You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafodion.apache.org by rm...@apache.org on 2017/10/31 15:23:10 UTC
[1/2] incubator-trafodion git commit: Trafodion-2705 user has "SHOW"
privilege can't do 'showddl user'
Repository: incubator-trafodion
Updated Branches:
refs/heads/master 4ff25d987 -> f42450f75
Trafodion-2705 user has "SHOW" privilege can't do 'showddl user'
Showddl code now checks to see if current user matches the user name specified
in the showddl command. It also verifies that the user has SHOW component
privilege.
Simplified privs1/TEST141 as part of goal to make privilege tests run faster.
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/8f8b0e83
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/8f8b0e83
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/8f8b0e83
Branch: refs/heads/master
Commit: 8f8b0e83aa5bbe50e34da04e9872150d82233782
Parents: 371cb71
Author: Roberta Marton <rm...@edev07.esgyn.local>
Authored: Mon Oct 30 04:21:21 2017 +0000
Committer: Roberta Marton <rm...@edev07.esgyn.local>
Committed: Mon Oct 30 04:21:21 2017 +0000
----------------------------------------------------------------------
core/sql/regress/privs1/EXPECTED141 | Bin 102260 -> 38586 bytes
core/sql/regress/privs1/TEST141 | 158 +++++++++-----
core/sql/regress/tools/runregr_privs1.ksh | 2 +-
core/sql/sqlcomp/CmpDescribe.cpp | 10 -
core/sql/sqlcomp/CmpSeabaseDDLauth.cpp | 280 ++++++++++++-------------
core/sql/sqlcomp/CmpSeabaseDDLauth.h | 4 +-
6 files changed, 240 insertions(+), 214 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/8f8b0e83/core/sql/regress/privs1/EXPECTED141
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs1/EXPECTED141 b/core/sql/regress/privs1/EXPECTED141
index 7735750..3f291f0 100644
Binary files a/core/sql/regress/privs1/EXPECTED141 and b/core/sql/regress/privs1/EXPECTED141 differ
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/8f8b0e83/core/sql/regress/privs1/TEST141
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs1/TEST141 b/core/sql/regress/privs1/TEST141
index 273bfeb..397c9d1 100755
--- a/core/sql/regress/privs1/TEST141
+++ b/core/sql/regress/privs1/TEST141
@@ -27,6 +27,8 @@
--
-- Added in response to JIRA 1100
--
+-- Oct 27 - only run some tests to improve performance of privs1 tests suite
+--
-- Expected files: EXPECTED141
-- ============================================================================
@@ -34,10 +36,10 @@ cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
obey TEST141(clean_up);
log LOG141 clear ;
obey TEST141(set_up);
-obey TEST141(test_private_user);
+--obey TEST141(test_private_user);
obey TEST141(test_private_role);
obey TEST141(test_shared_user);
-obey TEST141(test_shared_role);
+--obey TEST141(test_shared_role);
log;
obey TEST141(clean_up);
exit;
@@ -46,20 +48,26 @@ exit;
?section clean_up
-- ============================================================================
-- Cleaning up test environment
-drop schema if exists t141_udr cascade;
drop schema if exists t141_user1 cascade;
drop schema if exists t141_user2 cascade;
drop schema if exists t141_user3 cascade;
revoke component privilege "CREATE" on sql_operations from sql_user2;
-revoke component privilege "CREATE" on sql_operations from user2_role;
+revoke component privilege "CREATE" on sql_operations from t141_role2;
+revoke component privilege "DML_SELECT_METADATA" on sql_operations from "PUBLIC";
+
+revoke role t141_role1 from sql_user1;
+revoke role t141_role2 from sql_user2;
+revoke role t141_role3 from sql_user3;
+drop role t141_role1;
+drop role t141_role2;
+drop role t141_role3;
-revoke role user1_role from sql_user1;
-revoke role user2_role from sql_user2;
-revoke role user3_role from sql_user3;
-drop role user1_role;
-drop role user2_role;
-drop role user3_role;
+revoke select on "_PRIVMGR_MD_".object_Privileges from t141_role_md;
+revoke select on "_PRIVMGR_MD_".column_Privileges from t141_role_md;
+revoke select on "_MD_".objects from t141_role_md;
+revoke role t141_role_md from sql_user1, sql_user2, sql_user3;
+drop role t141_role_md;
-- ============================================================================
