Fixes for TRAFODION-3194 && TRAFODION-3195
TRAFODION-3194 Revoke grant option on objects revokes more that grant option
changed Privilege Manager to set bitmaps correctly
removed unused methods from PrivMgrDesc
TRAFODION-3195: Fixes for get commands:
get schemas for user <user>:
returns schemas owned by the specified user
if current user does not have elevated privilege,
returns error if current user does not match <user>.
get schemas for role <role>:
returns schemas owned by the role,
if current user does not have elevated privilege,
returns error if current user has not been granted <role>
get [tables | views | indexes | libraries ] for user <user>:
get [functions | table_mapping_functions | procedures] for user <user>:
get [privileges | roles] for user <user>:
returns objects where <user> has at least one privilege
if current user does not have eleveted privilege
returns error if current user does not match <user>.
get [tables | views | indexes | libraries ] for role <role>:
get [functions | table_mapping_functions | procedures] for role <role>:
get [privileges | users] for <role>:
returns objects where <role> has at least one privilege
if current user does not have eleveted privilege
returns error if current user has not been granted <role>
Project: http://git-wip-us.apache.org/repos/asf/trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafodion/commit/afff9935
Tree: http://git-wip-us.apache.org/repos/asf/trafodion/tree/afff9935
Diff: http://git-wip-us.apache.org/repos/asf/trafodion/diff/afff9935
Branch: refs/heads/master
Commit: afff9935ecd40b0beef8156c773110b40025721f
Parents: 1bc3d1a
Author: Roberta Marton <[email protected]>
Authored: Fri Sep 21 22:29:01 2018 +0000
Committer: Roberta Marton <[email protected]>
Committed: Fri Sep 21 22:29:01 2018 +0000
----------------------------------------------------------------------
core/sql/bin/SqlciErrors.txt | 2 +-
core/sql/executor/ExExeUtilGet.cpp | 1026 ++++++++++++++++++---------
core/sql/regress/privs1/EXPECTED123 | 815 ++++++++++-----------
core/sql/regress/privs1/EXPECTED125 | 251 ++++++-
core/sql/regress/privs1/EXPECTED141 | 143 +++-
core/sql/regress/privs1/TEST123 | 24 +-
core/sql/regress/privs1/TEST125 | 9 +-
core/sql/regress/privs1/TEST141 | 22 +-
core/sql/regress/privs2/EXPECTED135 | 4 +-
core/sql/regress/privs2/EXPECTED144 | 858 +++++++++++++++++++++-
core/sql/regress/privs2/EXPECTED146 | 16 +-
core/sql/regress/privs2/LOG144 | Bin 17980 -> 140175 bytes
core/sql/regress/privs2/TEST144 | 120 +++-
core/sql/sqlcomp/PrivMgrCommands.cpp | 2 +-
core/sql/sqlcomp/PrivMgrDesc.cpp | 122 +---
core/sql/sqlcomp/PrivMgrDesc.h | 97 ++-
core/sql/sqlcomp/PrivMgrPrivileges.cpp | 39 +-
core/sql/sqlcomp/PrivMgrPrivileges.h | 1 +
18 files changed, 2515 insertions(+), 1036 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafodion/blob/afff9935/core/sql/bin/SqlciErrors.txt
----------------------------------------------------------------------
diff --git a/core/sql/bin/SqlciErrors.txt b/core/sql/bin/SqlciErrors.txt
index 7032bf7..0de8a4e 100644
--- a/core/sql/bin/SqlciErrors.txt
+++ b/core/sql/bin/SqlciErrors.txt
@@ -334,7 +334,7 @@
1336 ZZZZZ 99999 ADVANCED MAJOR DBADMIN INITIALIZE SQL must specify a
$0~String0 statement for the $1~String1. INITIALIZE SQL fails.
1337 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~String0 is a reserved authorization
identifier.
1338 ZZZZZ 99999 ADVANCED MAJOR DBADMIN Role $0~string0 is not defined in the
database.
-1339 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~string0 is not a grantable role.
+1339 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~string0 is not a role.
