Posted to commits@trafodion.apache.org by rm...@apache.org on 2018/04/25 15:25:35 UTC

[1/3] trafodion git commit: [TRAFODION-2542] Grantor is not correct when granting privileges for a role

Repository: trafodion
Updated Branches:
  refs/heads/master 9a90338db -> dd051ea60


[TRAFODION-2542] Grantor is not correct when granting privileges for a role

When granting privileges and the authorization ID is not the current user but
one of the roles granted to the current user, the "granted by" clause is
required.  In addition, the grantor of the privileges becomes the role specified
in the grant statement instead of the current user.

Added a CQD ALLOW_WGO_FOR_ROLES that will return an error if the user tries to
grant a privilege as a role.

Added error message (1194) when a component operation is not defined.

Added a check to not allow the WITH GRANT OPTION when granting privileges
to public


Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/03a96998
Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/03a96998
Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/03a96998

Branch: refs/heads/master
Commit: 03a96998cf1cd872596808c0628a367d66427e5e
Parents: 8c6eebf
Author: Roberta Marton <ro...@apache.org>
Authored: Tue Apr 24 00:20:54 2018 +0000
Committer: Roberta Marton <ro...@apache.org>
Committed: Tue Apr 24 00:20:54 2018 +0000

----------------------------------------------------------------------
 core/sql/bin/SqlciErrors.txt                    |   4 +-
 core/sql/regress/core/EXPECTED131               |   8 +-
 core/sql/regress/core/TEST131                   |   4 +-
 core/sql/regress/privs1/EXPECTED120             |  47 +++--
 core/sql/regress/privs1/EXPECTED137             |  34 ++--
 core/sql/regress/privs1/TEST120                 |  23 +--
 core/sql/regress/privs1/TEST137                 |  24 ++-
 core/sql/regress/privs2/EXPECTED140             |  16 +-
 core/sql/regress/privs2/EXPECTED143             |  16 +-
 core/sql/regress/privs2/EXPECTED144             |   4 +-
 core/sql/regress/privs2/TEST143                 |   3 +
 core/sql/regress/privs2/TEST144                 |   2 +-
 core/sql/sqlcomp/CmpDDLCatErrorCodes.h          |   1 +
 core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp        | 184 ++++++++-----------
 core/sql/sqlcomp/CmpSeabaseDDLtable.cpp         |  33 ++++
 core/sql/sqlcomp/DefaultConstants.h             |   3 +
 core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp |   7 +-
 core/sql/sqlcomp/PrivMgrPrivileges.cpp          | 140 ++++++++++++--
 core/sql/sqlcomp/PrivMgrPrivileges.h            |   7 +
 core/sql/sqlcomp/nadefaults.cpp                 |   3 +
 20 files changed, 351 insertions(+), 212 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/bin/SqlciErrors.txt
----------------------------------------------------------------------
diff --git a/core/sql/bin/SqlciErrors.txt b/core/sql/bin/SqlciErrors.txt
index 86f4c06..8146be4 100644
--- a/core/sql/bin/SqlciErrors.txt
+++ b/core/sql/bin/SqlciErrors.txt
@@ -11,7 +11,7 @@
 1009 ZZZZZ 99999 BEGINNER MINOR DBADMIN Column $0~ColumnName does not exist in the specified table.
 1010 0A000 99999 ADVANCED MINOR DBADMIN The statement just entered is currently not supported.
 1011 ZZZZZ 99999 ADVANCED MINOR DBADMIN Only one grantee per grant or revoke is allowed.
-1012 01007 99999 BEGINNER MAJOR DBADMIN No privileges were granted.  You lack grant option on the specified privileges.
+1012 01007 99999 BEGINNER MAJOR DBADMIN No privileges were granted.  $0~String0 lacks grant option on the specified privileges. $1~String1
 1013 01007 99999 BEGINNER MAJOR DBADMIN Not all privileges were granted.  You lack grant option for the $0~string0 privilege.
 1014 2B000 99999 BEGINNER MAJOR DBADMIN --- unused ---
 1015 01006 99999 BEGINNER MAJOR DBADMIN Not all privileges were revoked. You lack the grant option for the $0~string0 privilege.
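Review bot: The reworded 1012 names the grantor through `$0~String0`, but 1013 and 1015 on either side of it still say "You lack", so a grant or revoke issued as a role will name the role in one message and say "You" in the others. Consider giving 1013 and 1015 the same grantor placeholder, here or in a follow-up. The new placeholders are spelled `$0~String0` and `$1~String1` while the neighbouring entries use lowercase `$0~string0`; the lowercase form would keep the catalog uniform. It is also not clear from the hunk what `$1~String1` carries, and the updated EXPECTED output shows it empty, so a short explanation would help the next maintainer.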
@@ -193,7 +193,7 @@
 1191 ZZZZZ 99999 BEGINNER MAJOR DBADMIN SERIALIZE option is not yet supported for $0~string0 datatype.
 1192 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Failed to retrieve data from Hive metastore.  Call to $0~string0 returned error $1~string1($0~int0). Cause: $2~string2.
 1193 ZZZZZ 99999 UUUUUUUU UUUUU UUUUUUU The $0~string0 specified in the $1~string1 clause must be identical to the primary key for a Trafodion table.
-1194 ZZZZZ 99999 ADVANCED MAJOR DIALOUT --- unused ---
+1194 ZZZZZ 99999 UUUUUUUU UUUUU UUUUUUU Component operation $0~string0 does not exist for component $1~string1
 1195 ZZZZZ 99999 UUUUUUUU UUUUU UUUUUUU Column $0~ColumnName is not allowed as a salt column. Only primary key columns or STORE BY columns are allowed.
 1196 ZZZZZ 99999 UUUUUUUU UUUUU UUUUUUU The number of salt partitions must be between $0~int0 and $1~int1 inclusive.
 1197 ZZZZZ 99999 UUUUUUUU UUUUU UUUUUUU The location $0~string0 for $1~string1 does not match with another location $2~string2 specified. All location specifications must be identical.
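Review bot: The new 1194 text has no terminating period, unlike 1193 and 1195 beside it; ending it as `... does not exist for component $1~string1.` would match the rest of the catalog. The regenerated EXPECTED137 lines would need the same period.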

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/core/EXPECTED131
----------------------------------------------------------------------
diff --git a/core/sql/regress/core/EXPECTED131 b/core/sql/regress/core/EXPECTED131
index 57a464d..6ccb718 100644
--- a/core/sql/regress/core/EXPECTED131
+++ b/core/sql/regress/core/EXPECTED131
@@ -320,9 +320,9 @@ SQL_USER7
 >>
 >>-- expect error 8031 since the query is not running.
 >>obey cancel_cmd;
->>control query cancel qid MXID11000007219212324915937583329000000000206U3335600_52_S1;
+>>control query cancel qid MXID11000007322212391194409553273000000000206U3334000_56_S1;
 
-*** ERROR[8031] Server declined cancel request for query ID MXID11000007219212324915937583329000000000206U3335600_52_S1. The query is not in OPEN or FETCH or EXECUTE state.
+*** ERROR[8031] Server declined cancel request for query ID MXID11000007322212391194409553273000000000206U3334000_56_S1. The query is not in OPEN or FETCH or EXECUTE state.
 
 --- SQL operation failed with errors.
 >>
@@ -482,7 +482,7 @@ SQL_USER3
 >>
 >>-- grant privs to user3, now user3 can execute dml
 >>sh sqlci -i"TEST131(grant_hive_privs)" -u"SQL_User4"  ;
->>grant select on hive.hive.item to sql_user3;
+>>grant select on hive.hive.item to sql_user3 by DB__HIVEROLE;
 
 --- SQL operation complete.
 >>
@@ -502,7 +502,7 @@ End of MXCI Session
 >>-- revoke privs from user3, user3 can no longer perform dml
 >>-- verify that query invalidate works as designed
 >>sh sqlci -i"TEST131(revoke_hive_privs)" -u"SQL_User4"  ;
->>revoke select on hive.hive.item from sql_user3;
+>>revoke select on hive.hive.item from sql_user3 by DB__HIVEROLE;
 
 --- SQL operation complete.
 >>

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/core/TEST131
----------------------------------------------------------------------
diff --git a/core/sql/regress/core/TEST131 b/core/sql/regress/core/TEST131
index bffa4be..9e1482f 100755
--- a/core/sql/regress/core/TEST131
+++ b/core/sql/regress/core/TEST131
@@ -393,13 +393,13 @@ select count(*) from hive.hive.item;
 -- user4 who has been granted DB__HIVEROLE
 values (user);
 log LOG131;
-grant select on hive.hive.item to sql_user3;
+grant select on hive.hive.item to sql_user3 by DB__HIVEROLE;
 
 ?section revoke_hive_privs
 -- user4, has been granted DB__HIVEROLE
 values (user);
 log LOG131;
-revoke select on hive.hive.item from sql_user3;
+revoke select on hive.hive.item from sql_user3 by DB__HIVEROLE;
 
 ?section end_of_test
 -- end of test.
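Review bot: Both sections now exercise only the accepted form with `by DB__HIVEROLE`; nothing checks that user4 is refused when the clause is left out, which is the rule the commit description says is now enforced. A negative case, for example the old statement `grant select on hive.hive.item to sql_user3;` run as SQL_User4 together with its expected error, would pin the authorization behaviour rather than just the syntax. The same gap applies to the `by t120role1` edits in TEST120, where every changed grant and revoke is the passing form.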

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs1/EXPECTED120
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs1/EXPECTED120 b/core/sql/regress/privs1/EXPECTED120
index 4f0c699..13d19fe 100644
--- a/core/sql/regress/privs1/EXPECTED120
+++ b/core/sql/regress/privs1/EXPECTED120
@@ -364,19 +364,19 @@ SQL_USER3
 
 --- SQL operation complete.
 >>
->>grant insert, delete, update(team_contact, team_contact_number) on teams to t120role2;
+>>grant insert, delete, update(team_contact, team_contact_number) on teams to t120role2 by t120role1;
 
 --- SQL operation complete.
->>grant select on teams to sql_user6;
+>>grant select on teams to sql_user6 by t120role1;
 
 --- SQL operation complete.
->>grant select (game_number, game_time) on games to t120role2;
+>>grant select (game_number, game_time) on games to t120role2 by t120role1;
 
 --- SQL operation complete.
->>grant select (game_number, game_time) on games to t120role3;
+>>grant select (game_number, game_time) on games to t120role3 by t120role1;
 
 --- SQL operation complete.
->>grant all on players to sql_user6;
+>>grant all on players to sql_user6 by t120role1;
 
 --- SQL operation complete.
 >>grant role t120role2, t120role3, t120role4 to sql_user6;
@@ -385,13 +385,13 @@ SQL_USER3
 >>grant role t120role3 to sql_user9;
 
 --- SQL operation complete.
->>grant select on standings to sql_user6;
+>>grant select on standings to sql_user6 by t120role1;
 
 --- SQL operation complete.
->>grant usage on sequence team_seq to t120role3;
+>>grant usage on sequence team_seq to t120role3 by t120role1;
 
 --- SQL operation complete.
->>grant select (team_number, num_players) on stats to "PUBLIC";
+>>grant select (team_number, num_players) on stats to "PUBLIC" by t120role1;
 
 --- SQL operation complete.
 >>showddl games;
@@ -415,10 +415,8 @@ ALTER TABLE TRAFODION.T120SCH.GAMES ADD CONSTRAINT
   (TRAFODION.T120SCH.GAMES.GAME_NUMBER > 0)
 
 -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.T120SCH.GAMES TO T120ROLE1 WITH GRANT OPTION;
-  GRANT SELECT(GAME_NUMBER, GAME_TIME) ON TRAFODION.T120SCH.GAMES TO T120ROLE2
-  GRANTED BY SQL_USER3;
-GRANT SELECT(GAME_NUMBER, GAME_TIME) ON
-  TRAFODION.T120SCH.GAMES TO T120ROLE3 GRANTED BY SQL_USER3;
+  GRANT SELECT(GAME_NUMBER, GAME_TIME) ON TRAFODION.T120SCH.GAMES TO T120ROLE2;
+  GRANT SELECT(GAME_NUMBER, GAME_TIME) ON TRAFODION.T120SCH.GAMES TO T120ROLE3;
 
 --- SQL operation complete.
 >>showddl teams;
@@ -442,11 +440,11 @@ ALTER TABLE TRAFODION.T120SCH.TEAMS ADD CONSTRAINT
   0)
 
 -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.T120SCH.TEAMS TO T120ROLE1 WITH GRANT OPTION;
-  GRANT SELECT ON TRAFODION.T120SCH.TEAMS TO SQL_USER6 GRANTED BY SQL_USER3;
-  GRANT INSERT, DELETE ON TRAFODION.T120SCH.TEAMS TO T120ROLE2 GRANTED BY
-  SQL_USER3;
-GRANT UPDATE(TEAM_CONTACT, TEAM_CONTACT_NUMBER) ON
-  TRAFODION.T120SCH.TEAMS TO T120ROLE2 GRANTED BY SQL_USER3;
+  GRANT SELECT ON TRAFODION.T120SCH.TEAMS TO SQL_USER6;
+GRANT INSERT, DELETE ON
+  TRAFODION.T120SCH.TEAMS TO T120ROLE2;
+GRANT UPDATE(TEAM_CONTACT,
+  TEAM_CONTACT_NUMBER) ON TRAFODION.T120SCH.TEAMS TO T120ROLE2;
 
 --- SQL operation complete.
 >>showddl players;
@@ -472,7 +470,7 @@ ALTER TABLE TRAFODION.T120SCH.PLAYERS ADD CONSTRAINT
 
 -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.T120SCH.PLAYERS TO T120ROLE1 WITH GRANT OPTION;
   GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.T120SCH.PLAYERS
-  TO SQL_USER6 GRANTED BY SQL_USER3;
+  TO SQL_USER6;
 
 --- SQL operation complete.
 >>showddl standings;
@@ -489,8 +487,7 @@ CREATE TABLE TRAFODION.T120SCH.STANDINGS
 ;
 
 -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.T120SCH.STANDINGS TO T120ROLE1 WITH GRANT OPTION;
-  GRANT SELECT ON TRAFODION.T120SCH.STANDINGS TO SQL_USER6 GRANTED BY
-  SQL_USER3;
+  GRANT SELECT ON TRAFODION.T120SCH.STANDINGS TO SQL_USER6;
 
 --- SQL operation complete.
 >>showddl sequence team_seq;
@@ -506,8 +503,7 @@ CREATE SEQUENCE TRAFODION.T120SCH.TEAM_SEQ
 ;
 
 -- GRANT USAGE ON SEQUENCE TRAFODION.T120SCH.TEAM_SEQ TO T120ROLE1 WITH GRANT OPTION;
-  GRANT USAGE ON SEQUENCE TRAFODION.T120SCH.TEAM_SEQ TO T120ROLE3 GRANTED BY
-  SQL_USER3;
+  GRANT USAGE ON SEQUENCE TRAFODION.T120SCH.TEAM_SEQ TO T120ROLE3;
 
 --- SQL operation complete.
 >>showddl role t120role1;
@@ -556,6 +552,7 @@ GRANT ROLE "T120ROLE4" TO
 End of MXCI Session
 
 >>
+>>
 >>-- Prepare a bunch of queries, all successful
 >>prepare select_games from select game_number from games;
 
@@ -794,7 +791,7 @@ SQL_USER3
 
 --- SQL operation complete.
 >>
->>revoke insert, delete on teams from t120role2;
+>>revoke insert, delete on teams from t120role2 by t120role1;
 
 --- SQL operation complete.
 >>
@@ -848,7 +845,7 @@ SQL_USER3
 
 --- SQL operation complete.
 >>
->>grant insert, delete on teams to t120role2;
+>>grant insert, delete on teams to t120role2 by t120role1;
 
 --- SQL operation complete.
 >>
@@ -1313,7 +1310,7 @@ SQL_USER3
 
 --- SQL operation complete.
 >>
->>revoke select (team_number, num_players) on stats from "PUBLIC";
+>>revoke select (team_number, num_players) on stats from "PUBLIC" by t120role1;
 
 --- SQL operation complete.
 >>showddl stats;

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs1/EXPECTED137
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs1/EXPECTED137 b/core/sql/regress/privs1/EXPECTED137
index c2f3d92..f6d15a8 100755
--- a/core/sql/regress/privs1/EXPECTED137
+++ b/core/sql/regress/privs1/EXPECTED137
@@ -43,7 +43,7 @@
 +>  and p.operation_code = d.operation_code
 +>  and p.component_uid = d.component_uid
 +>  and c.component_name like 'LIBRARY%'
-+>order by 1, 2, d.grantor_ID, d.grantee_name, grant_depth
++>order by 1, 2, d.grantee_name, grant_depth
 +>for read uncommitted access;
 
 --- SQL command prepared.
@@ -213,14 +213,6 @@ register component user;
 
 *** ERROR[8822] The statement was not prepared.
 
->>register component "delimited not supported";
-
-*** ERROR[15001] A syntax error occurred at or before: 
-register component "delimited not supported";
-                                           ^ (44 characters from start of SQL statement)
-
-*** ERROR[8822] The statement was not prepared.
-
 >>register component abi**def;
 
 *** ERROR[15001] A syntax error occurred at or before: 
@@ -578,7 +570,7 @@ LIBRARY_USERS         LIB_VIEW_USERS        SQL_USER3
 >>-- error: unknown privilege
 >>grant component privilege lib_view_xxx on library_books to sql_user9;
 
-*** ERROR[1004] Object LIB_VIEW_XXX does not exist or object type is invalid for the current operation.
+*** ERROR[1194] Component operation LIB_VIEW_XXX does not exist for component LIBRARY_BOOKS
 
 --- SQL operation failed with errors.
 >>grant component privilege lib_view_checkouts,
@@ -586,7 +578,7 @@ LIBRARY_USERS         LIB_VIEW_USERS        SQL_USER3
 +>                          lib_view_xxx
 +>  on library_books to sql_user9;
 
-*** ERROR[1004] Object LIB_VIEW_XXX does not exist or object type is invalid for the current operation.
+*** ERROR[1194] Component operation LIB_VIEW_XXX does not exist for component LIBRARY_BOOKS
 
 --- SQL operation failed with errors.
 >>
@@ -692,13 +684,6 @@ SQL_USER1
 
 --- 1 row(s) selected.
 >>-- These tests should succeed
->>-- returns 2 rows
->>showddl role db__rootrole;
-
-CREATE ROLE "DB__ROOTROLE";
-  -- GRANT ROLE "DB__ROOTROLE" TO "DB__ROOT" WITH ADMIN OPTION;
-
---- SQL operation complete.
 >>execute get_component_operations;
 
 COMPONENT             OPERATION_NAME        OPERATION_CODE
@@ -827,7 +812,7 @@ SQL_USER5
 --- 1 row(s) selected.
 >>grant component privilege lib_view_repository on library_books to sql_user7;
 
-*** ERROR[1004] Object LIB_VIEW_REPOSITORY does not exist or object type is invalid for the current operation.
+*** ERROR[1194] Component operation LIB_VIEW_REPOSITORY does not exist for component LIBRARY_BOOKS
 
 --- SQL operation failed with errors.
 >>grant component privilege lib_view_checkouts on library_books to sql_user7;
@@ -852,7 +837,7 @@ SQL_USER5
 --- 1 row(s) selected.
 >>grant component privilege lib_view_repository on library_books to sql_user7;
 
-*** ERROR[1004] Object LIB_VIEW_REPOSITORY does not exist or object type is invalid for the current operation.
+*** ERROR[1194] Component operation LIB_VIEW_REPOSITORY does not exist for component LIBRARY_BOOKS
 
 --- SQL operation failed with errors.
 >>grant component privilege lib_view_checkouts on library_books to sql_user7;
@@ -884,7 +869,7 @@ SQL_USER5
 --- 1 row(s) selected.
 >>grant component privilege lib_view_repository on library_books to sql_user7;
 
-*** ERROR[1004] Object LIB_VIEW_REPOSITORY does not exist or object type is invalid for the current operation.
+*** ERROR[1194] Component operation LIB_VIEW_REPOSITORY does not exist for component LIBRARY_BOOKS
 
 --- SQL operation failed with errors.
 >>grant component privilege lib_view_checkouts on library_books to sql_user7;
@@ -2000,6 +1985,10 @@ drop component privilege lib_view_benefactors cascade;
 *** ERROR[1008] Authorization identifier LIB_ROLE_TEST does not exist.
 
 --- SQL operation failed with errors.
+>>revoke component privilege "SHOW" on sql_operations from "PUBLIC";
+
+--- SQL operation complete.
+>>
 >>revoke role lib_role_test from sql_user5;
 
 *** ERROR[1338] Role LIB_ROLE_TEST is not defined in the database.
@@ -2038,6 +2027,9 @@ drop component privilege lib_view_benefactors cascade;
 >>
 >>-- run tests for revoke.
 >>obey TEST137(revoke_comp_privs_setup);
+>>cqd ALLOW_WGO_FOR_ROLES 'on';
+
+--- SQL operation complete.
 >>cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 
 --- SQL operation complete.

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs1/TEST120
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs1/TEST120 b/core/sql/regress/privs1/TEST120
index 16b7cd5..384dee0 100755
--- a/core/sql/regress/privs1/TEST120
+++ b/core/sql/regress/privs1/TEST120
@@ -207,6 +207,7 @@ sh sqlci -i "TEST120(select_queries)" -u sql_user9;
 -- grant privileges
 sh sqlci -i "TEST120(grant_all_privs)" -u sql_user3;
 
+
 -- Prepare a bunch of queries, all successful
 prepare select_games from select game_number from games;
 prepare select_teams from select team_number, team_name from teams;
@@ -315,16 +316,16 @@ cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 cqd AUTO_QUERY_RETRY_WARNINGS 'ON';
 set schema t120sch;
 
-grant insert, delete, update(team_contact, team_contact_number) on teams to t120role2;
-grant select on teams to sql_user6;
-grant select (game_number, game_time) on games to t120role2;
-grant select (game_number, game_time) on games to t120role3; 
-grant all on players to sql_user6;
+grant insert, delete, update(team_contact, team_contact_number) on teams to t120role2 by t120role1;
+grant select on teams to sql_user6 by t120role1;
+grant select (game_number, game_time) on games to t120role2 by t120role1;
+grant select (game_number, game_time) on games to t120role3 by t120role1; 
+grant all on players to sql_user6 by t120role1;
 grant role t120role2, t120role3, t120role4 to sql_user6;
 grant role t120role3 to sql_user9;
-grant select on standings to sql_user6;
-grant usage on sequence team_seq to t120role3;
-grant select (team_number, num_players) on stats to "PUBLIC";
+grant select on standings to sql_user6 by t120role1;
+grant usage on sequence team_seq to t120role3 by t120role1;
+grant select (team_number, num_players) on stats to "PUBLIC" by t120role1;
 showddl games;
 showddl teams;
 showddl players;
@@ -342,7 +343,7 @@ cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 cqd AUTO_QUERY_RETRY_WARNINGS 'ON';
 set schema t120sch;
 
-revoke insert, delete on teams from t120role2;
+revoke insert, delete on teams from t120role2 by t120role1;
 
 ?section grant_t120role2p
 log LOG120;
@@ -351,7 +352,7 @@ cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 cqd AUTO_QUERY_RETRY_WARNINGS 'ON';
 set schema t120sch;
 
-grant insert, delete on teams to t120role2;
+grant insert, delete on teams to t120role2 by t120role1;
 
 ?section revoke_t120role2
 log LOG120;
@@ -396,7 +397,7 @@ cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 cqd AUTO_QUERY_RETRY_WARNINGS 'ON';
 set schema t120sch;
 
-revoke select (team_number, num_players) on stats from "PUBLIC";
+revoke select (team_number, num_players) on stats from "PUBLIC" by t120role1;
 showddl stats;
 select team_number, num_players from stats;
 

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs1/TEST137
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs1/TEST137 b/core/sql/regress/privs1/TEST137
index 9654fe4..77dae01 100755
--- a/core/sql/regress/privs1/TEST137
+++ b/core/sql/regress/privs1/TEST137
@@ -44,6 +44,8 @@ control query default SKIP_METADATA_VIEWS 'ON';
 
 obey TEST137(clean_up);
 cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
+cqd ALLOW_WGO_FOR_ROLES 'on';
+grant component privilege "SHOW" on sql_operations to "PUBLIC";
 log LOG137 clear;
 obey TEST137(set_up);
 obey TEST137(create_db);
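Review bot: The added `grant component privilege "SHOW" on sql_operations to "PUBLIC"` changes instance-wide privilege state and runs before `log LOG137 clear`, so a failure of the grant itself would not show up in the log. It is undone only by the revoke added to the clean-up statements in the next hunk. If PUBLIC already holds SHOW before the test starts (worth confirming), that unconditional revoke leaves the instance with fewer privileges than it began with and can affect later suites. A comment saying why the test needs the grant, plus restoring the prior state instead of always revoking, would make this safer.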
@@ -108,6 +110,8 @@ revoke role library_ckout_clerks from sql_user3, sql_user4, sql_user5;
 drop role library_ckout_clerks;
 
 revoke component privilege lib_view_checkouts on library_books from lib_role_test;
+revoke component privilege "SHOW" on sql_operations from "PUBLIC";
+
 revoke role lib_role_test from sql_user5;
 revoke role db__rootrole from sql_user5;
 drop role lib_role_test;
@@ -158,7 +162,7 @@ where c.component_uid = p.component_uid
   and p.operation_code = d.operation_code
   and p.component_uid = d.component_uid
   and c.component_name like 'LIBRARY%'
-order by 1, 2, d.grantor_ID, d.grantee_name, grant_depth
+order by 1, 2, d.grantee_name, grant_depth
 for read uncommitted access;
 
 ?section create_db
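Review bot: Dropping `d.grantor_ID` from the ORDER BY leaves rows that differ only in grantor with no defined order, which matters more now that the same privilege can be granted by a user or by a role. The select list is outside this hunk, so this is hedged: if the query returns the grantor's name, sorting on that name rather than on the ID would avoid ID-dependent ordering while keeping EXPECTED137 stable. If ties on grantor cannot occur in this data set, a one-line comment saying so would be enough.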
@@ -222,7 +226,6 @@ execute get_components;
 
 -- fails with a syntax error
 register component user;
-register component "delimited not supported";
 register component abi**def;
 
 -- fails with component already registered
@@ -465,8 +468,6 @@ cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 log LOG137;
 values (user);
 -- These tests should succeed
--- returns 2 rows
-showddl role db__rootrole;
 execute get_component_operations;
 grant component privilege lib_view_checkouts on library_books to sql_user4 
    with grant option;
@@ -508,6 +509,7 @@ log;
 
 -- below is the setup and testing for various scenarios for revoke component privileges
 ?section revoke_comp_privs_setup
+cqd ALLOW_WGO_FOR_ROLES 'on';
 cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 log LOG137;
 create role library_admin;
@@ -548,6 +550,7 @@ grant component privilege lib_view_repository
 log;
 
 ?section revoke_comp_privs_setup_user1
+cqd ALLOW_WGO_FOR_ROLES 'on';
 cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 log LOG137;
 grant component privilege lib_view_repository
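Review bot: This section, like the `_user2`, `_user3` and `_user4` sections in the following hunks, switches `ALLOW_WGO_FOR_ROLES` on from inside the script it runs. If these sections execute as ordinary users, as their names suggest, then any session can lift the restriction for itself, and the CQD acts as a convenience default rather than an authorization control. It would be worth stating that intent in a comment here, for example `-- session-level default, not a security boundary`. If the restriction is meant to be enforced, add a test showing that a non-privileged user cannot change it.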
@@ -555,6 +558,7 @@ on library_books to sql_user2 with grant option;
 log;
 
 ?section revoke_comp_privs_setup_user2
+cqd ALLOW_WGO_FOR_ROLES 'on';
 cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 log LOG137;
 grant component privilege lib_view_repository
@@ -568,6 +572,7 @@ on library_books to sql_user5;
 log;
 
 ?section revoke_comp_privs_setup_user3
+cqd ALLOW_WGO_FOR_ROLES 'on';
 cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 log LOG137;
 grant component privilege lib_view_repository
@@ -581,6 +586,7 @@ on library_books to sql_user4 with grant option;
 log;
 
 ?section revoke_comp_privs_setup_user4
+cqd ALLOW_WGO_FOR_ROLES 'on';
 cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
 log LOG137;
 grant component privilege lib_view_repository
@@ -650,4 +656,14 @@ log LOG137;
 --create schema t137sch;
 log;
 
+?section metadata_cmds
+cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
+log LOG137;
 
+select auth_id from "_MD_".auths where auth_db_name = 'DB__ROOT';
+select role_id from "_PRIVMGR_MD_".role_usage where role_name = 'DB__ROOTROLE';
+select count(*) from "_REPOS_".metric_query_table where component_id < 0;
+set param ?cmd 'ls';
+-- always fails, EXECUTE privilege is require not DML_SELECT_METADATA
+call "_LIBMGR_".HELP(?cmd);
+log;
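Review bot: Nothing in this diff runs the new `metadata_cmds` section: no `obey TEST137(metadata_cmds)` is added and EXPECTED137 gains no output for these statements, so the section looks unexercised in this commit. Either wire it into the test flow with its expected output (including the expected failure of the `call`) or leave it out until it is used. The comment also has a typo; `-- always fails, EXECUTE privilege is required, not DML_SELECT_METADATA` reads better.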

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs2/EXPECTED140
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs2/EXPECTED140 b/core/sql/regress/privs2/EXPECTED140
index 62e0b5b..81c3fbc 100644
--- a/core/sql/regress/privs2/EXPECTED140
+++ b/core/sql/regress/privs2/EXPECTED140
@@ -4,12 +4,12 @@ Current Environment
 ----------------------------------
 AUTHENTICATION     disabled
 AUTHORIZATION      enabled
-CURRENT DIRECTORY  /mnt/rmarton/gitws/incubator-trafodion/core/sql/regress/rundir/privs2
+CURRENT DIRECTORY  /mnt/rmarton/gitws/trafodion/core/sql/regress/rundir/privs2
 LIST_COUNT         4294967295
 LOG FILE           LOG140
-MESSAGEFILE        /mnt/rmarton/gitws/incubator-trafodion/core/sqf/export/ ...
+MESSAGEFILE        /mnt/rmarton/gitws/trafodion/core/sqf/export/bin64d/mxc ...
 MESSAGEFILE LANG   US English
-MESSAGEFILE VRSN   {2016-09-23 23:03 LINUX:EDEV05/rmarton} 
+MESSAGEFILE VRSN   {2018-04-19 16:37 LINUX:EDEV07.ESGYN.LOCAL/rmarton} 
 SQL CATALOG        TRAFODION
 SQL SCHEMA         T140_SHARED_VIEWS
 SQL USER CONNECTED user not connected
@@ -442,7 +442,7 @@ Zachary
 >>-- user2 cannot propagate select privilege on games
 >>grant select on games to sql_user3;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER2 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>
@@ -609,7 +609,7 @@ Tom                                                 White Socks
 >>-- user3 cannot propagate select on table games
 >>grant select on games to sql_user4;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER3 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>
@@ -724,12 +724,12 @@ SQL_USER4
 >>--user4 cannot grant any privileges
 >>grant select on teams to sql_user5;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER4 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>grant insert on players to sql_user5;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER4 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>
@@ -909,7 +909,7 @@ TRAFODION.T140_USER1_PRIVATE.TEAMS
 >>-- user6 tries to grant select to user7
 >>grant select on games to sql_user7 by sql_user6;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER6 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs2/EXPECTED143
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs2/EXPECTED143 b/core/sql/regress/privs2/EXPECTED143
index 203d6a8..35a3a1d 100644
--- a/core/sql/regress/privs2/EXPECTED143
+++ b/core/sql/regress/privs2/EXPECTED143
@@ -613,6 +613,9 @@ T143_USER1.U1T3                                                           3  SQL
 DB__ROOT                                                                                                                         
 
 --- 1 row(s) selected.
+>>cqd ALLOW_WGO_FOR_ROLES 'on';
+
+--- SQL operation complete.
 >>
 >>-- remove schemas
 >>drop schema if exists t143_user1 cascade;
@@ -962,6 +965,9 @@ T143_USER1.U1T3                                                           3  SQL
 DB__ROOT                                                                                                                         
 
 --- 1 row(s) selected.
+>>cqd ALLOW_WGO_FOR_ROLES 'on';
+
+--- SQL operation complete.
 >>
 >>-- remove schemas
 >>drop schema if exists t143_user1 cascade;
@@ -1099,7 +1105,7 @@ T143_USER2.U2V1                                                           1  USE
 >>-- fails with no priv
 >>grant select (u3v1_c1, u3v1_c2) on t143_user3.u3v1 to sql_user4;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER3 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>
@@ -1159,7 +1165,7 @@ T143_USER3.U3V1                                                           1  SQL
 >>-- unfortunately, the returned error is not the best
 >>grant insert on t143_user1.u1v1 to user2_role;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER1 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>
@@ -1171,12 +1177,12 @@ T143_USER3.U3V1                                                           1  SQL
 >>-- grant privileges by user5, these fail
 >>grant select on t143_user5.u5v1 to sql_user4;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER5 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>grant select (u5v1_c1, u5v1_c2, u5v1_c3) on t143_user5.u5v1 to sql_user4;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER5 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>
@@ -1184,7 +1190,7 @@ T143_USER3.U3V1                                                           1  SQL
 >>-- columns cannot be split
 >>grant select (u5v1_c2) on t143_user5.u5v1 to sql_user4;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER5 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs2/EXPECTED144
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs2/EXPECTED144 b/core/sql/regress/privs2/EXPECTED144
index 752618c..6beefa1 100644
--- a/core/sql/regress/privs2/EXPECTED144
+++ b/core/sql/regress/privs2/EXPECTED144
@@ -637,7 +637,7 @@ End of MXCI Session
 >>-- user2 does not have WGO on gen_time
 >>grant execute on function gen_time to sql_user3 by sql_user2;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER2 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>execute get_privs;
@@ -745,7 +745,7 @@ End of MXCI Session
 --- SQL operation complete.
 >>grant execute on procedure "_LIBMGR_".help to sql_user5 by sql_user3;
 
-*** ERROR[1012] No privileges were granted.  You lack grant option on the specified privileges.
+*** ERROR[1012] No privileges were granted.  SQL_USER3 lacks grant option on the specified privileges.
 
 --- SQL operation failed with errors.
 >>

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs2/TEST143
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs2/TEST143 b/core/sql/regress/privs2/TEST143
index ca36922..3f7f5b1 100755
--- a/core/sql/regress/privs2/TEST143
+++ b/core/sql/regress/privs2/TEST143
@@ -28,6 +28,7 @@
 -- ============================================================================
 
 cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
+cqd ALLOW_WGO_FOR_ROLES 'OFF'; 
 cqd traf_store_object_desc 'ON';
 cqd traf_read_object_desc 'ON';
 obey TEST143(clean_up);
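Review bot: `ALLOW_WGO_FOR_ROLES` is set to 'OFF' here and back to 'on' in the two role sections further down, but no statement in the test files of this commit attempts the restricted grant while it is off, and the EXPECTED143 changes show no new error from it. The same holds for the check described in the commit message that rejects WITH GRANT OPTION when granting to PUBLIC. One failing grant for each, with its expected error, would cover the new refusal paths instead of only the permitted ones. The added line also has a trailing space after the semicolon.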
@@ -243,6 +244,7 @@ execute get_col_privs;
 ?section test_view_role_priv_propagation
 -- ============================================================================
 values (user);
+cqd ALLOW_WGO_FOR_ROLES 'on';
 
 -- remove schemas
 drop schema if exists t143_user1 cascade;
@@ -318,6 +320,7 @@ execute get_col_privs;
 -- u3v2 -> u3v1 -> u2v1 -> u1v1 -> u1t1
 
 values (user);
+cqd ALLOW_WGO_FOR_ROLES 'on';
 
 -- remove schemas
 drop schema if exists t143_user1 cascade;

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/regress/privs2/TEST144
----------------------------------------------------------------------
diff --git a/core/sql/regress/privs2/TEST144 b/core/sql/regress/privs2/TEST144
index e49d6ef..fd971cf 100755
--- a/core/sql/regress/privs2/TEST144
+++ b/core/sql/regress/privs2/TEST144
@@ -1,5 +1,5 @@
 -- ============================================================================
--- TEST144 - tests grant and revoke privileges for RI constraints
+-- TEST144 - tests grant and revoke privileges for UDRs
 --
 -- @@@ START COPYRIGHT @@@
 --

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/CmpDDLCatErrorCodes.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpDDLCatErrorCodes.h b/core/sql/sqlcomp/CmpDDLCatErrorCodes.h
index 713690f..b58189e 100644
--- a/core/sql/sqlcomp/CmpDDLCatErrorCodes.h
+++ b/core/sql/sqlcomp/CmpDDLCatErrorCodes.h
@@ -221,6 +221,7 @@ enum CatErrorCode { CAT_FIRST_ERROR = 1000
                   , CAT_RI_CIRCULAR_DEPENDENCY                    = 1188
                   // unused                                       = 1189
 
+                  , CAT_INVALID_COMPONENT_PRIVILEGE               = 1194
                   , CAT_INVALID_NUM_OF_SALT_PARTNS                = 1196
                   , CAT_INVALID_SALTED_UNIQUE_IDX                 = 1201
                   , CAT_INVALID_SALT_LIKE_CLAUSE                  = 1202

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp b/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp
index fa43caa..314486e 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp
+++ b/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp
@@ -10245,18 +10245,14 @@ static void grantRevokeSeabaseRole(
    StmtDDLRoleGrant *pParseNode)
    
 {
-
-NAString trafMDLocation;
-
-  CONCAT_CATSCH(trafMDLocation,systemCatalog.c_str(),SEABASE_MD_SCHEMA);
-  
-NAString privMgrMDLoc;
-
-  CONCAT_CATSCH(privMgrMDLoc,systemCatalog.c_str(),SEABASE_PRIVMGR_SCHEMA);
+   NAString trafMDLocation;
+   CONCAT_CATSCH(trafMDLocation,systemCatalog.c_str(),SEABASE_MD_SCHEMA);
+   NAString privMgrMDLoc;
+   CONCAT_CATSCH(privMgrMDLoc,systemCatalog.c_str(),SEABASE_PRIVMGR_SCHEMA);
    
-PrivMgrCommands roleCommand(std::string(trafMDLocation.data()),
-                            std::string(privMgrMDLoc.data()),
-                            CmpCommon::diags());
+   PrivMgrCommands roleCommand(std::string(trafMDLocation.data()),
+                               std::string(privMgrMDLoc.data()),
+                               CmpCommon::diags());
 
    if (!CmpCommon::context()->isAuthorizationEnabled())
    {
@@ -10264,38 +10260,29 @@ PrivMgrCommands roleCommand(std::string(trafMDLocation.data()),
       return;
    }
       
-// *****************************************************************************
-// *                                                                           *
-// *   The GRANT ROLE and REVOKE ROLE commands each take a list of roles       *
-// * and a list of grantees (authorization names to grant the role to).        *
-// * All items on both lists need to be verified for existence and no          *
-// * duplication.  The results are stored in two parallel name/ID vectors.     *
-// *                                                                           *
-// *   Currently roles may only be granted to users, and may not be granted    *
-// * to PUBLIC, so some code takes shortcuts and assumes users, while other    *
-// * code is prepared for eventually supporting all authorization types.       *
-// *                                                                           *
-// *****************************************************************************
-      
-// *****************************************************************************
-// *                                                                           *
-// *  By default, the user issuing the GRANT or REVOKE ROLE command is         *
-// * the grantor.  However, if the GRANTED BY clause is specified,             *
-// * that authorization ID is the grantor.                                     *
-// *                                                                           *
-// *    If the GRANTED BY clause is NOT specified, and the user is             *
-// * DB__ROOT, then the GRANT/REVOKE is assumed to have been                   *
-// * issued by the owner/creator of the role.  So if no GRANTED BY             *
-// * clause and grantor is DB__ROOT, note it, so we can look for the           *
-// * role creator later.                                                       *
-// *                                                                           *
-// *****************************************************************************
-
-int32_t grantorID = ComUser::getCurrentUser();
-std::string grantorName;
-bool grantorIsRoot = false;
-
-ElemDDLGrantee *grantedBy = pParseNode->getGrantedBy();
+   //   The GRANT ROLE and REVOKE ROLE commands each take a list of roles       
+   // and a list of grantees (authorization names to grant the role to).        
+   // All items on both lists need to be verified for existence and no         
+   // duplication.  The results are stored in two parallel name/ID vectors.     
+   //                                                                           
+   //   Currently roles may only be granted to users, and may not be granted    
+   // to PUBLIC, so some code takes shortcuts and assumes users, while other    
+   // code is prepared for eventually supporting all authorization types.       
+     
+   //  By default, the user issuing the GRANT or REVOKE ROLE command is         
+   // the grantor.  However, if the GRANTED BY clause is specified,             
+   // that authorization ID is the grantor.                                     
+   //                                                                           
+   //    If the GRANTED BY clause is NOT specified, and the user is             
+   // DB__ROOT, then the GRANT/REVOKE is assumed to have been                   
+   // issued by the owner/creator of the role.  So if no GRANTED BY             
+   // clause and grantor is DB__ROOT, note it, so we can look for the           
+   // role creator later.                                                       
+   int32_t grantorID = ComUser::getCurrentUser();
+   std::string grantorName;
+   bool grantorIsRoot = false;
+
+   ElemDDLGrantee *grantedBy = pParseNode->getGrantedBy();
 
    if (grantedBy != NULL)
    {
@@ -10315,10 +10302,10 @@ ElemDDLGrantee *grantedBy = pParseNode->getGrantedBy();
 
       // BY clause specified.  Determine the grantor
       ComString grantedByName = grantedBy->getAuthorizationIdentifier();
+
       //TODO: will need to update this if grant role to role is supported,
       // i.e., the granted by could be a role. getUserIDFromUserName() only
       // supports users.       
-
       if (ComUser::getUserIDFromUserName(grantedByName.data(),grantorID) != 0)
       {
          *CmpCommon::diags() << DgSqlCode(-CAT_AUTHID_DOES_NOT_EXIST_ERROR)
@@ -10334,21 +10321,16 @@ ElemDDLGrantee *grantedBy = pParseNode->getGrantedBy();
          grantorIsRoot = true;
    }
       
-// *****************************************************************************
-// *                                                                           *
-// *   Next, walk through the list of roles being granted, making sure         *
-// * each one exists and none appear more than once.  For each role,           *
-// * if the grantor is DB__ROOT, determine the creator of the role and         *
-// * use that data for the entries in the grantor vectors.                     *
-// *                                                                           *
-// *****************************************************************************
+   //   Next, walk through the list of roles being granted, making sure         
+   // each one exists and none appear more than once.  For each role,           
+   // if the grantor is DB__ROOT, determine the creator of the role and         
+   // use that data for the entries in the grantor vectors.                     
+   ElemDDLGranteeArray & roles = pParseNode->getRolesArray();
 
-ElemDDLGranteeArray & roles = pParseNode->getRolesArray();
-
-std::vector<int32_t> grantorIDs;
-std::vector<std::string> grantorNames;
-std::vector<int32_t> roleIDs;
-std::vector<std::string> roleNames;
+   std::vector<int32_t> grantorIDs;
+   std::vector<std::string> grantorNames;
+   std::vector<int32_t> roleIDs;
+   std::vector<std::string> roleNames;
 
    for (size_t r = 0; r < roles.entries(); r++)
    {
@@ -10400,18 +10382,12 @@ std::vector<std::string> roleNames;
       }
    }
    
-// *****************************************************************************
-// *                                                                           *
-// *   Now, walk throught the list of grantees, making sure they all exist     *
-// * and none appear more than once.                                           *
-// *                                                                           *
-// *****************************************************************************
-
-ElemDDLGranteeArray & grantees = pParseNode->getGranteeArray();
-std::vector<int32_t> granteeIDs;
-std::vector<std::string> granteeNames;
-std::vector<PrivAuthClass> granteeClasses;
-
+   //   Now, walk throught the list of grantees, making sure they all exist     
+   //  and none appear more than once.                                         
+   ElemDDLGranteeArray & grantees = pParseNode->getGranteeArray();
+   std::vector<int32_t> granteeIDs;
+   std::vector<std::string> granteeNames;
+   std::vector<PrivAuthClass> granteeClasses;
    for (size_t g = 0; g < grantees.entries(); g++)
    {
       int32_t granteeID;
@@ -10455,17 +10431,12 @@ std::vector<PrivAuthClass> granteeClasses;
       granteeNames.push_back(granteeName.data());
       granteeClasses.push_back(PrivAuthClass::USER);
    }
-   
-// *****************************************************************************
-// *                                                                           *
-// *   The WITH ADMIN option means the grantee can grant the role to another   *
-// * authorization ID.  In the case of REVOKE, this ability (but not the role  *
-// * itself) is being taken from the grantee.                                  *
-// *                                                                           *
-// *****************************************************************************
 
-int32_t grantDepth = 0;
-bool withAdminOptionSpecified = false;
+   //   The WITH ADMIN option means the grantee can grant the role to another   
+   // authorization ID.  In the case of REVOKE, this ability (but not the role  
+   // itself) is being taken from the grantee.                                  
+   int32_t grantDepth = 0;
+   bool withAdminOptionSpecified = false;
 
    if (pParseNode->isWithAdminOptionSpecified())
    {
@@ -10474,23 +10445,18 @@ bool withAdminOptionSpecified = false;
       withAdminOptionSpecified = true;
    }
    
-// *****************************************************************************
-// *                                                                           *
-// *   For REVOKE ROLE, the operation can either be RESTRICT, i.e. restrict    *
-// * the command if any dependencies exist or CASCADE, in which case any       *
-// * dependencies are silently removed.  Currently only RESTRICT is supported. *
-// *                                                                           *
-// *****************************************************************************
-
-PrivDropBehavior privDropBehavior = PrivDropBehavior::RESTRICT;
+   //   For REVOKE ROLE, the operation can either be RESTRICT, i.e. restrict    
+   // the command if any dependencies exist or CASCADE, in which case any       
+   // dependencies are silently removed.  Currently only RESTRICT is supported. 
+   PrivDropBehavior privDropBehavior = PrivDropBehavior::RESTRICT;
 
    if (pParseNode->getDropBehavior() == COM_CASCADE_DROP_BEHAVIOR)
       privDropBehavior = PrivDropBehavior::CASCADE;
    else
       privDropBehavior = PrivDropBehavior::RESTRICT;
       
-PrivStatus privStatus = STATUS_GOOD;
-std::string commandString;
+   PrivStatus privStatus = STATUS_GOOD;
+   std::string commandString;
 
    if (pParseNode->isGrantRole())
    {
@@ -10574,11 +10540,10 @@ static void grantSeabaseComponentPrivilege(
    StmtDDLGrantComponentPrivilege *pParseNode)
    
 {
-
-NAString privMgrMDLoc;
+  NAString privMgrMDLoc;
   CONCAT_CATSCH(privMgrMDLoc, systemCatalog.c_str(), SEABASE_PRIVMGR_SCHEMA);
    
-PrivMgrCommands componentPrivileges(std::string(privMgrMDLoc.data()),CmpCommon::diags());
+  PrivMgrCommands componentPrivileges(std::string(privMgrMDLoc.data()),CmpCommon::diags());
   
    if (!CmpCommon::context()->isAuthorizationEnabled())
    {
@@ -10586,11 +10551,11 @@ PrivMgrCommands componentPrivileges(std::string(privMgrMDLoc.data()),CmpCommon::
       return;
    }
   
-const std::string componentName = pParseNode->getComponentName().data();
-const ConstStringList & privList = pParseNode->getComponentPrivilegeNameList();
+  const std::string componentName = pParseNode->getComponentName().data();
+  const ConstStringList & privList = pParseNode->getComponentPrivilegeNameList();
 
-const NAString & granteeName = pParseNode->getUserRoleName(); 
-int32_t granteeID;
+  const NAString & granteeName = pParseNode->getUserRoleName(); 
+  int32_t granteeID;
 
    if (ComUser::getAuthIDFromAuthName(granteeName.data(),granteeID) != 0)
    {
@@ -10599,10 +10564,10 @@ int32_t granteeID;
       return;
    }
 
-int32_t grantorID = ComUser::getCurrentUser();
-std::string grantorName;
+  int32_t grantorID = ComUser::getCurrentUser();
+  std::string grantorName;
 
-ElemDDLGrantee *grantedBy = pParseNode->getGrantedBy();
+  ElemDDLGrantee *grantedBy = pParseNode->getGrantedBy();
 
    if (grantedBy != NULL)
    {
@@ -10636,12 +10601,21 @@ ElemDDLGrantee *grantedBy = pParseNode->getGrantedBy();
    else	// Grantor is the current user.
       grantorName = ComUser::getCurrentUsername();
 
-int32_t grantDepth = 0;
+  int32_t grantDepth = 0;
 
    if (pParseNode->isWithGrantOptionSpecified())
+   {
+      // Don't allow WGO for roles
+      if (CmpSeabaseDDLauth::isRoleID(granteeID) &&
+          (CmpCommon::getDefault(ALLOW_WGO_FOR_ROLES) == DF_OFF))
+      {
+        *CmpCommon::diags() << DgSqlCode(-CAT_WGO_NOT_ALLOWED);
+        return;
+      }
       grantDepth = -1;
-      
-vector<std::string> operationNamesList;
+   }
+
+  vector<std::string> operationNamesList;
 
    for (size_t i = 0; i < privList.entries(); i++)
    {
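Review bot: The WITH GRANT OPTION guard added to grantSeabaseComponentPrivilege does not follow the same policy as the one this commit adds to seabaseGrantRevoke in CmpSeabaseDDLtable.cpp. That path exempts names found in systemRoles and rejects the option for PUBLIC, while this one rejects every role ID and has no PUBLIC case. If the difference is intended, say so next to the check, e.g. `// Unlike object privileges, system roles are not exempt and PUBLIC is handled by <place>`; otherwise both sites should call one shared helper so the rule cannot drift. The function starts and ends outside this hunk, so a PUBLIC check elsewhere in it cannot be ruled out from here.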
@@ -10649,7 +10623,7 @@ vector<std::string> operationNamesList;
       operationNamesList.push_back(operationName->data());
    }   
 
-PrivStatus retcode = STATUS_GOOD;
+  PrivStatus retcode = STATUS_GOOD;
 
    retcode = componentPrivileges.grantComponentPrivilege(componentName,
                                                          operationNamesList,

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
index b9a2c88..a2eb2a4 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
+++ b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
@@ -9930,6 +9930,14 @@ void CmpSeabaseDDL::seabaseGrantRevoke(
       Int32 grantee;
       if (pGranteeArray[j]->isPublic())
         {
+          // don't allow WGO for public auth ID
+          if (isWGOSpecified)
+            {
+              *CmpCommon::diags() << DgSqlCode(-CAT_WGO_NOT_ALLOWED);
+              processReturn();
+              return;
+            }
+
           grantee = PUBLIC_USER;
           authName = PUBLIC_AUTH_NAME;
         }
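Review bot: The new `if (isWGOSpecified)` rejection for PUBLIC is not limited to GRANT, although seabaseGrantRevoke serves both statements. If the flag is also set for REVOKE GRANT OPTION FOR (its assignment is outside this hunk), a grant option that PUBLIC already holds could no longer be taken away. The same would apply to the role check in the next hunk once ALLOW_WGO_FOR_ROLES is 'OFF'. Both checks should apply only on the grant path, along the lines of `if (<is-grant flag> && isWGOSpecified)`, using whatever grant/revoke indicator the function already carries.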
@@ -9953,6 +9961,31 @@ void CmpSeabaseDDL::seabaseGrantRevoke(
                processReturn();
                return;
             }
+
+          // Don't allow WGO for roles
+          if (CmpSeabaseDDLauth::isRoleID(grantee) && isWGOSpecified &&
+              CmpCommon::getDefault(ALLOW_WGO_FOR_ROLES) == DF_OFF)
+            {
+              // If grantee is system role, allow grant
+              Int32 numberRoles = sizeof(systemRoles)/sizeof(SystemAuthsStruct);
+              NABoolean isSystemRole = FALSE;
+              for (Int32 i = 0; i < numberRoles; i++)
+                {
+                  const SystemAuthsStruct &roleDefinition = systemRoles[i];
+                  NAString systemRole = roleDefinition.authName;
+                  if (systemRole == authName)
+                    {
+                      isSystemRole = TRUE;
+                      break;
+                    }
+                }
+              if (!isSystemRole)
+                {
+                  *CmpCommon::diags() << DgSqlCode(-CAT_WGO_NOT_ALLOWED);
+                  processReturn();
+                  return;
+                }
+            }
         }
 
       std::string granteeName (authName.data());

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/DefaultConstants.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/DefaultConstants.h b/core/sql/sqlcomp/DefaultConstants.h
index fd110de..f265dcc 100644
--- a/core/sql/sqlcomp/DefaultConstants.h
+++ b/core/sql/sqlcomp/DefaultConstants.h
@@ -3306,6 +3306,9 @@ enum DefaultConstants
 
   SUPPRESS_CHAR_LIMIT_CHECK,
  
+  // Allow users to grant privileges to roles using the With Grant Option
+  ALLOW_WGO_FOR_ROLES,
+
   BMO_MEMORY_ESTIMATE_OUTLIER_FACTOR,
 
   // Use the earlier implementation of HdfsScan via libhdfs

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
index 64e794a..bbf85ee 100644
--- a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
+++ b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
@@ -840,11 +840,12 @@ PrivStatus PrivMgrComponentPrivileges::grantPrivilege(
       // more items in the list fail and in cases of "ALL".                                             
       if (!componentOperations.nameExists(componentUID,operationName))
       {
-         *pDiags_ << DgSqlCode(-CAT_TABLE_DOES_NOT_EXIST_ERROR)
-                  << DgTableName(operationName.c_str());
+         *pDiags_ << DgSqlCode(-CAT_INVALID_COMPONENT_PRIVILEGE)
+                  << DgString0(operationName.c_str())
+                  << DgString1(componentName.c_str());
          return STATUS_ERROR;
       }
-      
+
       std::string operationCode;
       bool isSystemOperation = FALSE;
       std::string operationDescription;

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/PrivMgrPrivileges.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.cpp b/core/sql/sqlcomp/PrivMgrPrivileges.cpp
index ba7d00f..46ec01c 100644
--- a/core/sql/sqlcomp/PrivMgrPrivileges.cpp
+++ b/core/sql/sqlcomp/PrivMgrPrivileges.cpp
@@ -1361,7 +1361,7 @@ PrivStatus PrivMgrPrivileges::grantObjectPriv(
   PrivMgrDesc privsToGrant(granteeID);
   PrivMgrDesc privsOfTheGrantor(grantorID_);
   std::vector<int_32> roleIDs;
-  retcode = initGrantRevoke(objectType, granteeID,
+  retcode = initGrantRevoke(objectType, granteeID, grantorName,
                             privsList, colPrivsArray,
                             isAllSpecified, isWGOSpecified, true,
                             privsToGrant, privsOfTheGrantor, roleIDs);
@@ -1380,9 +1380,23 @@ PrivStatus PrivMgrPrivileges::grantObjectPriv(
     warnNotAll = true;
 
   // If nothing left to grant, we are done.
+  // If one of the users roles has privilege, indicate in error message
   if ( privsToGrant.isNull() )
   {
-    *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_GRANTED);
+    std::string rolesWithPrivs;
+    if (getRolesToCheck(grantorID_, roleIDs, objectType, rolesWithPrivs)== STATUS_GOOD)
+    {
+      if (rolesWithPrivs.size() > 0)
+      {
+        *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_GRANTED)
+                 << DgString0 (grantorName.c_str())
+                 << DgString1 (rolesWithPrivs.c_str());
+        return STATUS_ERROR;
+      }
+    }
+
+    *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_GRANTED)
+             << DgString0 (grantorName.c_str());
     return STATUS_ERROR;
   }
 
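Review bot: The role-hint block added under `privsToGrant.isNull()` is repeated almost verbatim in initGrantRevoke and revokeObjectPriv later in this diff, which makes it easy for the three copies to disagree on the error code. A small private helper would keep them aligned: it takes the SQL code and grantorName, calls getRolesToCheck, and appends `DgString1` only when rolesWithPrivs is non-empty. The early `return STATUS_ERROR` inside the nested `if` then goes away, since both branches already raise the same code and return the same status.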
@@ -1708,6 +1722,7 @@ PrivStatus privStatus = objectPrivsTable.insert(row);
 PrivStatus PrivMgrPrivileges::initGrantRevoke(
     const ComObjectType objectType,
     const int32_t granteeID,
+    const std::string &grantorName,
     const std::vector<PrivType> &privList,
     const std::vector<ColPrivSpec> & colPrivsArray,
     const bool isAllSpecified,
@@ -1742,11 +1757,6 @@ PrivStatus PrivMgrPrivileges::initGrantRevoke(
   if (generateColumnRowList() == STATUS_ERROR)
     return STATUS_ERROR; 
     
-  // get roleIDs for the grantor
-  retcode = getRoleIDsForUserID(grantorID_,roleIDs);
-  if (retcode == STATUS_ERROR)
-    return retcode;
-
   // get column and object privileges across all grantors 
   bool hasManagePrivileges;
   retcode = getUserPrivs(objectType, grantorID_, roleIDs, privsOfTheGrantor,
@@ -1754,10 +1764,28 @@ PrivStatus PrivMgrPrivileges::initGrantRevoke(
   if (retcode != STATUS_GOOD)
     return retcode;
 
+  // get roleIDs for the grantor
+  retcode = getRoleIDsForUserID(grantorID_,roleIDs);
+  if (retcode == STATUS_ERROR)
+    return retcode;
+
   // If null, the grantor has no privileges
-  if ( privsOfTheGrantor.isNull() )
+ if ( privsOfTheGrantor.isNull() )
   {
-    *pDiags_ << DgSqlCode ((isGrant) ? -CAT_PRIVILEGE_NOT_GRANTED : -CAT_PRIVILEGE_NOT_REVOKED);
+    std::string rolesWithPrivs;
+    if (getRolesToCheck(grantorID_, roleIDs, objectType, rolesWithPrivs)== STATUS_GOOD)
+    {
+      if (rolesWithPrivs.size() > 0)
+      {
+        *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_GRANTED)
+                 << DgString0 (grantorName.c_str())
+                 << DgString1 (rolesWithPrivs.c_str());
+        return STATUS_ERROR;
+      }
+    }
+
+    *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_GRANTED)
+             << DgString0 (grantorName.c_str());
     return STATUS_ERROR;
   }
 
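Review bot: The rewritten `privsOfTheGrantor.isNull()` branch always raises -CAT_PRIVILEGE_NOT_GRANTED, where the removed line chose -CAT_PRIVILEGE_NOT_REVOKED when isGrant was false; the revokeObjectPriv hunk at -3270 makes the same substitution. A failed REVOKE would then report that no privileges were granted. Keep the selection, `DgSqlCode(isGrant ? -CAT_PRIVILEGE_NOT_GRANTED : -CAT_PRIVILEGE_NOT_REVOKED)`, and pass the string parameters on the revoke side only if that message text accepts them (the message file is not shown here). The move of getRoleIDsForUserID to after getUserPrivs also deserves a comment, because that order appears to decide whether privileges held through roles count for the grantor, and a later cleanup could silently move it back.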
@@ -3249,7 +3277,7 @@ PrivStatus PrivMgrPrivileges::revokeObjectPriv (const ComObjectType objectType,
   PrivMgrDesc privsToRevoke(granteeID);
   PrivMgrDesc privsOfTheGrantor(grantorID_);
   std::vector<int_32> roleIDs;
-  retcode = initGrantRevoke(objectType, granteeID,
+  retcode = initGrantRevoke(objectType, granteeID, grantorName,
                             privsList, colPrivsArray,
                             isAllSpecified, isGOFSpecified, false,
                             privsToRevoke, privsOfTheGrantor, roleIDs);
@@ -3270,7 +3298,20 @@ PrivStatus PrivMgrPrivileges::revokeObjectPriv (const ComObjectType objectType,
   // If nothing left to revoke, we are done.
   if ( privsToRevoke.isNull() )
   {
-    *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_REVOKED);
+    std::string rolesWithPrivs;
+    if (getRolesToCheck(grantorID_, roleIDs, objectType, rolesWithPrivs)== STATUS_GOOD)
+    {
+      if (rolesWithPrivs.size() > 0)
+      {
+        *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_GRANTED)
+                 << DgString0 (grantorName.c_str())
+                 << DgString1 (rolesWithPrivs.c_str());
+        return STATUS_ERROR;
+      }
+    }
+
+    *pDiags_ << DgSqlCode (-CAT_PRIVILEGE_NOT_GRANTED)
+             << DgString0 (grantorName.c_str());
     return STATUS_ERROR;
   }
 
@@ -3788,7 +3829,7 @@ bool PrivMgrPrivileges::checkColumnRevokeRestrict (
 }
 
 // ----------------------------------------------------------------------------
-//  method:  scanObjectBranch 
+//  method:  scanColumnBranch 
 // 
 //   scans the privsList entries for match on Grantor,
 //   keeping track of which priv/wgo entries have been encountered
@@ -3835,7 +3876,6 @@ void PrivMgrPrivileges::scanColumnBranch( const PrivType pType,
     ColumnPrivsMDRow &currentRow = static_cast<ColumnPrivsMDRow &> (*rowList[i]);
     if (currentRow.grantorID_ == grantor)
     {
-
       // Just look at rows that have had privileges changed
       // The listOfColumnOrdinals has this list
       PrivMgrCoreDesc current = currentRow.current_;
@@ -3864,15 +3904,33 @@ void PrivMgrPrivileges::scanColumnBranch( const PrivType pType,
               if ( ComUser::isPublicUserID(thisGrantee) )
                 scanPublic( pType, //  Deal with PUBLIC grantee wgo.
                             rowList );
+  
               else
               {
-                int32_t granteeAsGrantor(thisGrantee);
+                int32_t granteeAsGrantor;
+                if (isRoleID(thisGrantee))
+                {
+                  std::vector<int32_t> roleIDs;
+                  std::vector<int32_t> userIDs;
+                  roleIDs.push_back(thisGrantee);
+                  if (getUserIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR)
+                    return;
+                  for (size_t j = 0; j < userIDs.size(); j++)
+                  {
+                     granteeAsGrantor = userIDs[j];
+                     scanColumnBranch( pType, // Scan for this grantee as grantor.
+                                       granteeAsGrantor,
+                                       listOfColumnOrdinals,
+                                       rowList );
+                  }
+                }
+                granteeAsGrantor = thisGrantee;
                 scanColumnBranch( pType, // Scan for this grantee as grantor.
-                               granteeAsGrantor,
-                               listOfColumnOrdinals,
-                               rowList );
-              }
-            }
+                                  granteeAsGrantor,
+                                  listOfColumnOrdinals,
+                                  rowList );
+              } // end process non public auth ID
+            } // end visit row
           }  // end this grantee has wgo
         }  // end this grantee has this priv
       } // correct column ordinal
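Review bot: The bare `return;` after `getUserIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR` ends the scan without telling the caller, because scanColumnBranch is void. Rows not yet visited stay unmarked, so whatever consumes the scan result (outside this hunk; checkColumnRevokeRestrict is the neighbouring method) may treat a truncated walk as a complete one. The failure should reach the caller, either through a status return or a flag the restrict check tests, so that an unreadable role membership cannot be read as "no dependent grants". At minimum the line needs a comment such as `// scan incomplete: role members could not be read`. The function body starts and ends outside this hunk.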
@@ -4445,6 +4503,50 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors(
 }
 
 
+// ----------------------------------------------------------------------------
+// method: getRolesToCheck
+//
+// This method checks all the roles granted to the user and returns a comma
+// separated list of those roles that have privileges on the target object.
+// ----------------------------------------------------------------------------
+PrivStatus PrivMgrPrivileges::getRolesToCheck(
+  const int32_t grantorID,
+  const std::vector<int32_t> & roleIDs,
+  const ComObjectType objectType,
+  std::string &rolesWithPrivs)
+{
+  int32_t length;
+  char roleName[MAX_DBUSERNAME_LEN + 1];
+  std::vector<int_32> emptyRoleIDs;
+  bool hasManagePrivPriv = false;
+
+  for (size_t r = 0; r < roleIDs.size(); r++)
+  {
+    PrivMgrDesc privsOfTheRole(roleIDs[r],true);
+    if (getUserPrivs(objectType, roleIDs[r], emptyRoleIDs, privsOfTheRole,
+                     hasManagePrivPriv) != STATUS_GOOD)
+      return STATUS_ERROR;
+
+    if (!privsOfTheRole.isNull())
+    {
+      // just return what getAuthNameFromAuthID returns
+      ComUser::getAuthNameFromAuthID(roleIDs[r],roleName, sizeof(roleName),length);
+      if (r > 0)
+        rolesWithPrivs += ", ";
+      rolesWithPrivs += roleName;
+    }
+  }
+
+  if (rolesWithPrivs.size() > 0)
+  {
+    rolesWithPrivs.insert (0,"Please retry using the BY clause for one of the following roles (");
+    rolesWithPrivs += ").";
+  }
+
+  return STATUS_GOOD;
+}
+
+
 // *****************************************************************************
 // * Method: getRowsForGrantee                                
 // *                                                       
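Review bot: In getRolesToCheck the result of `ComUser::getAuthNameFromAuthID` is ignored and `roleName` is declared without an initialiser. If the lookup can fail without writing the buffer (not visible here), `rolesWithPrivs += roleName` copies indeterminate bytes into a user-facing error message. Declare it as `char roleName[MAX_DBUSERNAME_LEN + 1] = {0};` and skip the role when the call reports failure. The `grantorID` parameter is never read in the body and could be dropped or documented as reserved.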

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/PrivMgrPrivileges.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.h b/core/sql/sqlcomp/PrivMgrPrivileges.h
index effec96..e0597a2 100644
--- a/core/sql/sqlcomp/PrivMgrPrivileges.h
+++ b/core/sql/sqlcomp/PrivMgrPrivileges.h
@@ -348,6 +348,12 @@ private:
      int32_t userID,
      std::vector<int32_t> & roleIDs);
      
+  PrivStatus getRolesToCheck(
+    const int32_t grantorID,
+    const std::vector<int32_t> & roleIDs,
+    const ComObjectType schemaType,
+    std::string &rolesToCheck);
+
   PrivStatus getRowsForGrantee(
     const int64_t objectUID,
     const int32_t granteeID,
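Review bot: The declaration of getRolesToCheck names its last two parameters `schemaType` and `rolesToCheck`, while the definition in PrivMgrPrivileges.cpp uses `objectType` and `rolesWithPrivs`. Matching the names and adding a short comment would make the header readable on its own, e.g. `// Sets rolesWithPrivs to a hint listing the roles in roleIDs that hold privileges on the object`. The comment should also state that the string comes back empty when no role qualifies, since all three callers test `rolesWithPrivs.size() > 0`.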
@@ -373,6 +379,7 @@ private:
   PrivStatus initGrantRevoke(
     const ComObjectType objectType,
     const int32_t granteeID,
+    const std::string &grantorName,
     const std::vector<PrivType> &privList,
     const std::vector<ColPrivSpec> & colPrivsArray,
     const bool isAllSpecified,

http://git-wip-us.apache.org/repos/asf/trafodion/blob/03a96998/core/sql/sqlcomp/nadefaults.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/nadefaults.cpp b/core/sql/sqlcomp/nadefaults.cpp
index 244a2bc..f3d2f67 100644
--- a/core/sql/sqlcomp/nadefaults.cpp
+++ b/core/sql/sqlcomp/nadefaults.cpp
@@ -424,6 +424,9 @@ SDDkwd__(ALLOW_DP2_ROW_SAMPLING,               "SYSTEM"),
 
   DDkwd__(ALLOW_UNEXTERNALIZED_MAINTAIN_OPTIONS, "OFF"),
 
+  // Allow users to grant privileges to role using the with grant option
+  DDkwd__(ALLOW_WGO_FOR_ROLES,                  "ON"),
+
   DDSkwd__(ALTPRI_ESP,                          ""),
   DDSkwd__(ALTPRI_MASTER,	                ""),
 
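Review bot: ALLOW_WGO_FOR_ROLES defaults to "ON", so the role checks added in this commit are inactive until someone turns the setting off. TEST143 in the same commit also flips it with a plain `cqd ALLOW_WGO_FOR_ROLES 'on';` inside the session. If any user may issue that statement (not visible here), the setting is a guard-rail rather than an enforced restriction, and an administrator who sets it to 'OFF' should not rely on it to stop grant-option propagation through roles. The comment should say so, e.g. `// Guard-rail only: session-level CQD, default ON; not an authorization control`. The same wording belongs on the enum entry in DefaultConstants.h.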


[2/3] trafodion git commit: Added new/changed errors to messages guide. Fixed issue generating error text for error 1012.

Posted by rm...@apache.org.
Added new/changed errors to messages guide.
Fixed issue generating error text for error 1012.


Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/c04fc453
Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/c04fc453
Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/c04fc453

Branch: refs/heads/master
Commit: c04fc45373802fd40a4a05f2bfa2caeda3c4450d
Parents: 03a9699
Author: Roberta Marton <ro...@apache.org>
Authored: Tue Apr 24 22:15:08 2018 +0000
Committer: Roberta Marton <ro...@apache.org>
Committed: Tue Apr 24 22:15:08 2018 +0000

----------------------------------------------------------------------
 core/sql/sqlcomp/PrivMgrPrivileges.cpp          |  2 +-
 .../src/asciidoc/_chapters/ddl_msgs.adoc        | 38 ++++++++++++++++----
 2 files changed, 32 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafodion/blob/c04fc453/core/sql/sqlcomp/PrivMgrPrivileges.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.cpp b/core/sql/sqlcomp/PrivMgrPrivileges.cpp
index 46ec01c..513a2bd 100644
--- a/core/sql/sqlcomp/PrivMgrPrivileges.cpp
+++ b/core/sql/sqlcomp/PrivMgrPrivileges.cpp
@@ -4531,7 +4531,7 @@ PrivStatus PrivMgrPrivileges::getRolesToCheck(
     {
       // just return what getAuthNameFromAuthID returns
       ComUser::getAuthNameFromAuthID(roleIDs[r],roleName, sizeof(roleName),length);
-      if (r > 0)
+      if (rolesWithPrivs.size() > 0)
         rolesWithPrivs += ", ";
       rolesWithPrivs += roleName;
     }
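Review bot: The `ComUser::getAuthNameFromAuthID` call just above the changed test discards its result, so `roleName` is appended to `rolesWithPrivs` whether or not the lookup filled the buffer. If that call reports failure through its return value (its declaration is not visible here), a stale or unset name could end up in the role list that this function builds. Either check the result before the append, or replace the existing comment with one that states the guarantee being relied on, for example `// on lookup failure roleName still holds a printable form of the ID, so it is safe to append` (to be confirmed against ComUser). The loop and the rest of getRolesToCheck lie outside the hunk.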

http://git-wip-us.apache.org/repos/asf/trafodion/blob/c04fc453/docs/messages_guide/src/asciidoc/_chapters/ddl_msgs.adoc
----------------------------------------------------------------------
diff --git a/docs/messages_guide/src/asciidoc/_chapters/ddl_msgs.adoc b/docs/messages_guide/src/asciidoc/_chapters/ddl_msgs.adoc
index 5d2b6b3..6c8d5d8 100644
--- a/docs/messages_guide/src/asciidoc/_chapters/ddl_msgs.adoc
+++ b/docs/messages_guide/src/asciidoc/_chapters/ddl_msgs.adoc
@@ -195,9 +195,14 @@ This is currently not supported.
 == SQL 1012
 
 ```
-No privileges were granted. You lack grant option on the specified privileges.
+No privileges were granted.  <auth_id> lacks grant option on the specified privileges. <details>.
 ```
 
+Where <auth-id> is a {project-name} user name.
+
+Where <details> suggests roles you can specify in order for the grant to succeed.
+If <auth_id> has not been granted any relevant roles, <details> is omitted.
+
 *Cause:* You attempted to grant privileges for which you do not have
 grant options.
 
@@ -1889,6 +1894,26 @@ overlap in meaning. {project-name} requires the former construct to match the la
 
 *Recovery:* Either remove the <clause-name> clause (as it is redundant) or change it to match the primary key. Then resubmit.
 
+[[SQL-1194]]
+== SQL 1194
+
+```
+Component operation <operation> does not exist for component <component-name>.
+```
+
+Where <operation> is the operation assigned to a component.
+
+Where <component-name> is the name of a valid component.
+
+*Cause:* Components are assigned a set of operations that can be granted privileges.  The requested <operation>
+is not assigned to component <component-name>.
+
+*Effect:* The operation fails.
+
+*Recovery:* Perform "get privileges on component <component-name>" to get the list of valid operations (privileges) for the 
+component and retry the request.
+
+<<<
 [[SQL-1195]]
 == SQL 1195
 
@@ -1904,7 +1929,6 @@ Where <column-name> is the name of a column specified in a SALT clause.
 
 *Recovery:* Correct the column name then resubmit.
 
-<<<
 [[SQL-1196]]
 == SQL 1196
 
@@ -1923,6 +1947,7 @@ Where <upper-bound> is the largest allowable number of salt partitions supported
 
 *Recovery:* Correct the SALT clause then resubmit.
 
+<<<
 [[SQL-1197]]
 == SQL 1197
 
@@ -1941,7 +1966,6 @@ Where <stored-procedure-name> is the name of an internal stored procedure.
 *Recovery:* None. Report this error and the associated SQL
 operation to the {project-name} User Distribution List.
 
-<<<
 [[SQL-1199]]
 == SQL 1199
 
@@ -1955,6 +1979,7 @@ The PARTITION BY clause is not allowed for a Trafodion table.
 
 *Recovery:* Remove the PARTITION BY clause from the DDL statement and resubmit.
 
+<<<
 [[SQL-1200]]
 == SQL 1200
 
@@ -1973,7 +1998,6 @@ A failure occurred at the HDFS or Hive level. The diagnostics contain more infor
 
 *Recovery:* Address the indicated issue at the HDFS or Hive level, then resubmit.
 
-<<<
 [[SQL-1201]]
 == SQL 1201
 
@@ -1990,6 +2014,7 @@ SALT LIKE TABLE is not allowed for unique indexes.
 
 *Recovery:* Remove either the UNIQUE keyword or the SALT LIKE TABLE clause and resubmit.
 
+<<<
 [[SQL-1202]]
 == SQL 1202
 
@@ -2008,7 +2033,6 @@ a table that is not salted.
 
 *Recovery:* Remove the SALT LIKE TABLE clause and resubmit.
 
-<<<
 [[SQL-1203]]
 == SQL 1203
 
@@ -2025,6 +2049,7 @@ characters of HBase options, exceeding the length limit that {project-name} supp
 
 *Recovery:* Shorten the set of options specified in HBASE_OPTIONS and resubmit.
 
+<<<
 [[SQL-1204]]
 == SQL 1204
 
@@ -2041,7 +2066,6 @@ that {project-name} does not support.
 
 *Recovery:* If the wrong Hive table was referenced, correct the reference and resubmit.
 
-<<<
 [[SQL-1214]]
 == SQL 1214
 
@@ -2060,6 +2084,7 @@ and Hive detected errors in that statement.
 
 *Recovery:* Determine the proper recovery action from the <Hive-exception-info> then resubmit.
 
+<<<
 [[SQL-1215]]
 == SQL 1215
 
@@ -2078,7 +2103,6 @@ about that object.
 
 *Recovery:* Determine the proper recovery action from the <diagnostics> then resubmit.
 
-<<<
 [[SQL-1220]]
 == SQL 1220
 


[3/3] trafodion git commit: Merge [TRAFODION-2542] pr 1536 Grantor is not correct when granting privileges

Posted by rm...@apache.org.
Merge [TRAFODION-2542] pr 1536 Grantor is not correct when granting privileges


Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/dd051ea6
Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/dd051ea6
Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/dd051ea6

Branch: refs/heads/master
Commit: dd051ea60bd2881627f7d324dc5ed84236688626
Parents: 9a90338 c04fc45
Author: Roberta Marton <ro...@apache.org>
Authored: Wed Apr 25 15:25:16 2018 +0000
Committer: Roberta Marton <ro...@apache.org>
Committed: Wed Apr 25 15:25:16 2018 +0000

----------------------------------------------------------------------
 core/sql/bin/SqlciErrors.txt                    |   4 +-
 core/sql/regress/core/EXPECTED131               |   8 +-
 core/sql/regress/core/TEST131                   |   4 +-
 core/sql/regress/privs1/EXPECTED120             |  47 +++--
 core/sql/regress/privs1/EXPECTED137             |  30 +--
 core/sql/regress/privs1/TEST120                 |  23 +--
 core/sql/regress/privs1/TEST137                 |  22 ++-
 core/sql/regress/privs2/EXPECTED140             |  16 +-
 core/sql/regress/privs2/EXPECTED143             |  16 +-
 core/sql/regress/privs2/EXPECTED144             |   4 +-
 core/sql/regress/privs2/TEST143                 |   3 +
 core/sql/regress/privs2/TEST144                 |   2 +-
 core/sql/sqlcomp/CmpDDLCatErrorCodes.h          |   1 +
 core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp        | 184 ++++++++-----------
 core/sql/sqlcomp/CmpSeabaseDDLtable.cpp         |  33 ++++
 core/sql/sqlcomp/DefaultConstants.h             |   3 +
 core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp |   7 +-
 core/sql/sqlcomp/PrivMgrPrivileges.cpp          | 140 ++++++++++++--
 core/sql/sqlcomp/PrivMgrPrivileges.h            |   7 +
 core/sql/sqlcomp/nadefaults.cpp                 |   3 +
 .../src/asciidoc/_chapters/ddl_msgs.adoc        |  38 +++-
 21 files changed, 376 insertions(+), 219 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafodion/blob/dd051ea6/core/sql/regress/privs1/EXPECTED137
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/trafodion/blob/dd051ea6/core/sql/regress/privs1/TEST137
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/trafodion/blob/dd051ea6/core/sql/sqlcomp/DefaultConstants.h
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/trafodion/blob/dd051ea6/core/sql/sqlcomp/nadefaults.cpp
----------------------------------------------------------------------