@@ -75,24 +83,41 @@ sh sh $$scriptsdir$$/tools/dll-compile.ksh etest141.cpp
set pattern $$DLL$$ etest141.dll;
set pattern $$QUOTE$$ '''';
-create schema t141_udr;
-set schema t141_udr;
-create library t141_l1 file $$QUOTE$$ $$REGRRUNDIR$$/$$DLL$$ $$QUOTE$$ ;
-create function translateBitmap(bitmap largeint) returns (bitmap_string char (20))
-language c parameter style sql external name 'translateBitmap'
-library t141_l1
-deterministic no sql final call allow any parallelism state area size 1024 ;
-grant execute on function t141_udr.translateBitmap to "PUBLIC";
-
-- query to read privs from metadata
prepare get_obj_privs from
select distinct
- substring (object_name,1,40) as object_name,
- object_type as type,
- substring(authname(grantor_id),1,10) as grantor,
- substring(authname(grantee_id),1,10) as grantee,
- t141_udr.translateBitmap(privileges_bitmap) as granted_privs,
- t141_udr.translateBitmap(grantable_bitmap) as grantable_privs
+ cast (substring (object_name,11,35) as char(35) character set iso88591) as object_name,
+ object_type as type,
+ substring(authname(grantor_id),1,10) as grantor,
+ substring(authname(grantee_id),1,10) as grantee,
+ case when bitextract(privileges_bitmap,63,1) = 1 then 'S'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,62,1) = 1 then 'I'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,61,1) = 1 then 'D'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,60,1) = 1 then 'U'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,59,1) = 1 then 'G'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,58,1) = 1 then 'R'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,57,1) = 1 then 'E'
+ else '-' end as granted_privs,
+ case when bitextract(grantable_bitmap,63,1) = 1 then 'S'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,62,1) = 1 then 'I'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,61,1) = 1 then 'D'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,60,1) = 1 then 'U'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,59,1) = 1 then 'G'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,58,1) = 1 then 'R'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,57,1) = 1 then 'E'
+ else '-' end as grantable_privs
from "_PRIVMGR_MD_".object_privileges
where object_uid in
(select object_uid
@@ -103,12 +128,38 @@ where object_uid in
prepare get_col_privs from
select distinct
- substring (object_name,1,40) as object_name,
+ cast(substring (object_name,11,20) as char (20) character set iso88591) as object_name,
column_number,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
- t141_udr.translateBitmap(privileges_bitmap) as granted_privs,
- t141_udr.translateBitmap(grantable_bitmap) as grantable_privs
+ case when bitextract(privileges_bitmap,63,1) = 1 then 'S'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,62,1) = 1 then 'I'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,61,1) = 1 then 'D'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,60,1) = 1 then 'U'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,59,1) = 1 then 'G'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,58,1) = 1 then 'R'
+ else '-' end ||
+ case when bitextract(privileges_bitmap,57,1) = 1 then 'E'
+ else '-' end as granted_privs,
+ case when bitextract(grantable_bitmap,63,1) = 1 then 'S'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,62,1) = 1 then 'I'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,61,1) = 1 then 'D'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,60,1) = 1 then 'U'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,59,1) = 1 then 'G'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,58,1) = 1 then 'R'
+ else '-' end ||
+ case when bitextract(grantable_bitmap,57,1) = 1 then 'E'
+ else '-' end as grantable_privs
from "_PRIVMGR_MD_".column_privileges
where object_uid in
(select object_uid
@@ -118,16 +169,22 @@ where object_uid in
;
-- set up role infrastructure
-create role user1_role;
-create role user2_role;
-create role user3_role;
-grant role user1_role to sql_user1;
-grant role user2_role to sql_user2;
-grant role user3_role to sql_user3;
+create role t141_role1;
+create role t141_role2;
+create role t141_role3;
