Posted to derby-commits@db.apache.org by mi...@apache.org on 2006/09/26 02:10:46 UTC

svn commit: r449869 - in /db/derby/code/trunk/java: engine/org/apache/derby/iapi/sql/compile/ engine/org/apache/derby/iapi/sql/conn/ engine/org/apache/derby/iapi/sql/dictionary/ engine/org/apache/derby/impl/sql/compile/ testing/org/apache/derbyTesting/...

Author: mikem
Date: Mon Sep 25 17:10:45 2006
New Revision: 449869

URL: http://svn.apache.org/viewvc?view=rev&rev=449869
Log:
DERBY-1858
contributed by Yip Ng
patch: derby1858-trunk-diff02.txt

Fixes the problem that DropSchemaNode's bind phase did not add the required 
schema privilege to be checked at runtime.


Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java Mon Sep 25 17:10:45 2006
@@ -540,9 +540,9 @@
 	 *
 	 * @param schema	Schema name of the object that is being accessed
 	 * @param aid		Requested authorizationId for new schema
-	 * @param privType	Either CREATE_SCHEMA_PRIV or MODIFY_SCHEMA_PRIV
+	 * @param privType	CREATE_SCHEMA_PRIV, MODIFY_SCHEMA_PRIV or DROP_SCHEMA_PRIV
 	 */
-	public void addRequiredSchemaPriv(String schema, String aid, boolean privType);
+	public void addRequiredSchemaPriv(String schema, String aid, int privType);
 
 	/**
 	 * Add a routine execute privilege to the list of used routine privileges.
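Review bot: The `@param aid` text still reads "Requested authorizationId for new schema", which describes only the CREATE_SCHEMA_PRIV case. With DROP_SCHEMA_PRIV added, DropSchemaNode in this commit passes `lcc.getAuthorizationId()` here, yet the MODIFY/DROP branch of StatementSchemaPermission's check compares `authid` with the schema owner and never reads `aid`. I would say so in the Javadoc, e.g. `@param aid Requested authorizationId for new schema; only consulted for CREATE_SCHEMA_PRIV`, so callers do not assume the value takes part in the drop check. The Javadoc block starts outside the hunk.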

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java Mon Sep 25 17:10:45 2006
@@ -60,9 +60,10 @@
 	public static final int PRIV_TYPE_COUNT = 7;
 
 	/* Used to check who can create schemas or who can modify objects in schema */
-	public static final boolean CREATE_SCHEMA_PRIV = false;
-	public static final boolean MODIFY_SCHEMA_PRIV = true;
-
+	public static final int CREATE_SCHEMA_PRIV = 16;
+	public static final int MODIFY_SCHEMA_PRIV = 17;
+	public static final int DROP_SCHEMA_PRIV = 18;
+	
 	/**
 	 * The system authorization ID is defined by the SQL2003 spec as the grantor
 	 * of privileges to object owners.
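Review bot: The comment above these constants still covers only creating schemas and modifying objects in a schema, and nothing explains the values 16–18. I would update it to `/* Schema privilege types: who can create a schema, modify objects in a schema, or drop a schema */` and add a short remark on why the numbering starts at 16 (presumably to stay clear of the privilege types counted by PRIV_TYPE_COUNT; confirm). Since these are now plain `int`s, a caller can pass a value outside the three constants, so every consumer needs a branch that denies unknown values.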

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java Mon Sep 25 17:10:45 2006
@@ -27,6 +27,7 @@
 import org.apache.derby.iapi.sql.dictionary.SchemaDescriptor;
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
 import org.apache.derby.iapi.store.access.TransactionController;
+import org.apache.derby.iapi.services.sanity.SanityManager;
 
 /**
  * This class describes a schema permission required by a statement.
@@ -34,11 +35,21 @@
 
 public class StatementSchemaPermission extends StatementPermission
 {
+	/**
+	 * The schema name 
+	 */
 	private String schemaName;
-	private String aid;
-	private boolean privType;
+	/**
+	 * Authorization id
+	 */
+	private String aid;  
+	/**	 
+	 * One of Authorizer.CREATE_SCHEMA_PRIV, MODIFY_SCHEMA_PRIV,  
+	 * DROP_SCHEMA_PRIV, etc.
+	 */ 
+	private int privType;  
 
-	public StatementSchemaPermission(String schemaName, String aid, boolean privType)
+	public StatementSchemaPermission(String schemaName, String aid, int privType)
 	{
 		this.schemaName = schemaName;
 		this.aid 	= aid;
@@ -55,26 +66,39 @@
 		DataDictionary dd =	lcc.getDataDictionary();
 		TransactionController tc = lcc.getTransactionExecute();
 	
-		if (privType == Authorizer.MODIFY_SCHEMA_PRIV)
+		switch ( privType )
 		{
-			SchemaDescriptor sd = dd.getSchemaDescriptor(schemaName, tc, false);
-			// If schema hasn't been created already, no need to check
-			if (sd == null)
-				return;
+			case Authorizer.MODIFY_SCHEMA_PRIV:
+			case Authorizer.DROP_SCHEMA_PRIV:
+				SchemaDescriptor sd = dd.getSchemaDescriptor(schemaName, tc, false);
+				// If schema hasn't been created already, no need to check
+				// for drop schema, an exception will be thrown if the schema 
+				// does not exists.
+				if (sd == null)
+					return;
 
-			if (!authid.equals(sd.getAuthorizationId()))
-				throw StandardException.newException(
-					SQLState.AUTH_NO_ACCESS_NOT_OWNER, authid, schemaName);
-		}
-		else
-		{
-			// Non-Database Owner Users can only create schemas that match 
-			// their authid. Also allow only Database Owner to set authid to 
-			// another user. Note that for Database Owner, check interface 
-			// wouldn't be called at all
-			if (!schemaName.equals(authid) || (aid != null && !aid.equals(authid)))
-				throw StandardException.newException(
-					SQLState.AUTH_NOT_DATABASE_OWNER, authid, schemaName);
+				if (!authid.equals(sd.getAuthorizationId()))
+					throw StandardException.newException(
+						SQLState.AUTH_NO_ACCESS_NOT_OWNER, authid, schemaName);
+				break;
+			
+			case Authorizer.CREATE_SCHEMA_PRIV:
+				// Non-DBA Users can only create schemas that match their authid
+				// Also allow only DBA to set authid to another user
+				// Note that for DBA, check interface wouldn't be called at all
+				if ( !schemaName.equals(authid) || 
+						(aid != null && !aid.equals(authid)) )
+					throw StandardException.newException(
+						SQLState.AUTH_NOT_DATABASE_OWNER, authid, schemaName);
+				break;
+			
+			default:
+				if (SanityManager.DEBUG)
+				{
+					SanityManager.THROWASSERT(
+							"Unexpected value (" + privType + ") for privType");
+				}
+				break;
 		}
 	}
 
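Review bot: The `default:` branch of the new `switch ( privType )` fails open when `SanityManager.DEBUG` is false: the `THROWASSERT` is skipped, control reaches `break`, and the check returns without rejecting anything. Now that `privType` is an `int` rather than a `boolean`, a value outside the three constants is possible, and an authorization check should deny by default. Consider replacing the final `break;` with a throw that runs in every build, for example `throw StandardException.newException(SQLState.AUTH_NO_ACCESS_NOT_OWNER, authid, schemaName);`, or a dedicated SQLState if the project has a better fit. The enclosing method starts outside the hunk.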

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java Mon Sep 25 17:10:45 2006
@@ -807,7 +807,7 @@
 	 *
 	 * @see CompilerContext#addRequiredSchemaPriv
 	 */
-	public void addRequiredSchemaPriv(String schemaName, String aid, boolean privType)
+	public void addRequiredSchemaPriv(String schemaName, String aid, int privType)
 	{
 		if( requiredSchemaPrivileges == null || schemaName == null)
 			return;

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java Mon Sep 25 17:10:45 2006
@@ -21,6 +21,8 @@
 
 package	org.apache.derby.impl.sql.compile;
 
+import org.apache.derby.iapi.sql.compile.CompilerContext;
+import org.apache.derby.iapi.sql.conn.Authorizer;
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
 import org.apache.derby.iapi.sql.execute.ConstantAction;
 
@@ -71,6 +73,18 @@
                     SQLState.LANG_CANNOT_DROP_SYSTEM_SCHEMAS, this.schemaName));
 		}
 		
+        /* 
+        ** In SQL authorization mode, the current authorization identifier
+        ** must be either the owner of the schema or the database owner 
+        ** in order for the schema object to be dropped.
+        */
+        if (isPrivilegeCollectionRequired())
+        {
+            getCompilerContext().addRequiredSchemaPriv(schemaName, 
+                lcc.getAuthorizationId(), 
+                Authorizer.DROP_SCHEMA_PRIV);
+        }
+        
 		return this;
 	}
 

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out Mon Sep 25 17:10:45 2006
@@ -663,7 +663,12 @@
 0 rows inserted/updated/deleted
 ij(USER1)> CREATE SCHEMA myschema;
 0 rows inserted/updated/deleted
-ij(USER1)> -- -------------------------------------------------------------------
+ij(USER1)> -- DERBY-1858
+set connection user5;
+ij(USER5)> -- expect error
+DROP SCHEMA w3 RESTRICT;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER5)> -- -------------------------------------------------------------------
 -- views
 -- -------------------------------------------------------------------
 set connection user1;
@@ -1497,11 +1502,12 @@
 ij(USER4)> set connection user1;
 ij(USER1)> drop table user4.ttt1;
 0 rows inserted/updated/deleted
-ij(USER1)> -- set connection user2;
--- DERBY-1858
+ij(USER1)> set connection user2;
+ij(USER2)> -- DERBY-1858
 -- expect error
--- drop schema user4 restrict;
-set connection user1;
+drop schema user4 restrict;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER2)> set connection user1;
 ij(USER1)> -- ok
 drop schema user4 restrict;
 0 rows inserted/updated/deleted

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out Mon Sep 25 17:10:45 2006
@@ -657,7 +657,12 @@
 0 rows inserted/updated/deleted
 ij(USER1)> CREATE SCHEMA myschema;
 0 rows inserted/updated/deleted
-ij(USER1)> -- -------------------------------------------------------------------
+ij(USER1)> -- DERBY-1858
+set connection user5;
+ij(USER5)> -- expect error
+DROP SCHEMA w3 RESTRICT;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER5)> -- -------------------------------------------------------------------
 -- views
 -- -------------------------------------------------------------------
 set connection user1;
@@ -1491,11 +1496,12 @@
 ij(USER4)> set connection user1;
 ij(USER1)> drop table user4.ttt1;
 0 rows inserted/updated/deleted
-ij(USER1)> -- set connection user2;
--- DERBY-1858
+ij(USER1)> set connection user2;
+ij(USER2)> -- DERBY-1858
 -- expect error
--- drop schema user4 restrict;
-set connection user1;
+drop schema user4 restrict;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER2)> set connection user1;
 ij(USER1)> -- ok
 drop schema user4 restrict;
 0 rows inserted/updated/deleted

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql Mon Sep 25 17:10:45 2006
@@ -423,6 +423,11 @@
 CREATE SCHEMA AUTHORIZATION user6;
 CREATE SCHEMA myschema;
 
+-- DERBY-1858
+set connection user5;
+-- expect error
+DROP SCHEMA w3 RESTRICT;
+
 -- -------------------------------------------------------------------
 -- views
 -- -------------------------------------------------------------------
@@ -979,10 +984,10 @@
 set connection user1;
 drop table user4.ttt1;
 
--- set connection user2;
+set connection user2;
 -- DERBY-1858
 -- expect error
--- drop schema user4 restrict;
+drop schema user4 restrict;
 
 set connection user1;
 -- ok