[fix](auth)Fix use encryptkey should check auth (apache#41791)

check PrivPredicate.SHOW of db

fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java

@@ -20,7 +20,10 @@
 import org.apache.doris.catalog.EncryptKey;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.cluster.ClusterNamespace;
+import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.util.DebugUtil;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.nereids.exceptions.AnalysisException;
 import org.apache.doris.nereids.rules.expression.AbstractExpressionRewriteRule;
 import org.apache.doris.nereids.rules.expression.ExpressionListenerMatcher;
@@ -226,6 +229,13 @@ public Expression visitEncryptKeyRef(EncryptKeyRef encryptKeyRef, ExpressionRewr
         if ("".equals(dbName)) {
             throw new AnalysisException("DB " + dbName + "not found");
         }
+        if (!Env.getCurrentEnv().getAccessManager()
+                .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
+                        dbName, PrivPredicate.SHOW)) {
+            String message = ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg(
+                    PrivPredicate.SHOW.getPrivs().toString(), dbName);
+            throw new AnalysisException(message);
+        }
         org.apache.doris.catalog.Database database =
                 Env.getCurrentEnv().getInternalCatalog().getDbNullable(dbName);
         if (database == null) {

regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy

@@ -0,0 +1,55 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_use_encryptkey_auth","p0,auth") {
+    String suiteName = "test_version_info_mtmv"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String user = "${suiteName}_user"
+    String key = "${suiteName}_key"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    try_sql("DROP ENCRYPTKEY ${key}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """grant select_priv on regression_test to ${user}"""
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+    sql """CREATE ENCRYPTKEY ${key} AS 'ABCD123456789'"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        test {
+              sql """
+                  SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
+              """
+              exception "denied"
+          }
+    }
+    sql """grant select_priv on ${dbName} to ${user}"""
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+          sql """
+              SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
+          """
+    }
+    try_sql("DROP USER ${user}")
+    try_sql("DROP ENCRYPTKEY ${key}")
+}