1340 ZZZZZ 99999 BEGINNER MINOR DBADMIN $0~string0 is not a user.
1341 ZZZZZ 99999 BEGINNER MINOR DBADMIN --- unused ---
1342 ZZZZZ 99999 BEGINNER MINOR DBADMIN --- unused ---
http://git-wip-us.apache.org/repos/asf/trafodion/blob/afff9935/core/sql/executor/ExExeUtilGet.cpp
----------------------------------------------------------------------
diff --git a/core/sql/executor/ExExeUtilGet.cpp
b/core/sql/executor/ExExeUtilGet.cpp
index b9d4c68..590b068 100644
--- a/core/sql/executor/ExExeUtilGet.cpp
+++ b/core/sql/executor/ExExeUtilGet.cpp
@@ -177,7 +177,7 @@ static const QueryString getRolesForUserQuery[] =
{" select translate(rtrim(RU.role_name) using ucs2toutf8) "},
{" from %s.\"%s\".%s RU "},
{" where (RU.grantor_ID != -2) and "},
- {" (RU.grantee_name='%s') %s "},
+ {" (RU.grantee_name='%s') "},
{" union select * from (values ('PUBLIC')) "},
{" order by 1 "},
{" ; "}
@@ -348,7 +348,7 @@ static const QueryString getTrafIndexesOnTableQuery[] =
{" ; "}
};
-static const QueryString getTrafIndexesForUser[] =
+static const QueryString getTrafIndexesForAuth[] =
{
{" select trim(T2.catalog_name) || '.\"' || trim(T2.schema_name) || '\".' ||
trim(T2.object_name) "},
{" from %s.\"%s\".%s I, "},
@@ -385,20 +385,21 @@ static const QueryString getTrafLibrariesInSchemaQuery[] =
{" ; "}
};
-static const QueryString getTrafLibrariesForUser[] =
+static const QueryString getTrafLibrariesForAuthQuery[] =
{
- {" select distinct object_name from "},
- {" %s.\"%s\".%s T, %s.\"%s\".%s R "},
- {" where T.catalog_name = '%s' and T.object_type = 'LB' and "},
- {" T.object_uid = R.library_uid %s "},
+ {" select distinct trim(catalog_name) || '.\"' || "},
+ {" trim(schema_name) || '\".' || trim(object_name) "},
+ {" from %s.\"%s\".%s "},
+ {" where catalog_name = '%s' and object_type = 'LB' %s "},
{" order by 1 "},
{" ; "}
};
static const QueryString getTrafRoutinesForAuthQuery[] =
{
- {" select distinct object_name from "},
- {" %s.\"%s\".%s T, %s.\"%s\".%s R "},
+ {" select distinct trim(catalog_name) || '.\"' || "},
+ {" trim(schema_name) || '\".' || trim(object_name) "},
+ {" from %s.\"%s\".%s T, %s.\"%s\".%s R "},
{" where T.catalog_name = '%s' and "},
{" T.object_type = 'UR' and "},
{" T.object_uid = R.udr_uid and "},
@@ -536,8 +537,9 @@ static const QueryString getTrafSchemasForAuthIDQuery[] =
{" select T.schema_name "},
{" from %s.\"%s\".%s T, "},
{" %s.\"%s\".%s A "},
- {" where (T.object_type = 'PS' or T.object_type = 'SS') and "},
- {" A.auth_db_name = '%s' and T.object_owner = A.auth_id "},
+ {" where T.object_type in ('PS', 'SS') and "},
+ {" T.object_owner = A.auth_id and "},
+ {" A.auth_id in %s "},
{" order by 1 "},
{" ; "}
};
@@ -1273,7 +1275,7 @@ short ExExeUtilGetMetadataInfoTcb::displayHeading()
break;
case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_ROLE_:
- str_sprintf(headingBuf_,"Libraries for User %s",
getMItdb().getParam1());
+ str_sprintf(headingBuf_,"Libraries for Role %s",
getMItdb().getParam1());
break;
case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_LIBRARY_:
@@ -1308,6 +1310,10 @@ short ExExeUtilGetMetadataInfoTcb::displayHeading()
str_sprintf(headingBuf_,"Roles for User %s",getMItdb().getParam1());
break;
+ case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_ROLE_:
+ str_sprintf(headingBuf_,"Schemas for Role %s",getMItdb().getParam1());
+ break;
+
case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_USER_:
str_sprintf(headingBuf_,"Schemas for User %s",getMItdb().getParam1());
break;
@@ -1507,6 +1513,12 @@ short ExExeUtilGetMetadataInfoTcb::displayHeading()
// Reads the "_MD_".auths table to get the auth_id from the passed in authName.
// If relationship not found for any reason, return 0, otherwise return
// the authID.
+//
+// TBD - should replace this with a call to currContext->getAuthIDFromName
+// this function checks for special authID and looks at cache before
+// calling metadata. Currently there is an issue because privilege
+// error are returned when trying to read AUTHS table. Need to set
+// parserflag 131072.
// ----------------------------------------------------------------------------
Int32 ExExeUtilGetMetadataInfoTcb::getAuthID(
const char *authName,
@@ -1593,6 +1605,9 @@ char * ExExeUtilGetMetadataInfoTcb::getRoleList(
const char *schName,
const char *objName)
{
+ // Always include PUBLIC
+ NAString roleList("(-1");
+
short rc = 0;
Lng32 cliRC = 0;
@@ -1604,23 +1619,22 @@ char * ExExeUtilGetMetadataInfoTcb::getRoleList(
numOutputEntries_ = 1;
cliRC = fetchAllRows(infoList_, queryBuf_, numOutputEntries_, FALSE, rc);
if (cliRC < 0)
- {
- cliInterface()->allocAndRetrieveSQLDiagnostics(diagsArea_);
- return NULL;
- }
+ {
+ cliInterface()->allocAndRetrieveSQLDiagnostics(diagsArea_);
+ return NULL;
+ }
- NAString roleList("(-1");
char buf[30];
infoList_->position();
while (NOT infoList_->atEnd())
{
OutputInfo * vi = (OutputInfo*)infoList_->getCurr();
if (vi)
- {
- str_sprintf(buf, ", %d", *(Lng32*)vi->get(0));
- roleList += buf;
- }
- infoList_->advance();
+ {
+ str_sprintf(buf, ", %d", *(Lng32*)vi->get(0));
+ roleList += buf;
+ }
+ infoList_->advance();
}
str_sprintf(buf, ", %d)", userID);
roleList += buf;
@@ -1672,8 +1686,7 @@ NABoolean ExExeUtilGetMetadataInfoTcb::checkUserPrivs(
privMDLoc += "\"";
PrivMgrComponentPrivileges componentPrivileges(privMDLoc,getDiagsArea());
- if
(componentPrivileges.hasSQLPriv(ComUser::getCurrentUser(),SQLOperation::SHOW,true))
- return FALSE;
+ if
(componentPrivileges.hasSQLPriv(ComUser::getCurrentUser(),SQLOperation::SHOW,true))
return FALSE;
// Check component privilege based on QueryType
switch (queryType)
@@ -1976,6 +1989,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
// used in a select "IN" clause. Include the current user
NAString authList;
NAString colPrivsStmt;
+ NAString var;
if (CmpCommon::context()->isAuthorizationEnabled())
{
