trafodion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rmar...@apache.org
Subject [3/4] trafodion git commit: Fixes for TRAFODION-3194 && TRAFODION-3195
Date Wed, 26 Sep 2018 18:20:27 GMT
Fixes for TRAFODION-3194 && TRAFODION-3195

TRAFODION-3194 Revoke grant option on objects revokes more that grant option
  changed Privilege Manager to set bitmaps correctly
  removed unused methods from PrivMgrDesc

TRAFODION-3195: Fixes for get commands:

get schemas for user <user>:
  returns schemas owned by the specified user
  if current user does not have elevated privilege,
   returns error if current user does not match <user>.

get schemas for role <role>:
  returns schemas owned by the role,
  if current user does not have elevated privilege,
    returns error if current user has not been granted <role>

get [tables | views | indexes | libraries ] for user <user>:
get [functions | table_mapping_functions | procedures] for user <user>:
get [privileges | roles] for user <user>:
  returns objects where <user> has at least one privilege
  if current user does not have eleveted privilege
    returns error if current user does not match <user>.

get [tables | views | indexes | libraries ] for role <role>:
get [functions | table_mapping_functions | procedures] for role <role>:
get [privileges | users] for <role>:
  returns objects where <role> has at least one privilege
  if current user does not have eleveted privilege
    returns error if current user has not been granted <role>


Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/afff9935
Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/afff9935
Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/afff9935

Branch: refs/heads/master
Commit: afff9935ecd40b0beef8156c773110b40025721f
Parents: 1bc3d1a
Author: Roberta Marton <roberta.marton@apache.org>
Authored: Fri Sep 21 22:29:01 2018 +0000
Committer: Roberta Marton <roberta.marton@apache.org>
Committed: Fri Sep 21 22:29:01 2018 +0000

----------------------------------------------------------------------
 core/sql/bin/SqlciErrors.txt           |    2 +-
 core/sql/executor/ExExeUtilGet.cpp     | 1026 ++++++++++++++++++---------
 core/sql/regress/privs1/EXPECTED123    |  815 ++++++++++-----------
 core/sql/regress/privs1/EXPECTED125    |  251 ++++++-
 core/sql/regress/privs1/EXPECTED141    |  143 +++-
 core/sql/regress/privs1/TEST123        |   24 +-
 core/sql/regress/privs1/TEST125        |    9 +-
 core/sql/regress/privs1/TEST141        |   22 +-
 core/sql/regress/privs2/EXPECTED135    |    4 +-
 core/sql/regress/privs2/EXPECTED144    |  858 +++++++++++++++++++++-
 core/sql/regress/privs2/EXPECTED146    |   16 +-
 core/sql/regress/privs2/LOG144         |  Bin 17980 -> 140175 bytes
 core/sql/regress/privs2/TEST144        |  120 +++-
 core/sql/sqlcomp/PrivMgrCommands.cpp   |    2 +-
 core/sql/sqlcomp/PrivMgrDesc.cpp       |  122 +---
 core/sql/sqlcomp/PrivMgrDesc.h         |   97 ++-
 core/sql/sqlcomp/PrivMgrPrivileges.cpp |   39 +-
 core/sql/sqlcomp/PrivMgrPrivileges.h   |    1 +
 18 files changed, 2515 insertions(+), 1036 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafodion/blob/afff9935/core/sql/bin/SqlciErrors.txt
----------------------------------------------------------------------
diff --git a/core/sql/bin/SqlciErrors.txt b/core/sql/bin/SqlciErrors.txt
index 7032bf7..0de8a4e 100644
--- a/core/sql/bin/SqlciErrors.txt
+++ b/core/sql/bin/SqlciErrors.txt
@@ -334,7 +334,7 @@
 1336 ZZZZZ 99999 ADVANCED MAJOR DBADMIN INITIALIZE SQL must specify a $0~String0 statement for the $1~String1.  INITIALIZE SQL fails.
 1337 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~String0 is a reserved authorization identifier.
 1338 ZZZZZ 99999 ADVANCED MAJOR DBADMIN Role $0~string0 is not defined in the database.
-1339 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~string0 is not a grantable role.
+1339 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~string0 is not a role.
 1340 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~string0 is not a user.
 1341 ZZZZZ 99999 BEGINNER MINOR DBADMIN --- unused ---
 1342 ZZZZZ 99999 BEGINNER MINOR DBADMIN --- unused ---

http://git-wip-us.apache.org/repos/asf/trafodion/blob/afff9935/core/sql/executor/ExExeUtilGet.cpp
----------------------------------------------------------------------
diff --git a/core/sql/executor/ExExeUtilGet.cpp b/core/sql/executor/ExExeUtilGet.cpp
index b9d4c68..590b068 100644
--- a/core/sql/executor/ExExeUtilGet.cpp
+++ b/core/sql/executor/ExExeUtilGet.cpp
@@ -177,7 +177,7 @@ static const QueryString getRolesForUserQuery[] =
   {" select translate(rtrim(RU.role_name) using ucs2toutf8) "},
   {"   from %s.\"%s\".%s RU "},
   {" where (RU.grantor_ID != -2) and "},
-  {"       (RU.grantee_name='%s') %s "},
+  {"       (RU.grantee_name='%s') "},
   {" union select * from (values ('PUBLIC')) "},
   {" order by 1 "},
   {" ; "}
@@ -348,7 +348,7 @@ static const QueryString getTrafIndexesOnTableQuery[] =
   {" ; "}
 };
 
-static const QueryString getTrafIndexesForUser[] =
+static const QueryString getTrafIndexesForAuth[] =
 {
   {" select trim(T2.catalog_name) || '.\"' || trim(T2.schema_name) || '\".' || trim(T2.object_name) "},
   {" from %s.\"%s\".%s I, "},
@@ -385,20 +385,21 @@ static const QueryString getTrafLibrariesInSchemaQuery[] =
   {"  ; "}
 };
 
