trafodion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rmar...@apache.org
Subject [1/3] trafodion git commit: TRAFODION - 3218 User still has privilege after user's role has been revoked ...
Date Wed, 24 Oct 2018 16:20:50 GMT
Repository: trafodion
Updated Branches:
  refs/heads/master 659f59a13 -> 8e38189d4


http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
index a620624..cd785f6 100644
--- a/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
+++ b/core/sql/sqlcomp/CmpSeabaseDDLtable.cpp
@@ -12540,23 +12540,20 @@ ComTdbVirtTablePrivInfo * CmpSeabaseDDL::getSeabasePrivInfo(
 
   // Summarize privileges for object
   PrivStatus privStatus = STATUS_GOOD;
-  std::vector<PrivMgrDesc> privDescs;
+  ComTdbVirtTablePrivInfo *privInfo = new (heap_) ComTdbVirtTablePrivInfo();
+  privInfo->privmgr_desc_list = new (STMTHEAP) PrivMgrDescList(STMTHEAP);
+
+  // Summarize privileges for object
   PrivMgrCommands command(std::string(MDLoc.data()),
                           std::string(privMgrMDLoc.data()),
                           CmpCommon::diags());
-  if (command.getPrivileges(objUID, objType, privDescs) != STATUS_GOOD)
+  if (command.getPrivileges(objUID, objType,
+                            *privInfo->privmgr_desc_list) != STATUS_GOOD)
     {
       *CmpCommon::diags() << DgSqlCode(-CAT_UNABLE_TO_RETRIEVE_PRIVS);
       return NULL;
     }
 
-  ComTdbVirtTablePrivInfo *privInfo = new (STMTHEAP) ComTdbVirtTablePrivInfo();
-
-  // PrivMgrDesc operator= is a deep copy
-  privInfo->privmgr_desc_list = new (STMTHEAP) NAList<PrivMgrDesc>(STMTHEAP);
-  for (size_t i = 0; i < privDescs.size(); i++)
-    privInfo->privmgr_desc_list->insert(privDescs[i]);
-
   return privInfo;
 }
 

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgr.cpp b/core/sql/sqlcomp/PrivMgr.cpp
index 0a5f265..2429b9d 100644
--- a/core/sql/sqlcomp/PrivMgr.cpp
+++ b/core/sql/sqlcomp/PrivMgr.cpp
@@ -36,6 +36,7 @@
 #include "PrivMgrComponentOperations.h"
 #include "PrivMgrComponentPrivileges.h"
 #include "PrivMgrPrivileges.h"
+#include "PrivMgrRoles.h"
 
 // Trafodion includes
 #include "ComDistribution.h"
@@ -154,6 +155,42 @@ PrivMgr::~PrivMgr()
   resetFlags();
 }
 
+// *****************************************************************************
+// * Method: getGranteeIDsForRoleIDs                              
+// *                                                       
+// *    Returns the grantees assigned to the passed in roles
+// *    role list
+// *                                                       
+// *  Parameters:    
+// *                                                                       
+// *  <roleIDs>    list of roles to check
+// *  <granteeIDs> passed back the list (potentially empty) of users granted to 
+// *               the roleIDs
+// *                                                                     
+// * Returns: PrivStatus                                               
+// *                                                                  
+// * STATUS_GOOD: Role list returned
+// *           *: Unable to fetch granted roles, see diags.     
+// *                                                               
+// *****************************************************************************
+PrivStatus PrivMgr::getGranteeIDsForRoleIDs(
+  const std::vector<int32_t>  & roleIDs,
+  std::vector<int32_t> & granteeIDs,
+  bool includeSysGrantor)
+{
+  std::vector<int32_t> granteeIDsForRoleIDs;
+  PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
+  if (roles.fetchGranteesForRoles(roleIDs, granteeIDsForRoleIDs, includeSysGrantor) == STATUS_ERROR)
+    return STATUS_ERROR;
+  for (size_t i = 0; i < granteeIDsForRoleIDs.size(); i++)
+  {
+     int32_t authID = granteeIDsForRoleIDs[i];
+     if (std::find(granteeIDs.begin(), granteeIDs.end(), authID) == granteeIDs.end())
+       granteeIDs.insert( std::upper_bound( granteeIDs.begin(), granteeIDs.end(), authID ), authID);
+  }
+  return STATUS_GOOD;
+}
+
 // ----------------------------------------------------------------------------
 // method:  authorizationEnabled
 //

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgr.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgr.h b/core/sql/sqlcomp/PrivMgr.h
index fd6b8bd..0cd52ce 100644
--- a/core/sql/sqlcomp/PrivMgr.h
+++ b/core/sql/sqlcomp/PrivMgr.h
@@ -168,6 +168,11 @@ class PrivMgr
     // -------------------------------------------------------------------
     // Accessors and destructors:
     // -------------------------------------------------------------------
+    PrivStatus getGranteeIDsForRoleIDs(
+      const std::vector<int32_t> & roleIDs,
+      std::vector<int32_t> & userIDs,
+      bool includeSysGrantor = true);
+
     inline std::string getMetadataLocation (void) {return metadataLocation_;}
     inline const std::string & getMetadataLocation (void) const {return metadataLocation_;}
     inline std::string getTrafMetadataLocation (void) {return trafMetadataLocation_;}

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrCommands.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrCommands.cpp b/core/sql/sqlcomp/PrivMgrCommands.cpp
index 499f544..b80b77c 100644
--- a/core/sql/sqlcomp/PrivMgrCommands.cpp
+++ b/core/sql/sqlcomp/PrivMgrCommands.cpp
@@ -41,6 +41,7 @@
 #include "PrivMgrRoles.h"
 #include "ComSecurityKey.h"
 #include "ComUser.h"
+#include "CmpSeabaseDDL.h"
 #include <cstdio>
 #include <algorithm>
 
@@ -396,9 +397,10 @@ PrivStatus PrivMgrCommands::getPrivileges(
   NATable *naTable,
   const int32_t userID,
   PrivMgrUserPrivs &userPrivs,
-  std::vector <ComSecurityKey *>* secKeySet)
+  ComSecurityKeySet *secKeySet)
 {
   PrivMgrDesc privsOfTheUser;
+  PrivStatus retcode = STATUS_GOOD;
 
   // authorization is not enabled, return bitmaps with all bits set
   // With all bits set, privilege checks will always succeed
@@ -409,35 +411,60 @@ PrivStatus PrivMgrCommands::getPrivileges(
     return STATUS_GOOD;
   }
 
-  // if a hive table and does not have an external table and is not
-  // registered in traf metadata, assume no privs
-  if ((naTable->isHiveTable()) && 
-      (NOT naTable->isRegistered()) &&
-      (!naTable->hasExternalTable()))
+  // if a native table that is not registered nor has an external table
+  // assume no privs.  No privileges, so no security keys are required
+  else if ((naTable->isHiveTable() ||
+            naTable->isHbaseCellTable() ||
+            naTable->isHbaseRowTable()) &&
+           (!naTable->isRegistered() && !naTable->hasExternalTable()))
   {
     PrivMgrDesc emptyDesc;
     userPrivs.initUserPrivs(emptyDesc);
   }
 
