You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hawq.apache.org by wl...@apache.org on 2017/02/10 02:21:59 UTC
incubator-hawq git commit: HAWQ-1318. Fix the bug of cannot
start/stop master successfully if ranger is enable and with a wrong RPS
address
Repository: incubator-hawq
Updated Branches:
refs/heads/master 8c9b45a40 -> 63c856280
HAWQ-1318. Fix the bug of cannot start/stop master successfully if ranger is enable and with a wrong RPS address
Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/63c85628
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/63c85628
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/63c85628
Branch: refs/heads/master
Commit: 63c856280c1fea655f99a9aea2c2196116cc2ab3
Parents: 8c9b45a
Author: Wen Lin <wl...@pivotal.io>
Authored: Thu Feb 9 16:03:53 2017 +0800
Committer: Wen Lin <wl...@pivotal.io>
Committed: Fri Feb 10 10:18:19 2017 +0800
----------------------------------------------------------------------
src/backend/catalog/aclchk.c | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/63c85628/src/backend/catalog/aclchk.c
----------------------------------------------------------------------
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 3ab3248..416e0c4 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -2715,9 +2715,9 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
*/
if (information_schema_namespcace_oid == 0)
{
- information_schema_namespcace_oid = (int)get_namespace_oid("information_schema");
+ information_schema_namespcace_oid = (int)get_namespace_oid("information_schema");
}
- /*for heap table, we fall back to native check.*/
+ /* for heap table, we fall back to native check. */
if (objkind == ACL_KIND_CLASS)
{
char relstorage = get_rel_relstorage(obj_oid);
@@ -2728,21 +2728,26 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
}
else if (objkind == ACL_KIND_NAMESPACE)
{
- /*native check build-in schemas.*/
+ /* native check build-in schemas. */
if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == information_schema_namespcace_oid
- || obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == PG_TOAST_NAMESPACE
- || obj_oid == PG_BITMAPINDEX_NAMESPACE)
+ || obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == PG_TOAST_NAMESPACE
+ || obj_oid == PG_BITMAPINDEX_NAMESPACE)
{
return true;
}
+ else if (obj_oid == PG_PUBLIC_NAMESPACE && superuser())
+ {
+ /* superuser's access to PUBLIC */
+ return true;
+ }
}
else if (objkind == ACL_KIND_PROC)
{
- /*native check functions under build-in schemas.*/
+ /* native check functions under build-in schemas. */
Oid namespaceid = get_func_namespace(obj_oid);
if (namespaceid == PG_CATALOG_NAMESPACE || namespaceid == information_schema_namespcace_oid
- || namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid == PG_TOAST_NAMESPACE
- || namespaceid == PG_BITMAPINDEX_NAMESPACE)
+ || namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid == PG_TOAST_NAMESPACE
+ || namespaceid == PG_BITMAPINDEX_NAMESPACE)
{
return true;
}
@@ -2848,16 +2853,17 @@ pg_rangercheck(AclObjectKind objkind, Oid object_oid, Oid roleid,
List* actions = getActionName(mask);
bool isAll = (how == ACLMASK_ALL) ? true: false;
- elog(DEBUG3, "ranger acl check kind: %d, object name: %s, role: %s, mask: %u\n", objkind, objectname, rolename, mask);
+ elog(DEBUG3, "ranger acl check kind: %d, object name: %s, object oid:%d, role: %s, mask: %u\n",
+ objkind, objectname, object_oid, rolename, mask);
List *resultargs = NIL;
- RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) palloc(sizeof(RangerPrivilegeResults));
- aclresult->result = RANGERCHECK_NO_PRIV;
- aclresult->relOid = object_oid;
+ RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) palloc(sizeof(RangerPrivilegeResults));
+ aclresult->result = RANGERCHECK_NO_PRIV;
+ aclresult->relOid = object_oid;
/* this two sign fields will be set in function create_ranger_request_json */
aclresult->resource_sign = 0;
aclresult->privilege_sign = 0;
- resultargs = lappend(resultargs, aclresult);
+ resultargs = lappend(resultargs, aclresult);
List *requestargs = NIL;
RangerRequestJsonArgs *requestarg = (RangerRequestJsonArgs *) palloc(sizeof(RangerRequestJsonArgs));