-static const QueryString getTrafLibrariesForUser[] =
+static const QueryString getTrafLibrariesForAuthQuery[] =
 {
-  {" select distinct object_name  from "},
-  {"   %s.\"%s\".%s T, %s.\"%s\".%s R  "},
-  {"  where T.catalog_name = '%s' and T.object_type = 'LB' and "},
-  {"        T.object_uid = R.library_uid %s "},
+  {" select distinct trim(catalog_name) || '.\"' || "},
+  {"     trim(schema_name) || '\".' || trim(object_name) "},
+  {"  from %s.\"%s\".%s "},
+  {"  where catalog_name = '%s' and object_type = 'LB' %s "},
   {"  order by 1 "},
   {"  ; "}
 };
 
 static const QueryString getTrafRoutinesForAuthQuery[] =
 {
-  {" select distinct object_name  from "},
-  {"   %s.\"%s\".%s T, %s.\"%s\".%s R  "},
+  {" select distinct trim(catalog_name) || '.\"' || "},
+  {"     trim(schema_name) || '\".' || trim(object_name) "},
+  {"  from %s.\"%s\".%s T, %s.\"%s\".%s R  "},
   {"  where T.catalog_name = '%s' and "},
   {"        T.object_type = 'UR' and "},
   {"        T.object_uid = R.udr_uid and "},
@@ -536,8 +537,9 @@ static const QueryString getTrafSchemasForAuthIDQuery[] =
   {" select T.schema_name "},
   {"   from %s.\"%s\".%s T, "},
   {"        %s.\"%s\".%s A "},
-  {"  where (T.object_type = 'PS' or T.object_type = 'SS') and "},
-  {"         A.auth_db_name = '%s' and T.object_owner = A.auth_id "},
+  {"  where T.object_type in ('PS', 'SS') and "},
+  {"         T.object_owner = A.auth_id and "},
+  {"         A.auth_id in %s "},
   {" order by 1 "},
   {"  ; "}
 };
@@ -1273,7 +1275,7 @@ short ExExeUtilGetMetadataInfoTcb::displayHeading()
     break;
 
     case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_ROLE_:
-        str_sprintf(headingBuf_,"Libraries for User %s", getMItdb().getParam1());
+        str_sprintf(headingBuf_,"Libraries for Role %s", getMItdb().getParam1());
     break;
 
     case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_LIBRARY_:
@@ -1308,6 +1310,10 @@ short ExExeUtilGetMetadataInfoTcb::displayHeading()
         str_sprintf(headingBuf_,"Roles for User %s",getMItdb().getParam1());
     break;
 
+    case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_ROLE_:
+        str_sprintf(headingBuf_,"Schemas for Role %s",getMItdb().getParam1());
+    break;
+
     case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_USER_:
         str_sprintf(headingBuf_,"Schemas for User %s",getMItdb().getParam1());
     break;
@@ -1507,6 +1513,12 @@ short ExExeUtilGetMetadataInfoTcb::displayHeading()
 // Reads the "_MD_".auths table to get the auth_id from the passed in authName.
 // If relationship not found for any reason, return 0, otherwise return
 // the authID.
+//
+// TBD - should replace this with a call to currContext->getAuthIDFromName
+//       this function checks for special authID and looks at cache before
+//       calling metadata.  Currently there is an issue because privilege 
+//       error are returned when trying to read AUTHS table.  Need to set 
+//       parserflag 131072.
 // ----------------------------------------------------------------------------
 Int32 ExExeUtilGetMetadataInfoTcb::getAuthID(
   const char *authName,
@@ -1593,6 +1605,9 @@ char * ExExeUtilGetMetadataInfoTcb::getRoleList(
   const char *schName,
   const char *objName)
 {
+  // Always include PUBLIC
+  NAString roleList("(-1");
+
   short rc      = 0;
   Lng32 cliRC   = 0;
 
@@ -1604,23 +1619,22 @@ char * ExExeUtilGetMetadataInfoTcb::getRoleList(
   numOutputEntries_ = 1;
   cliRC = fetchAllRows(infoList_, queryBuf_, numOutputEntries_, FALSE, rc);
   if (cliRC < 0)
-  {
-    cliInterface()->allocAndRetrieveSQLDiagnostics(diagsArea_);
-    return NULL;
-  }
+    {
+      cliInterface()->allocAndRetrieveSQLDiagnostics(diagsArea_);
+      return NULL;
+    }
 
-  NAString roleList("(-1");
   char buf[30];
   infoList_->position();
   while (NOT infoList_->atEnd())
     {
       OutputInfo * vi = (OutputInfo*)infoList_->getCurr();
       if (vi)
-      {
-        str_sprintf(buf, ", %d", *(Lng32*)vi->get(0));
-        roleList += buf;
-      }
-      infoList_->advance();
+        {
+          str_sprintf(buf, ", %d", *(Lng32*)vi->get(0));
+          roleList += buf;
+        }
+          infoList_->advance();
     }
   str_sprintf(buf, ", %d)", userID);
   roleList += buf;
@@ -1672,8 +1686,7 @@ NABoolean ExExeUtilGetMetadataInfoTcb::checkUserPrivs(
   privMDLoc += "\"";
   PrivMgrComponentPrivileges componentPrivileges(privMDLoc,getDiagsArea());
 
-  if (componentPrivileges.hasSQLPriv(ComUser::getCurrentUser(),SQLOperation::SHOW,true))
-    return FALSE;
+  if (componentPrivileges.hasSQLPriv(ComUser::getCurrentUser(),SQLOperation::SHOW,true)) return FALSE;
 
   // Check component privilege based on QueryType
   switch (queryType)
@@ -1976,6 +1989,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
             // used in a select "IN" clause.  Include the current user
             NAString authList;
             NAString colPrivsStmt;
+            NAString var;
 
             if (CmpCommon::context()->isAuthorizationEnabled())
             {
@@ -2284,8 +2298,8 @@ short ExExeUtilGetMetadataInfoTcb::work()
                   param_[10] = getMItdb().sch_;
                   param_[11] = getMItdb().obj_;
                   if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::VIEWS_ON_TABLE_)
-                    strcpy(ausStr, " and T1.object_type = 'BT' ");
-                  param_[12] = ausStr;
+                    var = " and T1.object_type = 'BT' ";
+                  param_[12] = (char *)var.data();
                   param_[13] = (char *)privWhereClause.data();
 
