From sure...@apache.org
Subject [1/2] incubator-trafodion git commit: TRAFODION-2441 user has only select privilege on a table can do ...
Date Thu, 23 Feb 2017 16:58:03 GMT
Repository: incubator-trafodion
Updated Branches:
  refs/heads/master b5e73002b -> b44e5d0d5


TRAFODION-2441 user has only select privilege on a table can do ...

This is the second delivery that updates "get" commands so users can only view
information where they have been granted privileges.  This delivery handles:

get components;
get privileges on component;
get privileges on component for <role>;
get privileges on component for <user> [cascade];
  cascade returns privileges for user plus any roles the user has been granted


Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/5374d9d1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/5374d9d1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/5374d9d1

Branch: refs/heads/master
Commit: 5374d9d148b60555652c3e30ca1eb45a2ffba47e
Parents: a7a295e
Author: Roberta Marton <rmarton@edev07.esgyn.local>
Authored: Wed Feb 22 16:54:51 2017 +0000
Committer: Roberta Marton <rmarton@edev07.esgyn.local>
Committed: Wed Feb 22 16:54:51 2017 +0000

----------------------------------------------------------------------
 core/sql/comexe/ComTdbExeUtil.h      |   7 +-
 core/sql/executor/ExExeUtilGet.cpp   | 191 ++++++++++++++++++------------
 core/sql/generator/GenRelExeUtil.cpp |   1 +
 core/sql/optimizer/RelExeUtil.cpp    |   3 +-
 core/sql/optimizer/RelExeUtil.h      |   4 +
 core/sql/parser/sqlparser.y          |  33 ++++--
 6 files changed, 152 insertions(+), 87 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/comexe/ComTdbExeUtil.h
----------------------------------------------------------------------
diff --git a/core/sql/comexe/ComTdbExeUtil.h b/core/sql/comexe/ComTdbExeUtil.h
index 3abc2a5..2fdbc47 100644
--- a/core/sql/comexe/ComTdbExeUtil.h
+++ b/core/sql/comexe/ComTdbExeUtil.h
@@ -2604,6 +2604,10 @@ public:
   {(v ? flags_ |= IS_HBASE : flags_ &= ~IS_HBASE); };
   NABoolean isHbase() { return (flags_ & IS_HBASE) != 0; };
 
+  void setCascade(NABoolean v)
+  {(v ? flags_ |= CASCADE : flags_ & CASCADE) != 0; };
+  NABoolean cascade() { return (flags_ & CASCADE) != 0; };
+
   // ---------------------------------------------------------------------
   // Used by the internal SHOWPLAN command to get attributes of a TDB.
   // ---------------------------------------------------------------------
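Review bot: setCascade(FALSE) never clears the bit: the else arm of the conditional in the new setCascade body is `flags_ & CASCADE`, a read with no assignment, and the trailing `!= 0` only discards that result. The setter on the preceding context line shows the intended shape; the body should be `{(v ? flags_ |= CASCADE : flags_ &= ~CASCADE); };`. The single caller visible in this commit (`gm_exe_util_tdb->setCascade(cascade_)` in GenRelExeUtil.cpp) runs once on a freshly built TDB, so the defect is masked today, but any later call with FALSE would leave cascade set and widen the rows the privilege predicate admits. A compiler warning for the unused comparison result would have flagged this line.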
@@ -2624,7 +2628,8 @@ protected:
     IS_INDEX     = 0x0200,
     IS_MV        = 0x0400,
     IS_HBASE   = 0x0800,
-    EXTERNAL_OBJS = 0x1000
+    EXTERNAL_OBJS = 0x1000,
+    CASCADE      = 0x2000
   };
 
   char * getCat() { return cat_; }

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/executor/ExExeUtilGet.cpp
----------------------------------------------------------------------
diff --git a/core/sql/executor/ExExeUtilGet.cpp b/core/sql/executor/ExExeUtilGet.cpp
index 7eb6eb1..0964684 100644
--- a/core/sql/executor/ExExeUtilGet.cpp
+++ b/core/sql/executor/ExExeUtilGet.cpp
@@ -246,44 +246,26 @@ static const QueryString getPrivsForAuthsQuery[] =
 
 static const QueryString getComponents[] =
 {
-  {" select translate(rtrim(component_name) using ucs2toutf8)  "},
-  {"   from %s.\"%s\".%s "},
-  {" order by component_name "},
+  {" select distinct translate(rtrim(component_name) using ucs2toutf8)  "},
+  {"   from %s.\"%s\".%s c, %s.\"%s\".%s p "},
+  {"   where c.component_uid = p.component_uid %s "},
+  {" order by 1 "},
   {" ; "}
 };
 
-static const QueryString getComponentOperations[] = 
+static const QueryString getComponentPrivileges[] = 
 {
-  {" select translate(rtrim(operation_name) using ucs2toutf8), "},
-  {"        translate(rtrim(operation_code) using ucs2toutf8) from "},
-  {"    %s.\"%s\".%s c, "},
-  {"    %s.\"%s\".%s o "},
-  {" where (c.component_uid=o.component_uid) and "},
-  {"       (c.component_name='%s')  "},
+  {" select distinct translate(rtrim(operation_name) using ucs2toutf8) "},
+  {" from %s.\"%s\".%s c, %s.\"%s\".%s o, "},
+  {"      %s.\"%s\".%s p "},
+  {" where (c.component_uid=o.component_uid) "},
+  {"   and (o.component_uid=p.component_uid) "},
+  {"   and (o.operation_code=p.operation_code) "},
+  {"   and (c.component_name='%s') %s "},
   {" order by 1 "},
   {" ; "}
 };
 
-static const QueryString getComponentPrivilegesForUser[] =
-{
-  {" select distinct translate(rtrim(o.operation_name) using ucs2toutf8), "},
-  {"                 translate(rtrim(o.operation_code) using ucs2toutf8) from "},
-  {"    %s.\"%s\".%s c, "},
-  {"    %s.\"%s\".%s o, "},
-  {"    %s.\"%s\".%s p "},
-  {" where (c.component_uid = p.component_uid) and "},
-  {"       (c.component_uid = o.component_uid) and "},
-  {"       (c.component_name='%s') and "},
-  {"       (p.operation_code = o.operation_code) and "},
-  {"       ((p.grantee_name = '%s') or "},
-  {"        (p.grantee_name in (select role_name from "},
-  {"          %s.\"%s\".%s ru "},
-  {"          where ru.grantee_name = '%s')))"},
-  {" order by 1 " },
-  {" ; " }
-};
-
-
 
 static const QueryString getTrafTablesInSchemaQuery[] =
 {
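Review bot: The new `%s` at the end of the where clause in getComponents and getComponentPrivileges carries an unstated contract: whatever the caller substitutes must be either an empty string or a fragment starting with `and`, since it is spliced after an existing predicate. A comment on each array would make that explicit, e.g. `// last %s: optional " and ..." predicate on p (grantee) or "" when no privilege check applies`. Note also that getComponents now inner-joins the privileges table, so a component with no privilege rows at all is no longer listed even when the caller supplies an empty predicate; if that is intended (every component is expected to carry at least one grant), the comment should say so, otherwise an outer join or the old single-table form is needed for the unrestricted case.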
@@ -1240,30 +1222,32 @@ Int32 ExExeUtilGetMetadataInfoTcb::getAuthID(
   const char *schName, 
   const char *objName)
 {
+  if (strcmp(authName, PUBLIC_AUTH_NAME) == 0)
+    return PUBLIC_USER;
+
   short rc      = 0;
   Lng32 cliRC   = 0;
 
   sprintf(queryBuf_, "select auth_id from %s.\"%s\".%s where auth_db_name = '%s' ",
           catName, schName, objName, authName);
 
-  if (initializeInfoList(infoList_)) return 0;
+  if (initializeInfoList(infoList_)) return NA_UserIdDefault;
 
   numOutputEntries_ = 1;
   cliRC = fetchAllRows(infoList_, queryBuf_, numOutputEntries_, FALSE, rc);
   if (cliRC < 0) 
   {
     cliInterface()->retrieveSQLDiagnostics(getDiagsArea());
-    return 0;
+    return NA_UserIdDefault;
   }
 
   infoList_->position();
   OutputInfo * vi = (OutputInfo*)infoList_->getCurr();
   if (vi)
     return *(Lng32*)vi->get(0);
-  return 0;
+  return NA_UserIdDefault;
 }
 
-
 // ----------------------------------------------------------------------------
 // getRoleList
 //
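Review bot: The failure sentinel of getAuthID changes from 0 to NA_UserIdDefault, and the caller's check that follows the comment "If the authID was not found for various reasons just return" in work() lies outside the hunks of this commit, so I could not confirm it now compares against NA_UserIdDefault rather than 0; if it still tests 0, a failed lookup would be treated as a valid id. The function's return contract deserves a header comment now that it has three outcomes: `// Returns the auth_id for authName, PUBLIC_USER for the public auth name, or NA_UserIdDefault when the lookup fails or finds no row.` The signature starts before the hunk, and the sprintf of authName into queryBuf_ is pre-existing but remains unbounded and unescaped, which the new early return does not change.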
@@ -1511,7 +1495,6 @@ short ExExeUtilGetMetadataInfoTcb::work()
             // but the schema does not, GET TABLES returns nothing.
 
 	    step_ = SETUP_HBASE_QUERY_;
-	   
 	  }
 	break;
 
@@ -1948,11 +1931,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
                      (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_ROLE_);

               
                   // Get the authID associated with the current user
-                  Int32 authID;
-                  if (strcmp(getMItdb().getParam1(), PUBLIC_AUTH_NAME) == 0)
-                    authID = PUBLIC_USER; 
-                  else
-                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+                  Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
 
                   // If the authID was not found for various reasons just return
                   // Other "get" commands continue and return no rows but it is
@@ -2068,50 +2047,116 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 qs = getComponents;
                 sizeOfqs = sizeof(getComponents);
 
+                if (doPrivCheck)
+                  {
+                     char buf[authList.length() + 100];
+                     str_sprintf(buf, " and p.grantee_id in %s", authList.data());
+                     privWhereClause = buf;
+                  }
+
                 param_[0] = cat;
                 param_[1] = pmsch;
                 param_[2] = components;
+                param_[3] = cat;
+                param_[4] = pmsch;
+                param_[5] = componentPrivileges;
+                param_[6] = (char *) privWhereClause.data();
               }
               break;
 
               case ComTdbExeUtilGetMetadataInfo::COMPONENT_PRIVILEGES_:
               {
-              
-                if (getMItdb().getParam1()) // Get privileges for auth ID
-                {
-                   qs = getComponentPrivilegesForUser;
-                   sizeOfqs = sizeof(getComponentPrivilegesForUser);
-
-                   param_[0] = cat;
-                   param_[1] = pmsch;
-                   param_[2] = components;
-                   param_[3] = cat;
-                   param_[4] = pmsch;
-                   param_[5] = componentOperations;
-                   param_[6] = cat;
-                   param_[7] = pmsch;
-                   param_[8] = componentPrivileges;
-                   param_[9] = getMItdb().getObj();
-                   param_[10] = getMItdb().getParam1();
-                   param_[11] = cat;
-                   param_[12] = pmsch;
-                   param_[13] = role_usage;
-                   param_[14] = getMItdb().getParam1();
-                   
+                 qs = getComponentPrivileges;
+                 sizeOfqs = sizeof(getComponentPrivileges);
+
+                 // Get privileges for auth name
+                 if (getMItdb().getParam1()) 
+                 {
+                    // Get the authID associated with the request's auth name
+                    // If can't find authID, NA_UserIdDefault is returned which 
+                    // indicates an invalid authID.
+                    Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                    if (doPrivCheck)
+                    {
+                       // If asking for privileges for a user that has no privs
+                       //   authName is invalid
+                       //   authName is a user and not the current user
+                       //   authName is a role and not one of the current user roles
+                       // add a predicate to make operation fail with no rows
+                       // This matches other "get" statement's behavior.
+                       NABoolean hasPriv = TRUE;
+                       if ((authID == NA_UserIdDefault) ||
+                           (CmpSeabaseDDLauth::isUserID(authID) &&
+                             (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName())
!= 0)) || 
+                           (CmpSeabaseDDLauth::isRoleID(authID) &&
+                             !ComUser::currentUserHasRole(authID)))
+                       {
+                          privWhereClause += "and (grantee_id = -2) ";
+                          hasPriv = FALSE;
+                       }
+                       if (hasPriv)
+                       {
+                          privWhereClause += "and (grantee_name = '";
+                          privWhereClause += getMItdb().getParam1();
+                          privWhereClause += "'";
+                          if (CmpSeabaseDDLauth::isUserID(authID) && getMItdb().cascade())
+                          {
+                              privWhereClause += " or grantee_id in ";
+                              privWhereClause += authList.data();
+                          }
+                          privWhereClause += ")";
+                       }
+                    }
+                    else
+                    { 
+                       privWhereClause += "and (grantee_name = '";
+                       privWhereClause += getMItdb().getParam1();
+                       privWhereClause += "'";
+
+                       // if authname is a user and specified cascade, include roles
+                       if (CmpSeabaseDDLauth::isUserID(authID) && getMItdb().cascade())
+                       {
+                          char buf[300 + MAX_AUTHNAME_LEN + 200];
+                          str_sprintf(buf, "or p.grantee_id = (select role_id from "
+                                           "%s.\"%s\".%s where grantee_name = '%s') "
+                                           "or p.grantee_id = -1",
+                                      cat, pmsch, role_usage, getMItdb().getParam1());
+                          privWhereClause += buf;
+                       }
+                       privWhereClause += ')';  
+                    }
                  }
-                 else  // Get all operations for a component
+
+                 // no specific authname specified, get current users results
+                 else
                  {
-                    qs = getComponentOperations;
-                    sizeOfqs = sizeof(getComponentOperations);
-
-                    param_[0] = cat;
-                    param_[1] = pmsch;
-                    param_[2] = components;
-                    param_[3] = cat;
-                    param_[4] = pmsch;
-                    param_[5] = componentOperations;
-                    param_[6] = getMItdb().getObj();
+                    // Limit results to current user and current users roles
+                    if (getMItdb().cascade())
+                    {
+                       privWhereClause += " and p.grantee_id in ";
+                       privWhereClause += authList.data();
+                    }
+                    // limit results to current user
+                    else
+                    {
+                       privWhereClause += " and p.grantee_name = '";
+                       privWhereClause += currContext->getDatabaseUserName();
+                       privWhereClause += "'";
+                    }
                  }
+
+                 param_[0] = cat;
+                 param_[1] = pmsch;
+                 param_[2] = components;
+                 param_[3] = cat;
+                 param_[4] = pmsch;
+                 param_[5] = componentOperations;
+                 param_[6] = cat;
+                 param_[7] = pmsch;
+                 param_[8] = componentPrivileges;
+                 param_[9] = getMItdb().getObj();
+                 param_[10] = (char *) privWhereClause.data();
               }
               break;
 
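Review bot: The cascade predicate built in the non-priv-check branch, `or p.grantee_id = (select role_id from ... where grantee_name = '%s')`, is a scalar subquery, so a user granted more than one role makes the statement fail with a cardinality error instead of returning the union of role privileges; the removed getComponentPrivilegesForUser used `in (select ...)`, and this line should read `"or p.grantee_id in (select role_id from "`. The same string ends in the literal `or p.grantee_id = -1` while the getAuthID hunk introduces PUBLIC_USER; if -1 is that constant, spell it through the constant so the two cannot drift, and the `grantee_id = -2` no-rows sentinel wants a named constant or at least a comment saying it is an id that never matches. Both branches splice getMItdb().getParam1() between single quotes without any escaping; the parser presumably constrains it to an identifier, but the executor should still reject or escape an embedded quote before it reaches generated SQL. The enclosing work() switch continues outside the hunk, so I could not confirm that privWhereClause outlives the use of param_[6] and param_[10], which hold its raw .data() pointer rather than a copy.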

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/generator/GenRelExeUtil.cpp
----------------------------------------------------------------------
diff --git a/core/sql/generator/GenRelExeUtil.cpp b/core/sql/generator/GenRelExeUtil.cpp
index 1822725..eeaaacb 100644
--- a/core/sql/generator/GenRelExeUtil.cpp
+++ b/core/sql/generator/GenRelExeUtil.cpp
@@ -2187,6 +2187,7 @@ short ExeUtilGetMetadataInfo::codeGen(Generator * generator)
            (ausStr == "EXTERNAL"))
     gm_exe_util_tdb->setExternalObjs(TRUE);
   gm_exe_util_tdb->setGetVersion(getVersion_);
+  gm_exe_util_tdb->setCascade(cascade_);
   
   if ((queryType == ComTdbExeUtilGetMetadataInfo::PARTITIONS_FOR_TABLE_) ||
       (queryType == ComTdbExeUtilGetMetadataInfo::PARTITIONS_FOR_INDEX_))

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/optimizer/RelExeUtil.cpp
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/RelExeUtil.cpp b/core/sql/optimizer/RelExeUtil.cpp
index a7ced3c..f593a9a 100644
--- a/core/sql/optimizer/RelExeUtil.cpp
+++ b/core/sql/optimizer/RelExeUtil.cpp
@@ -3059,7 +3059,8 @@ ExeUtilGetMetadataInfo::ExeUtilGetMetadataInfo
        param1_((param1 ? *param1 : ""), oHeap),
        errorInParams_(FALSE),
        hiveObjs_(FALSE),
-       hbaseObjs_(FALSE)
+       hbaseObjs_(FALSE),
+       cascade_(FALSE)
 {
 }
 

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/optimizer/RelExeUtil.h
----------------------------------------------------------------------
diff --git a/core/sql/optimizer/RelExeUtil.h b/core/sql/optimizer/RelExeUtil.h
index 74d63c0..ba4ff0b 100644
--- a/core/sql/optimizer/RelExeUtil.h
+++ b/core/sql/optimizer/RelExeUtil.h
@@ -1630,6 +1630,9 @@ public:
   NABoolean hbaseObjects() { return hbaseObjs_;}
   void setHbaseObjects(NABoolean v) { hbaseObjs_ = v; }
   
+  NABoolean cascade() { return cascade_;}
+  void setCascade(NABoolean v) { cascade_ = v; }
+
 private:
   NAString ausStr_; // all/user/system objects
   NAString infoType_;
@@ -1650,6 +1653,7 @@ private:
 
   NABoolean hiveObjs_;
   NABoolean hbaseObjs_;
+  NABoolean cascade_;
 };
 
 

http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/5374d9d1/core/sql/parser/sqlparser.y
----------------------------------------------------------------------
diff --git a/core/sql/parser/sqlparser.y b/core/sql/parser/sqlparser.y
index 3a2b3aa..513c42a 100755
--- a/core/sql/parser/sqlparser.y
+++ b/core/sql/parser/sqlparser.y
@@ -15675,8 +15675,12 @@ exe_util_get_metadata_info :
             NAString iof("ON");       
             NAString objectType("COMPONENT");
             CorrName objectName(*$6);
-            NABoolean fullDetails = ($8 == COM_CASCADE_DROP_BEHAVIOR) 
-                                       ? TRUE : FALSE; 
+
+            PtrPlaceHolder * pph = $9;
+            NAString * noHeader = (NAString *)pph->ptr1_;
+            NAString * pattern = (NAString *)pph->ptr2_;
+            NAString * fullyQualNames = (NAString *)pph->ptr3_;
+
             ExeUtilGetMetadataInfo * gmi = new (PARSERHEAP())
               ExeUtilGetMetadataInfo
               ( aus          // NAString & 
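Review bot: The four new lines that unpack $9 into noHeader, pattern and fullyQualNames are repeated verbatim in the second COMPONENT production (the hunk at -15724), and the new cascade check is duplicated in the hunks at -15684 and -15734; a small helper that takes the PtrPlaceHolder and returns the three strings, or one that applies noHeader and cascade to the gmi, would keep the two productions from drifting. pph is dereferenced without a null check in both places, as it was before the change; if the grammar guarantees $9 is always allocated, a one-line comment such as `// $9 is always allocated by the optional-clause production` would spare the next reader the question. The action continues outside the hunk, so the deletion of pph and the ownership of pattern, now handed to the ExeUtilGetMetadataInfo constructor, were not visible to me.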
@@ -15684,17 +15688,18 @@ exe_util_get_metadata_info :
               , iof          // NAString &
               , objectType   // NAString &
               , objectName   // CorrName &
-              , NULL         // NAString * pattern
-              , fullDetails  // NABoolean returnFullyQualNames
+              , pattern         // NAString * pattern
+              , (fullyQualNames ? TRUE : FALSE)  // NABoolean returnFullyQualNames
               , FALSE        // NABoolean getVersion
               , $7           // NAString * param1
               , PARSERHEAP() // CollHeap * oHeap
               );
 
-            PtrPlaceHolder * pph      = $9;
-            NAString * noHeader       = (NAString *)pph->ptr1_;
             if (noHeader)
               gmi->setNoHeader(TRUE);
+            
+            if ($8 == COM_CASCADE_DROP_BEHAVIOR)
+               gmi->setCascade(TRUE);
 
             $$ = gmi;
             delete $6; // component_name
@@ -15724,8 +15729,11 @@ exe_util_get_metadata_info :
             NAString iof("ON");
             NAString objectType("COMPONENT");
             CorrName objectName(*$6);
-            NABoolean fullDetails = ($8 == COM_CASCADE_DROP_BEHAVIOR) 
-                                       ? TRUE : FALSE; 
+
+            PtrPlaceHolder * pph = $9;
+            NAString * noHeader = (NAString *)pph->ptr1_;
+            NAString * pattern = (NAString *)pph->ptr2_;
+            NAString * fullyQualNames = (NAString *)pph->ptr3_;
 
             ExeUtilGetMetadataInfo * gmi = new (PARSERHEAP())
               ExeUtilGetMetadataInfo
@@ -15734,18 +15742,19 @@ exe_util_get_metadata_info :
               , iof          // NAString &
               , objectType   // NAString &
               , objectName   // CorrName &
-              , NULL         // NAString * pattern
-              , fullDetails  // NABoolean returnFullyQualNames
+              , pattern         // NAString * pattern
+              , (fullyQualNames ? TRUE : FALSE)  // NABoolean returnFullyQualNames
               , FALSE        // NABoolean getVersion
               , $7           // NAString * param1
               , PARSERHEAP() // CollHeap * oHeap
               );
 
-            PtrPlaceHolder * pph      = $9;
-            NAString * noHeader       = (NAString *)pph->ptr1_;
             if (noHeader)
               gmi->setNoHeader(TRUE);
 
+            if ($8 == COM_CASCADE_DROP_BEHAVIOR)
+               gmi->setCascade(TRUE);
+
             $$ = gmi;
             delete $6; // component_name
             delete $7; // user_name

