Repository: incubator-trafodion
Updated Branches:
refs/heads/master 6155ff1ba -> 1b724a845
TRAFODION-2538 Revoking privileges from role not invoking query invalidation
Fixed an issue where query invalidation keys were not being sent correctly when
a privilege was revoked from a role.
When a table is cached, a list of all the query invalidation keys for the user
is stored. Later, when a query is run, the compiler picks the relevant keys
and places them in the plan. When a revoke occurs, a key is sent to RMS and
the executor processes check for keys at the next execution. If the key affects
any caches, the cache entries are refreshed and plans recompiled.
Incorrect keys were being created when privileges were revoked from roles, so
queries continued to work even though the user had no more privileges.
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit:
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/a78064b8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/a78064b8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/a78064b8
Branch: refs/heads/master
Commit: a78064b89afce13e12cc70024ca110b17b68c792
Parents: 2aac3f7
Author: Roberta Marton
Authored: Tue Mar 14 23:14:28 2017 +
Committer: Roberta Marton
Committed: Tue Mar 14 23:14:28 2017 +
--
core/sql/common/ComSecurityKey.cpp | 118 +++-
core/sql/common/ComSecurityKey.h| 18 ++--
core/sql/common/ComUser.cpp | 11 +++
core/sql/common/ComUser.h | 1 +
core/sql/optimizer/BindRelExpr.cpp | 31 ++-
core/sql/regress/privs1/EXPECTED120 | 129 ---
core/sql/regress/privs1/TEST120 | 33 ++-
core/sql/sqlcomp/CmpSeabaseDDLtable.cpp | 3 +
core/sql/sqlcomp/PrivMgrCommands.cpp| 8 +-
core/sql/sqlcomp/PrivMgrPrivileges.cpp | 33 ---
core/sql/sqlcomp/PrivMgrPrivileges.h| 1 -
11 files changed, 303 insertions(+), 83 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/a78064b8/core/sql/common/ComSecurityKey.cpp
--
diff --git a/core/sql/common/ComSecurityKey.cpp
b/core/sql/common/ComSecurityKey.cpp
index f3f52e1..76b88e7 100644
--- a/core/sql/common/ComSecurityKey.cpp
+++ b/core/sql/common/ComSecurityKey.cpp
@@ -37,6 +37,25 @@
#include "PrivMgrDefs.h"
//
+// function: qiSubjectMatchesRole
+//
+// This function compares the subjectKey with the list of roles the current
+// user has been granted. If it matches one of the roles, return TRUE,
+// otherwise it returns FALSE.
+//
+NABoolean qiSubjectMatchesRole(uint32_t subjectKey)
+{
+ NAList roleIDs(NULL);
+ ComUser::getCurrentUserRoles(roleIDs);
+ for (int i = 0; i < roleIDs.entries(); i++)
+ {
+if (subjectKey = ComSecurityKey::generateHash(roleIDs[i]))
+ return TRUE;
+ }
+ return FALSE;
+}
+
+//
// function: qiCheckForInvalidObject
//
// This function compares the list of query invalidate keys that changed to
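Review bot: The condition in qiSubjectMatchesRole, `if (subjectKey = ComSecurityKey::generateHash(roleIDs[i]))`, assigns instead of comparing, so the function returns TRUE for the first role whose hash is non-zero, whatever subject was passed in. It should read `if (subjectKey == ComSecurityKey::generateHash(roleIDs[i]))`, and declaring the parameter as `const uint32_t subjectKey` would make the compiler reject this slip. As written, the subject test added to qiCheckForInvalidObject for the COM_QI_OBJECT_* cases passes for any revoke key on a matching object whenever the current user holds a role, which over-invalidates and hides whether the role comparison works. The result of `ComUser::getCurrentUserRoles(roleIDs)` is also unchecked. If that call can fail and leave the list empty (its declaration is not visible here), this function returns FALSE and a role revoke would leave the cached entry in place, so the failure case should probably be treated as a match.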
@@ -83,6 +102,21 @@ NABoolean qiCheckForInvalidObject (const Int32
numInvalidationKeys,
case COM_QI_OBJECT_USAGE:
case COM_QI_OBJECT_REFERENCES:
case COM_QI_OBJECT_EXECUTE:
+for (Int32 j = 0; j < numObjectKeys && !found; j++ )
+{
+ ComSecurityKey keyValue = objectKeys[j];
+ if ( ( invalidationKeys[i].revokeKey.object ==
+ keyValue.getObjectHashValue() ) &&
+ ( invalidationKeyType ==
+ keyValue.getSecurityKeyType() ) )
+ {
+if ( invalidationKeys[i].revokeKey.subject ==
+ keyValue.getSubjectHashValue() ||
+ qiSubjectMatchesRole(invalidationKeys[i].revokeKey.subject) )
+ found = TRUE;
+ }
+}
+break;
case COM_QI_USER_GRANT_SPECIAL_ROLE:
case COM_QI_USER_GRANT_ROLE:
{
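Review bot: `qiSubjectMatchesRole(invalidationKeys[i].revokeKey.subject)` is evaluated inside the `j` loop, although its argument depends only on `i`. Each call rebuilds the current user's role list and hashes every role. Evaluating it at most once per invalidation key and reusing the result, e.g. `if (invalidationKeys[i].revokeKey.subject == keyValue.getSubjectHashValue() || subjectIsRole)`, keeps the revoke check cheap when a user has many object keys and roles. `ComSecurityKey keyValue = objectKeys[j];` also copies each key; a `const ComSecurityKey &` would do if the getters are const, which this hunk does not show. The enclosing function and switch begin and end outside the hunk.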
@@ -120,48 +154,51 @@ NABoolean qiCheckForInvalidObject (const Int32
numInvalidationKeys,
// SUBJECT_IS_USER - support for granting roles to user
// SUBJECT_IS_ROLE - not supported until we grant roles to roles
//
+// returns false is unable to build keys
//
-bool buildSecurityKeys( const int32_t granteeID,
-const int32_t roleID,
+bool buildSecurityKeys( const int32_t userID,
+const int32_t granteeID,
const int64_t objectUID,
const PrivMgrCoreDesc &pr