 		}
@@ -2306,20 +2320,98 @@ short ExExeUtilGetMetadataInfoTcb::work()
                   param_[4] = (char *) privWhereClause.data();
 		}
 	      break;
+
               case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_USER_:
-		{
-		  qs = getTrafSchemasForAuthIDQuery;
-		  sizeOfqs = sizeof(getTrafSchemasForAuthIDQuery);
+              case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_ROLE_:
+                {
+                  qs = getTrafSchemasForAuthIDQuery;
+                  sizeOfqs = sizeof(getTrafSchemasForAuthIDQuery);
 
-		  param_[0] = cat;
-		  param_[1] = sch;
-		  param_[2] = tab;
-		  param_[3] = cat;
-		  param_[4] = sch;
-		  param_[5] = auths;
-		  param_[6] = getMItdb().getParam1();
+                  bool isRole = (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_ROLE_);
+
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                  if (isRole)
+                    {
+                      // if incorrect auth type, return error
+                      if (!CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::isPublicUserID(authID))
+                        {
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_ROLE, 
+                              NULL, NULL, NULL,
+                              getMItdb().getParam1());
+                          step_ = HANDLE_ERROR_;
+                          break;
+                        }
+
+                      // Cannot get schemas if current user not granted role
+                      if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+                        {
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                          step_ = HANDLE_ERROR_;
+                          break;
+                        }
+
+                        // Return schemas that are owned by the specified role -> authID = roleID
+                        char buf[30];
+                        str_sprintf(buf, "(%d)", authID);
+                        privWhereClause = buf;
+                    }
+
+                  else /* isUser*/ 
+                    {
+                      // if incorrect auth type, return error
+                      if (!CmpSeabaseDDLauth::isUserID(authID))
+                      {
+                        ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER, 
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1());
+                        step_ = HANDLE_ERROR_;
+                        break;
+                      }
+
+                      // Cannot get schemas for user other than the current user
+                      if (doPrivCheck && authID != ComUser::getCurrentUser())
+                        {
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                          step_ = HANDLE_ERROR_;
+                          break;
+                        }
+                    
+                      // Get list of roles assigned to user, return all schemas
+                      // owned by user and user's roles
+
+                      if (authID == ComUser::getCurrentUser())
+                        privWhereClause = authList;
+                      else
+                        {
+                          char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
+                          if (userRoleList)
+                            {
+                              privWhereClause = userRoleList;
+                              NADELETEBASIC(userRoleList, getHeap());
+                            }
+                          else
+                            {
+                              // Unable to read metadata 
+                              ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+                              step_ = HANDLE_ERROR_;
+                              break;
+                            }
+                        }
+                    }
+
+                  param_[0] = cat;
+                  param_[1] = sch;
+                  param_[2] = tab;
+                  param_[3] = cat;
+                  param_[4] = sch;
+                  param_[5] = auths;
+                  param_[6] = (char *) privWhereClause.data();
 		}
 	      break;
+
               case ComTdbExeUtilGetMetadataInfo::USERS_:
                 {
                   qs = getTrafUsers;
@@ -2422,89 +2514,126 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 break ;
 
               case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_:
-              case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_:
               case ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_:
-              case ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_:
               case ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_USER_:
-              case ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_ROLE_:
                 {
-                  NABoolean isUser =
-                     (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_ ||
-                      getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_USER_ ||
-                      getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_);
+                  qs = getTrafRoutinesForAuthQuery;
+                  sizeOfqs = sizeof(getTrafRoutinesForAuthQuery);
 
                   // Get the authID associated with the specified user
                   Int32 authID = *currContext->getDatabaseUserID();
                   if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
                     authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
 
-                  // Verify that the user is a user, or the role is a role
-                  if (isUser  && !CmpSeabaseDDLauth::isUserID(authID) ||
-                      !isUser && !CmpSeabaseDDLauth::isRoleID(authID))
+                  // If not a user, we are done, don't return data
+                  if (!CmpSeabaseDDLauth::isUserID(authID))
                     {
-                      NAString type = (isUser ? "user" : "role");
-                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_CORRECT_AUTHID,
-                          NULL, NULL, NULL,
-                          getMItdb().getParam1(),
-                          type.data());
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER);
                       step_ = HANDLE_ERROR_;
                       break;
                     }
 
-                  qs = getTrafRoutinesForAuthQuery;
-                  sizeOfqs = sizeof(getTrafRoutinesForAuthQuery);
-
-                  NAString routineType;
-                  if ((getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_) ||
-                      (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_))
-                    routineType = COM_PROCEDURE_TYPE_LIT;
-                  else if ((getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_) ||
-                      (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_))
-                    routineType = COM_SCALAR_UDF_TYPE_LIT;
-                  else 
-                    routineType = COM_TABLE_UDF_TYPE_LIT;
+                  // Non elevated user cannot view routines for another user
+                  if (doPrivCheck && authID != ComUser::getCurrentUser())
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+                  
+                  // Determine routine type
+                  if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_)
+                    var = COM_PROCEDURE_TYPE_LIT;
+                  else if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_)
+                    var = COM_SCALAR_UDF_TYPE_LIT;
+                  else
+                    var = COM_TABLE_UDF_TYPE_LIT;
 
-                  // Getting objects for the current user
-                  if (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0)
-                    privWhereClause = getGrantedPrivCmd(authList, cat, NAString ("T.object_uid"));
+                  // Limit results to privileges allowed for specified user
 
-                  // Getting objects for a user other than the current user
+                  if (authID == ComUser::getCurrentUser())
+                    privWhereClause = getGrantedPrivCmd(authList, cat);
                   else
                     {
-                      if (doPrivCheck)
+                      char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
+                      if (userRoleList)
                         {
-                          // User cannot view privileges for another user
-                          ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
-                          step_ = HANDLE_ERROR_;
-                          break;
+                          privWhereClause = getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
+                          NADELETEBASIC(userRoleList, getHeap());
                         }
                       else
                         {
-                          // get the list of roles for this other user.
-                          char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
-                          if (userRoleList)
-                            {
-                              privWhereClause = getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
-                              NADELETEBASIC(userRoleList, getHeap());
-                            }
-                          else
-                            {
-                              // Unable to read metadata
-                              ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
-                              step_ = HANDLE_ERROR_;
-                              break;
-                            }
+                          // Unable to read metadata
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+                          step_ = HANDLE_ERROR_;
+                          break;
                         }
                     }
 
