Skip to content

[fix](fe) Cascade revoke privileges when dropping resources#63632

Open
heguanhui wants to merge 1 commit into
apache:masterfrom
heguanhui:fix/drop-cascade-revoke-privs
Open

[fix](fe) Cascade revoke privileges when dropping resources#63632
heguanhui wants to merge 1 commit into
apache:masterfrom
heguanhui:fix/drop-cascade-revoke-privs

Conversation

@heguanhui
Copy link
Copy Markdown
Contributor

@heguanhui heguanhui commented May 25, 2026

What problem does this PR solve?

Issue Number: close #xxx

Problem Summary: When a resource (database, table, resource, workload group, or catalog) is dropped, the corresponding privilege entries in roles are not cleaned up. This causes SHOW GRANTS to display orphan privileges that reference non-existent resources. These orphan entries persist across FE restarts because the original GRANT records are replayed from BDB edit logs without any corresponding cleanup.

Release note

Fix orphan privilege entries displayed by SHOW GRANTS after dropping databases, tables, resources, workload groups, or catalogs. Privileges referencing dropped resources are now cascade-revoked automatically.

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason

  • Behavior changed:

    • No.
    • Yes. Dropping a database/table/resource/workload group/catalog now cascade-revokes all privilege entries referencing that resource across all roles.

  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 25, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

[fix](fe) Cascade revoke privileges when dropping resources
ad9b2b2 
### What problem does this PR solve?

Issue Number: close #xxx

Problem Summary: When a resource (database, table, resource, workload group, or catalog) is dropped, the corresponding privilege entries in roles are not removed. This causes SHOW GRANTS to display orphan privileges referencing non-existent resources.

### Release note

Fixed an issue where dropping a database, table, resource, workload group, or catalog did not cascade-revoke the corresponding privileges from roles, causing SHOW GRANTS to display orphan privilege entries for non-existent resources.

### Check List (For Author)

- Test: Regression test
    - Regression test / Unit Test / Manual test / No need to test (with reason)
- Behavior changed: No / Yes (SHOW GRANTS no longer shows orphan privileges for dropped resources)
- Does this need documentation: No
@heguanhui heguanhui force-pushed the fix/drop-cascade-revoke-privs branch from ab991c4 to ad9b2b2 Compare May 25, 2026 15:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dataroaring dataroaring Awaiting requested review from dataroaring dataroaring is a code owner

@CalvinKirs CalvinKirs Awaiting requested review from CalvinKirs CalvinKirs is a code owner

@morningman morningman Awaiting requested review from morningman morningman is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@heguanhui @hello-stephen