+grant role t141_role1 to sql_user1;
+grant role t141_role2 to sql_user2;
+grant role t141_role3 to sql_user3;
+
+create role t141_role_md;
+grant select on "_PRIVMGR_MD_".object_Privileges to t141_role_md;
+grant select on "_PRIVMGR_MD_".column_Privileges to t141_role_md;
+grant select on "_MD_".objects to t141_role_md;
+grant role t141_role_md to sql_user1, sql_user2, sql_user3;
-- set up component privilege infrastructure
grant component privilege "CREATE" on sql_operations to sql_user2;
-grant component privilege "CREATE" on sql_operations to user2_role;
+grant component privilege "CREATE" on sql_operations to t141_role2;
-- ============================================================================
?section create_objects
@@ -141,19 +198,19 @@ create table u1t3 (c1 int not null primary key, c2 int, c3 int);
insert into u1t3 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
create table u1t4 (c1 int not null primary key, c2 int, c3 int);
insert into u1t4 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
-get tables;
+get tables, match 'U1T%';
set schema t141_user2;
create table u2t1 (c1 int not null primary key, c2 int, c3 int);
insert into u2t1 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
create table u2t2 (c1 int not null primary key, c2 int, c3 int);
insert into u2t2 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
-get tables;
+get tables, match 'U2T%';
set schema t141_user3;
create table u3t1 (c1 int not null primary key, c2 int, c3 int);
insert into u3t1 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
-get tables;
+get tables, match 'U3T%';
-- ============================================================================
@@ -263,21 +320,22 @@ values (user);
-- setup database with private schemas owned by roles
drop schema if exists t141_user1 cascade;
-create schema t141_user1 authorization user1_role;
+create schema t141_user1 authorization t141_role1;
drop schema if exists t141_user2 cascade;
-create schema t141_user2 authorization user2_role;
+create schema t141_user2 authorization t141_role2;
drop schema if exists t141_user3 cascade;
-create schema t141_user3 authorization user3_role;
+create schema t141_user3 authorization t141_role3;
showddl schema t141_user1;
showddl schema t141_user2;
+showddl schema t141_user3;
obey TEST141(create_objects);
set schema t141_user1;
execute get_obj_privs;
execute get_col_privs;
--- user2_role has create privilege on all schemas.
--- have sql_user2 who belongs to user2_role create some tables in
+-- t141_role2 has create privilege on all schemas.
+-- have sql_user2 who belongs to t141_role2 create some tables in
-- t141_user1's schema, also have sql_user2 create some views
sh sqlci -i "TEST141(user2_objects)" -u sql_user2;
execute get_obj_privs;
@@ -290,15 +348,15 @@ execute get_obj_privs;
-- has appropriate privileges.
values (user);
-revoke component privilege "CREATE" on sql_operations from user2_role;
+revoke component privilege "CREATE" on sql_operations from t141_role2;
-- setup database with shared schemas owned by role
drop schema if exists t141_user1 cascade;
-create shared schema t141_user1 authorization user1_role;
+create shared schema t141_user1 authorization t141_role1;
drop schema if exists t141_user2 cascade;
-create shared schema t141_user2 authorization user2_role;
+create shared schema t141_user2 authorization t141_role2;
drop schema if exists t141_user3 cascade;
-create shared schema t141_user3 authorization user3_role;
+create shared schema t141_user3 authorization t141_role3;
showddl schema t141_user1;
showddl schema t141_user2;
@@ -309,7 +367,7 @@ set schema t141_user1;
execute get_obj_privs;
execute get_col_privs;
--- have sql_user2 create some tables in user2_role's schema
+-- have sql_user2 create some tables in t141_role2's schema
-- have sql_user2 create some views, views that reference user1's objects fail
sh sqlci -i "TEST141(user2_objects)" -u sql_user2;
execute get_obj_privs;
@@ -345,7 +403,7 @@ set schema t141_user1;
create table u2t1 (c1 int not null primary key, c2 int, c3 int);
create table u2t2 (c1 int not null primary key, c2 int, c3 int);
-get tables;
+get tables, match 'U2T%';
