Posted to codereview@trafodion.apache.org by robertamarton <gi...@git.apache.org> on 2016/01/23 01:13:53 UTC

[GitHub] incubator-trafodion pull request: Privilege fixes for TRAFODION-12...

GitHub user robertamarton opened a pull request:

    https://github.com/apache/incubator-trafodion/pull/281

    Privilege fixes for TRAFODION-12, TRAFODION-1761, and TRAFODION-1773

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/robertamarton/incubator-trafodion priv-fixes

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-trafodion/pull/281.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #281
    
----
commit 356925572d80f940fb9e3c08c1db680083b2169f
Author: Roberta Marton <ro...@apache.org>
Date:   2016-01-21T17:19:55Z

    Merge branch 'master' into priv-fixes

commit 8652aeb8294f525ca004ae872bd96d3c4158905b
Author: Roberta Marton <ro...@apache.org>
Date:   2016-01-23T00:12:12Z

    Privilege fixes for TRAFODION-12, TRAFODION-1761, and TRAFODION-1773
    
    TRAFODION-12 Grant Revoke Enhancements
    
    -- Revoke: added code to verify that when column privileges are revoked then
       the remaining grants are still intact.  It does this by starting at the
       beginning of the privilege tree and rebuilding it from top to bottom with
       the requested privilege changes.  If the revoke causes part of the tree to
       be inaccessible (a broken branch), the revoke operation fails.
    
    TRAFODION-1761 Grant and Revoke on table with referencing views does not work
    
    -- When granting INSERT, UPDATE, or DELETE object privilege(s) on a table that
       is referenced by one or more views, then the privilege should be granted on
       any updatable views that reference the table.  The grant request to these
       views should be executed as though the current user is _SYSTEM. Similarly
       for revokes.
    
    -- If the grant is performed that adds the WITH GRANT OPTION, then
       the WITH GRANT OPTION is to be added to the referencing views.  The
       grant request should be executed as though the current user is _SYSTEM.
       Similarly for revokes.
    
    -- The problem was caused by the incorrect grantor being processed. So, added
       a new field to the ObjectUsage structure that tells grant/revoke that
       the grantor should be the system user. Also added change to not propagate
       update privileges on non-updatable views.
    
    -- The checkin fixes object privileges; however, work is still needed to
       support column level privileges and a mix between column and object level.
    
    TRAFODION-1773 Internal error to revoke role with restrict option when there is
    dependent view
    
    -- There is code (PrivMgrRoles) that determines if a specific user that owns
       objects whose existence depend upon a privilege granted to the specified role
       can be revoked.  This code did not consider views as a referenced object type.
    
    Cleaned up PrivMgrDesc.h & PrivMgrDesc.cpp:
    
    -- remove unused grantee field
    -- added columnOrdinal which will be used to fix column privs for TRAFODION 1761
    -- replaced std::bitset<NBR_OF_PRIVS> with the define PrivMgrBitmap

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
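
The revoke check described in the TRAFODION-12 part of the commit message (rebuild the privilege tree from the top and fail the revoke if a branch is left broken), as an added example that is not code from this pull request or from Trafodion. The Grant struct, the 4-bit Bitmap and the function names are hypothetical, and the sample grants in main() are constructed.

```cpp
#include <bitset>
#include <map>
#include <string>
#include <vector>

// Hypothetical model for illustration; not Trafodion's PrivMgr classes.
using Bitmap = std::bitset<4>;  // assumed bits: SELECT, INSERT, UPDATE, DELETE
struct Grant {
    std::string grantor, grantee;
    Bitmap privs;      // privileges granted
    Bitmap grantable;  // subset granted WITH GRANT OPTION
};

// Rebuild the tree from the owner (root) down. A grant stays valid only if
// its grantor provably holds each privilege WITH GRANT OPTION.
bool treeIntact(const std::string& owner, const std::vector<Grant>& grants) {
    std::map<std::string, Bitmap> canGrant;
    canGrant[owner].set();                   // the owner can grant everything
    for (bool changed = true; changed;) {    // iterate to a fixed point
        changed = false;
        for (const Grant& g : grants) {
            Bitmap add = g.privs & g.grantable & canGrant[g.grantor] & ~canGrant[g.grantee];
            if (add.any()) { canGrant[g.grantee] |= add; changed = true; }
        }
    }
    for (const Grant& g : grants)
        if ((g.privs & ~canGrant[g.grantor]).any()) return false;  // broken branch
    return true;
}

// Apply the revoke to a copy, rebuild, and commit only if nothing is orphaned.
bool revokeRestrict(const std::string& owner, std::vector<Grant>& grants,
                    const std::string& grantor, const std::string& grantee, Bitmap privs) {
    std::vector<Grant> next;
    for (Grant g : grants) {
        if (g.grantor == grantor && g.grantee == grantee) {
            g.privs &= ~privs;
            g.grantable &= ~privs;
        }
        if (g.privs.any()) next.push_back(g);
    }
    if (!treeIntact(owner, next)) return false;  // revoke fails, grants untouched
    grants = next;
    return true;
}

int main() {  // constructed sample: owner -> alice (with grant option) -> bob
    std::vector<Grant> g = {{"owner", "alice", Bitmap(1), Bitmap(1)}, {"alice", "bob", Bitmap(1), Bitmap()}};
    return revokeRestrict("owner", g, "owner", "alice", Bitmap(1)) ? 1 : 0;  // refused: exit 0
}
```

Because the rebuild starts only from the owner, two grantees who granted a privilege to each other cannot keep it alive once the owner's grant is gone.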

[GitHub] incubator-trafodion pull request: Privilege fixes for TRAFODION-12...

Posted by DaveBirdsall <gi...@git.apache.org>.
Github user DaveBirdsall commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/281#discussion_r50744702
  
    --- Diff: core/sql/sqlcomp/PrivMgrMD.cpp ---
    @@ -151,21 +151,19 @@ PrivStatus PrivMgrMDAdmin::initializeComponentPrivileges()
     
     {
     
    -// First, let's start with a clean slate.  Drop all components as well as 
    -// their respective operations and and any privileges granted.  This should be  
    -// a NOP unless PrivMgr metadata was damaged and reintialization is occurring.
    -
    -PrivMgrComponents components(metadataLocation_,pDiags_);
    -
    -   components.dropAll();
    -   
     // Next, register the component.
     
     PrivStatus privStatus = STATUS_GOOD;
     
    +   // First, let's start with a clean slate.  Drop all components as well as 
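Review bot: The added comment "First, let's start with a clean slate" now sits below "// Next, register the component." and below the privStatus declaration, so the comments describe the steps in the reverse of the order the code runs them; reword both (for example, drop "First" and "Next") as part of the move. The removed components.dropAll(); statement discarded whatever the call returns; if the drop is re-added under the new comment and it returns a status, assign it to privStatus, which is now declared above it, and check it before registering the component. The removed comment also contains "and and" and "reintialization", which should be corrected rather than copied to the new location.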
    --- End diff --
    
    Comments need a little wordsmithing perhaps. (We have "First" coming after "Next".)



[GitHub] incubator-trafodion pull request: Privilege fixes for TRAFODION-12...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-trafodion/pull/281

