You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hawq.apache.org by wl...@apache.org on 2017/02/10 02:21:59 UTC

incubator-hawq git commit: HAWQ-1318. Fix the bug of cannot start/stop master successfully if ranger is enable and with a wrong RPS address

Repository: incubator-hawq
Updated Branches:
  refs/heads/master 8c9b45a40 -> 63c856280


HAWQ-1318. Fix the bug of cannot start/stop master successfully if ranger is enable and with a wrong RPS address


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/63c85628
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/63c85628
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/63c85628

Branch: refs/heads/master
Commit: 63c856280c1fea655f99a9aea2c2196116cc2ab3
Parents: 8c9b45a
Author: Wen Lin <wl...@pivotal.io>
Authored: Thu Feb 9 16:03:53 2017 +0800
Committer: Wen Lin <wl...@pivotal.io>
Committed: Fri Feb 10 10:18:19 2017 +0800

----------------------------------------------------------------------
 src/backend/catalog/aclchk.c | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/63c85628/src/backend/catalog/aclchk.c
----------------------------------------------------------------------
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 3ab3248..416e0c4 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -2715,9 +2715,9 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
    */
   if (information_schema_namespcace_oid == 0)
   {
-	  information_schema_namespcace_oid = (int)get_namespace_oid("information_schema");
+      information_schema_namespcace_oid = (int)get_namespace_oid("information_schema");
   }
-  /*for heap table, we fall back to native check.*/
+  /* for heap table, we fall back to native check. */
   if (objkind == ACL_KIND_CLASS)
   {
     char relstorage = get_rel_relstorage(obj_oid);
@@ -2728,21 +2728,26 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
   }
   else if (objkind == ACL_KIND_NAMESPACE)
   {
-	/*native check build-in schemas.*/
+    /* native check build-in schemas. */
     if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == information_schema_namespcace_oid
-    		|| obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == PG_TOAST_NAMESPACE
-			|| obj_oid == PG_BITMAPINDEX_NAMESPACE)
+            || obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == PG_TOAST_NAMESPACE
+            || obj_oid == PG_BITMAPINDEX_NAMESPACE)
     {
       return true;
     }
+    else if (obj_oid == PG_PUBLIC_NAMESPACE && superuser())
+    {
+      /* superuser's access to PUBLIC */
+      return true;
+    }
   }
   else if (objkind == ACL_KIND_PROC)
   {
-	/*native check functions under build-in schemas.*/
+    /* native check functions under build-in schemas. */
     Oid namespaceid = get_func_namespace(obj_oid);
     if (namespaceid == PG_CATALOG_NAMESPACE || namespaceid == information_schema_namespcace_oid
-			|| namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid == PG_TOAST_NAMESPACE
-			|| namespaceid == PG_BITMAPINDEX_NAMESPACE)
+            || namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid == PG_TOAST_NAMESPACE
+            || namespaceid == PG_BITMAPINDEX_NAMESPACE)
     {
       return true;
     }
@@ -2848,16 +2853,17 @@ pg_rangercheck(AclObjectKind objkind, Oid object_oid, Oid roleid,
 	List* actions = getActionName(mask);
 	bool isAll = (how == ACLMASK_ALL) ? true: false;
 
-	elog(DEBUG3, "ranger acl check kind: %d, object name: %s, role: %s, mask: %u\n", objkind, objectname, rolename, mask);
+	elog(DEBUG3, "ranger acl check kind: %d, object name: %s, object oid:%d, role: %s, mask: %u\n",
+			objkind, objectname, object_oid, rolename, mask);
 
 	List *resultargs = NIL;
-    RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) palloc(sizeof(RangerPrivilegeResults));
-    aclresult->result = RANGERCHECK_NO_PRIV;
-    aclresult->relOid = object_oid;
+	RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) palloc(sizeof(RangerPrivilegeResults));
+	aclresult->result = RANGERCHECK_NO_PRIV;
+	aclresult->relOid = object_oid;
 	/* this two sign fields will be set in function create_ranger_request_json */
 	aclresult->resource_sign = 0;
 	aclresult->privilege_sign = 0;
-    resultargs = lappend(resultargs, aclresult);
+	resultargs = lappend(resultargs, aclresult);
 
 	List *requestargs = NIL;
 	RangerRequestJsonArgs *requestarg = (RangerRequestJsonArgs *) palloc(sizeof(RangerRequestJsonArgs));