-- create a view on user1's table
create view u2v1 as select c1, c2 from u2t1;
@@ -394,7 +452,7 @@ create view u3v4 as select c1, c3 from t141_user1.u1t4;
-- following fail
create view u3v5 as select c1, c3 from t141_user1.u1t3;
-get tables;
+get tables, match 'U3T%';
get views;
-- ============================================================================
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/8f8b0e83/core/sql/regress/tools/runregr_privs1.ksh
----------------------------------------------------------------------
diff --git a/core/sql/regress/tools/runregr_privs1.ksh b/core/sql/regress/tools/runregr_privs1.ksh
index 05fd90c..b1cade3 100755
--- a/core/sql/regress/tools/runregr_privs1.ksh
+++ b/core/sql/regress/tools/runregr_privs1.ksh
@@ -185,7 +185,7 @@ fi
# For now, don't run these tests --
# Add list of tests to script in "skipTheseTests" --
#-------------------------------------------------------
-skipTheseTests=""
+skipTheseTests="TEST133"
testfiles="$prettyfiles"
prettyfiles=
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/8f8b0e83/core/sql/sqlcomp/CmpDescribe.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpDescribe.cpp b/core/sql/sqlcomp/CmpDescribe.cpp
index 6386ec5..bec4b58 100644
--- a/core/sql/sqlcomp/CmpDescribe.cpp
+++ b/core/sql/sqlcomp/CmpDescribe.cpp
@@ -666,11 +666,6 @@ short CmpDescribe(const char *query, const RelExpr *queryExpr,
// If SHOWDDL USER, go get description and return
if (d->getIsUser())
{
- if (!CmpDescribeIsAuthorized(SQLOperation::MANAGE_USERS))
- {
- rc = -1;
- goto finally;
- }
NAString userText;
CmpSeabaseDDLuser userInfo;
if (!userInfo.describe(d->getAuthIDName(), userText))
@@ -690,11 +685,6 @@ short CmpDescribe(const char *query, const RelExpr *queryExpr,
// If SHOWDDL ROLE, go get description and return
if (d->getIsRole())
{
- if (!CmpDescribeIsAuthorized(SQLOperation::MANAGE_ROLES))
- {
- rc = -1;
- goto finally;
- }
NAString roleText;
CmpSeabaseDDLrole roleInfo(ActiveSchemaDB()->getDefaults().getValue(SEABASE_CATALOG));
if (!roleInfo.describe(d->getAuthIDName(),roleText))
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/8f8b0e83/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp b/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp
index f15c113..8f3a10d 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp
+++ b/core/sql/sqlcomp/CmpSeabaseDDLauth.cpp
@@ -882,6 +882,48 @@ Int32 CmpSeabaseDDLauth::selectMaxAuthID(const NAString &whereClause)
return static_cast<Int32>(maxValue);
}
+// ----------------------------------------------------------------------------
+// method: verifyAuthority
+//
+// makes sure user has privilege to perform the operation
+//
+// Input: none
+//
+// Output:
+// true - authority granted
+// false - no authority or unexpected error
+// ----------------------------------------------------------------------------
+bool CmpSeabaseDDLauth::verifyAuthority(const SQLOperation operation)
+{
+
+ // If authorization is not enabled, just return with no error
+ if (!CmpCommon::context()->isAuthorizationEnabled())
+ return true;
+
+ int32_t currentUser = ComUser::getCurrentUser();
+
+ // Root user has authority to manage users.
+ if (currentUser == ComUser::getRootUserID())
+ return true;
+
+ NAString systemCatalog = CmpSeabaseDDL::getSystemCatalogStatic();
+ std::string privMDLoc(systemCatalog.data());
+
+ privMDLoc += std::string(".\"") +
+ std::string(SEABASE_PRIVMGR_SCHEMA) +
+ std::string("\"");
+
+ PrivMgrComponentPrivileges componentPrivileges(privMDLoc,CmpCommon::diags());
+
+ // See if non-root user has authority to manage users.
+ if (componentPrivileges.hasSQLPriv(currentUser, operation, true))
+ {
+ return true;
+ }
+
+ return false;
+}
+
// ****************************************************************************
// Class CmpSeabaseDDLuser methods
// ****************************************************************************
@@ -975,7 +1017,12 @@ void CmpSeabaseDDLuser::registerUser(StmtDDLRegisterUser * pNode)
try
{
// Verify user is authorized to perform REGISTER USER requests
- verifyAuthority();
+ if (!verifyAuthority(SQLOperation::MANAGE_USERS))
+ {
+ // No authority. We're outta here.