-  // if an hbase table and is not registered, assume no privs
- else if ((naTable->isHbaseCellTable() || naTable->isHbaseRowTable()) &&
-          (!naTable->hasExternalTable() && !naTable->isRegistered()))
-  {
-    PrivMgrDesc emptyDesc;
-    userPrivs.initUserPrivs(emptyDesc);
-  }
+  // Check for privileges defined in Trafodion metadata
   else
   {
-    PrivMgrPrivileges objectPrivs (metadataLocation_, pDiags_);
-    PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser((int64_t)naTable->objectUid().get_value(),
-                                                             naTable->getObjectType(),
-                                                             userID,
-                                                             privsOfTheUser,
-                                                             secKeySet);
-    if (retcode != STATUS_GOOD)
-      return retcode;
+    int64_t objectUID = (int64_t)naTable->objectUid().get_value();
 
-    userPrivs.initUserPrivs(privsOfTheUser);
+    // If we are not storing privileges for the object in NATable, go read MD
+    if (naTable->getPrivDescs() == NULL)
+    {
+      PrivMgrPrivileges objectPrivs (metadataLocation_, pDiags_);
+      retcode = objectPrivs.getPrivsOnObjectForUser(objectUID,
+                                                    naTable->getObjectType(),
+                                                    userID,
+                                                    privsOfTheUser);
+      if (retcode != STATUS_GOOD)
+        return retcode;
+
+      userPrivs.initUserPrivs(privsOfTheUser);
+
+      if (secKeySet != NULL)
+      {
+        // The PrivMgrDescList destructor deletes memory
+        PrivMgrDescList descList(naTable->getHeap());
+        PrivMgrDesc *tableDesc = new (naTable->getHeap()) PrivMgrDesc(privsOfTheUser);
+        descList.insert(tableDesc);
+        if (!userPrivs.setPrivInfoAndKeys(descList, userID, objectUID, secKeySet))
+        {
+          SEABASEDDL_INTERNAL_ERROR("Could not create security keys");
+          return STATUS_ERROR;
+        }
+      }
+    }
+
+    // generate privileges from the stored desc list 
+    else
+    {
+      NAList<int32_t> roleIDs (naTable->getHeap());
+      if (ComUser::getCurrentUserRoles(roleIDs) != 0)
+        return STATUS_ERROR;
+
+      if (userPrivs.initUserPrivs(roleIDs, naTable->getPrivDescs(),
+                                  userID, objectUID, secKeySet) == STATUS_ERROR)
+        return retcode;
+    }
   }
 
   return STATUS_GOOD;
@@ -464,15 +491,26 @@ PrivStatus PrivMgrCommands::getPrivileges(
 PrivStatus PrivMgrCommands::getPrivileges(
   const int64_t objectUID,
   ComObjectType objectType,
-  std::vector <PrivMgrDesc > &privDescs)
+  PrivMgrDescList &privDescs)
 {
-  // If authorization is enabled, go get privilege bitmaps from metadata
+  PrivStatus retcode = STATUS_GOOD;
   if (authorizationEnabled())
   {
+    std::vector<PrivMgrDesc> privDescList;
+
     PrivMgrPrivileges privInfo (objectUID, metadataLocation_, pDiags_);
-    return privInfo.getPrivsOnObject(objectType, privDescs);
+    retcode = privInfo.getPrivsOnObject(objectType, privDescList);
+    if (retcode == STATUS_ERROR)
+      return STATUS_ERROR;
+
+    // copy privDescList to privDescs
+    for (size_t i = 0; i < privDescList.size(); i++)
+    {
+      PrivMgrDesc *desc = new (privDescs.getHeap()) PrivMgrDesc(privDescList[i]);
+      privDescs.insert(desc);
+    }
   }
-  return STATUS_GOOD;
+  return retcode;
 }
 
 
@@ -496,8 +534,7 @@ PrivStatus PrivMgrCommands::getPrivileges(
   const int64_t objectUID,
   ComObjectType objectType,
   const int32_t userID,
-  PrivMgrUserPrivs &userPrivs,
-  std::vector <ComSecurityKey *>* secKeySet)
+  PrivMgrUserPrivs &userPrivs)
 {
   PrivMgrDesc privsOfTheUser;
 
@@ -508,8 +545,7 @@ PrivStatus PrivMgrCommands::getPrivileges(
     PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser(objectUID,
                                                              objectType,
                                                              userID,
-                                                             privsOfTheUser,
-                                                             secKeySet);
+                                                             privsOfTheUser);
     if (retcode != STATUS_GOOD)
       return retcode;
   }
@@ -524,34 +560,6 @@ PrivStatus PrivMgrCommands::getPrivileges(
   return STATUS_GOOD;
 }
 
-// ----------------------------------------------------------------------------
-// method: getRoles
-//
-// Returns roleIDs for the grantee.
-//                                                                       
-//  <granteeID> the authorization ID to obtain roles for
-//  <roleIDs> is the returned list of roles
-//                                                                  
-// Returns: PrivStatus                                               
-//                                                                  
-//   STATUS_GOOD: role list was built
-//             *: unexpected error occurred, see diags.     
-// ----------------------------------------------------------------------------
-PrivStatus PrivMgrCommands::getRoles(
-  const int32_t granteeID,
-  std::vector <int32_t > &roleIDs)
-{
-  // If authorization is not enabled, return
-  if (!authorizationEnabled())
-    return STATUS_GOOD;
-  
-  PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
-  std::vector<std::string> roleNames;
-  std::vector<int32_t> roleDepths;
-
-  return  roles.fetchRolesForUser(granteeID,roleNames,roleIDs,roleDepths);
-}
-
 // *****************************************************************************
 // *                                                                           *
 // * Function: PrivMgrCommands::getPrivRowsForObject                           *

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrCommands.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrCommands.h b/core/sql/sqlcomp/PrivMgrCommands.h
index 312cbab..e5275b6 100644
--- a/core/sql/sqlcomp/PrivMgrCommands.h
+++ b/core/sql/sqlcomp/PrivMgrCommands.h
@@ -119,28 +119,23 @@ public:
       NATable *naTable,
       const int32_t granteeUID,
       PrivMgrUserPrivs &userPrivileges,
-      std::vector <ComSecurityKey *>* secKeySet = NULL);
+      NASet<ComSecurityKey> *secKeySet = NULL);
 
    PrivStatus getPrivileges(
       const int64_t objectUID,
       ComObjectType objectType,
-      std::vector<PrivMgrDesc> &userPrivileges);
-     
+      PrivMgrDescList &userPrivileges);
+
    PrivStatus getPrivileges(
       const int64_t objectUID,
       ComObjectType objectType,
       const int32_t granteeUID,
-      PrivMgrUserPrivs &userPrivileges,
-      std::vector <ComSecurityKey *>* secKeySet = NULL);
-     
+      PrivMgrUserPrivs &userPrivileges);
+
    PrivStatus getPrivRowsForObject(
       const int64_t objectUID,
       std::vector<ObjectPrivsRow> & objectPrivsRows);
       
-   PrivStatus getRoles(
-      const int32_t grantee,
-      std::vector<int32_t> &roleIDs);
-
    PrivStatus givePrivForObjects(
          const int32_t currentOwnerID,
          const int32_t newOwnerID,

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
index 257a123..9c85ffe 100644
--- a/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
+++ b/core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp
@@ -1299,11 +1299,13 @@ std::string whereClause(" WHERE COMPONENT_UID = 1 AND (OPERATION_CODE = '");
       std::vector<std::string> roleNames;
       std::vector<int32_t> roleIDs;
       std::vector<int32_t> grantDepths;
+      std::vector<int32_t> grantees;
       
       PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
       
-      PrivStatus privStatus = roles.fetchRolesForUser(authID,roleNames,
-                                                      roleIDs,grantDepths);
+      PrivStatus privStatus = roles.fetchRolesForAuth(authID,roleNames,
+                                                      roleIDs,grantDepths,
+                                                      grantees);
       
       for (size_t r = 0; r < roleIDs.size(); r++)
       {
@@ -1379,11 +1381,13 @@ bool PrivMgrComponentPrivileges::hasWGO(
    std::vector<std::string> roleNames;
    std::vector<int32_t> roleIDs;
    std::vector<int32_t> grantDepths;
+   std::vector<int32_t> grantees;
 
    PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
 
-   if (roles.fetchRolesForUser(authID,roleNames,
-                               roleIDs,grantDepths) == STATUS_ERROR)
+   if (roles.fetchRolesForAuth(authID,roleNames,
+                               roleIDs,grantDepths, 
+                               grantees) == STATUS_ERROR)
       return false;
 
    MyTable &myTable = static_cast<MyTable &>(myTable_);

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrDesc.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrDesc.cpp b/core/sql/sqlcomp/PrivMgrDesc.cpp
index 6a41978..3cfaf72 100644
--- a/core/sql/sqlcomp/PrivMgrDesc.cpp
+++ b/core/sql/sqlcomp/PrivMgrDesc.cpp
@@ -483,3 +483,4 @@ bool PrivMgrDesc::limitToGrantable( const PrivMgrDesc& other )
   return result;
 }
 
+

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrDesc.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrDesc.h b/core/sql/sqlcomp/PrivMgrDesc.h
index 0ff26af..d0e94d4 100644
--- a/core/sql/sqlcomp/PrivMgrDesc.h
+++ b/core/sql/sqlcomp/PrivMgrDesc.h
@@ -580,6 +580,36 @@ private:
 };
 
 
+/* *******************************************************************
+ * Class PrivMgrDescList -- A list of PrivMgrDesc pointers
+ * ****************************************************************** */
+
+class PrivMgrDescList : public LIST(PrivMgrDesc *)
+{
+  public:
+
+  // constructor
+  PrivMgrDescList(CollHeap *heap)
+   : LIST(PrivMgrDesc *)(heap),
+     heap_(heap)
+  {}
+
+  // virtual destructor
+  virtual ~PrivMgrDescList()
+  {
+    for (CollIndex i = 0; i < entries(); i++)
+      NADELETE(operator[](i), PrivMgrDesc, heap_);
+    clear();
+  }
+
+  CollHeap *getHeap() { return heap_; }
+
+  private:
+
+  CollHeap *heap_;
+
+}; // class PrivMgrDescList
+
 
 
 #endif // PRIVMGR_DESC_H

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrPrivileges.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.cpp b/core/sql/sqlcomp/PrivMgrPrivileges.cpp
index fe2c8d1..1e85905 100644
--- a/core/sql/sqlcomp/PrivMgrPrivileges.cpp
+++ b/core/sql/sqlcomp/PrivMgrPrivileges.cpp
@@ -462,59 +462,6 @@ PrivMgrPrivileges::~PrivMgrPrivileges()
 }
 
 // *****************************************************************************
-// * Method: buildSecurityKeys                                
-// *                                                       
-// *    Builds security keys for the current object and specified user.
-// *                                                       
-// *  Parameters:    
-// *                                                                       
-// *  <granteeID> is the unique identifier for the grantee
-// *  <privs> is the list of privileges the user has on the object
-// *  <secKeySet> is the set of security keys to be passed back.  Caller is 
-// *              responsible for freeing keys.
-// *                                                                  
-// * Returns: PrivStatus                                               
-// *                                                                  
-// * STATUS_GOOD: Security keys were built
-// *           *: Security keys were not built, see diags.     
-// *                                                               
-// *****************************************************************************
-PrivStatus PrivMgrPrivileges::buildSecurityKeys(
-  const int32_t granteeID,
-  const PrivMgrCoreDesc &privs,
-  std::vector <ComSecurityKey *> & secKeySet)
-{
-  if (privs.isNull())
-    return STATUS_GOOD;
-
-  // Only need to generate keys for DML privileges
-  for ( size_t i = FIRST_DML_PRIV; i <= LAST_DML_PRIV; i++ )
-  {
-    if ( privs.getPriv(PrivType(i)))
-    {
-      ComSecurityKey *key = NULL;
-      if (ComUser::isPublicUserID(granteeID))
-        key = new ComSecurityKey(granteeID, 
-                                 ComSecurityKey::OBJECT_IS_SPECIAL_ROLE);
-      else
-        key = new ComSecurityKey(granteeID, 
-                                 objectUID_,
-                                 PrivType(i),
-                                 ComSecurityKey::OBJECT_IS_OBJECT);
-      if (key->isValid())
-         secKeySet.push_back(key);
-      else
-      {
-        PRIVMGR_INTERNAL_ERROR("ComSecurityKey is null");
-        return STATUS_ERROR;
-      }
-    }
-  }
-   
-  return STATUS_GOOD;
-}
-
-// *****************************************************************************
 // * Method: getPrivsOnObject                                
 // *                                                       
 // * Creates a set of priv descriptors for all user grantees on an object
@@ -571,7 +518,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObject (
     // getUserPrivs returns object and column privileges summarized across all
     // grantors.  Just get direct grants to the user (role list is empty) 
     if (getUserPrivs(objectType, userID, emptyRoleIDs, privsOfTheUser,
-                     hasManagePrivileges, NULL ) != STATUS_GOOD)
+                     hasManagePrivileges) != STATUS_GOOD)
       return STATUS_ERROR;
     
     if (!privsOfTheUser.isNull())
@@ -590,7 +537,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObject (
     // getUserPrivs returns object and column privileges summarized across
     // all grantors. 
     if (getUserPrivs(objectType, grantee, emptyRoleIDs, privsOfTheUser,
-                     hasManagePrivileges, NULL ) != STATUS_GOOD)
+                     hasManagePrivileges) != STATUS_GOOD)
       return STATUS_ERROR;
     
     if (!privsOfTheUser.isNull())
@@ -1760,7 +1707,7 @@ PrivStatus PrivMgrPrivileges::initGrantRevoke(
   // get column and object privileges across all grantors 
   bool hasManagePrivileges;
   retcode = getUserPrivs(objectType, grantorID_, roleIDs, privsOfTheGrantor,
-                         hasManagePrivileges, NULL );
+                         hasManagePrivileges);
   if (retcode != STATUS_GOOD)
     return retcode;
 
