Repository: incubator-trafodion Updated Branches: refs/heads/master f6f4402b5 -> cc13c6cc5
TRAFODION-2441 user has only select privilege on a table can do ... TRAFODION-2409 support privilege control(column privileges) for hive tables TRAFODION-2423 any user can perform 'initialize trafodion, drop' TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables. TRAFODION-2463 Hive: Any user can do update statistics for hive tables Fixed issues found while testing privileges with native Hive. TRAFODION-2441: changed code that initializes owner privileges for views. TRAFODION-2409: returning error message 1328 during attempt to grant unsupported column level privilege on hive table. TRAFODION 2423: added privilege checks for all initialize commands, error 1017 is returned if not DB__ROOT TRAFODION-2435: Returning error 1051 if TRUNCATE is attempted on a hive table where the current user has no privilege TRAFODION-2463: Privilege checks added for Hive table during update statistics Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/db14e392 Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/db14e392 Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/db14e392 Branch: refs/heads/master Commit: db14e3922cb2d0722d0885f5c248cac2af2b904d Parents: 60c0c42 Author: Roberta Marton <rmarton@edev07.esgyn.local> Authored: Mon Feb 13 23:20:54 2017 +0000 Committer: Roberta Marton <rmarton@edev07.esgyn.local> Committed: Mon Feb 13 23:20:54 2017 +0000 ---------------------------------------------------------------------- core/sql/bin/SqlciErrors.txt | 4 +- core/sql/common/ComUser.cpp | 27 +++++++ core/sql/common/ComUser.h | 2 + core/sql/optimizer/BindRelExpr.cpp | 12 +-- core/sql/optimizer/NATable.cpp | 20 +++-- core/sql/optimizer/RelExeUtil.cpp | 30 +++++++ core/sql/regress/privs1/EXPECTED141 | Bin 100853 -> 102260 bytes core/sql/regress/privs1/TEST123 | 2 +- core/sql/regress/privs1/TEST141 | 10 ++- core/sql/regress/privs2/EXPECTED144 | Bin 59409 -> 59453 bytes core/sql/sqlcomp/CmpDescribe.cpp | 9 ++- core/sql/sqlcomp/CmpSeabaseDDLauth.cpp | 103 ++++++++++++++++++++++-- core/sql/sqlcomp/CmpSeabaseDDLauth.h | 1 + core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp | 55 ++++++++++++- core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp | 18 +++++ core/sql/sqlcomp/CmpSeabaseDDLschema.cpp | 33 +++++--- core/sql/sqlcomp/CmpSeabaseDDLtable.cpp | 74 +++++++++++++++++ core/sql/sqlcomp/CmpSeabaseDDLupgrade.cpp | 7 ++ core/sql/sqlcomp/PrivMgr.cpp | 10 +-- core/sql/sqlcomp/PrivMgr.h | 5 +- core/sql/sqlcomp/PrivMgrCommands.cpp | 65 +++++++++++++-- core/sql/sqlcomp/PrivMgrCommands.h | 6 ++ core/sql/sqlcomp/PrivMgrPrivileges.cpp | 26 ++++-- core/sql/sqlcomp/PrivMgrPrivileges.h | 4 +- core/sql/sqlcomp/PrivMgrRoles.cpp | 106 +++++++++++++------------ core/sql/ustat/hs_globals.cpp | 2 +- 26 files changed, 517 insertions(+), 114 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/bin/SqlciErrors.txt ---------------------------------------------------------------------- diff --git a/core/sql/bin/SqlciErrors.txt b/core/sql/bin/SqlciErrors.txt index 8afa052..fe99787 100644 --- a/core/sql/bin/SqlciErrors.txt +++ b/core/sql/bin/SqlciErrors.txt @@ -222,8 +222,8 @@ 1224 ZZZZZ 99999 BEGINNER MAJOR DBADMIN An invalid data type was specified for routine parameter $0~String0. 1225 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Mixing EXECUTE privilege with other privileges is not allowed. 1226 ZZZZZ 99999 BEGINNER MAJOR DBADMIN No valid combination of privileges was specified. -1227 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Cannot unregister user. User has been granted privileges. -1228 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Cannot drop role. Role has been granted privileges. +1227 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Cannot unregister user. User $0~String0 has been granted privileges on $1~String1. +1228 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Cannot drop role. Role $0~String0 has been granted privileges on $1~String1. 1229 ZZZZZ 99999 BEGINNER MAJOR DBADMIN The $0~string0 option is not supported. 1230 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Object owner must be the schema owner in private schemas. 1231 ZZZZZ 99999 BEGINNER MAJOR DBADMIN User-defined routine $0~String0 could not be created. http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/common/ComUser.cpp ---------------------------------------------------------------------- diff --git a/core/sql/common/ComUser.cpp b/core/sql/common/ComUser.cpp index 7e7d7ca..925c5eb 100644 --- a/core/sql/common/ComUser.cpp +++ b/core/sql/common/ComUser.cpp @@ -348,6 +348,33 @@ Int16 ComUser::getAuthNameFromAuthID(Int32 authID, return FEOK; } + +// ---------------------------------------------------------------------------- +// method: currentUserHasRole +// +// Searches the list of roles stored for the user to see if passed in role ID +// is found +// +// Returns: true - role found +// false - role not found +// ---------------------------------------------------------------------------- +bool ComUser::currentUserHasRole(Int32 roleID) +{ + Int32 numRoles = 0; + Int32 *roleIDs = 0; + if (SQL_EXEC_GetRoleList(numRoles, roleIDs) < 0) + return false; + + for (Int32 i = 0; i < numRoles; i++) + { + Int32 userRole = roleIDs[i]; + if (userRole == roleID) + return true; + } + return false; +} + + // ---------------------------------------------------------------------------- // method: getRoleList // http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/common/ComUser.h ---------------------------------------------------------------------- diff --git a/core/sql/common/ComUser.h b/core/sql/common/ComUser.h index ea00c88..645b983 100644 --- a/core/sql/common/ComUser.h +++ b/core/sql/common/ComUser.h @@ -90,6 +90,8 @@ class ComUser static Int16 getAuthIDFromAuthName (const char * authName, Int32 & authID); + static bool currentUserHasRole(Int32 roleID); + static Int32 getRoleList (char *roleList, Int32 &actualLen, const Int32 maxLen, http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/optimizer/BindRelExpr.cpp ---------------------------------------------------------------------- diff --git a/core/sql/optimizer/BindRelExpr.cpp b/core/sql/optimizer/BindRelExpr.cpp index e1eefe2..15f5e35 100644 --- a/core/sql/optimizer/BindRelExpr.cpp +++ b/core/sql/optimizer/BindRelExpr.cpp @@ -6881,9 +6881,7 @@ NABoolean RelRoot::checkPrivileges(BindWA* bindWA) *CmpCommon::diags() << DgSqlCode( -4400 ); return FALSE; } - retcode = privInterface.getPrivileges( tab->objectUid().get_value(), - tab->getObjectType(), thisUserID, - privInfo); + retcode = privInterface.getPrivileges( tab, thisUserID, privInfo); cmpSBD.switchBackCompiler(); if (retcode != STATUS_GOOD) @@ -7003,9 +7001,7 @@ NABoolean RelRoot::checkPrivileges(BindWA* bindWA) *CmpCommon::diags() << DgSqlCode( -4400 ); return FALSE; } - retcode = privInterface.getPrivileges( tab->objectUid().get_value(), - tab->getObjectType(), thisUserID, - privInfo); + retcode = privInterface.getPrivileges( tab, thisUserID, privInfo); cmpSBD.switchBackCompiler(); if (retcode != STATUS_GOOD) @@ -7062,9 +7058,7 @@ NABoolean RelRoot::checkPrivileges(BindWA* bindWA) *CmpCommon::diags() << DgSqlCode( -4400 ); return FALSE; } - retcode = privInterface.getPrivileges(tab->objectUid().get_value(), - COM_SEQUENCE_GENERATOR_OBJECT, - thisUserID, privInfo); + retcode = privInterface.getPrivileges(tab, thisUserID, privInfo); cmpSBD.switchBackCompiler(); if (retcode != STATUS_GOOD) { http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/optimizer/NATable.cpp ---------------------------------------------------------------------- diff --git a/core/sql/optimizer/NATable.cpp b/core/sql/optimizer/NATable.cpp index ea15cc4..d734e2e 100644 --- a/core/sql/optimizer/NATable.cpp +++ b/core/sql/optimizer/NATable.cpp @@ -5687,8 +5687,7 @@ NATable::NATable(BindWA *bindWA, schemaOwner_ = SUPER_USER; } - if (hasExternalTable()) - getPrivileges(NULL); + getPrivileges(NULL); // TBD - if authorization is enabled and there is no external table to store // privileges, go get privilege information from HIVE metadata ... @@ -6654,11 +6653,20 @@ void NATable::getPrivileges(TrafDesc * priv_desc) // If current user is root, object owner, or this is a volatile table // automatically have owner default privileges. - if ((!isSeabaseTable() && !isHiveTable()) || + if ((!isSeabaseTable() && !isHiveTable()) || !CmpCommon::context()->isAuthorizationEnabled() || isVolatileTable() || - ComUser::isRootUserID()|| - ComUser::getCurrentUser() == owner_) + (ComUser::isRootUserID() && !isHiveTable()) ) + { + privInfo_ = new(heap_) PrivMgrUserPrivs; + privInfo_->setOwnerDefaultPrivs(); + return; + } + + // Generally, if the current user is the object owner, then the automatically + // have all privs. However, if this is a shared schema then views can be + // owned by the current user but not have all privs + if (ComUser::getCurrentUser() == owner_ && objectType_ != COM_VIEW_OBJECT) { privInfo_ = new(heap_) PrivMgrUserPrivs; privInfo_->setOwnerDefaultPrivs(); @@ -6741,7 +6749,7 @@ void NATable::readPrivileges () std::vector <ComSecurityKey *> secKeyVec; if (testError || (STATUS_GOOD != - privInterface.getPrivileges(objectUid().get_value(), objectType_, + privInterface.getPrivileges((NATable *)this, ComUser::getCurrentUser(), *privInfo_, &secKeyVec))) { if (testError) http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/optimizer/RelExeUtil.cpp ---------------------------------------------------------------------- diff --git a/core/sql/optimizer/RelExeUtil.cpp b/core/sql/optimizer/RelExeUtil.cpp index 4dedcbc..a7ced3c 100644 --- a/core/sql/optimizer/RelExeUtil.cpp +++ b/core/sql/optimizer/RelExeUtil.cpp @@ -5164,6 +5164,36 @@ RelExpr * ExeUtilHiveTruncate::bindNode(BindWA *bindWA) return NULL; } + // If the current user has been granted the Trafodion Hive/DB root role or + // is DB__ROOT, allow the operation. + // If the current user has select and delete privileges, allow the operation + if (bindWA->currentCmpContext()->isAuthorizationEnabled()) + { + NABoolean found = FALSE; + if (ComUser::isRootUserID() || + ComUser::currentUserHasRole(HIVE_ROLE_ID) || + ComUser::currentUserHasRole(ROOT_ROLE_ID)) + found = TRUE; + + if (!found) + { + PrivMgrUserPrivs *pPrivInfo = naTable->getPrivInfo(); + if (pPrivInfo && + pPrivInfo->hasPriv(SELECT_PRIV) && + pPrivInfo->hasPriv(DELETE_PRIV)) + found = TRUE; + + if (!found) + { + *CmpCommon::diags() + << DgSqlCode( -1051 ) + << DgTableName(naTable->getTableName().getQualifiedNameAsAnsiString()); + bindWA->setErrStatus(); + return NULL; + } + } + } + const HHDFSTableStats* hTabStats = naTable->getClusteringIndex()->getHHDFSTableStats(); http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/regress/privs1/EXPECTED141 ---------------------------------------------------------------------- diff --git a/core/sql/regress/privs1/EXPECTED141 b/core/sql/regress/privs1/EXPECTED141 index b846af7..7735750 100644 Binary files a/core/sql/regress/privs1/EXPECTED141 and b/core/sql/regress/privs1/EXPECTED141 differ http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/regress/privs1/TEST123 ---------------------------------------------------------------------- diff --git a/core/sql/regress/privs1/TEST123 b/core/sql/regress/privs1/TEST123 index 366200d..f32cf61 100644 --- a/core/sql/regress/privs1/TEST123 +++ b/core/sql/regress/privs1/TEST123 @@ -1,5 +1,5 @@ -- ============================================================================ --- TEST123 - tests revoke query invalidation +-- TEST123 - tests get statements -- -- @@@ START COPYRIGHT @@@ -- http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/regress/privs1/TEST141 ---------------------------------------------------------------------- diff --git a/core/sql/regress/privs1/TEST141 b/core/sql/regress/privs1/TEST141 index a605f64..273bfeb 100755 --- a/core/sql/regress/privs1/TEST141 +++ b/core/sql/regress/privs1/TEST141 @@ -202,7 +202,7 @@ sh sqlci -i "TEST141(user3_objects)" -u sql_user3; ?section test_shared_user -- ============================================================================ -- verify someone with CREATE permission can create objects in someone elses --- shared schema. Make sure the schema owner owns the object and the creator +-- shared schema. Make sure the current user owns the object and the creator -- has appropriate privileges. values (user); @@ -243,7 +243,7 @@ execute get_obj_privs; sh sqlci -i "TEST141(user1_objects)" -u sql_user1; -- grant privileges to sql_user1 and retry -grant select on t141_user1.u1t1 to sql_user1; +grant select, insert, delete on t141_user1.u1t1 to sql_user1; grant select on t141_user1.u2t1 to sql_user1; sh sqlci -i "TEST141(user1_objects)" -u sql_user1; execute get_obj_privs; @@ -286,7 +286,7 @@ execute get_obj_privs; ?section test_shared_role -- ============================================================================ -- verify someone with CREATE permission can create objects in someone elses --- shared schema. Make sure the schema owner owns the object and the creator +-- shared schema. Make sure the current user owns the object and the creator -- has appropriate privileges. values (user); @@ -324,7 +324,11 @@ values (user); set schema t141_user1; create view u1v1 as select * from u1t1; +insert into u1v1 values (6,6,6); +delete from u1v1 where c1 = 6; create view u1v2 as select * from u2t1; +insert into u1v2 values (6,6,6); +delete from u1v2 where c1 = 6; create view u1v3(c1, c2) as select u1.c1, u2.c1 from u1t1 u1, u2t1 u2; -- ============================================================================ http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/regress/privs2/EXPECTED144 ---------------------------------------------------------------------- diff --git a/core/sql/regress/privs2/EXPECTED144 b/core/sql/regress/privs2/EXPECTED144 index d89bd39..70d088f 100644 Binary files a/core/sql/regress/privs2/EXPECTED144 and b/core/sql/regress/privs2/EXPECTED144 differ http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpDescribe.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpDescribe.cpp b/core/sql/sqlcomp/CmpDescribe.cpp index 32fdd27..c9e98e3 100644 --- a/core/sql/sqlcomp/CmpDescribe.cpp +++ b/core/sql/sqlcomp/CmpDescribe.cpp @@ -2256,6 +2256,12 @@ short CmpDescribeHiveTable ( // emit an initial newline outputShortLine(space, " "); + if (!CmpDescribeIsAuthorized(SQLOperation::UNKNOWN, + naTable->getPrivInfo(), + COM_BASE_TABLE_OBJECT)) + return -1; + + if (type == 1) { sprintf(buf, "-- Definition of hive table %s\n" @@ -2817,8 +2823,7 @@ short CmpDescribeSeabaseTable ( NABoolean displayPrivilegeGrants = TRUE; if (((CmpCommon::getDefault(SHOWDDL_DISPLAY_PRIVILEGE_GRANTS) == DF_SYSTEM) && sqlmxRegr) || - (CmpCommon::getDefault(SHOWDDL_DISPLAY_PRIVILEGE_GRANTS) == DF_OFF) || - (isExternalTable)) + (CmpCommon::getDefault(SHOWDDL_DISPLAY_PRIVILEGE_GRANTS) == DF_OFF)) displayPrivilegeGrants = FALSE; // display syscols for invoke if not running regrs http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp b/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp index ad3c3dd..ea2d3f2 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp @@ -265,6 +265,80 @@ CmpSeabaseDDLauth::AuthStatus CmpSeabaseDDLauth::getRoleIDs( } // ---------------------------------------------------------------------------- +// public method: getObjectName +// +// Returns the first object name from the list of passed in objectUIDs. +// +// Input: +// objectUIDs - list of objectUIDs +// +// Output: +// returns the fully qualified object name +// returns NULL string if no objects were found +// ---------------------------------------------------------------------------- +NAString CmpSeabaseDDLauth::getObjectName (const std::vector <int64_t> objectUIDs) +{ + char longBuf [sizeof(int64_t)*8+1]; + bool isFirst = true; + NAString objectList; + NAString objectName; + + if (objectUIDs.size() == 0) + return objectName; + + // convert objectUIDs into an "in" clause list + for (int i = 0; i < objectUIDs.size(); i++) + { + if (isFirst) + objectList = "("; + else + objectList += ", "; + isFirst = false; + sprintf (longBuf, "%ld", objectUIDs[i]); + objectList += longBuf; + } + objectList += ")"; + + NAString sysCat = CmpSeabaseDDL::getSystemCatalogStatic(); + char buf[1000 + objectList.length()]; + str_sprintf(buf, "select [first 1] trim(catalog_name) || '.' || " + "trim(schema_name) || '.' || trim(object_name) " + " from %s.\"%s\".