Posted to issues@hawq.apache.org by zhangh43 <gi...@git.apache.org> on 2017/01/16 02:58:50 UTC

[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

GitHub user zhangh43 opened a pull request:

    https://github.com/apache/incubator-hawq/pull/1087

    HAWQ-1275. Check build-in catalogs, tables and functions in native aclcheck.

    We plan to do the privilege check on the HAWQ side for built-in catalogs, tables and functions. The reasons are twofold:
    1. Ranger mainly manages user data, but built-in catalogs and tables are not related to user data (note that some of them contain statistics information about user data, such as the catalog table pg_aoseg_*).
    2. We haven't finished the code that merges all the privilege check requests into one big request. Without it, queries such as "\d" and "analyze" will lead to hundreds of RPS requests.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/zhangh43/incubator-hawq hawq1275

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-hawq/pull/1087.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1087
    
----
commit 9efd765bfcc2d0d71415956d5e3339734334d112
Author: hubertzhang <hu...@apache.org>
Date:   2017-01-16T02:53:35Z

    HAWQ-1275. Check build-in catalogs, tables and functions in native aclcheck.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96174643
  
    --- Diff: src/backend/catalog/aclchk.c ---
    @@ -2670,28 +2670,50 @@ List *getActionName(AclMode mask)
     bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
     {
       //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  if (objkind == ACL_KIND_CLASS)
       {
         char relstorage = get_rel_relstorage(obj_oid);
    -    if(relstorage == 'h')
    +    if (relstorage == 'h')
         {
           return true;
         }
       }
    +  else if (objkind == ACL_KIND_NAMESPACE)
    +  {
    +	//native check build-in schemas.
    +    if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == PG_INFORMATION_SCHEMA_NAMESPACE
    +    		|| obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == PG_TOAST_NAMESPACE
    +			|| obj_oid == PG_BITMAPINDEX_NAMESPACE)
    +    {
    +      return true;
    +    }
    +  }
    +  else if (objkind == ACL_KIND_PROC)
    +  {
    +	//native check functions under build-in schemas.
    +    Oid namespaceid = get_func_namespace(obj_oid);
    +    if (namespaceid == PG_CATALOG_NAMESPACE || namespaceid == PG_INFORMATION_SCHEMA_NAMESPACE
    +			|| namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid == PG_TOAST_NAMESPACE
    +			|| namespaceid == PG_BITMAPINDEX_NAMESPACE)
    +    {
    +      return true;
    +    }
    +  }
    +
       return false;
     }
     
     bool fallBackToNativeChecks(AclObjectKind objkind, List* table_list, Oid roleid)
     {
    -  //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  //we only have range table here
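
Review bot: the five-way namespace comparison is written out twice, once against obj_oid in the ACL_KIND_NAMESPACE branch and once against namespaceid in the ACL_KIND_PROC branch, so a schema added to or dropped from one list can silently leave the other unchanged and make schema-level and function-level checks disagree about which authority decides. Suggest moving the test into one static helper that takes a namespace Oid and calling it from both branches.
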
    --- End diff --
    
    fixed



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by linwen <gi...@git.apache.org>.
Github user linwen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96171072
  
    --- Diff: src/backend/catalog/aclchk.c ---
    @@ -2670,28 +2670,50 @@ List *getActionName(AclMode mask)
     bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
     {
       //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  if (objkind == ACL_KIND_CLASS)
       {
         char relstorage = get_rel_relstorage(obj_oid);
    -    if(relstorage == 'h')
    +    if (relstorage == 'h')
         {
           return true;
         }
       }
    +  else if (objkind == ACL_KIND_NAMESPACE)
    +  {
    +	//native check build-in schemas.
    +    if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == PG_INFORMATION_SCHEMA_NAMESPACE
    +    		|| obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == PG_TOAST_NAMESPACE
    +			|| obj_oid == PG_BITMAPINDEX_NAMESPACE)
    +    {
    +      return true;
    +    }
    +  }
    +  else if (objkind == ACL_KIND_PROC)
    +  {
    +	//native check functions under build-in schemas.
    +    Oid namespaceid = get_func_namespace(obj_oid);
    +    if (namespaceid == PG_CATALOG_NAMESPACE || namespaceid == PG_INFORMATION_SCHEMA_NAMESPACE
    +			|| namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid == PG_TOAST_NAMESPACE
    +			|| namespaceid == PG_BITMAPINDEX_NAMESPACE)
    +    {
    +      return true;
    +    }
    +  }
    +
       return false;
     }
     
     bool fallBackToNativeChecks(AclObjectKind objkind, List* table_list, Oid roleid)
     {
    -  //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  //we only have range table here
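
Review bot: at the end of the hunk, fallBackToNativeChecks loses its `if(objkind == ACL_KIND_CLASS)` guard and gets only the comment `//we only have range table here` in its place, while objkind remains a parameter. Nothing in the lines shown enforces that assumption; an `Assert(objkind == ACL_KIND_CLASS)` at the top (or dropping the parameter) would make a caller that passes another object kind fail loudly instead of being treated as a table list.
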
    --- End diff --
    
    Should use this kind of comment: /* */



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by linwen <gi...@git.apache.org>.
Github user linwen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96171062
  
    --- Diff: src/backend/catalog/aclchk.c ---
    @@ -2670,28 +2670,50 @@ List *getActionName(AclMode mask)
     bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
     {
       //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  if (objkind == ACL_KIND_CLASS)
       {
         char relstorage = get_rel_relstorage(obj_oid);
    -    if(relstorage == 'h')
    +    if (relstorage == 'h')
         {
           return true;
         }
       }
    +  else if (objkind == ACL_KIND_NAMESPACE)
    +  {
    +	//native check build-in schemas.
    +    if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == PG_INFORMATION_SCHEMA_NAMESPACE
    +    		|| obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == PG_TOAST_NAMESPACE
    +			|| obj_oid == PG_BITMAPINDEX_NAMESPACE)
    +    {
    +      return true;
    +    }
    +  }
    +  else if (objkind == ACL_KIND_PROC)
    +  {
    +	//native check functions under build-in schemas.
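
Review bot: the ACL_KIND_CLASS branch at the top of the hunk decides on `relstorage == 'h'` alone, whereas the two new branches decide on the schema. If a heap relation can ever live outside the built-in schemas it would skip Ranger as well; either say in the comment that heap storage implies a catalog relation here, or test the relation's namespace the same way the new branches do.
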
    --- End diff --
    
    Should use this kind of comment: /* */ and fix the indent.



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 closed the pull request at:

    https://github.com/apache/incubator-hawq/pull/1087



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by linwen <gi...@git.apache.org>.
Github user linwen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96171046
  
    --- Diff: src/backend/catalog/aclchk.c ---
    @@ -2670,28 +2670,50 @@ List *getActionName(AclMode mask)
     bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
     {
       //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  if (objkind == ACL_KIND_CLASS)
       {
         char relstorage = get_rel_relstorage(obj_oid);
    -    if(relstorage == 'h')
    +    if (relstorage == 'h')
         {
           return true;
         }
       }
    +  else if (objkind == ACL_KIND_NAMESPACE)
    +  {
    +	//native check build-in schemas.
    --- End diff --
    
    Should use this kind of comment: /* */



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96174625
  
    --- Diff: src/backend/catalog/aclchk.c ---
    @@ -2670,28 +2670,50 @@ List *getActionName(AclMode mask)
     bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
     {
       //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  if (objkind == ACL_KIND_CLASS)
       {
         char relstorage = get_rel_relstorage(obj_oid);
    -    if(relstorage == 'h')
    +    if (relstorage == 'h')
         {
           return true;
         }
       }
    +  else if (objkind == ACL_KIND_NAMESPACE)
    +  {
    +	//native check build-in schemas.
    +    if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == PG_INFORMATION_SCHEMA_NAMESPACE
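
Review bot: missing documentation on the ACL_KIND_NAMESPACE branch: the comment `//native check build-in schemas.` does not say what qualifies a schema for the list or which system schemas are left to Ranger on purpose. Since this condition defines what bypasses the Ranger policy, spell out the criterion and the intentional exclusions in the comment so later additions are reviewed against it.
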
    --- End diff --
    
    I think gp_toolkit should be managed by Ranger.



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by interma <gi...@git.apache.org>.
Github user interma commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96161630
  
    --- Diff: src/backend/catalog/aclchk.c ---
    @@ -2670,28 +2670,50 @@ List *getActionName(AclMode mask)
     bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
     {
       //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  if (objkind == ACL_KIND_CLASS)
       {
         char relstorage = get_rel_relstorage(obj_oid);
    -    if(relstorage == 'h')
    +    if (relstorage == 'h')
         {
           return true;
         }
       }
    +  else if (objkind == ACL_KIND_NAMESPACE)
    +  {
    +	//native check build-in schemas.
    +    if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == PG_INFORMATION_SCHEMA_NAMESPACE
    --- End diff --
    
    Is there a need to add the gp_toolkit schema? It seems needed?
    
    _`gp_toolkit` is an administrative schema that contains external tables, views, and functions that you can access with SQL commands. All database users can access gp_toolkit to view and query the system log files and other system metrics._
    
    refer: http://hdb.docs.pivotal.io/201/hawq/ddl/ddl-schema.html



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by ictmalili <gi...@git.apache.org>.
Github user ictmalili commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96171295
  
    --- Diff: src/include/catalog/pg_namespace.h ---
    @@ -123,7 +123,7 @@ DESCR("Standard public schema");
     DATA(insert OID = 6104 ( "pg_aoseg" PGUID _null_ 0));
     DESCR("Reserved schema for Append Only segment list and eof tables");
     #define PG_AOSEGMENT_NAMESPACE 6104
    -
    +#define PG_INFORMATION_SCHEMA_NAMESPACE 10671
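
Review bot: `#define PG_INFORMATION_SCHEMA_NAMESPACE 10671` has no `DATA(insert OID = ...)` row behind it, unlike `PG_AOSEGMENT_NAMESPACE 6104` two lines above, so nothing in this header pins the schema to that OID. It also replaces the blank line and now sits directly under the pg_aoseg DESCR as if it belonged to that entry. If the value cannot be guaranteed by a catalog row here, resolve the OID by name at run time rather than hard-coding it; a stale constant would make any comparison against it match the wrong namespace or none.
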
    --- End diff --
    
    Is the oid for the information_schema schema fixed? I thought it was created during the hawq init procedure, so the oid might not be fixed at the value 10671. Can we first get it as a global variable by running "select oid from pg_namespace where nspname = 'information_schema'"?



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96174690
  
    --- Diff: src/include/catalog/pg_namespace.h ---
    @@ -123,7 +123,7 @@ DESCR("Standard public schema");
     DATA(insert OID = 6104 ( "pg_aoseg" PGUID _null_ 0));
     DESCR("Reserved schema for Append Only segment list and eof tables");
     #define PG_AOSEGMENT_NAMESPACE 6104
    -
    +#define PG_INFORMATION_SCHEMA_NAMESPACE 10671
    --- End diff --
    
    I use caql to get the latest information_schema_namespace oid instead



[GitHub] incubator-hawq pull request #1087: HAWQ-1275. Check build-in catalogs, table...

Posted by ictmalili <gi...@git.apache.org>.
Github user ictmalili commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1087#discussion_r96171369
  
    --- Diff: src/backend/catalog/aclchk.c ---
    @@ -2670,28 +2670,50 @@ List *getActionName(AclMode mask)
     bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid)
     {
       //for heap table, we fall back to native check.
    -  if(objkind == ACL_KIND_CLASS)
    +  if (objkind == ACL_KIND_CLASS)
       {
         char relstorage = get_rel_relstorage(obj_oid);
    -    if(relstorage == 'h')
    +    if (relstorage == 'h')
         {
           return true;
         }
       }
    +  else if (objkind == ACL_KIND_NAMESPACE)
    +  {
    +	//native check build-in schemas.
    +    if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == PG_INFORMATION_SCHEMA_NAMESPACE
    --- End diff --
    
    Yes, I think so



[GitHub] incubator-hawq issue #1087: HAWQ-1275. Check build-in catalogs, tables and f...

Posted by stanlyxiang <gi...@git.apache.org>.
Github user stanlyxiang commented on the issue:

    https://github.com/apache/incubator-hawq/pull/1087
  
    +1 



[GitHub] incubator-hawq issue #1087: HAWQ-1275. Check build-in catalogs, tables and f...

Posted by interma <gi...@git.apache.org>.
Github user interma commented on the issue:

    https://github.com/apache/incubator-hawq/pull/1087
  
    +1



[GitHub] incubator-hawq issue #1087: HAWQ-1275. Check build-in catalogs, tables and f...

Posted by linwen <gi...@git.apache.org>.
Github user linwen commented on the issue:

    https://github.com/apache/incubator-hawq/pull/1087
  
    +1 

