[ 
https://issues.apache.org/jira/browse/TRAFODION-1856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15173933#comment-15173933
 ] 

ASF GitHub Bot commented on TRAFODION-1856:
-------------------------------------------

GitHub user robertamarton commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/349#discussion_r54586561
  
    --- Diff: core/sql/sqlcomp/PrivMgrMD.h ---
    @@ -130,7 +149,70 @@ typedef struct {
         details += to_string((long long int) objectOwner);
       }
     
    -} ObjectReference;
    +};
    +
    +class ObjectUsage
    +{
    +  public:
    +
    +  ObjectUsage()
    +  : objectUID (0),
    +    granteeID (NA_UserIdDefault),
    +    grantorIsSystem(false),
    +    objectType (COM_UNKNOWN_OBJECT),
    +    columnReferences(NULL),
    +    originalPrivs(),
    +    updatedPrivs()
    +  {}
    +
    +  virtual ~ObjectUsage ( void )
    +  {
    +    if (columnReferences)
    +    {
    +      while(!columnReferences->empty())
    +        delete columnReferences->back(), columnReferences->pop_back();
    +      delete columnReferences;
    +    }
    +  }
    +
    +  int64_t objectUID;
    +  int32_t granteeID;
    +  bool grantorIsSystem;
    +  std::string objectName;
    +  ComObjectType objectType;
    +  std::vector<ColumnReference *> *columnReferences;
    +  PrivMgrDesc originalPrivs;
    +  PrivMgrDesc updatedPrivs;
    +
    +  ColumnReference * findColumn (int32_t columnOrdinal)
    +  {
    +    if (columnReferences == NULL)
    +      return NULL;
    +    for (int i = 0; i < columnReferences->size(); i++)
    +    {
    +      ColumnReference *pRef = (*columnReferences)[i];
    +      if (pRef->columnOrdinal == columnOrdinal)
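
Review bot: ObjectUsage's destructor deletes columnReferences and every ColumnReference it holds, but the lines shown declare no copy constructor or copy assignment operator, so copying an ObjectUsage (for example by storing one by value in a container) would leave two objects freeing the same pointers. Declare the copy operations private and unimplemented, or hold the ColumnReference objects by value in a std::vector member so that no manual delete is needed. In findColumn, `int i` is compared against `columnReferences->size()`, which is unsigned; use size_t for the index. The comma expression `delete columnReferences->back(), columnReferences->pop_back();` would also read more clearly as two statements in a braced loop body.
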
    --- End diff --
    
    I will note this and look at it for a subsequent commit.


> Revoke - object and column privilege checks not integrated for constraints
> --------------------------------------------------------------------------
>
>                 Key: TRAFODION-1856
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-1856
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>
> Today, when revoking the object REFERENCES privilege, the revoke fails if there
> are any RI constraints that require the privilege.  However, there may be column
> level privileges that exist that would still allow the constraint to be present.
> Conversely, when revoking column REFERENCES privilege, the revoke does not
> check to see if REFERENCES privilege has been granted at the object level.
> In fact, the revoke operation does not check for dependencies on constraints
> correctly.
> For example:
>  user1:
>   create table dept( dept_no int not null primary key, dept_name char(50));
>   grant references on table dept to user2;
>   grant references(dept_no) to user2;
>  user2:
>   create table empl(empl_no int not null primary key, dept_no int not null);
>   alter table empl add constraint empl_dept
>     foreign key (dept_no) references dept;
> user1 should be able to "revoke references on table dept from user2"  because
> user2 still has the references privileges on column dept_no.  Vice versa, user1
> should be able to "revoke references(dept_no) on dept from user2" because user2
> still has the references privilege on table dept.
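
The dependency rule described in the issue, written out as an added example (not code from the pull request or from Trafodion): a revoke is allowed only if every dependent RI constraint is still covered by the object-level or column-level REFERENCES privileges that remain. `RefPrivs`, `ConstraintCols` and the function names are hypothetical, and ordinal 0 for `dept_no` is an assumption.

```cpp
#include <cstddef>
#include <set>
#include <vector>

// Hypothetical model for illustration; these are not Trafodion's PrivMgr types.
struct RefPrivs {
  bool objectLevel;            // REFERENCES granted on the whole table
  std::set<int> columnLevel;   // column ordinals holding REFERENCES(col)
};
typedef std::vector<int> ConstraintCols;  // referenced columns of one RI constraint

// Authorized if REFERENCES is held on the object or on every referenced column.
// A constraint with no recorded columns is never covered by column grants.
bool constraintAuthorized(const RefPrivs &p, const ConstraintCols &cols)
{
  if (p.objectLevel) return true;
  if (cols.empty()) return false;
  for (std::size_t i = 0; i < cols.size(); i++)
    if (p.columnLevel.count(cols[i]) == 0) return false;
  return true;
}

// A revoke may proceed only if every dependent constraint is still authorized
// by the privileges that remain afterwards.
bool revokeAllowed(const RefPrivs &remaining, const std::vector<ConstraintCols> &deps)
{
  for (std::size_t i = 0; i < deps.size(); i++)
    if (!constraintAuthorized(remaining, deps[i])) return false;
  return true;
}

bool canRevokeObjectLevel(RefPrivs p, const std::vector<ConstraintCols> &deps)
{
  p.objectLevel = false;       // p is a copy: simulate the revoke
  return revokeAllowed(p, deps);
}

bool canRevokeColumn(RefPrivs p, int ordinal, const std::vector<ConstraintCols> &deps)
{
  p.columnLevel.erase(ordinal);
  return revokeAllowed(p, deps);
}

int main()
{
  // Constructed data for the dept/empl case: user2 holds both grants and
  // empl_dept references dept_no (ordinal 0 assumed).
  RefPrivs user2; user2.objectLevel = true; user2.columnLevel.insert(0);
  std::vector<ConstraintCols> deps(1, ConstraintCols(1, 0));
  bool ok = canRevokeObjectLevel(user2, deps) && canRevokeColumn(user2, 0, deps);
  user2.objectLevel = false;   // after the object-level revoke only the column grant covers
  return (ok && !canRevokeColumn(user2, 0, deps)) ? 0 : 1;
}
```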