@@ -3185,11 +3132,8 @@ PrivStatus PrivMgrPrivileges::revokeColumnPriv(
          revokedPrivs |= adjustedPrivs.getPrivBitmap(); 
       }
       else
-      {
-         // The row should exist in "grantedColPrivs" 
-         PRIVMGR_INTERNAL_ERROR("Column privilege not found to revoke");
-         return STATUS_ERROR;
-      }   
+         // if column not exist, just continue (ComDiags contains a warning)
+         continue;
 
       
       if (deleteRow)
@@ -3646,8 +3590,9 @@ void PrivMgrPrivileges::scanObjectBranch( const PrivType pType, // in
                       std::vector<int32_t> roleIDs;
                       std::vector<int32_t> userIDs;
                       roleIDs.push_back(thisGrantee);
-                      if (getUserIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR)
+                      if (getGranteeIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR)
                         return;
+
                       for (size_t j = 0; j < userIDs.size(); j++)
                       {
                          granteeAsGrantor = userIDs[j];
@@ -3913,7 +3858,7 @@ void PrivMgrPrivileges::scanColumnBranch( const PrivType pType,
                   std::vector<int32_t> roleIDs;
                   std::vector<int32_t> userIDs;
                   roleIDs.push_back(thisGrantee);
-                  if (getUserIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR)
+                  if (getGranteeIDsForRoleIDs(roleIDs,userIDs) == STATUS_ERROR)
                     return;
                   for (size_t j = 0; j < userIDs.size(); j++)
                   {
@@ -4004,53 +3949,68 @@ PrivStatus PrivMgrPrivileges::sendSecurityKeysToRMS(
   const int32_t granteeID, 
   const PrivMgrDesc &revokedPrivs)
 {
+  NAList<int32_t> roleGrantees (STMTHEAP);
+
+  // If the privilege is revoked from a role, then need to generate QI keys for 
+  // the users associated with the role.
+  if (PrivMgr::isRoleID(granteeID))
+  {
+    // Get users granted to role (granteeID)
+    std::vector<int32_t> roleID;
+    roleID.push_back(granteeID);
+    std::vector<int32_t> granteeIDs;
+    if (getGranteeIDsForRoleIDs(roleID, granteeIDs, false) == STATUS_ERROR)
+      return STATUS_ERROR;
+
+    for (size_t g = 0; g < granteeIDs.size(); g++)
+      roleGrantees.insert(granteeIDs[g]);
+  }
+  else
+    roleGrantees.insert(grantorID_);
+
   // Go through the list of table privileges and generate SQL_QIKEYs
-  std::vector<ComSecurityKey *> keyList;
+  ComSecurityKeySet keyList(NULL);
   const PrivMgrCoreDesc &privs = revokedPrivs.getTablePrivs();
-  PrivStatus privStatus = buildSecurityKeys(granteeID,
-                                            revokedPrivs.getTablePrivs(),
-                                            keyList);
-  if (privStatus != STATUS_GOOD)
+  if (!buildSecurityKeys(roleGrantees,
+                         granteeID,
+                         objectUID_,
+                         false, /* isColumn */
+                         revokedPrivs.getTablePrivs(),
+                         keyList))
   {
-    for(size_t k = 0; k < keyList.size(); k++)
-     delete keyList[k]; 
-    keyList.clear();
-    return privStatus;
+    PRIVMGR_INTERNAL_ERROR("ComSecurityKey is null");
+    return STATUS_ERROR;
   }
 
+
   for (int i = 0; i < revokedPrivs.getColumnPrivs().entries(); i++)
   {
     const NAList<PrivMgrCoreDesc> &columnPrivs = revokedPrivs.getColumnPrivs();
-    privStatus = buildSecurityKeys(granteeID,
-                                   columnPrivs[i],
-                                   keyList);
-    if (privStatus != STATUS_GOOD)
+    if (!buildSecurityKeys(roleGrantees,
+                           granteeID,
+                           objectUID_,
+                           true, /* isColumn */
+                           columnPrivs[i],
+                           keyList))
     {
-      for(size_t k = 0; k < keyList.size(); k++)
-       delete keyList[k]; 
-      keyList.clear();
-      return privStatus;
+      PRIVMGR_INTERNAL_ERROR("ComSecurityKey is null");
+      return STATUS_ERROR;
     }
   }
-  
+
   // Create an array of SQL_QIKEYs
-  int32_t numKeys = keyList.size();
+  int32_t numKeys = keyList.entries();
   SQL_QIKEY siKeyList[numKeys];
-  for (size_t j = 0; j < keyList.size(); j++)
+  for (size_t j = 0; j < numKeys; j++)
   {
-    ComSecurityKey *pKey = keyList[j];
-    siKeyList[j].revokeKey.subject = pKey->getSubjectHashValue();
-    siKeyList[j].revokeKey.object = pKey->getObjectHashValue();
+    ComSecurityKey key = keyList[j];
+    siKeyList[j].revokeKey.subject = key.getSubjectHashValue();
+    siKeyList[j].revokeKey.object = key.getObjectHashValue();
     std::string actionString;
-    pKey->getSecurityKeyTypeAsLit(actionString);
+    key.getSecurityKeyTypeAsLit(actionString);
     strncpy(siKeyList[j].operation, actionString.c_str(), 2);
   }
   
-  // delete the security list
-  for(size_t k = 0; k < keyList.size(); k++)
-   delete keyList[k]; 
-  keyList.clear();
-
   // Call the CLI to send details to RMS
   SQL_EXEC_SetSecInvalidKeys(numKeys, siKeyList);
 
@@ -4209,8 +4169,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObjectForUser(
   const int64_t objectUID,
   ComObjectType objectType,
   const int32_t userID,
-  PrivMgrDesc &privsOfTheUser,
-  std::vector <ComSecurityKey *>* secKeySet)
+  PrivMgrDesc &privsOfTheUser)
 {
   PrivStatus retcode = STATUS_GOOD;
   
@@ -4239,7 +4198,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObjectForUser(
   bool hasManagePrivileges = false;
   
   retcode = getUserPrivs(objectType, userID, roleIDs, privsOfTheUser, 
-                         hasManagePrivileges, secKeySet);
+                         hasManagePrivileges);
 
   return retcode;
 }
@@ -4272,48 +4231,14 @@ PrivStatus retcode = STATUS_GOOD;
 PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
 std::vector<std::string> roleNames;
 std::vector<int32_t> roleDepths;
+std::vector<int32_t> grantees;
   
-   retcode =  roles.fetchRolesForUser(userID,roleNames,roleIDs,roleDepths);
+   retcode =  roles.fetchRolesForAuth(userID,roleNames,roleIDs,roleDepths,grantees);
    return retcode;
 }
 //*************** End of PrivMgrPrivileges::getRoleIDsForUserID ****************
 
