Repository: trafodion Updated Branches: refs/heads/master 659f59a13 -> 8e38189d4
http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp index a620624..cd785f6 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp @@ -12540,23 +12540,20 @@ ComTdbVirtTablePrivInfo * CmpSeabaseDDL::getSeabasePrivInfo( // Summarize privileges for object PrivStatus privStatus = STATUS_GOOD; - std::vector<PrivMgrDesc> privDescs; + ComTdbVirtTablePrivInfo *privInfo = new (heap_) ComTdbVirtTablePrivInfo(); + privInfo->privmgr_desc_list = new (STMTHEAP) PrivMgrDescList(STMTHEAP); + + // Summarize privileges for object PrivMgrCommands command(std::string(MDLoc.data()), std::string(privMgrMDLoc.data()), CmpCommon::diags()); - if (command.getPrivileges(objUID, objType, privDescs) != STATUS_GOOD) + if (command.getPrivileges(objUID, objType, + *privInfo->privmgr_desc_list) != STATUS_GOOD) { *CmpCommon::diags() << DgSqlCode(-CAT_UNABLE_TO_RETRIEVE_PRIVS); return NULL; } - ComTdbVirtTablePrivInfo *privInfo = new (STMTHEAP) ComTdbVirtTablePrivInfo(); - - // PrivMgrDesc operator= is a deep copy - privInfo->privmgr_desc_list = new (STMTHEAP) NAList<PrivMgrDesc>(STMTHEAP); - for (size_t i = 0; i < privDescs.size(); i++) - privInfo->privmgr_desc_list->insert(privDescs[i]); - return privInfo; } http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgr.cpp b/core/sql/sqlcomp/PrivMgr.cpp index 0a5f265..2429b9d 100644 --- a/core/sql/sqlcomp/PrivMgr.cpp +++ b/core/sql/sqlcomp/PrivMgr.cpp @@ -36,6 +36,7 @@ #include "PrivMgrComponentOperations.h" #include "PrivMgrComponentPrivileges.h" #include "PrivMgrPrivileges.h" +#include "PrivMgrRoles.h" // Trafodion includes #include "ComDistribution.h" @@ -154,6 +155,42 @@ PrivMgr::~PrivMgr() resetFlags(); } +// ***************************************************************************** +// * Method: getGranteeIDsForRoleIDs +// * +// * Returns the grantees assigned to the passed in roles +// * role list +// * +// * Parameters: +// * +// * <roleIDs> list of roles to check +// * <granteeIDs> passed back the list (potentially empty) of users granted to +// * the roleIDs +// * +// * Returns: PrivStatus +// * +// * STATUS_GOOD: Role list returned +// * *: Unable to fetch granted roles, see diags. +// * +// ***************************************************************************** +PrivStatus PrivMgr::getGranteeIDsForRoleIDs( + const std::vector<int32_t> & roleIDs, + std::vector<int32_t> & granteeIDs, + bool includeSysGrantor) +{ + std::vector<int32_t> granteeIDsForRoleIDs; + PrivMgrRoles roles(" ",metadataLocation_,pDiags_); + if (roles.fetchGranteesForRoles(roleIDs, granteeIDsForRoleIDs, includeSysGrantor) == STATUS_ERROR) + return STATUS_ERROR; + for (size_t i = 0; i < granteeIDsForRoleIDs.size(); i++) + { + int32_t authID = granteeIDsForRoleIDs[i]; + if (std::find(granteeIDs.begin(), granteeIDs.end(), authID) == granteeIDs.end()) + granteeIDs.insert( std::upper_bound( granteeIDs.begin(), granteeIDs.end(), authID ), authID); + } + return STATUS_GOOD; +} + // ---------------------------------------------------------------------------- // method: authorizationEnabled // http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgr.h b/core/sql/sqlcomp/PrivMgr.h index fd6b8bd..0cd52ce 100644 --- a/core/sql/sqlcomp/PrivMgr.h +++ b/core/sql/sqlcomp/PrivMgr.h @@ -168,6 +168,11 @@ class PrivMgr // ------------------------------------------------------------------- // Accessors and destructors: // ------------------------------------------------------------------- + PrivStatus getGranteeIDsForRoleIDs( + const std::vector<int32_t> & roleIDs, + std::vector<int32_t> & userIDs, + bool includeSysGrantor = true); + inline std::string getMetadataLocation (void) {return metadataLocation_;} inline const std::string & getMetadataLocation (void) const {return metadataLocation_;} inline std::string getTrafMetadataLocation (void) {return trafMetadataLocation_;} http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrCommands.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrCommands.cpp b/core/sql/sqlcomp/PrivMgrCommands.cpp index 499f544..b80b77c 100644 --- a/core/sql/sqlcomp/PrivMgrCommands.cpp +++ b/core/sql/sqlcomp/PrivMgrCommands.cpp @@ -41,6 +41,7 @@ #include "PrivMgrRoles.h" #include "ComSecurityKey.h" #include "ComUser.h" +#include "CmpSeabaseDDL.h" #include <cstdio> #include <algorithm> @@ -396,9 +397,10 @@ PrivStatus PrivMgrCommands::getPrivileges( NATable *naTable, const int32_t userID, PrivMgrUserPrivs &userPrivs, - std::vector <ComSecurityKey *>* secKeySet) + ComSecurityKeySet *secKeySet) { PrivMgrDesc privsOfTheUser; + PrivStatus retcode = STATUS_GOOD; // authorization is not enabled, return bitmaps with all bits set // With all bits set, privilege checks will always succeed @@ -409,35 +411,60 @@ PrivStatus PrivMgrCommands::getPrivileges( return STATUS_GOOD; } - // if a hive table and does not have an external table and is not - // registered in traf metadata, assume no privs - if ((naTable->isHiveTable()) && - (NOT naTable->isRegistered()) && - (!naTable->hasExternalTable())) + // if a native table that is not registered nor has an external table + // assume no privs. No privileges, so no security keys are required + else if ((naTable->isHiveTable() || + naTable->isHbaseCellTable() || + naTable->isHbaseRowTable()) && + (!naTable->isRegistered() && !naTable->hasExternalTable())) { PrivMgrDesc emptyDesc; userPrivs.initUserPrivs(emptyDesc); } - // if an hbase table and is not registered, assume no privs - else if ((naTable->isHbaseCellTable() || naTable->isHbaseRowTable()) && - (!naTable->hasExternalTable() && !naTable->isRegistered())) - { - PrivMgrDesc emptyDesc; - userPrivs.initUserPrivs(emptyDesc); - } + // Check for privileges defined in Trafodion metadata else { - PrivMgrPrivileges