%s where object_uid in %s", + sysCat.data(), SEABASE_MD_SCHEMA, SEABASE_OBJECTS, objectList.data()); + + ExeCliInterface cliInterface(STMTHEAP); + Int32 cliRC = cliInterface.fetchRowsPrologue(buf, true/*no exec*/); + if (cliRC != 0) + { + cliInterface.retrieveSQLDiagnostics(CmpCommon::diags()); + UserException excp (NULL, 0); + throw excp; + } + + cliRC = cliInterface.clearExecFetchClose(NULL, 0); + if (cliRC < 0) + { + cliInterface.retrieveSQLDiagnostics(CmpCommon::diags()); + UserException excp (NULL, 0); + throw excp; + } + + // return an empty string + if (cliRC == 100) + return objectName; + + // get the objectname + char * ptr = NULL; + Lng32 len = 0; + + // object name returned + cliInterface.getPtrAndLen(1,ptr,len); + NAString returnedName(ptr,len); + return returnedName; +} + + +// ---------------------------------------------------------------------------- // method: getUniqueID // // This method is not valid for the base class @@ -985,10 +1059,18 @@ void CmpSeabaseDDLuser::unregisterUser(StmtDDLRegisterUser * pNode) privClasses.push_back(PrivClass::ALL); - if (privMgr.isAuthIDGrantedPrivs(getAuthID(),privClasses)) + std::vector<int64_t> objectUIDs; + if (privMgr.isAuthIDGrantedPrivs(getAuthID(),privClasses, objectUIDs)) { - *CmpCommon::diags() << DgSqlCode(-CAT_NO_UNREG_USER_HAS_PRIVS); - return; + NAString objectName = getObjectName(objectUIDs); + if (objectName.length() > 0) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NO_UNREG_USER_HAS_PRIVS) + << DgString0(dbUserName.data()) + << DgString1(objectName.data()); + + return; + } } // delete the row @@ -1727,11 +1809,18 @@ void CmpSeabaseDDLrole::dropRole(StmtDDLCreateRole * pNode) std::vector<PrivClass> privClasses; privClasses.push_back(PrivClass::ALL); - - if (privMgr.isAuthIDGrantedPrivs(getAuthID(),privClasses)) + std::vector<int64_t> objectUIDs; + + if (privMgr.isAuthIDGrantedPrivs(getAuthID(),privClasses, objectUIDs)) { - *CmpCommon::diags() << DgSqlCode(-CAT_ROLE_HAS_PRIVS_NO_DROP); - return; + NAString objectName = getObjectName(objectUIDs); + if (objectName.length() > 0) + { + *CmpCommon::diags() << DgSqlCode(-CAT_ROLE_HAS_PRIVS_NO_DROP) + << DgString0(roleName.data()) + << DgString1(objectName.data()); + return; + } } // Role has not been granted and no privileges have been granted to http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpSeabaseDDLauth.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLauth.h b/core/sql/sqlcomp/CmpSeabaseDDLauth.h index 5ccda8a..7ecf96d 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLauth.h +++ b/core/sql/sqlcomp/CmpSeabaseDDLauth.h @@ -77,6 +77,7 @@ class CmpSeabaseDDLauth NAString &authText); AuthStatus getRoleIDs (const Int32 authID, std::vector<int32_t> &roleIDs); + NAString getObjectName (const std::vector <int64_t> objectUIDs); // accessors Int32 getAuthCreator() const { return authCreator_; } http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp b/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp index f862963..6e69a95 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp @@ -7005,6 +7005,14 @@ short CmpSeabaseDDL::updateSeabaseAuths( void CmpSeabaseDDL::initSeabaseMD(NABoolean ddlXns, NABoolean minimal) { int breadCrumb = -1; // useful for debugging + + // verify user is authorized + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return; + } + Lng32 retcode = 0; Lng32 cliRC = 0; NABoolean xnWasStartedHere = FALSE; @@ -7289,6 +7297,12 @@ void CmpSeabaseDDL::initSeabaseMD(NABoolean ddlXns, NABoolean minimal) void CmpSeabaseDDL::createSeabaseMDviews() { + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return; + } + Lng32 retcode = 0; Lng32 cliRC = 0; @@ -7311,6 +7325,13 @@ void CmpSeabaseDDL::createSeabaseMDviews() void CmpSeabaseDDL::dropSeabaseMDviews() { + // verify user is authorized + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return; + } + Lng32 retcode = 0; Lng32 cliRC = 0; @@ -7333,6 +7354,12 @@ void CmpSeabaseDDL::dropSeabaseMDviews() void CmpSeabaseDDL::createSeabaseSchemaObjects() { + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return; + } + Lng32 retcode = 0; Lng32 cliRC = 0; @@ -7994,6 +8021,13 @@ short CmpSeabaseDDL::dropSeabaseObjectsFromHbase(const char * pattern, void CmpSeabaseDDL::dropSeabaseMD(NABoolean ddlXns) { + // verify user is authorized + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return; + } + Lng32 cliRC; Lng32 retcode = 0; NABoolean xnWasStartedHere = FALSE; @@ -8377,6 +8411,12 @@ NABoolean CmpSeabaseDDL::deletePrivMgrInfo(const NAString &objectName, short CmpSeabaseDDL::dropMDTable(ExpHbaseInterface *ehi, const char * tab) { + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return -1; + } + Lng32 retcode = 0; HbaseStr hbaseObjStr; @@ -8400,6 +8440,12 @@ short CmpSeabaseDDL::dropMDTable(ExpHbaseInterface *ehi, const char * tab) void CmpSeabaseDDL::updateVersion() { + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return; + } + Lng32 retcode = 0; Lng32 cliRC = 0; @@ -8932,9 +8978,12 @@ short CmpSeabaseDDL::executeSeabaseDDL(DDLExpr * ddlExpr, ExprNode * ddlNode, (ddlExpr->dropRepos()) || (ddlExpr->upgradeRepos())) { - processRepository(ddlExpr->createRepos(), - ddlExpr->dropRepos(), - ddlExpr->upgradeRepos()); + if (!ComUser::isRootUserID()) + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + else + processRepository(ddlExpr->createRepos(), + ddlExpr->dropRepos(), + ddlExpr->upgradeRepos()); } else { http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp b/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp index d444832..67148e1 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp @@ -1590,6 +1590,12 @@ short CmpSeabaseDDL::validateRoutine(ExeCliInterface *cliInterface, short CmpSeabaseDDL::createSeabaseLibmgr(ExeCliInterface * cliInterface) { + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return -1; + } + Lng32 cliRC = 0; if ((CmpCommon::context()->isUninitializedSeabase()) && @@ -1707,6 +1713,12 @@ short CmpSeabaseDDL::grantLibmgrPrivs(ExeCliInterface *cliInterface) short CmpSeabaseDDL::upgradeSeabaseLibmgr(ExeCliInterface * cliInterface) { + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return -1; + } + Lng32 cliRC = 0; cliRC = existsInSeabaseMDTable(cliInterface, @@ -1730,6 +1742,12 @@ short CmpSeabaseDDL::upgradeSeabaseLibmgr(ExeCliInterface * cliInterface) short CmpSeabaseDDL::dropSeabaseLibmgr(ExeCliInterface *cliInterface) { + if (!ComUser::isRootUserID()) + { + *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED); + return -1; + } + Lng32 cliRC = 0; char queryBuf[strlen(getSystemCatalog()) + strlen(SEABASE_LIBMGR_SCHEMA) + 100]; http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpSeabaseDDLschema.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLschema.cpp b/core/sql/sqlcomp/CmpSeabaseDDLschema.cpp index f850449..046ece1 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLschema.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLschema.cpp @@ -249,17 +249,30 @@ void CmpSeabaseDDL::createSeabaseSchema( Int32 objectOwner = NA_UserIdDefault; Int32 schemaOwner = NA_UserIdDefault; - int32_t retCode = verifyDDLCreateOperationAuthorized(&cliInterface, - SQLOperation::CREATE_SCHEMA, - catName, - schName, - schemaClass, - objectOwner, - schemaOwner); - if (retCode != 0) + + // If creating the hive statistics schema, make owners + // the HIVE_ROLE_ID and skip authorization check. + // Schema is being created as part of an update statistics cmd + if (schName == HIVE_STATS_SCHEMA_NO_QUOTES && + Get_SqlParser_Flags(INTERNAL_QUERY_FROM_EXEUTIL)) { - handleDDLCreateAuthorizationError(retCode,catName,schName); - return; + objectOwner = HIVE_ROLE_ID; + schemaOwner = HIVE_ROLE_ID; + } + else + { + int32_t retCode = verifyDDLCreateOperationAuthorized(&cliInterface, + SQLOperation::CREATE_SCHEMA, + catName, + schName, + schemaClass, + objectOwner, + schemaOwner); + if (retCode != 0) + { + handleDDLCreateAuthorizationError(retCode,catName,schName); + return; + } } Int32 schemaOwnerID = NA_UserIdDefault; http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp index 93f16be..4a7d2d9 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp @@ -9541,6 +9541,25 @@ void CmpSeabaseDDL::seabaseGrantRevoke( return; } + // If column privs specified for non SELECT ops for Hive native tables, + // return an error + if (cn.isHive() && (colPrivs.size() > 0)) + { + if (hasValue(colPrivs, INSERT_PRIV) || + hasValue(colPrivs, UPDATE_PRIV) || + hasValue(colPrivs, REFERENCES_PRIV)) + { + NAString text1("INSERT, UPDATE, REFERENCES"); + NAString text2("Hive columns on"); + *CmpCommon::diags() << DgSqlCode(-CAT_INVALID_PRIV_FOR_OBJECT) + << DgString0(text1.data()) + << DgString1(text2.data()) + << DgTableName(extTableName); + processReturn(); + return; + } + } + // Prepare to call privilege manager NAString MDLoc; CONCAT_CATSCH(MDLoc, getSystemCatalog(), SEABASE_MD_SCHEMA); @@ -9577,6 +9596,61 @@ void CmpSeabaseDDL::seabaseGrantRevoke( return; } + // for Hive tables, the table must have an external table defined + if (objectUID == 0 && naTable && + (naTable->isHiveTable() && + !naTable->hasExternalTable())) + { + // For native hive tables, grantor must be DB__ROOT or belong + // to one of the admin roles: DB__ROOTROLE, DB__HIVEROLE + // In hive, you must be an admin, DB__ROOTROLE and DB__HIVEROLE + // is the equivalent of an admin. + if (!ComUser::isRootUserID() && + !ComUser::currentUserHasRole(ROOT_ROLE_ID) && + !ComUser::currentUserHasRole(HIVE_ROLE_ID)) + { + *CmpCommon::diags() << DgSqlCode (-CAT_NOT_AUTHORIZED); + processReturn(); + return; + } + + // create an external table for this hive table. + // if the trafodion schema containing hive table descriptions does + // not exists, the "create external" table command creates it. + char query[(ComMAX_ANSI_IDENTIFIER_EXTERNAL_LEN*4) + 100]; + snprintf(query, sizeof(query), + "create external table \"%s\" for %s.\"%s\".\"%s\"", + objectNamePart.data(), + catalogNamePart.data(), + schemaNamePart.data(), + objectNamePart.data()); + Lng32 retcode = cliInterface.executeImmediate(query); + if (retcode < 0) + { + cliInterface.retrieveSQLDiagnostics(CmpCommon::diags()); + return; + } + + // remove NATable and reload it to include external table defn. + ActiveSchemaDB()->getNATableDB()->removeNATable + (cn, + ComQiScope::REMOVE_MINE_ONLY, COM_BASE_TABLE_OBJECT, + FALSE, FALSE); + + naTable = bindWA.getNATable(cn); + if (naTable == NULL) + { + SEABASEDDL_INTERNAL_ERROR("Bad NATable pointer in seabaseGrantRevoke"); + return; + } + + objectUID = (int64_t)naTable->objectUid().get_value(); + objectOwnerID = (int32_t)naTable->getOwner(); + schemaOwnerID = naTable->getSchemaOwner(); + objectType = naTable->getObjectType(); + } + + // for metadata tables, the objectUID is not initialized in the NATable // structure if (objectUID == 0) http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/CmpSeabaseDDLupgrade.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLupgrade.cpp b/core/sql/sqlcomp/CmpSeabaseDDLupgrade.cpp index 7cdc9aa..5703769 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLupgrade.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLupgrade.cpp @@ -355,6 +355,13 @@ short CmpSeabaseMDupgrade::executeSeabaseMDupgrade(CmpDDLwithStatusInfo *mdui, mdui->setSubstep(0); mdui->setEndStep(TRUE); + if (!ComUser::isRootUserID()) + { + mdui->setMsg("Metadata Upgrade: not authorized"); + mdui->setStep(UPGRADE_FAILED); + mdui->setSubstep(0); + } + if (sendAllControlsAndFlags()) { mdui->setStep(UPGRADE_FAILED); http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/PrivMgr.