@@ -2284,8 +2298,8 @@ short ExExeUtilGetMetadataInfoTcb::work()
param_[10] = getMItdb().sch_;
param_[11] = getMItdb().obj_;
if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::VIEWS_ON_TABLE_)
- strcpy(ausStr, " and T1.object_type = 'BT' ");
- param_[12] = ausStr;
+ var = " and T1.object_type = 'BT' ";
+ param_[12] = (char *)var.data();
param_[13] = (char *)privWhereClause.data();
}
@@ -2306,20 +2320,98 @@ short ExExeUtilGetMetadataInfoTcb::work()
param_[4] = (char *) privWhereClause.data();
}
break;
+
case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_USER_:
- {
- qs = getTrafSchemasForAuthIDQuery;
- sizeOfqs = sizeof(getTrafSchemasForAuthIDQuery);
+ case ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_ROLE_:
+ {
+ qs = getTrafSchemasForAuthIDQuery;
+ sizeOfqs = sizeof(getTrafSchemasForAuthIDQuery);
- param_[0] = cat;
- param_[1] = sch;
- param_[2] = tab;
- param_[3] = cat;
- param_[4] = sch;
- param_[5] = auths;
- param_[6] = getMItdb().getParam1();
+ bool isRole = (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::SCHEMAS_FOR_ROLE_);
+
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+
+ if (isRole)
+ {
+ // if incorrect auth type, return error
+ if (!CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::isPublicUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_ROLE,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Cannot get schemas if current user not granted role
+ if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Return schemas that are owned by the specified role
-> authID = roleID
+ char buf[30];
+ str_sprintf(buf, "(%d)", authID);
+ privWhereClause = buf;
+ }
+
+ else /* isUser*/
+ {
+ // if incorrect auth type, return error
+ if (!CmpSeabaseDDLauth::isUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Cannot get schemas for user other than the current
user
+ if (doPrivCheck && authID != ComUser::getCurrentUser())
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Get list of roles assigned to user, return all schemas
+ // owned by user and user's roles
+
+ if (authID == ComUser::getCurrentUser())
+ privWhereClause = authList;
+ else
+ {
+ char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
+ if (userRoleList)
+ {
+ privWhereClause = userRoleList;
+ NADELETEBASIC(userRoleList, getHeap());
+ }
+ else
+ {
+ // Unable to read metadata
+ ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+ }
+ }
+
+ param_[0] = cat;
+ param_[1] = sch;
+ param_[2] = tab;
+ param_[3] = cat;
+ param_[4] = sch;
+ param_[5] = auths;
+ param_[6] = (char *) privWhereClause.data();
}
break;
+
case ComTdbExeUtilGetMetadataInfo::USERS_:
{
qs = getTrafUsers;
@@ -2422,89 +2514,126 @@ short ExExeUtilGetMetadataInfoTcb::work()
break ;
case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_:
- case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_:
case ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_:
- case ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_:
case ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_USER_:
- case ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_ROLE_:
{
- NABoolean isUser =
- (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_ ||
- getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_USER_ ||
- getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_);
+ qs = getTrafRoutinesForAuthQuery;
+ sizeOfqs = sizeof(getTrafRoutinesForAuthQuery);
// Get the authID associated with the specified user
Int32 authID = *currContext->getDatabaseUserID();
if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
- // Verify that the user is a user, or the role is a role
- if (isUser && !CmpSeabaseDDLauth::isUserID(authID) ||
- !isUser && !CmpSeabaseDDLauth::isRoleID(authID))
+ // If not a user, we are done, don't return data
+ if (!CmpSeabaseDDLauth::isUserID(authID))
{
- NAString type = (isUser ? "user" : "role");
- ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_CORRECT_AUTHID,
- NULL, NULL, NULL,
- getMItdb().getParam1(),
- type.data());
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER);
step_ = HANDLE_ERROR_;
break;
}
- qs = getTrafRoutinesForAuthQuery;
- sizeOfqs = sizeof(getTrafRoutinesForAuthQuery);
-
- NAString routineType;
- if ((getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_) ||
- (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_))
- routineType = COM_PROCEDURE_TYPE_LIT;
- else if ((getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_) ||
- (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_))
- routineType = COM_SCALAR_UDF_TYPE_LIT;
- else
- routineType = COM_TABLE_UDF_TYPE_LIT;
+ // Non elevated user cannot view routines for another user
+ if (doPrivCheck && authID != ComUser::getCurrentUser())
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Determine routine type
+ if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_USER_)
+ var = COM_PROCEDURE_TYPE_LIT;
+ else if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_USER_)
+ var = COM_SCALAR_UDF_TYPE_LIT;
+ else
+ var = COM_TABLE_UDF_TYPE_LIT;
- // Getting objects for the current user
- if (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0)
- privWhereClause = getGrantedPrivCmd(authList, cat,
NAString ("T.object_uid"));
+ // Limit results to privileges allowed for specified user
- // Getting objects for a user other than the current user
+ if (authID == ComUser::getCurrentUser())
+ privWhereClause = getGrantedPrivCmd(authList, cat);
else
{
- if (doPrivCheck)
+ char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
+ if (userRoleList)
{
- // User cannot view privileges for another user
- ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
- step_ = HANDLE_ERROR_;
- break;
+ privWhereClause = getGrantedPrivCmd(userRoleList,
cat, NAString ("T.object_uid"));
+ NADELETEBASIC(userRoleList, getHeap());
}
else
{
- // get the list of roles for this other user.
