[BugFix] Fix GRANT on ALL VIEWS/MVs failing for external catalogs

VijayShekhawat7 · Vijay Shekhawat · commit f4b556b724a3 · 2026-04-04T16:23:32.000+01:00
ViewPEntryObject and MaterializedViewPEntryObject resolved databases exclusively through the local (internal) metastore, causing "cannot find db" errors when granting on views or materialized views in external catalogs such as Iceberg. The analyzer also did not prepend the current catalog name for VIEW and MATERIALIZED_VIEW object types, unlike TABLE which already did. Mirror the catalog-aware resolution pattern from TablePEntryObject: - Accept 3-element token lists [catalog, db, object] - Resolve catalog ID via CatalogMgr - Use DbPEntryObject.getDatabaseUUID() which returns the DB name directly for external catalogs without local metastore lookup - Return view/MV name directly as UUID for external catalogs Add test cases for GRANT/REVOKE on ALL VIEWS, ALL MATERIALIZED VIEWS, and ALL TABLES in external catalog databases for regression coverage. Fixes #71211 Signed-off-by: Vijay Shekhawat <vijayshekhawat1995@gmail.com> Made-with: Cursor
diff --git a/fe/fe-core/src/main/java/com/starrocks/authorization/MaterializedViewPEntryObject.java b/fe/fe-core/src/main/java/com/starrocks/authorization/MaterializedViewPEntryObject.java
@@ -14,51 +14,81 @@
 
 package com.starrocks.authorization;
 
-import com.starrocks.catalog.Database;
+import com.starrocks.catalog.Catalog;
+import com.starrocks.catalog.InternalCatalog;
 import com.starrocks.catalog.Table;
+import com.starrocks.server.CatalogMgr;
 import com.starrocks.server.GlobalStateMgr;
 
 import java.util.List;
 import java.util.Objects;
 
 public class MaterializedViewPEntryObject extends TablePEntryObject {
 
+    protected MaterializedViewPEntryObject(long catalogId, String dbUUID, String tblUUID) {
+        super(catalogId, dbUUID, tblUUID);
+    }
+
     protected MaterializedViewPEntryObject(String dbUUID, String tblUUID) {
         super(dbUUID, tblUUID);
     }
 
     public static MaterializedViewPEntryObject generate(List<String> tokens)
             throws PrivilegeException {
-        if (tokens.size() != 2) {
-            throw new PrivilegeException("invalid object tokens, should have two: " + tokens);
+        String catalogName = null;
+        long catalogId;
+        if (tokens.size() == 3) {
+            if (tokens.get(0).equals("*")) {
+                return new MaterializedViewPEntryObject(PrivilegeBuiltinConstants.ALL_CATALOGS_ID,
+                        PrivilegeBuiltinConstants.ALL_DATABASES_UUID, PrivilegeBuiltinConstants.ALL_TABLES_UUID);
+            }
+            catalogName = tokens.get(0);
+            tokens = tokens.subList(1, tokens.size());
+        } else if (tokens.size() != 2) {
+            throw new PrivilegeException(
+                    "invalid object tokens, should have two or three elements, current: " + tokens);
         }
-        String dbUUID;
-        String tblUUID;
 
-        if (Objects.equals(tokens.get(0), "*")) {
-            dbUUID = PrivilegeBuiltinConstants.ALL_DATABASES_UUID;
-            tblUUID = PrivilegeBuiltinConstants.ALL_TABLES_UUID;
+        if (catalogName == null || CatalogMgr.isInternalCatalog(catalogName)) {
+            catalogName = InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME;
+            catalogId = InternalCatalog.DEFAULT_INTERNAL_CATALOG_ID;
         } else {
-            Database database = GlobalStateMgr.getCurrentState().getLocalMetastore().getDb(tokens.get(0));
-            if (database == null) {
-                throw new PrivObjNotFoundException("cannot find db: " + tokens.get(0));
+            Catalog catalog = GlobalStateMgr.getCurrentState().getCatalogMgr().getCatalogByName(catalogName);
+            if (catalog == null) {
+                throw new PrivObjNotFoundException("cannot find catalog: " + catalogName);
             }
-            dbUUID = database.getUUID();
+            catalogId = catalog.getId();
+        }
+
+        if (Objects.equals(tokens.get(0), "*")) {
+            return new MaterializedViewPEntryObject(
+                    catalogId,
+                    PrivilegeBuiltinConstants.ALL_DATABASES_UUID,
+                    PrivilegeBuiltinConstants.ALL_TABLES_UUID);
+        }
+
+        String dbUUID = DbPEntryObject.getDatabaseUUID(catalogName, tokens.get(0));
+        String tblUUID = getMaterializedViewUUID(catalogName, tokens.get(0), tokens.get(1));
+        return new MaterializedViewPEntryObject(catalogId, dbUUID, tblUUID);
+    }
+
+    private static String getMaterializedViewUUID(String catalogName, String dbToken, String mvToken)
+            throws PrivObjNotFoundException {
+        if (mvToken.equals("*")) {
+            return PrivilegeBuiltinConstants.ALL_TABLES_UUID;
+        }
 
