You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-commits@db.apache.org by rh...@apache.org on 2014/01/08 17:35:07 UTC
svn commit: r1556571 - in /db/derby/code/trunk/java:
engine/org/apache/derby/iapi/sql/compile/
engine/org/apache/derby/iapi/sql/dictionary/
engine/org/apache/derby/impl/sql/compile/
testing/org/apache/derbyTesting/functionTests/tests/lang/
Author: rhillegas
Date: Wed Jan 8 16:35:07 2014
New Revision: 1556571
URL: http://svn.apache.org/r1556571
Log:
DERBY-6434: Correct privileges required for INSERT statements; tests passed cleanly on derby-6434-01-ac-correctInsertPrivs.diff.
Added:
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/IgnoreFilter.java (with props)
Modified:
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/ConstraintDescriptor.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GeneratedColumnsPermsTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java
Added: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/IgnoreFilter.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/IgnoreFilter.java?rev=1556571&view=auto
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/IgnoreFilter.java (added)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/IgnoreFilter.java Wed Jan 8 16:35:07 2014
@@ -0,0 +1,62 @@
+/*
+
+ Derby - Class org.apache.derby.iapi.sql.compile.IgnoreFilter
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to you under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ */
+
+package org.apache.derby.iapi.sql.compile;
+
+import java.util.List;
+
+import org.apache.derby.iapi.error.StandardException;
+
+/**
+ * Filter which fails all Visitables.
+ */
+public class IgnoreFilter implements VisitableFilter
+{
+ ///////////////////////////////////////////////////////////////////////////
+ //
+ // CONSTANTS
+ //
+ ///////////////////////////////////////////////////////////////////////////
+
+ ///////////////////////////////////////////////////////////////////////////
+ //
+ // STATE
+ //
+ ///////////////////////////////////////////////////////////////////////////
+
+ ///////////////////////////////////////////////////////////////////////////
+ //
+ // CONSTRUCTOR
+ //
+ ///////////////////////////////////////////////////////////////////////////
+
+ /** Trivial constructor */
+ public IgnoreFilter() {}
+
+ ///////////////////////////////////////////////////////////////////////////
+ //
+ // VisitableFilter BEHAVIOR
+ //
+ ///////////////////////////////////////////////////////////////////////////
+
+ public boolean accept( Visitable visitable ) { return false; }
+
+}
Propchange: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/IgnoreFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/ConstraintDescriptor.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/ConstraintDescriptor.java?rev=1556571&r1=1556570&r2=1556571&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/ConstraintDescriptor.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/ConstraintDescriptor.java Wed Jan 8 16:35:07 2014
@@ -609,6 +609,13 @@ public abstract class ConstraintDescript
//can not reference a table/routine.
ConglomerateDescriptor newBackingConglomCD = drop(lcc, true);
+ //
+ // Invalidate every statement which depends on the table.
+ // This causes us to follow the same code path which we pursue
+ // when the CHECK constraint is dropped explicitly.
+ //
+ getDataDictionary().getDependencyManager().invalidateFor( table, DependencyManager.ALTER_TABLE, lcc );
+
lcc.getLastActivation().addWarning(
StandardException.newWarning(
SQLState.LANG_CONSTRAINT_DROPPED,
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java?rev=1556571&r1=1556570&r2=1556571&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/InsertNode.java Wed Jan 8 16:35:07 2014
@@ -33,6 +33,7 @@ import org.apache.derby.iapi.services.io
import org.apache.derby.shared.common.sanity.SanityManager;
import org.apache.derby.iapi.sql.StatementType;
import org.apache.derby.iapi.sql.compile.CompilerContext;
+import org.apache.derby.iapi.sql.compile.IgnoreFilter;
import org.apache.derby.iapi.sql.compile.Visitor;
import org.apache.derby.iapi.sql.conn.Authorizer;
import org.apache.derby.iapi.sql.dictionary.ColumnDescriptor;
@@ -258,9 +259,13 @@ public final class InsertNode extends DM
/*
** Get the resultColumnList representing the columns in the base
- ** table or VTI.
+ ** table or VTI. We don't bother adding any permission checks here
+ ** because they are assumed by INSERT permission on the table.
*/
+ IgnoreFilter ignorePermissions = new IgnoreFilter();
+ getCompilerContext().addPrivilegeFilter( ignorePermissions );
getResultColumnList();
+ getCompilerContext().removePrivilegeFilter( ignorePermissions );
/* If we have a target column list, then it must have the same # of
* entries as the result set's RCL.
