[ https://issues.apache.org/jira/browse/TRAFODION-1856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15173933#comment-15173933 ]
ASF GitHub Bot commented on TRAFODION-1856:
-------------------------------------------

Github user robertamarton commented on a diff in the pull request:

https://github.com/apache/incubator-trafodion/pull/349#discussion_r54586561

--- Diff: core/sql/sqlcomp/PrivMgrMD.h ---
@@ -130,7 +149,70 @@ typedef struct { details += to_string((long long int) objectOwner); } -} ObjectReference; +}; + +class ObjectUsage +{ + public: + + ObjectUsage() + : objectUID (0), + granteeID (NA_UserIdDefault), + grantorIsSystem(false), + objectType (COM_UNKNOWN_OBJECT), + columnReferences(NULL), + originalPrivs(), + updatedPrivs() + {} + + virtual ~ObjectUsage ( void ) + { + if (columnReferences) + { + while(!columnReferences->empty()) + delete columnReferences->back(), columnReferences->pop_back(); + delete columnReferences; + } + } + + int64_t objectUID; + int32_t granteeID; + bool grantorIsSystem; + std::string objectName; + ComObjectType objectType; + std::vector<ColumnReference *> *columnReferences; + PrivMgrDesc originalPrivs; + PrivMgrDesc updatedPrivs; + + ColumnReference * findColumn (int32_t columnOrdinal) + { + if (columnReferences == NULL) + return NULL; + for (int i = 0; i < columnReferences->size(); i++) + { + ColumnReference *pRef = (*columnReferences)[i]; + if (pRef->columnOrdinal == columnOrdinal)
--- End diff --

I will note this and look at it for a subsequent commit.

> Revoke - object and column privilege checks not integrated for constraints
> --------------------------------------------------------------------------
>
>                 Key: TRAFODION-1856
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-1856
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>
> Today, when revoking the object REFERENCES privilege, the revoke fails if there
> are any RI constraints that require the privilege. However, there may be column
> level privileges that exist that would still allow the constraint to be present.
> Conversely, when revoking column REFERENCES privilege, the revoke does not
> check to see if REFERENCES privilege has been granted at the object level.
> In fact, the revoke operation does not check for dependencies on constraints
> correctly.
> For example:
>
> user1:
>   create table dept( dept_no int not null primary key, dept_name char(50));
>   grant references on table dept to user2;
>   grant references(dept_no) on table dept to user2;
>
> user2:
>   create table empl(empl_no int not null primary key, dept_no int not null);
>   alter table empl add constraint empl_dept
>     foreign key (dept_no) references dept;
>
> user1 should be able to "revoke references on table dept from user2" because
> user2 still has the references privileges on column dept_no. Vice versa, user1
> should be able to "revoke references(dept_no) on dept from user2" because user2
> still has the references privilege on table dept.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
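
Review bot: ~ObjectUsage deletes columnReferences and every ColumnReference it holds, but the class declares no copy constructor or copy assignment, so the compiler-generated ones copy the raw pointer and two ObjectUsage objects would end up deleting the same vector. Either disable copying for the class or hold the column references by value or through an owning smart pointer. In the same destructor, `delete columnReferences->back(), columnReferences->pop_back();` depends on the comma operator inside an unbraced while; a braced body with two statements reads more clearly. In findColumn, `int i` is compared against `columnReferences->size()`, which is a signed/unsigned comparison; use size_t for the index.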
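
The integrated check that the issue description asks for, as an added example (not Trafodion's code). Grants, FkConstraint, covers, blockedBy, revokeObject and revokeColumn are hypothetical names; columns are identified by ordinal, and dept_no is assumed to be ordinal 0 of dept.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// Hypothetical model for illustration; these are not Trafodion's PrivMgr types.
struct Grants {
    bool objectReferences = false;        // REFERENCES granted on the whole table
    std::set<int32_t> columnReferences;   // column ordinals granted REFERENCES
};

struct FkConstraint {
    std::string name;
    std::vector<int32_t> referencedColumns;  // ordinals in the referenced table
};

// A constraint keeps its privilege if the grantee holds object-level
// REFERENCES, or column-level REFERENCES on every referenced column.
static bool covers(const Grants &g, const FkConstraint &c) {
    if (g.objectReferences) return true;
    for (int32_t col : c.referencedColumns)
        if (g.columnReferences.count(col) == 0) return false;
    return true;
}

// Names of constraints left without REFERENCES if the grantee's privileges
// became `after`. An empty result means the revoke can proceed.
std::vector<std::string> blockedBy(const Grants &after,
                                   const std::vector<FkConstraint> &deps) {
    std::vector<std::string> blocked;
    for (const FkConstraint &c : deps)
        if (!covers(after, c)) blocked.push_back(c.name);
    return blocked;
}

// Each revoke is evaluated against the privileges that would remain.
Grants revokeObject(Grants g) { g.objectReferences = false; return g; }
Grants revokeColumn(Grants g, int32_t col) { g.columnReferences.erase(col); return g; }

int main() {
    // Constructed data mirroring the issue: user2 holds both grants on dept.
    Grants user2;
    user2.objectReferences = true;
    user2.columnReferences.insert(0);
    std::vector<FkConstraint> deps = {{"empl_dept", {0}}};
    bool ok = blockedBy(revokeObject(user2), deps).empty() &&
              blockedBy(revokeColumn(user2, 0), deps).empty() &&
              blockedBy(revokeColumn(revokeObject(user2), 0), deps).size() == 1;
    return ok ? 0 : 1;
}
```

Either single revoke leaves empl_dept covered by the other grant; only revoking both reports the constraint as a blocker.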