Changeset: 223e7375debd for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB/rev/223e7375debd
Branch: strimps-updates
Log Message:
Merge with default
diffs (truncated from 315 to 300 lines):
diff --git a/sql/server/rel_distribute.c b/sql/server/rel_distribute.c
--- a/sql/server/rel_distribute.c
+++ b/sql/server/rel_distribute.c
@@ -69,10 +69,6 @@ rewrite_replica(mvc *sql, list *exps, sq
{
node *n, *m;
sql_rel *r = rel_basetable(sql, p, t->base.name);
- int allowed = 1;
-
- if (!table_privs(sql, p, PRIV_SELECT)) /* Test for privileges */
- allowed = 0;
for (n = exps->h; n; n = n->next) {
sql_exp *e = n->data;
@@ -81,10 +77,6 @@ rewrite_replica(mvc *sql, list *exps, sq
node *nn = ol_find_name(t->columns, nname);
if (nn) {
sql_column *c = nn->data;
-
- if (!allowed && !column_privs(sql, ol_fetch(p->columns,
c->colnr), PRIV_SELECT))
- return sql_error(sql, 02, SQLSTATE(42000) "The
user %s SELECT permissions on table '%s.%s' don't match %s '%s.%s'",
get_string_global_var(sql, "current_user"),
-
p->s->base.name, p->base.name, TABLE_TYPE_DESCRIPTION(t->type, t->properties),
t->s->base.name, t->base.name);
rel_base_use(sql, r, c->colnr);
} else if (strcmp(nname, TID) == 0) {
rel_base_use_tid(sql, r);
diff --git a/sql/server/rel_optimizer.c b/sql/server/rel_optimizer.c
--- a/sql/server/rel_optimizer.c
+++ b/sql/server/rel_optimizer.c
@@ -84,7 +84,7 @@ merge_table_prune_and_unionize(visitor *
sql_part *pd = nt->data;
sql_table *pt = find_sql_table_id(v->sql->session->tr, mt->s,
pd->member);
sqlstore *store = v->sql->session->tr->store;
- int skip = 0, allowed = 1;
+ int skip = 0;
/* At the moment we throw an error in the optimizer, but later
this rewriter should move out from the optimizers */
if ((isMergeTable(pt) || isReplicaTable(pt)) &&
list_empty(pt->members))
@@ -94,9 +94,6 @@ merge_table_prune_and_unionize(visitor *
if (isTable(pt) && pt->access == TABLE_READONLY &&
!store->storage_api.count_col(v->sql->session->tr,
ol_first_node(pt->columns)->data, 10)) /* count active rows only */
continue;
- if (!table_privs(v->sql, pt, PRIV_SELECT)) /* Test for
privileges */
- allowed = 0;
-
for (node *n = mt_rel->exps->h; n && !skip; n = n->next) { /*
for each column of the child table */
sql_exp *e = n->data;
int i = 0;
@@ -112,9 +109,7 @@ merge_table_prune_and_unionize(visitor *
mt_col = ol_find_name(mt->columns, exp_name(e))->data;
col = ol_fetch(pt->columns, mt_col->colnr);
assert(e && e->type == e_column && col);
- if (!allowed && !column_privs(v->sql, col, PRIV_SELECT))
- return sql_error(v->sql, 02, SQLSTATE(42000)
"The user %s SELECT permissions on table '%s.%s' don't match %s '%s.%s'",
get_string_global_var(v->sql, "current_user"),
-
pt->s->base.name, pt->base.name, TABLE_TYPE_DESCRIPTION(mt->type,
mt->properties), mt->s->base.name, mt->base.name);
+
if (isTable(pt) && info && !list_empty(info->cols) &&
ATOMlinear(exp_subtype(e)->type->localtype)) {
for (node *nn = info->cols->h ; nn && !skip; nn
= nn->next) { /* test if it passes all predicates around it */
if (nn->data == e) {
diff --git a/sql/server/rel_select.c b/sql/server/rel_select.c
--- a/sql/server/rel_select.c
+++ b/sql/server/rel_select.c
@@ -1068,7 +1068,7 @@ table_ref(sql_query *query, symbol *tabl
if (sql->emode != m_deps) {
assert(is_project(rel->op));
set_processed(rel);