- char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
- if (userRoleList)
- {
- privWhereClause =
getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
- NADELETEBASIC(userRoleList, getHeap());
- }
- else
- {
- // Unable to read metadata
- ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
- step_ = HANDLE_ERROR_;
- break;
- }
+ // Unable to read metadata
+ ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+ step_ = HANDLE_ERROR_;
+ break;
}
}
- param_[0] = cat;
- param_[1] = sch;
- param_[2] = tab;
+ param_[0] = cat;
+ param_[1] = sch;
+ param_[2] = tab;
param_[3] = cat;
- param_[4] = sch;
- param_[5] = routine;
- param_[6] = getMItdb().cat_;
- param_[7] = (char *)routineType.data();
+ param_[4] = sch;
+ param_[5] = routine;
+ param_[6] = getMItdb().cat_;
+ param_[7] = (char *)var.data();
+ param_[8] = (char *) privWhereClause.data();
+ }
+ break ;
+
+ case ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_:
+ case ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_:
+ case ComTdbExeUtilGetMetadataInfo::TABLE_FUNCTIONS_FOR_ROLE_:
+ {
+ qs = getTrafRoutinesForAuthQuery;
+ sizeOfqs = sizeof(getTrafRoutinesForAuthQuery);
+
+ // Get the authID associated with the specified role
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+
+ // If not a role, we are done, don't return data
+ if (!CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::isPublicUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_ROLE,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // non elevated user has to be granted role
+ if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+ {
+ // No priv
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // determine routine type
+ if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_ROLE_)
+ var = COM_PROCEDURE_TYPE_LIT;
+ else if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_ROLE_)
+ var = COM_SCALAR_UDF_TYPE_LIT;
+ else
+ var = COM_TABLE_UDF_TYPE_LIT;
+
+ // Only return rows where role (authID) has been granted
privs
+ char buf[30];
+ str_sprintf(buf, "(%d)", authID);
+ privWhereClause = getGrantedPrivCmd(buf, cat, NAString
("T.object_uid"));
+
+ param_[0] = cat;
+ param_[1] = sch;
+ param_[2] = tab;
+ param_[3] = cat;
+ param_[4] = sch;
+ param_[5] = routine;
+ param_[6] = getMItdb().cat_;
+ param_[7] = (char *)var.data();
param_[8] = (char *) privWhereClause.data();
}
break ;
@@ -2532,12 +2661,12 @@ short ExExeUtilGetMetadataInfoTcb::work()
param_[10] = getMItdb().sch_;
param_[11] = getMItdb().obj_;
if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PROCEDURES_FOR_LIBRARY_)
- strcpy(ausStr, " R.udr_type = 'P ' ");
+ var = " R.udr_type = 'P ' ";
else if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::FUNCTIONS_FOR_LIBRARY_)
- strcpy(ausStr, " R.udr_type = 'F ' ");
+ var = " R.udr_type = 'F ' ";
else
- strcpy(ausStr, " R.udr_type = 'T ' ");
- param_[12] = ausStr;
+ var = " R.udr_type = 'T ' ";
+ param_[12] = (char *) var.data();
param_[13] = (char *) privWhereClause.data();
}
break ;
@@ -2550,6 +2679,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
if (doPrivCheck)
{
+ // return roles granted to current user
char buf[authList.length() + 100];
str_sprintf(buf, " and auth_id in %s", authList.data());
privWhereClause = buf;
@@ -2566,10 +2696,23 @@ short ExExeUtilGetMetadataInfoTcb::work()
{
qs = getUsersForRoleQuery;
sizeOfqs = sizeof(getUsersForRoleQuery);
-
- // return the name if the role has been granted to the
current user
- if (doPrivCheck)
- privWhereClause = " and grantee_name = CURRENT_USER ";
+
+ if (doPrivCheck)
+ {
+ // If user not granted role, return an error
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+ if (!ComUser::currentUserHasRole(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // limit users to the current user only
+ privWhereClause = " and grantee_name = CURRENT_USER ";
+ }
param_[0] = cat;
param_[1] = pmsch;
@@ -2584,115 +2727,75 @@ short ExExeUtilGetMetadataInfoTcb::work()
qs = getRolesForUserQuery;
sizeOfqs = sizeof(getRolesForUserQuery);
- // return the name if the current user was granted the role
if (doPrivCheck)
- privWhereClause = " and CURRENT_USER=RU.grantee_name ";
+ {
+ // If user not the current user, return an error
+ // TBD - the current context contains a list of roles,
+ // return list to avoid metadata I/O
+ if (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) != 0)
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+ }
+ else
+ {
+ // Get the authID for the request
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+ if (!CmpSeabaseDDLauth::isUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+ }
param_[0] = cat;
param_[1] = pmsch;
param_[2] = role_usage;
param_[3] = getMItdb().getParam1();
- param_[4] = (char *) privWhereClause.data();
}
break;
case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_ROLE_:
- case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_USER_:
{
- NABoolean isRole =
- (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_ROLE_);
-
- // Get the authID associated with the current user
- Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+ // Get the authID for the request
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
- // If the authID was not found for various reasons just
return
- // Other "get" commands continue and return no rows but it is
- // easier to just return with an error.