-		  param_[0] = cat;
-		  param_[1] = sch;
-		  param_[2] = tab;
+                  param_[0] = cat;
+                  param_[1] = sch;
+                  param_[2] = tab;
                   param_[3] = cat;
-		  param_[4] = sch;
-		  param_[5] = routine;
-		  param_[6] = getMItdb().cat_;
-                  param_[7] = (char *)routineType.data();
+                  param_[4] = sch;
+                  param_[5] = routine;
+                  param_[6] = getMItdb().cat_;
+                  param_[7] = (char *)var.data();
+                  param_[8] = (char *) privWhereClause.data();
+                }
+                break ;
+
+              case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_:
+              case ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_:
+              case ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_ROLE_:
+                {
+                  qs = getTrafRoutinesForAuthQuery;
+                  sizeOfqs = sizeof(getTrafRoutinesForAuthQuery);
+
+                  // Get the authID associated with the specified role
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                  // If not a role, we are done, don't return data
+                  if (!CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::isPublicUserID(authID)) 
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_ROLE, 
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1());
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // non elevated user has to be granted role
+                  if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+                    {
+                      // No priv
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // determine routine type
+                  if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_)
+                    var = COM_PROCEDURE_TYPE_LIT;
+                  else if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_)
+                    var = COM_SCALAR_UDF_TYPE_LIT;
+                  else 
+                    var = COM_TABLE_UDF_TYPE_LIT;
+
+                  // Only return rows where role (authID) has been granted privs
+                  char buf[30];
+                  str_sprintf(buf, "(%d)", authID);
+                  privWhereClause = getGrantedPrivCmd(buf, cat, NAString ("T.object_uid"));
+
+                  param_[0] = cat;
+                  param_[1] = sch;
+                  param_[2] = tab;
+                  param_[3] = cat;
+                  param_[4] = sch;
+                  param_[5] = routine;
+                  param_[6] = getMItdb().cat_;
+                  param_[7] = (char *)var.data();
                   param_[8] = (char *) privWhereClause.data();
                 }
                 break ;
@@ -2532,12 +2661,12 @@ short ExExeUtilGetMetadataInfoTcb::work()
                   param_[10] = getMItdb().sch_;
                   param_[11] = getMItdb().obj_;
                   if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_LIBRARY_)
-                    strcpy(ausStr, " R.udr_type = 'P ' ");
+                    var = " R.udr_type = 'P ' ";
                   else if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_LIBRARY_)
-                    strcpy(ausStr, " R.udr_type = 'F ' ");
+                    var = " R.udr_type = 'F ' ";
                   else
-                    strcpy(ausStr, " R.udr_type = 'T ' ");
-                  param_[12] = ausStr;
+                    var = " R.udr_type = 'T ' ";
+                  param_[12] = (char *) var.data();
                   param_[13] = (char *) privWhereClause.data();
                 }
                 break ;
@@ -2550,6 +2679,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
 
                   if (doPrivCheck)
                   {
+                     // return roles granted to current user
                      char buf[authList.length() + 100];
                      str_sprintf(buf, " and auth_id in %s", authList.data());
                      privWhereClause = buf;
@@ -2566,10 +2696,23 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 {
                   qs = getUsersForRoleQuery;
                   sizeOfqs = sizeof(getUsersForRoleQuery);
-                  
-                  // return the name if the role has been granted to the current user
-                  if (doPrivCheck)  
-                     privWhereClause = " and grantee_name = CURRENT_USER ";
+
+                  if (doPrivCheck)
+                    {
+                      // If user not granted role, return an error
+                      Int32 authID = *currContext->getDatabaseUserID();
+                      if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                        authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+                      if (!ComUser::currentUserHasRole(authID))
+                        {
+                           ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                           step_ = HANDLE_ERROR_;
+                           break;
+                         }
+
+                       // limit users to the current user only
+                       privWhereClause = " and grantee_name = CURRENT_USER ";
+                     }
 
                   param_[0] = cat;
                   param_[1] = pmsch;
@@ -2584,115 +2727,75 @@ short ExExeUtilGetMetadataInfoTcb::work()
                   qs = getRolesForUserQuery;
                   sizeOfqs = sizeof(getRolesForUserQuery);
                   
-                  // return the name if the current user was granted the role
                   if (doPrivCheck)  
-                     privWhereClause = " and CURRENT_USER=RU.grantee_name ";
+                    {
+                      // If user not the current user, return an error
+                      // TBD - the current context contains a list of roles, 
+                      //       return list to avoid metadata I/O
+                      if (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) != 0)
+                       {
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                          step_ = HANDLE_ERROR_;
+                          break;
+                        } 
+                    }
+                  else
+                    {
+                      // Get the authID for the request
+                      Int32 authID = *currContext->getDatabaseUserID();
+                      if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                        authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+                      if (!CmpSeabaseDDLauth::isUserID(authID))
+                        {
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER,
+                              NULL, NULL, NULL,
+                              getMItdb().getParam1());
+                          step_ = HANDLE_ERROR_;
+                          break;
+                        }
+                    }
 
                   param_[0] = cat;
                   param_[1] = pmsch;
                   param_[2] = role_usage;
                   param_[3] = getMItdb().getParam1();
-                  param_[4] = (char *) privWhereClause.data();
                 }
               break;
               
               case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_ROLE_:
-              case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_USER_:
                 {
-                  NABoolean isRole = 
-                     (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_ROLE_); 
-              
-                  // Get the authID associated with the current user
-                  Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+                  // Get the authID for the request
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
 
-                  // If the authID was not found for various reasons just return
-                  // Other "get" commands continue and return no rows but it is
-                  // easier to just return with an error.
-                  if (authID == 0)
-                    { 
-                      ExRaiseSqlError(getHeap(), &diagsArea_, -8732,
+                  char buf[authList.length() + 100];
+
+                  // Verify that requested authID is actually a role
+                  if (!CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::isPublicUserID(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_ROLE,
                           NULL, NULL, NULL,
                           getMItdb().getParam1());
                       step_ = HANDLE_ERROR_;
                       break;
                     }
 