+ *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
+ return;
+ }
// Verify that the specified user name is not reserved
setAuthDbName(pNode->getDbUserName());
@@ -1113,8 +1160,6 @@ void CmpSeabaseDDLuser::unregisterUser(StmtDDLRegisterUser * pNode)
{
try
{
- verifyAuthority();
-
// CASCADE option not yet supported
if (pNode->getDropBehavior() == COM_CASCADE_DROP_BEHAVIOR)
{
@@ -1142,6 +1187,13 @@ void CmpSeabaseDDLuser::unregisterUser(StmtDDLRegisterUser * pNode)
return;
}
+ if (ComUser::getCurrentUser() != getAuthCreator() &&
+ !verifyAuthority(SQLOperation::MANAGE_USERS))
+ {
+ *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
+ return;
+ }
+
NAString whereClause(" WHERE AUTH_TYPE = 'R' AND AUTH_CREATOR = ");
char authIDString[20];
@@ -1249,9 +1301,6 @@ void CmpSeabaseDDLuser::alterUser (StmtDDLAlterUser * pNode)
{
try
{
- StmtDDLAlterUser::AlterUserCmdSubType cmdSubType = pNode->getAlterUserCmdSubType();
- verifyAuthority(cmdSubType == StmtDDLAlterUser::SET_EXTERNAL_NAME);
-
// read user details from the AUTHS table
const NAString dbUserName(pNode->getDatabaseUsername());
CmpSeabaseDDLauth::AuthStatus retcode = getUserDetails(dbUserName);
@@ -1264,9 +1313,17 @@ void CmpSeabaseDDLuser::alterUser (StmtDDLAlterUser * pNode)
return;
}
+ if ((ComUser::getCurrentUser() != getAuthCreator()) &&
+ !verifyAuthority(SQLOperation::MANAGE_USERS))
+ {
+ // No authority. We're outta here.
+ *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
+ return;
+ }
+
// Process the requested operation
NAString setClause("set ");
- switch (cmdSubType)
+ switch (pNode->getAlterUserCmdSubType())
{
case StmtDDLAlterUser::SET_EXTERNAL_NAME:
{
@@ -1435,105 +1492,48 @@ DBUserAuth::CheckUserResult chkUserRslt = DBUserAuth::UserDoesNotExist;
//-----------------------------------------------------------------------------
bool CmpSeabaseDDLuser::describe (const NAString &authName, NAString &authText)
{
- try
+ // If current user matches authName, allow request
+ NAString currentUserName (ComUser::getCurrentUsername());
+ if ((currentUserName != authName) && !verifyAuthority(SQLOperation::SHOW))
{
- CmpSeabaseDDLauth::AuthStatus retcode = getUserDetails(authName.data());
-
- // If the user was not found, set up an error
- if (retcode == STATUS_NOTFOUND)
- {
- *CmpCommon::diags() << DgSqlCode(-CAT_USER_NOT_EXIST)
- << DgString0(authName.data());
- return false;
- }
-
- // If an error was detected, throw an exception so the catch handler will
- // put a value in ComDiags area in case no message exists
- if (retcode == STATUS_ERROR)
- {
- UserException excp (NULL, 0);
- throw excp;
- }
-
- // Generate output text
- authText = "REGISTER USER \"";
- authText += getAuthExtName();
- if (getAuthExtName() != getAuthDbName())
- {
- authText += "\" AS \"";
- authText += getAuthDbName();
- }
- authText += "\";\n";
-
- if (!isAuthValid())
- {
- authText += "ALTER USER \"";
- authText += getAuthDbName();
- authText += "\" SET OFFLINE;\n";
- }
+ // No authority. We're outta here.
+ *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
+ return false;
}
- catch (...)
+ CmpSeabaseDDLauth::AuthStatus retcode = getUserDetails(authName.data());
+ // If the user was not found, set up an error
+ if (retcode == STATUS_NOTFOUND)
{
- // At this time, an error should be in the diags area.
- // If there is no error, set up an internal error
- if (CmpCommon::diags()->getNumber(DgSqlCode::ERROR_) == 0)
- SEABASEDDL_INTERNAL_ERROR("Switch statement in CmpSeabaseDDLuser::describe");
+ *CmpCommon::diags() << DgSqlCode(-CAT_USER_NOT_EXIST)
+ << DgString0(authName.data());
+ return false;
+ }
+
+ // If an error was detected, return
+ if (retcode == STATUS_ERROR)
return false;
+
+ // Generate output text
+ authText = "REGISTER USER \"";
+ authText += getAuthExtName();
+ if (getAuthExtName() != getAuthDbName())
+ {
+ authText += "\" AS \"";
+ authText += getAuthDbName();
}
+ authText += "\";\n";
+ if (!isAuthValid())
+ {
+ authText += "ALTER USER \"";
+ authText += getAuthDbName();
+ authText += "\" SET OFFLINE;\n";
+ }
return true;
}
//------------------------------ End of describe -------------------------------
-// ----------------------------------------------------------------------------
-// method: verifyAuthority
-//
-// makes sure user has privilege to perform user operation
-//
-// Input: none
-//
-// Output: an exception is generated if user does not have authority
-// ----------------------------------------------------------------------------
-void CmpSeabaseDDLuser::verifyAuthority(bool isRemapUser)
-
-{
-
- // If authorization is not enabled, just return with no error
- if (!CmpCommon::context()->isAuthorizationEnabled())
- return;
-
- int32_t currentUser = ComUser::getCurrentUser();
-
- // Root user has authority to manage users.