- if (authID == 0)
- {
- ExRaiseSqlError(getHeap(), &diagsArea_, -8732,
+ char buf[authList.length() + 100];
+
+ // Verify that requested authID is actually a role
+ if (!CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::isPublicUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_ROLE,
NULL, NULL, NULL,
getMItdb().getParam1());
step_ = HANDLE_ERROR_;
break;
}
- if (isRole)
+ // Non elevated users need to be granted role
+ if (doPrivCheck && !ComUser::currentUserHasRole(authID))
{
- // treating PUBLIC (-1) as a role in this instance,
return
- // error if authID is not a role
- if (!CmpSeabaseDDLauth::isRoleID(authID) && authID !=
PUBLIC_USER)
- {
- ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_ROLE,
- NULL, NULL, NULL,
- getMItdb().getParam1());
- step_ = HANDLE_ERROR_;
- break;
- }
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
}
- else
- {
- // Return an error if authID is not a user
- if (!CmpSeabaseDDLauth::isUserID(authID))
- {
- ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER,
- NULL, NULL, NULL,
- getMItdb().getParam1());
- step_ = HANDLE_ERROR_;
- break;
- }
- }
-
+ // return all privs for the role
+ str_sprintf(buf, " = %d ", authID);
+ privWhereClause = buf;
+
qs = getPrivsForAuthsQuery;
sizeOfqs = sizeof(getPrivsForAuthsQuery);
- char buf[authList.length() + 100];
- if (isRole)
- {
- if (doPrivCheck)
- // Only return name if current user has been
- // granted the role
- str_sprintf(buf, " = %d and %d in %s ",
- authID, authID, authList.data());
- else
- // return all role grantees
- str_sprintf(buf, " = %d ", authID );
- }
- else
- {
- if (doPrivCheck)
- {
- // If asking for privileges for a user other than
CURRENT_USER,
- // use -2 (special user called _SYSTEM), privileges can
never
- // be granted to _SYSTEM. This returns an empty list
- // which match other "get" statements behavior.
- if (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) != 0)
- str_sprintf(buf, " = -2 ");
- else
- // return all privs for the user and the users roles
- str_sprintf(buf, " in %s ", authList.data());
- }
-
- else
- if (*currContext->getDatabaseUserID() == authID)
- str_sprintf(buf, " in %s ", authList.data());
- else
- {
- // If getting privileges for a user other than the
CURRENT USER,
- // get the list of roles for this other user.
- char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
- if (userRoleList)
- {
- str_sprintf(buf, " in %s ", userRoleList);
- NADELETEBASIC(userRoleList, getHeap());
- }
- else
- str_sprintf(buf, " = %d ", authID);
- }
- }
- privWhereClause = buf;
-
// This request performs a union between 4 entities:
// 1. object_privileges table
// 2. schema_privileges table
@@ -2726,8 +2829,91 @@ short ExExeUtilGetMetadataInfoTcb::work()
}
break;
-
- case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_TABLE_:
+ case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_FOR_USER_:
+ {
+ // Get the authID for the request
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+
+ // Verify that authID is a user
+ if (!CmpSeabaseDDLauth::isUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Non elevated user cannot get privileges for another user
+ char buf[authList.length() + 100];
+ if (doPrivCheck)
+ {
+ if (authID != ComUser::getCurrentUser())
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // return privs for the current user and their roles
+ str_sprintf(buf, " in %s ", authList.data());
+ }
+
+ else
+ {
+ // Get role list for requested user
+ char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
+ if (userRoleList)
+ {
+ str_sprintf(buf, " in %s ", userRoleList);
+ NADELETEBASIC(userRoleList, getHeap());
+ }
+ else
+ str_sprintf(buf, " = %d ", authID);
+ }
+ privWhereClause = buf;
+
+ qs = getPrivsForAuthsQuery;
+ sizeOfqs = sizeof(getPrivsForAuthsQuery);
+
+ // This request performs a union between 4 entities:
+ // 1. object_privileges table
+ // 2. schema_privileges table
+ // 3. column privileges table
+ // 4. hive metadata tables to retrieve column details
+ // The call to colPrivsFrag returns the required the union
+ // statement(s) for items 3 and 4. See colPrivsFrag for
details
+ if (colPrivsFrag(getMItdb().getParam1(), cat,
privWhereClause, colPrivsStmt) < 0)
+ {
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Union privileges between object, column and schema
+ // object privs
+ param_[0] = cat;
+ param_[1] = pmsch;
+ param_[2] = objPrivs;
+ param_[3] = (char *) privWhereClause.data();
+
+ // schema privs
+ param_[4] = cat;
+ param_[5] = pmsch;
+ param_[6] = schPrivs;
+ param_[7] = (char *) privWhereClause.data();
