Changeset: ad3bcdb51d60 for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=ad3bcdb51d60
Modified Files:
sql/backends/monet5/sql_upgrades.c
sql/backends/monet5/sql_user.c
sql/server/rel_updates.c
sql/server/sql_privileges.c
sql/server/sql_privileges.h
sql/storage/sql_storage.h
sql/storage/store.c
Branch: linear-hashing
Log Message:
Merged with Nov2019
diffs (truncated from 533 to 300 lines):
diff --git a/sql/backends/monet5/sql_upgrades.c
b/sql/backends/monet5/sql_upgrades.c
--- a/sql/backends/monet5/sql_upgrades.c
+++ b/sql/backends/monet5/sql_upgrades.c
@@ -2611,7 +2611,7 @@ SQLupgrades(Client c, mvc *m)
#endif
f = sql_bind_func_(m->sa, s, "env", NULL, F_UNION);
- if (!res && f && sql_privilege(m, ROLE_PUBLIC, f->func->base.id,
PRIV_EXECUTE, 0) != PRIV_EXECUTE) {
+ if (!res && f && sql_privilege(m, ROLE_PUBLIC, f->func->base.id,
PRIV_EXECUTE) != PRIV_EXECUTE) {
sql_table *privs = find_sql_table(s, "privileges");
int pub = ROLE_PUBLIC, p = PRIV_EXECUTE, zero = 0;
diff --git a/sql/backends/monet5/sql_user.c b/sql/backends/monet5/sql_user.c
--- a/sql/backends/monet5/sql_user.c
+++ b/sql/backends/monet5/sql_user.c
@@ -203,7 +203,6 @@ monet5_create_privileges(ptr _mvc, sql_s
{
sql_table *t, *uinfo;
mvc *m = (mvc *) _mvc;
- char *err = NULL;
sqlid schema_id = 0;
str monetdbuser = "monetdb";
list *res, *ops;
@@ -215,7 +214,6 @@ monet5_create_privileges(ptr _mvc, sql_s
mvc_create_column_(m, t, "default_schema", "int", 9);
uinfo = t;
- (void) err;
res = sa_list(m->sa);
list_append(res, sql_create_arg(m->sa, "name", sql_bind_subtype(m->sa,
"varchar", 2048, 0), ARG_OUT));
diff --git a/sql/server/rel_updates.c b/sql/server/rel_updates.c
--- a/sql/server/rel_updates.c
+++ b/sql/server/rel_updates.c
@@ -921,7 +921,7 @@ update_check_column(mvc *sql, sql_table
rel_destroy(r);
return sql_error(sql, 02, SQLSTATE(42S22) "%s: no such column
'%s.%s'", action, t->base.name, cname);
}
- if (!table_privs(sql, t, PRIV_UPDATE) && !sql_privilege(sql,
sql->user_id, c->base.id, PRIV_UPDATE, 0))
+ if (!table_privs(sql, t, PRIV_UPDATE) && !sql_privilege(sql,
sql->user_id, c->base.id, PRIV_UPDATE))
return sql_error(sql, 02, SQLSTATE(42000) "%s: insufficient
privileges for user '%s' to update table '%s' on column '%s'", action,
stack_get_string(sql, "current_user"), t->base.name, cname);
if (!v || (v = rel_check_type(sql, &c->type, r, v, type_equal)) ==
NULL) {
rel_destroy(r);
diff --git a/sql/server/sql_privileges.c b/sql/server/sql_privileges.c
--- a/sql/server/sql_privileges.c
+++ b/sql/server/sql_privileges.c
@@ -110,7 +110,7 @@ sql_grant_global_privs( mvc *sql, char *
allowed = admin_privs(grantor);
if (!allowed)
- allowed = sql_grantable(sql, grantor, GLOBAL_OBJID, privs, 0)
== 1;
+ allowed = sql_grantable(sql, grantor, GLOBAL_OBJID, privs) == 1;
if (!allowed)
throw(SQL,"sql.grant_global",SQLSTATE(0L000) "GRANT: Grantor
'%s' is not allowed to grant global privileges",
stack_get_string(sql,"current_user"));
@@ -119,7 +119,7 @@ sql_grant_global_privs( mvc *sql, char *
if (grantee_id <= 0)
throw(SQL,"sql.grant_global",SQLSTATE(42M32) "GRANT: User/role
'%s' unknown", grantee);
/* first check if privilege isn't already given */
- if ((sql_privilege(sql, grantee_id, GLOBAL_OBJID, privs, 0)))
+ if ((sql_privilege(sql, grantee_id, GLOBAL_OBJID, privs)))
throw(SQL,"sql.grant_global",SQLSTATE(42M32) "GRANT: User/role
'%s' already has this privilege", grantee);
sql_insert_priv(sql, grantee_id, GLOBAL_OBJID, privs, grantor, grant);
tr->schema_updates++;
@@ -148,7 +148,7 @@ sql_grant_table_privs( mvc *sql, char *g
if (!cname) {
if (!allowed)
- allowed = sql_grantable(sql, grantor, t->base.id,
privs, 0) == 1;
+ allowed = sql_grantable(sql, grantor, t->base.id,
privs) == 1;
if (!allowed)
throw(SQL,"sql.grant_table", SQLSTATE(0L000) "GRANT:
Grantor '%s' is not allowed to grant privileges for table '%s'",
stack_get_string(sql,"current_user"), tname);
@@ -159,7 +159,7 @@ sql_grant_table_privs( mvc *sql, char *g
throw(SQL,"sql.grant_table",SQLSTATE(42S22) "GRANT:
Table '%s' has no column '%s'", tname, cname);
/* allowed on column */
if (!allowed)
- allowed = sql_grantable(sql, grantor, c->base.id,
privs, 0) == 1;
+ allowed = sql_grantable(sql, grantor, c->base.id,
privs) == 1;
if (!allowed)
throw(SQL, "sql.grant_table", SQLSTATE(0L000) "GRANT:
Grantor '%s' is not allowed to grant privilege %s for table '%s'",
stack_get_string(sql, "current_user"), priv2string(privs), tname);
@@ -170,13 +170,13 @@ sql_grant_table_privs( mvc *sql, char *g
throw(SQL,"sql.grant_table", SQLSTATE(42M32) "GRANT: User/role
'%s' unknown", grantee);
/* first check if privilege isn't already given */
if ((privs == all &&
- (sql_privilege(sql, grantee_id, t->base.id, PRIV_SELECT, 0) ||
- sql_privilege(sql, grantee_id, t->base.id, PRIV_UPDATE, 0) ||
- sql_privilege(sql, grantee_id, t->base.id, PRIV_INSERT, 0) ||
- sql_privilege(sql, grantee_id, t->base.id, PRIV_DELETE, 0) ||
- sql_privilege(sql, grantee_id, t->base.id, PRIV_TRUNCATE, 0))) ||
- (privs != all && !c && sql_privilege(sql, grantee_id, t->base.id,
privs, 0)) ||
- (privs != all && c && sql_privilege(sql, grantee_id, c->base.id,
privs, 0))) {
+ (sql_privilege(sql, grantee_id, t->base.id, PRIV_SELECT) ||
+ sql_privilege(sql, grantee_id, t->base.id, PRIV_UPDATE) ||
+ sql_privilege(sql, grantee_id, t->base.id, PRIV_INSERT) ||
+ sql_privilege(sql, grantee_id, t->base.id, PRIV_DELETE) ||
+ sql_privilege(sql, grantee_id, t->base.id, PRIV_TRUNCATE))) ||
+ (privs != all && !c && sql_privilege(sql, grantee_id, t->base.id,
privs)) ||
+ (privs != all && c && sql_privilege(sql, grantee_id, c->base.id,
privs))) {
throw(SQL, "sql.grant", SQLSTATE(42M32) "GRANT: User/role '%s'
already has this privilege", grantee);
}
if (privs == all) {
@@ -210,7 +210,7 @@ sql_grant_func_privs( mvc *sql, char *gr
allowed = schema_privs(grantor, f->s);
if (!allowed)
- allowed = sql_grantable(sql, grantor, f->base.id, privs, 0) ==
1;
+ allowed = sql_grantable(sql, grantor, f->base.id, privs) == 1;
if (!allowed)
throw(SQL, "sql.grant_func", SQLSTATE(0L000) "GRANT: Grantor
'%s' is not allowed to grant privileges for function '%s'",
stack_get_string(sql,"current_user"), f->base.name);
@@ -219,7 +219,7 @@ sql_grant_func_privs( mvc *sql, char *gr
if (grantee_id <= 0)
throw(SQL, "sql.grant_func", SQLSTATE(42M32) "GRANT: User/role
'%s' unknown", grantee);
/* first check if privilege isn't already given */
- if (sql_privilege(sql, grantee_id, f->base.id, privs, 0))
+ if (sql_privilege(sql, grantee_id, f->base.id, privs))
throw(SQL,"sql.grant", SQLSTATE(42M32) "GRANT: User/role '%s'
already has this privilege", grantee);
sql_insert_priv(sql, grantee_id, f->base.id, privs, grantor, grant);
tr->schema_updates++;
@@ -259,7 +259,7 @@ sql_revoke_global_privs( mvc *sql, char
allowed = admin_privs(grantor);
if (!allowed)
- allowed = sql_grantable(sql, grantor, GLOBAL_OBJID, privs, 0)
== 1;
+ allowed = sql_grantable(sql, grantor, GLOBAL_OBJID, privs) == 1;
if (!allowed)
throw(SQL, "sql.revoke_global", SQLSTATE(0L000) "REVOKE:
Grantor '%s' is not allowed to revoke global privileges",
stack_get_string(sql,"current_user"));
@@ -291,7 +291,7 @@ sql_revoke_table_privs( mvc *sql, char *
allowed = schema_privs(grantor, t->s);
if (!allowed)
- allowed = sql_grantable(sql, grantor, t->base.id, privs, 0) ==
1;
+ allowed = sql_grantable(sql, grantor, t->base.id, privs) == 1;
if (!allowed)
throw(SQL, "sql.revoke_table", SQLSTATE(0L000) "REVOKE: Grantor
'%s' is not allowed to revoke privileges for table '%s'",
stack_get_string(sql,"current_user"), tname);
@@ -302,7 +302,7 @@ sql_revoke_table_privs( mvc *sql, char *
throw(SQL,"sql.revoke_table", SQLSTATE(42S22) "REVOKE:
table '%s' has no column '%s'", tname, cname);
/* allowed on column */
if (!allowed)
- allowed = sql_grantable(sql, grantor, c->base.id,
privs, 0) == 1;
+ allowed = sql_grantable(sql, grantor, c->base.id,
privs) == 1;
if (!allowed)
throw(SQL, "sql.revoke_table", SQLSTATE(0L000) "REVOKE:
Grantor '%s' is not allowed to revoke privilege %s for table '%s'",
stack_get_string(sql, "current_user"), priv2string(privs), tname);
@@ -344,7 +344,7 @@ sql_revoke_func_privs( mvc *sql, char *g
assert(f);
allowed = schema_privs(grantor, f->s);
if (!allowed)
- allowed = sql_grantable(sql, grantor, f->base.id, privs, 0) ==
1;
+ allowed = sql_grantable(sql, grantor, f->base.id, privs) == 1;
if (!allowed)
throw(SQL, "sql.revoke_func", SQLSTATE(0L000) "REVOKE: Grantor
'%s' is not allowed to revoke privileges for function '%s'",
stack_get_string(sql,"current_user"), f->base.name);
@@ -396,21 +396,32 @@ sql_create_role(mvc *m, str auth, sqlid
str
sql_drop_role(mvc *m, str auth)
{
- oid rid;
+ sqlid role_id = sql_find_auth(m, auth);
sql_schema *sys = find_sql_schema(m->session->tr, "sys");
- sql_table *auths = find_sql_table(sys, "auths");
- sql_column *auth_name = find_sql_column(auths, "name");
+ sql_table *auths = mvc_bind_table(m, sys, "auths");
+ sql_table *user_roles = mvc_bind_table(m, sys, "user_role");
+ sql_trans *tr = m->session->tr;
+ rids *A;
+ oid rid;
- rid = table_funcs.column_find_row(m->session->tr, auth_name, auth,
NULL);
+ rid = table_funcs.column_find_row(tr, find_sql_column(auths, "name"),
auth, NULL);
if (is_oid_nil(rid))
throw(SQL, "sql.drop_role", SQLSTATE(0P000) "DROP ROLE: no such
role '%s'", auth);
table_funcs.table_delete(m->session->tr, auths, rid);
- m->session->tr->schema_updates++;
+
+ /* select user roles of this role_id */
+ A = table_funcs.rids_select(tr, find_sql_column(user_roles, "role_id"),
&role_id, &role_id, NULL);
+ /* remove them */
+ for(rid = table_funcs.rids_next(A); !is_oid_nil(rid); rid =
table_funcs.rids_next(A))
+ table_funcs.table_delete(tr, user_roles, rid);
+ table_funcs.rids_destroy(A);
+
+ tr->schema_updates++;
return NULL;
}
static oid
-sql_privilege_rid(mvc *m, sqlid auth_id, sqlid obj_id, int priv, int sub)
+sql_privilege_rid(mvc *m, sqlid auth_id, sqlid obj_id, int priv)
{
sql_schema *sys = find_sql_schema(m->session->tr, "sys");
sql_table *privs = find_sql_table(sys, "privileges");
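Review bot: sql_drop_role now clears the role's rows from sys.user_role, but nothing in this hunk removes rows in the "privileges" table whose auth_id is the dropped role_id, or whose object id is that role_id for PRIV_ROLE_ADMIN, so grants may outlive the role unless they are cleaned up elsewhere. If auth ids can ever be reused, a later role or user would silently inherit those rows, so it is worth confirming and, if needed, running the same rids_select/table_delete pass over the privileges table. Separately, the result of `table_funcs.rids_select` goes straight into `rids_next` unchecked. If it can return NULL on allocation failure, add `if (A == NULL) throw(SQL, "sql.drop_role", SQLSTATE(HY013) MAL_MALLOC_FAIL);` before the loop. The new code also mixes `m->session->tr` and `tr` in the two `table_delete` calls; using `tr` throughout would read better.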
@@ -418,14 +429,13 @@ sql_privilege_rid(mvc *m, sqlid auth_id,
sql_column *priv_auth = find_sql_column(privs, "auth_id");
sql_column *priv_priv = find_sql_column(privs, "privileges");
- (void) sub;
return table_funcs.column_find_row(m->session->tr, priv_obj, &obj_id,
priv_auth, &auth_id, priv_priv, &priv, NULL);
}
int
-sql_privilege(mvc *m, sqlid auth_id, sqlid obj_id, int priv, int sub)
+sql_privilege(mvc *m, sqlid auth_id, sqlid obj_id, int priv)
{
- oid rid = sql_privilege_rid(m, auth_id, obj_id, priv, sub);
+ oid rid = sql_privilege_rid(m, auth_id, obj_id, priv);
int res = 0;
if (!is_oid_nil(rid)) {
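Review bot: sql_privilege still has no comment stating what it returns, and callers in this changeset test the result three different ways: `== priv` in global_privs, table_privs, column_privs and execute_priv, `!= PRIV_EXECUTE` in SQLupgrades, and plain truthiness in update_check_column and the GRANT "already has this privilege" checks. Since this is the central authorization lookup and its signature is being touched anyway, a short header comment here and on the prototype in sql_privileges.h would make the contract explicit, e.g. `/* returns the privilege value stored for (auth_id, obj_id, priv), or 0 when no matching row exists */`. The function body continues outside this hunk, so the exact wording needs checking against the rest of the function.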
@@ -439,9 +449,9 @@ int
global_privs(mvc *m, int priv)
{
if (admin_privs(m->user_id) || admin_privs(m->role_id) ||
- sql_privilege(m, m->user_id, GLOBAL_OBJID, priv, 0) == priv ||
- sql_privilege(m, m->role_id, GLOBAL_OBJID, priv, 0) == priv ||
- sql_privilege(m, ROLE_PUBLIC, GLOBAL_OBJID, priv, 0) == priv) {
+ sql_privilege(m, m->user_id, GLOBAL_OBJID, priv) == priv ||
+ sql_privilege(m, m->role_id, GLOBAL_OBJID, priv) == priv ||
+ sql_privilege(m, ROLE_PUBLIC, GLOBAL_OBJID, priv) == priv) {
return 1;
}
return 0;
@@ -457,9 +467,9 @@ table_privs(mvc *m, sql_table *t, int pr
return 1;
if (admin_privs(m->user_id) || admin_privs(m->role_id) ||
(t->s && (m->user_id == t->s->auth_id || m->role_id ==
t->s->auth_id)) ||
- sql_privilege(m, m->user_id, t->base.id, priv, 0) == priv ||
- sql_privilege(m, m->role_id, t->base.id, priv, 0) == priv ||
- sql_privilege(m, ROLE_PUBLIC, t->base.id, priv, 0) == priv) {
+ sql_privilege(m, m->user_id, t->base.id, priv) == priv ||
+ sql_privilege(m, m->role_id, t->base.id, priv) == priv ||
+ sql_privilege(m, ROLE_PUBLIC, t->base.id, priv) == priv) {
return 1;
}
return 0;
@@ -476,9 +486,9 @@ column_privs(mvc *m, sql_column *c, int
return 1;
if (admin_privs(m->user_id) || admin_privs(m->role_id) ||
(c->t->s && (m->user_id == c->t->s->auth_id || m->role_id ==
c->t->s->auth_id)) ||
- sql_privilege(m, m->user_id, c->base.id, priv, 0) == priv ||
- sql_privilege(m, m->role_id, c->base.id, priv, 0) == priv ||
- sql_privilege(m, ROLE_PUBLIC, c->base.id, priv, 0) == priv) {
+ sql_privilege(m, m->user_id, c->base.id, priv) == priv ||
+ sql_privilege(m, m->role_id, c->base.id, priv) == priv ||
+ sql_privilege(m, ROLE_PUBLIC, c->base.id, priv) == priv) {
return 1;
}
return 0;
@@ -493,9 +503,9 @@ execute_priv(mvc *m, sql_func *f)
return 1;
if (m->user_id == f->s->auth_id || m->role_id == f->s->auth_id)
return 1;
- if (sql_privilege(m, m->user_id, f->base.id, priv, 0) == priv ||
- sql_privilege(m, m->role_id, f->base.id, priv, 0) == priv ||
- sql_privilege(m, ROLE_PUBLIC, f->base.id, priv, 0) == priv)
+ if (sql_privilege(m, m->user_id, f->base.id, priv) == priv ||
+ sql_privilege(m, m->role_id, f->base.id, priv) == priv ||
+ sql_privilege(m, ROLE_PUBLIC, f->base.id, priv) == priv)
return 1;
return 0;
}
@@ -515,7 +525,7 @@ role_granting_privs(mvc *m, oid role_rid
if (owner_id == grantor_id)
return true;
- if (sql_privilege(m, grantor_id, role_id, PRIV_ROLE_ADMIN, 0))
+ if (sql_privilege(m, grantor_id, role_id, PRIV_ROLE_ADMIN))
return true;
/* check for grant rights in the privs table */
return false;
@@ -603,7 +613,7 @@ sql_revoke_role(mvc *m, str grantee, str
else
throw(SQL,"sql.revoke_role", SQLSTATE(42M32) "REVOKE:
User '%s' does not have ROLE '%s'", grantee, role);
} else {
- rid = sql_privilege_rid(m, grantee_id, role_id,
PRIV_ROLE_ADMIN, 0);
+ rid = sql_privilege_rid(m, grantee_id, role_id,
PRIV_ROLE_ADMIN);
if (!is_oid_nil(rid))
table_funcs.table_delete(m->session->tr, roles, rid);
else
@@ -666,7 +676,7 @@ sql_schema_has_user(mvc *m, sql_schema *
}
static int
-sql_grantable_(mvc *m, sqlid grantorid, sqlid obj_id, int privs, int sub)
+sql_grantable_(mvc *m, sqlid grantorid, sqlid obj_id, int privs)
{
oid rid;
sql_schema *sys = find_sql_schema(m->session->tr, "sys");
@@ -677,7 +687,6 @@ sql_grantable_(mvc *m, sqlid grantorid,
sql_column *priv_allowed = find_sql_column(prvs, "grantable");
int priv;
- (void) sub;
for (priv = 1; priv <= privs; priv <<= 1) {
if (!(priv & privs))
continue;