 // *****************************************************************************
-// * Method: getUserIDsForRoleIDs                              
-// *                                                       
-// *    Returns the userIDs granted to the role passed in role list
-// *                                                       
-// *  Parameters:    
-// *                                                                       
-// *  <roleIDs> list of roles to check
-// *  <userIDs> passed back the list (potentially empty) of users granted to 
-// *            the roleIDs
-// *                                                                     
-// * Returns: PrivStatus                                               
-// *                                                                  
-// * STATUS_GOOD: Role list returned
-// *           *: Unable to fetch granted roles, see diags.     
-// *                                                               
-// *****************************************************************************
-PrivStatus PrivMgrPrivileges::getUserIDsForRoleIDs(
-  const std::vector<int32_t>  & roleIDs,
-  std::vector<int32_t> & userIDs)
-{
-  std::vector<int32_t> userIDsForRoleIDs;
-  PrivMgrRoles roles(" ",metadataLocation_,pDiags_);
-  if (roles.fetchUsersForRoles(roleIDs, userIDsForRoleIDs) == STATUS_ERROR)
-    return STATUS_ERROR;
-
-  for (size_t i = 0; i < userIDsForRoleIDs.size(); i++)
-  {
-     int32_t authID = userIDsForRoleIDs[i];
-     if (std::find(userIDs.begin(), userIDs.end(), authID) == userIDs.end())
-       userIDs.insert( std::upper_bound( userIDs.begin(), userIDs.end(), authID ), authID);
-  }
-  return STATUS_GOOD;
-}
-
-// *****************************************************************************
 // * Method: getUserPrivs                                
 // *                                                       
 // *    Accumulates privileges for a user summarized over all grantors
@@ -4326,7 +4251,6 @@ PrivStatus PrivMgrPrivileges::getUserIDsForRoleIDs(
 // *  <roleIDs> specifies a list of roles granted to the grantee
 // *  <summarizedPrivs> contains the summarized privileges
 // *  <hasManagePrivileges> returns whether the grantee has MANAGE_PRIVILEGES authority
-// *  <secKeySet> if not NULL, returns a set of keys for user
 // *                                                                     
 // * Returns: PrivStatus                                               
 // *                                                                  
@@ -4339,8 +4263,7 @@ PrivStatus PrivMgrPrivileges::getUserPrivs(
   const int32_t granteeID,
   const std::vector<int32_t> & roleIDs,
   PrivMgrDesc &summarizedPrivs,
-  bool & hasManagePrivileges,
-  std::vector<ComSecurityKey *>* secKeySet 
+  bool & hasManagePrivileges
   )
 {
    PrivStatus retcode = STATUS_GOOD;
@@ -4351,8 +4274,7 @@ PrivStatus PrivMgrPrivileges::getUserPrivs(
                                       granteeID,
                                       roleIDs,
                                       temp,
-                                      hasManagePrivileges,
-                                      secKeySet
+                                      hasManagePrivileges
                                       );
    if (retcode != STATUS_GOOD)
     return retcode;
@@ -4390,8 +4312,7 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors(
    const int32_t granteeID,
    const std::vector<int32_t> & roleIDs,
    PrivMgrDesc &summarizedPrivs,
-   bool & hasManagePrivPriv,
-   std::vector <ComSecurityKey *>* secKeySet 
+   bool & hasManagePrivPriv
    )
 {
   PrivStatus retcode = STATUS_GOOD;
@@ -4429,7 +4350,7 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors(
   // Accumulate object level privileges
   else
   {
-    retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList, secKeySet);
+    retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList);
     if (retcode == STATUS_ERROR)
       return retcode; 
 
@@ -4443,15 +4364,6 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors(
         hasPublicGrantee = true;
 
       PrivMgrCoreDesc temp (row.privsBitmap_, row.grantableBitmap_);
-      if (secKeySet)
-      {
-        retcode = buildSecurityKeys(granteeID,
-                                    temp,
-                                    *secKeySet);
-        if (retcode == STATUS_ERROR)
-          return retcode;
-      }
-
       coreTablePrivs.unionOfPrivs(temp);
     }
   
@@ -4468,7 +4380,7 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors(
 
   // Add accumulated column level privileges
   rowList.clear();
-  retcode = getRowsForGrantee(objectUID, granteeID, false, roleIDs, rowList, secKeySet);
+  retcode = getRowsForGrantee(objectUID, granteeID, false, roleIDs, rowList);
   if (retcode == STATUS_ERROR)
     return retcode;
 
@@ -4483,15 +4395,6 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors(
 
     // See if the ordinal has already been specified
     PrivMgrCoreDesc temp (row.privsBitmap_, row.grantableBitmap_, row.columnOrdinal_);
-    if (secKeySet)
-    {
-      retcode = buildSecurityKeys(granteeID,
-                                  temp,
-                                  *secKeySet);
-      if (retcode == STATUS_ERROR)
-        return retcode;
-    }
-
     PrivMgrCoreDesc *coreColumnPriv = findColumnEntry(coreColumnPrivs, row.columnOrdinal_);
     if (coreColumnPriv)
       coreColumnPriv->unionOfPrivs(temp);
@@ -4576,8 +4479,7 @@ PrivStatus PrivMgrPrivileges::getRowsForGrantee(
   const int32_t granteeID,
   const bool isObjectTable,
   const std::vector<int_32> &roleIDs,
-  std::vector<PrivMgrMDRow *> &rowList,
-  std::vector <ComSecurityKey *>* secKeySet) 
+  std::vector<PrivMgrMDRow *> &rowList)
 {
   PrivStatus retcode = STATUS_GOOD;
 
@@ -4747,7 +4649,7 @@ PrivStatus PrivMgrPrivileges::summarizeCurrentAndOriginalPrivs(
 
   // get OBJECT_PRIVILEGES rows where the grantee has received privileges
   std::vector<PrivMgrMDRow *> rowList;
-  retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList, NULL);
+  retcode = getRowsForGrantee(objectUID, granteeID, true, roleIDs, rowList);
 
   // rowList contains the original privileges, 
   // listOfChangedPrivs contains any updates to privileges

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrPrivileges.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.h b/core/sql/sqlcomp/PrivMgrPrivileges.h
index e0597a2..5b687a6 100644
--- a/core/sql/sqlcomp/PrivMgrPrivileges.h
+++ b/core/sql/sqlcomp/PrivMgrPrivileges.h
@@ -110,11 +110,6 @@ public:
   // -------------------------------------------------------------------
   // Public functions:
   // -------------------------------------------------------------------
-   PrivStatus buildSecurityKeys(
-      const int32_t granteeID, 
-      const PrivMgrCoreDesc &privs,
-      std::vector <ComSecurityKey *> & secKeySet);
-      
    PrivStatus getGrantorDetailsForObject(
       const bool isGrantedBySpecified,
       const std::string grantedByName,
@@ -135,8 +130,7 @@ public:
       const int64_t objectUID,
       ComObjectType objectType,
       const int32_t userID,
-      PrivMgrDesc &privsForTheUser,
-      std::vector <ComSecurityKey *>* secKeySet);
+      PrivMgrDesc &privsForTheUser);
 
    PrivStatus getPrivRowsForObject(
       const int64_t objectUID,
@@ -243,8 +237,7 @@ protected:
      const int32_t grantee,
      const std::vector<int32_t> & roleIDs,
      PrivMgrDesc &privs,
-     bool & hasManagePrivileges,
-     std::vector <ComSecurityKey *>* secKeySet = NULL
+     bool & hasManagePrivileges
      );
           
    PrivStatus getUserPrivs(
@@ -252,8 +245,7 @@ protected:
      const int32_t grantee,
      const std::vector<int32_t> & roleIDs,
      PrivMgrDesc &privs,
-     bool & hasManagePrivileges,
-     std::vector <ComSecurityKey *>* secKeySet = NULL
+     bool & hasManagePrivileges
      );
      
 private: 
@@ -359,17 +351,12 @@ private:
     const int32_t granteeID,
     const bool isObjectTable,
     const std::vector<int32_t> & roleIDs,
-    std::vector<PrivMgrMDRow *> &rowList,
-    std::vector <ComSecurityKey *>* secKeySet); 
+    std::vector<PrivMgrMDRow *> &rowList);
     
   void getTreeOfGrantors(
     const int32_t granteeID,
     std::set<int32_t> &listOfGrantors);
 
-  PrivStatus getUserIDsForRoleIDs(
-    const std::vector<int32_t> & roleIDs,
-    std::vector<int32_t> & userIDs);
-
   PrivStatus givePriv(
      const int32_t currentOwnerID,
      const int32_t newOwnerID,