+
+ // column privs
+ param_[8] = (char *) colPrivsStmt.data();
+
+ numOutputEntries_ = 2;
+ }
+ break;
+
+
+
+ case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_TABLE_:
case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_VIEW_:
case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_SEQUENCE_:
case ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_LIBRARY_:
@@ -2737,24 +2923,40 @@ short ExExeUtilGetMetadataInfoTcb::work()
sizeOfqs = sizeof(getTrafPrivsOnObject);
// Determine the type of object
- NAString objType;
if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_TABLE_)
- objType = COM_BASE_TABLE_OBJECT_LIT;
+ var = COM_BASE_TABLE_OBJECT_LIT;
else if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_VIEW_)
- objType = COM_VIEW_OBJECT_LIT;
+ var = COM_VIEW_OBJECT_LIT;
else if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_SEQUENCE_)
- objType = COM_SEQUENCE_GENERATOR_OBJECT_LIT;
+ var = COM_SEQUENCE_GENERATOR_OBJECT_LIT;
else if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::PRIVILEGES_ON_LIBRARY_)
- objType = COM_LIBRARY_OBJECT_LIT;
+ var = COM_LIBRARY_OBJECT_LIT;
else
- objType = COM_USER_DEFINED_ROUTINE_OBJECT_LIT;
+ var = COM_USER_DEFINED_ROUTINE_OBJECT_LIT;
char buf[authList.length() + 100];
+
+ Int32 authID = 0;
+ if (getMItdb().getParam1())
+ {
+ authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+ }
+
if (doPrivCheck)
{
- if (getMItdb().getParam1() &&
- (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) != 0))
- str_sprintf(buf, "and grantee_id = -2 ");
+ if (getMItdb().getParam1())
+ {
+ if ((CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::currentUserHasRole(authID)) ||
+ (CmpSeabaseDDLauth::isUserID(authID) && authID !=
ComUser::getCurrentUser()))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+ str_sprintf(buf, " and grantee_id in %s ",
authList.data());
+ }
else
str_sprintf(buf, " and grantee_id in %s ",
authList.data());
privWhereClause = buf;
@@ -2767,7 +2969,6 @@ short ExExeUtilGetMetadataInfoTcb::work()
str_sprintf(buf, " and grantee_id in %s ",
authList.data());
else
{
- Int32 authID = getAuthID(getMItdb().getParam1(),
cat, sch, auths);
char *userRoleList = getRoleList(authID, cat,
pmsch, role_usage);
if (userRoleList)
{
@@ -2790,7 +2991,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
param_[6] = getMItdb().cat_;
param_[7] = getMItdb().sch_;
param_[8] = getMItdb().obj_;
- param_[9] = (char *)objType.data();
+ param_[9] = (char *)var.data();
param_[10] = (char *)privWhereClause.data();
param_[11] = cat;
param_[12] = pmsch;
@@ -2801,7 +3002,7 @@ short ExExeUtilGetMetadataInfoTcb::work()
param_[17] = getMItdb().cat_;
param_[18] = getMItdb().sch_;
param_[19] = getMItdb().obj_;
- param_[20] = (char *)objType.data();
+ param_[20] = (char *)var.data();
param_[21] = (char *)privWhereClause.data();
numOutputEntries_ = 2;
@@ -2809,46 +3010,101 @@ short ExExeUtilGetMetadataInfoTcb::work()
}
case ComTdbExeUtilGetMetadataInfo::INDEXES_FOR_USER_:
- case ComTdbExeUtilGetMetadataInfo::INDEXES_FOR_ROLE_:
{
- qs = getTrafIndexesForUser;
- sizeOfqs = sizeof(getTrafIndexesForUser);
+ qs = getTrafIndexesForAuth;
+ sizeOfqs = sizeof(getTrafIndexesForAuth);
- // Getting objects for the current user
- if (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0)
- privWhereClause = getGrantedPrivCmd(authList, cat,
NAString ("T.object_uid"));
+ // Get the authID associated with the specified user
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
- // Getting objects for a user other than the current user
+ // If not a user, we are done, don't return data
+ if (!CmpSeabaseDDLauth::isUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Non elevated user cannot view indexes for another user
+ if (doPrivCheck && authID != ComUser::getCurrentUser())
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Limit results to privileges allowed for specified user
+
+ if (authID == ComUser::getCurrentUser())
+ privWhereClause = getGrantedPrivCmd(authList, cat,
NAString("T.object_uid"));
else
{
- if (doPrivCheck)
+ char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
+ if (userRoleList)
{
- // User cannot view privileges for another user
- ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
- step_ = HANDLE_ERROR_;
- break;
+ privWhereClause = getGrantedPrivCmd(userRoleList,
cat, NAString ("T.object_uid"));
+ NADELETEBASIC(userRoleList, getHeap());
}
else
{
- // Get the authID associated with the requested user
- Int32 authID = getAuthID(getMItdb().getParam1(),
cat, sch, auths);
-
- // get the list of roles for this other user.
