Posted to commits@trafodion.apache.org by su...@apache.org on 2015/09/01 19:53:49 UTC

[2/4] incubator-trafodion git commit: Changes for JIRA TRAFODION-353, 1200, 1214, and 12

Changes for JIRA TRAFODION-353, 1200, 1214, and 12

1. JIRA Trafodion-353 (Launchpad 1324716):
     .traf_authentication_config syntax errors on blank
     corrected
2. JIRA Trafodion-1200 (Launchpad 1447336):
     DB__ROOTROLE now equivalent to DB__ROOT (completed
     in this delivery).
3. JIRA Trafodion-1214 (Launchpad 1450122):
     LDAPSSL (level 1) now uses TLS_CACERTFILE.

4. JIRA Trafodion-12 - grant revoke enhancements including:

Six new component-level privileges: DML_DELETE, DML_INSERT,
DML_REFERENCES, DML_SELECT, DML_UPDATE, and DML_USAGE.
Authorization IDs granted a DML privilege at the system
(SQL_OPERATIONS component-level) have the privilege
on all objects in the Trafodion database.

Users who have the MANAGE_PRIVILEGE component-level privilege
can also grant "WITH GRANT OPTION" any privilege they have.
In addition, they implicitly grant on behalf of the owner when
the GRANTED BY clause is omitted.  (Mimics DB__ROOT behavior.)

Tracing has been added (but not yet enabled) to better debug
grant and revoke problems.

Column level privilege enforcement has been added and column
level privileges support is enabled.


Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/23e24b4a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/23e24b4a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/23e24b4a

Branch: refs/heads/master
Commit: 23e24b4a0b7657b2dd53ff2c3dff70f071d32ce4
Parents: 5928f31
Author: Roberta Marton <ro...@esgyn.com>
Authored: Fri Aug 28 15:09:08 2015 +0000
Committer: Roberta Marton <ro...@esgyn.com>
Committed: Fri Aug 28 15:09:08 2015 +0000

----------------------------------------------------------------------
 core/dbsecurity/auth/src/ldapconfigfile.cpp     |   8 +-
 core/dbsecurity/auth/src/ldapconfignode.cpp     |  11 +-
 core/sql/optimizer/BindRelExpr.cpp              |  25 +-
 core/sql/optimizer/NARoutine.cpp                |   8 +-
 core/sql/optimizer/NATable.cpp                  |   4 +-
 core/sql/optimizer/OptUtilIncludes.h            |   4 +-
 core/sql/qmscommon/QRLogger.cpp                 |   3 +-
 core/sql/qmscommon/QRLogger.h                   |   3 +-
 core/sql/regress/catman1/EXPECTED129            | 176 ++++------
 core/sql/regress/catman1/EXPECTED133            |   4 +-
 core/sql/regress/catman1/EXPECTED137            | 180 +++++++++-
 core/sql/regress/catman1/TEST137                |   6 +-
 core/sql/sqlcomp/CmpDescribe.cpp                |   3 +-
 core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp       |   3 +-
 core/sql/sqlcomp/PrivMgr.cpp                    |  70 ++++
 core/sql/sqlcomp/PrivMgr.h                      |  11 +
 core/sql/sqlcomp/PrivMgrCommands.cpp            |  13 +-
 core/sql/sqlcomp/PrivMgrCommands.h              |   1 +
 core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp | 289 ++++++++++++++-
 core/sql/sqlcomp/PrivMgrComponentPrivileges.h   |   6 +
 core/sql/sqlcomp/PrivMgrDefs.h                  |  41 ++-
 core/sql/sqlcomp/PrivMgrMD.h                    |  42 +++
 core/sql/sqlcomp/PrivMgrPrivileges.cpp          | 352 +++++++++++++++++--
 core/sql/sqlcomp/PrivMgrPrivileges.h            |   7 +
 core/sql/sqlmxevents/logmxevent_traf.cpp        |  22 ++
 core/sql/sqlmxevents/logmxevent_traf.h          |   7 +
 26 files changed, 1110 insertions(+), 189 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/dbsecurity/auth/src/ldapconfigfile.cpp
----------------------------------------------------------------------
diff --git a/core/dbsecurity/auth/src/ldapconfigfile.cpp b/core/dbsecurity/auth/src/ldapconfigfile.cpp
index 5a9eaee..c895652 100755
--- a/core/dbsecurity/auth/src/ldapconfigfile.cpp
+++ b/core/dbsecurity/auth/src/ldapconfigfile.cpp
@@ -940,15 +940,15 @@ char inBuf[300];
    while (fgets(inBuf,sizeof(inBuf),fp) != NULL)
    {
       lineNumber++;
-      // Skip comment lines
-      if (inBuf[0] == '#' || strlen(inBuf) < 3)  
-         continue;
-      
       // Skip over leading blanks   
       char *ptr = inBuf;
       
       while (*ptr == ' ')
          ptr++;
+    
+      // Skip comment lines
+      if (ptr[0] == '#' || strlen(ptr) < 3)  
+         continue;
       
       // Let's parse that line!   
       if (readingDefaultLines)
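Review bot: The leading-blank loop `while (*ptr == ' ')` skips spaces only, so a comment or empty line indented with a tab still fails the relocated `ptr[0] == '#'` test and reaches the parser; since this file drives authentication configuration, `while (*ptr == ' ' || *ptr == '\t')` would let the skip cover both. Separately, `fgets(inBuf,sizeof(inBuf),fp)` with the 300-byte `inBuf` hands a longer line to the parser in pieces and increments `lineNumber` for each piece, so an over-long line is better rejected with its line number than parsed as if its tail were a new setting. The loop body continues outside the hunk.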

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/dbsecurity/auth/src/ldapconfignode.cpp
----------------------------------------------------------------------
diff --git a/core/dbsecurity/auth/src/ldapconfignode.cpp b/core/dbsecurity/auth/src/ldapconfignode.cpp
index 2fabd96..eda2cdb 100644
--- a/core/dbsecurity/auth/src/ldapconfignode.cpp
+++ b/core/dbsecurity/auth/src/ldapconfignode.cpp
@@ -1603,8 +1603,9 @@ int ldapderef = LDAP_DEREF_ALWAYS;
    }
 // LCOV_EXCL_STOP  
 
-   // startTLS
-   if (self.host_->LDAPConfig_->SSL_Level == YES_TLS)
+   // Setup certificate file
+   if (self.host_->LDAPConfig_->SSL_Level == YES_TLS || 
+       self.host_->LDAPConfig_->SSL_Level == YES_SSL)
    {
       int demand = LDAP_OPT_X_TLS_DEMAND;
       rc = ldap_set_option(ld,LDAP_OPT_X_TLS_REQUIRE_CERT,&demand);
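Review bot: The new comment `// Setup certificate file` undersells what this block does: the visible lines set `LDAP_OPT_X_TLS_REQUIRE_CERT` to `LDAP_OPT_X_TLS_DEMAND`, which is the setting that makes server certificate verification mandatory, now for YES_SSL as well as YES_TLS. Something like `// Require a verified server certificate for both SSL and StartTLS` would say so. The option is set on the `ld` handle; with some libldap versions per-handle TLS settings only take effect once a new TLS context is created for that handle (`LDAP_OPT_X_TLS_NEWCTX`), so it is worth confirming with a test that a YES_SSL connection to a server presenting an untrusted certificate is refused. The rest of the block, presumably including the CA file option, lies between this hunk and the next and is not visible here.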
@@ -1629,7 +1630,11 @@ int ldapderef = LDAP_DEREF_ALWAYS;
          LOG_AUTH_EVENT(DBS_NO_LDAP_SEARCH_CONNECTION,emsMsg); 
          return LD_STATUS_RESOURCE_FAILURE;
       }
-      
+   }   
+   
+   // startTLS
+   if (self.host_->LDAPConfig_->SSL_Level == YES_TLS)
+   {
       rc = ldap_start_tls_s (ld, NULL, NULL);
       if (rc != LDAP_SUCCESS)
       {

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/optimizer/BindRelExpr.cpp
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/BindRelExpr.cpp b/core/sql/optimizer/BindRelExpr.cpp
index 6786f35..7cb7b05 100644
--- a/core/sql/optimizer/BindRelExpr.cpp
+++ b/core/sql/optimizer/BindRelExpr.cpp
@@ -6208,14 +6208,15 @@ ItemExpr * RelRoot::removeAssignmentStTree()
 }
 // LCOV_EXCL_STOP
 
-bool OptSqlTableOpenInfo::checkColPriv(const PrivType privType)
-
+bool OptSqlTableOpenInfo::checkColPriv(const PrivType privType,
+                                       const PrivMgrUserPrivs *pPrivInfo)
 {
+  CMPASSERT (pPrivInfo);
 
   NATable* table = getTable();
   NAString columns = "";
 
-  if (CmpCommon::getDefault(CAT_TEST_BOOL) == DF_OFF || !isColumnPrivType(privType))
+  if (!isColumnPrivType(privType))
   {
     *CmpCommon::diags() << DgSqlCode(-4481)
                         << DgString0(PrivMgrUserPrivs::convertPrivTypeToLiteral(privType).c_str())
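Review bot: checkColPriv now evaluates column privileges against whatever `pPrivInfo` the caller passes while still reading the table from `getTable()`, and nothing states that the two must describe the same object and user. A header comment would pin that down, for example `// pPrivInfo: current user's privileges on this STOI's table; must not be NULL`, and the same wording belongs on the declaration in OptUtilIncludes.h. The only guard is `CMPASSERT (pPrivInfo);` and if that macro can be compiled out in release builds (not visible here), a null pointer would be dereferenced at `hasAnyColPriv`, so an explicit `if (!pPrivInfo) return false;` would make the authorization check fail closed. The function body continues past this hunk.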
@@ -6250,7 +6251,7 @@ bool OptSqlTableOpenInfo::checkColPriv(const PrivType privType)
   }
 
   bool collectColumnNames = false;
-  if (table->getPrivInfo()->hasAnyColPriv(privType))
+  if (pPrivInfo->hasAnyColPriv(privType))
   {
     collectColumnNames = true;
     columns += "(columns:" ; 
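Review bot: The `(columns:` list started here ends up naming the referenced columns the user lacks the privilege on, and it is built whenever `pPrivInfo->hasAnyColPriv(privType)` is true, so a user granted the privilege on one column learns the names of the others from a failed `select *` (the updated EXPECTED129 baseline shows `T1(columns: COL1, COL2)`). If that disclosure is intended, a comment such as `// column names are listed only for users holding the privilege on at least one column` would record the decision next to the code that enforces it. The loop that appends the names starts in the next hunk and runs beyond it.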
@@ -6259,7 +6260,7 @@ bool OptSqlTableOpenInfo::checkColPriv(const PrivType privType)
   for(size_t i = 0; i < colList->entries(); i++)
   {
     size_t columnNumber = (*colList)[i];
-    if (!(table->getPrivInfo()->hasColPriv(privType,columnNumber)))
+    if (!(pPrivInfo->hasColPriv(privType,columnNumber)))
     {
       hasPriv = false;
       if (firstColumn && collectColumnNames)
@@ -6422,7 +6423,9 @@ NABoolean RelRoot::checkPrivileges(BindWA* bindWA)
           *CmpCommon::diags() << DgSqlCode( -4400 );
         return FALSE;
       }
-      retcode = privInterface.getPrivileges( tab->objectUid().get_value(), thisUserID, privInfo);
+      retcode = privInterface.getPrivileges( tab->objectUid().get_value(),
+                                             tab->getObjectType(), thisUserID,
+                                             privInfo);
       cmpSBD.switchBackCompiler();
 
       if (retcode != STATUS_GOOD)
@@ -6442,7 +6445,7 @@ NABoolean RelRoot::checkPrivileges(BindWA* bindWA)
     {
       if (stoi->getPrivAccess((PrivType)i))
       {
-        if (!pPrivInfo->hasPriv((PrivType)i) && !optStoi->checkColPriv((PrivType)i))
+        if (!pPrivInfo->hasPriv((PrivType)i) && !optStoi->checkColPriv((PrivType)i, pPrivInfo))
           RemoveNATableEntryFromCache = TRUE;
         else
           if (insertQIKeys)    
@@ -6542,7 +6545,9 @@ NABoolean RelRoot::checkPrivileges(BindWA* bindWA)
           *CmpCommon::diags() << DgSqlCode( -4400 );
         return FALSE;
       }
-      retcode = privInterface.getPrivileges( tab->objectUid().get_value(), thisUserID, privInfo);
+      retcode = privInterface.getPrivileges( tab->objectUid().get_value(), 
+                                             tab->getObjectType(), thisUserID, 
+                                             privInfo);
       cmpSBD.switchBackCompiler();
 
       if (retcode != STATUS_GOOD)
@@ -6595,7 +6600,9 @@ NABoolean RelRoot::checkPrivileges(BindWA* bindWA)
         *CmpCommon::diags() << DgSqlCode( -4400 );
       return FALSE;
     }
-    retcode = privInterface.getPrivileges(tab->objectUid().get_value(), thisUserID, privInfo);
+    retcode = privInterface.getPrivileges(tab->objectUid().get_value(), 
+                                          COM_SEQUENCE_GENERATOR_OBJECT, 
+                                          thisUserID, privInfo);
     cmpSBD.switchBackCompiler();
     if (retcode != STATUS_GOOD)
     {
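Review bot: This call hard-codes `COM_SEQUENCE_GENERATOR_OBJECT` while the two earlier getPrivileges calls in checkPrivileges pass `tab->getObjectType()`. If `tab` in this branch can only be a sequence generator the constant is correct, but that is not visible in the hunk, and since the object type presumably selects which privileges are evaluated, a one-line comment such as `// tab is always a sequence generator in this branch` (or passing `tab->getObjectType()` here too) would keep the three call sites from drifting apart. checkPrivileges starts and ends outside the hunk.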

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/optimizer/NARoutine.cpp
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/NARoutine.cpp b/core/sql/optimizer/NARoutine.cpp
index 3233912..d6f9aa1 100644
--- a/core/sql/optimizer/NARoutine.cpp
+++ b/core/sql/optimizer/NARoutine.cpp
@@ -673,8 +673,12 @@ void NARoutine::setupPrivInfo(void)
 
   // gather privileges
   std::vector <ComSecurityKey *> secKeyVec;
-  if (STATUS_GOOD != privInterface.getPrivileges(objectUID_, ComUser::getCurrentUser(),
-                                    *privInfo_, &secKeyVec))
+  ComObjectType objectType = (UDRType_ == COM_PROCEDURE_TYPE ? 
+                              COM_STORED_PROCEDURE_OBJECT : 
+                              COM_USER_DEFINED_ROUTINE_OBJECT);
+  if (STATUS_GOOD != privInterface.getPrivileges(objectUID_, objectType,
+                                                 ComUser::getCurrentUser(),
+                                                 *privInfo_, &secKeyVec))
   {
     NADELETE(privInfo_, PrivMgrUserPrivs, heap_);
     privInfo_ = NULL;

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/optimizer/NATable.cpp
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/NATable.cpp b/core/sql/optimizer/NATable.cpp
index 2c4745f..1074a0f 100644
--- a/core/sql/optimizer/NATable.cpp
+++ b/core/sql/optimizer/NATable.cpp
@@ -6817,8 +6817,8 @@ void NATable::setupPrivInfo()
       return;
     }
   if (testError || (STATUS_GOOD !=
-       privInterface.getPrivileges(objectUid().get_value(), thisUserID,
-                                    *privInfo_, &secKeyVec)))
+       privInterface.getPrivileges(objectUid().get_value(), objectType_,
+                                   thisUserID, *privInfo_, &secKeyVec)))
   {
     if (testError)
 #ifndef NDEBUG

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/optimizer/OptUtilIncludes.h
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/OptUtilIncludes.h b/core/sql/optimizer/OptUtilIncludes.h
index 2f9e9c2..9f72ab4 100644
--- a/core/sql/optimizer/OptUtilIncludes.h
+++ b/core/sql/optimizer/OptUtilIncludes.h
@@ -67,7 +67,9 @@ public:
     { if (!updateColList_.contains(col)) updateColList_.insert(col); }
   void addSelectColumn(Lng32 col) 
     { if (!selectColList_.contains(col)) selectColList_.insert(col); }
-  bool checkColPriv(const PrivType privType);
+  bool checkColPriv(
+   const PrivType privType,
+   const PrivMgrUserPrivs *pPrivInfo);
   
 private:
   SqlTableOpenInfo * stoi_;

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/qmscommon/QRLogger.cpp
----------------------------------------------------------------------
diff --git a/core/sql/qmscommon/QRLogger.cpp b/core/sql/qmscommon/QRLogger.cpp
index 859243b..e108e6e 100644
--- a/core/sql/qmscommon/QRLogger.cpp
+++ b/core/sql/qmscommon/QRLogger.cpp
@@ -50,6 +50,7 @@ std::string CAT_SQL_LOB                       = "SQL.LOB";
 std::string CAT_SQL_SSMP                      = "SQL.SSMP";
 std::string CAT_SQL_SSCP                      = "SQL.SSCP";
 std::string CAT_SQL_UDR                       = "SQL.UDR";
+std::string CAT_SQL_PRIVMGR                   = "SQL.PRIVMGR";
 // hdfs
 std::string CAT_SQL_HDFS_JNI_TOP              =  "SQL.HDFS.JniTop";
 std::string CAT_SQL_HDFS_SEQ_FILE_READER      =  "SQL.HDFS.SeqFileReader";
@@ -295,7 +296,6 @@ std::string &QRLogger::getMyDefaultCat()
     case QRL_UDR:
       return CAT_SQL_UDR;
       break;
-
     default:
       return CAT_SQL;   
     }
@@ -359,7 +359,6 @@ void QRLogger::introduceSelf ()
    case QRL_UDR:
       snprintf (msg, 300, "%s,,, A udrserver  process is launched.", procInfo.data());
       break;
-           
     }
 
    LOG4CXX_INFO(myLogger,msg);

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/qmscommon/QRLogger.h
----------------------------------------------------------------------
diff --git a/core/sql/qmscommon/QRLogger.h b/core/sql/qmscommon/QRLogger.h
index 47af14a..dd7c6b7 100644
--- a/core/sql/qmscommon/QRLogger.h
+++ b/core/sql/qmscommon/QRLogger.h
@@ -58,6 +58,7 @@ extern std::string CAT_SQL_COMP_XML;
 extern std::string CAT_SQL_EXE;
 extern std::string CAT_SQL_COMP;
 extern std::string CAT_SQL_ESP;
+extern std::string CAT_SQL_PRIVMGR;
 
 // HDFS
 extern std::string CAT_SQL_HDFS_JNI_TOP;
@@ -169,7 +170,7 @@ public:
     QRL_LOB,
     QRL_SSMP,
     QRL_SSCP,
-    QRL_UDR
+    QRL_UDR 
   };
 
   /**

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/regress/catman1/EXPECTED129
----------------------------------------------------------------------
diff --git a/core/sql/regress/catman1/EXPECTED129 b/core/sql/regress/catman1/EXPECTED129
index a4ee264..36f0835 100644
--- a/core/sql/regress/catman1/EXPECTED129
+++ b/core/sql/regress/catman1/EXPECTED129
@@ -220,7 +220,7 @@ End of MXCI Session
 >>-- As user1, should fail
 >>select * from us4.t1 ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL1, COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
@@ -244,13 +244,13 @@ End of MXCI Session
 
 >>update us4.v1 set vc2 = vc1 ;
 
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.V1.
+*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.V1(columns: VC2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>insert into us4.v1(vc1,vc2) values (10,10) ;
 
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.V1.
+*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.V1(columns: VC2).
 
 *** ERROR[8822] The statement was not prepared.
 
@@ -258,19 +258,16 @@ End of MXCI Session
 >>-- As user1, should succeed
 >>update us4.t1 set col3 = 2 ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 4 row(s) updated.
 >>select * from us4.v1 order by vc1;
 
 VC1          VC2          VC3        
 -----------  -----------  -----------
 
-          1            1            1
+          1            1            2
           2            2            2
-          5            5            5
-          7            7            7
+          5            5            2
+          7            7            2
 
 --- 4 row(s) selected.
 >>insert into us4.t2 values (5,5,5);
@@ -278,16 +275,10 @@ VC1          VC2          VC3
 --- 1 row(s) inserted.
 >>update us4.v1 set vc1 = vc1 ;
 
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.V1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 4 row(s) updated.
 >>insert into us4.v1(vc1) values (10) ;
 
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.V1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 1 row(s) inserted.
 >>
 >>delete all from table(querycache()) ;
 
@@ -321,7 +312,7 @@ select * from table(natablecache()) ;
 >>-- As user1, should fail
 >>select * from us4.t1 ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL1, COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
@@ -345,13 +336,13 @@ select * from table(natablecache()) ;
 
 >>update us4.v1 set vc2 = vc1 ;
 
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.V1.
+*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.V1(columns: VC2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>insert into us4.v1(vc1,vc2) values (10,10) ;
 
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.V1.
+*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.V1(columns: VC2).
 
 *** ERROR[8822] The statement was not prepared.
 
@@ -359,21 +350,19 @@ select * from table(natablecache()) ;
 >>-- As user1, should succeed
 >>update us4.t1 set col3 = 2 ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 5 row(s) updated.
 >>select * from us4.v1 order by vc1;
 
 VC1          VC2          VC3        
 -----------  -----------  -----------
 
-          1            1            1
+          1            1            2
           2            2            2
-          5            5            5
-          7            7            7
+          5            5            2
+          7            7            2
+         10            ?            2
 
---- 4 row(s) selected.
+--- 5 row(s) selected.
 >>insert into us4.t2 values (5,5,5);
 
 *** ERROR[8102] The operation is prevented by a unique constraint.
@@ -381,16 +370,12 @@ VC1          VC2          VC3
 --- 0 row(s) inserted.
 >>update us4.v1 set vc1 = vc1 ;
 
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.V1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 5 row(s) updated.
 >>insert into us4.v1(vc1) values (10) ;
 
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.V1.
-
-*** ERROR[8822] The statement was not prepared.
+*** ERROR[8102] The operation is prevented by a unique constraint.
 
+--- 0 row(s) inserted.
 >>
 >>delete all from table(querycache()) ;
 
@@ -442,7 +427,7 @@ select * from table(natablecache()) ;
 
 >>insert into us4.t2 values (1,1,1);
 
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.T2.
+*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.T2(columns: C).
 
 *** ERROR[8822] The statement was not prepared.
 
@@ -450,50 +435,40 @@ select * from table(natablecache()) ;
 >>-- As user2, should succeed
 >>update us4.t1 set col3 = 4 ;
 
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 5 row(s) updated.
 >>update us4.t1 set col2 = 3 ;
 
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 5 row(s) updated.
 >>select * from us4.t1 order by col1;
 
 COL1         COL2         COL3       
 -----------  -----------  -----------
 
-          1            1            1
-          2            2            2
-          5            5            5
-          7            7            7
+          1            3            4
+          2            3            4
+          5            3            4
+          7            3            4
+         10            3            4
 
---- 4 row(s) selected.
+--- 5 row(s) selected.
 >>insert into us4.t2(a,b) values (1,1);
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T2.
-
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.T2.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 1 row(s) inserted.
 >>log;
 >>-- as user3
 >>insert into us4.t2(a,b) values (2,2) ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T2.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T2(columns: B).
 
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.T2.
+*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.T2(columns: B).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>update us4.t1 set col2 = col1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
@@ -501,117 +476,118 @@ COL1         COL2         COL3
 >>
 >>insert into us4.t2(a) values (3) ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T2.
-
-*** ERROR[4481] The user does not have INSERT privilege on table or view TRAFODION.US4.T2.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 1 row(s) inserted.
 >>update us4.t1 set col1 = col1 + 1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[4481] The user does not have UPDATE privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 5 row(s) updated.
 >>
 >>select col1 from us4.t1 order by 1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+COL1       
+-----------
 
-*** ERROR[8822] The statement was not prepared.
+          2
+          3
+          6
+          8
+         11
 
+--- 5 row(s) selected.
 >>select col2 from us4.t1 ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>
 >>select col1 from us4.t1 where col2 > 100;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>select col1 from us4.t1 where col1 > 100 order by 1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 0 row(s) selected.
 >>
 >>select count(*), min(col1) from us4.t1 group by col2;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>select count(*), min(col1) from us4.t1 group by col1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+(EXPR)                (EXPR)     
+--------------------  -----------
 
-*** ERROR[8822] The statement was not prepared.
+                   1            2
+                   1            3
+                   1            6
+                   1            8
+                   1           11
 
+--- 5 row(s) selected.
 >>
 >>select count(*) from us4.t1 group by col1 having min(col2) > 10;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>select count(*) from us4.t1 group by col1 having min(col1) > 10;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+(EXPR)              
+--------------------
 
-*** ERROR[8822] The statement was not prepared.
+                   1
 
+--- 1 row(s) selected.
 >>
 >>select x from us4.t1 transpose col2 as x;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>select x from us4.t1 transpose col1 as x order by 1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+X          
+-----------
 
-*** ERROR[8822] The statement was not prepared.
+          2
+          3
+          6
+          8
+         11
 
+--- 5 row(s) selected.
 >>
 >>select col1 from us4.t1 sample random balance 
 +>when col2 = 1 then 100 percent else 0 percent end;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>select col1 from us4.t1 sample random balance 
 +>when col1 = 1 then 100 percent else 0 percent end order by 1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 0 row(s) selected.
 >>
 >>select col1 from us4.t1 where exists (select 1 from (values (us4.t1.col2)) t2(x) where t2.x = 100);
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2).
 
 *** ERROR[8822] The statement was not prepared.
 
 >>select col1 from us4.t1 where exists (select 1 from (values (us4.t1.col1)) t2(x) where t2.x = 100) order by 1;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
-
-*** ERROR[8822] The statement was not prepared.
-
+--- 0 row(s) selected.
 >>
 >>select * from us4.t1 ;
 
-*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1.
+*** ERROR[4481] The user does not have SELECT privilege on table or view TRAFODION.US4.T1(columns: COL2, COL3).
 
 *** ERROR[8822] The statement was not prepared.
 

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/regress/catman1/EXPECTED133
----------------------------------------------------------------------
diff --git a/core/sql/regress/catman1/EXPECTED133 b/core/sql/regress/catman1/EXPECTED133
index f1a48d7..4bd4913 100644
--- a/core/sql/regress/catman1/EXPECTED133
+++ b/core/sql/regress/catman1/EXPECTED133
@@ -318,7 +318,7 @@ SCHEMA_PRIVILEGES
 (EXPR)              
 --------------------
 
-                  50
+                  57
 
 --- 1 row(s) selected.
 >>select count (*) from component_privileges;
@@ -326,7 +326,7 @@ SCHEMA_PRIVILEGES
 (EXPR)              
 --------------------
 
-                 102
+                 116
 
 --- 1 row(s) selected.
 >>execute get_owner_privs;

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/regress/catman1/EXPECTED137
----------------------------------------------------------------------
diff --git a/core/sql/regress/catman1/EXPECTED137 b/core/sql/regress/catman1/EXPECTED137
index f16fb97..41c5ebd 100755
--- a/core/sql/regress/catman1/EXPECTED137
+++ b/core/sql/regress/catman1/EXPECTED137
@@ -586,15 +586,11 @@ LIBRARY_USERS         LIB_VIEW_USERS        SQL_USER3
 >>revoke grant option for component privilege lib_view_repository
 +>  on library_books from DB__ROOTROLE;
 
-*** ERROR[1025] Request failed.  Dependent object  exists.
-
---- SQL operation failed with errors.
+--- SQL operation complete.
 >>revoke component privilege lib_view_repository
 +>  on library_books from DB__ROOTROLE;
 
-*** ERROR[1025] Request failed.  Dependent object  exists.
-
---- SQL operation failed with errors.
+--- SQL operation complete.
 >>
 >>-- error: specify the same privilege twice
 >>grant component privilege lib_view_repository,
@@ -1308,6 +1304,90 @@ CREATE COMPONENT PRIVILEGE MANAGE_USERS AS 'MU' ON SQL_OPERATIONS SYSTEM DETAIL
  WITH GRANT OPTION;
 
 
+CREATE COMPONENT PRIVILEGE DML_DELETE AS 'PD' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to delete rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_DELETE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_DELETE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_EXECUTE AS 'PE' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to execute functions';
+
+--  GRANT COMPONENT PRIVILEGE DML_EXECUTE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_EXECUTE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_USAGE AS 'PG' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to use libraries and sequences';
+
+--  GRANT COMPONENT PRIVILEGE DML_USAGE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_USAGE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_INSERT AS 'PI' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to insert rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_INSERT
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_INSERT
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_REFERENCES AS 'PR' ON SQL_OPERATIONS SYSTEM
+  DETAIL 'Allow grantee to reference columns';
+
+--  GRANT COMPONENT PRIVILEGE DML_REFERENCES
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_REFERENCES
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_SELECT AS 'PS' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to select rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_SELECT
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_SELECT
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_UPDATE AS 'PU' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to update rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_UPDATE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_UPDATE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
 CREATE COMPONENT PRIVILEGE QUERY_ACTIVATE AS 'QA' ON SQL_OPERATIONS SYSTEM
   DETAIL 'Allow grantee to activate queries';
 
@@ -2055,6 +2135,90 @@ CREATE COMPONENT PRIVILEGE MANAGE_USERS AS 'MU' ON SQL_OPERATIONS SYSTEM DETAIL
  WITH GRANT OPTION;
 
 
+CREATE COMPONENT PRIVILEGE DML_DELETE AS 'PD' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to delete rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_DELETE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_DELETE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_EXECUTE AS 'PE' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to execute functions';
+
+--  GRANT COMPONENT PRIVILEGE DML_EXECUTE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_EXECUTE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_USAGE AS 'PG' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to use libraries and sequences';
+
+--  GRANT COMPONENT PRIVILEGE DML_USAGE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_USAGE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_INSERT AS 'PI' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to insert rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_INSERT
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_INSERT
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_REFERENCES AS 'PR' ON SQL_OPERATIONS SYSTEM
+  DETAIL 'Allow grantee to reference columns';
+
+--  GRANT COMPONENT PRIVILEGE DML_REFERENCES
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_REFERENCES
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_SELECT AS 'PS' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to select rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_SELECT
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_SELECT
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
+CREATE COMPONENT PRIVILEGE DML_UPDATE AS 'PU' ON SQL_OPERATIONS SYSTEM DETAIL
+  'Allow grantee to update rows';
+
+--  GRANT COMPONENT PRIVILEGE DML_UPDATE
+ ON SQL_OPERATIONS TO DB__ROOT
+ WITH GRANT OPTION;
+
+ GRANT COMPONENT PRIVILEGE DML_UPDATE
+ ON SQL_OPERATIONS TO DB__ROOTROLE
+ WITH GRANT OPTION;
+
+
 CREATE COMPONENT PRIVILEGE QUERY_ACTIVATE AS 'QA' ON SQL_OPERATIONS SYSTEM
   DETAIL 'Allow grantee to activate queries';
 
@@ -2317,9 +2481,7 @@ drop component privilege lib_view_benefactors cascade;
 >>revoke component privilege lib_view_repository
 +>on library_books from sql_user3;
 
-*** ERROR[1025] Request failed.  Dependent object  exists.
-
---- SQL operation failed with errors.
+--- SQL operation complete.
 >>log;
 >>unregister component Library_books cascade;
 

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/regress/catman1/TEST137
----------------------------------------------------------------------
diff --git a/core/sql/regress/catman1/TEST137 b/core/sql/regress/catman1/TEST137
index 2de3a3c..2080a44 100755
--- a/core/sql/regress/catman1/TEST137
+++ b/core/sql/regress/catman1/TEST137
@@ -54,9 +54,9 @@ obey TEST137(drop_privs);
 
 log;
 -- run tests as different users
-sh sh runmxci.ksh -i "TEST137(user1_tests)" -u sql_user1;
-sh sh runmxci.ksh -i "TEST137(user4_tests)" -u sql_user4;;
-sh sh runmxci.ksh -i "TEST137(user5_tests)" -u sql_user5;
+sh sqlci -i "TEST137(user1_tests)" -u sql_user1;
+sh sqlci -i "TEST137(user4_tests)" -u sql_user4;;
+sh sqlci -i "TEST137(user5_tests)" -u sql_user5;
 
 -- test the SQL_OPERATIONS privilege
 log LOG137;

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/CmpDescribe.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpDescribe.cpp b/core/sql/sqlcomp/CmpDescribe.cpp
index b422822..fd2392b 100644
--- a/core/sql/sqlcomp/CmpDescribe.cpp
+++ b/core/sql/sqlcomp/CmpDescribe.cpp
@@ -2642,6 +2642,7 @@ short CmpDescribeSeabaseTable (
           }
  
           PrivStatus retcode = privInterface.getPrivileges((int64_t)naTable->objectUid().get_value(),
+                                                           naTable->getObjectType(),
                                                            ComUser::getCurrentUser(),
                                                            privs);
 
@@ -3560,7 +3561,7 @@ PrivMgrCommands privInterface(privMgrMDLoc.data(),CmpCommon::diags());
         return -1  ;
       }
 
-      PrivStatus retcode = privInterface.getPrivileges(libraryUID, 
+      PrivStatus retcode = privInterface.getPrivileges(libraryUID, COM_LIBRARY_OBJECT, 
                                                        ComUser::getCurrentUser(), 
                                                        privs);
 

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp b/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp
index 7983e5b..726156f 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp
+++ b/core/sql/sqlcomp/CmpSeabaseDDLroutine.cpp
@@ -799,7 +799,8 @@ void CmpSeabaseDDL::createSeabaseRoutine(
       CONCAT_CATSCH(privMgrMDLoc, getSystemCatalog(), SEABASE_PRIVMGR_SCHEMA);
       PrivMgrCommands privInterface(privMgrMDLoc.data(), CmpCommon::diags());
       PrivMgrUserPrivs privs;
-      PrivStatus retcode = privInterface.getPrivileges(libUID, ComUser::getCurrentUser(), privs);
+      PrivStatus retcode = privInterface.getPrivileges(libUID, COM_LIBRARY_OBJECT, 
+                                                       ComUser::getCurrentUser(), privs);
       if (retcode != STATUS_GOOD)
         {
           if (CmpCommon::diags()->getNumber(DgSqlCode::ERROR_) == 0)

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgr.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgr.cpp b/core/sql/sqlcomp/PrivMgr.cpp
index 170ae83..446e38e 100644
--- a/core/sql/sqlcomp/PrivMgr.cpp
+++ b/core/sql/sqlcomp/PrivMgr.cpp
@@ -46,6 +46,8 @@
 #include "CmpCommon.h"
 #include "CmpContext.h"
 #include "CmpDDLCatErrorCodes.h"
+#include "logmxevent_traf.h"
+
 
 // ==========================================================================
 // Contains non inline methods in the following classes
@@ -290,6 +292,13 @@ const char * PrivMgr::getSQLOperationName(SQLOperation operation)
       case SQLOperation::CREATE_TABLE: return "CREATE_TABLE";
       case SQLOperation::CREATE_TRIGGER: return "CREATE_TRIGGER";
       case SQLOperation::CREATE_VIEW: return "CREATE_VIEW";
+      case SQLOperation::DML_DELETE: return "DML_DELETE";
+      case SQLOperation::DML_EXECUTE: return "DML_EXECUTE";
+      case SQLOperation::DML_INSERT: return "DML_INSERT";
+      case SQLOperation::DML_REFERENCES: return "DML_REFERENCES";
+      case SQLOperation::DML_SELECT: return "DML_SELECT";
+      case SQLOperation::DML_UPDATE: return "DML_UPDATE";
+      case SQLOperation::DML_USAGE: return "DML_USAGE";
       case SQLOperation::DROP: return "DROP";
       case SQLOperation::DROP_CATALOG: return "DROP_CATALOG";
       case SQLOperation::DROP_INDEX: return "DROP_INDEX";
@@ -376,6 +385,13 @@ const char * PrivMgr::getSQLOperationCode(SQLOperation operation)
       case SQLOperation::CREATE_TABLE: return "CT";
       case SQLOperation::CREATE_TRIGGER: return "CG";
       case SQLOperation::CREATE_VIEW: return "CV";
+      case SQLOperation::DML_DELETE: return "PD";
+      case SQLOperation::DML_EXECUTE: return "PE";
+      case SQLOperation::DML_INSERT: return "PI";
+      case SQLOperation::DML_REFERENCES: return "PR";
+      case SQLOperation::DML_SELECT: return "PS";
+      case SQLOperation::DML_UPDATE: return "PU";
+      case SQLOperation::DML_USAGE: return "PG";
       case SQLOperation::DROP: return "D0";
       case SQLOperation::DROP_CATALOG: return "DC";
       case SQLOperation::DROP_INDEX: return "DI";
@@ -465,6 +481,13 @@ const char * PrivMgr::getSQLOperationDescription(SQLOperation operation)
       case SQLOperation::CREATE_TABLE: return "Allow grantee to create tables";
       case SQLOperation::CREATE_TRIGGER: return "Allow grantee to create triggers";
       case SQLOperation::CREATE_VIEW: return "Allow grantee to create views";
+      case SQLOperation::DML_DELETE: return "Allow grantee to delete rows";
+      case SQLOperation::DML_EXECUTE: return "Allow grantee to execute functions";
+      case SQLOperation::DML_INSERT: return "Allow grantee to insert rows";
+      case SQLOperation::DML_REFERENCES: return "Allow grantee to reference columns";
+      case SQLOperation::DML_SELECT: return "Allow grantee to select rows";
+      case SQLOperation::DML_UPDATE: return "Allow grantee to update rows";
+      case SQLOperation::DML_USAGE: return "Allow grantee to use libraries and sequences";
       case SQLOperation::DROP: return "Allow grantee to drop database objects";
       case SQLOperation::DROP_CATALOG: return "Allow grantee to drop catalogs";
       case SQLOperation::DROP_INDEX: return "Allow grantee to drop indexes";
@@ -829,6 +852,7 @@ ComObjectType PrivMgr::ObjectLitToEnum(const char *objectLiteral)
    return COM_UNKNOWN_OBJECT;
    
 }
+
 //********************* End of PrivMgr::ObjectLitToEnum ************************
 
 
@@ -894,3 +918,49 @@ void PrivMgr::setFlags()
   SQL_EXEC_SetParserFlagsForExSqlComp_Internal(INTERNAL_QUERY_FROM_EXEUTIL);
 }
 
+// ----------------------------------------------------------------------------
+// method::log
+//
+// sends a message to log4cxx implementation designed by SQL
+//
+// Input:
+//    filename - code file that is performing the request 
+//    message  - the message to log
+//    index    - index for logging that loops through a list
+//
+// Background
+//   Privilege manager code sets up a message and calls this log method
+//   This method calls SQLMXLoggingArea::logPrivMgrInfo described in 
+//      sqlmxevents/logmxevent_traf (.h & .cpp)
+//   logPrivMgInfo is a wrapper class around qmscommon/QRLogger (.h & .cpp)
+//      log method
+//   QRLogger generates a message calls the log method in 
+//      sqf/commonLogger/CommonLogger (.h & .cpp) 
+//   CommonLogger interfaces with the log4cxx code which eventually puts
+//      a message into a log file called ../sqf/logs/master_exec_0_pid.log.  
+//      A new master log is created for each new SQL process started.
+//
+// Sometimes it is amazing that things actually work with all these levels
+// of interfaces.  Perhaps we can skip a few levels...  
+// ----------------------------------------------------------------------------
+void PrivMgr::log(
+  const std::string filename,
+  const std::string message,
+  const int_32 index)
+{ 
+  // for now, don't log
+  return;
+
+  std::string logMessage (filename);
+  logMessage += ": ";
+  logMessage += message;
+  if (index >= 0)
+  {
+    logMessage += ", index level is ";
+    logMessage += to_string((long long int)index); 
+  }
+
+  SQLMXLoggingArea::logPrivMgrInfo("Privilege Manager", 0, logMessage.c_str(), 0);
+  
+}
+
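Review bot: Everything after the unconditional `return;` at the top of `PrivMgr::log` is unreachable, so the message assembly and the `SQLMXLoggingArea::logPrivMgrInfo` call are never exercised and will draw unreachable-code warnings. If tracing is meant to stay off for now, put the body behind a switch that can be flipped (a build macro or a static flag) instead of an early return. Both string parameters are taken by value, so every caller copies `filename` and `message` even while logging is disabled; `const std::string & filename, const std::string & message` here and in the PrivMgr.h declaration avoids that. Once enabled, the messages will presumably carry grantor, grantee and privilege detail into the master log, so the header comment should state who is expected to be able to read that file.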

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgr.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgr.h b/core/sql/sqlcomp/PrivMgr.h
index e17f2c2..e710d5a 100644
--- a/core/sql/sqlcomp/PrivMgr.h
+++ b/core/sql/sqlcomp/PrivMgr.h
@@ -67,6 +67,12 @@ class PrivMgr
                             UNKNOWN_TABLE               = 37
                           };
 
+    enum PrivCommand { GRANT_OBJECT           = 30,
+                       REVOKE_OBJECT_RESTRICT = 31,
+                       REVOKE_OBJECT_CASCADE  = 32,
+                       UNKNOWN_PRIV_COMMAND   = 33
+                     };
+
     // -------------------------------------------------------------------
     // Static functions:
     // -------------------------------------------------------------------
@@ -142,6 +148,11 @@ class PrivMgr
        std::vector<PrivClass> privClasses);
     void resetFlags();
     void setFlags();
+    void log(
+      const std::string filename,
+      const std::string message,
+      const int_32 index);
+
 
   protected:
   // Returns status of privilege manager metadata

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgrCommands.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrCommands.cpp b/core/sql/sqlcomp/PrivMgrCommands.cpp
index 7ea1055..7f985a0 100644
--- a/core/sql/sqlcomp/PrivMgrCommands.cpp
+++ b/core/sql/sqlcomp/PrivMgrCommands.cpp
@@ -404,6 +404,7 @@ PrivStatus PrivMgrCommands::getGrantorDetailsForObject(
 //
 // Input:
 //     objectUID - a unique object identifier
+//     objectType - the type of the object
 //     objectName - the name of the object
 //     privilegeText - the resultant grant text
 //     secKeySet - the security keys for the object/user
@@ -413,6 +414,7 @@ PrivStatus PrivMgrCommands::getGrantorDetailsForObject(
 // ----------------------------------------------------------------------------
 PrivStatus PrivMgrCommands::getPrivileges(
   const int64_t objectUID,
+  ComObjectType objectType,
   const int32_t userID,
   PrivMgrUserPrivs &userPrivs,
   std::vector <ComSecurityKey *>* secKeySet)
@@ -426,7 +428,8 @@ PrivStatus PrivMgrCommands::getPrivileges(
   if (authorizationEnabled())
   {
     PrivMgrPrivileges objectPrivs (metadataLocation_, pDiags_);
-    PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser(objectUID, 
+    PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser(objectUID,
+                                                             objectType, 
                                                              userID, 
                                                              objPrivs, 
                                                              grantablePrivs,
@@ -490,7 +493,7 @@ PrivStatus privStatus = STATUS_GOOD;
    try
    {
       PrivMgrPrivileges objectPrivileges(objectUID,getMetadataLocation(),pDiags_);
-      privStatus = objectPrivileges.getPrivRowsForObject(objectPrivsRows);
+      privStatus = objectPrivileges.getPrivRowsForObject(objectUID, objectPrivsRows);
    }
 
    catch (...)
@@ -875,7 +878,7 @@ PrivStatus privStatus = STATUS_GOOD;
    {
       PrivMgrPrivileges objectPrivileges(objectUID, getMetadataLocation(),pDiags_);
       
-      privStatus = objectPrivileges.insertPrivRowsForObject(objectPrivsRows);
+      privStatus = objectPrivileges.insertPrivRowsForObject(objectUID, objectPrivsRows);
    }
 
    catch (...)
@@ -1046,8 +1049,8 @@ PrivStatus privStatus = STATUS_GOOD;
       privStatus = componentPrivileges.revokePrivilege(componentName,
                                                        operationNamesList,
                                                        grantorID,
-                                                       granteeID,0,
-                                                       isGOFSpecified,
+                                                       granteeID,
+                                                       isGOFSpecified, 0,
                                                        dropBehavior);
    }
 
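Review bot: The swapped positions of `isGOFSpecified` and the literal `0` in this `revokePrivilege` call depend on a signature change that is not visible in this hunk. Because `bool` and integer arguments convert to each other implicitly, a caller that was not reordered still compiles and silently passes the grant-option flag where the other value belongs. Check every call site of `revokePrivilege`, and name the literal at the call, e.g. `isGOFSpecified, /* <parameter name> */ 0,`, so the order can be read without the header. The enclosing function starts and ends outside the hunk.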

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgrCommands.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrCommands.h b/core/sql/sqlcomp/PrivMgrCommands.h
index 65963a1..ae1a1f6 100644
--- a/core/sql/sqlcomp/PrivMgrCommands.h
+++ b/core/sql/sqlcomp/PrivMgrCommands.h
@@ -460,6 +460,7 @@ public:
 
    PrivStatus getPrivileges(
       const int64_t objectUID,
+      ComObjectType objectType,
       const int32_t granteeUID,
       PrivMgrUserPrivs &userPrivileges,
       std::vector <ComSecurityKey *>* secKeySet = NULL);

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
index 172353a..9b3a13f 100644
--- a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
+++ b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
@@ -21,7 +21,8 @@
 // @@@ END COPYRIGHT @@@
 //*****************************************************************************
 #include "PrivMgrComponentPrivileges.h"
-  
+
+#include "PrivMgrDefs.h"  
 #include "PrivMgrMD.h"
 #include "PrivMgrMDTable.h"
 #include "PrivMgrComponents.h"
@@ -44,8 +45,22 @@
 #include "CmpDDLCatErrorCodes.h"
 #include "ComUser.h"
 
+static bool isSQLDMLPriv(
+   const int64_t componentUID,
+   const std::string operationCode);
+
 namespace ComponentPrivileges 
 {
+
+class DMLPrivData
+{
+public:
+   int32_t                granteeID_;
+   std::vector<int32_t>   roleIDs_;
+   PrivObjectBitmap       DMLBitmap_;
+   bool                   managePrivileges_;
+};
+
 // *****************************************************************************
 // * Class:        MyRow
 // * Description:  This class represents a row in the COMPONENT_PRIVILEGES table.
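Review bot: `DMLPrivData` declares `granteeID_` and `managePrivileges_` without initializers and has no constructor, so unless every `MyTable` constructor value-initializes `userDMLPrivs_` (not visible here) the first cache comparison in `MyTable::fetchDMLPrivInfo` reads an indeterminate `granteeID_`. A chance match with an empty role list would return an indeterminate `managePrivileges_` as the caller's MANAGE_PRIVILEGES answer. Give the class a constructor that sets `granteeID_` to a value no real authorization ID can take and `managePrivileges_(false)`, or add an explicit valid flag that the cache check tests first.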
@@ -109,7 +124,12 @@ public:
     
    inline void clear() { lastRowRead_.clear(); };
       
-   
+   PrivStatus fetchDMLPrivInfo(
+      const int32_t                granteeID,
+      const std::vector<int32_t> & roleIDs,
+      PrivObjectBitmap           & DMLBitmap,
+      bool                       & hasManagePrivileges);
+      
    PrivStatus fetchOwner(
       const int64_t componentUID,
       const std::string & operationCode,
@@ -138,7 +158,7 @@ private:
    MyTable();
    
    MyRow lastRowRead_;
-
+   DMLPrivData userDMLPrivs_;
 };
 }//End namespace ComponentPrivileges
 using namespace ComponentPrivileges;
@@ -532,6 +552,52 @@ PrivStatus privStatus = myTable.selectCountWhere(whereClause,rowCount);
 //***************** End of PrivMgrComponentPrivileges::getCount ****************
 
 
+// *****************************************************************************
+// *                                                                           *
+// * Function: PrivMgrComponentPrivileges::getSQLDMLPrivileges                 *
+// *                                                                           *
+// *    Returns the SQL_OPERATION privileges associated with DML privileges    *
+// * for the specified authorization ID.                                       *
+// *                                                                           *
+// *****************************************************************************
+// *                                                                           *
+// *  Parameters:                                                              *
+// *                                                                           *
+// *  <granteeID>                     const int32_t                   In       *
+// *    is the authorization ID of the grantee.                                *
+// *                                                                           *
+// *  <roleIDs>                       const std::vector<int32_t> &    In       *
+// *    is a list of roleIDs granted to the grantee.                           *
+// *                                                                           *
+// *  <DMLBitmap>                     PrivObjectBitmap &              In       *
+// *    passes back the system-level DML privileges granted to the grantee.    *
+// *                                                                           *
+// *  <hasManagePrivileges>           bool &                          In       *
+// *    passes back if the user has MANAGE_PRIVILEGES authority.               *
+// *                                                                           *
+// *****************************************************************************
+void PrivMgrComponentPrivileges::getSQLDMLPrivileges(
+   const int32_t                granteeID,
+   const std::vector<int32_t> & roleIDs,
+   PrivObjectBitmap           & DMLBitmap,
+   bool                       & hasManagePrivileges)
+
+{
+                                   
+MyTable &myTable = static_cast<MyTable &>(myTable_);
+
+// set pointer in diags area
+int32_t diagsMark = pDiags_->mark();
+
+PrivStatus privStatus = myTable.fetchDMLPrivInfo(granteeID,roleIDs,DMLBitmap,
+                                                 hasManagePrivileges);
+
+   if (privStatus != STATUS_GOOD)
+      pDiags_->rewind(diagsMark);
+
+}
+//************ End of PrivMgrComponentPrivileges::getSQLDMLPrivileges **********
+
 
    
 // *****************************************************************************
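Review bot: On a failed `fetchDMLPrivInfo` this function rewinds the diagnostics and returns `void` without touching `DMLBitmap` or `hasManagePrivileges`, so the caller cannot tell failure from success and keeps whatever those references held before the call. For an authorization lookup the outputs should fail closed: `if (privStatus != STATUS_GOOD) { pDiags_->rewind(diagsMark); DMLBitmap.reset(); hasManagePrivileges = false; }`. The header comment also marks both output parameters as `In`; they are `Out`.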
@@ -1443,6 +1509,15 @@ PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
       
 // *****************************************************************************
 // *                                                                           *
+// *   Expected NOTFOUND, but if empty list returned, return no error.         *
+// *                                                                           *
+// *****************************************************************************
+
+   if (rows.size() == 0)
+      return STATUS_GOOD;
+
+// *****************************************************************************
+// *                                                                           *
 // *   If there are grants and drop behavior is RESTRICT, return an error.     *
 // *                                                                           *
 // *****************************************************************************
@@ -1655,6 +1730,10 @@ PrivStatus privStatus = STATUS_GOOD;
       {
          return STATUS_ERROR;
       }
+      if (isSQLDMLPriv(componentUID,operations[oc]))
+      {   //TODO: QI only supports revoke from objects and users (roles)
+         // Notify QI
+      }
    }
     
 MyTable &myTable = static_cast<MyTable &>(myTable_);
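Review bot: The new `isSQLDMLPriv` branch is empty, so revoking a system-level DML privilege sends no query-invalidation notice. If compiled plans or privilege caches rely on those notices, a grantee may keep using the privilege after the revoke until something else refreshes them (inferred from the TODO; the QI code is not visible here). Until it is implemented, drop the empty `if` so the loop does not call `isSQLDMLPriv` for nothing, and leave a comment that names the tracking issue, e.g. `// TODO(<JIRA id>): notify QI when a DML component privilege is revoked`. The enclosing function starts outside the hunk.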
@@ -1716,12 +1795,208 @@ bool someNotRevoked = false;
   
 }  
 //************* End of PrivMgrComponentPrivileges::revokePrivilege *************
-  
+
+// *****************************************************************************
+//    Private functions
+// *****************************************************************************
+
+// *****************************************************************************
+// *                                                                           *
+// * Function: PrivMgrComponentPrivileges::isSQLDMLPriv                        *
+// *                                                                           *
+// *     This function determines if a component-level privilege is a DML      *
+// *  privilege in the SQL_OPERATIONS component.                               *
+// *                                                                           *
+// *****************************************************************************
+// *                                                                           *
+// *  Parameters:                                                              *
+// *                                                                           *
+// *  <componentUID>                  const int64_t                   In       *
+// *    is the unique ID associated with the component.                        *
+// *                                                                           *
+// *  <operationCode>                 const std::string &             In       *
+// *    is the two character code associated with the component operation.     *
+// *                                                                           *
+// *****************************************************************************
+// *                                                                           *
+// * Returns: bool                                                             *
+// *                                                                           *
+// * true: This is a SQL_OPERATION DML privilege.                              *
+// * false: This is NOT a SQL_OPERATION DML privilege.                         *
+// *                                                                           *
+// *****************************************************************************
+static bool isSQLDMLPriv(
+   const int64_t componentUID,
+   const std::string operationCode)
+
+{
+
+   if (componentUID != SQL_OPERATIONS_COMPONENT_UID)
+      return false;
+      
+   for (SQLOperation operation = SQLOperation::FIRST_DML_PRIV;
+        static_cast<int>(operation) <= static_cast<int>(SQLOperation::LAST_DML_PRIV); 
+        operation = static_cast<SQLOperation>(static_cast<int>(operation) + 1))
+   {
+      if (PrivMgr::getSQLOperationCode(operation) == operationCode)
+         return true;
+   }
+
+   return false;
+
+}  
+//***************************** End of isSQLDMLPriv ****************************
+
+
 
 // *****************************************************************************
 //    MyTable methods
 // *****************************************************************************
 
+// *****************************************************************************
+// *                                                                           *
+// * Function: MyTable::fetchDMLPrivInfo                                       *
+// *                                                                           *
+// *    Reads from the COMPONENT_PRIVILEGES table and returns the              * 
+// *    SQL_OPERATIONS privileges associated with DML privileges.              *
+// *                                                                           *
+// *****************************************************************************
+// *                                                                           *
+// *  Parameters:                                                              *
+// *                                                                           *
+// *  <granteeID>                     int32_t &                       In       *
+// *    is the authID whose system-level DML privileges are being fetched.     *
+// *                                                                           *
+// *  <roleIDs>                       const std::vector<int32_t> &    In       *
+// *    is a list of roleIDs granted to the grantee.                           *
+// *                                                                           *
+// *  <DMLBitmap>                     PrivObjectBitmap &              In       *
+// *    passes back the system-level DML privileges granted to the grantee.    *
+// *                                                                           *
+// *  <hasManagePrivileges>           bool &                          In       *
+// *    passes back if the user has MANAGE_PRIVILEGES authority.               *
+// *                                                                           *
+// *****************************************************************************
+// *                                                                           *
+// * Returns: PrivStatus                                                       *
+// *                                                                           *
+// * STATUS_GOOD: Data returned.                                               *
+// *           *: Error encountered.                                           *
+// *                                                                           *
+// *****************************************************************************
+PrivStatus MyTable::fetchDMLPrivInfo(
+   const int32_t                granteeID,
+   const std::vector<int32_t> & roleIDs,
+   PrivObjectBitmap           & DMLBitmap,
+   bool                       & hasManagePrivileges)
+   
+{
+
+// Check the last grantee data read before reading metadata.
+
+   if (userDMLPrivs_.granteeID_ == granteeID && 
+       userDMLPrivs_.roleIDs_ == roleIDs)
+   {
+      DMLBitmap = userDMLPrivs_.DMLBitmap_;
+      hasManagePrivileges = userDMLPrivs_.managePrivileges_;
+      return STATUS_GOOD;
+   } 
+      
+// Not found in cache, look for the priv info in metadata.
+// ??? - is the component_uid for SQL_OPERATIONS always going to be 1?
+std::string whereClause("WHERE COMPONENT_UID = 1 AND OPERATION_CODE IN ('");
+
+   for (SQLOperation operation = SQLOperation::FIRST_DML_PRIV;
+        static_cast<int>(operation) <= static_cast<int>(SQLOperation::LAST_DML_PRIV); 
+        operation = static_cast<SQLOperation>(static_cast<int>(operation) + 1))
+   {
+      whereClause += PrivMgr::getSQLOperationCode(operation);
+      whereClause += "','";
+   }
+
+   whereClause += PrivMgr::getSQLOperationCode(SQLOperation::MANAGE_PRIVILEGES);
+   whereClause += "') AND GRANTEE_ID IN (";
+   whereClause += PrivMgr::authIDToString(granteeID);
+   whereClause += ",";
+   for (size_t ri = 0; ri < roleIDs.size(); ri++)
+   {
+      whereClause += PrivMgr::authIDToString(roleIDs[ri]);
+      whereClause += ",";
+   }
+   whereClause += PrivMgr::authIDToString(PUBLIC_AUTH_ID);
+   whereClause += ")";
+   
+std::string orderByClause;
+   
+std::vector<MyRow> rows;
+
+PrivStatus privStatus = selectAllWhere(whereClause,orderByClause,rows);
+
+   if (privStatus != STATUS_GOOD && privStatus != STATUS_WARNING)
+      return privStatus;
+   
+// Initialize cache.
+   userDMLPrivs_.granteeID_ = granteeID;
+   userDMLPrivs_.roleIDs_ = roleIDs;
+   userDMLPrivs_.managePrivileges_ = false;
+   userDMLPrivs_.DMLBitmap_.reset();  
+    
+   for (size_t r = 0; r < rows.size(); r++)
+   {
+      MyRow &row = rows[r];
+      
+      if (row.operationCode_ == PrivMgr::getSQLOperationCode(SQLOperation::MANAGE_PRIVILEGES))
+      {
+         userDMLPrivs_.managePrivileges_ = true;
+         continue;
+      }   
+      
+      if (row.operationCode_ == PrivMgr::getSQLOperationCode(SQLOperation::DML_DELETE))
+      {
+         userDMLPrivs_.DMLBitmap_.set(DELETE_PRIV);
+         continue;
+      }   
+      
+      if (row.operationCode_ == PrivMgr::getSQLOperationCode(SQLOperation::DML_INSERT))
+      {
+         userDMLPrivs_.DMLBitmap_.set(INSERT_PRIV);
+         continue;
+      }   
+      
+      if (row.operationCode_ == PrivMgr::getSQLOperationCode(SQLOperation::DML_REFERENCES))
+      {
+         userDMLPrivs_.DMLBitmap_.set(REFERENCES_PRIV);
+         continue;
+      }   
+      
+      if (row.operationCode_ == PrivMgr::getSQLOperationCode(SQLOperation::DML_SELECT))
+      {
+         userDMLPrivs_.DMLBitmap_.set(SELECT_PRIV);
+         continue;
+      }   
+      
+      if (row.operationCode_ == PrivMgr::getSQLOperationCode(SQLOperation::DML_UPDATE))
+      {
+         userDMLPrivs_.DMLBitmap_.set(UPDATE_PRIV);
+         continue;
+      }   
+      
+      if (row.operationCode_ == PrivMgr::getSQLOperationCode(SQLOperation::DML_USAGE))
+      {
+         userDMLPrivs_.DMLBitmap_.set(USAGE_PRIV);
+         continue;
+      }   
+   }
+   
+   hasManagePrivileges = userDMLPrivs_.managePrivileges_;
+   DMLBitmap = userDMLPrivs_.DMLBitmap_;   
+   
+   return STATUS_GOOD;
+
+}   
+//******************* End of MyTable::fetchDMLPrivInfo *************************
+
+
 
 // *****************************************************************************
 // *                                                                           *
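Review bot: `MyTable::fetchDMLPrivInfo` queries every code from `FIRST_DML_PRIV` to `LAST_DML_PRIV`, but the row loop has no branch for `DML_EXECUTE`; assuming that operation lies in the range, a system-level grant of it is read and then dropped without setting any bit, so add the matching branch or exclude it from the query deliberately. The where clause hard-codes `COMPONENT_UID = 1` under a `???` comment while `isSQLDMLPriv` in the same hunk compares against `SQL_OPERATIONS_COMPONENT_UID`; build the clause from that constant so the two cannot drift. The single-entry cache in `userDMLPrivs_` is refreshed only when the grantee or role list changes, so a grant or revoke made while the same `MyTable` is alive is not seen; whether that matters depends on the object's lifetime, which is not visible here. `isSQLDMLPriv` also takes `operationCode` by value although its header documents `const std::string &`.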
@@ -1805,7 +2080,8 @@ PrivStatus privStatus = selectWhereUnique(whereClause,row);
    return STATUS_GOOD;
 
 }   
-//********************** End of MyTable::fetchByName ***************************
+//*********************** End of MyTable::fetchOwner ***************************
+
 
 
 
@@ -1900,6 +2176,9 @@ Queue * tableQueue = NULL;
 
 PrivStatus privStatus = executeFetchAll(selectStmt,tableQueue);
 
+   if (privStatus != STATUS_GOOD || privStatus != STATUS_WARNING)
+      return privStatus;
+
    tableQueue->position();
    for (int idx = 0; idx < tableQueue->numEntries(); idx++)
    {
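Review bot: The added guard `if (privStatus != STATUS_GOOD || privStatus != STATUS_WARNING)` is always true, because no value can equal both constants. The function therefore returns straight after executeFetchAll and never reaches the loop over tableQueue. The comparisons need `&&`: `if (privStatus != STATUS_GOOD && privStatus != STATUS_WARNING)`. As written, a successful fetch returns STATUS_GOOD without reading any rows, so a caller that trusts the status would presumably work from an empty privilege list. The enclosing function starts and ends outside this hunk.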

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgrComponentPrivileges.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrComponentPrivileges.h b/core/sql/sqlcomp/PrivMgrComponentPrivileges.h
index 5b9a207..0b798a5 100644
--- a/core/sql/sqlcomp/PrivMgrComponentPrivileges.h
+++ b/core/sql/sqlcomp/PrivMgrComponentPrivileges.h
@@ -80,6 +80,12 @@ public:
       
    int64_t getCount();
      
+   void getSQLDMLPrivileges(
+      const int32_t                granteeID,
+      const std::vector<int32_t> & roleIDs,
+      PrivObjectBitmap           & DMLBitmap,
+      bool                       & hasManagePrivileges);
+      
    PrivStatus grantPrivilege(
       const std::string & componentName,
       const std::vector<std::string> & operations,
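Review bot: getSQLDMLPrivileges returns void, so a caller cannot tell a failed metadata read from a grantee that holds no DML privileges; the neighbouring grantPrivilege returns PrivStatus. The implementation is not in this hunk, so what DMLBitmap and hasManagePrivileges hold after a failure needs confirming. If both are left cleared, the result is deny-by-default, and the declaration should say so, for example `// Outputs: on a failed read DMLBitmap is empty and hasManagePrivileges is false.` Otherwise returning PrivStatus would let callers report the error instead of silently denying.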

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgrDefs.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrDefs.h b/core/sql/sqlcomp/PrivMgrDefs.h
index af27e17..72c5720 100644
--- a/core/sql/sqlcomp/PrivMgrDefs.h
+++ b/core/sql/sqlcomp/PrivMgrDefs.h
@@ -46,6 +46,30 @@ enum PrivStatus { STATUS_UNKNOWN   = 20,
                   STATUS_ERROR     = 24
                 };
 
+inline const char * privStatusEnumToLit(PrivStatus privStatus)
+{
+  std::string result;
+  switch (privStatus)
+  {
+    case STATUS_GOOD:
+      result = "GOOD";
+      break;
+    case STATUS_WARNING:
+      result = "WARNING";
+      break;
+    case STATUS_NOTFOUND:
+      result = "NOTFOUND";
+      break;
+    case STATUS_ERROR:
+      result = "ERROR";
+      break;
+    default:
+      result = "UNKNOWN";
+  }
+  return result.c_str();
+}
+  
+
 enum {SQL_OPERATIONS_COMPONENT_UID = 1};
 #define SQL_OPERATION_NAME "SQL_OPERATIONS"
 
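Review bot: privStatusEnumToLit returns `result.c_str()` where `result` is a local std::string, so the pointer dangles as soon as the function returns and every caller reads destroyed storage. Returning the string literals directly from each case removes the temporary and keeps the `const char *` interface, since literals have static lifetime. Because the function is `inline` in a header, every translation unit that includes PrivMgrDefs.h and calls it inherits the defect.

```cpp
inline const char * privStatusEnumToLit(PrivStatus privStatus)
{
  switch (privStatus)
  {
    case STATUS_GOOD:     return "GOOD";
    case STATUS_WARNING:  return "WARNING";
    case STATUS_NOTFOUND: return "NOTFOUND";
    case STATUS_ERROR:    return "ERROR";
    default:              return "UNKNOWN";
  }
}
```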
@@ -157,6 +181,13 @@ enum class SQLOperation {
    CREATE_TABLE,
    CREATE_TRIGGER,
    CREATE_VIEW,
+   DML_DELETE,
+   DML_EXECUTE,
+   DML_INSERT,
+   DML_REFERENCES,
+   DML_SELECT,
+   DML_UPDATE,
+   DML_USAGE,
    DROP,
    DROP_CATALOG,
    DROP_INDEX,
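Review bot: DML_EXECUTE sits between DML_DELETE and DML_USAGE, so it falls inside the FIRST_DML_PRIV..LAST_DML_PRIV range defined in the next hunk. The commit description lists six DML privileges without it, and the row loop in MyTable::fetchDMLPrivInfo has no branch for it. Code that iterates the range would treat DML_EXECUTE as a component-level DML privilege while no bit is ever set for it; whether that is intended is not visible here. Either map it alongside the other six or mark it on the enumerator, for example `DML_EXECUTE,   // reserved: not mapped to a DML bitmap bit`. The insertion also shifts the ordinal of every operation after CREATE_VIEW, so confirm that no ordinal is persisted.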
@@ -187,7 +218,9 @@ enum class SQLOperation {
    FIRST_OPERATION = ALTER,
    LAST_OPERATION = USE_ALTERNATE_SCHEMA,
    NUMBER_OF_OPERATIONS = LAST_OPERATION - FIRST_OPERATION + 1,
-   UNKNOWN
+   UNKNOWN,
+   FIRST_DML_PRIV = DML_DELETE,
+   LAST_DML_PRIV = DML_USAGE
 };
 
 enum class PrivDropBehavior {
@@ -195,12 +228,6 @@ enum class PrivDropBehavior {
    RESTRICT = 3
 };                
 
-enum class PrivCommand {
-   GRANT_OBJECT = 2,
-   REVOKE_OBJECT_RESTRICT = 3,
-   REVOKE_OBJECT_CASCADE = 4
-};
-
 enum class PrivLevel {
    UNKNOWN = 0,
    GLOBAL = 2,

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/23e24b4a/core/sql/sqlcomp/PrivMgrMD.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrMD.h b/core/sql/sqlcomp/PrivMgrMD.h
index 8f870aa..017dc9a 100644
--- a/core/sql/sqlcomp/PrivMgrMD.h
+++ b/core/sql/sqlcomp/PrivMgrMD.h
@@ -67,6 +67,20 @@ typedef struct {
   ComObjectType objectType;
   PrivMgrDesc originalPrivs;
   PrivMgrDesc updatedPrivs;
+
+  void describe (std::string &details) const
+  {
+    details = "object usage - type is ";
+    char objectTypeLit[3] = {0};
+    strncpy(objectTypeLit,PrivMgr::ObjectEnumToLit(objectType),2);
+    details += objectTypeLit;
+    details += ", UID is ";
+    details += to_string((long long int) objectUID);
+    details += ", name is ";
+    details += objectName;
+    details += ", owner is ";
+    details += to_string((long long int) objectOwner);
+  }
 } ObjectUsage;
 
 typedef struct {
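Review bot: `to_string` is called unqualified on the UID and owner lines of ObjectUsage::describe, which compiles only if a using-directive or using-declaration for std is in scope wherever this header is included. Argument-dependent lookup does not help, because the argument is a `long long int`. Writing `details += std::to_string((long long int) objectUID);`, and the same for objectOwner, makes the header independent of its includer. The same applies to ViewUsage::describe and ObjectReference::describe in the following hunks. describe also overwrites `details` rather than appending to it, which deserves a one-line comment such as `// Replaces details with a one-line description of this entry.`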
@@ -77,6 +91,20 @@ typedef struct {
   bool isInsertable;
   PrivMgrDesc originalPrivs;
   PrivMgrDesc updatedPrivs;
+
+  void describe (std::string &details) const
+  {
+    details = "view usage - type is VI";
+    details += ", UID is ";
+    details += to_string((long long int) viewUID);
+    details += ", name is ";
+    details += viewName;
+    details += ", viewOwner is ";
+    details += to_string((long long int) viewOwner);
+    details += (isUpdatable) ? ", isUpdatable is Y " : "isUpdateable is N"; 
+    details += (isInsertable) ? ", isInsertable is Y " : "isInsertable is N"; 
+  }
+
 } ViewUsage;
 
 typedef struct {
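Review bot: The false branches of the two conditional expressions in ViewUsage::describe lack the leading `, ` separator, so a non-updatable view produces text where the owner id runs straight into `isUpdateable is N`. The key is also spelled `isUpdateable` in the false branch but `isUpdatable` in the true branch. Both lines should use one key and one separator in each branch: `details += (isUpdatable) ? ", isUpdatable is Y" : ", isUpdatable is N";` and `details += (isInsertable) ? ", isInsertable is Y" : ", isInsertable is N";`. Anyone searching trace output for these fields would otherwise miss the N case.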
@@ -85,6 +113,20 @@ typedef struct {
   ComObjectType objectType;
   std::string objectName;
   PrivMgrDesc updatedPrivs;
+  void describe (std::string &details) const
+  {
+    details = "object reference - type is ";
+    char objectTypeLit[3] = {0};
+    strncpy(objectTypeLit,PrivMgr::ObjectEnumToLit(objectType),2);
+    details += objectTypeLit;
+    details += ", UID is ";
+    details += to_string((long long int) objectUID);
+    details += ", name is ";
+    details += objectName;
+    details += ", owner is ";
+    details += to_string((long long int) objectOwner);
+  }
+
 } ObjectReference;