[2/3] trafodion git commit: TRAFODION - 3218 User still has privilege after user's role has been revoked ...

2018-10-24 Thread rmarton
TRAFODION - 3218 User still has privilege after user's role has been revoked ...

Partial support for column level privileges with QI support for:

  column select
  column insert
  column references
  column update

Also, as part of this, updated privilege code in a couple of areas:

Changed object caching code in NATable and NARoutine to store all privileges
assigned to the object when the object is cached (privDescs_).  During the load
operation, the code creates bitmaps (privInfo_) for the current user.  Privilege
checks are performed against the user bitmaps (privInfo_).  This is in
anticipation for some performance updates when connecting to Trafodion (mxosrvr)
with different users.

Change getRoleList to include the roleID and the granteeID that granted the
privilege. The grantee can be a user or a role.

When a privilege is revoked from a role, send query invalidation (QI) keys for
every user that has been granted the role.


Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/adf2b8f2
Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/adf2b8f2
Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/adf2b8f2

Branch: refs/heads/master
Commit: adf2b8f23d87bd3bdcccf64523b730a4c9b57843
Parents: c52b07c
Author: Roberta Marton 
Authored: Wed Oct 3 17:54:39 2018 +
Committer: Roberta Marton 
Committed: Wed Oct 3 17:54:39 2018 +

--
 core/sql/cli/Cli.cpp|   7 +-
 core/sql/cli/Cli.h  |   7 +-
 core/sql/cli/CliExtern.cpp  |  10 +-
 core/sql/cli/Context.cpp|  63 --
 core/sql/cli/Context.h  |   8 +-
 core/sql/cli/SQLCLIdev.h|   5 +-
 core/sql/comexe/ComTdb.h|   2 +-
 core/sql/common/ComDistribution.cpp |   4 +
 core/sql/common/ComSecurityKey.cpp  | 125 +++
 core/sql/common/ComSecurityKey.h|  16 +-
 core/sql/common/ComSmallDefs.h  |   9 +
 core/sql/common/ComUser.cpp |  62 -
 core/sql/common/ComUser.h   |   5 +-
 core/sql/executor/ExExeUtilGet.cpp  |   7 +-
 core/sql/generator/Generator.cpp|  15 +-
 core/sql/optimizer/BindRelExpr.cpp  | 144 
 core/sql/optimizer/NARoutine.cpp|  96 
 core/sql/optimizer/NARoutine.h  |  11 +-
 core/sql/optimizer/NATable.cpp  | 104 ++---
 core/sql/optimizer/NATable.h|  21 +-
 core/sql/optimizer/RelMisc.h|   3 +-
 core/sql/regress/privs1/EXPECTED120 |  15 +-
 core/sql/regress/privs1/TEST120 |   2 +-
 core/sql/regress/privs2/EXPECTED129 | 218 +-
 core/sql/regress/privs2/TEST129 |  32 ++-
 core/sql/sqlcomp/CmpSeabaseDDLauth.cpp  |  40 +++-
 core/sql/sqlcomp/CmpSeabaseDDLauth.h|   3 +-
 core/sql/sqlcomp/CmpSeabaseDDLtable.cpp |  15 +-
 core/sql/sqlcomp/PrivMgr.cpp|  37 +++
 core/sql/sqlcomp/PrivMgr.h  |   5 +
 core/sql/sqlcomp/PrivMgrCommands.cpp| 124 +-
 core/sql/sqlcomp/PrivMgrCommands.h  |  15 +-
 core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp |  12 +-
 core/sql/sqlcomp/PrivMgrDesc.cpp|   1 +
 core/sql/sqlcomp/PrivMgrDesc.h  |  30 +++
 core/sql/sqlcomp/PrivMgrPrivileges.cpp  | 224 ++-
 core/sql/sqlcomp/PrivMgrPrivileges.h|  21 +-
 core/sql/sqlcomp/PrivMgrRoles.cpp   |  92 
 core/sql/sqlcomp/PrivMgrRoles.h |  18 +-
 core/sql/sqlcomp/PrivMgrUserPrivs.cpp   | 174 --
 core/sql/sqlcomp/PrivMgrUserPrivs.h |  15 +-
 41 files changed, 1128 insertions(+), 689 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/cli/Cli.cpp
--
diff --git a/core/sql/cli/Cli.cpp b/core/sql/cli/Cli.cpp
index 3d5f033..9318fa5 100644
--- a/core/sql/cli/Cli.cpp
+++ b/core/sql/cli/Cli.cpp
@@ -6240,8 +6240,9 @@ Int32 SQLCLI_GetAuthState (
 
 Lng32 SQLCLI_GetRoleList(
CliGlobals * cliGlobals,
-   Int32 &numRoles,
-   Int32 *&roleIDs)
+   Int32 &numEntries,
+   Int32 *& roleIDs,
+   Int32 *& granteeIDs)
 
 {
Lng32 retcode = 0;
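Review bot: The widened signature of `SQLCLI_GetRoleList` returns `roleIDs` and `granteeIDs` as two out-arrays sharing the single count `numEntries`, but nothing here documents that entry i of one pairs with entry i of the other, which heap they come from, or who frees them. The commit message describes each pair as a role and the grantee (user or role) it is tied to, so a caller that indexes the arrays inconsistently would attribute a role to the wrong grantee when deciding which privileges apply. I would add a header comment such as `// roleIDs[i] pairs with granteeIDs[i]; both arrays hold numEntries entries`, plus one line on ownership once that is confirmed against `ContextCli::getRoleList`, which is outside this hunk. The function body also continues past the hunk. The spacing in `Int32 *& roleIDs` also differs from `Int32 &numEntries` on the line above.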
@@ -6254,7 +6255,7 @@ Lng32 SQLCLI_GetRoleList(
ContextCli &currContext = *(cliGlobals->currContext());
ComDiagsArea &diags = currContext.diags();
 
-   retcode = currContext.getRoleList(numRoles,roleIDs);
+   retcode = currContext.getRoleList(numEntries,roleIDs,granteeIDs);
 
return CliEpilogue(cliGlobals, NULL, retcode);
 

http://git-w

[1/3] trafodion git commit: TRAFODION - 3218 User still has privilege after user's role has been revoked ...

2018-10-24 Thread rmarton
Repository: trafodion
Updated Branches:
  refs/heads/master 659f59a13 -> 8e38189d4


http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
--
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp 
b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
index a620624..cd785f6 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
+++ b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
@@ -12540,23 +12540,20 @@ ComTdbVirtTablePrivInfo * 
CmpSeabaseDDL::getSeabasePrivInfo(
 
   // Summarize privileges for object
   PrivStatus privStatus = STATUS_GOOD;
-  std::vector privDescs;
+  ComTdbVirtTablePrivInfo *privInfo = new (heap_) ComTdbVirtTablePrivInfo();
+  privInfo->privmgr_desc_list = new (STMTHEAP) PrivMgrDescList(STMTHEAP);
+
+  // Summarize privileges for object
   PrivMgrCommands command(std::string(MDLoc.data()),
   std::string(privMgrMDLoc.data()),
   CmpCommon::diags());
-  if (command.getPrivileges(objUID, objType, privDescs) != STATUS_GOOD)
+  if (command.getPrivileges(objUID, objType,
+*privInfo->privmgr_desc_list) != STATUS_GOOD)
 {
   *CmpCommon::diags() << DgSqlCode(-CAT_UNABLE_TO_RETRIEVE_PRIVS);
   return NULL;
 }
 
-  ComTdbVirtTablePrivInfo *privInfo = new (STMTHEAP) ComTdbVirtTablePrivInfo();
-
-  // PrivMgrDesc operator= is a deep copy
-  privInfo->privmgr_desc_list = new (STMTHEAP) NAList(STMTHEAP);
-  for (size_t i = 0; i < privDescs.size(); i++)
-privInfo->privmgr_desc_list->insert(privDescs[i]);
-
   return privInfo;
 }
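Review bot: `privInfo` is now allocated from `heap_` while its `privmgr_desc_list` (and the list's own heap argument) still comes from `STMTHEAP`, and both are allocated before the `getPrivileges` call. If `heap_` can outlive the statement heap, the returned `privInfo` would keep a pointer to a descriptor list that is released at end of statement, and later privilege checks would read freed memory. The commit message's caching of privilege descriptors in NATable/NARoutine suggests that, although `heap_` is not defined in this hunk. Allocating the list from the same heap, e.g. `privInfo->privmgr_desc_list = new (heap_) PrivMgrDescList(heap_);`, would tie the two lifetimes together. The early `return NULL` on failure now also leaves both allocations unreleased, so either release them on that path or allocate only after the call succeeds; the comment `// Summarize privileges for object` is also duplicated.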
 

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.cpp
--
diff --git a/core/sql/sqlcomp/PrivMgr.cpp b/core/sql/sqlcomp/PrivMgr.cpp
index 0a5f265..2429b9d 100644
--- a/core/sql/sqlcomp/PrivMgr.cpp
+++ b/core/sql/sqlcomp/PrivMgr.cpp
@@ -36,6 +36,7 @@
 #include "PrivMgrComponentOperations.h"
 #include "PrivMgrComponentPrivileges.h"
 #include "PrivMgrPrivileges.h"
+#include "PrivMgrRoles.h"
 
 // Trafodion includes
 #include "ComDistribution.h"
@@ -154,6 +155,42 @@ PrivMgr::~PrivMgr()
   resetFlags();
 }
 
+// 
*
+// * Method: getGranteeIDsForRoleIDs  
+// *   
+// *Returns the grantees assigned to the passed in roles
+// *role list
+// *   
+// *  Parameters:
+// *   
+// *  list of roles to check
+// *   passed back the list (potentially empty) of users granted 
to 
+// *   the roleIDs
+// * 
+// * Returns: PrivStatus   
+// *  
+// * STATUS_GOOD: Role list returned
+// *   *: Unable to fetch granted roles, see diags. 
+// *   
+// 
*
+PrivStatus PrivMgr::getGranteeIDsForRoleIDs(
+  const std::vector  & roleIDs,
+  std::vector & granteeIDs,
+  bool includeSysGrantor)
+{
+  std::vector granteeIDsForRoleIDs;
+  PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
+  if (roles.fetchGranteesForRoles(roleIDs, granteeIDsForRoleIDs, 
includeSysGrantor) == STATUS_ERROR)
+return STATUS_ERROR;
+  for (size_t i = 0; i < granteeIDsForRoleIDs.size(); i++)
+  {
+ int32_t authID = granteeIDsForRoleIDs[i];
+ if (std::find(granteeIDs.begin(), granteeIDs.end(), authID) == 
granteeIDs.end())
+   granteeIDs.insert( std::upper_bound( granteeIDs.begin(), 
granteeIDs.end(), authID ), authID);
+  }
+  return STATUS_GOOD;
+}
+
 // 
 // method:  authorizationEnabled
 //
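Review bot: The check `== STATUS_ERROR` in `getGranteeIDsForRoleIDs` lets any other non-good status from `fetchGranteesForRoles` fall through to the merge loop and return `STATUS_GOOD`, while the header comment says anything other than `STATUS_GOOD` means the grantees could not be fetched. This list appears to feed the QI keys sent when a privilege is revoked from a role, so a partial list reported as success would leave some users' cached privileges un-invalidated. Compare with `!= STATUS_GOOD` and propagate the status, allowing a not-found status only if that is how an empty result is reported; `fetchGranteesForRoles` is not shown, so confirm there. The insert also depends on `granteeIDs` being sorted on entry, because `std::upper_bound` requires it while the preceding `std::find` does not. Document that precondition, or use one search for both steps: `auto pos = std::lower_bound(granteeIDs.begin(), granteeIDs.end(), authID); if (pos == granteeIDs.end() || *pos != authID) granteeIDs.insert(pos, authID);`.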

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.h
--
diff --git a/core/sql/sqlcomp/PrivMgr.h b/core/sql/sqlcomp/PrivMgr.h
index fd6b8bd..0cd52ce 100644
--- a/core/sql/sqlcomp/PrivMgr.h
+++ b/core/sql/sqlcomp/PrivMgr.h
@@ -168,6 +168,11 @@ class PrivMgr
 // ---
 // Accessors and destructors:
 // ---
+PrivStatus getGranteeIDsForRoleIDs(
+  const std::vector & roleIDs,
+  std::vector & userIDs,
+  bool includeSysGrantor = true);
+
 inline std::string getMetadataLocation (void) {return metadataLocation_;}
 inline const std::string & getMetadataLocation (void) const {return 
m

[3/3] trafodion git commit: Merge [TRAFODION-3218] pr 1723 user still has privilege after user's role revoked

2018-10-24 Thread rmarton
Merge [TRAFODION-3218] pr 1723 user still has privilege after user's role 
revoked


Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/8e38189d
Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/8e38189d
Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/8e38189d

Branch: refs/heads/master
Commit: 8e38189d43d6abe57f6a2c992ebaeaf79ce92408
Parents: 659f59a adf2b8f
Author: Roberta Marton 
Authored: Wed Oct 24 16:19:42 2018 +
Committer: Roberta Marton 
Committed: Wed Oct 24 16:19:42 2018 +

--
 core/sql/cli/Cli.cpp|   7 +-
 core/sql/cli/Cli.h  |   7 +-
 core/sql/cli/CliExtern.cpp  |  10 +-
 core/sql/cli/Context.cpp|  63 --
 core/sql/cli/Context.h  |   8 +-
 core/sql/cli/SQLCLIdev.h|   5 +-
 core/sql/comexe/ComTdb.h|   2 +-
 core/sql/common/ComDistribution.cpp |   4 +
 core/sql/common/ComSecurityKey.cpp  | 125 +++
 core/sql/common/ComSecurityKey.h|  16 +-
 core/sql/common/ComSmallDefs.h  |   9 +
 core/sql/common/ComUser.cpp |  62 -
 core/sql/common/ComUser.h   |   5 +-
 core/sql/executor/ExExeUtilGet.cpp  |   7 +-
 core/sql/generator/Generator.cpp|  15 +-
 core/sql/optimizer/BindRelExpr.cpp  | 144 
 core/sql/optimizer/NARoutine.cpp|  96 
 core/sql/optimizer/NARoutine.h  |  11 +-
 core/sql/optimizer/NATable.cpp  | 104 ++---
 core/sql/optimizer/NATable.h|  21 +-
 core/sql/optimizer/RelMisc.h|   3 +-
 core/sql/regress/privs1/EXPECTED120 |  15 +-
 core/sql/regress/privs1/TEST120 |   2 +-
 core/sql/regress/privs2/EXPECTED129 | 218 +-
 core/sql/regress/privs2/TEST129 |  32 ++-
 core/sql/sqlcomp/CmpSeabaseDDLauth.cpp  |  40 +++-
 core/sql/sqlcomp/CmpSeabaseDDLauth.h|   3 +-
 core/sql/sqlcomp/CmpSeabaseDDLtable.cpp |  15 +-
 core/sql/sqlcomp/PrivMgr.cpp|  37 +++
 core/sql/sqlcomp/PrivMgr.h  |   5 +
 core/sql/sqlcomp/PrivMgrCommands.cpp| 124 +-
 core/sql/sqlcomp/PrivMgrCommands.h  |  15 +-
 core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp |  12 +-
 core/sql/sqlcomp/PrivMgrDesc.cpp|   1 +
 core/sql/sqlcomp/PrivMgrDesc.h  |  30 +++
 core/sql/sqlcomp/PrivMgrPrivileges.cpp  | 224 ++-
 core/sql/sqlcomp/PrivMgrPrivileges.h|  21 +-
 core/sql/sqlcomp/PrivMgrRoles.cpp   |  92 
 core/sql/sqlcomp/PrivMgrRoles.h |  18 +-
 core/sql/sqlcomp/PrivMgrUserPrivs.cpp   | 174 --
 core/sql/sqlcomp/PrivMgrUserPrivs.h |  15 +-
 41 files changed, 1128 insertions(+), 689 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/trafodion/blob/8e38189d/core/sql/cli/Cli.cpp
--

http://git-wip-us.apache.org/repos/asf/trafodion/blob/8e38189d/core/sql/optimizer/RelMisc.h
--

http://git-wip-us.apache.org/repos/asf/trafodion/blob/8e38189d/core/sql/sqlcomp/PrivMgr.cpp
--