objectPrivs (metadataLocation_, pDiags_); - PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser((int64_t)naTable->objectUid().get_value(), - naTable->getObjectType(), - userID, - privsOfTheUser, - secKeySet); - if (retcode != STATUS_GOOD) - return retcode; + int64_t objectUID = (int64_t)naTable->objectUid().get_value(); - userPrivs.initUserPrivs(privsOfTheUser); + // If we are not storing privileges for the object in NATable, go read MD + if (naTable->getPrivDescs() == NULL) + { + PrivMgrPrivileges objectPrivs (metadataLocation_, pDiags_); + retcode = objectPrivs.getPrivsOnObjectForUser(objectUID, + naTable->getObjectType(), + userID, + privsOfTheUser); + if (retcode != STATUS_GOOD) + return retcode; + + userPrivs.initUserPrivs(privsOfTheUser); + + if (secKeySet != NULL) + { + // The PrivMgrDescList destructor deletes memory + PrivMgrDescList descList(naTable->getHeap()); + PrivMgrDesc *tableDesc = new (naTable->getHeap()) PrivMgrDesc(privsOfTheUser); + descList.insert(tableDesc); + if (!userPrivs.setPrivInfoAndKeys(descList, userID, objectUID, secKeySet)) + { + SEABASEDDL_INTERNAL_ERROR("Could not create security keys"); + return STATUS_ERROR; + } + } + } + + // generate privileges from the stored desc list + else + { + NAList<int32_t> roleIDs (naTable->getHeap()); + if (ComUser::getCurrentUserRoles(roleIDs) != 0) + return STATUS_ERROR; + + if (userPrivs.initUserPrivs(roleIDs, naTable->getPrivDescs(), + userID, objectUID, secKeySet) == STATUS_ERROR) + return retcode; + } } return STATUS_GOOD; @@ -464,15 +491,26 @@ PrivStatus PrivMgrCommands::getPrivileges( PrivStatus PrivMgrCommands::getPrivileges( const int64_t objectUID, ComObjectType objectType, - std::vector <PrivMgrDesc > &privDescs) + PrivMgrDescList &privDescs) { - // If authorization is enabled, go get privilege bitmaps from metadata + PrivStatus retcode = STATUS_GOOD; if (authorizationEnabled()) { + std::vector<PrivMgrDesc> privDescList; + PrivMgrPrivileges privInfo (objectUID, metadataLocation_, pDiags_); - return privInfo.getPrivsOnObject(objectType, privDescs); + retcode = privInfo.getPrivsOnObject(objectType, privDescList); + if (retcode == STATUS_ERROR) + return STATUS_ERROR; + + // copy privDescList to privDescs + for (size_t i = 0; i < privDescList.size(); i++) + { + PrivMgrDesc *desc = new (privDescs.getHeap()) PrivMgrDesc(privDescList[i]); + privDescs.insert(desc); + } } - return STATUS_GOOD; + return retcode; } @@ -496,8 +534,7 @@ PrivStatus PrivMgrCommands::getPrivileges( const int64_t objectUID, ComObjectType objectType, const int32_t userID, - PrivMgrUserPrivs &userPrivs, - std::vector <ComSecurityKey *>* secKeySet) + PrivMgrUserPrivs &userPrivs) { PrivMgrDesc privsOfTheUser; @@ -508,8 +545,7 @@ PrivStatus PrivMgrCommands::getPrivileges( PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser(objectUID, objectType, userID, - privsOfTheUser, - secKeySet); + privsOfTheUser); if (retcode != STATUS_GOOD) return retcode; } @@ -524,34 +560,6 @@ PrivStatus PrivMgrCommands::getPrivileges( return STATUS_GOOD; } -// ---------------------------------------------------------------------------- -// method: getRoles -// -// Returns roleIDs for the grantee. -// -// <granteeID> the authorization ID to obtain roles for -// <roleIDs> is the returned list of roles -// -// Returns: PrivStatus -// -// STATUS_GOOD: role list was built -// *: unexpected error occurred, see diags. -// ---------------------------------------------------------------------------- -PrivStatus PrivMgrCommands::getRoles( - const int32_t granteeID, - std::vector <int32_t > &roleIDs) -{ - // If authorization is not enabled, return - if (!authorizationEnabled()) - return STATUS_GOOD; - - PrivMgrRoles roles(" ",metadataLocation_,pDiags_); - std::vector<std::string> roleNames; - std::vector<int32_t> roleDepths; - - return roles.fetchRolesForUser(granteeID,roleNames,roleIDs,roleDepths); -} - // ***************************************************************************** // * * // * Function: PrivMgrCommands::getPrivRowsForObject * http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrCommands.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrCommands.h b/core/sql/sqlcomp/PrivMgrCommands.h index 312cbab..e5275b6 100644 --- a/core/sql/sqlcomp/PrivMgrCommands.h +++ b/core/sql/sqlcomp/PrivMgrCommands.h @@ -119,28 +119,23 @@ public: NATable *naTable, const int32_t granteeUID, PrivMgrUserPrivs &userPrivileges, - std::vector <ComSecurityKey *>* secKeySet = NULL); + NASet<ComSecurityKey> *secKeySet = NULL); PrivStatus getPrivileges( const int64_t objectUID, ComObjectType objectType, - std::vector<PrivMgrDesc> &userPrivileges); - + PrivMgrDescList &userPrivileges); + PrivStatus getPrivileges( const int64_t objectUID, ComObjectType objectType, const int32_t granteeUID, - PrivMgrUserPrivs &userPrivileges, - std::vector <ComSecurityKey *>* secKeySet = NULL); - + PrivMgrUserPrivs &userPrivileges); + PrivStatus getPrivRowsForObject( const int64_t objectUID, std::vector<ObjectPrivsRow> & objectPrivsRows); - PrivStatus getRoles( - const int32_t grantee, - std::vector<int32_t> &roleIDs); - PrivStatus givePrivForObjects( const int32_t currentOwnerID, const int32_t newOwnerID, http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp index 257a123..9c85ffe 100644 --- a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp +++ b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp @@ -1299,11 +1299,13 @@ std::string whereClause(" WHERE COMPONENT_UID = 1 AND (OPERATION_CODE = '"); std::vector<std::string> roleNames; std::vector<int32_t> roleIDs; std::vector<int32_t> grantDepths; + std::vector<int32_t> grantees; PrivMgrRoles roles(" ",metadataLocation_,pDiags_); - PrivStatus privStatus = roles.fetchRolesForUser(authID,roleNames, - roleIDs,grantDepths); + PrivStatus privStatus = roles.fetchRolesForAuth(authID,roleNames, + roleIDs,grantDepths, + grantees); for (size_t r = 0; r < roleIDs.size(); r++) { @@ -1379,11 +1381,13 @@ bool PrivMgrComponentPrivileges::hasWGO( std::vector<std::string> roleNames; std::vector<int32_t> roleIDs; std::vector<int32_t> grantDepths; + std::vector<int32_t> grantees; PrivMgrRoles roles(" ",metadataLocation_,pDiags_); - if (roles.fetchRolesForUser(authID,roleNames, - roleIDs,grantDepths) == STATUS_ERROR) + if (roles.fetchRolesForAuth(authID,roleNames, + roleIDs,grantDepths, + grantees) == STATUS_ERROR) return false; MyTable &myTable = static_cast<MyTable &>(myTable_); http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrDesc.