Repository: incubator-hawq Updated Branches: refs/heads/master fada5f0b2 -> 62392a2bf
HAWQ-1357. Super user also need to check create privilege of public schema from Ranger. Signed-off-by: Hubert Zhang <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/62392a2b Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/62392a2b Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/62392a2b Branch: refs/heads/master Commit: 62392a2bf06ed639105474a046c7cc75f4cefa7a Parents: fada5f0 Author: Chuling Wang <[email protected]> Authored: Thu Feb 23 16:43:40 2017 +0800 Committer: Hubert Zhang <[email protected]> Committed: Thu Feb 23 16:43:40 2017 +0800 ---------------------------------------------------------------------- src/backend/catalog/aclchk.c | 53 ++++++++++++++++++++------------------- src/include/utils/acl.h | 2 +- 2 files changed, 28 insertions(+), 27 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/62392a2b/src/backend/catalog/aclchk.c ---------------------------------------------------------------------- diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index f6ac590..b968a2f 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -228,18 +228,19 @@ restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs, */ if (avail_goptions == ACL_NO_RIGHTS && Gp_role != GP_ROLE_EXECUTE) { - if (aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(objkind, objectId, grantorId)) { - if (pg_rangercheck(objkind, objectId, grantorId, - whole_mask | ACL_GRANT_OPTION_FOR(whole_mask), - ACLMASK_ANY) != ACLCHECK_OK) - aclcheck_error(ACLCHECK_NO_PRIV, objkind, objname); - } - else { - if (pg_aclmask(objkind, objectId, grantorId, - whole_mask | ACL_GRANT_OPTION_FOR(whole_mask), - ACLMASK_ANY) == ACL_NO_RIGHTS) - aclcheck_error(ACLCHECK_NO_PRIV, objkind, objname); - } + if (aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(objkind, objectId, + grantorId, whole_mask | ACL_GRANT_OPTION_FOR(whole_mask))) { + if (pg_rangercheck(objkind, objectId, grantorId, + whole_mask | ACL_GRANT_OPTION_FOR(whole_mask), + ACLMASK_ANY) != ACLCHECK_OK) + aclcheck_error(ACLCHECK_NO_PRIV, objkind, objname); + } + else { + if (pg_aclmask(objkind, objectId, grantorId, + whole_mask | ACL_GRANT_OPTION_FOR(whole_mask), + ACLMASK_ANY) == ACL_NO_RIGHTS) + aclcheck_error(ACLCHECK_NO_PRIV, objkind, objname); + } } /* @@ -306,7 +307,7 @@ bool checkACLNative(GrantObjectType type, Oid oid) { return false; } - return fallBackToNativeCheck(kind, oid, GetUserId()); + return fallBackToNativeCheck(kind, oid, GetUserId(), ACL_NO_RIGHTS); } /* @@ -2751,7 +2752,7 @@ bool checkNamespaceFallback(Oid x) } } -bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid) +bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid, AclMode mode) { /* get the latest information_schema_namespcace_oid. Since caql access heap table * directly without aclcheck, this function will not be called recursively @@ -2776,7 +2777,7 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid) { return true; } - else if (obj_oid == PG_PUBLIC_NAMESPACE && superuser()) + else if (obj_oid == PG_PUBLIC_NAMESPACE && superuser() && mode == ACL_USAGE) { /* superuser's access to PUBLIC */ return true; @@ -2804,7 +2805,7 @@ bool fallBackToNativeChecks(AclObjectKind objkind, List* table_list, Oid roleid) foreach(l, table_list) { RangeTblEntry *rte=(RangeTblEntry *) lfirst(l); - bool ret = fallBackToNativeCheck(ACL_KIND_CLASS, rte->relid, roleid); + bool ret = fallBackToNativeCheck(ACL_KIND_CLASS, rte->relid, roleid, ACL_NO_RIGHTS); if(ret) { return true; @@ -3937,7 +3938,7 @@ pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_CLASS, table_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_CLASS, table_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_CLASS, table_oid, roleid, mode, ACLMASK_ANY); } @@ -3957,7 +3958,7 @@ pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_DATABASE, db_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_DATABASE, db_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_DATABASE, db_oid, roleid, mode, ACLMASK_ANY); } @@ -3977,7 +3978,7 @@ pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_PROC, proc_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_PROC, proc_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_PROC, proc_oid, roleid, mode, ACLMASK_ANY); } @@ -3997,7 +3998,7 @@ pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_LANGUAGE, lang_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_LANGUAGE, lang_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_LANGUAGE, lang_oid, roleid, mode, ACLMASK_ANY); } @@ -4017,7 +4018,7 @@ pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_NAMESPACE, nsp_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_NAMESPACE, nsp_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_NAMESPACE, nsp_oid, roleid, mode, ACLMASK_ANY); } @@ -4037,7 +4038,7 @@ pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_TABLESPACE, spc_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_TABLESPACE, spc_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_TABLESPACE, spc_oid, roleid, mode, ACLMASK_ANY); } @@ -4058,7 +4059,7 @@ pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FDW, fdw_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FDW, fdw_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_FDW, fdw_oid, roleid, mode, ACLMASK_ANY); } @@ -4079,7 +4080,7 @@ pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid, mode)) { return pg_rangercheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid, mode, ACLMASK_ANY); } @@ -4100,7 +4101,7 @@ pg_extprotocol_aclcheck(Oid ptcid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid, mode)) { return pg_rangercheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid, mode, ACLMASK_ANY); } @@ -4120,7 +4121,7 @@ pg_filesystem_aclcheck(Oid fsysid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FILESYSTEM, fsysid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FILESYSTEM, fsysid, roleid, mode)) { return pg_rangercheck(ACL_KIND_FILESYSTEM, fsysid, roleid, mode, ACLMASK_ANY); } http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/62392a2b/src/include/utils/acl.h ---------------------------------------------------------------------- diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h index d476e4d..e4aa4c9 100644 --- a/src/include/utils/acl.h +++ b/src/include/utils/acl.h @@ -316,7 +316,7 @@ extern List *pg_rangercheck_batch(List *); extern AclResult pg_rangercheck(AclObjectKind objkind, Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how); -extern bool fallBackToNativeCheck(AclObjectKind objkind, Oid table_oid, Oid roleid); +extern bool fallBackToNativeCheck(AclObjectKind objkind, Oid table_oid, Oid roleid, AclMode mode); extern bool fallBackToNativeChecks(AclObjectKind objkind, List* table_list, Oid roleid); extern char *getNameFromOid(AclObjectKind objkind, Oid object_oid); extern char *getClassNameFromOid(Oid object_oid);
