Posted to derby-commits@db.apache.org by ba...@apache.org on 2006/02/26 16:52:22 UTC

svn commit: r381109 [1/4] - in /db/derby/code/trunk/java: engine/org/apache/derby/iapi/db/ engine/org/apache/derby/iapi/reference/ engine/org/apache/derby/iapi/sql/compile/ engine/org/apache/derby/iapi/sql/dictionary/ engine/org/apache/derby/iapi/sql/e...

Author: bandaram
Date: Sun Feb 26 07:52:18 2006
New Revision: 381109

URL: http://svn.apache.org/viewcvs?rev=381109&view=rev
Log:
DERBY-464: Enable Grant and Revoke DML permission checking for tables. Builds on earlier submitted Part I patch.

Previously submitted Part I patch implemented Grant and Revoke DDL statements.
While permissions granted were correctly recorded in system catalogs, no
permission checks were done at execution time. This Part II patch implements
this privilege checking at execution time for TABLE PRIVILEGES only. This
patch does some work for ROUTINE privileges, though not enabled yet. More work
is needed to enforce ROUTINE and TRIGGER privileges.

Bind phase changes
------------------

Bind phase needs to record access to database objects that need required
privileges. No permission checking is done during compilation process. All 
checks are done at execution time.

Top level nodes know what type of access is needed (like INSERT or UPDATE) but
don't know on which columns. Lower level nodes (like ResultColumn) know what
columns are being used, but not what type of privilege is needed. So, top level
nodes push their required privilege type at the beginning of their bind phase.
As lower level nodes go through their bind phase, they get current requested
privilege and add required StatementPermission objects.

DMLStatementNode now has a new method, getPrivType(), which defaults to
SELECT_PRIV. Other DML nodes override this method to request their own default
privilege.

Bind phase changes for nodes:

	1) CallStatementNode: Set privType to EXECUTE_PRIV
	2) SelectNode: Set privType to SELECT_PRIV
	3) ResultColumn: Add column privilege of request type
	4) DeleteNode: Add SELECT_PRIV to columns in where clause and DELETE_PRIV to targetTable
	5) UpdateNode: Add SELECT_PRIV to columns in where clause and UPDATE_PRIV to columns in SET clause.
	   There is a problem with this scheme for UpdateNode. While it correctly checks permissions for
	   UPDATE T set a=2 where b=5 by checking for SELECT_PRIV on b and UPDATE_PRIV on a, current code
	   incorrectly expects UPDATE_PRIV on c for UPDATE T set a=c where b=5. This can be resolved by
	   binding on the left and right sides separately, with different default privilege.
	6) Change DMLStatementNode to add schema owner check in getSchemaDescriptor().
	7) FkConstraintDefinitionNode: Set REFERENCES_PRIV as the privType on list of columns specified.
	8) InsertNode: Add SELECT_PRIV to columns in expressions and INSERT_PRIV for targetTable
	9) CompilerContextImpl: Add another List to track schema ownership privilege checks. Would this only have
	   one entry at most?

Dictionary changes
------------------

Phase I already added StatementTablePermission, StatementColumnPermission and StatementRoutinePermission access
descriptors. To check that only a schema owner can issue DDLs in their schema, another access descriptor has been
added, StatementSchemaDescriptor.

Conn package changes
--------------------

Change GenericAuthorizer.authorize() to perform runtime privilege checks right after current legacy checks for READ_ONLY
or FULLUSER.

Execute phase changes
---------------------

Changed GenericResultSetFactory to pass activation when invoking Authorizer.authorize().
Pass access descriptors needed to check for privileges to execute phase.

Other changes
-------------

sqlgrammar.jj: Change grantee to be an authorization identifier (sql-identifier)

DDLStatementNode: Add new method getSchemaDescriptor(ownerCheck)

Some metadata changes. Need testing.

Test changes
------------

1) Moved current test grantRevoke.sql to grantRevokeDDL.sql. I intend to keep this test primarily for testing DDLs. Added
some more tests here, including some DML statements too.
2) Added new multi-user grantRevoke.java test to test DML statements. As the test grants/revokes privileges, it verifies
behavior by invoking metadata, check against system tables and by issuing a DML statement that is expected to raise error.
Plan to add more tests here, as additional privileges are implemented.

Submitted by Satheesh Bandaram (satheesh@sourcery.org)

Added:
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java   (with props)
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/GrantRevoke.out
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL.out
      - copied, changed from r378825, db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevoke.out
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.java   (with props)
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL.sql
      - copied, changed from r378825, db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.sql
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL_app.properties   (with props)
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke_derby.properties   (with props)
Removed:
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevoke.out
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.sql
Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/db/PropertyInfo.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoutinePermsDescriptor.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/execute/ExecPreparedStatement.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/metadata.properties
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericPreparedStatement.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericStatement.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/PermissionsCacheable.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CallStatementNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CursorNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DDLStatementNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLModStatementNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLStatementNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DeleteNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FKConstraintDefinitionNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FromList.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/QueryTreeNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/ResultColumn.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SelectNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/UpdateNode.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericResultSetFactory.java
    db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties
    db/derby/code/trunk/java/shared/org/apache/derby/shared/common/reference/SQLState.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/suites/derbylang.runall
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/copyfiles.ant
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke_app.properties

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/db/PropertyInfo.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/db/PropertyInfo.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/db/PropertyInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/db/PropertyInfo.java Sun Feb 26 07:52:18 2006
@@ -123,7 +123,7 @@
 
 		try {
 		Authorizer a = lcc.getAuthorizer();
-		a.authorize(Authorizer.PROPERTY_WRITE_OP);
+		a.authorize((Activation) null, Authorizer.PROPERTY_WRITE_OP);
 
         // Get the current transaction controller
         TransactionController tc = lcc.getTransactionExecute();
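
Review bot: The `(Activation) null` argument on the changed `a.authorize(...)` line means this property-write path reaches the authorizer with no activation, so the two-argument `authorize` has to tolerate a null activation without dereferencing it. Suggest stating in the `Authorizer.authorize` javadoc that null is allowed and what is skipped in that case, or keeping a one-argument overload so callers like this one do not need the cast.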

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java Sun Feb 26 07:52:18 2006
@@ -628,6 +628,9 @@
 	public static final String
 	FULL_ACCESS_USERS_PROPERTY = "derby.database.fullAccessUsers";
 
+	public static final String
+	SQL_AUTHORIZATION = "derby.database.sqlAuthorization";
+
 	/*
 	** Authentication
 	*/
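
Review bot: `SQL_AUTHORIZATION` is added without a comment. Since `derby.database.sqlAuthorization` appears to be the switch that decides whether the new grant/revoke checks run at all, the accepted values, the default, and whether it can be turned off again once set should be documented here, next to `FULL_ACCESS_USERS_PROPERTY`.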

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java Sun Feb 26 07:52:18 2006
@@ -529,6 +529,13 @@
 	public void addRequiredTablePriv( TableDescriptor table);
 
 	/**
+	 * Add a schema privilege to the list of used privileges.
+	 *
+	 * @param schemaDescriptor
+	 */
+	public void addRequiredSchemaPriv( SchemaDescriptor sd);
+
+	/**
 	 * Add a routine execute privilege to the list of used routine privileges.
 	 *
 	 * @param routine
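
Review bot: The javadoc on `addRequiredSchemaPriv` names `@param schemaDescriptor` but the declared parameter is `sd`, so the tag documents nothing. Rename one to match the other and give the tag a description. It would also help to say that what is recorded here is a schema ownership check rather than a grantable privilege, which is how the commit log describes it.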

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoutinePermsDescriptor.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoutinePermsDescriptor.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoutinePermsDescriptor.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoutinePermsDescriptor.java Sun Feb 26 07:52:18 2006
@@ -39,7 +39,7 @@
                                    UUID routineUUID,
                                    boolean hasExecutePermission)
 	{
-		super (dd, grantor, grantee);
+        super (dd, grantee, grantor);
         this.routineUUID = routineUUID;
         this.hasExecutePermission = hasExecutePermission;
 	}
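
Review bot: Swapping the arguments in `super (dd, grantee, grantor)` changes which identity is stored as grantee and which as grantor, a behaviour fix the commit log does not mention. The compiler accepted the old order, so please add a test that builds a routine permission descriptor and asserts the grantee and grantor read back from it, and note the fix in the log. The changed line is also indented with spaces where the removed line used a tab.
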
@@ -49,7 +49,7 @@
                                    String grantor,
                                    UUID routineUUID)
 	{
-        this( dd, grantor, grantee, routineUUID, true);
+        this( dd, grantee, grantor, routineUUID, true);
 	}
 
     /**

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java Sun Feb 26 07:52:18 2006
@@ -28,24 +28,46 @@
 import org.apache.derby.iapi.store.access.TransactionController;
 
 /**
- * This class describes a columnpermission used (required) by a statement.
+ * This class describes a column permission used (required) by a statement.
  */
 
 public class StatementColumnPermission extends StatementTablePermission
 {
 	private FormatableBitSet columns;
 
-	public StatementColumnPermission( UUID tableUUID, int privType, FormatableBitSet columns)
+	/**
+	 * Constructor for StatementColumnPermission. Creates an instance of column permission requested
+	 * for the given access.
+	 * 
+	 * @param tableUUID	UUID of the table
+	 * @param privType	Access privilege requested
+	 * @param columns	List of columns
+	 *
+	 */
+	public StatementColumnPermission(UUID tableUUID, int privType, FormatableBitSet columns)
 	{
 		super( tableUUID, privType);
 		this.columns = columns;
 	}
 
+	/**
+	 * Return list of columns that need access
+	 *
+	 * @return	FormatableBitSet of columns
+	 */
 	public FormatableBitSet getColumns()
 	{
 		return columns;
 	}
 
+	/**
+	 * Method to check if another instance of column access descriptor matches this.
+	 * Used to ensure only one access descriptor for a table/columns of given privilege is created.
+	 *
+	 * @param obj	Another instance of StatementPermission
+	 *
+	 * @return	true if match
+	 */
 	public boolean equals( Object obj)
 	{
 		if( obj instanceof StatementColumnPermission)
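
Review bot: In the new constructor javadoc, `@param columns List of columns` does not match the `FormatableBitSet` type; say that it is a bit set of column positions and state whether bit 0 is the first column. `getColumns()` also hands back the internal bit set by reference, so either document that callers must not modify it or return a copy, since this descriptor is what `check()` evaluates.
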
@@ -66,7 +88,7 @@
 	 *
 	 * @exception StandardException if the permission has not been granted
 	 */
-	public void check( TransactionController tc,
+	public void check(TransactionController tc,
 					   DataDictionary dd,
 					   String authorizationId,
 					   boolean forGrant)
@@ -102,6 +124,7 @@
 		{
 			if( permittedColumns != null && permittedColumns.get(i))
 				continue;
+
 			// No permission on this column.
 			TableDescriptor td = getTableDescriptor( dd);
 			ColumnDescriptor cd = td.getColumnDescriptor( i + 1);

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java Sun Feb 26 07:52:18 2006
@@ -70,5 +70,4 @@
 												  ad.getDescriptorName());
 		}
 	} // end of check
-
 }

Added: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java?rev=381109&view=auto
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java (added)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java Sun Feb 26 07:52:18 2006
@@ -0,0 +1,61 @@
+/*
+
+   Derby - Class org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission
+
+   Copyright 2005 The Apache Software Foundation or its licensors, as applicable.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+	  http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+ */
+
+package org.apache.derby.iapi.sql.dictionary;
+
+import org.apache.derby.iapi.error.StandardException;
+import org.apache.derby.catalog.UUID;
+import org.apache.derby.iapi.sql.conn.Authorizer;
+import org.apache.derby.iapi.reference.SQLState;
+import org.apache.derby.iapi.sql.dictionary.SchemaDescriptor;
+import org.apache.derby.iapi.store.access.TransactionController;
+
+/**
+ * This class describes a schema permission used (required) by a statement.
+ */
+
+public class StatementSchemaPermission extends StatementPermission
+{
+	protected UUID schemaUUID;
+
+	public StatementSchemaPermission(UUID schemaUUID)
+	{
+		this.schemaUUID = schemaUUID;
+	}
+
+	/**
+	 * @param tc the TransactionController
+	 * @param dd A DataDictionary
+	 * @param authorizationId A user
+	 * @param forGrant
+	 *
+	 * @exception StandardException if schema authorization not granted
+	 */
+	public void check(TransactionController tc,
+					   DataDictionary dd,
+					   String authorizationId,
+					   boolean forGrant) throws StandardException
+	{
+		SchemaDescriptor sd = dd.getSchemaDescriptor(schemaUUID, tc);
+		if (!authorizationId.equals(sd.getAuthorizationId()))
+			throw StandardException.newException(SQLState.AUTH_NO_ACCESS_NOT_OWNER,
+				 authorizationId, sd.getSchemaName());
+	}
+}
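
Review bot: In `check()`, `sd` is dereferenced without a null test, so a schema UUID that no longer resolves would surface as a NullPointerException instead of an authorization error if the lookup returns null. `StatementTablePermission.getTableDescriptor` in this same commit throws `SQLState.AUTH_INTERNAL_BAD_UUID` when its lookup returns null, and the same guard fits here. Smaller points: the file header still reads `Class ...StatementRoutinePermission`, the `Authorizer` import is unused, `@param forGrant` has no description, and there is no `equals`/`hashCode` to collapse duplicate schema checks the way the table descriptor does.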

Propchange: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java Sun Feb 26 07:52:18 2006
@@ -35,22 +35,49 @@
 	protected UUID tableUUID;
 	protected int privType; // One of Authorizer.SELECT_PRIV, UPDATE_PRIV, etc.
 
-	public StatementTablePermission( UUID tableUUID, int privType)
+	/**
+	 * Constructor for StatementTablePermission. Creates an instance of table permission requested
+	 * for the given access.
+	 * 
+	 * @param tableUUID	UUID of the table
+	 * @param privType	Access privilege requested
+	 *
+	 */
+	public StatementTablePermission(UUID tableUUID, int privType)
 	{
 		this.tableUUID = tableUUID;
 		this.privType = privType;
 	}
 
+	/**
+	 * Return privilege access requested for this access descriptor
+	 *
+	 * @return	Privilege access
+	 */
 	public int getPrivType()
 	{
 		return privType;
 	}
 
+	/**
+	 * Return table UUID for this access descriptor
+	 *
+	 * @return	Table UUID
+	 */
 	public UUID getTableUUID()
 	{
 		return tableUUID;
 	}
 
+	/**
+	 * Routine to check if another instance of access descriptor matches this.
+	 * Used to ensure only one access descriptor for a table of given privilege is created.
+	 * Otherwise, every column reference from a table may create a descriptor for that table.
+	 *
+	 * @param obj	Another instance of StatementPermission
+	 *
+	 * @return	true if match
+	 */
 	public boolean equals( Object obj)
 	{
 		if( obj == null)
@@ -63,6 +90,12 @@
 		return false;
 	} // end of equals
 
+	/**
+	 * Return hash code for this instance
+	 *
+	 * @return	Hashcode
+	 *
+	 */
 	public int hashCode()
 	{
 		return privType + tableUUID.hashCode();
@@ -94,22 +127,25 @@
 		}
 	} // end of check
 
-	protected TableDescriptor getTableDescriptor( DataDictionary dd)  throws StandardException
+	protected TableDescriptor getTableDescriptor(DataDictionary dd)  throws StandardException
 	{
 		TableDescriptor td = dd.getTableDescriptor( tableUUID);
 		if( td == null)
-			throw StandardException.newException( SQLState.AUTH_INTERNAL_BAD_UUID, "table");
+			throw StandardException.newException(SQLState.AUTH_INTERNAL_BAD_UUID, "table");
 		return td;
 	} // end of getTableDescriptor
 
-	protected boolean hasPermissionOnTable( DataDictionary dd, String authorizationId, boolean forGrant)
+	/*
+	 * Check if authorizationId has permission on the table
+	 */
+	protected boolean hasPermissionOnTable(DataDictionary dd, String authorizationId, boolean forGrant)
 		throws StandardException
 	{
 		return oneAuthHasPermissionOnTable( dd, Authorizer.PUBLIC_AUTHORIZATION_ID, forGrant)
 		  || oneAuthHasPermissionOnTable( dd, authorizationId, forGrant);
 	}
 
-	private boolean oneAuthHasPermissionOnTable( DataDictionary dd, String authorizationId, boolean forGrant)
+	private boolean oneAuthHasPermissionOnTable(DataDictionary dd, String authorizationId, boolean forGrant)
 		throws StandardException
 	{
 		TablePermsDescriptor perms = dd.getTablePermissions( tableUUID, authorizationId);
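
Review bot: The new comment on `hasPermissionOnTable` says it checks `authorizationId`, but the body also returns true when `Authorizer.PUBLIC_AUTHORIZATION_ID` holds the privilege, and that is the part a reader auditing access decisions needs to see. Suggest making it a `/** */` javadoc like the others added in this file and describing both the PUBLIC fallback and the `forGrant` parameter.
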
@@ -143,6 +179,11 @@
 		return "Y".equals(priv) || (!forGrant) && "y".equals( priv);
 	} // end of hasPermissionOnTable
 
+	/**
+	 * Return privilege needed for this access as string
+	 *
+	 * @return	privilege string
+	 */
 	public String getPrivName( )
 	{
 		switch( privType)

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/execute/ExecPreparedStatement.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/execute/ExecPreparedStatement.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/execute/ExecPreparedStatement.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/execute/ExecPreparedStatement.java Sun Feb 26 07:52:18 2006
@@ -29,6 +29,8 @@
 import org.apache.derby.iapi.sql.PreparedStatement;
 import org.apache.derby.iapi.sql.ResultColumnDescriptor;
 
+import java.util.List;
+
 /**
  * Execution extends prepared statement to add methods it needs
  * for execution purposes (that should not be on the Database API).
@@ -150,5 +152,11 @@
 	 * Indicate that the statement represents an SPS action
 	 */
 	void setSPSAction();
+
+	/**
+	 * @return the list of permissions required to execute this statement. May be null if
+	 *         the database does not use SQL standard authorization
+	 */
+	List getRequiredPermissionsList();
 }
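
Review bot: `getRequiredPermissionsList()` returns a raw `List` that may be null, so every caller has to remember the null test before iterating. Suggest stating the element type in the javadoc (the `StatementPermission` subclasses, going by the rest of this commit) and considering an empty list instead of null when SQL standard authorization is off, so the permission-checking loop needs no special case.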
 

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/metadata.properties
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/metadata.properties?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/metadata.properties (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/metadata.properties Sun Feb 26 07:52:18 2006
@@ -267,42 +267,78 @@
 	  AND (S.SCHEMANAME LIKE ?) AND (T.TABLENAME LIKE ?) AND (C.COLUMNNAME LIKE ?) \
 	ORDER BY TABLE_SCHEM, TABLE_NAME, ORDINAL_POSITION
 
-# REMIND: this query is set up to return 0 rows of the right shape, since
-# there are none of these or metadata about them in our system yet.
 # parameter 1 = pattern for catalog name
 # parameter 2 = pattern for schema name
 # parameter 3 = pattern for table name
 # parameter 4 = pattern for column name
 getColumnPrivileges=\
-	SELECT TABLE_CAT, TABLE_SCHEM, TABLE_NAME, COLUMN_NAME, \
-		GRANTOR, GRANTEE, PRIVILEGE, IS_GRANTABLE \
-	FROM ( VALUES (CAST ('' AS VARCHAR(128)), CAST ('' AS VARCHAR(128)), \
-		CAST ('' AS VARCHAR(128)), CAST ('' AS VARCHAR(128)), \
-		CAST ('' AS VARCHAR(128)), CAST ('' AS VARCHAR(128)), \
-		CAST ('' AS VARCHAR(128)), CAST ('' AS VARCHAR(128))) ) \
-		AS COLUMNPRIVILEGES ( TABLE_CAT, TABLE_SCHEM, TABLE_NAME, \
-			COLUMN_NAME, GRANTOR, GRANTEE, \
-			PRIVILEGE, IS_GRANTABLE ) \
-	WHERE (1=0) AND (((1=1) OR ? IS NOT NULL) OR ''=? OR ''=? OR ''=?)
+        SELECT CAST ('' AS VARCHAR(128)) AS TABLE_CAT, \
+               S.SCHEMANAME AS TABLE_SCHEM, \
+	       T.TABLENAME AS TABLE_NAME, \
+               C.COLUMNNAME AS COLUMN_NAME, \
+               CAST( P.GRANTOR AS VARCHAR(128)) AS GRANTOR, \
+               CAST( P.GRANTEE AS VARCHAR(128)) AS GRANTEE, \
+               CASE WHEN (P.TYPE = 's' OR P.TYPE = 'S') THEN CAST( 'SELECT' AS VARCHAR(128)) \
+                  ELSE CASE WHEN (P.TYPE = 'd' OR P.TYPE = 'D') THEN CAST( 'DELETE' AS VARCHAR(128)) \
+                    ELSE CASE WHEN (P.TYPE = 'i' OR P.TYPE = 'I') THEN CAST( 'INSERT' AS VARCHAR(128)) \
+                      ELSE CASE WHEN (P.TYPE = 'u' OR P.TYPE = 'U') THEN CAST( 'UPDATE' AS VARCHAR(128)) \
+                        ELSE CASE WHEN (P.TYPE = 'r' OR P.TYPE = 'R') THEN CAST( 'REFERENCES' AS VARCHAR(128)) \
+                          ELSE CAST( 'TRIGGER' AS VARCHAR(128)) \
+                          END \
+                        END \
+                      END \
+                  END \
+                END AS PRIVILEGE, \
+               CASE WHEN (P.TYPE = 's' OR P.TYPE = 'd' OR P.TYPE = 'i' OR P.TYPE = 'u' OR P.TYPE = 'r' OR P.TYPE = 't') \
+                    THEN CAST( 'NO' AS VARCHAR(128)) ELSE CAST( 'YES' AS VARCHAR(128)) END AS IS_GRANTABLE \
+           FROM SYS.SYSCOLPERMS P, SYS.SYSCOLUMNS C, SYS.SYSTABLES T, SYS.SYSSCHEMAS S \
+           WHERE P.TABLEID = T.TABLEID AND C.REFERENCEID = T.TABLEID AND S.SCHEMAID = T.SCHEMAID \
+            AND ((1=1) OR ? IS NOT NULL) \
+            AND (S.SCHEMANAME LIKE ?)  AND (T.TABLENAME LIKE ?) AND (C.COLUMNNAME LIKE ?) \
+            AND P.COLUMNS.isSet( C.COLUMNNUMBER - 1) \
+          ORDER BY COLUMN_NAME, PRIVILEGE
 
-# ORDER BY COLUMN_NAME, PRIVILEGE
-
-# REMIND: this query is set up to return 0 rows of the right shape, since
-# there are none of these or metadata about them in our system yet.
 # parameter 1 = pattern for catalog name
 # parameter 2 = pattern for schema name
 # parameter 3 = pattern for table name
 getTablePrivileges=\
-	SELECT TABLE_CAT, TABLE_SCHEM, TABLE_NAME, \
-		GRANTOR, GRANTEE, PRIVILEGE, IS_GRANTABLE \
-	FROM ( VALUES (CAST ('' AS VARCHAR(128)), CAST ('' AS VARCHAR(128)), \
-		CAST ('' AS VARCHAR(128)), CAST ('' AS VARCHAR(128)), \
-		CAST ('' AS VARCHAR(128)), CAST ('' AS VARCHAR(128)), \
-		CAST ('' AS VARCHAR(128))) ) \
-		AS TABLEPRIVILEGES (TABLE_CAT, TABLE_SCHEM, TABLE_NAME, \
-			GRANTOR, GRANTEE, PRIVILEGE, IS_GRANTABLE ) \
-	WHERE (1=0) AND (((1=1) OR ? IS NOT NULL) OR ''=? OR ''=?) \
-	ORDER BY TABLE_SCHEM, TABLE_NAME, PRIVILEGE
+        SELECT CAST ('' AS VARCHAR(128)) AS TABLE_CAT, \
+               S.SCHEMANAME AS TABLE_SCHEM, \
+               T.TABLENAME AS TABLE_NAME, \
+               CAST( P.GRANTOR AS VARCHAR(128)) AS GRANTOR, \
+               CAST( P.GRANTEE AS VARCHAR(128)) AS GRANTEE, \
+               X.PRIV AS PRIVILEGE, \
+               X.GRANTABLE AS IS_GRANTABLE \
+          FROM SYS.SYSTABLEPERMS P, SYS.SYSTABLES T, SYS.SYSSCHEMAS S, \
+             (VALUES (CAST('SELECT' AS VARCHAR(128)), CAST('YES'  AS VARCHAR(128))), \
+                     (CAST('SELECT' AS VARCHAR(128)), CAST('NO'  AS VARCHAR(128))), \
+                     (CAST('DELETE' AS VARCHAR(128)), CAST('NO'  AS VARCHAR(128))), \
+                     (CAST('DELETE' AS VARCHAR(128)), CAST('YES'  AS VARCHAR(128))), \
+                     (CAST('INSERT' AS VARCHAR(128)), CAST('NO'  AS VARCHAR(128))), \
+                     (CAST('INSERT' AS VARCHAR(128)), CAST('YES'  AS VARCHAR(128))), \
+                     (CAST('UPDATE' AS VARCHAR(128)), CAST('NO'  AS VARCHAR(128))), \
+                     (CAST('UPDATE' AS VARCHAR(128)), CAST('YES'  AS VARCHAR(128))), \
+                     (CAST('REFERENCES' AS VARCHAR(128)), CAST('NO'  AS VARCHAR(128))), \
+                     (CAST('REFERENCES' AS VARCHAR(128)), CAST('YES'  AS VARCHAR(128))), \
+                     (CAST('TRIGGER' AS VARCHAR(128)), CAST('NO'  AS VARCHAR(128))), \
+                     (CAST('TRIGGER' AS VARCHAR(128)), CAST('YES'  AS VARCHAR(128)))) AS X(PRIV,GRANTABLE) \
+          WHERE P.TABLEID = T.TABLEID AND S.SCHEMAID = T.SCHEMAID \
+            AND ((1=1) OR ? IS NOT NULL) \
+            AND (S.SCHEMANAME LIKE ?)  AND (T.TABLENAME LIKE ?) \
+            AND ((P.SELECTPRIV = 'y' AND X.PRIV = 'SELECT' AND X.GRANTABLE = 'NO') \
+                 OR (P.SELECTPRIV = 'Y' AND X.PRIV = 'SELECT' AND X.GRANTABLE = 'YES') \
+                 OR (P.SELECTPRIV = 'y' AND X.PRIV = 'SELECT' AND X.GRANTABLE = 'NO') \
+                 OR (P.DELETEPRIV = 'Y' AND X.PRIV = 'DELETE' AND X.GRANTABLE = 'YES') \
+                 OR (P.DELETEPRIV = 'y' AND X.PRIV = 'DELETE' AND X.GRANTABLE = 'NO') \
+                 OR (P.INSERTPRIV = 'Y' AND X.PRIV = 'INSERT' AND X.GRANTABLE = 'YES') \
+                 OR (P.INSERTPRIV = 'y' AND X.PRIV = 'INSERT' AND X.GRANTABLE = 'NO') \
+                 OR (P.UPDATEPRIV = 'Y' AND X.PRIV = 'UPDATE' AND X.GRANTABLE = 'YES') \
+                 OR (P.UPDATEPRIV = 'y' AND X.PRIV = 'UPDATE' AND X.GRANTABLE = 'NO') \
+                 OR (P.REFERENCESPRIV = 'Y' AND X.PRIV = 'REFERENCES' AND X.GRANTABLE = 'YES') \
+                 OR (P.REFERENCESPRIV = 'y' AND X.PRIV = 'REFERENCES' AND X.GRANTABLE = 'NO') \
+                 OR (P.TRIGGERPRIV = 'Y' AND X.PRIV = 'TRIGGER' AND X.GRANTABLE = 'YES') \
+                 OR (P.TRIGGERPRIV = 'y' AND X.PRIV = 'TRIGGER' AND X.GRANTABLE = 'NO')) \
+          ORDER BY TABLE_SCHEM, TABLE_NAME, PRIVILEGE
 
 # REMIND: this query is set up to return 0 rows of the right shape, since
 # there are none of these or metadata about them in our system yet.
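
Review bot: In the `getTablePrivileges` WHERE clause the predicate `P.SELECTPRIV = 'y' AND X.PRIV = 'SELECT' AND X.GRANTABLE = 'NO'` appears twice, on the first and third lines of the OR list; it is harmless but looks like a copy-paste slip, so drop the repeat. In `getColumnPrivileges` the nested `CASE ... ELSE CASE` falls through to 'TRIGGER' for any `P.TYPE` value not listed, and IS_GRANTABLE reports 'YES' for anything that is not one of the six lowercase letters; an explicit branch for 't'/'T' in a single flat CASE would make an unexpected type visible instead of mislabelled. The log says these metadata changes still need testing, so a test covering both queries should land with them.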

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericPreparedStatement.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericPreparedStatement.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericPreparedStatement.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericPreparedStatement.java Sun Feb 26 07:52:18 2006
@@ -71,6 +71,7 @@
 
 import java.sql.Timestamp;
 import java.sql.SQLWarning;
+import java.util.List;
 
 /**
  * Basic implementation of prepared statement.
@@ -128,6 +129,7 @@
 
 	protected ConstantAction	executionConstants;
 	protected Object[]	savedObjects;
+	protected List requiredPermissionsList;
 
 	// fields for dependency tracking
 	protected String UUIDString;
@@ -1187,5 +1189,15 @@
 
 	public boolean isStorable() {
 		return false;
+	}
+
+	public void setRequiredPermissionsList( List requiredPermissionsList)
+	{
+		this.requiredPermissionsList = requiredPermissionsList;
+	}
+
+	public List getRequiredPermissionsList()
+	{
+		return requiredPermissionsList;
 	}
 }
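Review bot: getRequiredPermissionsList() hands out the same mutable List that setRequiredPermissionsList() stored, so any caller holding the prepared statement can add or remove entries from the set of permissions checked at execution time. Consider storing and returning an unmodifiable view (Collections.unmodifiableList), and add javadoc to both methods saying what element type the raw List carries and whether null means "no checks required".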

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericStatement.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericStatement.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericStatement.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/GenericStatement.java Sun Feb 26 07:52:18 2006
@@ -503,6 +503,7 @@
 					*/
 					preparedStmt.setConstantAction( qt.makeConstantAction() );
 					preparedStmt.setSavedObjects( cc.getSavedObjects() );
+					preparedStmt.setRequiredPermissionsList(cc.getRequiredPermissionsList());
 					preparedStmt.setActivationClass(ac);
 					preparedStmt.setNeedsSavepoint(qt.needsSavepoint());
 					preparedStmt.setCursorInfo((CursorInfo)cc.getCursorInfo());

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java Sun Feb 26 07:52:18 2006
@@ -9633,7 +9633,7 @@
     public RoutinePermsDescriptor getRoutinePermissions( UUID routineUUID, String authorizationId)
         throws StandardException
     {
-        RoutinePermsDescriptor key = new RoutinePermsDescriptor( this, authorizationId, (String) null);
+        RoutinePermsDescriptor key = new RoutinePermsDescriptor( this, authorizationId, (String) null, routineUUID);
 
         return (RoutinePermsDescriptor) getPermissions( key);
     } // end of getRoutinePermissions

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/PermissionsCacheable.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/PermissionsCacheable.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/PermissionsCacheable.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/PermissionsCacheable.java Sun Feb 26 07:52:18 2006
@@ -123,7 +123,7 @@
 																  routinePermsKey.getGrantee(),
 																  Authorizer.SYSTEM_AUTHORIZATION_ID,
 																  routinePermsKey.getRoutineUUID(),
-																  false);
+																  true);
 				}
 				catch( java.sql.SQLException sqle)
 				{
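Review bot: The last argument of this call flips from `false` to `true` with no comment or named constant saying what the flag controls. Because the call also passes Authorizer.SYSTEM_AUTHORIZATION_ID and sits in the permissions cache, a reader cannot tell from the diff whether this changes a default from "denied" to "granted"; please name the parameter in a comment and explain why the value changed in this patch.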

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CallStatementNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CallStatementNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CallStatementNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CallStatementNode.java Sun Feb 26 07:52:18 2006
@@ -38,6 +38,7 @@
 import org.apache.derby.iapi.sql.compile.C_NodeTypes;
 
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
+import org.apache.derby.iapi.sql.conn.Authorizer;
 
 import org.apache.derby.iapi.services.loader.GeneratedMethod;
 
@@ -157,8 +158,9 @@
 		DataDictionary dd = getDataDictionary();
 
 		if (SanityManager.DEBUG)
-		SanityManager.ASSERT((dd != null), "Failed to get data dictionary");
+			SanityManager.ASSERT((dd != null), "Failed to get data dictionary");
 
+		getCompilerContext().pushCurrentPrivType(getPrivType());
 		methodCall = (JavaToSQLValueNode) methodCall.bindExpression(
 							(FromList) getNodeFactory().getNode(
 								C_NodeTypes.FROM_LIST,
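Review bot: The pushCurrentPrivType(getPrivType()) added before methodCall.bindExpression(...) is not protected by try/finally, so if bindExpression throws a StandardException the matching popCurrentPrivType() in the next hunk never runs and the privilege stack is left unbalanced. CursorNode, DMLStatementNode and DMLModStatementNode in this same commit wrap the bind in try/finally; please do the same here.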
@@ -167,6 +169,7 @@
 							null,
 							null);
 
+		getCompilerContext().popCurrentPrivType();
 		return this;
 	}
 
@@ -297,5 +300,12 @@
 
 		return returnNode;
 	}
-}
 
+	/**
+	 * Set default privilege of EXECUTE for this node. 
+	 */
+	int getPrivType()
+	{
+		return Authorizer.EXECUTE_PRIV;
+	}
+}
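Review bot: The javadoc on getPrivType() says "Set default privilege of EXECUTE for this node", but the method sets nothing and returns Authorizer.EXECUTE_PRIV. Reword it to "Return the default privilege (EXECUTE) required by this node" and add an @return tag, matching the override it replaces in DMLStatementNode.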

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java Sun Feb 26 07:52:18 2006
@@ -37,6 +37,7 @@
 import org.apache.derby.iapi.sql.dictionary.TableDescriptor;
 import org.apache.derby.iapi.sql.dictionary.AliasDescriptor;
 import org.apache.derby.iapi.sql.dictionary.StatementTablePermission;
+import org.apache.derby.iapi.sql.dictionary.StatementSchemaPermission;
 import org.apache.derby.iapi.sql.dictionary.StatementColumnPermission;
 import org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission;
 
@@ -684,6 +685,7 @@
 		privTypeStack.clear();
 		requiredColumnPrivileges = null;
 		requiredTablePrivileges = null;
+		requiredSchemaPrivileges = null;
 		requiredRoutinePrivileges = null;
 		LanguageConnectionContext lcc = (LanguageConnectionContext)
 		getContextManager().getContext(LanguageConnectionContext.CONTEXT_ID);
@@ -691,6 +693,7 @@
 		{
 			requiredColumnPrivileges = new HashMap();
 			requiredTablePrivileges = new HashMap();
+			requiredSchemaPrivileges = new HashMap();
 			requiredRoutinePrivileges = new HashMap();
 		}
 	} // end of initRequiredPriv
@@ -739,9 +742,9 @@
 			tableColumnPrivileges = new StatementColumnPermission( tableUUID,
 																   currPrivType,
 																   new FormatableBitSet( td.getNumberOfColumns()));
-			requiredColumnPrivileges.put( key, tableColumnPrivileges);
+			requiredColumnPrivileges.put(key, tableColumnPrivileges);
 		}
-		tableColumnPrivileges.getColumns().set( column.getPosition() - 1);
+		tableColumnPrivileges.getColumns().set(column.getPosition() - 1);
 	} // end of addRequiredColumnPriv
 
 	/**
@@ -755,7 +758,7 @@
 			return;
 
 		StatementTablePermission key = new StatementTablePermission( table.getUUID(), currPrivType);
-		requiredTablePrivileges.put( key, key);
+		requiredTablePrivileges.put(key, key);
 	}
 
 	/**
@@ -768,8 +771,26 @@
 		// routine == null for built in routines
 		if( requiredRoutinePrivileges == null || routine == null)
 			return;
-		if( requiredRoutinePrivileges.get( routine.getUUID()) == null)
-			requiredRoutinePrivileges.put( routine.getUUID(), ReuseFactory.getInteger(1));
+
+		/* GrantRevoke TODO: Implement routine privilege checks. Commented out for now.
+ 		if (requiredRoutinePrivileges.get(routine.getUUID()) == null)
+ 			requiredRoutinePrivileges.put(routine.getUUID(), ReuseFactory.getInteger(1));
+		*/
+	}
+
+	/**
+	 * Add a required schema privilege to the list privileges.
+	 *
+	 * @param SchemaDescriptor
+	 */
+	public void addRequiredSchemaPriv(SchemaDescriptor sd)
+	{
+		if( requiredSchemaPrivileges == null || sd == null)
+			return;
+
+		StatementSchemaPermission key = new StatementSchemaPermission(sd.getUUID());
+
+		requiredSchemaPrivileges.put(key, key);
 	}
 
 	/**
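Review bot: Commenting out the body of addRequiredRoutinePriv leaves it a silent no-op after the null check, so the EXECUTE_PRIV that CallStatementNode pushes is never recorded and no routine permission reaches the required-permissions list. That matches the log message, but the TODO should reference the tracking issue and the method javadoc should say the check is disabled, so nobody assumes routine privileges are enforced. In the new addRequiredSchemaPriv javadoc, `@param SchemaDescriptor` names the type rather than the parameter; it should read `@param sd`.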
@@ -782,6 +803,8 @@
 			size += requiredRoutinePrivileges.size();
 		if( requiredTablePrivileges != null)
 			size += requiredTablePrivileges.size();
+		if( requiredSchemaPrivileges != null)
+			size += requiredSchemaPrivileges.size();
 		if( requiredColumnPrivileges != null)
 			size += requiredColumnPrivileges.size();
 		
@@ -802,6 +825,13 @@
 				list.add( itr.next());
 			}
 		}
+		if( requiredSchemaPrivileges != null)
+		{
+			for( Iterator itr = requiredSchemaPrivileges.values().iterator(); itr.hasNext();)
+			{
+				list.add( itr.next());
+			}
+		}
 		if( requiredColumnPrivileges != null)
 		{
 			for( Iterator itr = requiredColumnPrivileges.values().iterator(); itr.hasNext();)
@@ -857,5 +887,6 @@
 	private int currPrivType = Authorizer.NULL_PRIV;
 	private HashMap requiredColumnPrivileges;
 	private HashMap requiredTablePrivileges;
+	private HashMap requiredSchemaPrivileges;
 	private HashMap requiredRoutinePrivileges;
 } // end of class CompilerContextImpl

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CursorNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CursorNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CursorNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CursorNode.java Sun Feb 26 07:52:18 2006
@@ -24,6 +24,9 @@
 
 import org.apache.derby.iapi.sql.compile.C_NodeTypes;
 
+import org.apache.derby.iapi.sql.conn.Authorizer;
+import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
+
 import org.apache.derby.iapi.error.StandardException;
 import org.apache.derby.iapi.reference.SQLState;
 
@@ -236,35 +239,43 @@
 			orderByList.pullUpOrderByColumns(resultSet);
 		}
 
-		FromList	fromList = (FromList) getNodeFactory().getNode(
-				C_NodeTypes.FROM_LIST,
-				getNodeFactory().doJoinOrderOptimization(),
-				getContextManager());
-
-		/* Check for ? parameters directly under the ResultColums */
-		resultSet.rejectParameters();
-
-		super.bind(dataDictionary);
-
-		// bind the query expression
-		resultSet.bindResultColumns(fromList);
-
-		// this rejects any untyped nulls in the select list
-		// pass in null to indicate that we don't have any
-		// types for this node
-		resultSet.bindUntypedNullsToResultColumns(null);
-
-		// Reject any XML values in the select list; JDBC doesn't
-		// define how we bind these out, so we don't allow it.
-		resultSet.rejectXMLValues();
-
-		/* Verify that all underlying ResultSets reclaimed their FromList */
-		if (SanityManager.DEBUG) {
-			SanityManager.ASSERT(fromList.size() == 0,
+		getCompilerContext().pushCurrentPrivType(getPrivType());
+		try {
+			FromList	fromList = (FromList) getNodeFactory().getNode(
+					C_NodeTypes.FROM_LIST,
+					getNodeFactory().doJoinOrderOptimization(),
+					getContextManager());
+
+			/* Check for ? parameters directly under the ResultColums */
+			resultSet.rejectParameters();
+
+			super.bind(dataDictionary);
+
+			// bind the query expression
+			resultSet.bindResultColumns(fromList);
+
+			// this rejects any untyped nulls in the select list
+			// pass in null to indicate that we don't have any
+			// types for this node
+			resultSet.bindUntypedNullsToResultColumns(null);
+
+			// Reject any XML values in the select list; JDBC doesn't
+			// define how we bind these out, so we don't allow it.
+			resultSet.rejectXMLValues();
+
+			/* Verify that all underlying ResultSets reclaimed their FromList */
+			if (SanityManager.DEBUG) {
+				SanityManager.ASSERT(fromList.size() == 0,
 					"fromList.size() is expected to be 0, not "
 							+ fromList.size()
 							+ " on return from RS.bindExpressions()");
+			}
 		}
+		finally
+		{
+			getCompilerContext().popCurrentPrivType();
+		}
+
 		// bind the order by
 		if (orderByList != null)
 		{
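Review bot: The "bind the order by" block now runs after the finally clause has called popCurrentPrivType(), so anything it resolves is recorded under the caller's privilege type rather than getPrivType(). If that is safe because pullUpOrderByColumns(resultSet) has already moved those columns into the result set bound inside the try, please say so in a comment; otherwise move the order-by binding inside the try block.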

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DDLStatementNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DDLStatementNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DDLStatementNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DDLStatementNode.java Sun Feb 26 07:52:18 2006
@@ -192,6 +192,7 @@
 	* Get a schema descriptor for this DDL object.
 	* Uses this.objectName.  Always returns a schema,
 	* we lock in the schema name prior to execution.
+	* Checks if current authorizationID is owner of the schema.
 	*
 	* @return Schema Descriptor
 	*
@@ -200,6 +201,24 @@
 	*/
 	protected final SchemaDescriptor getSchemaDescriptor() throws StandardException
 	{
+		return getSchemaDescriptor(true);
+	}
+
+	/**
+	* Get a schema descriptor for this DDL object.
+	* Uses this.objectName.  Always returns a schema,
+	* we lock in the schema name prior to execution.
+	*
+	* @param ownerCheck		If check for schema owner is needed
+	*
+	* @return Schema Descriptor
+	*
+	* @exception	StandardException	throws on schema name
+	*						that doesn't exist	
+	*/
+	protected final SchemaDescriptor getSchemaDescriptor(boolean ownerCheck)
+		 throws StandardException
+	{
 		String schemaName = objectName.getSchemaName();
 		//boolean needError = !(implicitCreateSchema || (schemaName == null));
 		boolean needError = !implicitCreateSchema;
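Review bot: The new getSchemaDescriptor(boolean ownerCheck) overload lets any subclass skip recording the schema privilege by passing `false`, and its javadoc only says "If check for schema owner is needed". Please document which statements may legitimately pass false, because each such caller is a place where schema ownership is not enforced.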
@@ -214,6 +233,9 @@
 			sd  = new SchemaDescriptor(getDataDictionary(), schemaName,
 				(String) null, (UUID)null, false);
 		}
+
+		if (ownerCheck)
+			getCompilerContext().addRequiredSchemaPriv(sd);
 
 		/*
 		** Catch the system schema here.
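Review bot: addRequiredSchemaPriv(sd) is reached on the path where `sd` was just built with `(UUID)null`, and addRequiredSchemaPriv keys the permission on `new StatementSchemaPermission(sd.getUUID())`. Every not-yet-created schema would therefore share one null-UUID key, and the execution-time owner check has to cope with a null UUID. Please either skip the call for the implicit-create case or confirm and test that the checker handles it. The call also sits above the "Catch the system schema here" check, so a permission is recorded even for statements that are about to be rejected.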

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLModStatementNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLModStatementNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLModStatementNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLModStatementNode.java Sun Feb 26 07:52:18 2006
@@ -38,6 +38,8 @@
 import org.apache.derby.iapi.sql.compile.C_NodeTypes;
 import org.apache.derby.iapi.sql.compile.NodeFactory;
 
+import org.apache.derby.iapi.sql.conn.Authorizer;
+
 import org.apache.derby.iapi.reference.ClassName;
 import org.apache.derby.iapi.reference.SQLState;
 
@@ -477,33 +479,40 @@
 			return null;
 		}
 
-
-		getAllRelevantConstraints(dataDictionary, 	
+ 		// Donot need privileges to execute constraints
+		getCompilerContext().pushCurrentPrivType( Authorizer.NULL_PRIV);
+		try {
+			getAllRelevantConstraints(dataDictionary, 	
 											targetTableDescriptor, 
 											skipCheckConstraints,
 											changedColumnIds);
-		createConstraintDependencies(dataDictionary, relevantCdl, dependent);
-		generateFKInfo(relevantCdl, dataDictionary, targetTableDescriptor, readColsBitSet);
+			createConstraintDependencies(dataDictionary, relevantCdl, dependent);
+			generateFKInfo(relevantCdl, dataDictionary, targetTableDescriptor, readColsBitSet);
 
-		getAllRelevantTriggers(dataDictionary, targetTableDescriptor,
+			getAllRelevantTriggers(dataDictionary, targetTableDescriptor,
 							   changedColumnIds, includeTriggers);
-		createTriggerDependencies(relevantTriggers, dependent);
-		generateTriggerInfo(relevantTriggers, targetTableDescriptor, changedColumnIds);
+			createTriggerDependencies(relevantTriggers, dependent);
+			generateTriggerInfo(relevantTriggers, targetTableDescriptor, changedColumnIds);
 
-		if (skipCheckConstraints)
-		{
-			return null;
-		}
+			if (skipCheckConstraints)
+			{
+				return null;
+			}
 
-		checkConstraints = generateCheckTree(relevantCdl,
+			checkConstraints = generateCheckTree(relevantCdl,
 														targetTableDescriptor);
 
-		if (checkConstraints != null)
-		{
-			bindCheckConstraint(nodeFactory, 
+			if (checkConstraints != null)
+			{
+				bindCheckConstraint(nodeFactory, 
 								targetTableDescriptor,
 								sourceRCL,
 								checkConstraints);
+			}
+		}
+		finally
+		{
+			getCompilerContext().popCurrentPrivType();
 		}
 
 		return	checkConstraints;
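Review bot: The comment "Donot need privileges to execute constraints" understates what the NULL_PRIV block covers: getAllRelevantTriggers, createTriggerDependencies and generateTriggerInfo are inside the same try, so trigger binding is exempted from privilege recording too. Please fix the typo ("Do not") and state explicitly that triggers are included and why, given that the log message says TRIGGER privilege enforcement is still outstanding.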

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLStatementNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLStatementNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLStatementNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DMLStatementNode.java Sun Feb 26 07:52:18 2006
@@ -29,6 +29,7 @@
 import org.apache.derby.iapi.sql.compile.C_NodeTypes;
 
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
+import org.apache.derby.iapi.sql.conn.Authorizer;
 import org.apache.derby.iapi.sql.execute.ExecutionContext;
 import org.apache.derby.iapi.sql.ResultColumnDescriptor;
 import org.apache.derby.iapi.sql.ParameterValueSet;
@@ -147,14 +148,22 @@
 	public QueryTreeNode bind(DataDictionary dataDictionary)
 					 throws StandardException
 	{
-		/*
-		** Bind the tables before binding the expressions, so we can
-		** use the results of table binding to look up columns.
-		*/
-		bindTables(dataDictionary);
+		// We just need select privilege on most columns and tables
+		getCompilerContext().pushCurrentPrivType(getPrivType());
+		try {
+			/*
+			** Bind the tables before binding the expressions, so we can
+			** use the results of table binding to look up columns.
+			*/
+			bindTables(dataDictionary);
 
-		/* Bind the expressions */
-		bindExpressions();
+			/* Bind the expressions */
+			bindExpressions();
+		}
+		finally
+		{
+			getCompilerContext().popCurrentPrivType();
+		}
 
 		return this;
 	}
@@ -465,5 +474,16 @@
 		}
 
 		return this;
+	}
+
+	/**
+	 * Return default privilege needed for this node. Other DML nodes can override
+	 * this method to set their own default privilege.
+	 *
+	 * @return true if the statement is atomic
+	 */
+	int getPrivType()
+	{
+		return Authorizer.SELECT_PRIV;
 	}
 }
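Review bot: The javadoc on getPrivType() carries a copy-pasted tag, `@return true if the statement is atomic`, while the method returns an int privilege constant (Authorizer.SELECT_PRIV). Replace it with something like "@return the Authorizer privilege type required by default". The method is also package-private, which is fine for overrides within impl.sql.compile but worth stating, since the javadoc invites "other DML nodes" to override it.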

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DeleteNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DeleteNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DeleteNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DeleteNode.java Sun Feb 26 07:52:18 2006
@@ -25,6 +25,7 @@
 import org.apache.derby.iapi.reference.SQLState;
 import org.apache.derby.iapi.error.StandardException;
 
+import org.apache.derby.iapi.sql.conn.Authorizer;
 import org.apache.derby.iapi.sql.dictionary.DataDictionary;
 import org.apache.derby.iapi.sql.dictionary.ColumnDescriptor;
 import org.apache.derby.iapi.sql.dictionary.TableDescriptor;
@@ -145,168 +146,169 @@
 
 	public QueryTreeNode bind() throws StandardException
 	{
-		FromList					fromList =
-								(FromList) getNodeFactory().getNode(
+		// We just need select privilege on the where clause tables
+		getCompilerContext().pushCurrentPrivType( Authorizer.SELECT_PRIV);
+		try
+		{
+			FromList	fromList = (FromList) getNodeFactory().getNode(
 									C_NodeTypes.FROM_LIST,
 									getNodeFactory().doJoinOrderOptimization(),
 									getContextManager());
-		ResultColumn				rowLocationColumn = null;
-		CurrentRowLocationNode		rowLocationNode;
-		TableName					cursorTargetTableName = null;
-		CurrentOfNode       		currentOfNode = null;
+			ResultColumn				rowLocationColumn = null;
+			CurrentRowLocationNode		rowLocationNode;
+			TableName					cursorTargetTableName = null;
+			CurrentOfNode       		currentOfNode = null;
 		
-                DataDictionary dataDictionary = getDataDictionary();
-		super.bindTables(dataDictionary);
+			DataDictionary dataDictionary = getDataDictionary();
+			super.bindTables(dataDictionary);
 
-		// wait to bind named target table until the underlying
-		// cursor is bound, so that we can get it from the
-		// cursor if this is a positioned delete.
-
-		// for positioned delete, get the cursor's target table.
-		if (SanityManager.DEBUG)
-		SanityManager.ASSERT(resultSet != null && resultSet instanceof SelectNode,
-			"Delete must have a select result set");
-
-		SelectNode sel;
-		sel = (SelectNode)resultSet;
-		targetTable = (FromTable) sel.fromList.elementAt(0);
-		if (targetTable instanceof CurrentOfNode)
-		{
-			currentOfNode = (CurrentOfNode) targetTable;
+			// wait to bind named target table until the underlying
+			// cursor is bound, so that we can get it from the
+			// cursor if this is a positioned delete.
 
-			cursorTargetTableName = currentOfNode.getBaseCursorTargetTableName();
-			// instead of an assert, we might say the cursor is not updatable.
+			// for positioned delete, get the cursor's target table.
 			if (SanityManager.DEBUG)
-				SanityManager.ASSERT(cursorTargetTableName != null);
-		}
+				SanityManager.ASSERT(resultSet != null && resultSet instanceof SelectNode,
+				"Delete must have a select result set");
 
-		if (targetTable instanceof FromVTI)
-		{
-			targetVTI = (FromVTI) targetTable;
-			targetVTI.setTarget();
-		}
-		else
-		{
-			// positioned delete can leave off the target table.
-			// we get it from the cursor supplying the position.
-			if (targetTableName == null)
+			SelectNode sel;
+			sel = (SelectNode)resultSet;
+			targetTable = (FromTable) sel.fromList.elementAt(0);
+			if (targetTable instanceof CurrentOfNode)
 			{
-				// verify we have current of
+				currentOfNode = (CurrentOfNode) targetTable;
+
+				cursorTargetTableName = currentOfNode.getBaseCursorTargetTableName();
+				// instead of an assert, we might say the cursor is not updatable.
 				if (SanityManager.DEBUG)
-					SanityManager.ASSERT(cursorTargetTableName!=null);
+					SanityManager.ASSERT(cursorTargetTableName != null);
+			}
 
-				targetTableName = cursorTargetTableName;
+			if (targetTable instanceof FromVTI)
+			{
+				targetVTI = (FromVTI) targetTable;
+				targetVTI.setTarget();
 			}
-			// for positioned delete, we need to verify that
-			// the named table is the same as the cursor's target (base table name).
-			else if (cursorTargetTableName != null)
+			else
 			{
-				// this match requires that the named table in the delete
-				// be the same as a base name in the cursor.
-				if ( !targetTableName.equals(cursorTargetTableName))
+				// positioned delete can leave off the target table.
+				// we get it from the cursor supplying the position.
+				if (targetTableName == null)
+				{
+					// verify we have current of
+					if (SanityManager.DEBUG)
+						SanityManager.ASSERT(cursorTargetTableName!=null);
+
+				targetTableName = cursorTargetTableName;
+				}
+				// for positioned delete, we need to verify that
+				// the named table is the same as the cursor's target (base table name).
+				else if (cursorTargetTableName != null)
 				{
-					throw StandardException.newException(SQLState.LANG_CURSOR_DELETE_MISMATCH, 
-						targetTableName,
-						currentOfNode.getCursorName());
+					// this match requires that the named table in the delete
+					// be the same as a base name in the cursor.
+					if ( !targetTableName.equals(cursorTargetTableName))
+					{
+						throw StandardException.newException(SQLState.LANG_CURSOR_DELETE_MISMATCH, 
+							targetTableName,
+							currentOfNode.getCursorName());
+					}
 				}
 			}
-
-
-		}
 		
-		// descriptor must exist, tables already bound.
-		verifyTargetTable();
+			// descriptor must exist, tables already bound.
+			verifyTargetTable();
 
-		/* Generate a select list for the ResultSetNode - CurrentRowLocation(). */
-		if (SanityManager.DEBUG)
-		SanityManager.ASSERT((resultSet.resultColumns == null),
+			/* Generate a select list for the ResultSetNode - CurrentRowLocation(). */
+			if (SanityManager.DEBUG)
+				SanityManager.ASSERT((resultSet.resultColumns == null),
 							  "resultColumns is expected to be null until bind time");
 
 
-		if (targetTable instanceof FromVTI)
-		{
-			getResultColumnList();
-			resultColumnList = targetTable.getResultColumnsForList(null, resultColumnList, null);
+			if (targetTable instanceof FromVTI)
+			{
+				getResultColumnList();
+				resultColumnList = targetTable.getResultColumnsForList(null, 
+								resultColumnList, null);
 
-			/* Set the new result column list in the result set */
-			resultSet.setResultColumns(resultColumnList);
-		}
-		else
-		{
-			/*
-			** Start off assuming no columns from the base table
-			** are needed in the rcl.
-			*/
+				/* Set the new result column list in the result set */
+				resultSet.setResultColumns(resultColumnList);
+			}
+			else
+			{
+				/*
+				** Start off assuming no columns from the base table
+				** are needed in the rcl.
+				*/
 
-			resultColumnList = new ResultColumnList();
+				resultColumnList = new ResultColumnList();
 
-			FromBaseTable fbt = getResultColumnList(resultColumnList);
+				FromBaseTable fbt = getResultColumnList(resultColumnList);
 
-			readColsBitSet = getReadMap(dataDictionary,
+				readColsBitSet = getReadMap(dataDictionary,
 										targetTableDescriptor);
 
-			resultColumnList = fbt.addColsToList(resultColumnList, readColsBitSet);
+				resultColumnList = fbt.addColsToList(resultColumnList, readColsBitSet);
 
-			/*
-			** If all bits are set, then behave as if we chose all
-			** in the first place
-			*/
-			int i = 1;
-			int size = targetTableDescriptor.getMaxColumnID();
-			for (; i <= size; i++)
-			{
-				if (!readColsBitSet.get(i))
+				/*
+				** If all bits are set, then behave as if we chose all
+				** in the first place
+				*/
+				int i = 1;
+				int size = targetTableDescriptor.getMaxColumnID();
+				for (; i <= size; i++)
 				{
-					break;
+					if (!readColsBitSet.get(i))
+					{
+						break;
+					}
 				}
-			}
 
-			if (i > size)
-			{
-				readColsBitSet = null;
-			}
+				if (i > size)
+				{
+					readColsBitSet = null;
+				}
 
-			/*
-			** Construct an empty heap row for use in our constant action.
-			*/
-			emptyHeapRow = targetTableDescriptor.getEmptyExecRow(getContextManager());
+				/*
+				** Construct an empty heap row for use in our constant action.
+				*/
+				emptyHeapRow = targetTableDescriptor.getEmptyExecRow(getContextManager());
 
-			/* Generate the RowLocation column */
-			rowLocationNode = (CurrentRowLocationNode) getNodeFactory().getNode(
+				/* Generate the RowLocation column */
+				rowLocationNode = (CurrentRowLocationNode) getNodeFactory().getNode(
 										C_NodeTypes.CURRENT_ROW_LOCATION_NODE,
 										getContextManager());
-			rowLocationColumn =
-				(ResultColumn) getNodeFactory().getNode(
+				rowLocationColumn =
+					(ResultColumn) getNodeFactory().getNode(
 									C_NodeTypes.RESULT_COLUMN,
 									COLUMNNAME,
 									rowLocationNode,
 									getContextManager());
-			rowLocationColumn.markGenerated();
+				rowLocationColumn.markGenerated();
 
-			/* Append to the ResultColumnList */
-			resultColumnList.addResultColumn(rowLocationColumn);
+				/* Append to the ResultColumnList */
+				resultColumnList.addResultColumn(rowLocationColumn);
 
-			/* Force the added columns to take on the table's correlation name, if any */
-			correlateAddedColumns( resultColumnList, targetTable );
+				/* Force the added columns to take on the table's correlation name, if any */
+				correlateAddedColumns( resultColumnList, targetTable );
 			
-			/* Set the new result column list in the result set */
-			resultSet.setResultColumns(resultColumnList);
-		}
+				/* Set the new result column list in the result set */
+				resultSet.setResultColumns(resultColumnList);
+			}
 
-		/* Bind the expressions before the ResultColumns are bound */
-		super.bindExpressions();
+			/* Bind the expressions before the ResultColumns are bound */
+			super.bindExpressions();
 
-		/* Bind untyped nulls directly under the result columns */
-		resultSet.
-			getResultColumns().
+			/* Bind untyped nulls directly under the result columns */
+			resultSet.getResultColumns().
 				bindUntypedNullsToResultColumns(resultColumnList);
 
-		if (! (targetTable instanceof FromVTI))
-		{
-			/* Bind the new ResultColumn */
-			rowLocationColumn.bindResultColumnToExpression();
+			if (! (targetTable instanceof FromVTI))
+			{
+				/* Bind the new ResultColumn */
+				rowLocationColumn.bindResultColumnToExpression();
 
-			bindConstraints(dataDictionary,
+				bindConstraints(dataDictionary,
 							getNodeFactory(),
 							targetTableDescriptor,
 							null,
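Review bot: All of bind(), including super.bindTables(dataDictionary) and verifyTargetTable(), now runs under Authorizer.SELECT_PRIV, although the comment says that privilege is meant only for the where-clause tables. targetTable is taken from sel.fromList.elementAt(0), so please confirm that binding it in this scope does not record a SELECT requirement on the delete target when there is no WHERE clause, and add a test for a user who holds DELETE but not SELECT. Separately, the re-indented line `targetTableName = cursorTargetTableName;` was left one level short of its enclosing block.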
@@ -316,82 +318,94 @@
 							false,
 							true);  /* we alway include triggers in core language */
 
-			/* If the target table is also a source table, then
-			 * the delete will have to be in deferred mode
-			 * For deletes, this means that the target table appears in a
-			 * subquery.  Also, self-referencing foreign key deletes
-		 	 * are deferred.  And triggers cause the delete to be deferred.
-			 */
-			if (resultSet.subqueryReferencesTarget(
+				/* If the target table is also a source table, then
+			 	* the delete will have to be in deferred mode
+			 	* For deletes, this means that the target table appears in a
+			 	* subquery.  Also, self-referencing foreign key deletes
+		 	 	* are deferred.  And triggers cause the delete to be deferred.
+			 	*/
+				if (resultSet.subqueryReferencesTarget(
 									targetTableDescriptor.getName(), true) ||
-				requiresDeferredProcessing())
-			{
-				deferred = true;
+					requiresDeferredProcessing())
+				{
+					deferred = true;
+				}
 			}
-		}
-		else
-		{
-            deferred = VTIDeferModPolicy.deferIt( DeferModification.DELETE_STATEMENT,
+			else
+			{
+            	deferred = VTIDeferModPolicy.deferIt( DeferModification.DELETE_STATEMENT,
                                                   targetVTI,
                                                   null,
                                                   sel.getWhereClause());
-		}
-        sel = null; // done with sel
-
-		/* Verify that all underlying ResultSets reclaimed their FromList */
-		if (SanityManager.DEBUG)
-		{
-			SanityManager.ASSERT(fromList.size() == 0,
-				"fromList.size() is expected to be 0, not " +
-				fromList.size() +
-				" on return from RS.bindExpressions()");
-		}
-
-
-		//In case of cascade delete , create nodes for
-		//the ref action  dependent tables and bind them.
-		if(fkTableNames != null)
-		{
-			String currentTargetTableName =
-				targetTableDescriptor.getSchemaName() + "." + targetTableDescriptor.getName();
+			}
+        	sel = null; // done with sel
 
-			if(!isDependentTable){
-				//graph node
-				graphHashTable = new Hashtable();
+			/* Verify that all underlying ResultSets reclaimed their FromList */
+			if (SanityManager.DEBUG)
+			{
+				SanityManager.ASSERT(fromList.size() == 0,
+					"fromList.size() is expected to be 0, not " +
+					fromList.size() +
+					" on return from RS.bindExpressions()");
 			}
 
-			/*Check whether the current tatget is already been explored.
-			 *If we are seeing the same table name which we binded earlier
-			 *means we have cyclic references.
-			 */
-			if(!graphHashTable.containsKey(currentTargetTableName))
+			//In case of cascade delete , create nodes for
+			//the ref action  dependent tables and bind them.
+			if(fkTableNames != null)
 			{
-				cascadeDelete = true;
-				int noDependents = fkTableNames.length;
-				dependentNodes = new QueryTreeNode[noDependents];
-				graphHashTable.put(currentTargetTableName, new Integer(noDependents));
-				for(int i =0 ; i < noDependents ; i ++)
+				String currentTargetTableName = targetTableDescriptor.getSchemaName() +
+						 "." + targetTableDescriptor.getName();
+
+				if(!isDependentTable){
+					//graph node
+					graphHashTable = new Hashtable();
+				}
+
+				/*Check whether the current tatget is already been explored.
+			 	*If we are seeing the same table name which we binded earlier
+			 	*means we have cyclic references.
+			 	*/
+				if(!graphHashTable.containsKey(currentTargetTableName))
 				{
-					dependentNodes[i] = getDependentTableNode(fkTableNames[i],
+					cascadeDelete = true;
+					int noDependents = fkTableNames.length;
+					dependentNodes = new QueryTreeNode[noDependents];
+					graphHashTable.put(currentTargetTableName, new Integer(noDependents));
+					for(int i =0 ; i < noDependents ; i ++)
+					{
+						dependentNodes[i] = getDependentTableNode(fkTableNames[i],
 															  fkRefActions[i],
 															  fkColDescriptors[i]);
-					dependentNodes[i].bind();
+						dependentNodes[i].bind();
+					}
 				}
 			}
-		}else
-		{
-			//case where current dependent table does not have dependent tables
-			if(isDependentTable)
+			else
 			{
-				String currentTargetTableName =
-					targetTableDescriptor.getSchemaName() + "." + targetTableDescriptor.getName();
-				graphHashTable.put(currentTargetTableName, new Integer(0));
+				//case where current dependent table does not have dependent tables
+				if(isDependentTable)
+				{
+					String currentTargetTableName = targetTableDescriptor.getSchemaName()
+							 + "." + targetTableDescriptor.getName();
+					graphHashTable.put(currentTargetTableName, new Integer(0));
 
+				}
 			}
-
+			getCompilerContext().pushCurrentPrivType( getPrivType());
+			getCompilerContext().addRequiredTablePriv( targetTableDescriptor);
+			getCompilerContext().popCurrentPrivType();
+		}
+		finally
+		{
+			getCompilerContext().popCurrentPrivType();
 		}
 		return this;
 	} // end of bind
+
+	int getPrivType()
+	{
+		return Authorizer.DELETE_PRIV;
+	}
 
 	/**
 	 * Return true if the node references SESSION schema tables (temporary or permanent)
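Review bot: Most of the visible part of this hunk is re-indentation from wrapping the body of bind() in try/finally, which buries the functional change: the three lines ending in `getCompilerContext().addRequiredTablePriv( targetTableDescriptor);` and the `finally` block. Consider committing the whitespace change separately so the privilege logic can be audited on its own. The `popCurrentPrivType()` in `finally` also has no matching push in the lines shown here; a short comment at the `try` naming the push it pairs with would make the stack discipline easier to verify.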

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FKConstraintDefinitionNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FKConstraintDefinitionNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FKConstraintDefinitionNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FKConstraintDefinitionNode.java Sun Feb 26 07:52:18 2006
@@ -23,6 +23,9 @@
 import org.apache.derby.iapi.types.TypeId;
 import org.apache.derby.iapi.sql.dictionary.DataDictionary;
 import org.apache.derby.iapi.sql.dictionary.SchemaDescriptor;
+import org.apache.derby.iapi.sql.dictionary.TableDescriptor;
+import org.apache.derby.iapi.sql.dictionary.ColumnDescriptor;
+import org.apache.derby.iapi.sql.conn.Authorizer;
 import org.apache.derby.iapi.error.StandardException;
 import org.apache.derby.iapi.services.sanity.SanityManager;
 
@@ -80,7 +83,6 @@
 	 */
 	protected void bind(DDLStatementNode ddlNode, DataDictionary dd)	throws StandardException
 	{
-
 		super.bind(ddlNode, dd);
 
 		refTableSd = getSchemaDescriptor(refTableName.getSchemaName());
@@ -91,17 +93,50 @@
 		}
 
 		// check the referenced table, unless this is a self-referencing constraint
-		if (!refTableName.equals(ddlNode.getObjectName())) {
+		if (refTableName.equals(ddlNode.getObjectName()))
+			return;
 
-			// clear error when the referenced table does not exist
-			if (getTableDescriptor(refTableName.getTableName(), refTableSd) == null)
-				throw StandardException.newException(SQLState.LANG_INVALID_FK_NO_REF_TAB, 
+		// error when the referenced table does not exist
+		TableDescriptor td = getTableDescriptor(refTableName.getTableName(), refTableSd);
+		if (td == null)
+			throw StandardException.newException(SQLState.LANG_INVALID_FK_NO_REF_TAB, 
 												getConstraintMoniker(), 
 												refTableName.getTableName());
-			
-			// now check any other limitations
-			ddlNode.getTableDescriptor(refTableName);
+
+		// Verify if REFERENCES_PRIV is granted to columns referenced
+		getCompilerContext().pushCurrentPrivType(getPrivType());
+
+		// If references clause doesn't have columnlist, get primary key info
+		if (refRcl.size()==0 && (td.getPrimaryKey() != null))
+		{
+			// Get the primary key columns
+			int[] refCols = td.getPrimaryKey().getReferencedColumns();
+			for (int i=0; i<refCols.length; i++)
+			{
+				ColumnDescriptor cd = td.getColumnDescriptor(refCols[i]);
+				// Set tableDescriptor for this column descriptor. Needed for adding required table
+				// access permission. Column descriptors may not have this set already.
+				cd.setTableDescriptor(td);
+				getCompilerContext().addRequiredColumnPriv(cd);
+			}
+
 		}
+		else
+		{
+			for (int i=0; i<refRcl.size(); i++)
+			{
+				ResultColumn rc = (ResultColumn) refRcl.elementAt(i);
+				ColumnDescriptor cd = td.getColumnDescriptor(rc.getName());
+				if (cd != null)
+				{
+					// Set tableDescriptor for this column descriptor. Needed for adding required table
+					// access permission. Column descriptors may not have this set already.
+					cd.setTableDescriptor(td);
+					getCompilerContext().addRequiredColumnPriv(cd);
+				}
+			}
+		}
+		getCompilerContext().popCurrentPrivType();
 	}
 
 	public ConstraintInfo getReferencedConstraintInfo()
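Review bot: The old code ended with `ddlNode.getTableDescriptor(refTableName);` under the comment "now check any other limitations", and the new version drops that call with no replacement, so whatever restrictions it enforced on the referenced table no longer apply on this path; either keep the call or say in the log why it is safe to remove. Separately, `pushCurrentPrivType(getPrivType())` and `popCurrentPrivType()` are not wrapped in try/finally, so if anything between them throws (the method is declared `throws StandardException`) the REFERENCES privilege type stays pushed. In the else branch a column with `cd == null` is skipped silently, and when there is no column list and `td.getPrimaryKey()` is null nothing is recorded at all; a comment saying where those cases are rejected would help.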
@@ -118,17 +153,8 @@
 
 	public	TableName	getRefTableName() { return refTableName; }
 
+	int getPrivType()
+	{
+		return Authorizer.REFERENCES_PRIV;
+	}
 }
-
-
-
-
-
-
-
-
-
-
-
-
-

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FromList.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FromList.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FromList.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/FromList.java Sun Feb 26 07:52:18 2006
@@ -578,6 +578,9 @@
 					columnReference.setNestingLevel(((FromTable) elementAt(0)).getLevel());
 					columnReference.setSourceLevel(currentLevel);
 					columnNameMatch = true;
+
+					CompilerContext cc = getCompilerContext();
+					cc.addRequiredColumnPriv( resultColumn.getTableColumnDescriptor());
 				}
 				else
 				{
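Review bot: `resultColumn.getTableColumnDescriptor()` is passed straight to `addRequiredColumnPriv` with no null check, whereas the FKConstraintDefinitionNode change in this commit guards the same call with `if (cd != null)`. If a result column here can lack a table column descriptor, either guard the call or document that `addRequiredColumnPriv` accepts null.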

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java Sun Feb 26 07:52:18 2006
@@ -32,6 +32,8 @@
 
 import org.apache.derby.iapi.sql.compile.C_NodeTypes;
 
+import org.apache.derby.iapi.sql.conn.Authorizer;
+
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
 import org.apache.derby.iapi.sql.compile.Visitable;
 import org.apache.derby.iapi.sql.compile.Visitor;
@@ -225,6 +227,9 @@
 
 	public QueryTreeNode bind() throws StandardException
 	{
+		// We just need select privilege on the expressions
+		getCompilerContext().pushCurrentPrivType( Authorizer.SELECT_PRIV);
+
 		FromList	fromList = (FromList) getNodeFactory().getNode(
 									C_NodeTypes.FROM_LIST,
 									getNodeFactory().doJoinOrderOptimization(),
@@ -260,6 +265,7 @@
 		if (targetColumnList != null)
 		{
 			/* Bind the target column list */
+			getCompilerContext().pushCurrentPrivType( getPrivType());
 			if (targetTableDescriptor != null)
 			{
 				targetColumnList.bindResultColumnsByName(targetTableDescriptor,
@@ -270,7 +276,7 @@
 				targetColumnList.bindResultColumnsByName(targetVTI.getResultColumns(), targetVTI,
 														this);
 			}
-
+			getCompilerContext().popCurrentPrivType();
 		}
 
 		/* Verify that all underlying ResultSets reclaimed their FromList */
@@ -496,6 +502,10 @@
 
 			autoincRowLocation = 
 				dd.computeAutoincRowLocations(tc, targetTableDescriptor);
+
+			getCompilerContext().pushCurrentPrivType(getPrivType());
+			getCompilerContext().addRequiredTablePriv(targetTableDescriptor);
+			getCompilerContext().popCurrentPrivType();
 		}
 		else
 		{
@@ -505,7 +515,13 @@
                                                   resultSet);
 		}
         
+		getCompilerContext().popCurrentPrivType();
 		return this;
+	}
+
+	int getPrivType()
+	{
+		return Authorizer.INSERT_PRIV;
 	}
 
 	/**
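Review bot: The `popCurrentPrivType()` added before `return this;` balances the SELECT_PRIV push at the top of bind(), but it only runs on the normal return path; bind() is declared `throws StandardException`, so an exception anywhere in between leaves the privilege type on the stack. DeleteNode and the NULL_PRIV block in UpdateNode in this same commit use try/finally for this. Do the same here, and for the `getPrivType()` push and pop around the target column list binding.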

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/QueryTreeNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/QueryTreeNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/QueryTreeNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/QueryTreeNode.java Sun Feb 26 07:52:18 2006
@@ -1587,9 +1587,10 @@
 		mb.callMethod(VMOpcode.INVOKEINTERFACE, null, "getAuthorizer",
 											 ClassName.Authorizer, 0);
 
+		acb.pushThisAsActivation(mb);
 		mb.push(sqlOperation);
 		mb.callMethod(VMOpcode.INVOKEINTERFACE, null, "authorize",
-											 "void", 1);
+											 "void", 2);
 	}
 	
 

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/ResultColumn.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/ResultColumn.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/ResultColumn.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/ResultColumn.java Sun Feb 26 07:52:18 2006
@@ -678,6 +678,7 @@
 
 		setColumnDescriptor(tableDescriptor, columnDescriptor);
 		setVirtualColumnId(columnId);
+		getCompilerContext().addRequiredColumnPriv( columnDescriptor);
 	}
 	
 	/**

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SelectNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SelectNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SelectNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/SelectNode.java Sun Feb 26 07:52:18 2006
@@ -26,6 +26,8 @@
 import org.apache.derby.iapi.sql.compile.Visitor;
 import org.apache.derby.iapi.sql.compile.C_NodeTypes;
 
+import org.apache.derby.iapi.sql.conn.Authorizer;
+
 import org.apache.derby.iapi.sql.dictionary.DataDictionary;
 import org.apache.derby.iapi.sql.dictionary.TableDescriptor;
 
@@ -542,6 +544,7 @@
 												getContextManager());
 		if (whereClause != null)
 		{
+			getCompilerContext().pushCurrentPrivType( Authorizer.SELECT_PRIV);
 			whereClause = whereClause.bindExpression(fromListParam, 
 										whereSubquerys,
 										whereAggregates);
@@ -570,6 +573,7 @@
 				throw StandardException.newException(SQLState.LANG_NON_BOOLEAN_WHERE_CLAUSE, "PARAMETER" );
 			
 			whereClause = whereClause.checkIsBoolean();
+			getCompilerContext().popCurrentPrivType();
 		}
 
 		/* Restore fromList */
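Review bot: The `throw StandardException.newException(SQLState.LANG_NON_BOOLEAN_WHERE_CLAUSE, "PARAMETER" )` sits between the SELECT_PRIV push added in the previous hunk and this `popCurrentPrivType()`, so that error path exits with the privilege type still pushed. Wrap the where-clause binding in try/finally so the pop always runs.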

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/StaticMethodCallNode.java Sun Feb 26 07:52:18 2006
@@ -281,6 +281,7 @@
 			}
 		}
 
+		getCompilerContext().addRequiredRoutinePriv(ad);
 		return this;
 	}
 

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/UpdateNode.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/UpdateNode.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/UpdateNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/UpdateNode.java Sun Feb 26 07:52:18 2006
@@ -27,6 +27,7 @@
 import org.apache.derby.iapi.services.compiler.MethodBuilder;
 
 import org.apache.derby.impl.sql.compile.ActivationClassBuilder;
+import org.apache.derby.iapi.sql.conn.Authorizer;
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
 import org.apache.derby.impl.sql.execute.FKInfo;
 import org.apache.derby.iapi.services.compiler.MethodBuilder;
@@ -186,6 +187,9 @@
 
 	public QueryTreeNode bind() throws StandardException
 	{
+		// We just need select privilege on the expressions
+		getCompilerContext().pushCurrentPrivType( Authorizer.SELECT_PRIV);
+
 		FromList	fromList = (FromList) getNodeFactory().getNode(
 									C_NodeTypes.FROM_LIST,
 									getNodeFactory().doJoinOrderOptimization(),
@@ -340,10 +344,13 @@
 
 		/* Bind the original result columns by column name */
 		normalizeCorrelatedColumns( resultSet.resultColumns, targetTable );
- 		resultSet.bindResultColumns(targetTableDescriptor,
-									targetVTI,
- 									resultSet.resultColumns, this,
- 									fromList);
+
+		getCompilerContext().pushCurrentPrivType(getPrivType()); // Update privilege
+		resultSet.bindResultColumns(targetTableDescriptor,
+					targetVTI,
+					resultSet.resultColumns, this,
+					fromList);
+		getCompilerContext().popCurrentPrivType();
 
 		LanguageConnectionContext lcc = getLanguageConnectionContext();
 		if (lcc.getAutoincrementUpdate() == false)
@@ -426,36 +433,44 @@
 		*/
 		if (!allColumns && targetVTI == null)
 		{
- 			readColsBitSet = new FormatableBitSet();
-			FromBaseTable fbt = getResultColumnList(resultSet.getResultColumns());
-			afterColumns = resultSet.getResultColumns().copyListAndObjects();
+			getCompilerContext().pushCurrentPrivType( Authorizer.NULL_PRIV);
+			try
+			{
+				readColsBitSet = new FormatableBitSet();
+				FromBaseTable fbt = getResultColumnList(resultSet.getResultColumns());
+				afterColumns = resultSet.getResultColumns().copyListAndObjects();
 
-			readColsBitSet = getReadMap(dataDictionary, 
+				readColsBitSet = getReadMap(dataDictionary, 
 										targetTableDescriptor, 
 										afterColumns);
 
-			afterColumns = fbt.addColsToList(afterColumns, readColsBitSet);
-			resultColumnList = fbt.addColsToList(resultColumnList, readColsBitSet);
+				afterColumns = fbt.addColsToList(afterColumns, readColsBitSet);
+				resultColumnList = fbt.addColsToList(resultColumnList, readColsBitSet);
 
-			/*
-			** If all bits are set, then behave as if we chose all
-			** in the first place
-			*/
-			int i = 1;
-			int size = targetTableDescriptor.getMaxColumnID();
-			for (; i <= size; i++)
-			{
-				if (!readColsBitSet.get(i))
+				/*
+				** If all bits are set, then behave as if we chose all
+				** in the first place
+				*/
+				int i = 1;
+				int size = targetTableDescriptor.getMaxColumnID();
+				for (; i <= size; i++)
 				{
-					break;
+					if (!readColsBitSet.get(i))
+					{
+						break;
+					}
 				}
-			}
 
-			if (i > size)
+				if (i > size)
+				{
+					readColsBitSet = null;
+					allColumns = true;
+				}	
+			}
+			finally
 			{
-				readColsBitSet = null;
-				allColumns = true;
-			}	
+				getCompilerContext().popCurrentPrivType();
+			}
 		}
 
 		if (targetVTI == null)
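Review bot: `pushCurrentPrivType( Authorizer.NULL_PRIV)` has no comment saying why privilege collection is changed for this block. If the intent is that columns pulled in by `getReadMap` and `addColsToList` are internal reads that should not require a privilege from the user, say so next to the push, so a later change does not move user-written column references inside the block and lose their permission requirement.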
@@ -505,7 +520,9 @@
 		resultSet.setResultColumns(resultColumnList);
 
 		/* Bind the expressions */
+		getCompilerContext().pushCurrentPrivType(getPrivType()); // Update privilege
 		super.bindExpressions();
+		getCompilerContext().popCurrentPrivType();
 
 		/* Bind untyped nulls directly under the result columns */
 		resultSet.
@@ -587,8 +604,15 @@
             }
         }
 
+		getCompilerContext().popCurrentPrivType();		
+
 		return this;
 	} // end of bind()
+
+	int getPrivType()
+	{
+		return Authorizer.UPDATE_PRIV;
+	}
 
 	/**
 	 * Return true if the node references SESSION schema tables (temporary or permanent)
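Review bot: The `popCurrentPrivType()` added before `return this;` is the only pop for the SELECT_PRIV push at the top of bind(), and it is not in a `finally`, although the NULL_PRIV block earlier in this same method does use try/finally. An exception from any of the binding calls in between leaves the stack unbalanced; wrap the method body the same way DeleteNode does in this commit.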

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj Sun Feb 26 07:52:18 2006
@@ -12090,31 +12090,18 @@
 void
 grantee( List list)  throws StandardException :
 {
-	Token tok;
     String str;
 }
 {
-    tok = <IDENTIFIER>
+    str = identifier(Limits.MAX_IDENTIFIER_LENGTH, true)
     {
-        checkAuthorizationLength( tok.image);
-        list.add( tok.image);
+        checkAuthorizationLength(str);
+        list.add(str);
     }
 |
-    tok = <PUBLIC>
+    <PUBLIC>
     {
         list.add( Authorizer.PUBLIC_AUTHORIZATION_ID);
-    }
-|
-    str = delimitedIdentifier()
-    {
-        checkAuthorizationLength( str);
-        list.add( str);
-    }
-|
-    str = nonReservedKeyword()
-    {
-        checkAuthorizationLength( str);
-        list.add( str);
     }
 }
 
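Review bot: The first alternative now passes `Limits.MAX_IDENTIFIER_LENGTH` to `identifier()` and then still calls `checkAuthorizationLength(str)`, so the grantee is length-checked twice against limits that may differ. Keep only the check that reflects the authorization id limit, or add a comment on why both are needed. Please also add grammar tests for delimited and non-reserved-keyword grantees, since their dedicated alternatives are removed and now depend on `identifier(Limits.MAX_IDENTIFIER_LENGTH, true)` covering them.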

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java Sun Feb 26 07:52:18 2006
@@ -146,9 +146,7 @@
 
         if( activation != null)
         {
-            List requiredPermissionsList = null;
-			// GrantRevoke TODO: Need this logic for enforcing permissions later.
-			// List requiredPermissionsList = activation.getPreparedStatement().getRequiredPermissionsList();
+			List requiredPermissionsList = activation.getPreparedStatement().getRequiredPermissionsList();
             if( requiredPermissionsList != null && ! requiredPermissionsList.isEmpty())
             {
                 DataDictionary dd = lcc.getDataDictionary();
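Review bot: With the list now taken from `activation.getPreparedStatement().getRequiredPermissionsList()`, a null or empty list skips the permission block entirely, so any statement whose bind phase records nothing runs unchecked. Add a comment stating which statements are expected to have an empty list, and tests covering each DML node so that a missed `addRequiredTablePriv` or `addRequiredColumnPriv` call shows up as a test failure rather than as silent access. The added line is also tab-indented while the surrounding lines use spaces.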

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java Sun Feb 26 07:52:18 2006
@@ -398,8 +398,9 @@
 			if (value_s != null &&
 				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.NO_ACCESS) &&
 				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.READ_ONLY_ACCESS) &&
-				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.FULL_ACCESS))
-				throw StandardException.newException(SQLState.AUTH_INVALID_AUTHORIZATION_PROPERTY					, key,value_s);
+				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.FULL_ACCESS) &&
+				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.SQL_STANDARD_ACCESS))
+				throw StandardException.newException(SQLState.AUTH_INVALID_AUTHORIZATION_PROPERTY, key, value_s);
 
 			return true;
 		}

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericResultSetFactory.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericResultSetFactory.java?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericResultSetFactory.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GenericResultSetFactory.java Sun Feb 26 07:52:18 2006
@@ -91,7 +91,7 @@
 		throws StandardException
 	{
 		Activation activation = source.getActivation();
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new InsertResultSet(source, checkGM, activation );
 	}
 
@@ -105,7 +105,7 @@
 		throws StandardException
 	{
 		Activation activation = source.getActivation();
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new InsertVTIResultSet(source, vtiRS, activation );
 	}
 
@@ -117,7 +117,7 @@
 		throws StandardException
 	{
 		Activation activation = source.getActivation();
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new DeleteVTIResultSet(source, activation);
 	}
 
@@ -129,7 +129,7 @@
 			throws StandardException
 	{
 		Activation activation = source.getActivation();
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new DeleteResultSet(source, activation );
 	}
 
@@ -145,7 +145,7 @@
 		throws StandardException
 	{
 		Activation activation = source.getActivation();
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new DeleteCascadeResultSet(source, activation, 
 										  constantActionItem,
 										  dependentResultSets, 
@@ -174,7 +174,7 @@
 		{
 			SanityManager.ASSERT(getAuthorizer(activation) != null, "Authorizer is null");
 		}
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new UpdateResultSet(source, checkGM, activation);
 	}
 
@@ -186,7 +186,7 @@
 			throws StandardException
 	{
 		Activation activation = source.getActivation();
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new UpdateVTIResultSet(source, activation);
 	}
 
@@ -203,7 +203,7 @@
 			throws StandardException
 	{
 		Activation activation = source.getActivation();
-		getAuthorizer(activation).authorize(Authorizer.SQL_WRITE_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_WRITE_OP);
 		return new UpdateResultSet(source, checkGM, activation,
 								   constantActionItem, rsdItem);
 	}
@@ -217,7 +217,7 @@
 				Activation activation)
 			throws StandardException
 	{
-		getAuthorizer(activation).authorize(Authorizer.SQL_CALL_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_CALL_OP);
 		return new CallStatementResultSet(methodCall, activation);
 	}
 
@@ -927,7 +927,7 @@
 	public ResultSet getSetTransactionResultSet(Activation activation) 
 		throws StandardException
 	{
-		getAuthorizer(activation).authorize(Authorizer.SQL_ARBITARY_OP);		
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_ARBITARY_OP);		
 		return new SetTransactionResultSet(activation);
 	}
 
@@ -1017,7 +1017,7 @@
 	public ResultSet getDDLResultSet(Activation activation)
 					throws StandardException
 	{
-		getAuthorizer(activation).authorize(Authorizer.SQL_DDL_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_DDL_OP);
 		return getMiscResultSet( activation);
 	}
 
@@ -1028,7 +1028,7 @@
 	public ResultSet getMiscResultSet(Activation activation)
 					throws StandardException
 	{
-		getAuthorizer(activation).authorize(Authorizer.SQL_ARBITARY_OP);
+		getAuthorizer(activation).authorize(activation, Authorizer.SQL_ARBITARY_OP);
 		return new MiscResultSet(activation);
 	}
 

Modified: db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties?rev=381109&r1=381108&r2=381109&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties Sun Feb 26 07:52:18 2006
@@ -1058,6 +1058,7 @@
 2850A=User ''{0}'' does not have execute permission on {1} ''{2}''.''{3}''.
 2850B=User ''{0}'' does not have execute permission on {1} ''{2}''.''{3}'' for grant.
 2850C=User ''{0}'' is not the owner of {1} ''{2}''.''{3}''.
+2850D=User ''{0}'' can not perform the operation in schema ''{1}''.
 04501.C=Database connection refused.