- if (currentUser == ComUser::getRootUserID())
- return;
-
- // Verify authorization is enabled. If not, no restrictions.
- NAString systemCatalog = CmpSeabaseDDL::getSystemCatalogStatic();
- std::string privMDLoc(systemCatalog.data());
-
- privMDLoc += std::string(".\"") +
- std::string(SEABASE_PRIVMGR_SCHEMA) +
- std::string("\"");
-
- PrivMgrComponentPrivileges componentPrivileges(privMDLoc,CmpCommon::diags());
-
- // See if non-root user has authority to manage users.
- if (componentPrivileges.hasSQLPriv(currentUser,SQLOperation::MANAGE_USERS,true))
- {
- if (!isRemapUser)
- return;
- if (componentPrivileges.hasSQLPriv(currentUser,SQLOperation::REMAP_USER,true))
- return;
- }
-
- // No authority. We're outta here.
- *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
- UserException excp (NULL, 0);
- throw excp;
-
-}
// ****************************************************************************
// Class CmpSeabaseDDLrole methods
@@ -1582,11 +1582,16 @@ void CmpSeabaseDDLrole::createRole(StmtDDLCreateRole * pNode)
return;
}
-// Set up a global try/catch loop to catch unexpected errors
+ // Verify user is authorized to perform CREATE ROLE requests
+ if (!verifyAuthority(SQLOperation::MANAGE_ROLES))
+ {
+ *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
+ return;
+ }
+
+ // Set up a global try/catch loop to catch unexpected errors
try
{
- // Verify user is authorized to perform CREATE ROLE requests
- verifyAuthority();
// Verify that the specified role name is not reserved
setAuthDbName(pNode->getRoleName());
@@ -1736,6 +1741,18 @@ bool CmpSeabaseDDLrole::describe(
try
{
+ // Can current user perform request
+ Int32 roleID = NA_UserIdDefault;
+ if (ComUser::getAuthIDFromAuthName(roleName.data(), roleID) != 0)
+ roleID = NA_UserIdDefault;
+
+ if (!ComUser::currentUserHasRole(roleID) && !verifyAuthority(SQLOperation::SHOW))
+ {
+ // No authority. We're outta here.
+ *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
+ return false;
+ }
+
CmpSeabaseDDLauth::AuthStatus retcode = getRoleDetails(roleName.data());
// If the role was not found, set up an error
@@ -1749,11 +1766,8 @@ bool CmpSeabaseDDLrole::describe(
// If an error was detected, throw an exception so the catch handler will
// put a value in ComDiags area in case no message exists
if (retcode == STATUS_ERROR)
- {
- UserException excp (NULL, 0);
- throw excp;
- }
-
+ return false;
+
// Generate output text
roleText = "CREATE ROLE \"";
roleText += getAuthDbName();
@@ -1910,10 +1924,19 @@ void CmpSeabaseDDLrole::dropRole(StmtDDLCreateRole * pNode)
return;
}
- // Verify user is authorized to perform DROP ROLE requests
if (ComUser::getCurrentUser() != getAuthCreator())
- verifyAuthority();
-
+ {
+ // If the user does not have privilege, allow the drop if
+ // the user has been granted an admin role and
+ // the role being dropped is not an admin role and
+ // the authCreator of the role being dropped matches the admin role
+ if (verifyAuthority(SQLOperation::MANAGE_ROLES) == false)
+ {
+ *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
+ return;
+ }
+ }
+
NAString privMgrMDLoc;
CONCAT_CATSCH(privMgrMDLoc,systemCatalog_.data(),SEABASE_PRIVMGR_SCHEMA);
@@ -2071,48 +2094,3 @@ CmpSeabaseDDLauth::AuthStatus authStatus = getAuthDetails(roleName,false);
}
-
-// ----------------------------------------------------------------------------
-// method: verifyAuthority
-//
-// makes sure user has privilege to perform role operation
-//
-// Input: none
-//
-// Output: an exception is generated if user does not have authority
-// ----------------------------------------------------------------------------
-void CmpSeabaseDDLrole::verifyAuthority()
-
-{
-
- // If authorization is not enabled then role has privilege, just return
- if (!CmpCommon::context()->isAuthorizationEnabled())
- return;
-
- int32_t currentUser = ComUser::getCurrentUser();
-
- // Root user has authority to manage roles.