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrDesc.cpp b/core/sql/sqlcomp/PrivMgrDesc.cpp index 6a41978..3cfaf72 100644 --- a/core/sql/sqlcomp/PrivMgrDesc.cpp +++ b/core/sql/sqlcomp/PrivMgrDesc.cpp @@ -483,3 +483,4 @@ bool PrivMgrDesc::limitToGrantable( const PrivMgrDesc& other ) return result; } + http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrDesc.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrDesc.h b/core/sql/sqlcomp/PrivMgrDesc.h index 0ff26af..d0e94d4 100644 --- a/core/sql/sqlcomp/PrivMgrDesc.h +++ b/core/sql/sqlcomp/PrivMgrDesc.h @@ -580,6 +580,36 @@ private: }; +/* ******************************************************************* + * Class PrivMgrDescList -- A list of PrivMgrDesc pointers + * ****************************************************************** */ + +class PrivMgrDescList : public LIST(PrivMgrDesc *) +{ + public: + + // constructor + PrivMgrDescList(CollHeap *heap) + : LIST(PrivMgrDesc *)(heap), + heap_(heap) + {} + + // virtual destructor + virtual ~PrivMgrDescList() + { + for (CollIndex i = 0; i < entries(); i++) + NADELETE(operator[](i), PrivMgrDesc, heap_); + clear(); + } + + CollHeap *getHeap() { return heap_; } + + private: + + CollHeap *heap_; + +}; // class PrivMgrDescList + #endif // PRIVMGR_DESC_H http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrPrivileges.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.cpp b/core/sql/sqlcomp/PrivMgrPrivileges.cpp index fe2c8d1..1e85905 100644 --- a/core/sql/sqlcomp/PrivMgrPrivileges.cpp +++ b/core/sql/sqlcomp/PrivMgrPrivileges.cpp @@ -462,59 +462,6 @@ PrivMgrPrivileges::~PrivMgrPrivileges() } // ***************************************************************************** -// * Method: buildSecurityKeys -// * -// * Builds security keys for the current object and specified user. -// * -// * Parameters: -// * -// * <granteeID> is the unique identifier for the grantee -// * <privs> is the list of privileges the user has on the object -// * <secKeySet> is the set of security keys to be passed back. Caller is -// * responsible for freeing keys. -// * -// * Returns: PrivStatus -// * -// * STATUS_GOOD: Security keys were built -// * *: Security keys were not built, see diags. -// * -// ***************************************************************************** -PrivStatus PrivMgrPrivileges::buildSecurityKeys( - const int32_t granteeID, - const PrivMgrCoreDesc &privs, - std::vector <ComSecurityKey *> & secKeySet) -{ - if (privs.isNull()) - return STATUS_GOOD; - - // Only need to generate keys for DML privileges - for ( size_t i = FIRST_DML_PRIV; i <= LAST_DML_PRIV; i++ ) - { - if ( privs.getPriv(PrivType(i))) - { - ComSecurityKey *key = NULL; - if (ComUser::isPublicUserID(granteeID)) - key = new ComSecurityKey(granteeID, - ComSecurityKey::OBJECT_IS_SPECIAL_ROLE); - else - key = new ComSecurityKey(granteeID, - objectUID_, - PrivType(i), - ComSecurityKey::OBJECT_IS_OBJECT); - if (key->isValid()) - secKeySet.push_back(key); - else - { - PRIVMGR_INTERNAL_ERROR("ComSecurityKey is null"); - return STATUS_ERROR; - } - } - } - - return STATUS_GOOD; -} - -// ***************************************************************************** // * Method: getPrivsOnObject // * // * Creates a set of priv descriptors for all user grantees on an object @@ -571,7 +518,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObject ( // getUserPrivs returns object and column privileges summarized across all // grantors. Just get direct grants to the user (role list is empty) if (getUserPrivs(objectType, userID, emptyRoleIDs, privsOfTheUser, - hasManagePrivileges, NULL ) != STATUS_GOOD) + hasManagePrivileges) != STATUS_GOOD) return STATUS_ERROR; if (!privsOfTheUser.isNull()) @@ -590,7 +537,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObject ( // getUserPrivs returns object and column privileges summarized across // all grantors. if (getUserPrivs(objectType, grantee, emptyRoleIDs, privsOfTheUser, - hasManagePrivileges, NULL ) != STATUS_GOOD) + hasManagePrivileges) != STATUS_GOOD) return STATUS_ERROR; if (!privsOfTheUser.isNull()) @@ -1760,7 +1707,7 @@ PrivStatus PrivMgrPrivileges::initGrantRevoke( // get column and object privileges across all grantors bool hasManagePrivileges; retcode = getUserPrivs(objectType, grantorID_, roleIDs, privsOfTheGrantor, - hasManagePrivileges, NULL ); + hasManagePrivileges); if (retcode != STATUS_GOOD) return retcode; @@ -3185,11 +3132,8 @@ PrivStatus PrivMgrPrivileges::revokeColumnPriv( revokedPrivs |= adjustedPrivs.getPrivBitmap(); } else - { - // The row should exist in "grantedColPrivs" - PRIVMGR_INTERNAL_ERROR("Column privilege not found to revoke"); - return STATUS_ERROR; - } + // if column not exist, just continue (ComDiags contains a warning) + continue; if (deleteRow) @@ -3646,8 +3590,9 @@ void PrivMgrPrivileges::scanObjectBranch( const PrivType pType, // in std::vector<int32_t> roleIDs; std::vector<int32_t> userIDs; roleIDs.push_back(thisGrantee); - if (getUserIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR) + if (getGranteeIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR) return; + for (size_t j = 0; j < userIDs.size(); j++) { granteeAsGrantor = userIDs[j]; @@ -3913,7 +3858,7 @@ void PrivMgrPrivileges::scanColumnBranch( const PrivType pType, std::vector<int32_t> roleIDs; std::vector<int32_t> userIDs; roleIDs.push_back(thisGrantee); - if (getUserIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR) + if (getGranteeIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR) return; for (size_t j = 0; j < userIDs.size(); j++) { @@ -4004,53 +3949,68 @@ PrivStatus PrivMgrPrivileges::sendSecurityKeysToRMS( const int32_t granteeID, const PrivMgrDesc &revokedPrivs) { + NAList<int32_t> roleGrantees (STMTHEAP); + + // If the privilege is revoked from a role, then need to generate QI keys for + // the users associated with the role. + if (PrivMgr::isRoleID(granteeID)) + { + // Get users granted to role (granteeID) + std::vector<int32_t> roleID; + roleID.push_back(granteeID); + std::vector<int32_t> granteeIDs; + if (getGranteeIDsForRoleIDs(roleID, granteeIDs, false) == STATUS_ERROR) + return STATUS_ERROR; + + for (size_t g = 0; g < granteeIDs.size(); g++) + roleGrantees.insert(granteeIDs[g]); + } + else + roleGrantees.insert(grantorID_); + // Go through the list of table privileges and generate SQL_QIKEYs - std::vector<ComSecurityKey *> keyList; + ComSecurityKeySet keyList(NULL); const PrivMgrCoreDesc &privs = revokedPrivs.getTablePrivs(); - PrivStatus privStatus = buildSecurityKeys(granteeID, - revokedPrivs.getTablePrivs(), - keyList); - if (privStatus != STATUS_GOOD) + if (!buildSecurityKeys(roleGrantees, + granteeID, + objectUID_, + false, /* isColumn */ + revokedPrivs.getTablePrivs(), + keyList)) { - for(size_t k = 0; k < keyList.size(); k++) - delete keyList[k]; - keyList.clear(); - return privStatus; + PRIVMGR_INTERNAL_ERROR("ComSecurityKey is null"); + return STATUS_ERROR; } + for (int i = 0; i < revokedPrivs.getColumnPrivs().entries(); i++) { const NAList<PrivMgrCoreDesc> &columnPrivs = revokedPrivs.getColumnPrivs(); - privStatus = buildSecurityKeys(granteeID, - columnPrivs[i], - keyList); - if (privStatus != STATUS_GOOD) + if (!buildSecurityKeys(roleGrantees, + granteeID, + objectUID_, + true, /* isColumn */ + columnPrivs[i], + keyList)) { - for(size_t k = 0; k < keyList.size(); k++) - delete keyList[k]; - keyList.clear(); - return privStatus; + PRIVMGR_INTERNAL_ERROR("ComSecurityKey is null"); + return STATUS_ERROR; } } - + // Create an array of SQL_QIKEYs - int32_t numKeys = keyList.size(); + int32_t numKeys = keyList.entries(); SQL_QIKEY siKeyList[numKeys]; - for (size_t j = 0; j < keyList.size(); j++) + for (size_t j = 0; j < numKeys; j++) { - ComSecurityKey *pKey = keyList[j]; - siKeyList[j].revokeKey.subject = pKey->getSubjectHashValue(); - siKeyList[j].revokeKey.object = pKey->getObjectHashValue(); + ComSecurityKey key = keyList[j]; + siKeyList[j].revokeKey.subject = key.getSubjectHashValue(); + siKeyList[j].revokeKey.object = key.getObjectHashValue(); std::string actionString; - pKey->getSecurityKeyTypeAsLit(actionString); + key.getSecurityKeyTypeAsLit(actionString); strncpy(siKeyList[j].operation, actionString.c_str(), 2); } - // delete the security list - for(size_t k = 0; k < keyList.size(); k++) - delete keyList[k]; - keyList.clear(); - // Call the CLI to send details to RMS SQL_EXEC_SetSecInvalidKeys(numKeys, siKeyList); @@ -4209,8 +4169,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObjectForUser( const int64_t objectUID, ComObjectType objectType, const int32_t userID, - PrivMgrDesc &privsOfTheUser, - std::vector <ComSecurityKey *>* secKeySet) + PrivMgrDesc &privsOfTheUser) { PrivStatus retcode = STATUS_GOOD; @@ -4239,7 +4198,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObjectForUser( bool hasManagePrivileges = false; retcode = getUserPrivs(objectType, userID, roleIDs, privsOfTheUser, - hasManagePrivileges, secKeySet); + hasManagePrivileges); return retcode; } @@ -4272,48 +4231,14 @@ PrivStatus retcode = STATUS_GOOD; PrivMgrRoles roles(" ",metadataLocation_,pDiags_); std::vector<std::string> roleNames; std::vector<int32_t> roleDepths; +std::vector<int32_t> grantees; - retcode = roles.fetchRolesForUser(userID,roleNames,roleIDs,roleDepths); + retcode = roles.fetchRolesForAuth(userID,roleNames,roleIDs,roleDepths,grantees); return retcode; } //*************** End of PrivMgrPrivileges::getRoleIDsForUserID **************** // ***************************************************************************** -// * Method: getUserIDsForRoleIDs -// * -// * Returns the userIDs granted to the role passed in role list -// * -// * Parameters: -// * -// * <roleIDs> list of roles to check -// * <userIDs> passed back the list (potentially empty) of users granted to -// * the roleIDs -// * -// * Returns: PrivStatus -// * -// * STATUS_GOOD: Role list returned -// * *: Unable to fetch granted roles, see diags. -// * -// ***************************************************************************** -PrivStatus PrivMgrPrivileges::getUserIDsForRoleIDs( - const std::vector<int32_t> & roleIDs, - std::vector<int32_t> & userIDs) -{ - std::vector<int32_t> userIDsForRoleIDs; - PrivMgrRoles roles(" ",metadataLocation_,pDiags_); - if (roles.fetchUsersForRoles(roleIDs, userIDsForRoleIDs) == STATUS_ERROR) - return STATUS_ERROR; - - for (size_t i = 0; i < userIDsForRoleIDs.size(); i++) - { - int32_t authID = userIDsForRoleIDs[i]; - if (std::find(userIDs.begin(), userIDs.end(), authID) == userIDs.end()) - userIDs.insert( std::upper_bound( userIDs.begin(), userIDs.end(), authID ), authID); - } - return STATUS_GOOD; -} - -// ***************************************************************************** // * Method: getUserPrivs // * // * Accumulates privileges for a user summarized over all grantors @@ -4326,7 +4251,6 @@ PrivStatus PrivMgrPrivileges::getUserIDsForRoleIDs( // * <roleIDs> specifies