-                  if (isRole)
+                  // Non elevated users need to be granted role
+                  if (doPrivCheck && !ComUser::currentUserHasRole(authID))
                     {
-                       // treating PUBLIC (-1) as a role in this instance, return
-                       // error if authID is not a role
-                       if (!CmpSeabaseDDLauth::isRoleID(authID) && authID != PUBLIC_USER)
-                        {
-                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_ROLE, 
-                              NULL, NULL, NULL,
-                              getMItdb().getParam1());
-                          step_ = HANDLE_ERROR_;
-                          break;
-                        }
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
                     }
 
-                  else
-                    {
-                      // Return an error if authID is not a user
-                      if (!CmpSeabaseDDLauth::isUserID(authID))
-                        {
-                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER, 
-                              NULL, NULL, NULL,
-                              getMItdb().getParam1());
-                          step_ = HANDLE_ERROR_;
-                          break;
-                        }
-                    }
-               
+                  // return all privs for the role
+                  str_sprintf(buf, " = %d ", authID);
+                  privWhereClause = buf;
+
                   qs = getPrivsForAuthsQuery;
                   sizeOfqs = sizeof(getPrivsForAuthsQuery);
 
-                  char buf[authList.length() + 100];
-                  if (isRole)
-                  {
-                    if (doPrivCheck)
-                      // Only return name if current user has been
-                      // granted the role
-                      str_sprintf(buf, " = %d and %d in %s ", 
-                                  authID, authID, authList.data());
-                    else
-                      // return all role grantees
-                      str_sprintf(buf, " = %d ", authID );
-                  }
-                  else
-                  {
-                    if (doPrivCheck)
-                    {
-                      // If asking for privileges for a user other than CURRENT_USER, 
-                      // use -2 (special user called _SYSTEM), privileges can never 
-                      // be granted to _SYSTEM. This returns an empty list 
-                      // which match other "get" statements behavior.
-                      if (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) != 0)
-                        str_sprintf(buf, " = -2 ");
-                      else
-                       // return all privs for the user and the users roles
-                       str_sprintf(buf, " in %s ", authList.data());
-                    }
-
-                    else
-                      if (*currContext->getDatabaseUserID() == authID)
-                        str_sprintf(buf, " in %s ", authList.data());
-                      else
-                        {
-                          // If getting privileges for a user other than the CURRENT USER,
-                          // get the list of roles for this other user.
-                          char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
-                          if (userRoleList)
-                          {
-                            str_sprintf(buf, " in %s ", userRoleList);
-                            NADELETEBASIC(userRoleList, getHeap());
-                          }
-                          else 
-                            str_sprintf(buf, " = %d ", authID);
-                        }
-                  }
-                  privWhereClause = buf;
-
                   // This request performs a union between 4 entities:
                   //  1. object_privileges table
                   //  2. schema_privileges table
@@ -2726,8 +2829,91 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 }
               break;
 
-
-              case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_TABLE_:
+              case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_USER_:
+                {
+                  // Get the authID for the request
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                  // Verify that authID is a user
+                  if (!CmpSeabaseDDLauth::isUserID(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER,
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1());
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Non elevated user cannot get privileges for another user
+                  char buf[authList.length() + 100];
+                  if (doPrivCheck) 
+                    {
+                      if (authID != ComUser::getCurrentUser())
+                        {
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                          step_ = HANDLE_ERROR_;
+                          break;
+                        }
+
+                      // return privs for the current user and their roles
+                      str_sprintf(buf, " in %s ", authList.data());
+                    }
+
+                  else
+                    {
+                      // Get role list for requested user
+                      char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
+                      if (userRoleList)
+                      {
+                        str_sprintf(buf, " in %s ", userRoleList);
+                        NADELETEBASIC(userRoleList, getHeap());
+                      }
+                      else
+                        str_sprintf(buf, " = %d ", authID);
+                    }
+                  privWhereClause = buf;
+
+                  qs = getPrivsForAuthsQuery;
+                  sizeOfqs = sizeof(getPrivsForAuthsQuery);
+
+                  // This request performs a union between 4 entities:
+                  //  1. object_privileges table
+                  //  2. schema_privileges table
+                  //  3. column privileges table
+                  //  4. hive metadata tables to retrieve column details
+                  // The call to colPrivsFrag returns the required the union 
+                  // statement(s) for items 3 and 4. See colPrivsFrag for details
+                  if (colPrivsFrag(getMItdb().getParam1(), cat, privWhereClause, colPrivsStmt) < 0)
+                  {
+                    step_ = HANDLE_ERROR_;
+                    break;
+                  }
+
+                  // Union privileges between object, column and schema
+                  // object privs
+                  param_[0] = cat;
+                  param_[1] = pmsch;
+                  param_[2] = objPrivs;
+                  param_[3] = (char *) privWhereClause.data();
+
+                  // schema privs
+                  param_[4] = cat;
+                  param_[5] = pmsch;
+                  param_[6] = schPrivs;
+                  param_[7] = (char *) privWhereClause.data();
+
+                  // column privs
+                  param_[8] = (char *) colPrivsStmt.data();
+
+                  numOutputEntries_ = 2;
+                }
+              break;
+
+
+
+              case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_TABLE_:
               case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_VIEW_:
               case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_SEQUENCE_:
               case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_LIBRARY_:
@@ -2737,24 +2923,40 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 sizeOfqs = sizeof(getTrafPrivsOnObject);
 
