Posted to commits@trafodion.apache.org by su...@apache.org on 2017/02/23 16:58:03 UTC
[1/2] incubator-trafodion git commit: TRAFODION-2441 user has only
select privilege on a table can do ...
Repository: incubator-trafodion
Updated Branches:
refs/heads/master b5e73002b -> b44e5d0d5
TRAFODION-2441 user has only select privilege on a table can do ...
This is the second delivery that updates "get" commands so users can only view
information where they have been granted privileges. This delivery handles:
get components;
get privileges on component;
get privileges on component for <role>;
get privileges on component for <user> [cascade];
cascade returns privileges for user plus any roles the user has been granted
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/5374d9d1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/5374d9d1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/5374d9d1
Branch: refs/heads/master
Commit: 5374d9d148b60555652c3e30ca1eb45a2ffba47e
Parents: a7a295e
Author: Roberta Marton <rm...@edev07.esgyn.local>
Authored: Wed Feb 22 16:54:51 2017 +0000
Committer: Roberta Marton <rm...@edev07.esgyn.local>
Committed: Wed Feb 22 16:54:51 2017 +0000
----------------------------------------------------------------------
core/sql/comexe/ComTdbExeUtil.h | 7 +-
core/sql/executor/ExExeUtilGet.cpp | 191 ++++++++++++++++++------------
core/sql/generator/GenRelExeUtil.cpp | 1 +
core/sql/optimizer/RelExeUtil.cpp | 3 +-
core/sql/optimizer/RelExeUtil.h | 4 +
core/sql/parser/sqlparser.y | 33 ++++--
6 files changed, 152 insertions(+), 87 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/comexe/ComTdbExeUtil.h
----------------------------------------------------------------------
diff --git a/core/sql/comexe/ComTdbExeUtil.h b/core/sql/comexe/ComTdbExeUtil.h
index 3abc2a5..2fdbc47 100644
--- a/core/sql/comexe/ComTdbExeUtil.h
+++ b/core/sql/comexe/ComTdbExeUtil.h
@@ -2604,6 +2604,10 @@ public:
{(v ? flags_ |= IS_HBASE : flags_ &= ~IS_HBASE); };
NABoolean isHbase() { return (flags_ & IS_HBASE) != 0; };
+ void setCascade(NABoolean v)
+ {(v ? flags_ |= CASCADE : flags_ & CASCADE) != 0; };
+ NABoolean cascade() { return (flags_ & CASCADE) != 0; };
+
// ---------------------------------------------------------------------
// Used by the internal SHOWPLAN command to get attributes of a TDB.
// ---------------------------------------------------------------------
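Review bot: `setCascade(FALSE)` never clears the bit, because the false arm is `flags_ & CASCADE`, a read whose result (along with the trailing `!= 0`) is discarded. Follow the `IS_HBASE` setter directly above it: `{(v ? flags_ |= CASCADE : flags_ &= ~CASCADE); };`. This is harmless while every TDB starts with the flag clear, but the executor uses `cascade()` to widen the set of grantees whose privileges are returned, so a stale bit would err toward showing more. The class body continues outside the hunk.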
@@ -2624,7 +2628,8 @@ protected:
IS_INDEX = 0x0200,
IS_MV = 0x0400,
IS_HBASE = 0x0800,
- EXTERNAL_OBJS = 0x1000
+ EXTERNAL_OBJS = 0x1000,
+ CASCADE = 0x2000
};
char * getCat() { return cat_; }
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/executor/ExExeUtilGet.cpp
----------------------------------------------------------------------
diff --git a/core/sql/executor/ExExeUtilGet.cpp b/core/sql/executor/ExExeUtilGet.cpp
index 7eb6eb1..0964684 100644
--- a/core/sql/executor/ExExeUtilGet.cpp
+++ b/core/sql/executor/ExExeUtilGet.cpp
@@ -246,44 +246,26 @@ static const QueryString getPrivsForAuthsQuery[] =
static const QueryString getComponents[] =
{
- {" select translate(rtrim(component_name) using ucs2toutf8) "},
- {" from %s.\"%s\".%s "},
- {" order by component_name "},
+ {" select distinct translate(rtrim(component_name) using ucs2toutf8) "},
+ {" from %s.\"%s\".%s c, %s.\"%s\".%s p "},
+ {" where c.component_uid = p.component_uid %s "},
+ {" order by 1 "},
{" ; "}
};
-static const QueryString getComponentOperations[] =
+static const QueryString getComponentPrivileges[] =
{
- {" select translate(rtrim(operation_name) using ucs2toutf8), "},
- {" translate(rtrim(operation_code) using ucs2toutf8) from "},
- {" %s.\"%s\".%s c, "},
- {" %s.\"%s\".%s o "},
- {" where (c.component_uid=o.component_uid) and "},
- {" (c.component_name='%s') "},
+ {" select distinct translate(rtrim(operation_name) using ucs2toutf8) "},
+ {" from %s.\"%s\".%s c, %s.\"%s\".%s o, "},
+ {" %s.\"%s\".%s p "},
+ {" where (c.component_uid=o.component_uid) "},
+ {" and (o.component_uid=p.component_uid) "},
+ {" and (o.operation_code=p.operation_code) "},
+ {" and (c.component_name='%s') %s "},
{" order by 1 "},
{" ; "}
};
-static const QueryString getComponentPrivilegesForUser[] =
-{
- {" select distinct translate(rtrim(o.operation_name) using ucs2toutf8), "},
- {" translate(rtrim(o.operation_code) using ucs2toutf8) from "},
- {" %s.\"%s\".%s c, "},
- {" %s.\"%s\".%s o, "},
- {" %s.\"%s\".%s p "},
- {" where (c.component_uid = p.component_uid) and "},
- {" (c.component_uid = o.component_uid) and "},
- {" (c.component_name='%s') and "},
- {" (p.operation_code = o.operation_code) and "},
- {" ((p.grantee_name = '%s') or "},
- {" (p.grantee_name in (select role_name from "},
- {" %s.\"%s\".%s ru "},
- {" where ru.grantee_name = '%s')))"},
- {" order by 1 " },
- {" ; " }
-};
-
-
static const QueryString getTrafTablesInSchemaQuery[] =
{
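Review bot: The trailing `%s` added to `getComponents` and `getComponentPrivileges` is a slot for a pre-built SQL predicate rather than a value, and nothing at the definitions says so. That fragment is what restricts the rows to the grantees the caller may see, so a comment above each array would help, for example `// final %s: optional predicate beginning with " and ...", built by the caller from validated auth names/IDs only`. The same comment could note that `getComponents` now inner-joins the privileges table, so a component with no privilege rows is not listed even when no privilege check applies. The last array in the hunk, `getTrafTablesInSchemaQuery`, continues outside it.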
@@ -1240,30 +1222,32 @@ Int32 ExExeUtilGetMetadataInfoTcb::getAuthID(
const char *schName,
const char *objName)
{
+ if (strcmp(authName, PUBLIC_AUTH_NAME) == 0)
+ return PUBLIC_USER;
+
short rc = 0;
Lng32 cliRC = 0;
sprintf(queryBuf_, "select auth_id from %s.\"%s\".%s where auth_db_name = '%s' ",
catName, schName, objName, authName);
- if (initializeInfoList(infoList_)) return 0;
+ if (initializeInfoList(infoList_)) return NA_UserIdDefault;
numOutputEntries_ = 1;
cliRC = fetchAllRows(infoList_, queryBuf_, numOutputEntries_, FALSE, rc);
if (cliRC < 0)
{
cliInterface()->retrieveSQLDiagnostics(getDiagsArea());
- return 0;
+ return NA_UserIdDefault;
}
infoList_->position();
OutputInfo * vi = (OutputInfo*)infoList_->getCurr();
if (vi)
return *(Lng32*)vi->get(0);
- return 0;
+ return NA_UserIdDefault;
}
-
// ----------------------------------------------------------------------------
// getRoleList
//
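Review bot: `getAuthID` formats `authName` between single quotes into `queryBuf_` with an unbounded `sprintf` and no quote escaping, and this commit adds a further caller (the COMPONENT_PRIVILEGES_ case passes `getMItdb().getParam1()`). Unless the parser already guarantees that the name contains no quote and fits the buffer (not visible here), the call needs a bounded format such as `snprintf(queryBuf_, <queryBuf_ size>, ...)` and a name that has been validated or had its quotes doubled. The same name is appended unescaped to `privWhereClause` in the COMPONENT_PRIVILEGES_ hunk further down. The function header comment should also state the new return contract: `PUBLIC_USER` for the public auth name, `NA_UserIdDefault` when the lookup fails. The function's signature starts outside the hunk.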
@@ -1511,7 +1495,6 @@ short ExExeUtilGetMetadataInfoTcb::work()
// but the schema does not, GET TABLES returns nothing.
step_ = SETUP_HBASE_QUERY_;
-
}
break;
@@ -1948,11 +1931,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
(getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_ROLE_);
// Get the authID associated with the current user
- Int32 authID;
- if (strcmp(getMItdb().getParam1(), PUBLIC_AUTH_NAME) == 0)
- authID = PUBLIC_USER;
- else
- authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+ Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
// If the authID was not found for various reasons just return
// Other "get" commands continue and return no rows but it is
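Review bot: The not-found test that follows this call is outside the hunk, and `getAuthID` now returns `NA_UserIdDefault` instead of 0 on failure, so that test has to compare against `NA_UserIdDefault`. If it still checks for 0, an unknown auth name would fall through to building the privilege query. If it is already correct, changing the comment to `// getAuthID returns NA_UserIdDefault if the authID was not found` would make the contract visible at the call site.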
@@ -2068,50 +2047,116 @@ short ExExeUtilGetMetadataInfoTcb::work()
qs = getComponents;
sizeOfqs = sizeof(getComponents);
+ if (doPrivCheck)
+ {
+ char buf[authList.length() + 100];
+ str_sprintf(buf, " and p.grantee_id in %s", authList.data());
+ privWhereClause = buf;
+ }
+
param_[0] = cat;
param_[1] = pmsch;
param_[2] = components;
+ param_[3] = cat;
+ param_[4] = pmsch;
+ param_[5] = componentPrivileges;
+ param_[6] = (char *) privWhereClause.data();
}
break;
case ComTdbExeUtilGetMetadataInfo::COMPONENT_PRIVILEGES_:
{
-
- if (getMItdb().getParam1()) // Get privileges for auth ID
- {
- qs = getComponentPrivilegesForUser;
- sizeOfqs = sizeof(getComponentPrivilegesForUser);
-
- param_[0] = cat;
- param_[1] = pmsch;
- param_[2] = components;
- param_[3] = cat;
- param_[4] = pmsch;
- param_[5] = componentOperations;
- param_[6] = cat;
- param_[7] = pmsch;
- param_[8] = componentPrivileges;
- param_[9] = getMItdb().getObj();
- param_[10] = getMItdb().getParam1();
- param_[11] = cat;
- param_[12] = pmsch;
- param_[13] = role_usage;
- param_[14] = getMItdb().getParam1();
-
+ qs = getComponentPrivileges;
+ sizeOfqs = sizeof(getComponentPrivileges);
+
+ // Get privileges for auth name
+ if (getMItdb().getParam1())
+ {
+ // Get the authID associated with the request's auth name
+ // If can't find authID, NA_UserIdDefault is returned which
+ // indicates an invalid authID.
+ Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+ if (doPrivCheck)
+ {
+ // If asking for privileges for a user that has no privs
+ // authName is invalid
+ // authName is a user and not the current user
+ // authName is a role and not one of the current user roles
+ // add a predicate to make operation fail with no rows
+ // This matches other "get" statement's behavior.
+ NABoolean hasPriv = TRUE;
+ if ((authID == NA_UserIdDefault) ||
+ (CmpSeabaseDDLauth::isUserID(authID) &&
+ (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) != 0)) ||
+ (CmpSeabaseDDLauth::isRoleID(authID) &&
+ !ComUser::currentUserHasRole(authID)))
+ {
+ privWhereClause += "and (grantee_id = -2) ";
+ hasPriv = FALSE;
+ }
+ if (hasPriv)
+ {
+ privWhereClause += "and (grantee_name = '";
+ privWhereClause += getMItdb().getParam1();
+ privWhereClause += "'";
+ if (CmpSeabaseDDLauth::isUserID(authID) && getMItdb().cascade())
+ {
+ privWhereClause += " or grantee_id in ";
+ privWhereClause += authList.data();
+ }
+ privWhereClause += ")";
+ }
+ }
+ else
+ {
+ privWhereClause += "and (grantee_name = '";
+ privWhereClause += getMItdb().getParam1();
+ privWhereClause += "'";
+
+ // if authname is a user and specified cascade, include roles
+ if (CmpSeabaseDDLauth::isUserID(authID) && getMItdb().cascade())
+ {
+ char buf[300 + MAX_AUTHNAME_LEN + 200];
+ str_sprintf(buf, "or p.grantee_id = (select role_id from "
+ "%s.\"%s\".%s where grantee_name = '%s') "
+ "or p.grantee_id = -1",
+ cat, pmsch, role_usage, getMItdb().getParam1());
+ privWhereClause += buf;
+ }
+ privWhereClause += ')';
+ }
}
- else // Get all operations for a component
+
+ // no specific authname specified, get current users results
+ else
{
- qs = getComponentOperations;
- sizeOfqs = sizeof(getComponentOperations);
-
- param_[0] = cat;
- param_[1] = pmsch;
- param_[2] = components;
- param_[3] = cat;
- param_[4] = pmsch;
- param_[5] = componentOperations;
- param_[6] = getMItdb().getObj();
+ // Limit results to current user and current users roles
+ if (getMItdb().cascade())
+ {
+ privWhereClause += " and p.grantee_id in ";
+ privWhereClause += authList.data();
+ }
+ // limit results to current user
+ else
+ {
+ privWhereClause += " and p.grantee_name = '";
+ privWhereClause += currContext->getDatabaseUserName();
+ privWhereClause += "'";
+ }
}
+
+ param_[0] = cat;
+ param_[1] = pmsch;
+ param_[2] = components;
+ param_[3] = cat;
+ param_[4] = pmsch;
+ param_[5] = componentOperations;
+ param_[6] = cat;
+ param_[7] = pmsch;
+ param_[8] = componentPrivileges;
+ param_[9] = getMItdb().getObj();
+ param_[10] = (char *) privWhereClause.data();
}
break;
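Review bot: In the branch without a privilege check, the cascade predicate compares against a scalar subquery, `p.grantee_id = (select role_id from ... where grantee_name = '%s')`, which only works when the user holds at most one role; the removed query used `in (select role_name ...)`, which suggests several are possible. Use `or p.grantee_id in (select role_id from ...)`, and start the fragment with a space, since the preceding append ends with the closing quote. The literals `-1` and `-2` would read better as named constants (presumably the public ID and an ID that never matches). `char buf[authList.length() + 100]` in the `getComponents` case at the top of the hunk is a variable-length stack array sized by the role list; appending to `privWhereClause` directly, as the later cascade branch does, avoids it. The enclosing `work()` switch starts and ends outside the hunk.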
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/generator/GenRelExeUtil.cpp
----------------------------------------------------------------------
diff --git a/core/sql/generator/GenRelExeUtil.cpp b/core/sql/generator/GenRelExeUtil.cpp
index 1822725..eeaaacb 100644
--- a/core/sql/generator/GenRelExeUtil.cpp
+++ b/core/sql/generator/GenRelExeUtil.cpp
@@ -2187,6 +2187,7 @@ short ExeUtilGetMetadataInfo::codeGen(Generator * generator)
(ausStr == "EXTERNAL"))
gm_exe_util_tdb->setExternalObjs(TRUE);
gm_exe_util_tdb->setGetVersion(getVersion_);
+ gm_exe_util_tdb->setCascade(cascade_);
if ((queryType == ComTdbExeUtilGetMetadataInfo::PARTITIONS_FOR_TABLE_) ||
(queryType == ComTdbExeUtilGetMetadataInfo::PARTITIONS_FOR_INDEX_))
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/optimizer/RelExeUtil.cpp
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/RelExeUtil.cpp b/core/sql/optimizer/RelExeUtil.cpp
index a7ced3c..f593a9a 100644
--- a/core/sql/optimizer/RelExeUtil.cpp
+++ b/core/sql/optimizer/RelExeUtil.cpp
@@ -3059,7 +3059,8 @@ ExeUtilGetMetadataInfo::ExeUtilGetMetadataInfo
param1_((param1 ? *param1 : ""), oHeap),
errorInParams_(FALSE),
hiveObjs_(FALSE),
- hbaseObjs_(FALSE)
+ hbaseObjs_(FALSE),
+ cascade_(FALSE)
{
}
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/optimizer/RelExeUtil.h
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/RelExeUtil.h b/core/sql/optimizer/RelExeUtil.h
index 74d63c0..ba4ff0b 100644
--- a/core/sql/optimizer/RelExeUtil.h
+++ b/core/sql/optimizer/RelExeUtil.h
@@ -1630,6 +1630,9 @@ public:
NABoolean hbaseObjects() { return hbaseObjs_;}
void setHbaseObjects(NABoolean v) { hbaseObjs_ = v; }
+ NABoolean cascade() { return cascade_;}
+ void setCascade(NABoolean v) { cascade_ = v; }
+
private:
NAString ausStr_; // all/user/system objects
NAString infoType_;
@@ -1650,6 +1653,7 @@ private:
NABoolean hiveObjs_;
NABoolean hbaseObjs_;
+ NABoolean cascade_;
};
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/parser/sqlparser.y
----------------------------------------------------------------------
diff --git a/core/sql/parser/sqlparser.y b/core/sql/parser/sqlparser.y
index 3a2b3aa..513c42a 100755
--- a/core/sql/parser/sqlparser.y
+++ b/core/sql/parser/sqlparser.y
@@ -15675,8 +15675,12 @@ exe_util_get_metadata_info :
NAString iof("ON");
NAString objectType("COMPONENT");
CorrName objectName(*$6);
- NABoolean fullDetails = ($8 == COM_CASCADE_DROP_BEHAVIOR)
- ? TRUE : FALSE;
+
+ PtrPlaceHolder * pph = $9;
+ NAString * noHeader = (NAString *)pph->ptr1_;
+ NAString * pattern = (NAString *)pph->ptr2_;
+ NAString * fullyQualNames = (NAString *)pph->ptr3_;
+
ExeUtilGetMetadataInfo * gmi = new (PARSERHEAP())
ExeUtilGetMetadataInfo
( aus // NAString &
@@ -15684,17 +15688,18 @@ exe_util_get_metadata_info :
, iof // NAString &
, objectType // NAString &
, objectName // CorrName &
- , NULL // NAString * pattern
- , fullDetails // NABoolean returnFullyQualNames
+ , pattern // NAString * pattern
+ , (fullyQualNames ? TRUE : FALSE) // NABoolean returnFullyQualNames
, FALSE // NABoolean getVersion
, $7 // NAString * param1
, PARSERHEAP() // CollHeap * oHeap
);
- PtrPlaceHolder * pph = $9;
- NAString * noHeader = (NAString *)pph->ptr1_;
if (noHeader)
gmi->setNoHeader(TRUE);
+
+ if ($8 == COM_CASCADE_DROP_BEHAVIOR)
+ gmi->setCascade(TRUE);
$$ = gmi;
delete $6; // component_name
@@ -15724,8 +15729,11 @@ exe_util_get_metadata_info :
NAString iof("ON");
NAString objectType("COMPONENT");
CorrName objectName(*$6);
- NABoolean fullDetails = ($8 == COM_CASCADE_DROP_BEHAVIOR)
- ? TRUE : FALSE;
+
+ PtrPlaceHolder * pph = $9;
+ NAString * noHeader = (NAString *)pph->ptr1_;
+ NAString * pattern = (NAString *)pph->ptr2_;
+ NAString * fullyQualNames = (NAString *)pph->ptr3_;
ExeUtilGetMetadataInfo * gmi = new (PARSERHEAP())
ExeUtilGetMetadataInfo
@@ -15734,18 +15742,19 @@ exe_util_get_metadata_info :
, iof // NAString &
, objectType // NAString &
, objectName // CorrName &
- , NULL // NAString * pattern
- , fullDetails // NABoolean returnFullyQualNames
+ , pattern // NAString * pattern
+ , (fullyQualNames ? TRUE : FALSE) // NABoolean returnFullyQualNames
, FALSE // NABoolean getVersion
, $7 // NAString * param1
, PARSERHEAP() // CollHeap * oHeap
);
- PtrPlaceHolder * pph = $9;
- NAString * noHeader = (NAString *)pph->ptr1_;
if (noHeader)
gmi->setNoHeader(TRUE);
+ if ($8 == COM_CASCADE_DROP_BEHAVIOR)
+ gmi->setCascade(TRUE);
+
$$ = gmi;
delete $6; // component_name
delete $7; // user_name
[2/2] incubator-trafodion git commit: Merge [TRAFODION-2441] PR-975
user has only select privilege on a table can do ...
Posted by su...@apache.org.
Merge [TRAFODION-2441] PR-975 user has only select privilege on a table can do ...
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/b44e5d0d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/b44e5d0d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/b44e5d0d
Branch: refs/heads/master
Commit: b44e5d0d563bb98441ffd0166853343bb2ec3623
Parents: b5e7300 5374d9d
Author: Suresh Subbiah <su...@apache.org>
Authored: Thu Feb 23 16:57:33 2017 +0000
Committer: Suresh Subbiah <su...@apache.org>
Committed: Thu Feb 23 16:57:33 2017 +0000
----------------------------------------------------------------------
core/sql/comexe/ComTdbExeUtil.h | 7 +-
core/sql/executor/ExExeUtilGet.cpp | 191 ++++++++++++++++++------------
core/sql/generator/GenRelExeUtil.cpp | 1 +
core/sql/optimizer/RelExeUtil.cpp | 3 +-
core/sql/optimizer/RelExeUtil.h | 4 +
core/sql/parser/sqlparser.y | 33 ++++--
6 files changed, 152 insertions(+), 87 deletions(-)
----------------------------------------------------------------------