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrRoles.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrRoles.cpp b/core/sql/sqlcomp/PrivMgrRoles.cpp
index 882ce93..64644d4 100644
--- a/core/sql/sqlcomp/PrivMgrRoles.cpp
+++ b/core/sql/sqlcomp/PrivMgrRoles.cpp
@@ -580,7 +580,7 @@ bool PrivMgrRoles::dependentObjectsExist(
 
 // *****************************************************************************
 // *                                                                           *
-// * Function: PrivMgrRoles::fetchRolesForUser                                 *
+// * Function: PrivMgrRoles::fetchRolesForAuth                                 *
 // *                                                                           *
 // *    Returns all unique roles granted to an authorization ID.  If a role is *
 // * granted more than once, it is only returned one time.  If one or more of  *
@@ -615,24 +615,22 @@ bool PrivMgrRoles::dependentObjectsExist(
 // *              error.  The error is put into the diags area.                *
 // *                                                                           *
 // *****************************************************************************
-PrivStatus PrivMgrRoles::fetchRolesForUser(
+PrivStatus PrivMgrRoles::fetchRolesForAuth(
    const int32_t authID,
    std::vector<std::string> & roleNames,
    std::vector<int32_t> & roleIDs,
-   std::vector<int32_t> & grantDepths)
-
+   std::vector<int32_t> & grantDepths,
+   std::vector<int32_t> & grantees)
 {
-
-std::string whereClause(" WHERE GRANTEE_ID = ");
-
+   std::string whereClause(" WHERE GRANTEE_ID = ");
    whereClause += authIDToString(authID);
-   
-std::vector<MyRow> rows;
-MyTable &myTable = static_cast<MyTable &>(myTable_);
 
-std::string orderByClause(" ORDER BY ROLE_ID");
+   std::vector<MyRow> rows;
+   MyTable &myTable = static_cast<MyTable &>(myTable_);
 
-PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
+   std::string orderByClause(" ORDER BY ROLE_ID");
+
+   PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
    
    if (privStatus != STATUS_GOOD && privStatus != STATUS_WARNING)
       return privStatus;
@@ -641,28 +639,24 @@ PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
    {
       MyRow &row = rows[r];
       
-      if (hasValue(roleIDs,row.roleID_))
+      if (hasValue(roleIDs,row.roleID_) &&
+          hasValue(grantees, row.granteeID_))
       {
          if (grantDepths.back() == 0)
             grantDepths.back() = row.grantDepth_;
          continue;
       }
-      roleNames.push_back(row.granteeName_);
+      roleNames.push_back(row.roleName_);
       roleIDs.push_back(row.roleID_);
+      grantees.push_back(row.granteeID_);
       grantDepths.push_back(row.grantDepth_);
    }
 
    return STATUS_GOOD;
-
 }
-//****************** End of PrivMgrRoles::fetchRolesForUser ********************
+//****************** End of PrivMgrRoles::fetchRolesForAuth ********************
+
 
-// *****************************************************************************
-// *                                                                           *
-// * Function: PrivMgrRoles::fetchUsersForRole                                 *
-// *                                                                           *
-// *    Returns all grantees of a role.                                        *
-// *                                                                           *
 // *****************************************************************************
 // *                                                                           *
 // *  Parameters:                                                              *
@@ -688,45 +682,42 @@ PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
 // *              A CLI error is put into the diags area.                      *
 // *                                                                           *
 // *****************************************************************************
-PrivStatus PrivMgrRoles::fetchUsersForRole(
+
+PrivStatus PrivMgrRoles::fetchGranteesForRole(
    const int32_t roleID,
    std::vector<std::string> & granteeNames,
    std::vector<int32_t> & grantorIDs,
    std::vector<int32_t> & grantDepths)
-
 {
+  std::string whereClause(" WHERE ROLE_ID = ");
+   whereClause += authIDToString(roleID);
 
-std::string whereClause(" WHERE ROLE_ID = ");
+  std::vector<MyRow> rows;
+  MyTable &myTable = static_cast<MyTable &>(myTable_);
 
-   whereClause += authIDToString(roleID);
-   
-std::vector<MyRow> rows;
-MyTable &myTable = static_cast<MyTable &>(myTable_);
+  std::string orderByClause(" ORDER BY GRANTEE_NAME");
 
-std::string orderByClause(" ORDER BY GRANTEE_NAME");
+  PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
 
-PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
-   
    if (privStatus != STATUS_GOOD && privStatus != STATUS_WARNING)
       return privStatus;
-   
+
    for (size_t r = 0; r < rows.size(); r++)
    {
       MyRow &row = rows[r];
-      
+
       granteeNames.push_back(row.granteeName_);
       grantorIDs.push_back(row.grantorID_);
       grantDepths.push_back(row.grantDepth_);
    }
 
    return STATUS_GOOD;
-
 }
-//****************** End of PrivMgrRoles::fetchUsersForRole ********************
+//**************** End of PrivMgrRoles::fetchGranteesForRole *******************
 
 // *****************************************************************************
 // *                                                                           *
-// * Function: PrivMgrRoles::fetchUsersForRoles                                *
+// * Function: PrivMgrRoles::fetchGranteesForRoles                             *
 // *                                                                           *
 // *    Returns all users granted the list of roles                            *
 // *                                                                           *
@@ -737,30 +728,34 @@ PrivStatus privStatus = myTable.selectAllWhere(whereClause,orderByClause,rows);
 // *  <roleIDs>                       const std::vector<int32_t> &    In       *
 // *    is a list of roles.                                                    *
 // *                                                                           *
-// *  <userIDs>                       std::vector<std::int32_t> &     Out      *
-// *    passes back a list of user grantees for the roles.                     *
+// *  <granteeIDs>                    std::vector<std::int32_t> &     Out      *
+// *    passes back a list of user and group grantees for the roles.           *
 // *                                                                           *
 // *****************************************************************************
 // *                                                                           *
 // * Returns: PrivStatus                                                       *
 // *                                                                           *
-// *   STATUS_GOOD: Zero or more userIDs were returned                         *
+// *   STATUS_GOOD: Zero or more granteeIDs were returned                      *
 // *             *: Grants for roles were not returned due to SQL error.       *
 // *                A CLI error is put into the diags area.                    *
 // *                                                                           *
 // *****************************************************************************
-PrivStatus PrivMgrRoles::fetchUsersForRoles(
-   const std::vector<int32_t> & userIDs,
-   std::vector<std::int32_t> & granteeIDs)
+PrivStatus PrivMgrRoles::fetchGranteesForRoles(
+   const std::vector<int32_t> & roleIDs,
+   std::vector<std::int32_t> & granteeIDs,
+   bool includeSysGrantor)
 {
    std::string whereClause(" WHERE ROLE_ID IN( ");
-   for (size_t i = 0; i < userIDs.size(); i++)
+   for (size_t i = 0; i < roleIDs.size(); i++)
    {
       if (i > 0)
         whereClause += ", ";
-      whereClause += authIDToString(userIDs[i]);
+      whereClause += authIDToString(roleIDs[i]);
    }
    whereClause += ")";
+
+   if (!includeSysGrantor)
+     whereClause += " AND GRANTOR_ID <> -2 ";
    std::string orderByClause(" ORDER BY GRANTEE_ID");
 
    std::vector<MyRow> rows;
@@ -775,14 +770,13 @@ PrivStatus PrivMgrRoles::fetchUsersForRoles(
       MyRow &row = rows[r];
 
       if (CmpSeabaseDDLauth::isUserID(row.granteeID_))
-         granteeIDs.push_back(row.granteeID_);
+         if (row.grantorID_ != SYSTEM_USER)
+           granteeIDs.push_back(row.granteeID_);
    }
 
    return STATUS_GOOD;
 }
-//****************** End of PrivMgrRoles::fetchUsersForRole ********************
-
-
+//**************** End of PrivMgrRoles::fetchGranteesForRoles ******************
 