                 // Determine the type of object
-                NAString objType;
                 if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_TABLE_)
-                  objType = COM_BASE_TABLE_OBJECT_LIT;
+                  var = COM_BASE_TABLE_OBJECT_LIT;
                 else if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_VIEW_)
-                  objType = COM_VIEW_OBJECT_LIT;
+                  var = COM_VIEW_OBJECT_LIT;
                 else if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_SEQUENCE_)
-                  objType = COM_SEQUENCE_GENERATOR_OBJECT_LIT;
+                  var = COM_SEQUENCE_GENERATOR_OBJECT_LIT;
                 else if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_LIBRARY_)
-                  objType = COM_LIBRARY_OBJECT_LIT;
+                  var = COM_LIBRARY_OBJECT_LIT;
                 else
-                  objType = COM_USER_DEFINED_ROUTINE_OBJECT_LIT;
+                  var = COM_USER_DEFINED_ROUTINE_OBJECT_LIT;
 
                 char buf[authList.length() + 100];
+
+                Int32 authID = 0;
+                if (getMItdb().getParam1())
+                  {
+                    authID = *currContext->getDatabaseUserID();
+                    if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                      authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+                  }
+
                 if (doPrivCheck)
                   {
-                    if (getMItdb().getParam1() && 
-                        (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) != 0))
-                          str_sprintf(buf, "and grantee_id = -2 ");
+                    if (getMItdb().getParam1())
+                      {
+                        if ((CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::currentUserHasRole(authID)) ||
+                            (CmpSeabaseDDLauth::isUserID(authID) && authID != ComUser::getCurrentUser()))
+                          {
+                            ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                            step_ = HANDLE_ERROR_;
+                            break;
+                          }     
+                        str_sprintf(buf, " and grantee_id in %s ", authList.data());
+                      }
                     else
                         str_sprintf(buf, " and grantee_id in %s ", authList.data());
                     privWhereClause = buf;
@@ -2767,7 +2969,6 @@ short ExExeUtilGetMetadataInfoTcb::work()
                           str_sprintf(buf, " and grantee_id in %s ", authList.data());
                         else
                           {
-                            Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
                             char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
                             if (userRoleList)
                               {
@@ -2790,7 +2991,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 param_[6] = getMItdb().cat_;
                 param_[7] = getMItdb().sch_;
                 param_[8] = getMItdb().obj_;
-                param_[9] = (char *)objType.data();
+                param_[9] = (char *)var.data();
                 param_[10] = (char *)privWhereClause.data();
                 param_[11] = cat;
                 param_[12] = pmsch;
@@ -2801,7 +3002,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 param_[17] = getMItdb().cat_;
                 param_[18] = getMItdb().sch_;
                 param_[19] = getMItdb().obj_;
-                param_[20] = (char *)objType.data();
+                param_[20] = (char *)var.data();
                 param_[21] = (char *)privWhereClause.data();
 
                 numOutputEntries_ = 2;
@@ -2809,46 +3010,101 @@ short ExExeUtilGetMetadataInfoTcb::work()
               }
 
               case ComTdbExeUtilGetMetadataInfo::INDEXES_FOR_USER_:
-              case ComTdbExeUtilGetMetadataInfo::INDEXES_FOR_ROLE_:
                 {
-                  qs = getTrafIndexesForUser;
-                  sizeOfqs = sizeof(getTrafIndexesForUser);
+                  qs = getTrafIndexesForAuth;
+                  sizeOfqs = sizeof(getTrafIndexesForAuth);
 
-                  // Getting objects for the current user
-                  if (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0)
-                    privWhereClause = getGrantedPrivCmd(authList, cat, NAString ("T.object_uid"));
+                  // Get the authID associated with the specified user
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
 
-                  // Getting objects for a user other than the current user
+                  // If not a user, we are done, don't return data
+                  if (!CmpSeabaseDDLauth::isUserID(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER, 
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1());
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Non elevated user cannot view indexes for another user
+                  if (doPrivCheck && authID != ComUser::getCurrentUser())
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Limit results to privileges allowed for specified user
+                  
+                  if (authID == ComUser::getCurrentUser())
+                    privWhereClause = getGrantedPrivCmd(authList, cat, NAString("T.object_uid"));
                   else
                     {
-                      if (doPrivCheck)
+                      char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
+                      if (userRoleList)
                         {
-                          // User cannot view privileges for another user
-                          ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
-                          step_ = HANDLE_ERROR_;
-                          break;
+                          privWhereClause = getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
+                          NADELETEBASIC(userRoleList, getHeap());
                         }
                       else
                         {
-                          // Get the authID associated with the requested user
-                          Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
-
-                          // get the list of roles for this other user.
-                          char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
-                          if (userRoleList)
-                            {
-                              privWhereClause = getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
-                              NADELETEBASIC(userRoleList, getHeap());
-                            }
-                          else
-                            {
-                              // Unable to read metadata
-                              ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
-                              step_ = HANDLE_ERROR_;
-                              break;
-                            }
+                          // Unable to read metadata
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+                          step_ = HANDLE_ERROR_;
+                          break;
                         }
                     }
+
+                  param_[0] = cat;
+                  param_[1] = sch;
+                  param_[2] = indexes;
+                  param_[3] = cat;
+                  param_[4] = sch;
+                  param_[5] = tab;
+                  param_[6] = cat;
+                  param_[7] = sch;
+                  param_[8] = tab;
+                  param_[9] = getMItdb().cat_;
+                  param_[10] = (char *)privWhereClause.data();
+                }
+                break;
+
+              case ComTdbExeUtilGetMetadataInfo::INDEXES_FOR_ROLE_:
+                {
+                  qs = getTrafIndexesForAuth;
+                  sizeOfqs = sizeof(getTrafIndexesForAuth);
+
+                  // Get the authID associated with the specified role
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                  // Verify that the authID is actually a role
+                  if (!CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::isPublicUserID(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_ROLE, 
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1());
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Non elevated users need to be granted role
+                  if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Only return indexes that role (authID) has been granted privs
+                  char buf[30];
+                  str_sprintf(buf, "(%d)", authID);
+                  privWhereClause = getGrantedPrivCmd(buf, cat, NAString ("T.object_uid"));
+
                   param_[0] = cat;
                   param_[1] = sch;
                   param_[2] = indexes;
@@ -2863,78 +3119,61 @@ short ExExeUtilGetMetadataInfoTcb::work()
                 }
                 break;
 
+
               case ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_:
-              case ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_:
               case ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_USER_:
-              case ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_ROLE_:
                 {
-                  NABoolean isUser = 
-                     (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_ ||
-                      getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_USER_);
+                  qs = getTrafObjectsForUser;
+                  sizeOfqs = sizeof(getTrafObjectsForUser);
 