@@ -286,9 +291,9 @@ public final class InsertNode extends DM
{
targetColumnList.bindResultColumnsByName(targetVTI.getResultColumns(), targetVTI,
this);
- }
+ }
getCompilerContext().popCurrentPrivType();
- }
+ }
/* Verify that all underlying ResultSets reclaimed their FromList */
if (SanityManager.DEBUG)
@@ -332,6 +337,20 @@ public final class InsertNode extends DM
*/
super.bindExpressions();
+ //
+ // At this point, we have added permissions checks for the driving query.
+ // Now add a check for INSERT privilege on the target table.
+ //
+ if (isPrivilegeCollectionRequired())
+ {
+ getCompilerContext().pushCurrentPrivType( getPrivType());
+ getCompilerContext().addRequiredTablePriv( targetTableDescriptor );
+ getCompilerContext().popCurrentPrivType();
+ }
+
+ // Now stop adding permissions checks.
+ getCompilerContext().addPrivilegeFilter( ignorePermissions );
+
/*
** If the result set is a union, it could be a table constructor.
** Bind any nulls in the result columns of the table constructor
@@ -517,14 +536,6 @@ public final class InsertNode extends DM
autoincRowLocation =
dd.computeAutoincRowLocations(tc, targetTableDescriptor);
-
- if (isPrivilegeCollectionRequired())
- {
- getCompilerContext().pushCurrentPrivType(getPrivType());
- getCompilerContext().addRequiredTablePriv(targetTableDescriptor);
- getCompilerContext().popCurrentPrivType();
- }
-
}
else
{
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GeneratedColumnsPermsTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GeneratedColumnsPermsTest.java?rev=1556571&r1=1556570&r2=1556571&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GeneratedColumnsPermsTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GeneratedColumnsPermsTest.java Wed Jan 8 16:35:07 2014
@@ -310,8 +310,9 @@ public class GeneratedColumnsPermsTest e
/**
* <p>
- * Test that you need execute privilege to run functions mentioned in
- * generation clauses.
+ * Test that you DON'T need execute privilege to run functions mentioned in
+ * generation clauses. That privilege is needed by the user who declared
+ * the generation clause.
* </p>
*/
public void test_002_functionPermissions()
@@ -383,11 +384,9 @@ public class GeneratedColumnsPermsTest e
"update test_dbo.t_fp_1 set a = a + 1"
);
- // this is a wrong result. see DERBY-6434
- expectExecutionError
+ goodStatement
(
janetConnection,
- LACK_EXECUTE_PRIV,
"insert into test_dbo.t_fp_1( a ) values ( 200 )"
);
assertResults
@@ -397,6 +396,7 @@ public class GeneratedColumnsPermsTest e
new String[][]
{
{ "101", "-101", },
+ { "200", "-200", },
},
false
);
@@ -427,6 +427,7 @@ public class GeneratedColumnsPermsTest e
{
{ "102", "-102", },
{ "200", "-200", },
+ { "201", "-201", },
},
false
);
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java?rev=1556571&r1=1556570&r2=1556571&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java Wed Jan 8 16:35:07 2014
@@ -53,6 +53,7 @@ public final class GrantRevokeDDLTest ex
public static final String NO_GENERIC_PERMISSION = "42504";
public static final String NO_SELECT_OR_UPDATE_PERMISSION = "42502";
+ public static final String NO_TABLE_PERMISSION = "42500";
public static class Permission
{
@@ -11495,4 +11496,256 @@ public final class GrantRevokeDDLTest ex
);
}
+ /**
+ * Test that INSERT statements require the correct privileges as
+ * described on DERBY-6434.
