Posted to derby-commits@db.apache.org by da...@apache.org on 2010/06/07 15:51:09 UTC
svn commit: r952227 [1/2] - in /db/derby/code/trunk/java:
engine/org/apache/derby/catalog/types/ engine/org/apache/derby/iapi/sql/conn/
engine/org/apache/derby/iapi/sql/dictionary/
engine/org/apache/derby/impl/jdbc/ engine/org/apache/derby/impl/sql/cat...
Author: dag
Date: Mon Jun 7 13:51:07 2010
New Revision: 952227
URL: http://svn.apache.org/viewvc?rev=952227&view=rev
Log:
DERBY-4551 Allow database user to execute stored procedures with same permissions as database owner and/or routine definer
Patch derby-4551-4, which implements the specification attached to
this issue for executing routines with definer's rights, and also adds
tests for this feature. A separate issue has been filed for
documentation changes needed.
Added:
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/RoutinesDefinersRightsTest.java
Modified:
db/derby/code/trunk/java/engine/org/apache/derby/catalog/types/RoutineAliasInfo.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/SQLSessionContext.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/SchemaDescriptor.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementGenericPermission.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementPermission.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRolePermission.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CreateAliasNode.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SpecialFunctionNode.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/SQLSessionContextImpl.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateSchemaConstantAction.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericPrivilegeInfo.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RevokeRoleConstantAction.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetRoleConstantAction.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetSchemaConstantAction.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/store/raw/xact/TransactionTableEntry.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net_territory.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net_territory.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test_territory.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/J2EEDataSourceTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SQLSessionContextTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/_Suite.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/tools/dblook_makeDB.sql
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/upgradeTests/Changes10_7.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/JDBC.java
Modified: db/derby/code/trunk/java/engine/org/apache/derby/catalog/types/RoutineAliasInfo.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/catalog/types/RoutineAliasInfo.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/catalog/types/RoutineAliasInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/catalog/types/RoutineAliasInfo.java Mon Jun 7 13:51:07 2010
@@ -57,6 +57,9 @@ public class RoutineAliasInfo extends Me
private static final short SQL_ALLOWED_MASK = (short) 0xF;
private static final short DETERMINISTIC_MASK = (short) 0x10;
+ /** Mask for the SECURITY INVOKER/DEFINER field */
+ private static final short SECURITY_DEFINER_MASK = (short) 0x20;
+
private int parameterCount;
/**
@@ -93,6 +96,7 @@ public class RoutineAliasInfo extends Me
bits 0-3 sqlAllowed = MODIFIES_SQL_DATA, READS_SQL_DATA,CONTAINS_SQL, or NO_SQL
bit 4 on if function is DETERMINISTIC, off otherwise
+ bit 5 on if running with definer's right, off otherwise
*/
private short sqlOptions;
@@ -120,16 +124,35 @@ public class RoutineAliasInfo extends Me
TypeDescriptor[] parameterTypes, int[] parameterModes, int dynamicResultSets, short parameterStyle, short sqlAllowed,
boolean isDeterministic ) {
- this(methodName, parameterCount, parameterNames, parameterTypes, parameterModes,
- dynamicResultSets, parameterStyle, sqlAllowed, isDeterministic, true, (TypeDescriptor) null);
+ this(methodName,
+ parameterCount,
+ parameterNames,
+ parameterTypes,
+ parameterModes,
+ dynamicResultSets,
+ parameterStyle,
+ sqlAllowed,
+ isDeterministic,
+ false /* definersRights*/,
+ true,
+ (TypeDescriptor) null);
}
/**
Create a RoutineAliasInfo for a PROCEDURE or FUNCTION
*/
- public RoutineAliasInfo(String methodName, int parameterCount, String[] parameterNames,
- TypeDescriptor[] parameterTypes, int[] parameterModes, int dynamicResultSets, short parameterStyle, short sqlAllowed,
- boolean isDeterministic, boolean calledOnNullInput, TypeDescriptor returnType)
+ public RoutineAliasInfo(String methodName,
+ int parameterCount,
+ String[] parameterNames,
+ TypeDescriptor[] parameterTypes,
+ int[] parameterModes,
+ int dynamicResultSets,
+ short parameterStyle,
+ short sqlAllowed,
+ boolean isDeterministic,
+ boolean definersRights,
+ boolean calledOnNullInput,
+ TypeDescriptor returnType)
{
super(methodName);
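Review bot: The new `definersRights` flag sits between two other positional booleans (`isDeterministic`, `calledOnNullInput`) in the full constructor, and the Javadoc above it is still the single line "Create a RoutineAliasInfo for a PROCEDURE or FUNCTION", so nothing tells a caller which boolean is which. Transposing two of them compiles cleanly and would silently change which identity the routine's SQL is authorized against. I would add `@param definersRights true if the routine executes with the privileges of its definer (EXTERNAL SECURITY DEFINER), false for invoker's rights`, and keep an inline `/* definersRights */` marker at every call site, as the shorter constructor in this hunk already does. The constructor body continues beyond the hunk.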
@@ -141,6 +164,11 @@ public class RoutineAliasInfo extends Me
this.parameterStyle = parameterStyle;
this.sqlOptions = (short) (sqlAllowed & SQL_ALLOWED_MASK);
if ( isDeterministic ) { this.sqlOptions = (short) (sqlOptions | DETERMINISTIC_MASK); }
+
+ if (definersRights) {
+ this.sqlOptions = (short) (sqlOptions | SECURITY_DEFINER_MASK);
+ }
+
this.calledOnNullInput = calledOnNullInput;
this.returnType = returnType;
@@ -222,6 +250,11 @@ public class RoutineAliasInfo extends Me
return ( (sqlOptions & DETERMINISTIC_MASK) != 0 );
}
+ public boolean hasDefinersRights()
+ {
+ return ( (sqlOptions & SECURITY_DEFINER_MASK) != 0 );
+ }
+
public boolean calledOnNullInput() {
return calledOnNullInput;
}
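Review bot: `hasDefinersRights()` is added as a public accessor without any Javadoc, while the mask it tests got a comment in the first hunk of this file. A short header would state the contract for callers, for example `/** @return true if the routine runs with its definer's rights (SECURITY_DEFINER_MASK set in sqlOptions), false if it runs with the invoker's rights */`.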
@@ -375,7 +408,10 @@ public class RoutineAliasInfo extends Me
if ( isDeterministic() )
{ sb.append( " DETERMINISTIC " ); }
-
+
+ if ( hasDefinersRights())
+ { sb.append( " EXTERNAL SECURITY DEFINER " ); }
+
sb.append(RoutineAliasInfo.SQL_CONTROL[getSQLAllowed()]);
if ((returnType == null) &&
(dynamicResultSets != 0))
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java Mon Jun 7 13:51:07 2010
@@ -122,11 +122,6 @@ public interface Authorizer
public void authorize(Activation activation, int operation)
throws StandardException;
- /**
- Get the Authorization ID for this Authorizer.
- */
- public String getAuthorizationId();
-
/**
Get the readOnly status for this authorizer's connection.
*/
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java Mon Jun 7 13:51:07 2010
@@ -418,12 +418,21 @@ public interface LanguageConnectionConte
*/
LanguageConnectionFactory getLanguageConnectionFactory();
- /**
- * Get the Authorization Id
- *
- * @return String the authorization id
- */
- public String getAuthorizationId();
+ /**
+ * Get the Authorization Id of the current user
+ *
+ * @param a activation
+ * @return String the authorization id
+ */
+ public String getCurrentUserId(Activation a);
+
+ /**
+ * Get the Authorization Id of the session user
+ *
+ * @return String the authorization id
+ */
+ public String getSessionUserId();
+
/**
* Get the default schema (used at compile-time when no activation
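Review bot: The Javadoc for `getCurrentUserId(Activation a)` and `getSessionUserId()` does not say how the two identities differ, yet every authorization call site in this commit has to pick one of them. I would extend the first to something like `Get the authorization id that privilege checks apply to for the given activation; inside a routine running with definer's rights this is the definer, otherwise the session user`, and the second to `Get the authorization id the connection was established with; not affected by definer's rights`. That wording is inferred from the commit log and should be checked against the implementation, which is not in this hunk. `@param a activation` should also state whether `a` may be null and what is returned in that case.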
@@ -1131,12 +1140,14 @@ public interface LanguageConnectionConte
* This method will read (potentially) the dictionary, so it needs
* a transaction context.
*
+ * @param a activation
* @param role string containing role name
*
* @return true if the role can be set
* @throws StandardException standard exception policy
*/
- public boolean roleIsSettable(String role) throws StandardException;
+ public boolean roleIsSettable(Activation a, String role)
+ throws StandardException;
/**
* Create a new SQL session context for the current activation on the basis
@@ -1155,8 +1166,13 @@ public interface LanguageConnectionConte
* @see #setupSubStatementSessionContext
*
* @param a activation of the statement which performs the call.
+ * @param true if the method should run with definer's rights
+ * @param definer authorization id of the definer
*/
- public void setupNestedSessionContext(Activation a);
+ public void setupNestedSessionContext(Activation a,
+ boolean definersRights,
+ String definer)
+ throws StandardException;
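Review bot: The added tag `@param true if the method should run with definer's rights` has no parameter name, so Javadoc will read `true` as the name and the `definersRights` argument stays undocumented. It should read `@param definersRights true if the method should run with definer's rights`. The `definer` tag would also benefit from saying what callers pass when `definersRights` is false, e.g. `@param definer authorization id of the definer; ignored if definersRights is false` (to be confirmed against the implementation). The new `throws StandardException` has no matching `@throws` line either.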
/**
* Get the value of top level session context of the top level connection.
@@ -1184,7 +1200,8 @@ public interface LanguageConnectionConte
* </ul>
* @see #setupNestedSessionContext
*/
- public void setupSubStatementSessionContext(Activation a);
+ public void setupSubStatementSessionContext(Activation a)
+ throws StandardException;
/**
* Create a fresh SQLSessionContext for this connection.
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/SQLSessionContext.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/SQLSessionContext.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/SQLSessionContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/SQLSessionContext.java Mon Jun 7 13:51:07 2010
@@ -70,7 +70,6 @@ public interface SQLSessionContext {
/**
* Set the SQL role of this SQL connection context
- * The empty string is returned if role is NONE.
*/
public void setRole(String role);
@@ -80,6 +79,16 @@ public interface SQLSessionContext {
public String getRole();
/**
+ * Set the SQL current user of this SQL connection context
+ */
+ public void setUser(String user);
+
+ /**
+ * Get the SQL current user of this SQL connection context
+ */
+ public String getCurrentUser();
+
+ /**
* Set the schema of this SQL connection context
*/
public void setDefaultSchema(SchemaDescriptor sd);
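Review bot: The new accessor pair is named asymmetrically, `setUser(String)` against `getCurrentUser()`, while the neighbouring pair is `setRole`/`getRole`. A matching `setCurrentUser` would be easier to find and harder to confuse with the session user. Since this setter changes the identity that privilege checks run against, its Javadoc should also say who is expected to call it, for example `Set the SQL current user of this SQL session context; intended to be called only when a session context is created or pushed for a routine call` (inferred from `setupNestedSessionContext` in this commit, so confirm before adopting).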
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/SchemaDescriptor.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/SchemaDescriptor.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/SchemaDescriptor.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/SchemaDescriptor.java Mon Jun 7 13:51:07 2010
@@ -172,8 +172,8 @@ public final class SchemaDescriptor exte
*
* @param dataDictionary
* @param name The schema descriptor for this table.
+ * @param aid The authorization id
* @param oid The object id
- * @param aid The authorizatin id
* @param isSystem boolean, true iff this is a system schema, like SYS,
* SYSIBM, SYSCAT, SYSFUN, ....
*/
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java Mon Jun 7 13:51:07 2010
@@ -89,7 +89,6 @@ public class StatementColumnPermission e
* @see StatementPermission#check
*/
public void check( LanguageConnectionContext lcc,
- String authorizationId,
boolean forGrant,
Activation activation)
throws StandardException
@@ -97,11 +96,12 @@ public class StatementColumnPermission e
DataDictionary dd = lcc.getDataDictionary();
ExecPreparedStatement ps = activation.getPreparedStatement();
- if (hasPermissionOnTable(lcc, activation,
- authorizationId, forGrant, ps)) {
+ if (hasPermissionOnTable(lcc, activation, forGrant, ps)) {
return;
}
+ String currentUserId = lcc.getCurrentUserId(activation);
+
FormatableBitSet permittedColumns = null;
if( ! forGrant)
{
@@ -111,7 +111,7 @@ public class StatementColumnPermission e
permittedColumns);
permittedColumns = addPermittedColumns( dd,
false /* non-grantable permissions */,
- authorizationId,
+ currentUserId,
permittedColumns);
}
permittedColumns = addPermittedColumns( dd,
@@ -120,7 +120,7 @@ public class StatementColumnPermission e
permittedColumns);
permittedColumns = addPermittedColumns( dd,
true /* grantable permissions */,
- authorizationId,
+ currentUserId,
permittedColumns);
//DERBY-4191
@@ -162,7 +162,7 @@ public class StatementColumnPermission e
// session, is lazily set to none when it is attempted
// used.
String dbo = dd.getAuthorizationDatabaseOwner();
- rd = dd.getRoleGrantDescriptor(role, authorizationId, dbo);
+ rd = dd.getRoleGrantDescriptor(role, currentUserId, dbo);
if (rd == null) {
rd = dd.getRoleGrantDescriptor
@@ -236,7 +236,7 @@ public class StatementColumnPermission e
if (privType == Authorizer.MIN_SELECT_PRIV)
throw StandardException.newException( forGrant ? SQLState.AUTH_NO_TABLE_PERMISSION_FOR_GRANT
: SQLState.AUTH_NO_TABLE_PERMISSION,
- authorizationId,
+ currentUserId,
getPrivName(),
td.getSchemaName(),
td.getName());
@@ -255,7 +255,7 @@ public class StatementColumnPermission e
(forGrant
? SQLState.AUTH_NO_COLUMN_PERMISSION_FOR_GRANT
: SQLState.AUTH_NO_COLUMN_PERMISSION),
- authorizationId,
+ currentUserId,
getPrivName(),
cd.getColumnName(),
td.getSchemaName(),
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementGenericPermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementGenericPermission.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementGenericPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementGenericPermission.java Mon Jun 7 13:51:07 2010
@@ -64,11 +64,10 @@ public final class StatementGenericPermi
* @see StatementPermission#check
*/
public void check( LanguageConnectionContext lcc,
- String authorizationId,
boolean forGrant,
Activation activation) throws StandardException
{
- genericCheck( lcc, authorizationId, forGrant, activation, _privilege );
+ genericCheck( lcc, forGrant, activation, _privilege );
}
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementPermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementPermission.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementPermission.java Mon Jun 7 13:51:07 2010
@@ -48,14 +48,12 @@ public abstract class StatementPermissio
}
/**
* @param lcc LanguageConnectionContext
- * @param authorizationId AuthorizationId
* @param forGrant
* @param activation activation for statement needing check
*
* @exception StandardException if the permission has not been granted
*/
public abstract void check( LanguageConnectionContext lcc,
- String authorizationId,
boolean forGrant,
Activation activation) throws StandardException;
@@ -108,7 +106,6 @@ public abstract class StatementPermissio
public void genericCheck
(
LanguageConnectionContext lcc,
- String authorizationId,
boolean forGrant,
Activation activation,
String privilegeType )
@@ -117,8 +114,9 @@ public abstract class StatementPermissio
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
ExecPreparedStatement ps = activation.getPreparedStatement();
-
- PermissionsDescriptor perm = getPermissionDescriptor( authorizationId, dd );
+
+ PermissionsDescriptor perm =
+ getPermissionDescriptor( lcc.getCurrentUserId(activation), dd );
if( !isCorrectPermission( perm ) ) { perm = getPermissionDescriptor(Authorizer.PUBLIC_AUTHORIZATION_ID, dd ); }
// if the user has the correct permission, we're done
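Review bot: `genericCheck` now calls `lcc.getCurrentUserId(activation)` separately for the permission lookup here, for the role-grant lookup in the hunk at -138, and for the error message in the hunk at -211. `StatementColumnPermission.check` and `StatementSchemaPermission.check` in this same commit resolve it once into a local instead. Doing the same here, `String currentUserId = lcc.getCurrentUserId(activation);` at the top and using the local at all three places, keeps the classes consistent. It also guarantees that the identity named in the denial message is the one that was actually checked. The method body starts and ends outside these hunks.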
@@ -138,7 +136,7 @@ public abstract class StatementPermissio
// used.
String dbo = dd.getAuthorizationDatabaseOwner();
RoleGrantDescriptor rd = dd.getRoleGrantDescriptor
- (role, authorizationId, dbo);
+ (role, lcc.getCurrentUserId(activation), dbo);
if (rd == null) {
rd = dd.getRoleGrantDescriptor(
@@ -211,7 +209,7 @@ public abstract class StatementPermissio
(forGrant
? SQLState.AUTH_NO_GENERIC_PERMISSION_FOR_GRANT
: SQLState.AUTH_NO_GENERIC_PERMISSION),
- authorizationId,
+ lcc.getCurrentUserId(activation),
privilegeType,
getObjectType(),
sd.getSchemaName(),
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRolePermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRolePermission.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRolePermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRolePermission.java Mon Jun 7 13:51:07 2010
@@ -54,7 +54,6 @@ public class StatementRolePermission ext
* @see StatementPermission#check
*/
public void check(LanguageConnectionContext lcc,
- String authid,
boolean forGrant,
Activation activation
) throws StandardException
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java Mon Jun 7 13:51:07 2010
@@ -1,3 +1,4 @@
+
/*
Derby - Class org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission
@@ -60,11 +61,10 @@ public final class StatementRoutinePermi
* @see StatementPermission#check
*/
public void check( LanguageConnectionContext lcc,
- String authorizationId,
boolean forGrant,
Activation activation) throws StandardException
{
- genericCheck( lcc, authorizationId, forGrant, activation, "EXECUTE" );
+ genericCheck( lcc, forGrant, activation, "EXECUTE" );
}
/**
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java Mon Jun 7 13:51:07 2010
@@ -61,13 +61,12 @@ public class StatementSchemaPermission e
* @see StatementPermission#check
*/
public void check( LanguageConnectionContext lcc,
- String authid,
boolean forGrant,
Activation activation) throws StandardException
{
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
-
+ String currentUserId = lcc.getCurrentUserId(activation);
switch ( privType )
{
case Authorizer.MODIFY_SCHEMA_PRIV:
@@ -79,19 +78,25 @@ public class StatementSchemaPermission e
if (sd == null)
return;
- if (!authid.equals(sd.getAuthorizationId()))
+ if (!currentUserId.equals(sd.getAuthorizationId()))
throw StandardException.newException(
- SQLState.AUTH_NO_ACCESS_NOT_OWNER, authid, schemaName);
+ SQLState.AUTH_NO_ACCESS_NOT_OWNER,
+ currentUserId,
+ schemaName);
break;
case Authorizer.CREATE_SCHEMA_PRIV:
- // Non-DBA Users can only create schemas that match their authid
- // Also allow only DBA to set authid to another user
- // Note that for DBA, check interface wouldn't be called at all
- if ( !schemaName.equals(authid) ||
- (aid != null && !aid.equals(authid)) )
- throw StandardException.newException(
- SQLState.AUTH_NOT_DATABASE_OWNER, authid, schemaName);
+ // Non-DBA Users can only create schemas that match their
+ // currentUserId Also allow only DBA to set currentUserId to
+ // another user Note that for DBA, check interface wouldn't be
+ // called at all
+ if ( !schemaName.equals(currentUserId) ||
+ (aid != null && !aid.equals(currentUserId)) )
+
+ throw StandardException.newException(
+ SQLState.AUTH_NOT_DATABASE_OWNER,
+ currentUserId,
+ schemaName);
break;
default:
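Review bot: The rewrapped comment in the `CREATE_SCHEMA_PRIV` branch lost its sentence breaks and was caught by the `authid` to `currentUserId` rename, so it now reads "Also allow only DBA to set currentUserId to another user". That is not what the condition tests, since the second clause compares `aid` with the current user. I would restore three separate sentences: `// Non-DBA users can only create schemas whose name matches their own id.` `// Only the DBA may give the schema an authorization id (aid) other than their own.` `// For the DBA this check is not called at all.` Whether that DBA bypass keys on the session user or on the current user is not visible in this hunk; under definer's rights the two can differ, so the comment should say which. The multi-line `throw` after the unbraced `if` and a blank line would also read more safely inside braces.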
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java Mon Jun 7 13:51:07 2010
@@ -110,7 +110,6 @@ public class StatementTablePermission ex
* @see StatementPermission#check
*/
public void check( LanguageConnectionContext lcc,
- String authorizationId,
boolean forGrant,
Activation activation)
throws StandardException
@@ -118,15 +117,15 @@ public class StatementTablePermission ex
DataDictionary dd = lcc.getDataDictionary();
ExecPreparedStatement ps = activation.getPreparedStatement();
- if (!hasPermissionOnTable(lcc, activation,
- authorizationId, forGrant, ps)) {
+ if (!hasPermissionOnTable(lcc, activation, forGrant, ps)) {
TableDescriptor td = getTableDescriptor( dd);
- throw StandardException.newException( forGrant ? SQLState.AUTH_NO_TABLE_PERMISSION_FOR_GRANT
- : SQLState.AUTH_NO_TABLE_PERMISSION,
- authorizationId,
- getPrivName(),
- td.getSchemaName(),
- td.getName());
+ throw StandardException.newException(
+ (forGrant ? SQLState.AUTH_NO_TABLE_PERMISSION_FOR_GRANT
+ : SQLState.AUTH_NO_TABLE_PERMISSION),
+ lcc.getCurrentUserId(activation),
+ getPrivName(),
+ td.getSchemaName(),
+ td.getName());
}
} // end of check
@@ -145,26 +144,25 @@ public class StatementTablePermission ex
*
* @param lcc the current language connection context
* @param activation the activation of ps
- * @param authorizationId the id of the current user
* @param forGrant true if FOR GRANT is required
* @param ps the prepared statement for which we are checking necessary
* privileges
*/
protected boolean hasPermissionOnTable(LanguageConnectionContext lcc,
Activation activation,
- String authorizationId,
boolean forGrant,
ExecPreparedStatement ps)
throws StandardException
{
DataDictionary dd = lcc.getDataDictionary();
+ String currentUserId = lcc.getCurrentUserId(activation);
boolean result =
oneAuthHasPermissionOnTable(dd,
Authorizer.PUBLIC_AUTHORIZATION_ID,
forGrant) ||
oneAuthHasPermissionOnTable(dd,
- authorizationId,
+ currentUserId,
forGrant);
if (!result) {
// Since no permission exists for the current user or PUBLIC,
@@ -179,7 +177,7 @@ public class StatementTablePermission ex
// used.
String dbo = dd.getAuthorizationDatabaseOwner();
RoleGrantDescriptor rd = dd.getRoleGrantDescriptor
- (role, authorizationId, dbo);
+ (role, currentUserId, dbo);
if (rd == null) {
rd = dd.getRoleGrantDescriptor(
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java Mon Jun 7 13:51:07 2010
@@ -1243,7 +1243,7 @@ public abstract class EmbedConnection im
try {
tr.startTransaction();
LanguageConnectionContext lcc = tr.getLcc();
- String username = lcc.getAuthorizationId();
+ String username = lcc.getSessionUserId();
DataDictionary dd = lcc.getDataDictionary();
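Review bot: Both replacements in this file (here and in `checkIsDBOwner` in the next hunk) choose `getSessionUserId()` rather than `getCurrentUserId(...)`, but nothing at either site records why. For the database-owner check that choice matters: if it were later changed to the current user, code running inside a definer's-rights routine owned by the database owner could pass `actualId.equals(dbOwnerId)`. A one-line comment at each site would guard against that, for example `// Connection-level check: always the session user, never the definer of a running routine.` The enclosing method of this first hunk starts outside the hunk, so its purpose is not visible here.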
@@ -1291,7 +1291,7 @@ public abstract class EmbedConnection im
private void checkIsDBOwner(int operation) throws SQLException
{
final LanguageConnectionContext lcc = getLanguageConnection();
- final String actualId = lcc.getAuthorizationId();
+ final String actualId = lcc.getSessionUserId();
final String dbOwnerId = lcc.getDataDictionary().
getAuthorizationDatabaseOwner();
if (!actualId.equals(dbOwnerId)) {
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java Mon Jun 7 13:51:07 2010
@@ -2509,6 +2509,7 @@ public final class DataDictionaryImpl
oldRai.getParameterStyle(),
oldRai.getSQLAllowed(),
oldRai.isDeterministic(),
+ oldRai.hasDefinersRights(),
oldRai.calledOnNullInput(),
newReturnType
);
@@ -7022,6 +7023,7 @@ public final class DataDictionaryImpl
paramCount, paramNames,
pt, paramModes, 0,
RoutineAliasInfo.PS_JAVA, RoutineAliasInfo.NO_SQL, isDeterministic,
+ false, /* hasDefinersRights */
false, rt);
// details[2] = class name
@@ -9839,6 +9841,7 @@ public final class DataDictionaryImpl
// CONTAINS_SQL
// NO_SQL
isDeterministic, // whether the procedure/function is DETERMINISTIC
+ false, // not definer's rights
true, // true - calledOnNullInput
return_type);
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CreateAliasNode.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CreateAliasNode.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CreateAliasNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CreateAliasNode.java Mon Jun 7 13:51:07 2010
@@ -64,8 +64,14 @@ public class CreateAliasNode extends DDL
public static final int DETERMINISTIC = SQL_CONTROL + 1;
public static final int NULL_ON_NULL_INPUT = DETERMINISTIC + 1;
public static final int RETURN_TYPE = NULL_ON_NULL_INPUT + 1;
- public static final int ROUTINE_ELEMENT_COUNT = RETURN_TYPE + 1;
-
+ public static final int ROUTINE_SECURITY_DEFINER = RETURN_TYPE + 1;
+
+ // Keep ROUTINE_ELEMENT_COUNT last (determines set cardinality).
+ // Note: Remember to also update the map ROUTINE_CLAUSE_NAMES in
+ // sqlgrammar.jj when elements are added.
+ public static final int ROUTINE_ELEMENT_COUNT =
+ ROUTINE_SECURITY_DEFINER + 1;
+
private String javaClassName;
private String methodName;
private char aliasType;
@@ -198,6 +204,12 @@ public class CreateAliasNode extends DDL
Boolean isDeterministicO = (Boolean) routineElements[DETERMINISTIC];
boolean isDeterministic = (isDeterministicO == null) ? false : isDeterministicO.booleanValue();
+ Boolean definersRightsO =
+ (Boolean) routineElements[ROUTINE_SECURITY_DEFINER];
+ boolean definersRights =
+ (definersRightsO == null) ? false :
+ definersRightsO.booleanValue();
+
Boolean calledOnNullInputO = (Boolean) routineElements[NULL_ON_NULL_INPUT];
boolean calledOnNullInput;
if (calledOnNullInputO == null)
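Review bot: The default for a routine declared without a security clause is decided by the `definersRightsO == null` test, but it is not stated anywhere in the code. Since it selects the less privileged mode, a short comment would make clear that this is deliberate and should not be flipped: `// No EXTERNAL SECURITY clause given: default to invoker's rights.` The surrounding method starts and ends outside the hunk.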
@@ -216,9 +228,20 @@ public class CreateAliasNode extends DDL
returnType = dtd.getCatalogType();
}
- aliasInfo = new RoutineAliasInfo(this.methodName, paramCount, names, types, modes, drs,
- ((Short) routineElements[PARAMETER_STYLE]).shortValue(), // parameter style
- sqlAllowed, isDeterministic, calledOnNullInput, returnType );
+ aliasInfo = new RoutineAliasInfo(
+ this.methodName,
+ paramCount,
+ names,
+ types,
+ modes,
+ drs,
+ // parameter style:
+ ((Short) routineElements[PARAMETER_STYLE]).shortValue(),
+ sqlAllowed,
+ isDeterministic,
+ definersRights,
+ calledOnNullInput,
+ returnType );
implicitCreateSchema = true;
}
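Review bot: `isDeterministic`, `definersRights` and `calledOnNullInput` reach the `RoutineAliasInfo` constructor as three adjacent positional booleans, so two of them swapped would still compile and could silently change a routine's security characteristic. Since the call is now one argument per line, label each flag the way the `// parameter style:` line already does, e.g. `definersRights, // EXTERNAL SECURITY DEFINER`. The enclosing method starts outside this hunk.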
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java Mon Jun 7 13:51:07 2010
@@ -24,6 +24,7 @@ package org.apache.derby.impl.sql.compil
import org.apache.derby.iapi.sql.compile.CompilerContext;
import org.apache.derby.iapi.sql.conn.Authorizer;
import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
+import org.apache.derby.iapi.sql.conn.StatementContext;
import org.apache.derby.iapi.sql.execute.ConstantAction;
import org.apache.derby.iapi.error.StandardException;
@@ -61,7 +62,8 @@ public class DropSchemaNode extends DDLS
{
LanguageConnectionContext lcc = getLanguageConnectionContext();
-
+ StatementContext stx = lcc.getStatementContext();
+ String currentUser = stx.getSQLSessionContext().getCurrentUser();
/*
** Users are not permitted to drop
** the SYS or APP schemas.
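Review bot: `stx.getSQLSessionContext().getCurrentUser()` dereferences two results without a null check and reads the session context through the statement context rather than through an accessor on `lcc`. If either can be null while this node is bound (not visible from the hunk), DROP SCHEMA would fail with a NullPointerException instead of a StandardException. The value is only used inside the `isPrivilegeCollectionRequired()` block of the next hunk, so the two lines could move there, with a comment such as `// current user at bind time; differs from the session user inside a definer's rights routine`. The method body starts and ends outside the hunk.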
@@ -80,7 +82,7 @@ public class DropSchemaNode extends DDLS
if (isPrivilegeCollectionRequired())
{
getCompilerContext().addRequiredSchemaPriv(schemaName,
- lcc.getAuthorizationId(),
+ currentUser,
Authorizer.DROP_SCHEMA_PRIV);
}
}
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SpecialFunctionNode.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SpecialFunctionNode.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SpecialFunctionNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SpecialFunctionNode.java Mon Jun 7 13:51:07 2010
@@ -124,16 +124,14 @@ public class SpecialFunctionNode extends
{
case C_NodeTypes.USER_NODE:
case C_NodeTypes.CURRENT_USER_NODE:
- case C_NodeTypes.SESSION_USER_NODE:
case C_NodeTypes.SYSTEM_USER_NODE:
switch (nodeType)
{
case C_NodeTypes.USER_NODE: sqlName = "USER"; break;
case C_NodeTypes.CURRENT_USER_NODE: sqlName = "CURRENT_USER"; break;
- case C_NodeTypes.SESSION_USER_NODE: sqlName = "SESSION_USER"; break;
case C_NodeTypes.SYSTEM_USER_NODE: sqlName = "SYSTEM_USER"; break;
}
- methodName = "getAuthorizationId";
+ methodName = "getCurrentUserId";
methodType = "java.lang.String";
//SQL spec Section 6.4 Syntax Rule 4 says that the collation type
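Review bot: `SYSTEM_USER_NODE` stays in the group that now calls `getCurrentUserId`, so inside a routine declared with definer's rights SYSTEM_USER would presumably report the definer, like USER and CURRENT_USER, while only SESSION_USER keeps the connection's identity. If that is intended, say so next to the case label, e.g. `// SYSTEM_USER follows CURRENT_USER, not SESSION_USER`. If it is not, it belongs with the SESSION_USER case added in the next hunk. The switch starts outside this hunk.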
@@ -144,6 +142,13 @@ public class SpecialFunctionNode extends
dtd = DataDictionary.TYPE_SYSTEM_IDENTIFIER;
break;
+ case C_NodeTypes.SESSION_USER_NODE:
+ methodName = "getSessionUserId";
+ methodType = "java.lang.String";
+ sqlName = "SESSION_USER";
+ dtd = DataDictionary.TYPE_SYSTEM_IDENTIFIER;
+ break;
+
case C_NodeTypes.CURRENT_SCHEMA_NODE:
sqlName = "CURRENT SCHEMA";
methodName = "getCurrentSchemaName";
@@ -235,7 +240,8 @@ public class SpecialFunctionNode extends
int argCount = 0;
if (methodName.equals("getCurrentRoleIdDelimited") ||
- methodName.equals("getCurrentSchemaName")) {
+ methodName.equals("getCurrentSchemaName") ||
+ methodName.equals("getCurrentUserId")) {
acb.pushThisAsActivation(mb);
argCount++;
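Review bot: Whether the activation is pushed is decided by comparing `methodName` with string literals, so this list has to be edited by hand each time a context method gains an `Activation` parameter, as `getCurrentUserId` did here. `getSessionUserId` is correctly left out because it takes no argument, but nothing ties that fact to this condition. A boolean set next to `methodName` where the node is bound would keep the two decisions together. The method starts and ends outside the hunk.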
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java Mon Jun 7 13:51:07 2010
@@ -129,6 +129,10 @@ public class StaticMethodCallNode extend
*/
private LocalField returnsNullOnNullState;
+ /**
+ * Authorization id of user owning schema in which routine is defined.
+ */
+ private String routineDefiner = null;
AliasDescriptor ad;
@@ -646,6 +650,8 @@ public class StaticMethodCallNode extend
if (sd.isSystemSchema() && (routineInfo.getReturnType() == null) && routineInfo.getSQLAllowed() != RoutineAliasInfo.NO_SQL)
isSystemCode = true;
+ routineDefiner = sd.getAuthorizationId();
+
break;
}
}
@@ -662,8 +668,11 @@ public class StaticMethodCallNode extend
* @param acb activation class builder
* @param mb method builder
*/
- private void generateSetupNestedSessionContext(ActivationClassBuilder acb,
- MethodBuilder mb) {
+ private void generateSetupNestedSessionContext(
+ ActivationClassBuilder acb,
+ MethodBuilder mb,
+ boolean hadDefinersRights,
+ String definer) throws StandardException {
// Generates the following Java code:
// ((Activation)this).getLanguageConnectionContext().
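Review bot: The Javadoc above the method documents only `acb` and `mb`; the two new parameters and the new `throws StandardException` are undocumented. Add `@param hadDefinersRights true if the routine is declared with definer's rights`, `@param definer authorization id to run as when definer's rights apply`, and a `@throws StandardException` line. The name `hadDefinersRights` is also at odds with `routineInfo.hasDefinersRights()` used by the caller in the last hunk of this file; `hasDefinersRights` would read more naturally. The "Generates the following Java code" comment continues outside the hunk and should show the two extra arguments.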
@@ -674,9 +683,11 @@ public class StaticMethodCallNode extend
"getLanguageConnectionContext",
ClassName.LanguageConnectionContext, 0);
acb.pushThisAsActivation(mb);
+ mb.push(hadDefinersRights);
+ mb.push(definer);
mb.callMethod(VMOpcode.INVOKEINTERFACE, null,
"setupNestedSessionContext",
- "void", 1);
+ "void", 3);
}
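Review bot: `mb.push(definer)` receives the value of `routineDefiner`, which is declared as null and assigned only on the routine-resolution path shown in the hunk at -646, so a null could reach the generated call if that path was not taken. Whether that can happen for a routine with `sqlAllowed != NO_SQL` is not visible here. A sanity check before the push, `if (SanityManager.DEBUG) { SanityManager.ASSERT(!hadDefinersRights || definer != null); }`, would catch it when the statement is compiled rather than when the routine runs. The method starts in the previous hunk.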
@@ -945,8 +956,11 @@ public class StaticMethodCallNode extend
// If no SQL, there is no need to setup a nested session
// context.
if (sqlAllowed != RoutineAliasInfo.NO_SQL) {
- generateSetupNestedSessionContext((ActivationClassBuilder) acb,
- mb);
+ generateSetupNestedSessionContext(
+ (ActivationClassBuilder) acb,
+ mb,
+ routineInfo.hasDefinersRights(),
+ routineDefiner);
}
// for a function we need to fetch the current SQL control
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj Mon Jun 7 13:51:07 2010
@@ -168,8 +168,20 @@ import java.lang.Character;
public class SQLParser
{
private static final String[] SAVEPOINT_CLAUSE_NAMES = {"UNIQUE", "ON ROLLBACK RETAIN LOCKS", "ON ROLLBACK RETAIN CURSORS"};
- private static final String[] ROUTINE_CLAUSE_NAMES =
- {null, "SPECIFIC", "RESULT SET", "LANGUAGE", "EXTERNAL NAME", "PARAMETER STYLE", "SQL", "DETERMINISTIC", "ON NULL INPUT"};
+
+ /* Keep in synch with CreateAliasNode's index constants */
+ private static final String[] ROUTINE_CLAUSE_NAMES =
+ {null,
+ "SPECIFIC",
+ "RESULT SET",
+ "LANGUAGE",
+ "EXTERNAL NAME",
+ "PARAMETER STYLE",
+ "SQL",
+ "DETERMINISTIC",
+ "ON NULL INPUT",
+ "RETURN TYPE",
+ "EXTERNAL SECURITY"};
/**
Clauses required for Java routines. Numbers correspond
to offsets in ROUTINE_CLAUSE_NAMES.
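Review bot: The new comment asks maintainers to keep `ROUTINE_CLAUSE_NAMES` in step with CreateAliasNode's index constants, but nothing checks it, and a missing entry would only show up as a wrong clause name or an index error on an error path. A debug-build check where the array is used, `SanityManager.ASSERT(ROUTINE_CLAUSE_NAMES.length == CreateAliasNode.ROUTINE_ELEMENT_COUNT);`, would turn the convention into a test failure.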
@@ -10632,7 +10644,18 @@ void routineElement(boolean isProcedure,
checkVersion(DataDictionary.DD_VERSION_DERBY_10_5, "DETERMINISTIC");
}
|
- <EXTERNAL> <NAME> clauseValue = string() { clausePosition = CreateAliasNode.EXTERNAL_NAME; }
+ <EXTERNAL>
+ ( <NAME> clauseValue = string()
+ { clausePosition = CreateAliasNode.EXTERNAL_NAME; }
+ |
+ <SECURITY>
+ { checkVersion(DataDictionary.DD_VERSION_DERBY_10_7,
+ "EXTERNAL SECURITY");
+ checkSqlStandardAccess("EXTERNAL SECURITY");
+ clauseValue = new Boolean(routineSecurityClause());
+ clausePosition = CreateAliasNode.ROUTINE_SECURITY_DEFINER;
+ }
+ )
|
<PARAMETER> <STYLE> clauseValue = parameterStyle( isTableFunction ) { clausePosition = CreateAliasNode.PARAMETER_STYLE; }
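Review bot: `new Boolean(routineSecurityClause())` allocates a fresh object for a value that has only two states; `clauseValue = Boolean.valueOf(routineSecurityClause());` is the idiomatic form. The production starts outside the hunk.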
@@ -10684,6 +10707,21 @@ Boolean calledOnNullInput(boolean isProc
}
}
+boolean routineSecurityClause() throws StandardException :
+{
+ boolean result = false;
+}
+{
+ (
+ <INVOKER> { result = false;}
+ | <DEFINER> { result = true; }
+ )
+ {
+ return result;
+ }
+}
+
+
Short parameterStyle( boolean isTableFunction ) throws StandardException :
{
}
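Review bot: `routineSecurityClause()` has no header comment, and its bare boolean result only makes sense once the reader knows which keyword maps to true. Add `/** @return true for EXTERNAL SECURITY DEFINER, false for INVOKER */` above the production. The initial `result = false` is redundant because both alternatives assign it.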
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java Mon Jun 7 13:51:07 2010
@@ -61,14 +61,10 @@ implements Authorizer
private final LanguageConnectionContext lcc;
- private final String authorizationId; //the userName after parsing by IdUtil
-
- GenericAuthorizer(String authorizationId,
- LanguageConnectionContext lcc)
+ GenericAuthorizer(LanguageConnectionContext lcc)
throws StandardException
{
this.lcc = lcc;
- this.authorizationId = authorizationId;
refresh();
}
@@ -148,7 +144,8 @@ implements Authorizer
// requiredPermissionsList for Database Owner
if( requiredPermissionsList != null &&
!requiredPermissionsList.isEmpty() &&
- !authorizationId.equals(dd.getAuthorizationDatabaseOwner()))
+ !lcc.getCurrentUserId(activation).equals(
+ dd.getAuthorizationDatabaseOwner()))
{
int ddMode = dd.startReading(lcc);
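Review bot: The database-owner shortcut is now decided per activation from `lcc.getCurrentUserId(activation)`, so every statement run inside a definer's rights routine whose definer is the database owner skips the required-permissions list entirely. That follows from the feature, but the comment fragment above the condition does not mention it; extend it, e.g. `// Skip checks when the current user (the definer inside a definer's rights routine) is the database owner`. The call also assumes the current user is never null; a null would surface here as a NullPointerException in the authorization path. The method starts outside this hunk.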
@@ -184,7 +181,7 @@ implements Authorizer
iter.hasNext();)
{
((StatementPermission) iter.next()).check
- (lcc, authorizationId, false, activation);
+ (lcc, false, activation);
}
}
finally
@@ -229,14 +226,6 @@ implements Authorizer
}
- /**
- @see Authorizer#getAuthorizationId
- */
- public String getAuthorizationId()
- {
- return authorizationId;
- }
-
private void getUserAccessLevel() throws StandardException
{
userAccessLevel = NO_ACCESS;
@@ -283,7 +272,7 @@ implements Authorizer
PersistentSet tc = lcc.getTransactionExecute();
String listS = (String)
PropertyUtil.getServiceProperty(tc, listName);
- return IdUtil.idOnList(authorizationId,listS);
+ return IdUtil.idOnList(lcc.getSessionUserId(),listS);
}
/**
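Review bot: `userOnAccessList` now uses `lcc.getSessionUserId()` while the permission checks earlier in this class use the current user, and nothing in the method says the difference is deliberate. Add a comment such as `// Access lists apply to the connected (session) user, never to a routine's definer`, so a later cleanup does not change it to `getCurrentUserId`. The method starts outside the hunk.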
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java Mon Jun 7 13:51:07 2010
@@ -349,11 +349,19 @@ public class GenericLanguageConnectionCo
triggerTables = new ArrayList();
}
+ /**
+ * In contrast to current user id, which may change (inside a routine
+ * executing with definer's rights), the sessionUser is constant in a
+ * session.
+ */
+ private String sessionUser = null;
+
public void initialize() throws StandardException
{
+ sessionUser = IdUtil.getUserAuthorizationId(userName);
//
//Creating the authorizer authorizes the connection.
- authorizer = new GenericAuthorizer(IdUtil.getUserAuthorizationId(userName),this);
+ authorizer = new GenericAuthorizer(this);
/*
** Set the authorization id. User shouldn't
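Review bot: `sessionUser` is documented as constant for the session but is a non-final field initialised to null and assigned in `initialize()`, and the `GenericAuthorizer` constructed just below no longer receives the id and has to read it back through `lcc`. The assignment therefore has to stay ahead of `new GenericAuthorizer(this)`; a comment on it, e.g. `// must precede creation of the authorizer, which reads the session user from this context`, would protect that order. Whether the authorizer's constructor actually reads it during `refresh()` is not visible in this hunk.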
@@ -362,7 +370,7 @@ public class GenericLanguageConnectionCo
*/
if (SanityManager.DEBUG)
{
- if (getAuthorizationId() == null)
+ if (getSessionUserId() == null)
{
SanityManager.THROWASSERT("User name is null," +
" check the connection manager to make sure it is set" +
@@ -393,14 +401,18 @@ public class GenericLanguageConnectionCo
*/
if (cachedInitialDefaultSchemaDescr == null) {
DataDictionary dd = getDataDictionary();
- String authorizationId = getAuthorizationId();
+ String authorizationId = getSessionUserId();
SchemaDescriptor sd =
dd.getSchemaDescriptor(
- authorizationId, getTransactionCompile(), false);
+ getSessionUserId(), getTransactionCompile(), false);
if (sd == null) {
sd = new SchemaDescriptor(
- dd, authorizationId, authorizationId, (UUID) null, false);
+ dd,
+ getSessionUserId(),
+ getSessionUserId(),
+ (UUID) null,
+ false);
}
cachedInitialDefaultSchemaDescr = sd;
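Review bot: The local `authorizationId` is still assigned from `getSessionUserId()`, but every use of it in the visible lines was replaced by a fresh `getSessionUserId()` call, so it now appears to be dead. Either delete the declaration or rename it to `sessionUserId` and pass it to `getSchemaDescriptor` and to both `SchemaDescriptor` constructor arguments, which also makes it obvious that the same value is used in all three places. The enclosing method starts and ends outside the hunk.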
@@ -639,6 +651,9 @@ public class GenericLanguageConnectionCo
// Reset the current role
getCurrentSQLSessionContext().setRole(null);
+
+ // Reset the current user
+ getCurrentSQLSessionContext().setUser(getSessionUserId());
}
// debug methods
@@ -1872,15 +1887,15 @@ public class GenericLanguageConnectionCo
return false;
}
- /**
- * Get the Authorization Id (user)
- *
- * @return String the authorization id
- */
- public String getAuthorizationId()
- {
- return authorizer.getAuthorizationId();
- }
+ /**
+ * Get the session user
+ *
+ * @return String the authorization id of the session user.
+ */
+ public String getSessionUserId()
+ {
+ return sessionUser;
+ }
/**
* @see LanguageConnectionContext#getDefaultSchema
@@ -3324,6 +3339,14 @@ public class GenericLanguageConnectionCo
}
+ /**
+ * @see LanguageConnectionContext#getCurrentUserId(Activation a)
+ */
+ public String getCurrentUserId(Activation a) {
+ return getCurrentSQLSessionContext(a).getCurrentUser();
+ }
+
+
/**
* @see LanguageConnectionContext#getCurrentRoleIdDelimited(Activation a)
*/
@@ -3336,7 +3359,7 @@ public class GenericLanguageConnectionCo
beginNestedTransaction(true);
try {
- if (!roleIsSettable(role)) {
+ if (!roleIsSettable(a, role)) {
// invalid role, so lazily reset it.
setCurrentRole(a, null);
role = null;
@@ -3357,17 +3380,20 @@ public class GenericLanguageConnectionCo
/**
* @see LanguageConnectionContext#roleIsSettable(String role)
*/
- public boolean roleIsSettable(String role) throws StandardException {
- DataDictionary dd = getDataDictionary();
+ public boolean roleIsSettable(Activation a, String role)
+ throws StandardException {
+
+ DataDictionary dd = getDataDictionary();
String dbo = dd.getAuthorizationDatabaseOwner();
RoleGrantDescriptor grantDesc = null;
+ String currentUser = getCurrentUserId(a);
- if (getAuthorizationId().equals(dbo)) {
+ if (currentUser.equals(dbo)) {
grantDesc = dd.getRoleDefinitionDescriptor(role);
} else {
grantDesc = dd.getRoleGrantDescriptor
- (role, getAuthorizationId(), dbo);
+ (role, currentUser, dbo);
if (grantDesc == null) {
// or if not, via PUBLIC?
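Review bot: The Javadoc still says `@see LanguageConnectionContext#roleIsSettable(String role)` although the method now takes `(Activation a, String role)`; change it to `@see LanguageConnectionContext#roleIsSettable(Activation a, String role)`. `currentUser.equals(dbo)` also assumes `getCurrentUserId(a)` never returns null. The `DataDictionary dd = getDataDictionary();` line is removed and re-added with identical text, a whitespace-only change that could be dropped from the patch. The method continues past the end of the hunk.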
@@ -3430,25 +3456,70 @@ public class GenericLanguageConnectionCo
/**
* @see LanguageConnectionContext#setupNestedSessionContext(Activation a)
*/
- public void setupNestedSessionContext(Activation a) {
- setupSessionContextMinion(a, true);
- }
+ public void setupNestedSessionContext(
+ Activation a,
+ boolean definersRights,
+ String definer) throws StandardException {
+
+ setupSessionContextMinion(a, true, definersRights, definer);
+ }
+
+ private void setupSessionContextMinion(
+ Activation a,
+ boolean push,
+ boolean definersRights,
+ String definer) throws StandardException {
+
+ if (SanityManager.DEBUG) {
+ if (definersRights) {
+ SanityManager.ASSERT(push);
+ }
+ }
- private void setupSessionContextMinion(Activation a,
- boolean push) {
- SQLSessionContext sc = a.setupSQLSessionContextForChildren(push);
-
- // Semantics for roles dictate (SQL 4.34.1.1 and 4.27.3.) that the
- // role is initially inherited from the current session
- // context. (Since we always run with INVOKER security
- // characteristic. Derby can't yet run with DEFINER's rights).
- //
- sc.setRole(getCurrentRoleId(a));
+ SQLSessionContext sc = a.setupSQLSessionContextForChildren(push);
+
+ if (definersRights) {
+ sc.setUser(definer);
+ } else {
+ // A priori: invoker's rights: Current user
+ sc.setUser(getCurrentUserId(a));
+ }
- // Inherit current default schema. The initial value of the
- // default schema is implementation defined. In Derby we
- // inherit it when we invoke stored procedures and functions.
- sc.setDefaultSchema(getDefaultSchema(a));
+
+ if (definersRights) {
+ // No role a priori. Cf. SQL 2008, section 10.4 <routine
+ // invocation>, GR 5 j) i) 1) B) "If the external security
+ // characteristic of R is DEFINER, then the top cell of the
+ // authorization stack of RSC is set to contain only the routine
+ // authorization identifier of R.
+
+ sc.setRole(null);
+ } else {
+ // Semantics for roles dictate (SQL 4.34.1.1 and 4.27.3.) that the
+ // role is initially inherited from the current session context
+ // when we run with INVOKER security characteristic.
+ sc.setRole(getCurrentRoleId(a));
+ }
+
+
+ if (definersRights) {
+ SchemaDescriptor sd = getDataDictionary().getSchemaDescriptor(
+ definer,
+ getTransactionExecute(),
+ false);
+
+ if (sd == null) {
+ sd = new SchemaDescriptor(
+ getDataDictionary(), definer, definer, (UUID) null, false);
+ }
+
+ sc.setDefaultSchema(sd);
+ } else {
+ // Inherit current default schema. The initial value of the
+ // default schema is implementation defined. In Derby we
+ // inherit it when we invoke stored procedures and functions.
+ sc.setDefaultSchema(getDefaultSchema(a));
+ }
StatementContext stmctx = getStatementContext();
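Review bot: When `definersRights` is true, `definer` is installed as the current user without any check that it is non-null; the method's only sanity assertion covers `push`. A null definer would leave the nested context without a user and fail later at `currentUser.equals(...)` call sites far from the cause, so assert it where the definer is applied. The three consecutive `if (definersRights)` blocks can be merged so that the definer and invoker settings each read as one unit, and the quotation opened in the SQL 2008 comment is never closed. The `@see` tag still names `setupNestedSessionContext(Activation a)`. `setupSessionContextMinion` continues past the end of the hunk.

```java
SQLSessionContext sc = a.setupSQLSessionContextForChildren(push);

if (definersRights) {
    if (SanityManager.DEBUG) {
        SanityManager.ASSERT(definer != null,
            "definer's rights requested without a definer");
    }
    // … unchanged: look up (or build) SchemaDescriptor sd for definer …

    // SQL 2008, 10.4 GR 5 j) i) 1) B): the new context holds only the
    // routine authorization identifier, so no role is inherited.
    sc.setUser(definer);
    sc.setRole(null);
    sc.setDefaultSchema(sd);
} else {
    // Invoker's rights: inherit user, role and default schema.
    sc.setUser(getCurrentUserId(a));
    sc.setRole(getCurrentRoleId(a));
    sc.setDefaultSchema(getDefaultSchema(a));
}
```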
@@ -3472,8 +3543,10 @@ public class GenericLanguageConnectionCo
/**
* @see LanguageConnectionContext#setupSubStatementSessionContext(Activation a)
*/
- public void setupSubStatementSessionContext(Activation a) {
- setupSessionContextMinion(a, false);
+ public void setupSubStatementSessionContext(Activation a)
+ throws StandardException {
+
+ setupSessionContextMinion(a, false, false, null);
}
@@ -3483,7 +3556,8 @@ public class GenericLanguageConnectionCo
public SQLSessionContext getTopLevelSQLSessionContext() {
if (topLevelSSC == null) {
topLevelSSC = new SQLSessionContextImpl(
- getInitialDefaultSchemaDescriptor());
+ getInitialDefaultSchemaDescriptor(),
+ getSessionUserId());
}
return topLevelSSC;
}
@@ -3494,7 +3568,8 @@ public class GenericLanguageConnectionCo
*/
public SQLSessionContext createSQLSessionContext() {
return new SQLSessionContextImpl(
- getInitialDefaultSchemaDescriptor());
+ getInitialDefaultSchemaDescriptor(),
+ getSessionUserId() /* a priori */);
}
/**
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/SQLSessionContextImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/SQLSessionContextImpl.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/SQLSessionContextImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/SQLSessionContextImpl.java Mon Jun 7 13:51:07 2010
@@ -27,12 +27,14 @@ import org.apache.derby.iapi.sql.diction
public class SQLSessionContextImpl implements SQLSessionContext {
+ private String currentUser;
private String currentRole;
private SchemaDescriptor currentDefaultSchema;
- public SQLSessionContextImpl (SchemaDescriptor sd) {
+ public SQLSessionContextImpl (SchemaDescriptor sd, String currentUser) {
currentRole = null;
currentDefaultSchema = sd;
+ this.currentUser = currentUser;
}
public void setRole(String role) {
@@ -43,6 +45,14 @@ public class SQLSessionContextImpl imple
return currentRole;
}
+ public void setUser(String user) {
+ currentUser = user;
+ }
+
+ public String getCurrentUser() {
+ return currentUser;
+ }
+
public void setDefaultSchema(SchemaDescriptor sd) {
currentDefaultSchema = sd;
}
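Review bot: `setUser` and `getCurrentUser` are added without comments, and `setUser` is a public mutator for the identity that privilege checks elsewhere in this commit are keyed on. Document on the method who is expected to call it, e.g. `/** Sets the current user of this context; meant to be called by the language connection context when a session context is set up or reset. */`, after confirming there are no other callers. The pair is also named asymmetrically (`setUser` / `getCurrentUser`).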
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java Mon Jun 7 13:51:07 2010
@@ -88,7 +88,7 @@ class CreateRoleConstantAction extends D
// role definition is a database owner power. This may change
// in the future since this SQL is more liberal.
//
- final String currentAuthId = lcc.getAuthorizationId();
+ final String currentAuthId = lcc.getCurrentUserId(activation);
dd.startWriting(lcc);
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateSchemaConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateSchemaConstantAction.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateSchemaConstantAction.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateSchemaConstantAction.java Mon Jun 7 13:51:07 2010
@@ -149,7 +149,7 @@ class CreateSchemaConstantAction extends
String thisAid = aid;
if (thisAid == null)
{
- thisAid = lcc.getAuthorizationId();
+ thisAid = lcc.getCurrentUserId(activation);
}
/*
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java Mon Jun 7 13:51:07 2010
@@ -322,13 +322,13 @@ abstract class DDLConstantAction impleme
DataDictionary dd = lcc.getDataDictionary();
DependencyManager dm = dd.getDependencyManager();
String dbo = dd.getAuthorizationDatabaseOwner();
- String authId = lcc.getAuthorizationId();
+ String currentUser = lcc.getCurrentUserId(activation);
SettableBoolean roleDepAdded = new SettableBoolean();
//If the Database Owner is creating this constraint, then no need to
//collect any privilege dependencies because the Database Owner can
//access any objects without any restrictions
- if (!(lcc.getAuthorizationId().equals(dd.getAuthorizationDatabaseOwner())))
+ if (! currentUser.equals( dd.getAuthorizationDatabaseOwner()) )
{
PermissionsDescriptor permDesc;
// Now, it is time to add into dependency system the FOREIGN
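Review bot: `dbo` is already fetched a few lines above, yet the rewritten condition calls `dd.getAuthorizationDatabaseOwner()` again, while the matching check in the later hunk of this file (at -638) uses `dbo`. Use the same form here, `if (!currentUser.equals(dbo))`, so the two copies of this logic stay textually aligned. The method starts before and ends after the hunk.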
@@ -391,7 +391,9 @@ abstract class DDLConstantAction impleme
// REFERENCES privilege could be available at the user
// level, PUBLIC or role level. EXECUTE and USAGE privileges could be
// available at the user level, PUBLIC or role level.
- permDesc = statPerm.getPermissionDescriptor(lcc.getAuthorizationId(), dd);
+ permDesc = statPerm.getPermissionDescriptor(
+ currentUser, dd);
+
if (permDesc == null)
{
// No privilege exists for given user. The privilege
@@ -407,9 +409,9 @@ abstract class DDLConstantAction impleme
if (permDesc == null ||
((permDesc instanceof ColPermsDescriptor) &&
- !(((StatementColumnPermission)statPerm).
- allColumnsCoveredByUserOrPUBLIC
- (lcc.getAuthorizationId(), dd)))) {
+ ! ((StatementColumnPermission)statPerm).
+ allColumnsCoveredByUserOrPUBLIC(
+ currentUser, dd))) {
roleUsed = true;
permDesc = findRoleUsage(activation, statPerm);
}
@@ -417,8 +419,9 @@ abstract class DDLConstantAction impleme
// If the user accessing the object is the owner of
// that object, then no privilege tracking is needed
// for the owner.
- if (!(permDesc.checkOwner(lcc.getAuthorizationId()))) {
- dm.addDependency(dependent, permDesc,
+ if (! permDesc.checkOwner(currentUser) ) {
+
+ dm.addDependency(dependent, permDesc,
lcc.getContextManager());
if (roleUsed) {
@@ -432,7 +435,7 @@ abstract class DDLConstantAction impleme
//if the object on which permission is required is owned by the
//same user as the current user, then no need to keep that
//object's privilege dependency in the dependency system
- if (!(permDesc.checkOwner(lcc.getAuthorizationId())))
+ if (! permDesc.checkOwner(currentUser))
{
dm.addDependency(dependent, permDesc, lcc.getContextManager());
if (permDesc instanceof ColPermsDescriptor)
@@ -448,8 +451,8 @@ abstract class DDLConstantAction impleme
statementColumnPermission = (
StatementColumnPermission)statPerm;
permDesc = statementColumnPermission.
- getPUBLIClevelColPermsDescriptor
- (lcc.getAuthorizationId(), dd);
+ getPUBLIClevelColPermsDescriptor(
+ currentUser, dd);
//Following if checks if some column level privileges
//exist only at public level. If so, then the public
//level column privilege dependency is added
@@ -465,8 +468,8 @@ abstract class DDLConstantAction impleme
// Possibly, the current role has also been relied
// upon.
if (!statementColumnPermission.
- allColumnsCoveredByUserOrPUBLIC
- (lcc.getAuthorizationId(), dd)) {
+ allColumnsCoveredByUserOrPUBLIC(
+ currentUser, dd)) {
// Role has been relied upon, so register a
// dependency.
trackRoleDependency
@@ -510,7 +513,7 @@ abstract class DDLConstantAction impleme
RoleGrantDescriptor rootGrant = null;
String role = lcc.getCurrentRoleId(activation);
String dbo = dd.getAuthorizationDatabaseOwner();
- String authId = lcc.getAuthorizationId();
+ String currentUser = lcc.getCurrentUserId(activation);
PermissionsDescriptor permDesc = null;
if (SanityManager.DEBUG) {
@@ -521,7 +524,7 @@ abstract class DDLConstantAction impleme
// determine how we got to be able use this role
rootGrant =
- dd.getRoleGrantDescriptor(role, authId, dbo);
+ dd.getRoleGrantDescriptor(role, currentUser, dbo);
if (rootGrant == null) {
rootGrant = dd.getRoleGrantDescriptor(
@@ -638,13 +641,13 @@ abstract class DDLConstantAction impleme
DataDictionary dd = lcc.getDataDictionary();
DependencyManager dm = dd.getDependencyManager();
String dbo = dd.getAuthorizationDatabaseOwner();
- String authId = lcc.getAuthorizationId();
+ String currentUser = lcc.getCurrentUserId(activation);
SettableBoolean roleDepAdded = new SettableBoolean();
// If the Database Owner is creating this view/trigger, then no need to
// collect any privilege dependencies because the Database Owner can
// access any objects without any restrictions.
- if (!authId.equals(dbo))
+ if (! currentUser.equals(dbo))
{
PermissionsDescriptor permDesc;
List requiredPermissionsList = activation.getPreparedStatement().getRequiredPermissionsList();
@@ -674,7 +677,8 @@ abstract class DDLConstantAction impleme
}
//See if we can find the required privilege for given authorizer?
- permDesc = statPerm.getPermissionDescriptor(lcc.getAuthorizationId(), dd);
+ permDesc = statPerm.
+ getPermissionDescriptor(currentUser, dd);
if (permDesc == null)//privilege not found for given authorizer
{
//The if condition above means that required privilege does
@@ -688,9 +692,9 @@ abstract class DDLConstantAction impleme
// .. or at role level
if (permDesc == null ||
((permDesc instanceof ColPermsDescriptor) &&
- !(((StatementColumnPermission)statPerm).
- allColumnsCoveredByUserOrPUBLIC
- (lcc.getAuthorizationId(), dd)))) {
+ ! ((StatementColumnPermission)statPerm).
+ allColumnsCoveredByUserOrPUBLIC(
+ currentUser, dd)) ) {
roleUsed = true;
permDesc = findRoleUsage(activation, statPerm);
}
@@ -698,7 +702,8 @@ abstract class DDLConstantAction impleme
//If the user accessing the object is the owner of that
//object, then no privilege tracking is needed for the
//owner.
- if (!(permDesc.checkOwner(lcc.getAuthorizationId()))) {
+ if (! permDesc.checkOwner(currentUser) ) {
+
dm.addDependency(dependent, permDesc, lcc.getContextManager());
// We had to rely on role, so track that
@@ -713,7 +718,7 @@ abstract class DDLConstantAction impleme
//if the object on which permission is required is owned by the
//same user as the current user, then no need to keep that
//object's privilege dependency in the dependency system
- if (!(permDesc.checkOwner(lcc.getAuthorizationId())))
+ if (! permDesc.checkOwner(currentUser) )
{
dm.addDependency(dependent, permDesc, lcc.getContextManager());
if (permDesc instanceof ColPermsDescriptor)
@@ -738,7 +743,9 @@ abstract class DDLConstantAction impleme
//depencies, one for column c11 which exists directly
//for user2 and one for column c12 which exists at PUBLIC level.
StatementColumnPermission statementColumnPermission = (StatementColumnPermission) statPerm;
- permDesc = statementColumnPermission.getPUBLIClevelColPermsDescriptor(lcc.getAuthorizationId(), dd);
+ permDesc = statementColumnPermission.
+ getPUBLIClevelColPermsDescriptor(
+ currentUser, dd);
//Following if checks if some column level privileges
//exist only at public level. If so, then the public
//level column privilege, if any, dependency of
@@ -756,8 +763,8 @@ abstract class DDLConstantAction impleme
// Has the the current role has also been relied
// upon?
if (!statementColumnPermission.
- allColumnsCoveredByUserOrPUBLIC
- (lcc.getAuthorizationId(), dd)) {
+ allColumnsCoveredByUserOrPUBLIC(
+ currentUser, dd)) {
trackRoleDependency
(activation, dependent, roleDepAdded);
}
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericPrivilegeInfo.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericPrivilegeInfo.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericPrivilegeInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericPrivilegeInfo.java Mon Jun 7 13:51:07 2010
@@ -99,7 +99,7 @@ public class GenericPrivilegeInfo extend
// Check that the current user has permission to grant the privileges.
LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
DataDictionary dd = lcc.getDataDictionary();
- String currentUser = lcc.getAuthorizationId();
+ String currentUser = lcc.getCurrentUserId(activation);
TransactionController tc = lcc.getTransactionExecute();
SchemaDescriptor sd = _tupleDescriptor.getSchemaDescriptor();
UUID objectID = _tupleDescriptor.getUUID();
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java Mon Jun 7 13:51:07 2010
@@ -82,7 +82,7 @@ class GrantRoleConstantAction extends DD
TransactionController tc = lcc.getTransactionExecute();
DataDescriptorGenerator ddg = dd.getDataDescriptorGenerator();
- final String grantor = lcc.getAuthorizationId();
+ final String grantor = lcc.getCurrentUserId(activation);
dd.startWriting(lcc);
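Review bot: `grantor` is now the current user, which inside a routine running with definer's rights is the definer rather than the connected user, so the stored role grant would presumably name the definer. That looks intended, but it changes what the grant record tells an auditor; add a comment at the assignment, e.g. `// grantor is the current user: the definer when called from a definer's rights routine`. The same one-line change in RevokeRoleConstantAction (next file section) deserves the same comment. The method starts outside the hunk.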
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RevokeRoleConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RevokeRoleConstantAction.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RevokeRoleConstantAction.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RevokeRoleConstantAction.java Mon Jun 7 13:51:07 2010
@@ -75,7 +75,7 @@ class RevokeRoleConstantAction extends D
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
- final String grantor = lcc.getAuthorizationId();
+ final String grantor = lcc.getCurrentUserId(activation);
dd.startWriting(lcc);
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java Mon Jun 7 13:51:07 2010
@@ -62,7 +62,7 @@ public class RoutinePrivilegeInfo extend
// Check that the current user has permission to grant the privileges.
LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
DataDictionary dd = lcc.getDataDictionary();
- String currentUser = lcc.getAuthorizationId();
+ String currentUser = lcc.getCurrentUserId(activation);
TransactionController tc = lcc.getTransactionExecute();
// Check that the current user has permission to grant the privileges.
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetRoleConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetRoleConstantAction.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetRoleConstantAction.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetRoleConstantAction.java Mon Jun 7 13:51:07 2010
@@ -101,7 +101,7 @@ class SetRoleConstantAction implements C
dd = lcc.getDataDictionary();
String thisRoleName = roleName;
- final String currentAuthId = lcc.getAuthorizationId();
+ final String currentAuthId = lcc.getCurrentUserId(activation);
final String dbo = lcc.getDataDictionary().
getAuthorizationDatabaseOwner();
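Review bot: `currentAuthId` now holds the result of `lcc.getCurrentUserId(activation)`, so the name still suggests the session authorization id that the old call returned. `currentUser`, as used in the privilege-info classes touched by this commit, would match the new meaning. The later hunk in this file also passes `activation` to `lcc.roleIsSettable(...)`, so the dbo comparison and the settable check presumably both evaluate against the effective user of the routine context. A one-line comment such as `// SET ROLE is checked against the effective user of this activation` would make that explicit. The variable is used outside the hunk, so a rename has to cover the rest of the method.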
@@ -153,7 +153,7 @@ class SetRoleConstantAction implements C
(SQLState.ROLE_INVALID_SPECIFICATION, thisRoleName);
}
- if (!lcc.roleIsSettable(thisRoleName)) {
+ if (!lcc.roleIsSettable(activation, thisRoleName)) {
throw StandardException.newException
(SQLState. ROLE_INVALID_SPECIFICATION_NOT_GRANTED,
thisRoleName);
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetSchemaConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetSchemaConstantAction.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetSchemaConstantAction.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/SetSchemaConstantAction.java Mon Jun 7 13:51:07 2010
@@ -116,7 +116,7 @@ class SetSchemaConstantAction implements
}
else if (type == StatementType.SET_SCHEMA_USER)
{
- thisSchemaName = lcc.getAuthorizationId();
+ thisSchemaName = lcc.getCurrentUserId(activation);
}
SchemaDescriptor sd = dd.getSchemaDescriptor(thisSchemaName,
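Review bot: `SET SCHEMA USER` now resolves to `lcc.getCurrentUserId(activation)`, which changes what USER means when the statement runs inside a routine, and nothing at the `SET_SCHEMA_USER` branch says so. A comment such as `// USER is the effective user of this activation (presumably the definer inside a definer's rights routine)` would spare the next reader a trip to the spec. It is also worth confirming that the `dd.getSchemaDescriptor(thisSchemaName, ...)` lookup behaves sensibly when that user has no schema of their own yet. The call is cut off at the end of the hunk, so that cannot be judged from here.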
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java Mon Jun 7 13:51:07 2010
@@ -197,7 +197,7 @@ public class TablePrivilegeInfo extends
{
LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
DataDictionary dd = lcc.getDataDictionary();
- String currentUser = lcc.getAuthorizationId();
+ String currentUser = lcc.getCurrentUserId(activation);
TransactionController tc = lcc.getTransactionExecute();
SchemaDescriptor sd = td.getSchemaDescriptor();
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/store/raw/xact/TransactionTableEntry.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/store/raw/xact/TransactionTableEntry.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/store/raw/xact/TransactionTableEntry.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/store/raw/xact/TransactionTableEntry.java Mon Jun 7 13:51:07 2010
@@ -466,7 +466,7 @@ public class TransactionTableEntry imple
SanityManager.ASSERT(isClone, "Should only call method on a clone");
getlcc();
- return (lcc == null) ? null : lcc.getAuthorizationId();
+ return (lcc == null) ? null : lcc.getSessionUserId();
}
public String getTransactionTypeString()
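Review bot: Unlike the other call sites in this part of the commit, this one switches to `lcc.getSessionUserId()` rather than `getCurrentUserId(activation)`, and the reason is not recorded next to the return. Reporting the connected user for a transaction table entry looks intentional, since no activation is in scope here, but a reader comparing the call sites has to guess. I would add a comment above the return, e.g. `// Report the session (connected) user; the effective user of a running routine is per-activation and not tracked here.` The method's signature lies outside the hunk.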
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net.out?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net.out Mon Jun 7 13:51:07 2010
@@ -23,6 +23,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
-----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+-----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -93,6 +103,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
-----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+-----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net_territory.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net_territory.out?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net_territory.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNet/dblook_test_net_territory.out Mon Jun 7 13:51:07 2010
@@ -23,6 +23,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
-----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+-----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -93,6 +103,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
-----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+-----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net.out?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net.out Mon Jun 7 13:51:07 2010
@@ -23,6 +23,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
-----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+-----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -93,6 +103,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
-----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+-----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net_territory.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net_territory.out?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net_territory.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/DerbyNetClient/dblook_test_net_territory.out Mon Jun 7 13:51:07 2010
@@ -23,6 +23,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
-----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+-----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -93,6 +103,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
-----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+-----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test.out?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test.out Mon Jun 7 13:51:07 2010
@@ -16,6 +16,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -86,6 +96,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
@@ -2178,6 +2198,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -2248,6 +2278,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test_territory.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test_territory.out?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test_territory.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/dblook_test_territory.out Mon Jun 7 13:51:07 2010
@@ -16,6 +16,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -86,6 +96,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
@@ -2178,6 +2198,16 @@ inoutparams3(INOUT A CHAR(10),IN B INTEG
<systemname>
----
<systemid>
+F_DEFINERS_RIGHTS
+APP
+foo.bar
+F
+F
+false
+wibble() RETURNS INTEGER LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER NO SQL CALLED ON NULL INPUT
+<systemname>
+----
+<systemid>
F_DETERMINISTIC
APP
foo.bar
@@ -2248,6 +2278,16 @@ sqlControl(OUT E1 VARCHAR(128),OUT E2 VA
<systemname>
----
<systemid>
+P_DEFINERS_RIGHTS
+APP
+foo.bar
+P
+P
+false
+wibble() LANGUAGE JAVA PARAMETER STYLE JAVA EXTERNAL SECURITY DEFINER MODIFIES SQL DATA
+<systemname>
+----
+<systemid>
P_DETERMINISTIC
APP
foo.bar
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/J2EEDataSourceTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/J2EEDataSourceTest.java?rev=952227&r1=952226&r2=952227&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/J2EEDataSourceTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/J2EEDataSourceTest.java Mon Jun 7 13:51:07 2010
@@ -1998,8 +1998,8 @@ public class J2EEDataSourceTest extends
}
/**
- * Executes a test sequence to make sure the schema is reset between
- * logical connections.
+ * Executes a test sequence to make sure the schema (and with DERBY-4551,
+ * current user) is correctly reset between logical connections.
*
* @param pc pooled connection to get logical connections from
* @param userSchema name of the default schema for the connection (user)
@@ -2009,20 +2009,24 @@ public class J2EEDataSourceTest extends
throws SQLException {
Connection con1 = pc.getConnection();
JDBC.assertCurrentSchema(con1, userSchema);
+ JDBC.assertCurrentUser(con1, userSchema);
Statement stmt1 = con1.createStatement();
// Change the schema.
stmt1.execute("set schema APP");
stmt1.close();
JDBC.assertCurrentSchema(con1, "APP");
+ JDBC.assertCurrentUser(con1, userSchema);
// Close the logical connection and get a new one.
con1.close();
Connection con2 = pc.getConnection();
// Make sure the schema has been reset from APP to the user name.
JDBC.assertCurrentSchema(con2, userSchema);
+ JDBC.assertCurrentUser(con2, userSchema);
con2.close();
// Try a third time, but don't change the schema now.
Connection con3 = pc.getConnection();
JDBC.assertCurrentSchema(con3, userSchema);
+ JDBC.assertCurrentUser(con3, userSchema);
con3.close();
pc.close();
}
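Review bot: The added `JDBC.assertCurrentUser(...)` calls never follow a step that changes the current user, so they would pass even if nothing were reset between logical connections. Only the schema is actually altered (`set schema APP`) before `con1.close()`. To cover what the updated Javadoc claims, the sequence would need to leave a changed user context behind before closing `con1`, if that is reachable from outside a routine at all. Otherwise the Javadoc could say more modestly that the current user is checked to stay equal to the connection user. The comment `// Make sure the schema has been reset from APP to the user name.` should also mention the user assertion that now follows it. The method signature starts outside the hunk.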