[fix](auth) Fix test failures in CTE privilege check tests

seawinde · Copilot · seawinde · commit 2a7e7f71bd9a · 2026-04-13T15:48:04.000+08:00
### What problem does this PR solve? Issue Number: N/A Related PR: apache#62339 Problem Summary: Fix two test failures introduced in the CTE privilege bypass fix: 1. **test_cte_privilege_check.groovy**: The regression test user lacked database-level access to `regression_test`, causing `connect()` to fail before any CTE query was executed. Added `grant select_priv on regression_test` to the test setup. 2. **TestCheckPrivileges.testCtePrivilegeCheck**: The new test method called `useUser("test_cte_privilege_user")` on the shared `connectContext` but never restored it. When `testPrivilegesAndPolicies` ran afterward, the unprivileged user caused `createCatalog` to throw `AnalysisException` instead of the expected `DdlException`. Wrapped the test body in try-finally to restore root user. ### Release note None ### Check List (For Author) - Test: Unit Test / Regression test fix - Behavior changed: No - Does this need documentation: No Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java
@@ -254,43 +254,47 @@ public void testCtePrivilegeCheck() throws Exception {
         addUser(user, true);
         useUser(user);
 
-        List<MakeTablePrivileges> privileges = ImmutableList.of(
-                MakePrivileges.table("internal", cteDb, "allowed_tbl").allowSelectTable(user)
-        );
-
-        AccessControllerManager accessManager = Env.getCurrentEnv().getAccessManager();
-        CatalogAccessController catalogAccessController = accessManager.getAccessControllerOrDefault(catalog);
-        new Expectations(accessManager) {
-            {
-                accessManager.getAccessControllerOrDefault("internal");
-                minTimes = 0;
-                result = catalogAccessController;
-            }
-        };
-
-        withPrivileges(privileges, () -> {
-            // CTE with authorized table should succeed
-            query("with cte as (select * from allowed_tbl) select * from cte");
-
-            // CTE with unauthorized table should fail (this was the bug:
-            // consumer was checked first, setting privChecked=true on shared StatementContext,
-            // so producer's CheckPrivileges was skipped)
-            Assertions.assertThrows(AnalysisException.class, () ->
-                    query("with cte as (select * from denied_tbl) select * from cte")
-            );
-
-            // CTE referenced twice forces no-inline path through RewriteCteChildren
-            Assertions.assertThrows(AnalysisException.class, () ->
-                    query("with cte as (select * from denied_tbl) "
-                            + "select * from cte union all select * from cte")
+        try {
+            List<MakeTablePrivileges> privileges = ImmutableList.of(
+                    MakePrivileges.table("internal", cteDb, "allowed_tbl").allowSelectTable(user)
             );
 
-            // CTE authorized + direct unauthorized table should fail
-            Assertions.assertThrows(AnalysisException.class, () ->
-                    query("with cte as (select * from allowed_tbl) "
-                            + "select * from cte union all select * from denied_tbl")
-            );
-        });
+            AccessControllerManager accessManager = Env.getCurrentEnv().getAccessManager();
+            CatalogAccessController catalogAccessController = accessManager.getAccessControllerOrDefault(catalog);
+            new Expectations(accessManager) {
+                {
+                    accessManager.getAccessControllerOrDefault("internal");
+                    minTimes = 0;
+                    result = catalogAccessController;
+                }
+            };
+
+            withPrivileges(privileges, () -> {
+                // CTE with authorized table should succeed
+                query("with cte as (select * from allowed_tbl) select * from cte");
+
+                // CTE with unauthorized table should fail (this was the bug:
+                // consumer was checked first, setting privChecked=true on shared StatementContext,
+                // so producer's CheckPrivileges was skipped)
+                Assertions.assertThrows(AnalysisException.class, () ->
+                        query("with cte as (select * from denied_tbl) select * from cte")
+                );
+
+                // CTE referenced twice forces no-inline path through RewriteCteChildren
+                Assertions.assertThrows(AnalysisException.class, () ->
+                        query("with cte as (select * from denied_tbl) "
+                                + "select * from cte union all select * from cte")
+                );
+
+                // CTE authorized + direct unauthorized table should fail
+                Assertions.assertThrows(AnalysisException.class, () ->
+                        query("with cte as (select * from allowed_tbl) "
+                                + "select * from cte union all select * from denied_tbl")
+                );
+            });
+        } finally {
+            useUser("root");
+        }
     }
 
     private void query(String sql) {
diff --git a/regression-test/suites/auth_p0/test_cte_privilege_check.groovy b/regression-test/suites/auth_p0/test_cte_privilege_check.groovy
@@ -69,6 +69,7 @@ suite("test_cte_privilege_check","p0,auth") {
     sql """insert into ${dbName}.${tableName2} values (3, 'charlie'), (4, 'dave')"""
 
     // Grant select only on tableName1, NOT on tableName2
+    sql """grant select_priv on regression_test to ${user}"""
     sql """grant select_priv on ${dbName}.${tableName1} to ${user}"""
 
     // Case 1: CTE references unauthorized table -> should fail