a list of roles granted to the grantee // * <summarizedPrivs> contains the summarized privileges // * <hasManagePrivileges> returns whether the grantee has MANAGE_PRIVILEGES authority -// * <secKeySet> if not NULL, returns a set of keys for user // * // * Returns: PrivStatus // * @@ -4339,8 +4263,7 @@ PrivStatus PrivMgrPrivileges::getUserPrivs( const int32_t granteeID, const std::vector<int32_t> & roleIDs, PrivMgrDesc &summarizedPrivs, - bool & hasManagePrivileges, - std::vector<ComSecurityKey *>* secKeySet + bool & hasManagePrivileges ) { PrivStatus retcode = STATUS_GOOD; @@ -4351,8 +4274,7 @@ PrivStatus PrivMgrPrivileges::getUserPrivs( granteeID, roleIDs, temp, - hasManagePrivileges, - secKeySet + hasManagePrivileges ); if (retcode != STATUS_GOOD) return retcode; @@ -4390,8 +4312,7 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( const int32_t granteeID, const std::vector<int32_t> & roleIDs, PrivMgrDesc &summarizedPrivs, - bool & hasManagePrivPriv, - std::vector <ComSecurityKey *>* secKeySet + bool & hasManagePrivPriv ) { PrivStatus retcode = STATUS_GOOD; @@ -4429,7 +4350,7 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( // Accumulate object level privileges else { - retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList, secKeySet); + retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList); if (retcode == STATUS_ERROR) return retcode; @@ -4443,15 +4364,6 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( hasPublicGrantee = true; PrivMgrCoreDesc temp (row.privsBitmap_, row.grantableBitmap_); - if (secKeySet) - { - retcode = buildSecurityKeys(granteeID, - temp, - *secKeySet); - if (retcode == STATUS_ERROR) - return retcode; - } - coreTablePrivs.unionOfPrivs(temp); } @@ -4468,7 +4380,7 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( // Add accumulated column level privileges rowList.clear(); - retcode = getRowsForGrantee(objectUID, granteeID, false, roleIDs, rowList, secKeySet); + retcode = getRowsForGrantee(objectUID, granteeID, false, roleIDs, rowList); if (retcode == STATUS_ERROR) return retcode; @@ -4483,15 +4395,6 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( // See if the ordinal has already been specified PrivMgrCoreDesc temp (row.privsBitmap_, row.grantableBitmap_, row.columnOrdinal_); - if (secKeySet) - { - retcode = buildSecurityKeys(granteeID, - temp, - *secKeySet); - if (retcode == STATUS_ERROR) - return retcode; - } - PrivMgrCoreDesc *coreColumnPriv = findColumnEntry(coreColumnPrivs, row.columnOrdinal_); if (coreColumnPriv) coreColumnPriv->unionOfPrivs(temp); @@ -4576,8 +4479,7 @@ PrivStatus PrivMgrPrivileges::getRowsForGrantee( const int32_t granteeID, const bool isObjectTable, const std::vector<int_32> &roleIDs, - std::vector<PrivMgrMDRow *> &rowList, - std::vector <ComSecurityKey *>* secKeySet) + std::vector<PrivMgrMDRow *> &rowList) { PrivStatus retcode = STATUS_GOOD; @@ -4747,7 +4649,7 @@ PrivStatus PrivMgrPrivileges::summarizeCurrentAndOriginalPrivs( // get OBJECT_PRIVILEGES rows where the grantee has received privileges std::vector<PrivMgrMDRow *> rowList; - retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList, NULL); + retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList); // rowList contains the original privileges, // listOfChangedPrivs contains any updates to privileges http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrPrivileges.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.h b/core/sql/sqlcomp/PrivMgrPrivileges.h index e0597a2..5b687a6 100644 --- a/core/sql/sqlcomp/PrivMgrPrivileges.h +++ b/core/sql/sqlcomp/PrivMgrPrivileges.h @@ -110,11 +110,6 @@ public: // ------------------------------------------------------------------- // Public functions: // ------------------------------------------------------------------- - PrivStatus buildSecurityKeys( - const int32_t granteeID, - const PrivMgrCoreDesc &privs, - std::vector <ComSecurityKey *> & secKeySet); - PrivStatus getGrantorDetailsForObject( const bool isGrantedBySpecified, const std::string grantedByName, @@ -135,8 +130,7 @@ public: const int64_t objectUID, ComObjectType objectType, const int32_t userID, - PrivMgrDesc &privsForTheUser, - std::vector <ComSecurityKey *>* secKeySet); + PrivMgrDesc &privsForTheUser); PrivStatus getPrivRowsForObject( const int64_t objectUID, @@ -243,8 +237,7 @@ protected: const int32_t grantee, const std::vector<int32_t> & roleIDs, PrivMgrDesc &privs, - bool & hasManagePrivileges, - std::vector <ComSecurityKey *>* secKeySet = NULL + bool & hasManagePrivileges ); PrivStatus getUserPrivs( @@ -252,8 +245,7 @@ protected: const int32_t grantee, const std::vector<int32_t> & roleIDs, PrivMgrDesc &privs, - bool & hasManagePrivileges, - std::vector <ComSecurityKey *>* secKeySet = NULL + bool & hasManagePrivileges ); private: @@ -359,17 +351,12 @@ private: const int32_t granteeID, const bool isObjectTable, const std::vector<int32_t> & roleIDs, - std::vector<PrivMgrMDRow *> &rowList, - std::vector <ComSecurityKey *>* secKeySet); + std::vector<PrivMgrMDRow *> &rowList); void getTreeOfGrantors( const int32_t granteeID, std::set<int32_t> &listOfGrantors); - PrivStatus getUserIDsForRoleIDs( - const std::vector<int32_t> & roleIDs, - std::vector<int32_t> & userIDs); - PrivStatus givePriv( const int32_t currentOwnerID, const int32_t newOwnerID, http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrRoles.