GitHub user robertamarton opened a pull request:

    https://github.com/apache/incubator-trafodion/pull/757

    [TRAFODION-2167]: Invalid query invalidation keys not working properly

    When a user is revoked from a role, invalidation keys are not being
    processed correctly. Therefore, users can still run queries even though
    privileges have been removed.  Query invalidation is complicated when
    table descriptors are stored in metadata.
    
    Changes:
    
    --> The list of priv_descs created (and stored) was changed to include an entry
        for each user and each role accumulated across all grantors. (Today, each
        priv_desc entry includes the users' direct grants plus grants on their
        active roles.)
    --> When an object is loaded into NATable or NARoutine cache, the priv_desc is
        accessed and the privilege bitmap is now generated by combining the users'
        privileges with privileges of their active roles. Correct invalidation keys
        are now being created and stored with the object. In the first code drop,
        the users' active roles are read from the role_usage table. In the next
        code drop, the active roles will be stored and maintained in executor
        globals.
    --> When a plan is compiled, the correct invalidation keys for users, roles,
        and the public authorization are added to the plan.
    --> Changes in the compiler were required to handle the invalidation keys for
        revoke role and revoke privilege from "PUBLIC".
    --> Cleaned up the code that manages invalidation keys in privilege manager.
    --> Included the correct create and redef times (if available) in the stored
        object descriptor - today they are always set to 0.
    --> Added new regression test to test all the revoke options.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/robertamarton/incubator-trafodion trafodion-2189

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-trafodion/pull/757.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #757
    
----
commit 3b437720a54de88b6a04e44e0257fac0448f0762
Author: Roberta Marton <rmarton@edev07.esgyn.local>
Date:   2016-10-12T01:48:22Z

    [TRAFODION-2167]: Invalid query invalidation keys not working properly
    
    When a user is revoked from a role, invalidation keys are not being
    processed correctly. Therefore, users can still run queries even though
    privileges have been removed.  Query invalidation is complicated when
    table descriptors are stored in metadata.
    
    Changes:
    
    --> The list of priv_descs created (and stored) was changed to include an entry
        for each user and each role accumulated across all grantors. (Today, each
        priv_desc entry includes the users' direct grants plus grants on their
        active roles.)
    --> When an object is loaded into NATable or NARoutine cache, the priv_desc is
        accessed and the privilege bitmap is now generated by combining the users'
        privileges with privileges of their active roles. Correct invalidation keys
        are now being created and stored with the object. In the first code drop,
        the users' active roles are read from the role_usage table. In the next
        code drop, the active roles will be stored and maintained in executor
        globals.
    --> When a plan is compiled, the correct invalidation keys for users, roles,
        and the public authorization are added to the plan.
    --> Changes in the compiler were required to handle the invalidation keys for
        revoke role and revoke privilege from "PUBLIC".
    --> Cleaned up the code that manages invalidation keys in privilege manager.
    --> Included the correct create and redef times (if available) in the stored
        object descriptor - today they are always set to 0.
    --> Added new regression test to test all the revoke options.

----
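The invalidation scheme the pull request describes, as an added simplified model (not Trafodion's own code): one priv_desc entry per grantee and object, the effective bitmap built from the user's direct grants plus active roles and PUBLIC, and a compiled plan carrying one invalidation key per grantee it relied on, so that revoking a role or a PUBLIC privilege fires a key the plan holds. The privilege bits, the `PrivManager` class and the way a role revoke is mapped onto keys are assumptions made for the illustration.

```python
# Constructed privilege bits and names; a stand-in for Trafodion's real bitmap.
SELECT, INSERT = 1, 2
PUBLIC = "PUBLIC"

class PrivManager:
    """One priv_desc entry per grantee (user or role) per object, accumulated
    across all grantors; role_usage holds each user's active roles."""

    def __init__(self):
        self.priv_descs = {}   # (grantee, obj) -> privilege bits
        self.role_usage = {}   # user -> set of active roles

    def grant(self, grantee, obj, bits):
        self.priv_descs[(grantee, obj)] = self.priv_descs.get((grantee, obj), 0) | bits

    def grant_role(self, role, user):
        self.role_usage.setdefault(user, set()).add(role)

    def grantees_for(self, user):
        # authorization ids whose grants a query run by `user` may draw on
        return [user, *sorted(self.role_usage.get(user, ())), PUBLIC]

    def effective_bits(self, user, obj):
        # bitmap built at NATable/NARoutine cache load: the user's direct grants
        # OR'ed with the grants held by each active role and by PUBLIC
        bits = 0
        for grantee in self.grantees_for(user):
            bits |= self.priv_descs.get((grantee, obj), 0)
        return bits

    def compile_plan(self, user, obj):
        # a plan = (privilege bitmap, one invalidation key per grantee relied on)
        keys = frozenset((g, obj) for g in self.grantees_for(user))
        return self.effective_bits(user, obj), keys

    def revoke(self, grantee, obj, bits):
        self.priv_descs[(grantee, obj)] = self.priv_descs.get((grantee, obj), 0) & ~bits
        return {(grantee, obj)}   # keys fired; every cached plan must check them

    def revoke_role(self, role, user):
        self.role_usage.get(user, set()).discard(role)
        # modelled (an assumption) as firing the role's key on every object it holds grants on
        return {(g, obj) for (g, obj) in self.priv_descs if g == role}

def plan_still_valid(plan, fired_keys):
    # a plan survives only if none of its keys was fired by a revoke
    return plan[1].isdisjoint(fired_keys)
```

A plan compiled for a user whose SELECT came only through a role is invalidated by the role revoke and, once recompiled, no longer carries SELECT; a revoke aimed at an unrelated grantee leaves it untouched.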