 // *****************************************************************************
 // *                                                                           *

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrRoles.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrRoles.h b/core/sql/sqlcomp/PrivMgrRoles.h
index 83a9120..354fb22 100644
--- a/core/sql/sqlcomp/PrivMgrRoles.h
+++ b/core/sql/sqlcomp/PrivMgrRoles.h
@@ -54,22 +54,24 @@ public:
 // Public functions:
 // -------------------------------------------------------------------
    
-   PrivStatus fetchRolesForUser(
+   PrivStatus fetchRolesForAuth(
       const int32_t authID,
       std::vector<std::string> & roleNames,
       std::vector<int32_t> & roleIDs,
-      std::vector<int32_t> & grantDepths);
-   
-   PrivStatus fetchUsersForRole(
+      std::vector<int32_t> & grantDepths,
+      std::vector<int32_t> & grantees);
+
+   PrivStatus fetchGranteesForRole(
       const int32_t roleID,
       std::vector<std::string> & granteeNames,
       std::vector<int32_t> & grantorIDs,
       std::vector<int32_t> & grantDepths);
-   
-   PrivStatus fetchUsersForRoles(
+
+   PrivStatus fetchGranteesForRoles(
       const std::vector<int32_t> & roleIDs,
-      std::vector<int32_t> & userIDs);
-   
+      std::vector<int32_t> & granteeIDs,
+      bool includeSysGrantor = true);
+
    PrivStatus grantRole(
       const std::vector<int32_t> & roleIDs,
       const std::vector<std::string> & roleNames,

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrUserPrivs.cpp
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrUserPrivs.cpp b/core/sql/sqlcomp/PrivMgrUserPrivs.cpp
index fcdf247..af07694 100644
--- a/core/sql/sqlcomp/PrivMgrUserPrivs.cpp
+++ b/core/sql/sqlcomp/PrivMgrUserPrivs.cpp
@@ -77,82 +77,101 @@ PrivMgrObjectInfo::PrivMgrObjectInfo(
 // ****************************************************************************
 // Class: PrivMgrUserPrivs
 // ****************************************************************************
+
+// ----------------------------------------------------------------------------
+// method: initUserPrivs
+//
+// Creates a PrivMgrUserPrivs object from a PrivMgrDescs list
+// ----------------------------------------------------------------------------
 bool PrivMgrUserPrivs::initUserPrivs(
-  const std::vector<int32_t> & roleIDs,
-  const TrafDesc *priv_desc,
+  const NAList<Int32> & roleIDs,
+  PrivMgrDescList *privDescs,
   const int32_t userID,
   const int64_t objectUID,
-  ComSecurityKeySet & secKeySet)
+  ComSecurityKeySet * secKeySet)
 {
   hasPublicPriv_ = false;
 
-  // generate PrivMgrUserPrivs from the priv_desc structure
-  TrafDesc *priv_grantees_desc = priv_desc->privDesc()->privGrantees;
-  NAList<PrivMgrDesc> descList(NULL);
-
-  // Find relevant descs for the user
-  while (priv_grantees_desc)
+  // create a subset of PrivDesc containing privs applicable for the userID
+  PrivMgrDescList userDescList(privDescs->getHeap());
+  for ( CollIndex i = 0; i < privDescs->entries(); i++)
   {
-    Int32 grantee = priv_grantees_desc->privGranteeDesc()->grantee;
+    const PrivMgrDesc *privs = privDescs->operator[](i);
+    Int32 grantee = privs->getGrantee();
     bool addDesc = false;
-    if (grantee == userID)
+    if (ComUser::isPublicUserID(grantee))
+    {
+      hasPublicPriv_ = true;
+      addDesc = true;
+    }
+    else if (grantee == userID)
       addDesc = true;
 
-    if (PrivMgr::isRoleID(grantee))
+    else if (PrivMgr::isRoleID(grantee))
     {
-      if ((std::find(roleIDs.begin(), roleIDs.end(), grantee)) != roleIDs.end())
+      Int32 entry;
+      if (roleIDs.find(grantee, entry))
         addDesc = true;
     }
 
-    if (ComUser::isPublicUserID(grantee))
+    if (addDesc)
     {
-      addDesc = true;
-      hasPublicPriv_ = true;
+      PrivMgrDesc *myPrivs = new (userDescList.getHeap()) PrivMgrDesc (*privs);
+      userDescList.insert(myPrivs);
     }
+  }
 
-    // Create a list of PrivMgrDesc contain privileges for user, user's roles,
-    // and public
-    if (addDesc)
-    {
-      TrafDesc *objectPrivs = priv_grantees_desc->privGranteeDesc()->objectBitmap;
-
-      PrivMgrCoreDesc objectDesc(objectPrivs->privBitmapDesc()->privBitmap,
-                                 objectPrivs->privBitmapDesc()->privWGOBitmap);
-      
-      TrafDesc *priv_grantee_desc = priv_grantees_desc->privGranteeDesc();
-      TrafDesc *columnPrivs = priv_grantee_desc->privGranteeDesc()->columnBitmaps;
-      NAList<PrivMgrCoreDesc> columnDescs(NULL);
-      while (columnPrivs)
-      {
-        PrivMgrCoreDesc columnDesc(columnPrivs->privBitmapDesc()->privBitmap,
-                                   columnPrivs->privBitmapDesc()->privWGOBitmap,
-                                   columnPrivs->privBitmapDesc()->columnOrdinal);
-        columnDescs.insert(columnDesc);
-        columnPrivs = columnPrivs->next;
-      }
+  if (userDescList.entries() > 0)
+    return setPrivInfoAndKeys(userDescList, userID, objectUID, secKeySet);
+  return true;
+}
 
-      PrivMgrDesc privs(priv_grantees_desc->privGranteeDesc()->grantee);
-      privs.setTablePrivs(objectDesc);
-      privs.setColumnPrivs(columnDescs);
-      privs.setHasPublicPriv(hasPublicPriv_);
+// ----------------------------------------------------------------------------
+// method: initUserPrivs
+//
+// Creates a PrivMgrUserPrivs object from a PrivMgrDesc object
+// ----------------------------------------------------------------------------
+void PrivMgrUserPrivs::initUserPrivs(PrivMgrDesc &privsOfTheUser)
+{
+  objectBitmap_ = privsOfTheUser.getTablePrivs().getPrivBitmap();
+  grantableBitmap_ = privsOfTheUser.getTablePrivs().getWgoBitmap();
 