- if ((is_simple_project(rel->op) ||
is_groupby(rel->op)) && !list_empty(rel->r)) {
+ if ((is_set(rel->op) ||
is_simple_project(rel->op) || is_groupby(rel->op)) && !list_empty(rel->r)) {
/* it's unsafe to set the projection
names because of possible dependent sorting/grouping columns */
rel = rel_project(sql->sa, rel,
rel_projections(sql, rel, NULL, 1, 0));
set_processed(rel);
diff --git a/sql/test/mergetables/Tests/All b/sql/test/mergetables/Tests/All
--- a/sql/test/mergetables/Tests/All
+++ b/sql/test/mergetables/Tests/All
@@ -38,3 +38,6 @@ merge-tables-limitations
mergetable00
mergetable01
+
+mergetable-perms-base
+mergetable-select-perms
diff --git a/sql/test/mergetables/Tests/mergetable-perms-base.test
b/sql/test/mergetables/Tests/mergetable-perms-base.test
new file mode 100644
--- /dev/null
+++ b/sql/test/mergetables/Tests/mergetable-perms-base.test
@@ -0,0 +1,33 @@
+statement ok
+create table part1 (n int, m text)
+
+statement ok
+insert into part1 values (1, 'alice')
+
+statement ok
+create table part2 (n int, m text)
+
+statement ok
+insert into part2 values (2, 'bob')
+
+-- allparts for perms on table
+
+statement ok
+create merge table allparts (n int, m text)
+
+statement ok
+alter table allparts add table part1
+
+statement ok
+alter table allparts add table part2
+
+-- allparts_2 for perms on columns
+
+statement ok
+create merge table allparts_2 (n int, m text)
+
+statement ok
+alter table allparts_2 add table part1
+
+statement ok
+alter table allparts_2 add table part2
diff --git a/sql/test/mergetables/Tests/mergetable-select-perms.reqtests
b/sql/test/mergetables/Tests/mergetable-select-perms.reqtests
new file mode 100644
--- /dev/null
+++ b/sql/test/mergetables/Tests/mergetable-select-perms.reqtests
@@ -0,0 +1,1 @@
+mergetable-perms-base
diff --git a/sql/test/mergetables/Tests/mergetable-select-perms.test
b/sql/test/mergetables/Tests/mergetable-select-perms.test
new file mode 100644
--- /dev/null
+++ b/sql/test/mergetables/Tests/mergetable-select-perms.test
@@ -0,0 +1,96 @@
+-- select * through individual user perms
+
+statement ok
+create user kate with password '123kate' name 'Kate' schema sys
+
+@connection(id=tc, username=kate, password=123kate)
+statement error 42000!SELECT: access denied for kate to table 'sys.allparts'
+select * from allparts
+
+statement ok
+grant select on allparts to kate
+
+@connection(id=tc, username=kate, password=123kate)
+query IT rowsort
+select * from allparts
+----
+1
+alice
+2
+bob
+
+-- select (cols) through individual user perms
+
+@connection(id=tc, username=kate, password=123kate)
+statement error 42000!SELECT: access denied for kate to table 'sys.allparts_2'
+select n from allparts_2
+
+statement ok
+grant select (n) on allparts_2 to kate
+
+@connection(id=tc, username=kate, password=123kate)
+query I rowsort
+select * from allparts_2
+----
+1
+2
+
+@connection(id=tc, username=kate, password=123kate)
+query I rowsort
+select n from allparts_2
+----
+1
+2
+
+@connection(id=tc, username=kate, password=123kate)
+statement error SELECT: identifier 'm' unknown
+select m from allparts_2
+
+-- select * through role
+
+statement ok
+create role reader
+
+statement ok
+grant select on allparts to reader
+
+statement ok
+create user tom with password '123tom' name 'Tom' schema sys
+
+statement ok
