ADD: support sql block rule

docs/.vuepress/sidebar/en.js

@@ -182,6 +182,14 @@ module.exports = [
         ],
         sidebarDepth: 1,
       },
+      {
+        title: "Block Rule",
+        directoryPath: "block-rule/",
+        children: [
+          "sql-block",
+        ],
+        sidebarDepth: 1,
+      },
       "backup-restore",
       "broker",
       "colocation-join",

docs/.vuepress/sidebar/zh-CN.js

@@ -181,6 +181,14 @@ module.exports = [
         ],
         sidebarDepth: 1,
       },
+      {
+        title: "拦截规则",
+        directoryPath: "block-rule/",
+        children: [
+          "sql-block",
+        ],
+        sidebarDepth: 1,
+      },
       "backup-restore",
       "broker",
       "colocation-join",

docs/en/administrator-guide/block-rule/sql-block.md

@@ -0,0 +1,59 @@
+---
+{
+"title": "SQL Block Rule",
+"language": "en"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# SQL Block Rule
+
+Support SQL block rule by user level, by regex way to deny specify SQL
+
+## Rule
+
+SQL block rule CRUD
+- create SQL block rule
+    - sql：Regex pattern，Special characters need to be translated
+    - sqlHash: Sql hash value, Used to match exactly, We print it in fe.audit.log
+    - global: Whether global(all users)is in effect, false by default
+    - enable：Whether to enable block rule，true by default
+```
+CREATE SQL_BLOCK_RULE test_rule PROPERTIES("sql"="select \\* from test_table","sqlHash":null,"global"="false","enable"="true")
+```
+- show configured SQL block rules, or show all rules if you do not specify a rule name
+```
+SHOW SQL_BLOCK_RULE [FOR RULE_NAME]
+```
+- alter SQL block rule，Allows changes sql/global/enable anyone
+```
+ALTER SQL_BLOCK_RULE test_rule PROPERTIES("sql"="select \\* from test_table","enable"="true")
+```
+- drop SQL block rule，Support multiple rules, separated by `,`
+```
+DROP SQL_BLOCK_RULE test_rule1,test_rule2
+```
+
+## User bind rules
+If global=false is configured, the rules binding for the specified user needs to be configured, with multiple rules separated by ', '
+```
+SET PROPERTY [FOR 'jack'] 'sql_block_rules' = 'test_rule1,test_rule2'
+```

docs/zh-CN/administrator-guide/block-rule/sql-block.md

@@ -0,0 +1,59 @@
+---
+{
+"title": "SQL黑名单",
+"language": "zh-CN"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# SQL黑名单
+
+支持按用户配置SQL黑名单，通过正则匹配的方式拒绝指定SQL
+
+## 规则
+
+对SQL规则增删改查
+- 创建SQL阻止规则
+    - sql：匹配规则(基于正则匹配,特殊字符需要转译)，可选
+    - sqlHash: sql hash值，用于完全匹配，我们会在`fe.audit.log`打印这个值，可选
+    - global：是否全局(所有用户)生效，默认为false  
+    - enable：是否开启阻止规则，默认为true
+```
+CREATE SQL_BLOCK_RULE test_rule PROPERTIES("sql"="select \\* from test_table","sqlHash":null,"enable"="true")
+```
+- 查看已配置的SQL阻止规则，不指定规则名则为查看所有规则
+```
+SHOW SQL_BLOCK_RULE [FOR RULE_NAME]
+```
+- 修改SQL阻止规则，允许对sql/global/enable等每一项进行修改
+```
+ALTER SQL_BLOCK_RULE test_rule PROPERTIES("sql"="select \\* from test_table","enable"="true")
+```
+- 删除SQL阻止规则，支持多规则，以`,`隔开
+```
+DROP SQL_BLOCK_RULE test_rule1,test_rule2
+```
+
+## 用户规则绑定
+如果配置global=false，则需要配置指定用户的规则绑定，多个规则使用`,`分隔
+```
+SET PROPERTY [FOR 'jack'] 'sql_block_rules' = 'test_rule1,test_rule2'
+```

fe/fe-core/src/main/cup/sql_parser.cup

@@ -270,7 +270,7 @@ terminal String KW_ADD, KW_ADMIN, KW_AFTER, KW_AGGREGATE, KW_ALIAS, KW_ALL, KW_A
     KW_UNCOMMITTED, KW_UNBOUNDED, KW_UNION, KW_UNIQUE, KW_UNSIGNED, KW_USE, KW_USER, KW_USING, KW_UNINSTALL,
     KW_VALUE, KW_VALUES, KW_VARCHAR, KW_VARIABLES, KW_VERBOSE, KW_VIEW,
     KW_WARNINGS, KW_WEEK, KW_WHEN, KW_WHITELIST, KW_WHERE, KW_WITH, KW_WORK, KW_WRITE,
-    KW_YEAR;
+    KW_YEAR, KW_SQL_BLOCK_RULE;
 