-            if (Objects.equals(tokens.get(1), "*")) {
-                tblUUID = PrivilegeBuiltinConstants.ALL_TABLES_UUID;
-            } else {
-                Table table = GlobalStateMgr.getCurrentState().getLocalMetastore()
-                        .getTable(database.getFullName(), tokens.get(1));
-                if (table == null || !table.isMaterializedView()) {
-                    throw new PrivObjNotFoundException(
-                            "cannot find materialized view " + tokens.get(1) + " in db " + tokens.get(0));
-                }
-                tblUUID = table.getUUID();
+        if (CatalogMgr.isInternalCatalog(catalogName)) {
+            Table table = GlobalStateMgr.getCurrentState().getLocalMetastore()
+                    .getTable(dbToken, mvToken);
+            if (table == null || !table.isMaterializedView()) {
+                throw new PrivObjNotFoundException(
+                        "cannot find materialized view " + mvToken + " in db " + dbToken);
             }
+            return table.getUUID();
         }
 
-        return new MaterializedViewPEntryObject(dbUUID, tblUUID);
+        return mvToken;
     }
 
     @Override
@@ -68,6 +98,6 @@ public String toString() {
 
     @Override
     public MaterializedViewPEntryObject clone() {
-        return new MaterializedViewPEntryObject(this.databaseUUID, this.tableUUID);
+        return new MaterializedViewPEntryObject(getCatalogId(), this.databaseUUID, this.tableUUID);
     }
 }
diff --git a/fe/fe-core/src/main/java/com/starrocks/authorization/ViewPEntryObject.java b/fe/fe-core/src/main/java/com/starrocks/authorization/ViewPEntryObject.java
@@ -14,8 +14,10 @@
 
 package com.starrocks.authorization;
 
-import com.starrocks.catalog.Database;
+import com.starrocks.catalog.Catalog;
+import com.starrocks.catalog.InternalCatalog;
 import com.starrocks.catalog.Table;
+import com.starrocks.server.CatalogMgr;
 import com.starrocks.server.GlobalStateMgr;
 
 import java.util.List;
@@ -25,40 +27,68 @@
  * View is a subclass of table, only the table type is different
  */
 public class ViewPEntryObject extends TablePEntryObject {
+    protected ViewPEntryObject(long catalogId, String dbUUID, String tblUUID) {
+        super(catalogId, dbUUID, tblUUID);
+    }
+
     protected ViewPEntryObject(String dbUUID, String tblUUID) {
         super(dbUUID, tblUUID);
     }
 
     public static ViewPEntryObject generate(List<String> tokens) throws PrivilegeException {
-        if (tokens.size() != 2) {
-            throw new PrivilegeException("invalid object tokens, should have two: " + tokens);
+        String catalogName = null;
+        long catalogId;
+        if (tokens.size() == 3) {
+            if (tokens.get(0).equals("*")) {
+                return new ViewPEntryObject(PrivilegeBuiltinConstants.ALL_CATALOGS_ID,
+                        PrivilegeBuiltinConstants.ALL_DATABASES_UUID, PrivilegeBuiltinConstants.ALL_TABLES_UUID);
+            }
+            catalogName = tokens.get(0);
+            tokens = tokens.subList(1, tokens.size());
+        } else if (tokens.size() != 2) {
+            throw new PrivilegeException(
+                    "invalid object tokens, should have two or three elements, current: " + tokens);
         }
-        String dbUUID;
-        String tblUUID;
 