                   // Get the authID associated with the specified user
                   Int32 authID = *currContext->getDatabaseUserID();
                   if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
                     authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
 
-                  // Verify that the user is a user, or the role is a role
-                  NABoolean validAuth = FALSE;
-                  if (isUser  && CmpSeabaseDDLauth::isUserID(authID))
-                    validAuth = TRUE;
-                  if (!isUser && CmpSeabaseDDLauth::isRoleID(authID))
-                    validAuth = TRUE;
-
-                  if (!validAuth)
+                  // Verify that the authID is actually a user
+                  if (!CmpSeabaseDDLauth::isUserID(authID))
                     {
-                      NAString authName = (isUser) ? "user" : "role";
-                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_CORRECT_AUTHID,
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER, 
                           NULL, NULL, NULL,
-                          getMItdb().getParam1(),
-                          authName.data());
+                          getMItdb().getParam1());
                       step_ = HANDLE_ERROR_;
                       break;
                     }
   
-                  qs = getTrafObjectsForUser;
-                  sizeOfqs = sizeof(getTrafObjectsForUser);
+                  // Non elevated user cannot view objects for another user
+                  if (doPrivCheck && authID != ComUser::getCurrentUser())
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
 
-                  NAString objType;
-                  if ((getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_) ||
-                      (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_))
-                    objType = COM_BASE_TABLE_OBJECT_LIT;
+                  if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_)
+                    var = COM_BASE_TABLE_OBJECT_LIT;
                   else
-                    objType = COM_VIEW_OBJECT_LIT;
+                    var = COM_VIEW_OBJECT_LIT;
 
-                  // Getting objects for the current user
-                  if (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0)
+                  // Limit results to privileges allowed for specified user
+                  
+                  if (authID == ComUser::getCurrentUser())
                     privWhereClause = getGrantedPrivCmd(authList, cat, NAString ("T.object_uid"));
 
                   // Getting objects for a user other than the current user
                   else
                     {
-                      if (doPrivCheck)
+                      char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
+                      if (userRoleList)
                         {
-                          // User cannot view privileges for another user
-                          ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
-                          step_ = HANDLE_ERROR_;
-                          break;
+                          privWhereClause = getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
+                          NADELETEBASIC(userRoleList, getHeap());
                         }
-                      else
+                      else 
                         {
-                          // get the list of roles for this other user.
-                          char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
-                          if (userRoleList)
-                            {
-                              privWhereClause = getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
-                              NADELETEBASIC(userRoleList, getHeap());
-                            }
-                          else 
-                            {
-                              // Unable to read metadata
-                              ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
-                              step_ = HANDLE_ERROR_;
-                              break;
-                            }
+                          // Unable to read metadata
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+                          step_ = HANDLE_ERROR_;
+                          break;
                         }
                     }
 
@@ -2942,84 +3181,172 @@ short ExExeUtilGetMetadataInfoTcb::work()
                   param_[1] = sch;
                   param_[2] = tab;
                   param_[3] = getMItdb().cat_;
-                  param_[4] = (char *)objType.data();
+                  param_[4] = (char *)var.data();
                   param_[5] = (char *)privWhereClause.data();
                 }
               break;
 
-              case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_USER_:
-              case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_ROLE_:
+              case ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_:
+              case ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_ROLE_:
                 {
-                  NABoolean isUser =
-                     (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_USER_);
+                  qs = getTrafObjectsForUser;
+                  sizeOfqs = sizeof(getTrafObjectsForUser);
 
                   // Get the authID associated with the specified user
                   Int32 authID = *currContext->getDatabaseUserID();
                   if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
                     authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
 
-                  // Verify that the user is a user, or the role is a role
-                  NABoolean validAuth = FALSE;
-                  if (isUser  && CmpSeabaseDDLauth::isUserID(authID))
-                    validAuth = TRUE;
-                  if (!isUser && CmpSeabaseDDLauth::isRoleID(authID))
-                    validAuth = TRUE;
-
-                  if (!validAuth)
+                  // Verify that the specified authID is actually a role
+                  if (!CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::isPublicUserID(authID)) 
                     {
-                      NAString authName = (isUser) ? "user" : "role";
-                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_CORRECT_AUTHID,
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_ROLE, 
                           NULL, NULL, NULL,
-                          getMItdb().getParam1(),
-                          authName.data());
+                          getMItdb().getParam1());
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Non elevated users must be granted the specified role
+                  if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
                       step_ = HANDLE_ERROR_;
                       break;
                     }
 
-                  qs = getTrafLibrariesForUser;
-                  sizeOfqs = sizeof(getTrafLibrariesForUser);
+                  if (getMItdb().queryType_ == ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_)
+                    var = COM_BASE_TABLE_OBJECT_LIT;
+                  else
+                    var = COM_VIEW_OBJECT_LIT;
 
-                  // Getting libraries for the current user
-                  if (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0)
-                    privWhereClause += getGrantedPrivCmd(authList, cat, NAString("R.udr_uid"));
+                  // Only return objects where role (authID) has been granted privs 
+                  char buf[30];
+                  str_sprintf(buf, "(%d)", authID);
+                  privWhereClause = getGrantedPrivCmd(buf, cat, NAString ("T.object_uid"));
+
+                  param_[0] = cat;
+                  param_[1] = sch;
+                  param_[2] = tab;
+                  param_[3] = getMItdb().cat_;
+                  param_[4] = (char *)var.data();
+                  param_[5] = (char *)privWhereClause.data();
+                }
+              break;
+
+              case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_USER_:
+                {
+                  qs = getTrafLibrariesForAuthQuery;
+                  sizeOfqs = sizeof(getTrafLibrariesForAuthQuery);
 
