hawq-commits mailing list archives

From xunzh...@apache.org
Subject incubator-hawq git commit: Package oids inside one query to requestt RPS.
Date Mon, 05 Dec 2016 11:14:39 GMT
Repository: incubator-hawq
Updated Branches:
  refs/heads/ranger b22d20887 -> 125d013d3


Package oids inside one query to request RPS.


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/125d013d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/125d013d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/125d013d

Branch: refs/heads/ranger
Commit: 125d013d317fa46c7ea1904788a803b91e9a3f8b
Parents: b22d208
Author: xunzhang <xunzhangthu@gmail.com>
Authored: Mon Dec 5 19:12:18 2016 +0800
Committer: xunzhang <xunzhangthu@gmail.com>
Committed: Mon Dec 5 19:12:18 2016 +0800

----------------------------------------------------------------------
 src/backend/catalog/aclchk.c        | 49 ++++++++++++++++++-
 src/backend/cdb/cdbutil.c           |  1 +
 src/backend/libpq/rangerrest.c      |  4 ++
 src/backend/libpq/rangerrest.h      | 39 ---------------
 src/backend/parser/parse_relation.c | 82 +++++++++++++++++++++++++++++++-
 src/include/parser/parse_relation.h |  1 +
 src/include/utils/acl.h             | 16 +++++++
 src/include/utils/rangerrest.h      | 39 +++++++++++++++
 8 files changed, 190 insertions(+), 41 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/catalog/aclchk.c
----------------------------------------------------------------------
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 06f20f3..e6dfa46 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -227,6 +227,7 @@ restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs,
 	if (avail_goptions == ACL_NO_RIGHTS)
 	{
 	  if (enable_ranger) {
+	    elog(LOG, "restrict_and_check_grant: here\n");
 	    if (pg_rangercheck(objkind, objectId, grantorId,
 	        whole_mask | ACL_GRANT_OPTION_FOR(whole_mask),
 	        ACLMASK_ANY) != ACLCHECK_OK)
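Review bot: The added `elog(LOG, "restrict_and_check_grant: here\n");` is leftover trace output on an authorization path; at LOG level it goes to the server log on every privilege check and carries no information about the object or role being checked. The same applies to the `"...: here"` lines added in pg_rangercheck and in each pg_*_aclcheck hunk below, to `cdb_setup: here` in cdbutil.c, to `ExecCheckRTEPerms: here` in parse_relation.c and to the `debug xxx/yyy/zzz/ttt` lines in rangerrest.c. Either drop them before merge or lower them to a debug level with useful context and no trailing newline, e.g. `elog(DEBUG3, "restrict_and_check_grant: ranger check for object oid %u", objectId);`. The enclosing function starts and ends outside this hunk.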
@@ -2664,10 +2665,47 @@ List *getActionName(AclMode mask)
   return actions;
 }
 
+List *pg_rangercheck_batch(List *arg_list)
+{
+  List *aclresults = NIL;
+  ListCell *arg = NULL;
+  foreach(arg, arg_list) {
+    RangerPrivilegeArgs *arg_ptr = (RangerPrivilegeArgs *)lfirst(arg);
+    AclObjectKind objkind = arg_ptr->objkind;
+    Oid object_oid = arg_ptr->object_oid;
+    char *objectname = getNameFromOid(objkind, object_oid);
+    char *rolename = getRoleName(arg_ptr->roleid);
+    List* actions = getActionName(arg_ptr->mask);
+    bool isAll = (arg_ptr->how == ACLMASK_ALL) ? true: false;
+    RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) palloc(sizeof(RangerPrivilegeResults));
+    aclresult->result = check_privilege_from_ranger(rolename, objkind, objectname, actions, isAll);
+    aclresult->relOid = object_oid; 
+    aclresults = lappend(aclresults, aclresult);
+    
+    if (objectname)
+    {
+      pfree(objectname);
+      objectname = NULL;
+    }
+    if(rolename)
+    {
+      pfree(rolename);
+      rolename = NULL;
+    }
+    if(actions)
+    {
+      list_free_deep(actions);
+      actions = NIL;
+    }
+  } // foreach
+  return aclresults;
+}
+
 AclResult
 pg_rangercheck(AclObjectKind objkind, Oid object_oid, Oid roleid,
          AclMode mask, AclMaskHow how)
 {
+  elog(LOG, "pg_rangercheck: here\n");
   char* objectname = getNameFromOid(objkind, object_oid);
   char* rolename = getRoleName(roleid);
   List* actions = getActionName(mask);
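Review bot: pg_rangercheck_batch hands `objectname` and `rolename` to check_privilege_from_ranger() before the NULL tests that follow, so if getNameFromOid() or getRoleName() can return NULL (the later `if (objectname)` / `if(rolename)` guards suggest they can), the policy request is built from a NULL name. Failing closed would be safer: test both right after the lookups and set `aclresult->result = RANGERCHECK_UNKNOWN;` without calling Ranger. The loop also still makes one check_privilege_from_ranger() call per entry, so unless that helper batches internally (not visible here) the OIDs are not yet sent in a single request as the commit title says. A short header comment stating that the caller owns the returned list and its RangerPrivilegeResults elements would help. pg_rangercheck's body continues past the end of the hunk.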
@@ -2691,7 +2729,6 @@ pg_rangercheck(AclObjectKind objkind, Oid object_oid, Oid roleid,
   return ACLCHECK_OK;
 }
 
-
 /*
  * Relay for the various pg_*_mask routines depending on object kind
  */
@@ -3678,6 +3715,7 @@ pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_class_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_CLASS, table_oid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3694,6 +3732,7 @@ pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
    {
+     elog(LOG, "pg_database_aclcheck: here\n");
      return pg_rangercheck(ACL_KIND_DATABASE, db_oid, roleid, mode, ACLMASK_ANY);
    }
    else
@@ -3710,6 +3749,7 @@ pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_proc_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_PROC, proc_oid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3726,6 +3766,7 @@ pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_language_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_LANGUAGE, lang_oid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3742,6 +3783,7 @@ pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_namespace_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_NAMESPACE, nsp_oid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3758,6 +3800,7 @@ pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_tablespace_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_TABLESPACE, spc_oid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3775,6 +3818,7 @@ pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_foreign_data_wrapper_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_FDW, fdw_oid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3792,6 +3836,7 @@ pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_foreign_server_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3809,6 +3854,7 @@ pg_extprotocol_aclcheck(Oid ptcid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_extprotocol_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid, mode, ACLMASK_ANY);
   }
   else
@@ -3825,6 +3871,7 @@ pg_filesystem_aclcheck(Oid fsysid, Oid roleid, AclMode mode)
 {
   if(enable_ranger)
   {
+    elog(LOG, "pg_filesystem_aclcheck: here\n");
     return pg_rangercheck(ACL_KIND_FILESYSTEM, fsysid, roleid, mode, ACLMASK_ANY);
   }
   else

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/cdb/cdbutil.c
----------------------------------------------------------------------
diff --git a/src/backend/cdb/cdbutil.c b/src/backend/cdb/cdbutil.c
index 0391881..03395a9 100644
--- a/src/backend/cdb/cdbutil.c
+++ b/src/backend/cdb/cdbutil.c
@@ -585,6 +585,7 @@ cdb_setup(void)
 
 	if (Gp_role == GP_ROLE_DISPATCH)
 	{
+		elog(LOG, "cdb_setup: here\n");
 		/* check mirrored entry db configuration */
 		buildMirrorQDDefinition();
 

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/libpq/rangerrest.c
----------------------------------------------------------------------
diff --git a/src/backend/libpq/rangerrest.c b/src/backend/libpq/rangerrest.c
index 032a6c0..d677b05 100644
--- a/src/backend/libpq/rangerrest.c
+++ b/src/backend/libpq/rangerrest.c
@@ -280,10 +280,14 @@ void call_ranger_rest(CURL_HANDLE curl_handle, char* request)
     // curl_easy_setopt(curl_handle, CURLOPT_POSTFIELDS, request);
 
     /* send all data to this function  */
+    elog(LOG, "debug xxx\n");
     curl_easy_setopt(curl_handle->curl_handle, CURLOPT_WRITEFUNCTION, write_callback);
+    elog(LOG, "debug yyy\n");
     curl_easy_setopt(curl_handle->curl_handle, CURLOPT_WRITEDATA, (void *)curl_handle);
+    elog(LOG, "debug zzz\n");
 
     res = curl_easy_perform(curl_handle->curl_handle);
+    elog(LOG, "debug ttt\n");
 
     /* check for errors */
     if(res != CURLE_OK)

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/libpq/rangerrest.h
----------------------------------------------------------------------
diff --git a/src/backend/libpq/rangerrest.h b/src/backend/libpq/rangerrest.h
deleted file mode 100644
index 4b73f46..0000000
--- a/src/backend/libpq/rangerrest.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*-------------------------------------------------------------------------
- *
- * rangerrest.h
- *	routines to interact with Ranger REST API
- *
- *-------------------------------------------------------------------------
- */
-#ifndef RANGERREST_H
-#define RANGERREST_H
-
-#include <curl/curl.h>
-
-typedef enum
-{
-    RANGERCHECK_OK = 0,
-    RANGERCHECK_NO_PRIV,
-    RANGERCHECK_UNKNOWN
-} RangerACLResult;
-
-#endif

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/parser/parse_relation.c
----------------------------------------------------------------------
diff --git a/src/backend/parser/parse_relation.c b/src/backend/parser/parse_relation.c
index 811d2e2..9d58b73 100644
--- a/src/backend/parser/parse_relation.c
+++ b/src/backend/parser/parse_relation.c
@@ -2712,15 +2712,94 @@ warnAutoRange(ParseState *pstate, RangeVar *relation, int location)
 void
 ExecCheckRTPerms(List *rangeTable)
 {
+  /*
+  if (enable_ranger)
+  {
+    ExecCheckRTPermsWithRanger(rangeTable);
+    return;
+  }
+  */
 	ListCell   *l;
 
+  int i = 0;
 	foreach(l, rangeTable)
 	{
+	  printf("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%d\n", i);
 		ExecCheckRTEPerms((RangeTblEntry *) lfirst(l));
+	  i ++;
 	}
 }
 
 /*
+ * ExecCheckRTPerms
+ *   Batch implementation: Check access permissions for all relations listed in a range table with enable_ranger is true.
+ */
+void
+ExecCheckRTPermsWithRanger(List *rangeTable)
+{
+  List *ranger_check_args = NIL;
+  ListCell *l;
+  foreach(l, rangeTable)
+  {
+    RangeTblEntry *rte = (RangeTblEntry *) lfirst(l);
+
+    AclMode requiredPerms;
+    Oid relOid;
+    Oid userid;
+
+    if (rte->rtekind != RTE_RELATION)
+      return;
+    requiredPerms = rte->requiredPerms;
+    if (requiredPerms == 0)
+      return;
+    
+    relOid = rte->relid;
+    userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
+
+    RangerPrivilegeArgs *ranger_check_arg = (RangerPrivilegeArgs *) palloc(sizeof(RangerPrivilegeArgs));
+    ranger_check_arg->objkind = ACL_KIND_CLASS;
+    ranger_check_arg->object_oid = relOid;
+    ranger_check_arg->roleid = userid;
+    ranger_check_arg->mask = requiredPerms;
+    ranger_check_arg->how = ACLMASK_ALL;
+    ranger_check_args = lappend(ranger_check_args, ranger_check_arg);
+
+  } // foreach
+
+  // ranger ACL check with package Oids
+  List *aclresults = pg_rangercheck_batch(ranger_check_args);
+  if (aclresults == NIL)
+  {
+    printf("bugggggggggggggggg\n");
+    return;
+  }
+
+  // check result
+  ListCell *result;
+  foreach(result, aclresults)
+  {
+    RangerPrivilegeResults *result_ptr = (RangerPrivilegeResults *)lfirst(result);
+    if(result_ptr->result != RANGERCHECK_OK)
+    {
+      Oid relOid = result_ptr->relOid;
+      const char *rel_name = get_rel_name_partition(relOid);
+      aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_CLASS, rel_name);
+    }
+  }
+  
+  if (ranger_check_args)
+  {
+    list_free_deep(ranger_check_args);
+    ranger_check_args = NIL;
+  }
+  if (aclresults)
+  {
+    list_free_deep(aclresults);
+    aclresults = NIL;
+  }
+}
+
+/*
  * ExecCheckRTEPerms
  *		Check access permissions for a single RTE.
  */
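Review bot: In ExecCheckRTPermsWithRanger the two early exits inside the first `foreach` (`if (rte->rtekind != RTE_RELATION) return;` and `if (requiredPerms == 0) return;`) leave the whole function, so the first non-relation entry, or the first entry with no required permissions, ends the check and every later relation in the range table goes unchecked; both should be `continue;`. They look copied from the per-entry ExecCheckRTEPerms, where `return` is correct. The `aclresults == NIL` branch also returns normally, which lets the query proceed when the batch produced no results; it should return quietly only when `ranger_check_args` is NIL and otherwise raise an error. The call from ExecCheckRTPerms is still commented out, so this path is not reachable yet, but these points and the `printf` calls added in both functions should be resolved before it is enabled.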
@@ -2763,9 +2842,10 @@ ExecCheckRTEPerms(RangeTblEntry *rte)
 	 */
 	if (enable_ranger)
 	{
+	  elog(LOG, "ExecCheckRTEPerms: here");
 	  /* ranger check required permission should all be approved.*/
     if (pg_rangercheck(ACL_KIND_CLASS, relOid, userid, requiredPerms, ACLMASK_ALL)
-        != ACLCHECK_OK)
+        != RANGERCHECK_OK)
     {
       /*
        * If the table is a partition, return an error message that includes
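Review bot: The comparison changed to `!= RANGERCHECK_OK` mixes two enums, because pg_rangercheck() is declared in aclchk.c as returning AclResult and its visible tail returns `ACLCHECK_OK`. It only behaves correctly while both constants share the same value (RANGERCHECK_OK is 0 in rangerrest.h; ACLCHECK_OK is presumably 0 as well), and a later reordering of either enum would silently change an authorization decision. Keep `!= ACLCHECK_OK` here, and use RangerACLResult only where the value really comes from check_privilege_from_ranger(). ExecCheckRTEPerms starts and ends outside this hunk.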

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/include/parser/parse_relation.h
----------------------------------------------------------------------
diff --git a/src/include/parser/parse_relation.h b/src/include/parser/parse_relation.h
index 4c13a79..3af717f 100644
--- a/src/include/parser/parse_relation.h
+++ b/src/include/parser/parse_relation.h
@@ -101,6 +101,7 @@ extern Name attnumAttName(Relation rd, int attid);
 extern Oid	attnumTypeId(Relation rd, int attid);
 
 extern void ExecCheckRTPerms(List *rangeTable);
+extern void ExecCheckRTPermsWithRanger(List *);
 extern void ExecCheckRTEPerms(RangeTblEntry *rte);
 
 #endif   /* PARSE_RELATION_H */

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/include/utils/acl.h
----------------------------------------------------------------------
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index b0ddde9..b0c7438 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -26,6 +26,7 @@
 
 #include "nodes/parsenodes.h"
 #include "utils/array.h"
+#include "utils/rangerrest.h"
 
 
 /*
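Review bot: Adding `#include "utils/rangerrest.h"` to acl.h pulls `<curl/curl.h>` into every file that includes acl.h, although all acl.h needs from that header is the RangerACLResult enum. rangerrest.h as added in this commit declares nothing that uses a curl type, so its `#include <curl/curl.h>` line could move into rangerrest.c (if it is not already there), keeping libcurl headers out of the backend-wide include graph.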
@@ -339,4 +340,19 @@ extern bool pg_conversion_ownercheck(Oid conv_oid, Oid roleid);
 extern bool pg_foreign_server_ownercheck(Oid srv_oid, Oid roleid);
 extern bool pg_extprotocol_ownercheck(Oid ptc_oid, Oid roleid);
 
+typedef struct RangerPrivilegeArgs
+{
+  AclObjectKind objkind;
+  Oid        object_oid;
+  Oid            roleid;
+  AclMode          mask;
+  AclMaskHow        how;
+} RangerPrivilegeArgs;
+
+typedef struct RangerPrivilegeResults
+{
+  RangerACLResult result;
+  Oid relOid;
+} RangerPrivilegeResults;
+
 #endif   /* ACL_H */
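Review bot: The two new structs have no comments, and `RangerPrivilegeResults.relOid` is named for relations although pg_rangercheck_batch fills it from `object_oid` for any `objkind`. Suggest `/* one privilege check to submit to Ranger; consumed by pg_rangercheck_batch() */` above RangerPrivilegeArgs and `/* outcome of one check; relOid is the object_oid of the matching RangerPrivilegeArgs */` above RangerPrivilegeResults, or rename the field to `object_oid` so the two structs agree.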

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/include/utils/rangerrest.h
----------------------------------------------------------------------
diff --git a/src/include/utils/rangerrest.h b/src/include/utils/rangerrest.h
new file mode 100644
index 0000000..4b73f46
--- /dev/null
+++ b/src/include/utils/rangerrest.h
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*-------------------------------------------------------------------------
+ *
+ * rangerrest.h
+ *	routines to interact with Ranger REST API
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef RANGERREST_H
+#define RANGERREST_H
+
+#include <curl/curl.h>
+
+typedef enum
+{
+    RANGERCHECK_OK = 0,
+    RANGERCHECK_NO_PRIV,
+    RANGERCHECK_UNKNOWN
+} RangerACLResult;
+
+#endif

