Changeset: 485057f6d7bf for MonetDB
URL: http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=485057f6d7bf
Modified Files:
sql/backends/monet5/sql.c
sql/server/rel_psm.c
sql/server/rel_schema.c
sql/server/rel_sequence.c
sql/server/sql_privileges.c
sql/server/sql_privileges.h
Branch: default
Log Message:
schema privileges are now also available for the sysadmin role
So a user with the sysadmin role can create schemas, etc.
diffs (truncated from 329 to 300 lines):
diff --git a/sql/backends/monet5/sql.c b/sql/backends/monet5/sql.c
--- a/sql/backends/monet5/sql.c
+++ b/sql/backends/monet5/sql.c
@@ -396,7 +396,7 @@ create_table_or_view(mvc *sql, char *sna
if (mvc_bind_table(sql, s, t->base.name)) {
char *cd = (temp == SQL_DECLARED_TABLE) ? "DECLARE" : "CREATE";
return sql_message("42S01!%s TABLE: name '%s' already in use",
cd, t->base.name);
- } else if (temp != SQL_DECLARED_TABLE && (!schema_privs(sql->role_id,
s) && !(isTempSchema(s) && temp == SQL_LOCAL_TEMP))) {
+ } else if (temp != SQL_DECLARED_TABLE && (!mvc_schema_privs(sql, s) &&
!(isTempSchema(s) && temp == SQL_LOCAL_TEMP))) {
return sql_message("42000!CREATE TABLE: insufficient privileges
for user '%s' in schema '%s'", stack_get_string(sql, "current_user"),
s->base.name);
} else if (temp == SQL_DECLARED_TABLE && !list_empty(t->keys.set)) {
return sql_message("42000!DECLARE TABLE: '%s' cannot have
constraints", t->base.name);
@@ -503,7 +503,7 @@ alter_table(mvc *sql, char *sname, sql_t
if ((nt = mvc_bind_table(sql, s, t->base.name)) == NULL) {
return sql_message("42S02!ALTER TABLE: no such table '%s'",
t->base.name);
- } else if (!schema_privs(sql->role_id, s) && !(isTempSchema(s) &&
t->persistence == SQL_LOCAL_TEMP)) {
+ } else if (!mvc_schema_privs(sql, s) && !(isTempSchema(s) &&
t->persistence == SQL_LOCAL_TEMP)) {
return sql_message("42000!ALTER TABLE: insufficient privileges
for user '%s' in schema '%s'", stack_get_string(sql, "current_user"),
s->base.name);
}
@@ -616,7 +616,7 @@ drop_table(mvc *sql, char *sname, char *
return sql_message("42000!DROP TABLE: cannot drop VIEW '%s'",
tname);
} else if (t->system) {
return sql_message("42000!DROP TABLE: cannot drop system table
'%s'", tname);
- } else if (!schema_privs(sql->role_id, s) && !(isTempSchema(s) &&
t->persistence == SQL_LOCAL_TEMP)) {
+ } else if (!mvc_schema_privs(sql, s) && !(isTempSchema(s) &&
t->persistence == SQL_LOCAL_TEMP)) {
return sql_message("42000!DROP TABLE: access denied for %s to
schema ;'%s'", stack_get_string(sql, "current_user"), s->base.name);
}
if (!drop_action && t->keys.set) {
@@ -661,7 +661,7 @@ drop_view(mvc *sql, char *sname, char *t
t = mvc_bind_table(sql, ss, tname);
- if (!schema_privs(sql->role_id, ss) && !(isTempSchema(ss) && t &&
t->persistence == SQL_LOCAL_TEMP)) {
+ if (!mvc_schema_privs(sql, ss) && !(isTempSchema(ss) && t &&
t->persistence == SQL_LOCAL_TEMP)) {
return sql_message("42000!DROP VIEW: access denied for %s to
schema '%s'", stack_get_string(sql, "current_user"), ss->base.name);
} else if (!t) {
return sql_message("42S02!DROP VIEW: unknown view '%s'", tname);
@@ -708,7 +708,7 @@ drop_index(mvc *sql, char *sname, char *
i = mvc_bind_idx(sql, s, iname);
if (!i) {
return sql_message("42S12!DROP INDEX: no such index '%s'",
iname);
- } else if (!schema_privs(sql->role_id, s)) {
+ } else if (!mvc_schema_privs(sql, s)) {
return sql_message("42000!DROP INDEX: access denied for %s to
schema ;'%s'", stack_get_string(sql, "current_user"), s->base.name);
} else {
mvc_drop_idx(sql, s, i);
@@ -727,7 +727,7 @@ create_seq(mvc *sql, char *sname, sql_se
s = cur_schema(sql);
if (find_sql_sequence(s, seq->base.name)) {
return sql_message("42000!CREATE SEQUENCE: name '%s' already in
use", seq->base.name);
- } else if (!schema_privs(sql->role_id, s)) {
+ } else if (!mvc_schema_privs(sql, s)) {
return sql_message("42000!CREATE SEQUENCE: insufficient
privileges for '%s' in schema '%s'", stack_get_string(sql, "current_user"),
s->base.name);
}
sql_trans_create_sequence(sql->session->tr, s, seq->base.name,
seq->start, seq->minvalue, seq->maxvalue, seq->increment, seq->cacheinc,
seq->cycle, seq->bedropped);
@@ -746,7 +746,7 @@ alter_seq(mvc *sql, char *sname, sql_seq
s = cur_schema(sql);
if (!(nseq = find_sql_sequence(s, seq->base.name))) {
return sql_message("42000!ALTER SEQUENCE: no such sequence
'%s'", seq->base.name);
- } else if (!schema_privs(sql->role_id, s)) {
+ } else if (!mvc_schema_privs(sql, s)) {
return sql_message("42000!ALTER SEQUENCE: insufficient
privileges for '%s' in schema '%s'", stack_get_string(sql, "current_user"),
s->base.name);
}
@@ -769,7 +769,7 @@ drop_seq(mvc *sql, char *sname, char *na
s = cur_schema(sql);
if (!(seq = find_sql_sequence(s, name))) {
return sql_message("42M35!DROP SEQUENCE: no such sequence
'%s'", name);
- } else if (!schema_privs(sql->role_id, s)) {
+ } else if (!mvc_schema_privs(sql, s)) {
return sql_message("42000!DROP SEQUENCE: insufficient
privileges for '%s' in schema '%s'", stack_get_string(sql, "current_user"),
s->base.name);
}
if (mvc_check_dependency(sql, seq->base.id, BEDROPPED_DEPENDENCY, NULL))
@@ -799,7 +799,7 @@ drop_func(mvc *sql, char *sname, char *n
if (n) {
sql_func *func = n->data;
- if (!schema_privs(sql->role_id, s)) {
+ if (!mvc_schema_privs(sql, s)) {
return sql_message("DROP %s%s: access denied
for %s to schema ;'%s'", KF, F, stack_get_string(sql, "current_user"),
s->base.name);
}
if (!action && mvc_check_dependency(sql, func->base.id,
!IS_PROC(func) ? FUNC_DEPENDENCY : PROC_DEPENDENCY, NULL))
@@ -811,7 +811,7 @@ drop_func(mvc *sql, char *sname, char *n
node *n = NULL;
list *list_func = schema_bind_func(sql, s, name, type);
- if (!schema_privs(sql->role_id, s)) {
+ if (!mvc_schema_privs(sql, s)) {
list_destroy(list_func);
return sql_message("DROP %s%s: access denied for %s to
schema ;'%s'", KF, F, stack_get_string(sql, "current_user"), s->base.name);
}
@@ -962,7 +962,7 @@ create_trigger(mvc *sql, char *sname, ch
return sql_message("3F000!CREATE TRIGGER: no such schema '%s'",
sname);
if (!s)
s = cur_schema(sql);
- if (!schema_privs(sql->role_id, s))
+ if (!mvc_schema_privs(sql, s))
return sql_message("3F000!CREATE TRIGGER: access denied for %s
to schema ;'%s'", stack_get_string(sql, "current_user"), s->base.name);
if (mvc_bind_trigger(sql, s, triggername) != NULL)
return sql_message("3F000!CREATE TRIGGER: name '%s' already in
use", triggername);
@@ -1012,7 +1012,7 @@ drop_trigger(mvc *sql, char *sname, char
if (!s)
s = cur_schema(sql);
assert(s);
- if (!schema_privs(sql->role_id, s))
+ if (!mvc_schema_privs(sql, s))
return sql_message("3F000!DROP TRIGGER: access denied for %s to
schema ;'%s'", stack_get_string(sql, "current_user"), s->base.name);
if ((tri = mvc_bind_trigger(sql, s, tname)) == NULL)
@@ -1197,7 +1197,7 @@ SQLcatalog(Client cntxt, MalBlkPtr mb, M
if (!s) {
msg = sql_message("3F000!DROP SCHEMA: name %s does not
exist", sname);
- } else if (!schema_privs(sql->role_id, s)) {
+ } else if (!mvc_schema_privs(sql, s)) {
msg = sql_message("42000!DROP SCHEMA: access denied for
%s to schema ;'%s'", stack_get_string(sql, "current_user"), s->base.name);
} else if (s == cur_schema(sql)) {
msg = sql_message("42000!DROP SCHEMA: cannot drop
current schema");
diff --git a/sql/server/rel_psm.c b/sql/server/rel_psm.c
--- a/sql/server/rel_psm.c
+++ b/sql/server/rel_psm.c
@@ -727,7 +727,7 @@ rel_create_func(mvc *sql, dlist *qname,
}
} else {
list_destroy(type_list);
- if (create && !schema_privs(sql->role_id, s)) {
+ if (create && !mvc_schema_privs(sql, s)) {
return sql_error(sql, 02, "CREATE %s%s: insufficient
privileges "
"for user '%s' in schema '%s'", KF, F,
stack_get_string(sql, "current_user"),
s->base.name);
@@ -1032,7 +1032,7 @@ create_trigger(mvc *sql, dlist *qname, i
new_name = n;
}
}
- if (create && !schema_privs(sql->role_id, ss))
+ if (create && !mvc_schema_privs(sql, ss))
return sql_error(sql, 02, "CREATE TRIGGER: access denied for %s
to schema ;'%s'", stack_get_string(sql, "current_user"), ss->base.name);
if (create && mvc_bind_trigger(sql, ss, tname) != NULL)
return sql_error(sql, 02, "CREATE TRIGGER: name '%s' already in
use", tname);
@@ -1092,7 +1092,7 @@ drop_trigger(mvc *sql, dlist *qname)
char *tname = qname_table(qname);
sql_schema *ss = cur_schema(sql);
- if (!schema_privs(sql->role_id, ss))
+ if (!mvc_schema_privs(sql, ss))
return sql_error(sql, 02, "DROP TRIGGER: access denied for %s
to schema ;'%s'", stack_get_string(sql, "current_user"), ss->base.name);
return rel_drop_trigger(sql, ss->base.name, tname);
}
diff --git a/sql/server/rel_schema.c b/sql/server/rel_schema.c
--- a/sql/server/rel_schema.c
+++ b/sql/server/rel_schema.c
@@ -857,7 +857,7 @@ rel_create_table(mvc *sql, sql_schema *s
if (mvc_bind_table(sql, s, name)) {
char *cd = (temp == SQL_DECLARED_TABLE)?"DECLARE":"CREATE";
return sql_error(sql, 02, "42S01!%s TABLE: name '%s' already in
use", cd, name);
- } else if (temp != SQL_DECLARED_TABLE && (!schema_privs(sql->role_id,
s) && !(isTempSchema(s) && temp == SQL_LOCAL_TEMP))){
+ } else if (temp != SQL_DECLARED_TABLE && (!mvc_schema_privs(sql, s) &&
!(isTempSchema(s) && temp == SQL_LOCAL_TEMP))){
return sql_error(sql, 02, "42000!CREATE TABLE: insufficient
privileges for user '%s' in schema '%s'", stack_get_string(sql,
"current_user"), s->base.name);
} else if (table_elements_or_subquery->token == SQL_CREATE_TABLE) {
/* table element list */
@@ -928,7 +928,7 @@ rel_create_view(mvc *sql, sql_schema *ss
if (create && mvc_bind_table(sql, s, name) != NULL) {
return sql_error(sql, 02, "42S01!CREATE VIEW: name '%s' already
in use", name);
- } else if (create && (!schema_privs(sql->role_id, s) &&
!(isTempSchema(s) && persistent == SQL_LOCAL_TEMP))) {
+ } else if (create && (!mvc_schema_privs(sql, s) && !(isTempSchema(s) &&
persistent == SQL_LOCAL_TEMP))) {
return sql_error(sql, 02, "42000!CREATE VIEW: access denied for
%s to schema ;'%s'", stack_get_string(sql, "current_user"), s->base.name);
} else if (query) {
sql_rel *sq = NULL;
diff --git a/sql/server/rel_sequence.c b/sql/server/rel_sequence.c
--- a/sql/server/rel_sequence.c
+++ b/sql/server/rel_sequence.c
@@ -93,7 +93,7 @@ rel_create_seq(
return sql_error(sql, 02,
"CREATE SEQUENCE: "
"name '%s' already in use", name);
- } else if (!schema_privs(sql->role_id, s)) {
+ } else if (!mvc_schema_privs(sql, s)) {
return sql_error(sql, 02,
"CREATE SEQUENCE: insufficient privileges "
"for '%s' in schema '%s'",
stack_get_string(sql, "current_user"), s->base.name);
@@ -223,7 +223,7 @@ rel_alter_seq(
"ALTER SEQUENCE: "
"no such sequence '%s'", name);
}
- if (!schema_privs(sql->role_id, s)) {
+ if (!mvc_schema_privs(sql, s)) {
return sql_error(sql, 02,
"ALTER SEQUENCE: insufficient privileges "
"for '%s' in schema '%s'",
stack_get_string(sql, "current_user"), s->base.name);
diff --git a/sql/server/sql_privileges.c b/sql/server/sql_privileges.c
--- a/sql/server/sql_privileges.c
+++ b/sql/server/sql_privileges.c
@@ -66,21 +66,37 @@ sql_insert_all_privs(mvc *sql, int auth_
static int
admin_privs(int grantor)
{
- if (grantor == USER_MONETDB) {
+ if (grantor == USER_MONETDB || grantor == ROLE_SYSADMIN) {
return 1;
}
return 0;
}
int
+mvc_schema_privs(mvc *m, sql_schema *s)
+{
+ if (admin_privs(m->user_id) || admin_privs(m->role_id))
+ return 1;
+ if (!s)
+ return 0;
+ if (m->user_id == s->auth_id || m->role_id == s->auth_id)
+ return 1;
+ return 0;
+}
+
+static int
schema_privs(int grantor, sql_schema *s)
{
- if (admin_privs(grantor) || grantor == s->auth_id) {
+ if (admin_privs(grantor))
return 1;
- }
+ if (!s)
+ return 0;
+ if (grantor == s->auth_id)
+ return 1;
return 0;
}
+
char *
sql_grant_global_privs( mvc *sql, char *grantee, int privs, int grant, int
grantor)
{
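Review bot: `admin_privs()` now compares one integer against both `USER_MONETDB` and `ROLE_SYSADMIN`, and `mvc_schema_privs()` calls it with `m->user_id` as well as `m->role_id`, so the check is sound only if user and role identifiers come from one id space; nothing in this hunk shows that, and a comment above `admin_privs()` such as `/* grantor may be a user id or a role id; both are assumed to come from one id space */` would record the assumption. `mvc_schema_privs()` also widens the ownership test: the old call sites passed only `sql->role_id`, whereas the new function accepts `m->user_id == s->auth_id` too, so a session that has switched roles presumably keeps DDL rights in schemas its user owns. If that is intended, it belongs in a header comment on `mvc_schema_privs()`. The admin shortcut returns 1 before the `!s` test, so callers still have to guard against a NULL schema themselves.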
@@ -288,7 +304,7 @@ sql_create_role(mvc *m, str auth, int gr
sql_table *auths = find_sql_table(sys, "auths");
sql_column *auth_name = find_sql_column(auths, "name");
- if (grantor != USER_MONETDB)
+ if (admin_privs(grantor))
return sql_message("0P000!CREATE ROLE: insufficient privileges
to create role '%s'", auth);
if (table_funcs.column_find_row(m->session->tr, auth_name, auth, NULL)
!= oid_nil)
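Review bot: The new guard in `sql_create_role()` is inverted: `if (admin_privs(grantor))` returns the "insufficient privileges" error exactly when the grantor is `USER_MONETDB` or `ROLE_SYSADMIN`, and lets every other grantor fall through to role creation. The removed line denied on `grantor != USER_MONETDB`, and the sibling checks in `sql_grant_role()` and `sql_revoke_role()` use the negated form, so this line should read `if (!admin_privs(grantor))`. As written, an admin-only operation becomes one that any non-admin grantor passes; a regression test asserting that CREATE ROLE from a non-admin session fails with 0P000 would catch this. The function body continues outside the hunk.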
@@ -345,7 +361,7 @@ sql_privilege(mvc *m, int auth_id, int o
int
global_privs(mvc *m, int priv)
{
- if (m->user_id == USER_MONETDB ||
+ if (admin_privs(m->user_id) || admin_privs(m->role_id) ||
sql_privilege(m, m->user_id, GLOBAL_OBJID, priv, 0) == priv ||
sql_privilege(m, m->role_id, GLOBAL_OBJID, priv, 0) == priv ||
sql_privilege(m, ROLE_PUBLIC, GLOBAL_OBJID, priv, 0) == priv) {
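Review bot: The sysadmin bypass added here reaches well past the "schema privileges" named in the log message. With `admin_privs(m->role_id)` in `global_privs()`, and the same addition in `table_privs()`, `sql_grantable()` and `sql_create_user()` further down, a session under `ROLE_SYSADMIN` passes every global and table privilege check, may grant any privilege, and may create users. If full equivalence with `USER_MONETDB` is intended, state it in a comment on `admin_privs()`, e.g. `/* ROLE_SYSADMIN is treated as equivalent to USER_MONETDB in every privilege check */`, and in the commit message. If only schema DDL was meant, keep the role test inside `mvc_schema_privs()` and leave these checks on `USER_MONETDB`. `global_privs()` continues outside the hunk.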
@@ -360,7 +376,7 @@ table_privs(mvc *m, sql_table *t, int pr
/* temporary tables are owned by the session user */
if (t->persistence != SQL_PERSIST || t->commit_action)
return 1;
- if (m->user_id == USER_MONETDB || m->user_id == t->s->auth_id ||
m->role_id == t->s->auth_id || sql_privilege(m, m->user_id, t->base.id, priv,
0) == priv || sql_privilege(m, m->role_id, t->base.id, priv, 0) == priv ||
sql_privilege(m, ROLE_PUBLIC, t->base.id, priv, 0) == priv) {
+ if (admin_privs(m->user_id) || admin_privs(m->role_id) || m->user_id ==
t->s->auth_id || m->role_id == t->s->auth_id || sql_privilege(m, m->user_id,
t->base.id, priv, 0) == priv || sql_privilege(m, m->role_id, t->base.id, priv,
0) == priv || sql_privilege(m, ROLE_PUBLIC, t->base.id, priv, 0) == priv) {
return 1;
}
return 0;
@@ -407,7 +423,7 @@ sql_grant_role(mvc *m, str grantee, str
auth_id = *(int*)val;
_DELETE(val);
- if (grantor != USER_MONETDB && !role_granting_privs(m, rid, auth_id,
grantor))
+ if (!admin_privs(grantor) && !role_granting_privs(m, rid, auth_id,
grantor))
return sql_message("0P000!GRANT: insufficient privileges to
grant ROLE '%s'", auth);
rid = table_funcs.column_find_row(m->session->tr, auths_name, grantee,
NULL);
if (rid == oid_nil)
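Review bot: `!admin_privs(grantor)` tests a single id, while `global_privs()`, `sql_grantable()` and `sql_create_user()` in this commit test both `m->user_id` and `m->role_id`. Where `grantor` comes from is not visible in this hunk; if it carries the user id, a session that holds sysadmin only through its current role is still refused here, and the same applies to `sql_revoke_role()` and `sql_create_role()`. If that is unintended, `if (!admin_privs(m->user_id) && !admin_privs(m->role_id) && !role_granting_privs(m, rid, auth_id, grantor))` would align this check with the other call sites. If the caller chooses `grantor` deliberately, a comment such as `/* grantor is the id selected by the caller (user or role) */` should say which id is expected.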
@@ -455,7 +471,7 @@ sql_revoke_role(mvc *m, str grantee, str
val = table_funcs.column_find_value(m->session->tr, auths_id, rid);
auth_id = *(int*)val;
_DELETE(val);
- if (grantor != USER_MONETDB && !role_granting_privs(m, rid, auth_id,
grantor))
+ if (!admin_privs(grantor) && !role_granting_privs(m, rid, auth_id,
grantor))
return sql_message("0P000!GRANT: insufficient privileges to
grant ROLE '%s'", auth);
if (!admin) {
@@ -558,7 +574,7 @@ sql_grantable_(mvc *m, int grantorid, in
int
sql_grantable(mvc *m, int grantorid, int obj_id, int privs, int sub)
{
- if (m->user_id == USER_MONETDB)
+ if (admin_privs(m->user_id) || admin_privs(m->role_id))
return 1;
return sql_grantable_(m, grantorid, obj_id, privs, sub);
}
@@ -626,7 +642,7 @@ sql_create_user(mvc *sql, char *user, ch
char *err;
int schema_id = 0;
- if (sql->user_id != USER_MONETDB)
+ if (!admin_privs(sql->user_id) && !admin_privs(sql->role_id))
return sql_message("42M31!CREATE USER: insufficient privileges
to create user '%s'", user);
if (backend_find_user(sql, user) >= 0) {
@@ -679,7 +695,7 @@ sql_alter_user(mvc *sql, char *user, cha