- char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
- if (userRoleList)
- {
- privWhereClause =
getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
- NADELETEBASIC(userRoleList, getHeap());
- }
- else
- {
- // Unable to read metadata
- ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
- step_ = HANDLE_ERROR_;
- break;
- }
+ // Unable to read metadata
+ ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+ step_ = HANDLE_ERROR_;
+ break;
}
}
+
+ param_[0] = cat;
+ param_[1] = sch;
+ param_[2] = indexes;
+ param_[3] = cat;
+ param_[4] = sch;
+ param_[5] = tab;
+ param_[6] = cat;
+ param_[7] = sch;
+ param_[8] = tab;
+ param_[9] = getMItdb().cat_;
+ param_[10] = (char *)privWhereClause.data();
+ }
+ break;
+
+ case ComTdbExeUtilGetMetadataInfo::INDEXES_FOR_ROLE_:
+ {
+ qs = getTrafIndexesForAuth;
+ sizeOfqs = sizeof(getTrafIndexesForAuth);
+
+ // Get the authID associated with the specified role
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+
+ // Verify that the authID is actually a role
+ if (!CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::isPublicUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_ROLE,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Non elevated users need to be granted role
+ if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Only return indexes that role (authID) has been granted
privs
+ char buf[30];
+ str_sprintf(buf, "(%d)", authID);
+ privWhereClause = getGrantedPrivCmd(buf, cat, NAString
("T.object_uid"));
+
param_[0] = cat;
param_[1] = sch;
param_[2] = indexes;
@@ -2863,78 +3119,61 @@ short ExExeUtilGetMetadataInfoTcb::work()
}
break;
+
case ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_:
- case ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_:
case ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_USER_:
- case ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_ROLE_:
{
- NABoolean isUser =
- (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_ ||
- getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_USER_);
+ qs = getTrafObjectsForUser;
+ sizeOfqs = sizeof(getTrafObjectsForUser);
// Get the authID associated with the specified user
Int32 authID = *currContext->getDatabaseUserID();
if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
- // Verify that the user is a user, or the role is a role
- NABoolean validAuth = FALSE;
- if (isUser && CmpSeabaseDDLauth::isUserID(authID))
- validAuth = TRUE;
- if (!isUser && CmpSeabaseDDLauth::isRoleID(authID))
- validAuth = TRUE;
-
- if (!validAuth)
+ // Verify that the authID is actually a user
+ if (!CmpSeabaseDDLauth::isUserID(authID))
{
- NAString authName = (isUser) ? "user" : "role";
- ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_CORRECT_AUTHID,
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER,
NULL, NULL, NULL,
- getMItdb().getParam1(),
- authName.data());
+ getMItdb().getParam1());
step_ = HANDLE_ERROR_;
break;
}
- qs = getTrafObjectsForUser;
- sizeOfqs = sizeof(getTrafObjectsForUser);
+ // Non elevated user cannot view objects for another user
+ if (doPrivCheck && authID != ComUser::getCurrentUser())
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
- NAString objType;
- if ((getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_) ||
- (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_))
- objType = COM_BASE_TABLE_OBJECT_LIT;
+ if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::TABLES_FOR_USER_)
+ var = COM_BASE_TABLE_OBJECT_LIT;
else
- objType = COM_VIEW_OBJECT_LIT;
+ var = COM_VIEW_OBJECT_LIT;
- // Getting objects for the current user
- if (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0)
+ // Limit results to privileges allowed for specified user
+
+ if (authID == ComUser::getCurrentUser())
privWhereClause = getGrantedPrivCmd(authList, cat,
NAString ("T.object_uid"));
// Getting objects for a user other than the current user
else
{
- if (doPrivCheck)
+ char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
+ if (userRoleList)
{
- // User cannot view privileges for another user
- ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
- step_ = HANDLE_ERROR_;
- break;
+ privWhereClause = getGrantedPrivCmd(userRoleList,
cat, NAString ("T.object_uid"));
+ NADELETEBASIC(userRoleList, getHeap());
}
- else
+ else
{
- // get the list of roles for this other user.
- char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
- if (userRoleList)
- {
- privWhereClause =
getGrantedPrivCmd(userRoleList, cat, NAString ("T.object_uid"));
- NADELETEBASIC(userRoleList, getHeap());
- }
- else
- {
- // Unable to read metadata
- ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
- step_ = HANDLE_ERROR_;
- break;
- }
+ // Unable to read metadata
+ ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+ step_ = HANDLE_ERROR_;
+ break;
}
}
@@ -2942,84 +3181,172 @@ short ExExeUtilGetMetadataInfoTcb::work()
param_[1] = sch;
param_[2] = tab;
param_[3] = getMItdb().cat_;
- param_[4] = (char *)objType.data();
+ param_[4] = (char *)var.data();
param_[5] = (char *)privWhereClause.data();
}
break;
- case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_USER_:
- case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_ROLE_:
+ case ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_:
+ case ComTdbExeUtilGetMetadataInfo::VIEWS_FOR_ROLE_:
{
- NABoolean isUser =
- (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_USER_);
+ qs = getTrafObjectsForUser;
+ sizeOfqs = sizeof(getTrafObjectsForUser);
// Get the authID associated with the specified user
Int32 authID = *currContext->getDatabaseUserID();
if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
- // Verify that the user is a user, or the role is a role
- NABoolean validAuth = FALSE;
- if (isUser && CmpSeabaseDDLauth::isUserID(authID))
- validAuth = TRUE;
- if (!isUser && CmpSeabaseDDLauth::isRoleID(authID))
