Repository: incubator-hawq Updated Branches: refs/heads/master 97104833e -> 63894f061
HAWQ-1367. HAWQ can access to user tables that have no permission with fallback check table. Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/63894f06 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/63894f06 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/63894f06 Branch: refs/heads/master Commit: 63894f061bfeb795cc252f490ff5aa8c694bf133 Parents: 9710483 Author: Chunling Wang <[email protected]> Authored: Tue Feb 28 18:18:22 2017 +0800 Committer: Wen Lin <[email protected]> Committed: Wed Mar 1 13:51:48 2017 +0800 ---------------------------------------------------------------------- src/backend/catalog/aclchk.c | 20 -------------------- src/backend/parser/parse_relation.c | 7 ++++++- src/include/utils/acl.h | 1 - 3 files changed, 6 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/63894f06/src/backend/catalog/aclchk.c ---------------------------------------------------------------------- diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index b361beb..16e00c1 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -2749,26 +2749,6 @@ bool fallBackToNativeCheck(AclObjectKind objkind, Oid obj_oid, Oid roleid, AclMo return false; } -bool fallBackToNativeChecks(AclObjectKind objkind, List* table_list, Oid roleid) -{ - /*we only have range table here*/ - if (objkind == ACL_KIND_CLASS) - { - ListCell *l; - foreach(l, table_list) - { - RangeTblEntry *rte=(RangeTblEntry *) lfirst(l); - bool ret = fallBackToNativeCheck(ACL_KIND_CLASS, rte->relid, roleid, ACL_NO_RIGHTS); - if(ret) - { - return true; - } - } - - } - return false; -} - /* * check whether rte is a sequence. */ http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/63894f06/src/backend/parser/parse_relation.c ---------------------------------------------------------------------- diff --git a/src/backend/parser/parse_relation.c b/src/backend/parser/parse_relation.c index d21ea01..e1be951 100644 --- a/src/backend/parser/parse_relation.c +++ b/src/backend/parser/parse_relation.c @@ -2714,7 +2714,7 @@ warnAutoRange(ParseState *pstate, RangeVar *relation, int location) void ExecCheckRTPerms(List *rangeTable) { - if (aclType == HAWQ_ACL_RANGER && !fallBackToNativeChecks(ACL_KIND_CLASS,rangeTable,GetUserId())) + if (aclType == HAWQ_ACL_RANGER) { if(rangeTable!=NULL) ExecCheckRTPermsWithRanger(rangeTable); @@ -2750,6 +2750,11 @@ ExecCheckRTPermsWithRanger(List *rangeTable) requiredPerms = rte->requiredPerms; if (requiredPerms == 0) continue; + bool ret = fallBackToNativeCheck(ACL_KIND_CLASS, rte->relid, GetUserId(), ACL_NO_RIGHTS); + if (ret) { + ExecCheckRTEPerms((RangeTblEntry *) lfirst(l)); + continue; + } relOid = rte->relid; userid = rte->checkAsUser ? rte->checkAsUser : GetUserId(); http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/63894f06/src/include/utils/acl.h ---------------------------------------------------------------------- diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h index 9f2407f..378b3e2 100644 --- a/src/include/utils/acl.h +++ b/src/include/utils/acl.h @@ -317,7 +317,6 @@ extern AclResult pg_rangercheck(AclObjectKind objkind, Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how); extern bool fallBackToNativeCheck(AclObjectKind objkind, Oid table_oid, Oid roleid, AclMode mode); -extern bool fallBackToNativeChecks(AclObjectKind objkind, List* table_list, Oid roleid); extern char *getNameFromOid(AclObjectKind objkind, Oid object_oid); extern char *getClassNameFromOid(Oid object_oid); extern char *getDatabaseNameFromOid(Oid object_oid);