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrRoles.cpp b/core/sql/sqlcomp/PrivMgrRoles.cpp index 882ce93..64644d4 100644 --- a/core/sql/sqlcomp/PrivMgrRoles.cpp +++ b/core/sql/sqlcomp/PrivMgrRoles.cpp @@ -580,7 +580,7 @@ bool PrivMgrRoles::dependentObjectsExist( // ***************************************************************************** // * * -// * Function: PrivMgrRoles::fetchRolesForUser * +// * Function: PrivMgrRoles::fetchRolesForAuth * // * * // * Returns all unique roles granted to an authorization ID. If a role is * // * granted more than once, it is only returned one time. If one or more of * @@ -615,24 +615,22 @@ bool PrivMgrRoles::dependentObjectsExist( // * error. The error is put into the diags area. * // * * // ***************************************************************************** -PrivStatus PrivMgrRoles::fetchRolesForUser( +PrivStatus PrivMgrRoles::fetchRolesForAuth( const int32_t authID, std::vector<std::string> & roleNames, std::vector<int32_t> & roleIDs, - std::vector<int32_t> & grantDepths) - + std::vector<int32_t> & grantDepths, + std::vector<int32_t> & grantees) { - -std::string whereClause(" WHERE GRANTEE_ID = "); - + std::string whereClause(" WHERE GRANTEE_ID = "); whereClause += authIDToString(authID); - -std::vector<MyRow> rows; -MyTable &myTable = static_cast<MyTable &>(myTable_); -std::string orderByClause(" ORDER BY ROLE_ID"); + std::vector<MyRow> rows; + MyTable &myTable = static_cast<MyTable &>(myTable_); -PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows); + std::string orderByClause(" ORDER BY ROLE_ID"); + + PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows); if (privStatus != STATUS_GOOD && privStatus != STATUS_WARNING) return privStatus; @@ -641,28 +639,24 @@ PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows); { MyRow &row = rows[r]; - if (hasValue(roleIDs,row.roleID_)) + if (hasValue(roleIDs,row.roleID_) && + hasValue(grantees, row.granteeID_)) { if (grantDepths.back() == 0) grantDepths.back() = row.grantDepth_; continue; } - roleNames.push_back(row.granteeName_); + roleNames.push_back(row.roleName_); roleIDs.push_back(row.roleID_); + grantees.push_back(row.granteeID_); grantDepths.push_back(row.grantDepth_); } return STATUS_GOOD; - } -//****************** End of PrivMgrRoles::fetchRolesForUser ******************** +//****************** End of PrivMgrRoles::fetchRolesForAuth ******************** + -// ***************************************************************************** -// * * -// * Function: PrivMgrRoles::fetchUsersForRole * -// * * -// * Returns all grantees of a role. * -// * * // ***************************************************************************** // * * // * Parameters: * @@ -688,45 +682,42 @@ PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows); // * A CLI error is put into the diags area. * // * * // ***************************************************************************** -PrivStatus PrivMgrRoles::fetchUsersForRole( + +PrivStatus PrivMgrRoles::fetchGranteesForRole( const int32_t roleID, std::vector<std::string> & granteeNames, std::vector<int32_t> & grantorIDs, std::vector<int32_t> & grantDepths) - { + std::string whereClause(" WHERE ROLE_ID = "); + whereClause += authIDToString(roleID); -std::string whereClause(" WHERE ROLE_ID = "); + std::vector<MyRow> rows; + MyTable &myTable = static_cast<MyTable &>(myTable_); - whereClause += authIDToString(roleID); - -std::vector<MyRow> rows; -MyTable &myTable = static_cast<MyTable &>(myTable_); + std::string orderByClause(" ORDER BY GRANTEE_NAME"); -std::string orderByClause(" ORDER BY GRANTEE_NAME"); + PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows); -PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows); - if (privStatus != STATUS_GOOD && privStatus != STATUS_WARNING) return privStatus; - + for (size_t r = 0; r < rows.size(); r++) { MyRow &row = rows[r]; - + granteeNames.push_back(row.granteeName_); grantorIDs.push_back(row.grantorID_); grantDepths.push_back(row.grantDepth_); } return STATUS_GOOD; - } -//****************** End of PrivMgrRoles::fetchUsersForRole ******************** +//**************** End of PrivMgrRoles::fetchGranteesForRole ******************* // ***************************************************************************** // * * -// * Function: PrivMgrRoles::fetchUsersForRoles * +// * Function: PrivMgrRoles::fetchGranteesForRoles * // * * // * Returns all users granted the list of roles * // * * @@ -737,30 +728,34 @@ PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows); // * <roleIDs> const std::vector<int32_t> & In * // * is a list of roles. * // * * -// * <userIDs> std::vector<std::int32_t> & Out * -// * passes back a list of user grantees for the roles. * +// * <granteeIDs> std::vector<std::int32_t> & Out * +// * passes back a list of user and group grantees for the roles. * // * * // ***************************************************************************** // * * // * Returns: PrivStatus * // * * -// * STATUS_GOOD: Zero or more userIDs were returned * +// * STATUS_GOOD: Zero or more granteeIDs were returned * // * *: Grants for roles were not returned due to SQL error. * // * A CLI error is put into the diags area. * // * * // ***************************************************************************** -PrivStatus PrivMgrRoles::fetchUsersForRoles( - const std::vector<int32_t> & userIDs, - std::vector<std::int32_t> & granteeIDs) +PrivStatus PrivMgrRoles::fetchGranteesForRoles( + const std::vector<int32_t> & roleIDs, + std::vector<std::int32_t> & granteeIDs, + bool includeSysGrantor) { std::string whereClause(" WHERE ROLE_ID IN( "); - for (size_t i = 0; i < userIDs.size(); i++) + for (size_t i = 0; i < roleIDs.size(); i++) { if (i > 0) whereClause += ", "; - whereClause += authIDToString(userIDs[i]); + whereClause += authIDToString(roleIDs[i]); } whereClause += ")"; + + if (!includeSysGrantor) + whereClause += " AND GRANTOR_ID <> -2 "; std::string orderByClause(" ORDER BY GRANTEE_ID"); std::vector<MyRow> rows; @@ -775,14 +770,13 @@ PrivStatus PrivMgrRoles::fetchUsersForRoles( MyRow &row = rows[r]; if (CmpSeabaseDDLauth::isUserID(row.granteeID_)) - granteeIDs.push_back(row.granteeID_); + if (row.grantorID_ != SYSTEM_USER) + granteeIDs.push_back(row.granteeID_); } return STATUS_GOOD; } -//****************** End of PrivMgrRoles::fetchUsersForRole ******************** - - +//**************** End of PrivMgrRoles::fetchGranteesForRoles ****************** // ***************************************************************************** // * * http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrRoles.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrRoles.h b/core/sql/sqlcomp/PrivMgrRoles.h index 83a9120..354fb22 100644 --- a/core/sql/sqlcomp/PrivMgrRoles.h +++ b/core/sql/sqlcomp/PrivMgrRoles.h @@ -54,22 +54,24 @@ public: // Public functions: // ------------------------------------------------------------------- - PrivStatus fetchRolesForUser( + PrivStatus fetchRolesForAuth( const int32_t authID, std::vector<std::string> & roleNames, std::vector<int32_t> & roleIDs, - std::vector<int32_t> & grantDepths); - - PrivStatus fetchUsersForRole( + std::vector<int32_t> & grantDepths, + std::vector<int32_t> & grantees); + + PrivStatus fetchGranteesForRole( const int32_t roleID, std::vector<std::string> & granteeNames, std::vector<int32_t> & grantorIDs, std::vector<int32_t> & grantDepths); - - PrivStatus fetchUsersForRoles( + + PrivStatus fetchGranteesForRoles( const std::vector<int32_t> & roleIDs, - std::vector<int32_t> & userIDs); - + std::vector<int32_t> & granteeIDs, + bool includeSysGrantor = true); + PrivStatus grantRole( const std::vector<int32_t> & roleIDs, const std::vector<std::string> & roleNames, http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrUserPrivs.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrUserPrivs.cpp b/core/sql/sqlcomp/PrivMgrUserPrivs.cpp index fcdf247..af07694 100644 --- a/core/sql/sqlcomp/PrivMgrUserPrivs.cpp +++ b/core/sql/sqlcomp/PrivMgrUserPrivs.cpp @@ -77,82 +77,101 @@ PrivMgrObjectInfo::PrivMgrObjectInfo( // **************************************************************************** // Class: PrivMgrUserPrivs // **************************************************************************** + +// ---------------------------------------------------------------------------- +// method: initUserPrivs +// +// Creates a PrivMgrUserPrivs object from a PrivMgrDescs list +// ---------------------------------------------------------------------------- bool PrivMgrUserPrivs::initUserPrivs( - const std::vector<int32_t> & roleIDs, - const TrafDesc *priv_desc, + const NAList<Int32> & roleIDs, + PrivMgrDescList *privDescs, const int32_t userID, const int64_t objectUID, - ComSecurityKeySet & secKeySet) + ComSecurityKeySet * secKeySet) { hasPublicPriv_ = false; - // generate PrivMgrUserPrivs from the priv_desc structure - TrafDesc *priv_grantees_desc = priv_desc->privDesc()->privGrantees; - NAList<PrivMgrDesc> descList(NULL); - - // Find relevant descs for the user - while (priv_grantees_desc) + // create a subset of PrivDesc containing privs applicable for the userID + PrivMgrDescList userDescList(privDescs->getHeap()); + for ( CollIndex i = 0; i < privDescs->entries(); i++) { - Int32 grantee = priv_grantees_desc->privGranteeDesc()->grantee; + const PrivMgrDesc *privs = privDescs->operator[](i); + Int32 grantee = privs->getGrantee(); bool addDesc = false; - if (grantee == userID) + if (ComUser::isPublicUserID(grantee)) + { + hasPublicPriv_ = true; + addDesc = true; + } + else if (grantee == userID) addDesc = true; - if (PrivMgr::isRoleID(grantee)) + else if (PrivMgr::isRoleID(grantee)) { - if ((std::find(roleIDs.begin(), roleIDs.end(), grantee)) != roleIDs.end()) + Int32 entry; + if (roleIDs.find(grantee, entry)) addDesc = true; } - if (ComUser::isPublicUserID(grantee)) + if (addDesc) { - addDesc = true; - hasPublicPriv_ = true; + PrivMgrDesc *myPrivs = new (userDescList.getHeap()) PrivMgrDesc (*privs); + userDescList.insert(myPrivs); } + } - // Create a list of PrivMgrDesc contain privileges for user, user's roles, - // and public - if (addDesc) - { - TrafDesc *objectPrivs = priv_grantees_desc->privGranteeDesc()->objectBitmap; - - PrivMgrCoreDesc objectDesc(objectPrivs->privBitmapDesc()->privBitmap, - objectPrivs->privBitmapDesc()->privWGOBitmap); - - TrafDesc *priv_grantee_desc = priv_grantees_desc->privGranteeDesc(); - TrafDesc *columnPrivs = priv_grantee_desc->privGranteeDesc()->columnBitmaps; - NAList<PrivMgrCoreDesc> columnDescs(NULL); - while (columnPrivs) - { - PrivMgrCoreDesc columnDesc(columnPrivs->privBitmapDesc()->privBitmap, - columnPrivs->privBitmapDesc()->privWGOBitmap, - columnPrivs->privBitmapDesc()->columnOrdinal); - columnDescs.insert(columnDesc); - columnPrivs = columnPrivs->next; - } + if (userDescList.entries() > 0) + return setPrivInfoAndKeys(userDescList, userID, objectUID, secKeySet); + return true; +} - PrivMgrDesc privs(priv_grantees_desc->privGranteeDesc()->grantee); - privs.setTablePrivs(objectDesc); - privs.setColumnPrivs(columnDescs); - privs.setHasPublicPriv(hasPublicPriv_); +// ---------------------------------------------------------------------------- +// method: initUserPrivs +// +// Creates a PrivMgrUserPrivs object from a PrivMgrDesc object +// ---------------------------------------------------------------------------- +void PrivMgrUserPrivs::initUserPrivs(PrivMgrDesc &privsOfTheUser) +{ + objectBitmap_ = privsOfTheUser.getTablePrivs().getPrivBitmap(); + grantableBitmap_ = privsOfTheUser.getTablePrivs().getWgoBitmap(); - descList.insert(privs); - } - priv_grantees_desc = priv_grantees_desc->next; + for (int32_t i = 0; i < privsOfTheUser.getColumnPrivs().entries(); i++) + { + const int32_t columnOrdinal = privsOfTheUser.getColumnPrivs()[i].getColumnOrdinal(); + colPrivsList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getPrivBitmap(); + colGrantableList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getWgoBitmap(); } + hasPublicPriv_ = privsOfTheUser.getHasPublicPriv(); +} + +// ---------------------------------------------------------------------------- +// method: setPrivInfoAndKeys +// +// Creates a security keys for a list of PrivMgrDescs +// ---------------------------------------------------------------------------- +bool PrivMgrUserPrivs::setPrivInfoAndKeys( + PrivMgrDescList &descList, + const int32_t userID, + const int64_t objectUID, + NASet<ComSecurityKey> *secKeySet) +{ + // Get the list of roleIDs and grantees from cache + NAList<int32_t> roleIDs (descList.getHeap()); + NAList<int32_t> grantees (descList.getHeap()); + if (ComUser::getCurrentUserRoles(roleIDs, grantees) != 0) + return false; - // Union privileges from all grantees together to create a single set of - // bitmaps. Create security invalidation keys for (int i = 0; i < descList.entries(); i++) { - PrivMgrDesc privs = descList[i]; + PrivMgrDesc *privs = descList[i]; // Set up object level privileges - objectBitmap_ |= privs.getTablePrivs().getPrivBitmap(); - grantableBitmap_ |= privs.getTablePrivs().getWgoBitmap(); + objectBitmap_ |= privs->getTablePrivs().getPrivBitmap(); + grantableBitmap_ |= privs->getTablePrivs().getWgoBitmap(); // Set up column level privileges - NAList<PrivMgrCoreDesc> columnPrivs = privs.getColumnPrivs(); + NAList<PrivMgrCoreDesc> columnPrivs = privs->getColumnPrivs(); std::map<size_t,PrivColumnBitmap>::iterator it; for (int j = 0; j < columnPrivs.entries(); j++) { @@ -172,37 +191,60 @@ bool PrivMgrUserPrivs::initUserPrivs( } // set up security invalidation keys - if (!buildSecurityKeys(userID, privs.getGrantee(), objectUID, privs.getTablePrivs(), secKeySet)) + Int32 grantee = privs->getGrantee(); + NAList<Int32> roleGrantees(descList.getHeap()); + + // If the grantee is a role, then get all users that + // have been granted the role. Create a security key for each. + if (PrivMgr::isRoleID(grantee)) + { + for (Int32 j = 0; j < grantees.entries(); j++) + { + if (grantee == roleIDs[j]) + roleGrantees.insert(grantees[j]); + } + } + + // add object security keys + if (!buildSecurityKeys(roleGrantees, grantee, objectUID, false, privs->getTablePrivs(), *secKeySet)) return false; - for (int k = 0; k < colPrivsList_.size(); k++) + // add column security keys + NAList<PrivMgrCoreDesc> colPrivs = privs->getColumnPrivs(); + for (int k = 0; k < colPrivs.entries(); k++) { - PrivMgrCoreDesc colDesc(colPrivsList_[k], colGrantableList_[k]); - if (!buildSecurityKeys(userID, privs.getGrantee(), objectUID, colDesc, secKeySet)) + PrivMgrCoreDesc colDesc = colPrivs[0]; + //PrivMgrCoreDesc colDesc(colPrivs[k], colGrantableList_[k]); + if (!buildSecurityKeys(roleGrantees, grantee, objectUID, true, colDesc, *secKeySet)) return false; } } - // TBD - add schema privilege bitmaps return true; } -// ---------------------------------------------------------------------------- -// method: initUserPrivs + +// ----------------------------------------------------------------------------- +// Method:: print // -// Creates a PrivMgrUserPrivs object from a PrivMgrDesc object -// ---------------------------------------------------------------------------- -void PrivMgrUserPrivs::initUserPrivs(PrivMgrDesc &privsOfTheUser) +// Prints out the bitmaps for the current user +// ----------------------------------------------------------------------------- +std::string PrivMgrUserPrivs::print() { - objectBitmap_ = privsOfTheUser.getTablePrivs().getPrivBitmap(); - grantableBitmap_ = privsOfTheUser.getTablePrivs().getWgoBitmap(); + std::string privList("Obj: "); + privList += objectBitmap_.to_string<char,std::string::traits_type,std::string::allocator_type>(); - for (int32_t i = 0; i < privsOfTheUser.getColumnPrivs().entries(); i++) + privList += ", Col: "; + Int32 bufSize = 100; + char buf[bufSize]; + for (size_t i = 0; i < colPrivsList_.size(); i++) { - const int32_t columnOrdinal = privsOfTheUser.getColumnPrivs()[i].getColumnOrdinal(); - colPrivsList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getPrivBitmap(); - colGrantableList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getWgoBitmap(); + std::string bits = colPrivsList_[i].to_string<char,std::string::traits_type,std::string::allocator_type>(); + // Ignore potential buffer overruns + snprintf(buf, bufSize, "%d %s ", (int)i, bits.c_str()); + privList += buf; } - hasPublicPriv_ = privsOfTheUser.getHasPublicPriv(); + + return privList; } http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrUserPrivs.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrUserPrivs.h b/core/sql/sqlcomp/PrivMgrUserPrivs.h index a5264c5..473e59e 100644 --- a/core/sql/sqlcomp/PrivMgrUserPrivs.h +++ b/core/sql/sqlcomp/PrivMgrUserPrivs.h @@ -28,6 +28,7 @@ #include <vector> #include <bitset> #include "PrivMgrDefs.h" +#include "PrivMgrDesc.h" class ComSecurityKey; class ComDiagsArea; @@ -333,6 +334,11 @@ class PrivMgrUserPrivs return false; } + bool setPrivInfoAndKeys ( PrivMgrDescList &privDescs, + const int32_t userID, + const int64_t objectUID, + NASet<ComSecurityKey> *secKeySet); + PrivColList & getColPrivList() {return colPrivsList_;} void setColPrivList(PrivColList colPrivsList) {colPrivsList_ = colPrivsList;} @@ -379,11 +385,14 @@ class PrivMgrUserPrivs bool getHasPublicPriv() { return hasPublicPriv_; } void setHasPublicPriv(bool hasPublicPriv) {hasPublicPriv_ = hasPublicPriv;} void initUserPrivs (PrivMgrDesc &privsOfTheGrantor); - bool initUserPrivs ( const std::vector<int32_t> &roleIDs, - const TrafDesc *priv_desc, + + bool initUserPrivs ( const NAList<Int32> &roleIDs, + PrivMgrDescList *privDescs, const int32_t userID, const int64_t objectUID, - NASet<ComSecurityKey> & secKeySet); + NASet<ComSecurityKey> *secKeySet = NULL); + + std::string print(); private: PrivObjectBitmap objectBitmap_;