- if (currentUser == ComUser::getRootUserID())
- return;
-
- NAString systemCatalog = CmpSeabaseDDL::getSystemCatalogStatic();
- std::string privMDLoc(systemCatalog.data());
-
- privMDLoc += std::string(".\"") +
- std::string(SEABASE_PRIVMGR_SCHEMA) +
- std::string("\"");
-
- PrivMgrComponentPrivileges componentPrivileges(privMDLoc,CmpCommon::diags());
-
- // Authorization enabled. See if non-root user has authority to manage roles.
- if (componentPrivileges.hasSQLPriv(currentUser,SQLOperation::MANAGE_ROLES,true))
- return;
-
- // No authority. We're outta here.
- *CmpCommon::diags() << DgSqlCode(-CAT_NOT_AUTHORIZED);
- UserException excp (NULL, 0);
- throw excp;
-
- Int32 rc;
-}
-
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/8f8b0e83/core/sql/sqlcomp/CmpSeabaseDDLauth.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLauth.h b/core/sql/sqlcomp/CmpSeabaseDDLauth.h
index a340f3e..1fc6d42 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLauth.h
+++ b/core/sql/sqlcomp/CmpSeabaseDDLauth.h
@@ -36,6 +36,7 @@
// *****************************************************************************
#include "ComSmallDefs.h"
+#include "PrivMgrDefs.h"
#include "NAUserId.h"
#include <vector>
@@ -136,6 +137,7 @@ class CmpSeabaseDDLauth
AuthStatus selectExactRow (const NAString &cmd);
Int64 selectCount (const NAString & whereClause);
Int32 selectMaxAuthID(const NAString &whereClause);
+ bool verifyAuthority(const SQLOperation operation);
NAString systemCatalog_;
NAString MDSchema_; /* Qualified metadata schema */
@@ -186,7 +188,6 @@ class CmpSeabaseDDLuser : public CmpSeabaseDDLauth
protected:
- void verifyAuthority(bool isRemapUser = false);
};
@@ -227,7 +228,6 @@ class CmpSeabaseDDLrole : public CmpSeabaseDDLauth
protected:
- void verifyAuthority (void);
};
#endif // _CMP_SEABASE_DDL_AUTH_H_
[2/2] incubator-trafodion git commit: Merge [TRAFODION-2705] pr 1282
User with SHOW privilege cannot do showddl user
Posted by rm...@apache.org.
Merge [TRAFODION-2705] pr 1282 User with SHOW privilege cannot do showddl user
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/f42450f7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/f42450f7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/f42450f7
Branch: refs/heads/master
Commit: f42450f75073d26f5f90468b82662b17d206b39c
Parents: 4ff25d9 8f8b0e8
Author: Roberta Marton <rm...@edev07.esgyn.local>
Authored: Tue Oct 31 15:22:48 2017 +0000
Committer: Roberta Marton <rm...@edev07.esgyn.local>
Committed: Tue Oct 31 15:22:48 2017 +0000
----------------------------------------------------------------------
core/sql/regress/privs1/EXPECTED141 | Bin 102260 -> 38586 bytes
core/sql/regress/privs1/TEST141 | 158 +++++++++-----
core/sql/regress/tools/runregr_privs1.ksh | 2 +-
core/sql/sqlcomp/CmpDescribe.cpp | 10 -
core/sql/sqlcomp/CmpSeabaseDDLauth.cpp | 280 ++++++++++++-------------
core/sql/sqlcomp/CmpSeabaseDDLauth.h | 4 +-
6 files changed, 240 insertions(+), 214 deletions(-)
----------------------------------------------------------------------