+alter user tom default role reader
+
+@connection(id=tc2, username=tom, password=123tom)
+query IT rowsort
+select * from allparts
+----
+1
+alice
+2
+bob
+
+-- select (cols) through role
+
+statement ok
+grant select (n) on allparts_2 to reader
+
+statement ok
+alter user tom default role reader
+
+@connection(id=tc2, username=tom, password=123tom)
+query I rowsort
+select * from allparts_2
+----
+1
+2
+
+@connection(id=tc2, username=tom, password=123tom)
+query I rowsort
+select n from allparts_2
+----
+1
+2
+
+@connection(id=tc2, username=tom, password=123tom)
+statement error SELECT: identifier 'm' unknown
+select m from allparts_2
diff --git a/sql/test/replica/Tests/All b/sql/test/replica/Tests/All
new file mode 100644
--- /dev/null
+++ b/sql/test/replica/Tests/All
@@ -0,0 +1,1 @@
+replica-perms
diff --git a/sql/test/replica/Tests/replica-perms.py
b/sql/test/replica/Tests/replica-perms.py
new file mode 100644
--- /dev/null
+++ b/sql/test/replica/Tests/replica-perms.py
@@ -0,0 +1,79 @@
+import os, sys, tempfile, pymonetdb
+
+try:
+ from MonetDBtesting import process
+except ImportError:
+ import process
+
+with tempfile.TemporaryDirectory() as farm_dir:
+ os.mkdir(os.path.join(farm_dir, 'node1'))
+ os.mkdir(os.path.join(farm_dir, 'node2'))
+
+ # node1 is the worker
+ with process.server(mapiport='0', dbname='node1',
+ dbfarm=os.path.join(farm_dir, 'node1'),
+ stdin=process.PIPE, stdout=process.PIPE,
+ stderr=process.PIPE) as prc1:
+ conn1 = pymonetdb.connect(database='node1', port=prc1.dbport,
autocommit=True)
+ cur1 = conn1.cursor()
+
+ cur1.execute("create table s1 (i int)")
+ if cur1.execute("insert into s1 values (23), (42)") != 2:
+ sys.stderr.write("2 rows inserted expected")
+
+ cur1.close()
+ conn1.close()
+
+ # node2 is the master
+ prc2 = None
+ with process.server(mapiport='0', dbname='node2',
+ dbfarm=os.path.join(farm_dir, 'node2'),
+ stdin=process.PIPE, stdout=process.PIPE,
+ stderr=process.PIPE) as prc2:
+ conn2 = pymonetdb.connect(database='node2', port=prc2.dbport,
autocommit=True)
+ cur2 = conn2.cursor()
+
+ # add s1 from node1 as remote
+ cur2.execute("create remote table s1 (i int) on
'mapi:monetdb://localhost:"+str(prc1.dbport)+"/node1';")
+
+ # create a local s2 identical with the remote s1
+ cur2.execute("create table s2 (i int)")
+ cur2.execute("insert into s2 values (23), (42)")
+
+ # create the replica table with s1 (remote) and s2 (local)
+ cur2.execute("create replica table repS(i int)")
+ cur2.execute("alter table repS add table s1")
+ cur2.execute("alter table repS add table s2")
+
+ # create a new user and give him select perm on the repS
+ cur2.execute("create user tom with password '123tom' name 'Tom'
schema sys")
+ cur2.execute("grant select on reps to tom")
+
+ # close
+ cur2.close()
+ conn2.close()
+
+ # connect as the newly created user
+ conn3 = pymonetdb.connect(database='node2', port=prc2.dbport,
+ username='tom', password='123tom',
+ autocommit=True)
+ cur3 = conn3.cursor()
+
+ # even though the user can only select the repS table they
+ # should NOT be blocked from selecting the data which are in
+ # s2, even though they do not have select perms on s2
_______________________________________________
checkin-list mailing list -- checkin-list@monetdb.org
To unsubscribe send an email to checkin-list-le...@monetdb.org