-      descList.insert(privs);
-    }
-    priv_grantees_desc = priv_grantees_desc->next;
+  for (int32_t i = 0; i < privsOfTheUser.getColumnPrivs().entries(); i++)
+  {
+    const int32_t columnOrdinal = privsOfTheUser.getColumnPrivs()[i].getColumnOrdinal();
+    colPrivsList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getPrivBitmap();
+    colGrantableList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getWgoBitmap();
   }
+  hasPublicPriv_ = privsOfTheUser.getHasPublicPriv();
+}
+
+// ----------------------------------------------------------------------------
+// method: setPrivInfoAndKeys
+//
+// Creates a security keys for a list of PrivMgrDescs
+// ----------------------------------------------------------------------------
+bool PrivMgrUserPrivs::setPrivInfoAndKeys(
+  PrivMgrDescList &descList,
+  const int32_t userID,
+  const int64_t objectUID,
+  NASet<ComSecurityKey> *secKeySet)
+{
+  // Get the list of roleIDs and grantees from cache
+  NAList<int32_t> roleIDs (descList.getHeap());
+  NAList<int32_t> grantees (descList.getHeap());
+  if (ComUser::getCurrentUserRoles(roleIDs, grantees) != 0)
+    return false;
 
-  // Union privileges from all grantees together to create a single set of
-  // bitmaps.  Create security invalidation keys
   for (int i = 0; i < descList.entries(); i++)
   {
-    PrivMgrDesc privs = descList[i];
+    PrivMgrDesc *privs = descList[i];
 
     // Set up object level privileges
-    objectBitmap_ |= privs.getTablePrivs().getPrivBitmap();
-    grantableBitmap_ |= privs.getTablePrivs().getWgoBitmap();
+    objectBitmap_ |= privs->getTablePrivs().getPrivBitmap();
+    grantableBitmap_ |= privs->getTablePrivs().getWgoBitmap();
 
     // Set up column level privileges
-    NAList<PrivMgrCoreDesc> columnPrivs = privs.getColumnPrivs();
+    NAList<PrivMgrCoreDesc> columnPrivs = privs->getColumnPrivs();
     std::map<size_t,PrivColumnBitmap>::iterator it;
     for (int j = 0; j < columnPrivs.entries(); j++)
     {
@@ -172,37 +191,60 @@ bool PrivMgrUserPrivs::initUserPrivs(
     }
 
     // set up security invalidation keys
-    if (!buildSecurityKeys(userID, privs.getGrantee(), objectUID, privs.getTablePrivs(), secKeySet))
+    Int32 grantee = privs->getGrantee();
+    NAList<Int32> roleGrantees(descList.getHeap());
+
+    // If the grantee is a role, then get all users that
+    // have been granted the role.  Create a security key for each.
+    if (PrivMgr::isRoleID(grantee))
+    {
+      for (Int32 j = 0; j < grantees.entries(); j++)
+      {
+         if (grantee == roleIDs[j])
+           roleGrantees.insert(grantees[j]);
+      }
+    }
+
+    // add object security keys
+    if (!buildSecurityKeys(roleGrantees, grantee, objectUID, false, privs->getTablePrivs(), *secKeySet))
       return false;
 
-    for (int k = 0; k < colPrivsList_.size(); k++)
+    // add column security keys
+    NAList<PrivMgrCoreDesc> colPrivs = privs->getColumnPrivs();
+    for (int k = 0; k < colPrivs.entries(); k++)
     {
-      PrivMgrCoreDesc colDesc(colPrivsList_[k], colGrantableList_[k]);
-      if (!buildSecurityKeys(userID, privs.getGrantee(), objectUID, colDesc, secKeySet))
+      PrivMgrCoreDesc colDesc = colPrivs[0];
+      //PrivMgrCoreDesc colDesc(colPrivs[k], colGrantableList_[k]);
+      if (!buildSecurityKeys(roleGrantees, grantee, objectUID, true, colDesc, *secKeySet))
         return false;
     }
   }
 
-  // TBD - add schema privilege bitmaps
   return true;
 }
 
-// ----------------------------------------------------------------------------
-// method: initUserPrivs
+
+// -----------------------------------------------------------------------------
+// Method:: print
 //
-// Creates a PrivMgrUserPrivs object from a PrivMgrDesc object
-// ----------------------------------------------------------------------------
-void PrivMgrUserPrivs::initUserPrivs(PrivMgrDesc &privsOfTheUser)
+// Prints out the bitmaps for the current user
+// -----------------------------------------------------------------------------
+std::string PrivMgrUserPrivs::print()
 {
-  objectBitmap_ = privsOfTheUser.getTablePrivs().getPrivBitmap();
-  grantableBitmap_ = privsOfTheUser.getTablePrivs().getWgoBitmap();
+  std::string privList("Obj: ");
+  privList += objectBitmap_.to_string<char,std::string::traits_type,std::string::allocator_type>();
 
-  for (int32_t i = 0; i < privsOfTheUser.getColumnPrivs().entries(); i++)
+  privList += ", Col: ";
+  Int32 bufSize = 100;
+  char buf[bufSize];
+  for (size_t i = 0; i < colPrivsList_.size(); i++)
   {
-    const int32_t columnOrdinal = privsOfTheUser.getColumnPrivs()[i].getColumnOrdinal();
-    colPrivsList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getPrivBitmap();
-    colGrantableList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getWgoBitmap();
+    std::string bits = colPrivsList_[i].to_string<char,std::string::traits_type,std::string::allocator_type>();
+    // Ignore potential buffer overruns
+    snprintf(buf, bufSize, "%d %s ", (int)i, bits.c_str());
+    privList += buf;
   }
-  hasPublicPriv_ = privsOfTheUser.getHasPublicPriv();
+
+  return privList;
 }
 

http://git-wip-us.apache.org/repos/asf/trafodion/blob/adf2b8f2/core/sql/sqlcomp/PrivMgrUserPrivs.h
----------------------------------------------------------------------
diff --git a/core/sql/sqlcomp/PrivMgrUserPrivs.h b/core/sql/sqlcomp/PrivMgrUserPrivs.h
index a5264c5..473e59e 100644
--- a/core/sql/sqlcomp/PrivMgrUserPrivs.h
+++ b/core/sql/sqlcomp/PrivMgrUserPrivs.h
@@ -28,6 +28,7 @@
 #include <vector>
 #include <bitset>
 #include "PrivMgrDefs.h"
+#include "PrivMgrDesc.h"
 
 class ComSecurityKey;
 class ComDiagsArea;
@@ -333,6 +334,11 @@ class PrivMgrUserPrivs
     return false;
   }
 
+  bool setPrivInfoAndKeys ( PrivMgrDescList &privDescs,
+                            const int32_t userID,
+                            const int64_t objectUID,
+                            NASet<ComSecurityKey> *secKeySet);
+
   PrivColList & getColPrivList() {return colPrivsList_;}
   void setColPrivList(PrivColList colPrivsList)
      {colPrivsList_ = colPrivsList;}
@@ -379,11 +385,14 @@ class PrivMgrUserPrivs
   bool getHasPublicPriv() { return hasPublicPriv_; }
   void setHasPublicPriv(bool hasPublicPriv) {hasPublicPriv_ = hasPublicPriv;}
   void initUserPrivs (PrivMgrDesc &privsOfTheGrantor);
-  bool initUserPrivs ( const std::vector<int32_t> &roleIDs,
-                       const TrafDesc *priv_desc,
+
+  bool initUserPrivs ( const NAList<Int32> &roleIDs,
+                       PrivMgrDescList *privDescs,
                        const int32_t userID,
                        const int64_t objectUID,
-                       NASet<ComSecurityKey> & secKeySet);
+                       NASet<ComSecurityKey> *secKeySet = NULL);
+
+  std::string print();
 
  private:
    PrivObjectBitmap objectBitmap_;


Mime
View raw message