 terminal COMMA, COLON, DOT, DOTDOTDOT, AT, STAR, LPAREN, RPAREN, SEMICOLON, LBRACKET, RBRACKET, DIVIDE, MOD, ADD, SUBTRACT;
 terminal BITAND, BITOR, BITXOR, BITNOT;
@@ -827,6 +827,11 @@ alter_stmt ::=
     {:
         RESULT = new AlterRoutineLoadStmt(jobLabel, jobProperties, datasourceProperties);
     :}
+    | KW_ALTER KW_SQL_BLOCK_RULE ident:ruleName
+    opt_properties:properties
+    {:
+        RESULT = new AlterSqlBlockRuleStmt(ruleName, properties);
+    :}
     ;
 
 opt_datasource_properties ::=
@@ -1254,6 +1259,11 @@ create_stmt ::=
     {:
         RESULT = new CreateDataSyncJobStmt(jobName, db, channelDescList, binlog, properties);
     :}
+    /* sql_block_rule */
+    | KW_CREATE KW_SQL_BLOCK_RULE ident:ruleName opt_properties:properties
+    {:
+        RESULT = new CreateSqlBlockRuleStmt(ruleName, properties);
+    :}
     ;
 
 channel_desc_list ::=
@@ -1955,6 +1965,10 @@ drop_stmt ::=
     {:
         RESULT = new DropEncryptKeyStmt(keyName);
     :}
+    | KW_DROP KW_SQL_BLOCK_RULE ident_list:ruleNames
+    {:
+        RESULT = new DropSqlBlockRuleStmt(ruleNames);
+    :}
     ;
 
 // Recover statement
@@ -2422,6 +2436,14 @@ show_stmt ::=
     {:
         RESULT = stmt;
     :}
+    | KW_SHOW KW_SQL_BLOCK_RULE KW_FOR ident:ruleName
+    {:
+        RESULT = new ShowSqlBlockRuleStmt(ruleName);
+    :}
+    | KW_SHOW KW_SQL_BLOCK_RULE
+    {:
+        RESULT = new ShowSqlBlockRuleStmt(null);
+    :}
     ;
 
 show_param ::=

fe/fe-core/src/main/java/org/apache/doris/analysis/AlterSqlBlockRuleStmt.java

@@ -0,0 +1,104 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.analysis;
+
+import org.apache.doris.catalog.Catalog;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.common.UserException;
+import org.apache.doris.common.util.PrintableMap;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Map;
+
+public class AlterSqlBlockRuleStmt extends DdlStmt {
+
+    private final String ruleName;
+
+    private String sql;
+
+    private String sqlHash;
+
+    private Boolean global;
+
+    private Boolean enable;
+
+    private final Map<String, String> properties;
+
+    public AlterSqlBlockRuleStmt(String ruleName, Map<String, String> properties) {
+        this.ruleName = ruleName;
+        this.properties = properties;
+    }
+
+    @Override
+    public void analyze(Analyzer analyzer) throws UserException {
+        super.analyze(analyzer);
+        // check auth
+        if (!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
+            ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN");
+        }
+        // check properties
+        CreateSqlBlockRuleStmt.checkCommonProperties(properties);
+        setProperties(properties);
+    }
+
+    private void setProperties(Map<String, String> properties) {
+        this.sql = properties.get(CreateSqlBlockRuleStmt.SQL_PROPERTY);
+        this.sqlHash = properties.get(CreateSqlBlockRuleStmt.SQL_HASH_PROPERTY);
+        // allow null, represents no modification
+        String globalStr = properties.get(CreateSqlBlockRuleStmt.GLOBAL_PROPERTY);
+        this.global = StringUtils.isNotEmpty(globalStr) ? Boolean.parseBoolean(globalStr) : null;
+        String enableStr = properties.get(CreateSqlBlockRuleStmt.ENABLE_PROPERTY);
+        this.enable = StringUtils.isNotEmpty(enableStr) ? Boolean.parseBoolean(enableStr) : null;
+    }
+
+    public String getRuleName() {
+        return ruleName;
+    }
+
+    public String getSql() {
+        return sql;
+    }
+
+    public Boolean getGlobal() {
+        return global;
+    }
+
+    public Boolean getEnable() {
+        return enable;
+    }
+
+    public String getSqlHash() {
+        return sqlHash;
+    }
+
+    @Override
+    public String toSql() {
+        // ALTER SQL_BLOCK_RULE test_rule PROPERTIES("sql"="select \\* from test_table","enable"="true")
+        StringBuilder sb = new StringBuilder();
+        sb.append("ALTER SQL_BLOCK_RULE ")
+                .append(ruleName)
+                .append(" \nPROPERTIES(\n")
+                .append(new PrintableMap<>(properties, " = ", true, true, true))
+                .append(")");
+        return sb.toString();
+    }
+}