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgr.cpp b/core/sql/sqlcomp/PrivMgr.cpp index b75f4b2..817c796 100644 --- a/core/sql/sqlcomp/PrivMgr.cpp +++ b/core/sql/sqlcomp/PrivMgr.cpp @@ -606,9 +606,9 @@ const char * PrivMgr::getSQLOperationDescription(SQLOperation operation) // * * // ***************************************************************************** bool PrivMgr::isAuthIDGrantedPrivs( - int32_t authID, - std::vector<PrivClass> privClasses) - + const int32_t authID, + std::vector<PrivClass> privClasses, + std::vector<int64_t> &objectUIDs) { // Check for empty vector. @@ -626,7 +626,7 @@ bool PrivMgr::isAuthIDGrantedPrivs( { PrivMgrPrivileges objectPrivileges(metadataLocation_,pDiags_); - if (objectPrivileges.isAuthIDGrantedPrivs(authID)) + if (objectPrivileges.isAuthIDGrantedPrivs(authID, objectUIDs)) return true; PrivMgrComponentPrivileges componentPrivileges(metadataLocation_,pDiags_); @@ -646,7 +646,7 @@ bool PrivMgr::isAuthIDGrantedPrivs( { PrivMgrPrivileges objectPrivileges(metadataLocation_,pDiags_); - if (objectPrivileges.isAuthIDGrantedPrivs(authID)) + if (objectPrivileges.isAuthIDGrantedPrivs(authID, objectUIDs)) return true; break; http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/PrivMgr.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgr.h b/core/sql/sqlcomp/PrivMgr.h index e7f412e..925a9af 100644 --- a/core/sql/sqlcomp/PrivMgr.h +++ b/core/sql/sqlcomp/PrivMgr.h @@ -168,8 +168,9 @@ class PrivMgr bool isAuthorizationEnabled(void); void setAuthorizationEnabled(PrivMDStatus authStatus) {authorizationEnabled_ = authStatus;} bool isAuthIDGrantedPrivs( - int32_t authID, - std::vector<PrivClass> privClasses); + const int32_t authID, + std::vector<PrivClass> privClasses, + std::vector<int64_t> &objectUIDs); void resetFlags(); void setFlags(); http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/PrivMgrCommands.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrCommands.cpp b/core/sql/sqlcomp/PrivMgrCommands.cpp index 30b6eea..38a6539 100644 --- a/core/sql/sqlcomp/PrivMgrCommands.cpp +++ b/core/sql/sqlcomp/PrivMgrCommands.cpp @@ -536,6 +536,62 @@ PrivStatus PrivMgrCommands::getGrantorDetailsForObject( // ---------------------------------------------------------------------------- // method: getPrivileges // +// returns the list of privileges and security keys for the userID given the +// specified objectUID +// +// Input: +// naTable - a pointer to the object +// userID - user to gather privs +// userPrivileges - returns available privileges +// secKeySet - the security keys for the object/user +// +// returns true if results were found, false otherwise +// The Trafodion diags area contains any errors that were encountered +// ---------------------------------------------------------------------------- +PrivStatus PrivMgrCommands::getPrivileges( + NATable *naTable, + const int32_t userID, + PrivMgrUserPrivs &userPrivs, + std::vector <ComSecurityKey *>* secKeySet) +{ + PrivMgrDesc privsOfTheUser; + + // authorization is not enabled, return bitmaps with all bits set + // With all bits set, privilege checks will always succeed + if (!authorizationEnabled()) + { + privsOfTheUser.setAllTableGrantPrivileges(true); + userPrivs.initUserPrivs(privsOfTheUser); + return STATUS_GOOD; + } + + // if a hive table and does not have an external table, assume no privs + if (naTable->isHiveTable() && !naTable->hasExternalTable()) + { + PrivMgrDesc emptyDesc; + userPrivs.initUserPrivs(emptyDesc); + } + else + { + PrivMgrPrivileges objectPrivs (metadataLocation_, pDiags_); + PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser((int64_t)naTable->objectUid().get_value(), + naTable->getObjectType(), + userID, + privsOfTheUser, + secKeySet); + if (retcode != STATUS_GOOD) + return retcode; + + userPrivs.initUserPrivs(privsOfTheUser); + } + + return STATUS_GOOD; +} + + +// ---------------------------------------------------------------------------- +// method: getPrivileges +// // Creates a set of priv descriptors for all user grantees on an object // Used by Trafodion compiler to store as part of the table descriptor. // @@ -595,9 +651,9 @@ PrivStatus PrivMgrCommands::getPrivileges( { PrivMgrPrivileges objectPrivs (metadataLocation_, pDiags_); PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser(objectUID, - objectType, - userID, - privsOfTheUser, + objectType, + userID, + privsOfTheUser, secKeySet); if (retcode != STATUS_GOOD) return retcode; @@ -609,11 +665,10 @@ PrivStatus PrivMgrCommands::getPrivileges( privsOfTheUser.getTablePrivs().setAllPrivAndWgo(true); userPrivs.initUserPrivs(privsOfTheUser); - + return STATUS_GOOD; } - // ---------------------------------------------------------------------------- // method: getRoles // http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/PrivMgrCommands.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrCommands.h b/core/sql/sqlcomp/PrivMgrCommands.h index 74849c3..3ca8510 100644 --- a/core/sql/sqlcomp/PrivMgrCommands.h +++ b/core/sql/sqlcomp/PrivMgrCommands.h @@ -474,6 +474,12 @@ public: std::string &effectiveGrantorName); PrivStatus getPrivileges( + NATable *naTable, + const int32_t granteeUID, + PrivMgrUserPrivs &userPrivileges, + std::vector <ComSecurityKey *>* secKeySet = NULL); + + PrivStatus getPrivileges( const int64_t objectUID, ComObjectType objectType, std::vector<PrivMgrDesc> &userPrivileges); http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/PrivMgrPrivileges.