-                  // Getting libraries for a user other than the current user
+                  // Get the authID associated with the specified user
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                  // Verify that the specified authID is actually a user
+                  if (!CmpSeabaseDDLauth::isUserID(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_USER, 
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1());
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Non elevated user cannot view libraries for another user
+                  if (doPrivCheck && authID != ComUser::getCurrentUser())
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+                  
+                  // Return libraries that are owned by the user/user's roles
+                  // or that the user/user's role have been granted privileges
+                    
+                  if (authID == ComUser::getCurrentUser())
+                    privWhereClause += getGrantedPrivCmd(authList, cat);
                   else
                     {
-                      if (doPrivCheck)
+                      char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
+                      if (userRoleList)
                         {
-                          // User cannot view privileges for another user
-                          ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
+                          privWhereClause = getGrantedPrivCmd(userRoleList, cat);
+                          NADELETEBASIC(userRoleList, getHeap());
+                        }
+                      else
+                        {
+                          // Unable to read metadata 
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
                           step_ = HANDLE_ERROR_;
                           break;
                         }
+                    }
+
+                  param_[0] = cat;
+                  param_[1] = sch;
+                  param_[2] = tab;
+                  param_[3] = getMItdb().cat_;
+                  param_[4] = (char *) privWhereClause.data();
+                }
+                break ;
+
+              case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_ROLE_:
+                {
+                  qs = getTrafLibrariesForAuthQuery;
+                  sizeOfqs = sizeof(getTrafLibrariesForAuthQuery);
+
+                  // Get the authID associated with the specified role
+                  Int32 authID = *currContext->getDatabaseUserID();
+                  if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                    authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                  // Verify that the specified authID is actually a role
+                  if (!CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::isPublicUserID(authID)) 
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_A_ROLE, 
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1());
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Non elevated users must be granted role
+                  if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
+
+                  // Return libraries that are owned by the user/user's roles
+                  // or that the user/user's role have been granted privileges
+
+                  if (authID == ComUser::getCurrentUser())
+                    privWhereClause += getGrantedPrivCmd(authList, cat);
+                  else
+                    {
+                      char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
+                      if (userRoleList)
+                        {
+                          privWhereClause = getGrantedPrivCmd(userRoleList, cat);
+                          NADELETEBASIC(userRoleList, getHeap());
+                        }
                       else
                         {
-                          // Get the list of roles for this other user.
-                          char *userRoleList = getRoleList(authID, cat, pmsch, role_usage);
-                          if (userRoleList)
-                            {
-                              privWhereClause = getGrantedPrivCmd(userRoleList, cat, NAString ("R.udr_uid"));
-                              NADELETEBASIC(userRoleList, getHeap());
-                            }
-                          else // return error?
-                            {
-                              // Unable to read metadata
-                              ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
-                              step_ = HANDLE_ERROR_;
-                              break;
-                            }
+                          // Unable to read metadata 
+                          ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+                          step_ = HANDLE_ERROR_;
+                          break;
                         }
                     }
 
                   param_[0] = cat;
                   param_[1] = sch;
                   param_[2] = tab;
-                  param_[3] = cat;
-                  param_[4] = sch;
-                  param_[5] = routine;
-                  param_[6] = getMItdb().cat_;
-                  param_[7] = (char *) privWhereClause.data();
+                  param_[3] = getMItdb().cat_;
+                  param_[4] = (char *) privWhereClause.data();
                 }
                 break ;
 
@@ -3056,38 +3383,41 @@ short ExExeUtilGetMetadataInfoTcb::work()
                     // Get the authID associated with the request's auth name
                     // If can't find authID, NA_UserIdDefault is returned which 
                     // indicates an invalid authID.
-                    Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+                    Int32 authID = *currContext->getDatabaseUserID();
+                    if (!(strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) == 0))
+                      authID = getAuthID(getMItdb().getParam1(), cat, sch, auths);
+
+                    // if incorrect auth type, return error
+                    if (!CmpSeabaseDDLauth::isRoleID(authID) && !CmpSeabaseDDLauth::isUserID(authID) &&
+                        !ComUser::isPublicUserID(authID))
+                    {
+                      ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_IS_NOT_CORRECT_AUTHID,
+                          NULL, NULL, NULL,
+                          getMItdb().getParam1(), "user or role");
+                      step_ = HANDLE_ERROR_;
+                      break;
+                    }
 
                     if (doPrivCheck)
                     {
-                       // If asking for privileges for a user that has no privs
-                       //   authName is invalid
-                       //   authName is a user and not the current user
-                       //   authName is a role and not one of the current user roles
-                       // add a predicate to make operation fail with no rows
-                       // This matches other "get" statement's behavior.
-                       NABoolean hasPriv = TRUE;
-                       if ((authID == NA_UserIdDefault) ||
-                           (CmpSeabaseDDLauth::isUserID(authID) &&
-                             (strcmp(getMItdb().getParam1(), currContext->getDatabaseUserName()) != 0)) || 
-                           (CmpSeabaseDDLauth::isRoleID(authID) &&
-                             !ComUser::currentUserHasRole(authID)))
-                       {
-                          privWhereClause += "and (grantee_id = -2) ";
-                          hasPriv = FALSE;
-                       }
-                       if (hasPriv)
-                       {
-                          privWhereClause += "and (grantee_name = '";
-                          privWhereClause += getMItdb().getParam1();
-                          privWhereClause += "'";
-                          if (CmpSeabaseDDLauth::isUserID(authID) && getMItdb().cascade())
-                          {
-                              privWhereClause += " or grantee_id in ";
-                              privWhereClause += authList.data();
-                          }
-                          privWhereClause += ")";
+                      // If asking for privileges for a user that has no privs, return error
+                      if ((CmpSeabaseDDLauth::isRoleID(authID) && !ComUser::currentUserHasRole(authID)) ||
+                          (CmpSeabaseDDLauth::isUserID(authID) && authID != ComUser::getCurrentUser()))
+                      {
+                        ExRaiseSqlError(getHeap(), &diagsArea_, -CAT_NOT_AUTHORIZED);
+                        step_ = HANDLE_ERROR_;
+                        break;
                        }
+
+                       privWhereClause += "and (grantee_name = '";
+                       privWhereClause += getMItdb().getParam1();
+                       privWhereClause += "'";
+                       if (CmpSeabaseDDLauth::isUserID(authID) && getMItdb().cascade())
+                         {
+                            privWhereClause += " or grantee_id in ";
+                            privWhereClause += authList.data();
+                         }
+                        privWhereClause += ")";
                     }
                     else
                     { 


Mime
View raw message