[enhance](auth)modify priv of refresh catalog/db/table (apache#39008)

change priv of refresh catalog/db/table to `PrivPredicate.SHOW`

fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java

@@ -67,9 +67,9 @@ public void analyze(Analyzer analyzer) throws UserException {
         }
 
         if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(
-                ConnectContext.get(), catalogName, PrivPredicate.ALTER)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED,
-                    analyzer.getQualifiedUser(), catalogName);
+                ConnectContext.get(), catalogName, PrivPredicate.SHOW)) {
+            ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), catalogName);
         }
 
         // Set to false only if user set the property "invalid_cache"="false"

fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java

@@ -87,14 +87,9 @@ public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
         }
         // check access
         if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), catalogName,
-                dbName, PrivPredicate.DROP)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
-                    ConnectContext.get().getQualifiedUser(), dbName);
-        }
-        if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), catalogName,
-                dbName, PrivPredicate.CREATE)) {
-            ErrorReport.reportAnalysisException(
-                    ErrorCode.ERR_DBACCESS_DENIED_ERROR, analyzer.getQualifiedUser(), dbName);
+                dbName, PrivPredicate.SHOW)) {
+            ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), dbName);
         }
         String invalidConfig = properties == null ? null : properties.get(INVALID_CACHE);
         // Default is to invalid cache.

fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java

@@ -60,14 +60,9 @@ public void analyze(Analyzer analyzer) throws UserException {
         // check access
         if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
                 tableName.getCtl(), tableName.getDb(),
-                tableName.getTbl(), PrivPredicate.DROP)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "DROP");
-        }
-
-        if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
-                tableName.getCtl(), tableName.getDb(),
-                tableName.getTbl(), PrivPredicate.CREATE)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "CREATE");
+                tableName.getTbl(), PrivPredicate.SHOW)) {
+            ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), tableName.getTbl());
         }
     }
 

fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java

@@ -75,6 +75,8 @@ public enum ErrorCode {
             + "(current value: %d)"),
     ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
             + "one of) the (%s) privilege(s) for this operation"),
+    ERR_CATALOG_ACCESS_DENIED_ERROR(1221, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
+            + "one of) the (%s) privilege(s) on catalog %s for this operation"),
     ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
             + "one of) the (%s) privilege(s) on database %s for this operation"),
 

fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java

@@ -120,23 +120,19 @@ public void testRefreshPriv() throws Exception {
         // create user1
         auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
                 "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
-        // grant only create_priv to user1 on test1.db1.tbl11
-        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
-                "grant create_priv on test1.db1.* to 'user1'@'%';", rootCtx);
-        auth.grant(grantStmt);
 
         // mock login user1
         UserIdentity user1 = new UserIdentity("user1", "%");
         user1.analyze();
         ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
         ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
-                "Access denied for user 'user1' to database 'db1'",
+                "Access denied",
                 () -> parseAndAnalyzeStmt("refresh database test1.db1", user1Ctx));
         ConnectContext.remove();
 
         // add drop priv to user1
         rootCtx.setThreadLocalInfo();
-        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
                 "grant drop_priv on test1.db1.* to 'user1'@'%';", rootCtx);
         auth.grant(grantStmt);
         ConnectContext.remove();

fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java

@@ -128,10 +128,6 @@ public void testRefreshPriv() throws Exception {
         // create user1
         auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
                 "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
-        // grant only create_priv to user1 on test1.db1.tbl11
-        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
-                "grant create_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx);
-        auth.grant(grantStmt);
 
         // mock login user1
         UserIdentity user1 = new UserIdentity("user1", "%");
@@ -144,7 +140,7 @@ public void testRefreshPriv() throws Exception {
 
         // add drop priv to user1
         rootCtx.setThreadLocalInfo();
-        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
                 "grant drop_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx);
         auth.grant(grantStmt);
         ConnectContext.remove();