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.cpp b/core/sql/sqlcomp/PrivMgrPrivileges.cpp index ba4b82a..016c42b 100644 --- a/core/sql/sqlcomp/PrivMgrPrivileges.cpp +++ b/core/sql/sqlcomp/PrivMgrPrivileges.cpp @@ -1681,7 +1681,8 @@ PrivStatus privStatus = objectPrivsTable.insert(row); // no need to grant privileges. // // This creator grant may be controlled by a CQD in the future. - if (ownerID == creatorID || creatorID == ComUser::getRootUserID()) + if (ownerID == creatorID || creatorID == ComUser::getRootUserID() || + ownerID == HIVE_ROLE_ID || ownerID == HBASE_ROLE_ID) return STATUS_GOOD; // Add a grant from the private schema owner to the creator. @@ -4785,11 +4786,13 @@ PrivStatus PrivMgrPrivileges::updateDependentObjects( // * false: Authorization ID has not been granted any object privileges. // * // ***************************************************************************** -bool PrivMgrPrivileges::isAuthIDGrantedPrivs(const int32_t authID) - +bool PrivMgrPrivileges::isAuthIDGrantedPrivs( + const int32_t authID, + std::vector<int64_t> &objectUIDs) { std::string whereClause(" WHERE GRANTEE_ID = "); + std::string orderByClause (" ORDER BY object_name "); char authIDString[20]; @@ -4800,10 +4803,23 @@ bool PrivMgrPrivileges::isAuthIDGrantedPrivs(const int32_t authID) // set pointer in diags area int32_t diagsMark = pDiags_->mark(); - int64_t rowCount = 0; + std::vector<PrivMgrMDRow *> rowList; ObjectPrivsMDTable myTable(objectTableName_,pDiags_); - PrivStatus privStatus = myTable.selectCountWhere(whereClause,rowCount); + PrivStatus privStatus = myTable.selectWhere(whereClause, orderByClause ,rowList); + if (privStatus != STATUS_GOOD) + { + deleteRowList(rowList); + return privStatus; + } + + int32_t rowCount = rowList.size(); + for (size_t i = 0; i < rowCount; i++) + { + ObjectPrivsMDRow &row = static_cast<ObjectPrivsMDRow &> (*rowList[i]); + objectUIDs.push_back(row.objectUID_); + } + deleteRowList(rowList); if ((privStatus == STATUS_GOOD || privStatus == STATUS_WARNING) && rowCount > 0) http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/PrivMgrPrivileges.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.h b/core/sql/sqlcomp/PrivMgrPrivileges.h index 285f6e1..ede37c1 100644 --- a/core/sql/sqlcomp/PrivMgrPrivileges.h +++ b/core/sql/sqlcomp/PrivMgrPrivileges.h @@ -223,7 +223,9 @@ public: // ------------------------------------------------------------------- // helpers // ------------------------------------------------------------------- - bool isAuthIDGrantedPrivs(const int32_t authID); + bool isAuthIDGrantedPrivs( + const int32_t authID, + std::vector<int64_t> &objectUIDs); protected: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/sqlcomp/PrivMgrRoles.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrRoles.cpp b/core/sql/sqlcomp/PrivMgrRoles.cpp index 4419c85..8bf9023 100644 --- a/core/sql/sqlcomp/PrivMgrRoles.cpp +++ b/core/sql/sqlcomp/PrivMgrRoles.cpp @@ -283,30 +283,32 @@ bool PrivMgrRoles::dependentObjectsExist( { -// First, determine if the role has been granted any object privileges. -// Only REFERENCES, SELECT and USAGE are relevant, but for now check all DML. -// If no granted privileges, then there are no objects created by this user -// depending on privileges granted to this role. + // First, determine if the role has been granted any object privileges. + // Only REFERENCES, SELECT and USAGE are relevant, but for now check all DML. + // If no granted privileges, then there are no objects created by this user + // depending on privileges granted to this role. -std::vector<PrivClass> privClass; + std::vector<PrivClass> privClass; privClass.push_back(PrivClass::OBJECT); - if (!isAuthIDGrantedPrivs(roleID,privClass)) + + std::vector<int64_t> objectUIDs; + if (!isAuthIDGrantedPrivs(roleID,privClass, objectUIDs)) return false; -// Second, see if the user owns any objects that are dependent, i.e., views, -// referential integrity (RI) constraints, or UDFs/SPJs. + // Second, see if the user owns any objects that are dependent, i.e., views, + // referential integrity (RI) constraints, or UDFs/SPJs. -std::string whereClause(" WHERE OBJECT_TYPE IN ('RC','SP','UR','VI') AND OBJECT_OWNER = "); + std::string whereClause(" WHERE OBJECT_TYPE IN ('RC','SP','UR','VI') AND OBJECT_OWNER = "); whereClause += authIDToString(userID); -PrivMgrObjects objects(trafMetadataLocation_,pDiags_); + PrivMgrObjects objects(trafMetadataLocation_,pDiags_); -std::vector<UIDAndType> ownedUIDandTypes; + std::vector<UIDAndType> ownedUIDandTypes; -PrivStatus privStatus = objects.fetchUIDandTypes(whereClause,ownedUIDandTypes); + PrivStatus privStatus = objects.fetchUIDandTypes(whereClause,ownedUIDandTypes); if (privStatus == STATUS_ERROR) { @@ -314,30 +316,30 @@ PrivStatus privStatus = objects.fetchUIDandTypes(whereClause,ownedUIDandTypes); return true; } -// If the user does not own any views, user defined functions, or referential -// integrity constraints, they do not have any dependent objects. + // If the user does not own any views, user defined functions, or referential + // integrity constraints, they do not have any dependent objects. if (privStatus == STATUS_NOTFOUND || ownedUIDandTypes.size() == 0) return false; -//TODO: User owns dependent objects and role has been granted privileges. -// But do they correlate? For instance, if a role is granted INSERT, -// losing that privilege does not affect any views the user may own. -// Could get list of privilege types granted