-        if (Objects.equals(tokens.get(0), "*")) {
-            dbUUID = PrivilegeBuiltinConstants.ALL_DATABASES_UUID;
-            tblUUID = PrivilegeBuiltinConstants.ALL_TABLES_UUID;
+        if (catalogName == null || CatalogMgr.isInternalCatalog(catalogName)) {
+            catalogName = InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME;
+            catalogId = InternalCatalog.DEFAULT_INTERNAL_CATALOG_ID;
         } else {
-            Database database = GlobalStateMgr.getCurrentState().getLocalMetastore().getDb(tokens.get(0));
-            if (database == null) {
-                throw new PrivObjNotFoundException("cannot find db: " + tokens.get(0));
+            Catalog catalog = GlobalStateMgr.getCurrentState().getCatalogMgr().getCatalogByName(catalogName);
+            if (catalog == null) {
+                throw new PrivObjNotFoundException("cannot find catalog: " + catalogName);
             }
-            dbUUID = database.getUUID();
+            catalogId = catalog.getId();
+        }
+
+        if (Objects.equals(tokens.get(0), "*")) {
+            return new ViewPEntryObject(
+                    catalogId,
+                    PrivilegeBuiltinConstants.ALL_DATABASES_UUID,
+                    PrivilegeBuiltinConstants.ALL_TABLES_UUID);
+        }
+
+        String dbUUID = DbPEntryObject.getDatabaseUUID(catalogName, tokens.get(0));
+        String tblUUID = getViewUUID(catalogName, tokens.get(0), tokens.get(1));
+        return new ViewPEntryObject(catalogId, dbUUID, tblUUID);
+    }
+
+    private static String getViewUUID(String catalogName, String dbToken, String viewToken)
+            throws PrivObjNotFoundException {
+        if (viewToken.equals("*")) {
+            return PrivilegeBuiltinConstants.ALL_TABLES_UUID;
+        }
 
-            if (Objects.equals(tokens.get(1), "*")) {
-                tblUUID = PrivilegeBuiltinConstants.ALL_TABLES_UUID;
-            } else {
-                Table table = GlobalStateMgr.getCurrentState().getLocalMetastore()
-                        .getTable(database.getFullName(), tokens.get(1));
-                if (table == null || !table.isOlapView()) {
-                    throw new PrivObjNotFoundException("cannot find view " + tokens.get(1) + " in db " + tokens.get(0));
-                }
-                tblUUID = table.getUUID();
+        if (CatalogMgr.isInternalCatalog(catalogName)) {
+            Table table = GlobalStateMgr.getCurrentState().getLocalMetastore()
+                    .getTable(dbToken, viewToken);
+            if (table == null || !table.isOlapView()) {
+                throw new PrivObjNotFoundException("cannot find view " + viewToken + " in db " + dbToken);
             }
+            return table.getUUID();
         }
 
-        return new ViewPEntryObject(dbUUID, tblUUID);
+        return viewToken;
     }
 
     @Override
@@ -68,6 +98,6 @@ public String toString() {
 
     @Override
     public ViewPEntryObject clone() {
-        return new ViewPEntryObject(this.databaseUUID, this.tableUUID);
+        return new ViewPEntryObject(getCatalogId(), this.databaseUUID, this.tableUUID);
     }
 }
diff --git a/fe/fe-core/src/main/java/com/starrocks/sql/analyzer/AuthorizationAnalyzer.java b/fe/fe-core/src/main/java/com/starrocks/sql/analyzer/AuthorizationAnalyzer.java
@@ -300,8 +300,13 @@ public List<List<String>> analyzeTokens(BaseGrantRevokePrivilegeStmt stmt, Objec
                     }
                     objectTokenList.add(Lists.newArrayList(session.getCurrentCatalog(), tokens.get(0), tokens.get(1)));
                 } else if (ObjectType.VIEW.equals(objectType)
-                        || ObjectType.MATERIALIZED_VIEW.equals(objectType)
-                        || ObjectType.PIPE.equals(objectType)) {
+                        || ObjectType.MATERIALIZED_VIEW.equals(objectType)) {
+                    if (tokens.size() != 2) {
+                        throw new SemanticException(
+                                "Invalid grant statement with error privilege object " + tokens);
+                    }
+                    objectTokenList.add(Lists.newArrayList(session.getCurrentCatalog(), tokens.get(0), tokens.get(1)));
+                } else if (ObjectType.PIPE.equals(objectType)) {
                     if (tokens.size() != 2) {
                         throw new SemanticException(
                                 "Invalid grant statement with error privilege object " + tokens);
@@ -352,8 +357,11 @@ public List<List<String>> analyzeTokens(BaseGrantRevokePrivilegeStmt stmt, Objec
 
