GitHub user robertamarton opened a pull request:
https://github.com/apache/incubator-trafodion/pull/757
[TRAFODION-2167]: Invalid query invalidation keys not working properly
When a user is revoked from a role, invalidation keys are not being
processed correctly. Therefore, users can still run queries even though
privileges have been removed. Query invalidation is complicated when
table descriptors are stored in metadata.
Changes:
--> The list of priv_descs created (and stored) was changed to include an
entry
for each user and each role accumulated across all grantors. (Today,
each
priv_desc entry includes the users' direct grants plus grants on their
active roles.)
--> When an object is loaded into NATable or NARoutine cache, the priv_desc
is
accessed and the privilege bitmap is now generated by combining the
users'
privileges with privileges of their active roles. Correct invalidation
keys
are now being created and stored with the object. In the first code
drop,
the users' active roles are read from the role_usage table. In the next
code drop, the active roles will be stored and maintained in executor
globals.
--> When a plan is compiled, the correct invalidation keys for users, roles,
and the public authorization are added to the plan.
--> Changes in the compiler were required to handle the invalidation keys
for
revoke role and revoke privilege from "PUBLIC".
--> Cleaned up the code that manages invalidation keys in privilege manager.
--> Included the correct create and redef times (if available) in the stored
object descriptor - today they are always set to 0.
--> Added new regression test to test all the revoke options.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/robertamarton/incubator-trafodion
trafodion-2189
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-trafodion/pull/757.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #757
----
commit 3b437720a54de88b6a04e44e0257fac0448f0762
Author: Roberta Marton <rmarton@edev07.esgyn.local>
Date: 2016-10-12T01:48:22Z
[TRAFODION-2167]: Invalid query invalidation keys not working properly
When a user is revoked from a role, invalidation keys are not being
processed correctly. Therefore, users can still run queries even though
privileges have been removed. Query invalidation is complicated when
table descriptors are stored in metadata.
Changes:
--> The list of priv_descs created (and stored) was changed to include an
entry
for each user and each role accumulated across all grantors. (Today,
each
priv_desc entry includes the users' direct grants plus grants on their
active roles.)
--> When an object is loaded into NATable or NARoutine cache, the priv_desc
is
accessed and the privilege bitmap is now generated by combining the
users'
privileges with privileges of their active roles. Correct invalidation
keys
are now being created and stored with the object. In the first code
drop,
the users' active roles are read from the role_usage table. In the next
code drop, the active roles will be stored and maintained in executor
globals.
--> When a plan is compiled, the correct invalidation keys for users, roles,
and the public authorization are added to the plan.
--> Changes in the compiler were required to handle the invalidation keys
for
revoke role and revoke privilege from "PUBLIC".
--> Cleaned up the code that manages invalidation keys in privilege manager.
--> Included the correct create and redef times (if available) in the stored
object descriptor - today they are always set to 0.
--> Added new regression test to test all the revoke options.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
