[2/3] trafodion git commit: TRAFODION - 3218 User still has privilege after user's role has been revoked ...
TRAFODION - 3218 User still has privilege after user's role has been revoked ... Partial support for column level privileges with QI support for: column select column insert column references column update Also, as part of this, updated privilege code in a couple of areas: Changed object caching code in NATable and NARoutine to store all privileges assigned to the object when the object is cached (privDescs_). During the load operation, the code creates bitmaps (privInfo_) for the current user. Privilege checks are performed against the user bitmaps (privInfo_). This is in anticipation for some performance updates when connecting to Trafodion (mxosrvr) with different users. Change getRoleList to include the roleID and the granteeID that granted the privilege. The grantee can be a user or a role. When a privilege is revoked from a role, send QI keys for every user that has been granted to role. Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/adf2b8f2 Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/adf2b8f2 Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/adf2b8f2 Branch: refs/heads/master Commit: adf2b8f23d87bd3bdcccf64523b730a4c9b57843 Parents: c52b07c Author: Roberta Marton Authored: Wed Oct 3 17:54:39 2018 + Committer: Roberta Marton Committed: Wed Oct 3 17:54:39 2018 + -- core/sql/cli/Cli.cpp| 7 +- core/sql/cli/Cli.h | 7 +- core/sql/cli/CliExtern.cpp | 10 +- core/sql/cli/Context.cpp| 63 -- core/sql/cli/Context.h | 8 +- core/sql/cli/SQLCLIdev.h| 5 +- core/sql/comexe/ComTdb.h| 2 +- core/sql/common/ComDistribution.cpp | 4 + core/sql/common/ComSecurityKey.cpp | 125 +++ core/sql/common/ComSecurityKey.h| 16 +- core/sql/common/ComSmallDefs.h | 9 + core/sql/common/ComUser.cpp | 62 - core/sql/common/ComUser.h | 5 +- core/sql/executor/ExExeUtilGet.cpp | 7 +- core/sql/generator/Generator.cpp| 15 +- core/sql/optimizer/BindRelExpr.cpp | 144 core/sql/optimizer/NARoutine.cpp| 
96 core/sql/optimizer/NARoutine.h | 11 +- core/sql/optimizer/NATable.cpp | 104 ++--- core/sql/optimizer/NATable.h| 21 +- core/sql/optimizer/RelMisc.h| 3 +- core/sql/regress/privs1/EXPECTED120 | 15 +- core/sql/regress/privs1/TEST120 | 2 +- core/sql/regress/privs2/EXPECTED129 | 218 +- core/sql/regress/privs2/TEST129 | 32 ++- core/sql/sqlcomp/CmpSeabaseDDLauth.cpp | 40 +++- core/sql/sqlcomp/CmpSeabaseDDLauth.h| 3 +- core/sql/sqlcomp/CmpSeabaseDDLtable.cpp | 15 +- core/sql/sqlcomp/PrivMgr.cpp| 37 +++ core/sql/sqlcomp/PrivMgr.h | 5 + core/sql/sqlcomp/PrivMgrCommands.cpp| 124 +- core/sql/sqlcomp/PrivMgrCommands.h | 15 +- core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp | 12 +- core/sql/sqlcomp/PrivMgrDesc.cpp| 1 + core/sql/sqlcomp/PrivMgrDesc.h | 30 +++ core/sql/sqlcomp/PrivMgrPrivileges.cpp | 224 ++- core/sql/sqlcomp/PrivMgrPrivileges.h| 21 +- core/sql/sqlcomp/PrivMgrRoles.cpp | 92 core/sql/sqlcomp/PrivMgrRoles.h | 18 +- core/sql/sqlcomp/PrivMgrUserPrivs.cpp | 174 -- core/sql/sqlcomp/PrivMgrUserPrivs.h | 15 +- 41 files changed, 1128 insertions(+), 689 deletions(-) -- http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/cli/Cli.cpp --
diff --git a/core/sql/cli/Cli.cpp b/core/sql/cli/Cli.cpp
index 3d5f033..9318fa5 100644
--- a/core/sql/cli/Cli.cpp
+++ b/core/sql/cli/Cli.cpp
@@ -6240,8 +6240,9 @@ Int32 SQLCLI_GetAuthState (
 Lng32 SQLCLI_GetRoleList( CliGlobals * cliGlobals,
- Int32 &numRoles,
- Int32 *&roleIDs)
+ Int32 &numEntries,
+ Int32 *& roleIDs,
+ Int32 *& granteeIDs)
 {
 Lng32 retcode = 0;
@@ -6254,7 +6255,7 @@ Lng32 SQLCLI_GetRoleList(
 ContextCli &currContext = *(cliGlobals->currContext());
 ComDiagsArea &diags = currContext.diags();
- retcode = currContext.getRoleList(numRoles,roleIDs);
+ retcode = currContext.getRoleList(numEntries,roleIDs,granteeIDs);
 return CliEpilogue(cliGlobals, NULL, retcode);
http://git-w
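Review bot: The new `roleIDs` and `granteeIDs` out-parameters of SQLCLI_GetRoleList are parallel arrays tied together only by `numEntries`, and nothing in the first hunk documents that. The rename from `numRoles` suggests the count is now of (role, grantee) pairs, so the same role ID can presumably appear more than once; a caller that still reads it as a count of distinct roles could size or index its role checks incorrectly. I would add a comment above the signature such as `// roleIDs[i] was granted to granteeIDs[i]; both arrays hold numEntries elements and a role may repeat`, and state which side owns and frees the two arrays, which is not visible here. The function body starts in this hunk and ends outside it.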
[1/3] trafodion git commit: TRAFODION - 3218 User still has privilege after user's role has been revoked ...
Repository: trafodion Updated Branches: refs/heads/master 659f59a13 -> 8e38189d4 http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp --
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
index a620624..cd785f6 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
+++ b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
@@ -12540,23 +12540,20 @@ ComTdbVirtTablePrivInfo * CmpSeabaseDDL::getSeabasePrivInfo(
 // Summarize privileges for object
 PrivStatus privStatus = STATUS_GOOD;
- std::vector privDescs;
+ ComTdbVirtTablePrivInfo *privInfo = new (heap_) ComTdbVirtTablePrivInfo();
+ privInfo->privmgr_desc_list = new (STMTHEAP) PrivMgrDescList(STMTHEAP);
+
+ // Summarize privileges for object
 PrivMgrCommands command(std::string(MDLoc.data()), std::string(privMgrMDLoc.data()), CmpCommon::diags());
- if (command.getPrivileges(objUID, objType, privDescs) != STATUS_GOOD)
+ if (command.getPrivileges(objUID, objType,
+*privInfo->privmgr_desc_list) != STATUS_GOOD)
 {
 *CmpCommon::diags() << DgSqlCode(-CAT_UNABLE_TO_RETRIEVE_PRIVS);
 return NULL;
 }
- ComTdbVirtTablePrivInfo *privInfo = new (STMTHEAP) ComTdbVirtTablePrivInfo();
-
- // PrivMgrDesc operator= is a deep copy
- privInfo->privmgr_desc_list = new (STMTHEAP) NAList(STMTHEAP);
- for (size_t i = 0; i < privDescs.size(); i++)
-privInfo->privmgr_desc_list->insert(privDescs[i]);
-
 return privInfo;
 }
http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.cpp --
diff --git a/core/sql/sqlcomp/PrivMgr.cpp b/core/sql/sqlcomp/PrivMgr.cpp
index 0a5f265..2429b9d 100644
--- a/core/sql/sqlcomp/PrivMgr.cpp
+++ b/core/sql/sqlcomp/PrivMgr.cpp
@@ -36,6 +36,7 @@
 #include "PrivMgrComponentOperations.h"
 #include "PrivMgrComponentPrivileges.h"
 #include "PrivMgrPrivileges.h"
+#include "PrivMgrRoles.h"
 // Trafodion includes
 #include "ComDistribution.h" 
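Review bot: In getSeabasePrivInfo, `privInfo` is now allocated on `heap_` while the `PrivMgrDescList` it points to is still allocated on `STMTHEAP`, so the two halves of one result can have different lifetimes. If `heap_` outlives the statement heap (the commit description says privilege descriptors are now kept with the cached object), `privInfo->privmgr_desc_list` would be left pointing at released descriptors that later privilege checks read. Unless the split is intended, allocate both from the same heap, for example `privInfo->privmgr_desc_list = new (heap_) PrivMgrDescList(heap_);`, assuming the list constructor accepts `heap_`. The allocations also moved ahead of `getPrivileges`, so the `return NULL` path now abandons both objects, which matters if `heap_` is not an arena released wholesale. The function starts before this hunk.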
@@ -154,6 +155,42 @@ PrivMgr::~PrivMgr()
 resetFlags();
 }
+// *
+// * Method: getGranteeIDsForRoleIDs
+// *
+// *Returns the grantees assigned to the passed in roles
+// *role list
+// *
+// * Parameters:
+// *
+// * list of roles to check
+// * passed back the list (potentially empty) of users granted to
+// * the roleIDs
+// *
+// * Returns: PrivStatus
+// *
+// * STATUS_GOOD: Role list returned
+// * *: Unable to fetch granted roles, see diags.
+// *
+// *
+PrivStatus PrivMgr::getGranteeIDsForRoleIDs(
+ const std::vector & roleIDs,
+ std::vector & granteeIDs,
+ bool includeSysGrantor)
+{
+ std::vector granteeIDsForRoleIDs;
+ PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
+ if (roles.fetchGranteesForRoles(roleIDs, granteeIDsForRoleIDs, includeSysGrantor) == STATUS_ERROR)
+return STATUS_ERROR;
+ for (size_t i = 0; i < granteeIDsForRoleIDs.size(); i++)
+ {
+ int32_t authID = granteeIDsForRoleIDs[i];
+ if (std::find(granteeIDs.begin(), granteeIDs.end(), authID) == granteeIDs.end())
+ granteeIDs.insert( std::upper_bound( granteeIDs.begin(), granteeIDs.end(), authID ), authID);
+ }
+ return STATUS_GOOD;
+}
+
 // // method: authorizationEnabled //
http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.h --
diff --git a/core/sql/sqlcomp/PrivMgr.h b/core/sql/sqlcomp/PrivMgr.h
index fd6b8bd..0cd52ce 100644
--- a/core/sql/sqlcomp/PrivMgr.h
+++ b/core/sql/sqlcomp/PrivMgr.h
@@ -168,6 +168,11 @@ class PrivMgr
 // --- // Accessors and destructors: // ---
+PrivStatus getGranteeIDsForRoleIDs(
+ const std::vector & roleIDs,
+ std::vector & userIDs,
+ bool includeSysGrantor = true);
+
 inline std::string getMetadataLocation (void) {return metadataLocation_;}
 inline const std::string & getMetadataLocation (void) const {return m
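Review bot: getGranteeIDsForRoleIDs treats `granteeIDs` as a sorted in/out list, but neither the comment block nor the signature says so: entries already in the vector are kept, and `std::upper_bound` only gives a meaningful position when the caller's vector is sorted ascending. The header comment should state that results are merged into `granteeIDs` in ascending order without duplicates and should describe `includeSysGrantor`, which it omits; the declaration in PrivMgr.h also names the same parameter `userIDs`, although the commit description says a grantee can be a user or a role. Given a sorted vector, the `std::find` plus `std::upper_bound` pair can become one search (element type inferred from `authID`): `std::vector<int32_t>::iterator pos = std::lower_bound(granteeIDs.begin(), granteeIDs.end(), authID);` followed by `if (pos == granteeIDs.end() || *pos != authID) granteeIDs.insert(pos, authID);`. Only `STATUS_ERROR` is treated as failure, so if `fetchGranteesForRoles` can return another non-good status the caller receives `STATUS_GOOD` with a possibly incomplete grantee list, and on a revoke that could leave some users without an invalidation key; comparing against `STATUS_GOOD` would be safer if that case exists.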
[3/3] trafodion git commit: Merge [TRAFODION-3218] pr 1723 user still has privilege after user's role revoked
Merge [TRAFODION-3218] pr 1723 user still has privilege after user's role revoked Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/8e38189d Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/8e38189d Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/8e38189d Branch: refs/heads/master Commit: 8e38189d43d6abe57f6a2c992ebaeaf79ce92408 Parents: 659f59a adf2b8f Author: Roberta Marton Authored: Wed Oct 24 16:19:42 2018 + Committer: Roberta Marton Committed: Wed Oct 24 16:19:42 2018 + -- core/sql/cli/Cli.cpp| 7 +- core/sql/cli/Cli.h | 7 +- core/sql/cli/CliExtern.cpp | 10 +- core/sql/cli/Context.cpp| 63 -- core/sql/cli/Context.h | 8 +- core/sql/cli/SQLCLIdev.h| 5 +- core/sql/comexe/ComTdb.h| 2 +- core/sql/common/ComDistribution.cpp | 4 + core/sql/common/ComSecurityKey.cpp | 125 +++ core/sql/common/ComSecurityKey.h| 16 +- core/sql/common/ComSmallDefs.h | 9 + core/sql/common/ComUser.cpp | 62 - core/sql/common/ComUser.h | 5 +- core/sql/executor/ExExeUtilGet.cpp | 7 +- core/sql/generator/Generator.cpp| 15 +- core/sql/optimizer/BindRelExpr.cpp | 144 core/sql/optimizer/NARoutine.cpp| 96 core/sql/optimizer/NARoutine.h | 11 +- core/sql/optimizer/NATable.cpp | 104 ++--- core/sql/optimizer/NATable.h| 21 +- core/sql/optimizer/RelMisc.h| 3 +- core/sql/regress/privs1/EXPECTED120 | 15 +- core/sql/regress/privs1/TEST120 | 2 +- core/sql/regress/privs2/EXPECTED129 | 218 +- core/sql/regress/privs2/TEST129 | 32 ++- core/sql/sqlcomp/CmpSeabaseDDLauth.cpp | 40 +++- core/sql/sqlcomp/CmpSeabaseDDLauth.h| 3 +- core/sql/sqlcomp/CmpSeabaseDDLtable.cpp | 15 +- core/sql/sqlcomp/PrivMgr.cpp| 37 +++ core/sql/sqlcomp/PrivMgr.h | 5 + core/sql/sqlcomp/PrivMgrCommands.cpp| 124 +- core/sql/sqlcomp/PrivMgrCommands.h | 15 +- core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp | 12 +- core/sql/sqlcomp/PrivMgrDesc.cpp| 1 + core/sql/sqlcomp/PrivMgrDesc.h | 30 +++ core/sql/sqlcomp/PrivMgrPrivileges.cpp | 224 ++- 
core/sql/sqlcomp/PrivMgrPrivileges.h| 21 +- core/sql/sqlcomp/PrivMgrRoles.cpp | 92 core/sql/sqlcomp/PrivMgrRoles.h | 18 +- core/sql/sqlcomp/PrivMgrUserPrivs.cpp | 174 -- core/sql/sqlcomp/PrivMgrUserPrivs.h | 15 +- 41 files changed, 1128 insertions(+), 689 deletions(-) -- http://git-wip-us.apache.org/repos/asf/trafodion/blob/8e38189d/core/sql/cli/Cli.cpp -- http://git-wip-us.apache.org/repos/asf/trafodion/blob/8e38189d/core/sql/optimizer/RelMisc.h -- http://git-wip-us.apache.org/repos/asf/trafodion/blob/8e38189d/core/sql/sqlcomp/PrivMgr.cpp --