                     for (List<String> tokens : stmt.getPrivilegeObjectNameTokensList()) {
                         TableName tableName;
-                        if (tokens.size() == 2) {
+                        if (tokens.size() == 3) {
+                            tableName = new TableName(tokens.get(0), tokens.get(1), tokens.get(2));
+                        } else if (tokens.size() == 2) {
                             tableName = new TableName(tokens.get(0), tokens.get(1));
+                            tableName.normalization(session);
                         } else if (tokens.size() == 1) {
                             tableName = new TableName("", tokens.get(0));
                             tableName.normalization(session);
@@ -362,7 +370,8 @@ public List<List<String>> analyzeTokens(BaseGrantRevokePrivilegeStmt stmt, Objec
                                     "Invalid grant statement with error privilege object " + tokens);
                         }
 
-                        objectTokenList.add(Lists.newArrayList(tableName.getDb(), tableName.getTbl()));
+                        objectTokenList.add(Lists.newArrayList(
+                                tableName.getCatalog(), tableName.getDb(), tableName.getTbl()));
                     }
                 } else if (ObjectType.PIPE.equals(objectType)) {
                     Preconditions.checkArgument(stmt.getPrivilegeObjectNameTokensList() != null);
diff --git a/fe/fe-core/src/test/java/com/starrocks/sql/analyzer/PrivilegeStmtAnalyzerV2Test.java b/fe/fe-core/src/test/java/com/starrocks/sql/analyzer/PrivilegeStmtAnalyzerV2Test.java
@@ -35,6 +35,7 @@
 import com.starrocks.sql.ast.SetRoleType;
 import com.starrocks.sql.ast.StatementBase;
 import com.starrocks.sql.ast.UserRef;
+import com.starrocks.sql.plan.ConnectorPlanTestBase;
 import com.starrocks.utframe.StarRocksAssert;
 import com.starrocks.utframe.UtFrameUtils;
 import org.junit.jupiter.api.AfterAll;
@@ -72,6 +73,7 @@ public static void setUp() throws Exception {
         CreateUserStmt createUserStmt = (CreateUserStmt) UtFrameUtils.parseStmtWithNewParser(
                 "create user test_user", ctx);
         ctx.getGlobalStateMgr().getAuthenticationMgr().createUser(createUserStmt);
+        ConnectorPlanTestBase.mockHiveCatalog(ctx);
     }
 
     @AfterAll
@@ -829,4 +831,64 @@ public void testErrorParam() {
                 "Invalid grant statement with error privilege object");
 
     }
+
+    @Test
+    public void testGrantAllViewsInExternalCatalogDatabase() throws Exception {
+        String previousCatalog = ctx.getCurrentCatalog();
+        try {
+            ctx.setCurrentCatalog("hive0");
+
+            String sql = "grant select on ALL views in database tpch to test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+
+            sql = "revoke select on ALL views in database tpch from test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+
+            sql = "grant select on ALL views in all databases to test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+
+            sql = "revoke select on ALL views in all databases from test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+        } finally {
+            ctx.setCurrentCatalog(previousCatalog);
+        }
+    }
+
+    @Test
+    public void testGrantAllMaterializedViewsInExternalCatalogDatabase() throws Exception {
+        String previousCatalog = ctx.getCurrentCatalog();
+        try {
+            ctx.setCurrentCatalog("hive0");
+
+            String sql = "grant select on ALL materialized views in database tpch to test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+
+            sql = "revoke select on ALL materialized views in database tpch from test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+
+            sql = "grant select on ALL materialized views in all databases to test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+
+            sql = "revoke select on ALL materialized views in all databases from test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+        } finally {
+            ctx.setCurrentCatalog(previousCatalog);
+        }
+    }
+
+    @Test
+    public void testGrantAllTablesInExternalCatalogDatabase() throws Exception {
+        String previousCatalog = ctx.getCurrentCatalog();
+        try {
+            ctx.setCurrentCatalog("hive0");
+
+            String sql = "grant select on ALL tables in database tpch to test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+
+            sql = "revoke select on ALL tables in database tpch from test_user";
+            Assertions.assertNotNull(UtFrameUtils.parseStmtWithNewParser(sql, ctx));
+        } finally {
+            ctx.setCurrentCatalog(previousCatalog);
+        }
+    }
 }