the role, and then -// compare with types of dependent objects. If no correlation, -// short-circuit this check. See file private function -// isDependentObjectPrivPair(). + //TODO: User owns dependent objects and role has been granted privileges. + // But do they correlate? For instance, if a role is granted INSERT, + // losing that privilege does not affect any views the user may own. + // Could get list of privilege types granted the role, and then + // compare with types of dependent objects. If no correlation, + // short-circuit this check. See file private function + // isDependentObjectPrivPair(). -// OK, user owns dependent objects and role has been granted privileges. -// One of more of those objects could depend on privileges granted this role. -// Get the name of the role to use in error messages. -int32_t length; + // OK, user owns dependent objects and role has been granted privileges. + // One of more of those objects could depend on privileges granted this role. + // Get the name of the role to use in error messages. + int32_t length; -char roleName[MAX_DBUSERNAME_LEN + 1]; + char roleName[MAX_DBUSERNAME_LEN + 1]; -Int16 retCode = ComUser::getAuthNameFromAuthID(roleID,roleName, + Int16 retCode = ComUser::getAuthNameFromAuthID(roleID,roleName, sizeof(roleName),length); -// Should not fail, role ID was derived from name provided by user. + // Should not fail, role ID was derived from name provided by user. if (retCode != 0) { std::string errorText("Unable to look up role name for role ID "); @@ -347,25 +349,25 @@ Int16 retCode = ComUser::getAuthNameFromAuthID(roleID,roleName, return true; } -// For each owned object, get the objects that the owned objects reference. -// Determine if the user has the requisite privilege on each of the -// referenced objects if the privileges granted to the role are not included. -// If the user has the privilege (either directly or through another role), -// move on to the next referenced object, and then on to the next owned object. -// If any dependency on a privilege granted to this role is found, it is an -// error if the behavior is restrict. For cascade (not yet supported), the -// dependent object is automatically dropped. - -// For each referenced object, get privileges the user has on that object -// either directly or by another role granted to the user, but exclude -// any privileges from the role being revoked. The first part of the query -// can be built once, and the object UID for each referenced object added -// within the loop. -// -// WHERE (GRANTEE_ID = -1 OR GRANTEE_ID = userID OR -// GRANTEE_ID IN (SELECT ROLE_ID FROM ROLE_USAGE WHERE GRANTEE_ID = userID)) AND -// GRANTEE_ID <> roleID AND OBJECT_UID = objectUID; -std::string whereClauseHeader(" WHERE (GRANTEE_ID = -1 OR GRANTEE_ID = "); + // For each owned object, get the objects that the owned objects reference. + // Determine if the user has the requisite privilege on each of the + // referenced objects if the privileges granted to the role are not included. + // If the user has the privilege (either directly or through another role), + // move on to the next referenced object, and then on to the next owned object. + // If any dependency on a privilege granted to this role is found, it is an + // error if the behavior is restrict. For cascade (not yet supported), the + // dependent object is automatically dropped. + + // For each referenced object, get privileges the user has on that object + // either directly or by another role granted to the user, but exclude + // any privileges from the role being revoked. The first part of the query + // can be built once, and the object UID for each referenced object added + // within the loop. + // + // WHERE (GRANTEE_ID = -1 OR GRANTEE_ID = userID OR + // GRANTEE_ID IN (SELECT ROLE_ID FROM ROLE_USAGE WHERE GRANTEE_ID = userID)) AND + // GRANTEE_ID <> roleID AND OBJECT_UID = objectUID; + std::string whereClauseHeader(" WHERE (GRANTEE_ID = -1 OR GRANTEE_ID = "); whereClauseHeader += authIDToString(userID); whereClauseHeader += " OR GRANTEE_ID IN (SELECT RU.ROLE_ID FROM "; @@ -376,12 +378,12 @@ std::string whereClauseHeader(" WHERE (GRANTEE_ID = -1 OR GRANTEE_ID = "); whereClauseHeader += authIDToString(roleID); whereClauseHeader += " AND OBJECT_UID = "; -//TODO: When support is added for schema and column privileges, will need to -// check those privileges as well. + //TODO: When support is added for schema and column privileges, will need to + // check those privileges as well. -// Assume no dependencies exist. -bool dependencyFound = false; -PrivMgrMDAdmin admin(trafMetadataLocation_,metadataLocation_,pDiags_); + // Assume no dependencies exist. + bool dependencyFound = false; + PrivMgrMDAdmin admin(trafMetadataLocation_,metadataLocation_,pDiags_); for (size_t u3 = 0; u3 < ownedUIDandTypes.size(); u3++) { http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/db14e392/core/sql/ustat/hs_globals.cpp ---------------------------------------------------------------------- diff --git a/core/sql/ustat/hs_globals.cpp b/core/sql/ustat/hs_globals.cpp index df0594c..91c7bbf 100644 --- a/core/sql/ustat/hs_globals.cpp +++ b/core/sql/ustat/hs_globals.cpp @@ -3521,7 +3521,7 @@ NABoolean HSGlobalsClass::isAuthorized(NABoolean isShowStats) // no privilege support available for hbase and hive tables HS_ASSERT (objDef->getNATable()); - if (CmpSeabaseDDL::isHbase(objDef->getCatName()) || isHiveCat(objDef->getCatName())) + if (CmpSeabaseDDL::isHbase(objDef->getCatName())) return TRUE; // Let keep track of how long authorization takes