[Feature] Support security view

[HangyuanLiu]

Why I'm doing:

What I'm doing:

Fixes #54459

What type of PR is this:

• BugFix
• Feature
• Enhancement
• Refactor
• UT
• Doc
• Tool

Does this PR entail a change in behavior?

• Yes, this PR will result in a change in behavior.
• No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

• Interface/UI changes: syntax, type conversion, expression evaluation, display information
• Parameter changes: default values, similar parameters but with different default values
• Policy changes: use new policy to replace old one, functionality automatically enabled
• Feature removed
• Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

• I have added test cases for my bug fix or my new feature
• This pr needs user documentation (for new or modified features or behaviors)
  • I have added documentation for my new feature or new function
• This is a backport pr

Bugfix cherry-pick branch check:

• I have checked the version labels which the pr will be auto-backported to the target branch
  • 3.4
  • 3.3
  • 3.2
  • 3.1
  • 3.0

[starrocks-cr]

The most risky bug in this code is: security field might not be initialized, leading to potential security issues or incorrect behavior when its value is accessed.

You can modify the code like this:

private final boolean security;

to include a default value if security is optional and should default to false:

private final boolean security = false;

Furthermore, ensure that security is always initialized in the constructor. Since it appears security should already be passed as an argument, verify that all calls to the constructor now correctly include the security argument. If any call doesn’t or incorrectly handles security logic elsewhere, make sure to update those instances accordingly.

[starrocks-cr]

The most risky bug in this code is:
The isSecurity flag defaults to false, which may not correctly capture cases where both SECURITY and INVOKER contexts are absent.

You can modify the code like this:

boolean isSecurity = false;
if (context.SECURITY() != null) {
    if (context.NONE() != null) {
        isSecurity = false;
    } else if (context.INVOKER() != null) {
        isSecurity = true;
    } else {
        throw new ParsingException(PARSER_ERROR_MSG.invalidOption("SECURITY"), createPos(context));
    }
}

[starrocks-cr]

The most risky bug in this code is:
Improper handling of null return value from getBasicTable, which may lead to a NullPointerException.

You can modify the code like this:

public static void check(ConnectContext context, QueryStatement stmt, List<TableRef> tableRefs) {
    for (TableRef tableRef : tableRefs) {
        TableName tableName = tableRef.getName();
        Table table = viewAnalyzer.getOrAnalyze(context, tableName);

        if (table instanceof MetadataTable || table instanceof SystemTable) {
            Authorizer.checkTableAction(context.getCurrentUserIdentity(), context.getCurrentRoleIds(),
                    tableName, PrivilegeType.SELECT);
        } else {
            View view = (View) table;
            if (view.isSecurity()) {
                List<TableName> allTables = view.getTableRefs();
                for (TableName t : allTables) {
                    BasicTable basicTable = GlobalStateMgr.getCurrentState().getMetadataMgr().getBasicTable(
                            t.getCatalog(), t.getDb(), t.getTbl());

                    if (basicTable != null) { // Add null check
                        Authorizer.checkAnyActionOnTableLikeObject(context.getCurrentUserIdentity(),
                                null, t.getDb(), basicTable);
                    } else {
                        // Handle the case where basicTable is null, e.g., log an error or throw an exception.
                    }
                }
            }

            Authorizer.checkViewAction(context.getCurrentUserIdentity(), context.getCurrentRoleIds(),
                    tableName, PrivilegeType.SELECT);
        }
    }
}

[sonarqubecloud]

Quality Gate passed

Issues
14 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

[Java-Extensions Incremental Coverage Report]

✅ pass : 0 / 0 (0%)

[github-actions]

[FE Incremental Coverage Report]

❌ fail : 11 / 25 (44.00%)

file detail

	path	covered_line	new_line	coverage	not_covered_line_detail
🔵	com/starrocks/authorization/ColumnPrivilege.java	2	9	22.22%	[154, 155, 156, 157, 159, 160, 161]
🔵	com/starrocks/alter/AlterJobExecutor.java	1	3	33.33%	[211, 212]
🔵	com/starrocks/server/LocalMetastore.java	1	2	50.00%	[4247]
🔵	com/starrocks/sql/analyzer/ViewAnalyzer.java	1	2	50.00%	[84]
🔵	com/starrocks/catalog/View.java	2	4	50.00%	[143, 144]
🔵	com/starrocks/sql/ast/AlterViewStmt.java	2	3	66.67%	[47]
🔵	com/starrocks/sql/ast/CreateViewStmt.java	2	2	100.00%	[]

[github-actions]

[BE Incremental Coverage Report]

✅ pass : 0 / 0 (0%)