Posted to derby-commits@db.apache.org by mi...@apache.org on 2006/09/26 02:10:46 UTC
svn commit: r449869 - in /db/derby/code/trunk/java:
engine/org/apache/derby/iapi/sql/compile/
engine/org/apache/derby/iapi/sql/conn/
engine/org/apache/derby/iapi/sql/dictionary/
engine/org/apache/derby/impl/sql/compile/ testing/org/apache/derbyTesting/...
Author: mikem
Date: Mon Sep 25 17:10:45 2006
New Revision: 449869
URL: http://svn.apache.org/viewvc?view=rev&rev=449869
Log:
DERBY-1858
contributed by Yip Ng
patch: derby1858-trunk-diff02.txt
Fixes the problem that DropSchemaNode's bind phase did not add the required
schema privilege to be checked at runtime.
Modified:
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java
db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/compile/CompilerContext.java Mon Sep 25 17:10:45 2006
@@ -540,9 +540,9 @@
*
* @param schema Schema name of the object that is being accessed
* @param aid Requested authorizationId for new schema
- * @param privType Either CREATE_SCHEMA_PRIV or MODIFY_SCHEMA_PRIV
+ * @param privType CREATE_SCHEMA_PRIV, MODIFY_SCHEMA_PRIV or DROP_SCHEMA_PRIV
*/
- public void addRequiredSchemaPriv(String schema, String aid, boolean privType);
+ public void addRequiredSchemaPriv(String schema, String aid, int privType);
/**
* Add a routine execute privilege to the list of used routine privileges.
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/Authorizer.java Mon Sep 25 17:10:45 2006
@@ -60,9 +60,10 @@
public static final int PRIV_TYPE_COUNT = 7;
/* Used to check who can create schemas or who can modify objects in schema */
- public static final boolean CREATE_SCHEMA_PRIV = false;
- public static final boolean MODIFY_SCHEMA_PRIV = true;
-
+ public static final int CREATE_SCHEMA_PRIV = 16;
+ public static final int MODIFY_SCHEMA_PRIV = 17;
+ public static final int DROP_SCHEMA_PRIV = 18;
+
/**
* The system authorization ID is defined by the SQL2003 spec as the grantor
* of privileges to object owners.
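Review bot: The comment above the three constants still reads `Used to check who can create schemas or who can modify objects in schema`, so it neither covers the new `DROP_SCHEMA_PRIV` nor explains why the values start at 16. I would reword it to something like `/* Schema-level checks: who can create a schema, modify objects in it, or drop it. */` and add a sentence on the numbering; presumably 16–18 are chosen to stay clear of the privilege-type indexes counted by `PRIV_TYPE_COUNT`, but the hunk does not show that, so confirm before writing it down. With the type widened from boolean to int, any value now compiles at a call site, which makes the documented set of legal values the only contract callers have.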
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java Mon Sep 25 17:10:45 2006
@@ -27,6 +27,7 @@
import org.apache.derby.iapi.sql.dictionary.SchemaDescriptor;
import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
import org.apache.derby.iapi.store.access.TransactionController;
+import org.apache.derby.iapi.services.sanity.SanityManager;
/**
* This class describes a schema permission required by a statement.
@@ -34,11 +35,21 @@
public class StatementSchemaPermission extends StatementPermission
{
+ /**
+ * The schema name
+ */
private String schemaName;
- private String aid;
- private boolean privType;
+ /**
+ * Authorization id
+ */
+ private String aid;
+ /**
+ * One of Authorizer.CREATE_SCHEMA_PRIV, MODIFY_SCHEMA_PRIV,
+ * DROP_SCHEMA_PRIV, etc.
+ */
+ private int privType;
- public StatementSchemaPermission(String schemaName, String aid, boolean privType)
+ public StatementSchemaPermission(String schemaName, String aid, int privType)
{
this.schemaName = schemaName;
this.aid = aid;
@@ -55,26 +66,39 @@
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
- if (privType == Authorizer.MODIFY_SCHEMA_PRIV)
+ switch ( privType )
{
- SchemaDescriptor sd = dd.getSchemaDescriptor(schemaName, tc, false);
- // If schema hasn't been created already, no need to check
- if (sd == null)
- return;
+ case Authorizer.MODIFY_SCHEMA_PRIV:
+ case Authorizer.DROP_SCHEMA_PRIV:
+ SchemaDescriptor sd = dd.getSchemaDescriptor(schemaName, tc, false);
+ // If schema hasn't been created already, no need to check
+ // for drop schema, an exception will be thrown if the schema
+ // does not exists.
+ if (sd == null)
+ return;
- if (!authid.equals(sd.getAuthorizationId()))
- throw StandardException.newException(
- SQLState.AUTH_NO_ACCESS_NOT_OWNER, authid, schemaName);
- }
- else
- {
- // Non-Database Owner Users can only create schemas that match
- // their authid. Also allow only Database Owner to set authid to
- // another user. Note that for Database Owner, check interface
- // wouldn't be called at all
- if (!schemaName.equals(authid) || (aid != null && !aid.equals(authid)))
- throw StandardException.newException(
- SQLState.AUTH_NOT_DATABASE_OWNER, authid, schemaName);
+ if (!authid.equals(sd.getAuthorizationId()))
+ throw StandardException.newException(
+ SQLState.AUTH_NO_ACCESS_NOT_OWNER, authid, schemaName);
+ break;
+
+ case Authorizer.CREATE_SCHEMA_PRIV:
+ // Non-DBA Users can only create schemas that match their authid
+ // Also allow only DBA to set authid to another user
+ // Note that for DBA, check interface wouldn't be called at all
+ if ( !schemaName.equals(authid) ||
+ (aid != null && !aid.equals(authid)) )
+ throw StandardException.newException(
+ SQLState.AUTH_NOT_DATABASE_OWNER, authid, schemaName);
+ break;
+
+ default:
+ if (SanityManager.DEBUG)
+ {
+ SanityManager.THROWASSERT(
+ "Unexpected value (" + privType + ") for privType");
+ }
+ break;
}
}
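Review bot: The `default:` branch fails open in non-debug builds: when `SanityManager.DEBUG` is false, an unexpected `privType` reaches `break` and the method returns exactly as it does when the check passes. Because `privType` is now a plain int, an authorization check should deny on a value it does not recognise, for example by replacing the final `break;` with `throw StandardException.newException(SQLState.AUTH_NO_ACCESS_NOT_OWNER, authid, schemaName);` after the `if (SanityManager.DEBUG)` block. Separately, `sd` is declared directly under a case label, so its scope is the whole switch; putting the MODIFY/DROP case body in braces would keep it local to that case. The enclosing method begins above this hunk.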
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java Mon Sep 25 17:10:45 2006
@@ -807,7 +807,7 @@
*
* @see CompilerContext#addRequiredSchemaPriv
*/
- public void addRequiredSchemaPriv(String schemaName, String aid, boolean privType)
+ public void addRequiredSchemaPriv(String schemaName, String aid, int privType)
{
if( requiredSchemaPrivileges == null || schemaName == null)
return;
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/DropSchemaNode.java Mon Sep 25 17:10:45 2006
@@ -21,6 +21,8 @@
package org.apache.derby.impl.sql.compile;
+import org.apache.derby.iapi.sql.compile.CompilerContext;
+import org.apache.derby.iapi.sql.conn.Authorizer;
import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
import org.apache.derby.iapi.sql.execute.ConstantAction;
@@ -71,6 +73,18 @@
SQLState.LANG_CANNOT_DROP_SYSTEM_SCHEMAS, this.schemaName));
}
+ /*
+ ** In SQL authorization mode, the current authorization identifier
+ ** must be either the owner of the schema or the database owner
+ ** in order for the schema object to be dropped.
+ */
+ if (isPrivilegeCollectionRequired())
+ {
+ getCompilerContext().addRequiredSchemaPriv(schemaName,
+ lcc.getAuthorizationId(),
+ Authorizer.DROP_SCHEMA_PRIV);
+ }
+
return this;
}
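Review bot: The second argument, `lcc.getAuthorizationId()`, is not read for this privilege type: in the StatementSchemaPermission switch changed by this commit, `aid` is consulted only in the `CREATE_SCHEMA_PRIV` case. A short comment at the call, such as `// aid is not used for DROP_SCHEMA_PRIV; the check compares its authid argument with the schema owner`, would stop readers assuming the id passed here is the one compared. The block comment also names the database owner, but no owner exemption is visible in this hunk or in the check itself; the CREATE branch comment suggests the check is not invoked for the DBA at all, and the comment here should say that if it holds. The bind method starts above the hunk.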
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL2.out Mon Sep 25 17:10:45 2006
@@ -663,7 +663,12 @@
0 rows inserted/updated/deleted
ij(USER1)> CREATE SCHEMA myschema;
0 rows inserted/updated/deleted
-ij(USER1)> -- -------------------------------------------------------------------
+ij(USER1)> -- DERBY-1858
+set connection user5;
+ij(USER5)> -- expect error
+DROP SCHEMA w3 RESTRICT;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER5)> -- -------------------------------------------------------------------
-- views
-- -------------------------------------------------------------------
set connection user1;
@@ -1497,11 +1502,12 @@
ij(USER4)> set connection user1;
ij(USER1)> drop table user4.ttt1;
0 rows inserted/updated/deleted
-ij(USER1)> -- set connection user2;
--- DERBY-1858
+ij(USER1)> set connection user2;
+ij(USER2)> -- DERBY-1858
-- expect error
--- drop schema user4 restrict;
-set connection user1;
+drop schema user4 restrict;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER2)> set connection user1;
ij(USER1)> -- ok
drop schema user4 restrict;
0 rows inserted/updated/deleted
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/jdk16/grantRevokeDDL2.out Mon Sep 25 17:10:45 2006
@@ -657,7 +657,12 @@
0 rows inserted/updated/deleted
ij(USER1)> CREATE SCHEMA myschema;
0 rows inserted/updated/deleted
-ij(USER1)> -- -------------------------------------------------------------------
+ij(USER1)> -- DERBY-1858
+set connection user5;
+ij(USER5)> -- expect error
+DROP SCHEMA w3 RESTRICT;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER5)> -- -------------------------------------------------------------------
-- views
-- -------------------------------------------------------------------
set connection user1;
@@ -1491,11 +1496,12 @@
ij(USER4)> set connection user1;
ij(USER1)> drop table user4.ttt1;
0 rows inserted/updated/deleted
-ij(USER1)> -- set connection user2;
--- DERBY-1858
+ij(USER1)> set connection user2;
+ij(USER2)> -- DERBY-1858
-- expect error
--- drop schema user4 restrict;
-set connection user1;
+drop schema user4 restrict;
+ERROR: Failed with SQLSTATE 2850D
+ij(USER2)> set connection user1;
ij(USER1)> -- ok
drop schema user4 restrict;
0 rows inserted/updated/deleted
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql?view=diff&rev=449869&r1=449868&r2=449869
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL2.sql Mon Sep 25 17:10:45 2006
@@ -423,6 +423,11 @@
CREATE SCHEMA AUTHORIZATION user6;
CREATE SCHEMA myschema;
+-- DERBY-1858
+set connection user5;
+-- expect error
+DROP SCHEMA w3 RESTRICT;
+
-- -------------------------------------------------------------------
-- views
-- -------------------------------------------------------------------
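Review bot: Both cases enabled by this commit are negative ones (user5 on `w3` here, user2 on `user4` in the later hunk); the visible lines show no case where a schema owner who is not the database owner drops its own schema and succeeds. The only passing drop shown is run as user1, which looks like the database owner and so may never reach the new `authid.equals(sd.getAuthorizationId())` comparison. I would add a positive case next to this one, along the lines of `set connection <owner-of-an-empty-schema>;` followed by `-- ok` and `DROP SCHEMA <that-schema> RESTRICT;`, so that a regression which rejects legitimate owners is caught as well as one which admits non-owners.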
@@ -979,10 +984,10 @@
set connection user1;
drop table user4.ttt1;
--- set connection user2;
+set connection user2;
-- DERBY-1858
-- expect error
--- drop schema user4 restrict;
+drop schema user4 restrict;
set connection user1;
-- ok