HAWQ-1318. Fix the bug of cannot start/stop master successfully if ranger is 
enable and with a wrong RPS address


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/63c85628
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/63c85628
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/63c85628

Branch: refs/heads/2.1.0.0-incubating
Commit: 63c856280c1fea655f99a9aea2c2196116cc2ab3
Parents: 8c9b45a
Author: Wen Lin <[email protected]>
Authored: Thu Feb 9 16:03:53 2017 +0800
Committer: Wen Lin <[email protected]>
Committed: Fri Feb 10 10:18:19 2017 +0800

----------------------------------------------------------------------
 src/backend/catalog/aclchk.c | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/63c85628/src/backend/catalog/aclchk.c
----------------------------------------------------------------------
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 3ab3248..416e0c4 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -2715,9 +2715,9 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid 
obj_oid, Oid roleid)
    */
   if (information_schema_namespcace_oid == 0)
   {
-         information_schema_namespcace_oid = 
(int)get_namespace_oid("information_schema");
+      information_schema_namespcace_oid = 
(int)get_namespace_oid("information_schema");
   }
-  /*for heap table, we fall back to native check.*/
+  /* for heap table, we fall back to native check. */
   if (objkind == ACL_KIND_CLASS)
   {
     char relstorage = get_rel_relstorage(obj_oid);
@@ -2728,21 +2728,26 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid 
obj_oid, Oid roleid)
   }
   else if (objkind == ACL_KIND_NAMESPACE)
   {
-       /*native check build-in schemas.*/
+    /* native check build-in schemas. */
     if (obj_oid == PG_CATALOG_NAMESPACE || obj_oid == 
information_schema_namespcace_oid
-               || obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == 
PG_TOAST_NAMESPACE
-                       || obj_oid == PG_BITMAPINDEX_NAMESPACE)
+            || obj_oid == PG_AOSEGMENT_NAMESPACE || obj_oid == 
PG_TOAST_NAMESPACE
+            || obj_oid == PG_BITMAPINDEX_NAMESPACE)
     {
       return true;
     }
+    else if (obj_oid == PG_PUBLIC_NAMESPACE && superuser())
+    {
+      /* superuser's access to PUBLIC */
+      return true;
+    }
   }
   else if (objkind == ACL_KIND_PROC)
   {
-       /*native check functions under build-in schemas.*/
+    /* native check functions under build-in schemas. */
     Oid namespaceid = get_func_namespace(obj_oid);
     if (namespaceid == PG_CATALOG_NAMESPACE || namespaceid == 
information_schema_namespcace_oid
-                       || namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid 
== PG_TOAST_NAMESPACE
-                       || namespaceid == PG_BITMAPINDEX_NAMESPACE)
+            || namespaceid == PG_AOSEGMENT_NAMESPACE || namespaceid == 
PG_TOAST_NAMESPACE
+            || namespaceid == PG_BITMAPINDEX_NAMESPACE)
     {
       return true;
     }
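Review bot: The new `superuser()` test in the ACL_KIND_NAMESPACE branch evaluates the current session user, while fallBackToNativeCheck receives an explicit `roleid`. If a check is ever made on behalf of a different role, the decision to skip Ranger for PUBLIC is taken for the wrong identity. Assuming the usual PostgreSQL helper is available in this tree, `else if (obj_oid == PG_PUBLIC_NAMESPACE && superuser_arg(roleid))` keeps the bypass tied to the role actually being checked. Since this branch is an authorization bypass, its comment should say why it exists, going by the commit title something like `/* superuser on PUBLIC uses native ACLs so the master can start/stop when the Ranger RPS is unreachable */`. The function body starts and ends outside this hunk.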
@@ -2848,16 +2853,17 @@ pg_rangercheck(AclObjectKind objkind, Oid object_oid, 
Oid roleid,
        List* actions = getActionName(mask);
        bool isAll = (how == ACLMASK_ALL) ? true: false;
 
-       elog(DEBUG3, "ranger acl check kind: %d, object name: %s, role: %s, 
mask: %u\n", objkind, objectname, rolename, mask);
+       elog(DEBUG3, "ranger acl check kind: %d, object name: %s, object 
oid:%d, role: %s, mask: %u\n",
+                       objkind, objectname, object_oid, rolename, mask);
 
        List *resultargs = NIL;
-    RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) 
palloc(sizeof(RangerPrivilegeResults));
-    aclresult->result = RANGERCHECK_NO_PRIV;
-    aclresult->relOid = object_oid;
+       RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) 
palloc(sizeof(RangerPrivilegeResults));
+       aclresult->result = RANGERCHECK_NO_PRIV;
+       aclresult->relOid = object_oid;
        /* this two sign fields will be set in function 
create_ranger_request_json */
        aclresult->resource_sign = 0;
        aclresult->privilege_sign = 0;
-    resultargs = lappend(resultargs, aclresult);
+       resultargs = lappend(resultargs, aclresult);
 
        List *requestargs = NIL;
        RangerRequestJsonArgs *requestarg = (RangerRequestJsonArgs *) 
palloc(sizeof(RangerRequestJsonArgs));
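Review bot: The added `object oid:%d` in the DEBUG3 message formats `object_oid`, an `Oid` (unsigned in PostgreSQL-derived code), with a signed conversion. OIDs above INT_MAX would then appear as negative numbers in the log, which makes it harder to match access-check traces to catalog entries. Use `object oid:%u` to match the `%u` already used for `mask`. The trailing `\n` in the format string is carried over from the old line and could be dropped while touching it, as elog normally terminates the message itself. pg_rangercheck starts and ends outside this hunk.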
