUserSysPrivilege(String username, PrivilegeType permission) {
 checkCacheAvailable();
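Review bot: `confirmCachedDenyFromConfigNode` works around the stale cache entry rather than repairing it: nothing visible in the hunk refreshes or invalidates the cached user when the ConfigNode disagrees with the cached denial, so every denied check now costs a ConfigNode round trip, including repeated requests from a user who really lacks the privilege. Unless `checkPrivilegeFromConfigNode` already updates the cache, consider invalidating the entry when the remote status is a success and logging the mismatch, so the race is visible to operators and the extra RPC happens once rather than on every check. The same login-versus-invalidation race can presumably also leave a stale cached allow after a revoke, which is the direction with security impact; the cached-allow path sits in the part of `checkPrivilege` above this hunk and is worth checking for the same problem. Falling back to `NO_PERMISSION` when the ConfigNode is unreachable keeps the check fail-closed, but `CONNECTERROR.equals(remoteStatus.getMessage())` ties that decision to a message string, so a comment on the branch such as `// ConfigNode unreachable: keep the cached denial (fail closed)` would record the intent.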