+ */
+ public void test_6434_tables()
+ throws Exception
+ {
+ Connection dboConnection = openUserConnection( TEST_DBO );
+ Connection ruthConnection = openUserConnection( RUTH );
+
+ //
+ // Schema
+ //
+ goodStatement
+ (
+ dboConnection,
+ "create type GenerationType_6434 external name 'java.util.HashMap' language java"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create type CheckType_6434 external name 'java.util.HashMap' language java"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create type SelectType_6434 external name 'java.util.HashMap' language java"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create function generationFunction_6434( hashMap GenerationType_6434, hashKey varchar( 32672 ) ) returns int\n" +
+ "language java parameter style java deterministic no sql\n" +
+ "external name 'org.apache.derbyTesting.functionTests.tests.lang.UDTTest.getIntValue'\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create function checkFunction_6434( hashMap CheckType_6434, hashKey varchar( 32672 ) ) returns int\n" +
+ "language java parameter style java deterministic no sql\n" +
+ "external name 'org.apache.derbyTesting.functionTests.tests.lang.UDTTest.getIntValue'\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create function selectFunction_6434( hashMap SelectType_6434, hashKey varchar( 32672 ) ) returns int\n" +
+ "language java parameter style java deterministic no sql\n" +
+ "external name 'org.apache.derbyTesting.functionTests.tests.lang.UDTTest.getIntValue'\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create derby aggregate selectAggregate_6434 for int\n" +
+ "external name 'org.apache.derbyTesting.functionTests.tests.lang.ModeAggregate'\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create sequence sequence_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create procedure addHistoryRow_6434\n" +
+ "(\n" +
+ " actionString varchar( 20 ),\n" +
+ " actionValue int\n" +
+ ")\n" +
+ "language java parameter style java reads sql data\n" +
+ "external name 'org.apache.derbyTesting.functionTests.tests.lang.MergeStatementTest.addHistoryRow'\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create table primaryTable_6434\n" +
+ "(\n" +
+ " key1 int primary key\n" +
+ ")\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create table selectTable_6434\n" +
+ "(\n" +
+ " selectColumn int,\n" +
+ " selectColumn2 SelectType_6434\n" +
+ ")\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create table insertTable_6434\n" +
+ "(\n" +
+ " insertColumn int references primaryTable_6434( key1 ),\n" +
+ " privatePrimaryColumn int primary key,\n" +
+ " privateGenerationSource GenerationType_6434,\n" +
+ " privateForeignSource int,\n" +
+ " privateCheckSource CheckType_6434,\n" +
+ " privateBeforeTriggerSource int,\n" +
+ " privateAfterTriggerSource int,\n" +
+ " generatedColumn generated always as ( insertColumn + generationFunction_6434( privateGenerationSource, 'foo' ) ),\n" +
+ " check ( insertColumn > checkFunction_6434( privateCheckSource, 'foo' ) )\n" +
+ ")\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create table foreignTable_6434\n" +
+ "(\n" +
+ " key1 int references insertTable_6434( privatePrimaryColumn )\n" +
+ ")\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create trigger beforeInsertTrigger_6434\n" +
+ "no cascade before insert on insertTable_6434\n" +
+ "referencing new as new\n" +
+ "for each row\n" +
+ "call addHistoryRow_6434( 'before', new.insertColumn + new.privateBeforeTriggerSource )\n"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "create trigger afterInsertTrigger_6434\n" +
+ "after insert on insertTable_6434\n" +
+ "referencing new as new\n" +
+ "for each row\n" +
+ "call addHistoryRow_6434( 'before', new.insertColumn + new.privateAfterTriggerSource )\n"
+ );
+
+ //
+ // Privileges
+ //
+ Permission[] permissions = new Permission[]
+ {
+ new Permission( "insert on insertTable_6434", NO_TABLE_PERMISSION ),
+ new Permission( "usage on sequence sequence_6434", NO_GENERIC_PERMISSION ),
+ new Permission( "execute on function selectFunction_6434", NO_GENERIC_PERMISSION ),
+ new Permission( "usage on derby aggregate selectAggregate_6434", NO_GENERIC_PERMISSION ),
+ new Permission( "select on selectTable_6434", NO_SELECT_OR_UPDATE_PERMISSION ),
+ };
+ for ( Permission permission : permissions )
+ {
+ grant_6429( dboConnection, permission.text );
+ }
+
+ //
+ // Try adding and dropping privileges.
+ //
+ String insert =
+ "insert into test_dbo.insertTable_6434( insertColumn, privatePrimaryColumn )\n" +
+ " select next value for test_dbo.sequence_6434, test_dbo.selectFunction_6434( selectColumn2, 'foo' )\n" +
+ " from test_dbo.selectTable_6434\n" +
+ " where selectColumn > ( select test_dbo.selectAggregate_6434( selectColumn ) from test_dbo.selectTable_6434 )\n";
+
+ // fails because ruth doesn't have USAGE permission on type SelectType_6434
+ expectExecutionError( ruthConnection, NO_GENERIC_PERMISSION, insert );
+
+ // succeeds after granting that permission
+ grant_6429( dboConnection, "usage on type SelectType_6434" );
+ goodStatement( ruthConnection, insert );
+
+ //
+ // Verify that revoking each permission in isolation raises
+ // the correct error.
+ //
+ for ( Permission permission : permissions )
+ {
+ vetPermission_6429( permission, dboConnection, ruthConnection, insert );
+ }
+
+ //
+ // Drop schema
+ //
+ goodStatement
+ (
+ dboConnection,
+ "drop trigger afterInsertTrigger_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop trigger beforeInsertTrigger_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop table selectTable_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop table foreignTable_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop table insertTable_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop table primaryTable_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop procedure addHistoryRow_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop sequence sequence_6434 restrict"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop derby aggregate selectAggregate_6434 restrict"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop function selectFunction_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop function checkFunction_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop function generationFunction_6434"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop type SelectType_6434 restrict"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop type CheckType_6434 restrict"
+ );
+ goodStatement
+ (
+ dboConnection,
+ "drop type GenerationType_6434 restrict"
+ );
+ }
+
}