- validAuth = TRUE;
-
- if (!validAuth)
+ // Verify that the specified authID is actually a role
+ if (!CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::isPublicUserID(authID))
{
- NAString authName = (isUser) ? "user" : "role";
- ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_CORRECT_AUTHID,
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_ROLE,
NULL, NULL, NULL,
- getMItdb().getParam1(),
- authName.data());
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Non elevated users must be granted the specified role
+ if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
step_ = HANDLE_ERROR_;
break;
}
- qs = getTrafLibrariesForUser;
- sizeOfqs = sizeof(getTrafLibrariesForUser);
+ if (getMItdb().queryType_ ==
ComTdbExeUtilGetMetadataInfo::TABLES_FOR_ROLE_)
+ var = COM_BASE_TABLE_OBJECT_LIT;
+ else
+ var = COM_VIEW_OBJECT_LIT;
- // Getting libraries for the current user
- if (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0)
- privWhereClause += getGrantedPrivCmd(authList, cat,
NAString("R.udr_uid"));
+ // Only return objects where role (authID) has been granted
privs
+ char buf[30];
+ str_sprintf(buf, "(%d)", authID);
+ privWhereClause = getGrantedPrivCmd(buf, cat, NAString
("T.object_uid"));
+
+ param_[0] = cat;
+ param_[1] = sch;
+ param_[2] = tab;
+ param_[3] = getMItdb().cat_;
+ param_[4] = (char *)var.data();
+ param_[5] = (char *)privWhereClause.data();
+ }
+ break;
+
+ case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_USER_:
+ {
+ qs = getTrafLibrariesForAuthQuery;
+ sizeOfqs = sizeof(getTrafLibrariesForAuthQuery);
- // Getting libraries for a user other than the current user
+ // Get the authID associated with the specified user
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+
+ // Verify that the specified authID is actually a user
+ if (!CmpSeabaseDDLauth::isUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_USER,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Non elevated user cannot view libraries for another user
+ if (doPrivCheck && authID != ComUser::getCurrentUser())
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Return libraries that are owned by the user/user's roles
+ // or that the user/user's role have been granted privileges
+
+ if (authID == ComUser::getCurrentUser())
+ privWhereClause += getGrantedPrivCmd(authList, cat);
else
{
- if (doPrivCheck)
+ char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
+ if (userRoleList)
{
- // User cannot view privileges for another user
- ExRaiseSqlError(getHeap(), &diagsArea_, -1017);
+ privWhereClause = getGrantedPrivCmd(userRoleList,
cat);
+ NADELETEBASIC(userRoleList, getHeap());
+ }
+ else
+ {
+ // Unable to read metadata
+ ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
step_ = HANDLE_ERROR_;
break;
}
+ }
+
+ param_[0] = cat;
+ param_[1] = sch;
+ param_[2] = tab;
+ param_[3] = getMItdb().cat_;
+ param_[4] = (char *) privWhereClause.data();
+ }
+ break ;
+
+ case ComTdbExeUtilGetMetadataInfo::LIBRARIES_FOR_ROLE_:
+ {
+ qs = getTrafLibrariesForAuthQuery;
+ sizeOfqs = sizeof(getTrafLibrariesForAuthQuery);
+
+ // Get the authID associated with the specified role
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+
+ // Verify that the specified authID is actually a role
+ if (!CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::isPublicUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_A_ROLE,
+ NULL, NULL, NULL,
+ getMItdb().getParam1());
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Non elevated users must be granted role
+ if (doPrivCheck && !ComUser::currentUserHasRole(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
+ }
+
+ // Return libraries that are owned by the user/user's roles
+ // or that the user/user's role have been granted privileges
+
+ if (authID == ComUser::getCurrentUser())
+ privWhereClause += getGrantedPrivCmd(authList, cat);
+ else
+ {
+ char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
+ if (userRoleList)
+ {
+ privWhereClause = getGrantedPrivCmd(userRoleList,
cat);
+ NADELETEBASIC(userRoleList, getHeap());
+ }
else
{
- // Get the list of roles for this other user.
- char *userRoleList = getRoleList(authID, cat, pmsch,
role_usage);
- if (userRoleList)
- {
- privWhereClause =
getGrantedPrivCmd(userRoleList, cat, NAString ("R.udr_uid"));
- NADELETEBASIC(userRoleList, getHeap());
- }
- else // return error?
- {
- // Unable to read metadata
- ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
- step_ = HANDLE_ERROR_;
- break;
- }
+ // Unable to read metadata
+ ExRaiseSqlError(getHeap(), &diagsArea_, -8001);
+ step_ = HANDLE_ERROR_;
+ break;
}
}
param_[0] = cat;
param_[1] = sch;
param_[2] = tab;
- param_[3] = cat;
- param_[4] = sch;
- param_[5] = routine;
- param_[6] = getMItdb().cat_;
- param_[7] = (char *) privWhereClause.data();
+ param_[3] = getMItdb().cat_;
+ param_[4] = (char *) privWhereClause.data();
}
break ;
@@ -3056,38 +3383,41 @@ short ExExeUtilGetMetadataInfoTcb::work()
// Get the authID associated with the request's auth name
// If can't find authID, NA_UserIdDefault is returned
which
// indicates an invalid authID.
- Int32 authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+ Int32 authID = *currContext->getDatabaseUserID();
+ if (!(strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) == 0))
+ authID = getAuthID(getMItdb().getParam1(), cat, sch,
auths);
+
+ // if incorrect auth type, return error
+ if (!CmpSeabaseDDLauth::isRoleID(authID) &&
!CmpSeabaseDDLauth::isUserID(authID) &&
+ !ComUser::isPublicUserID(authID))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_IS_NOT_CORRECT_AUTHID,
+ NULL, NULL, NULL,
+ getMItdb().getParam1(), "user or role");
+ step_ = HANDLE_ERROR_;
+ break;
+ }
if (doPrivCheck)
{
- // If asking for privileges for a user that has no privs
- // authName is invalid
- // authName is a user and not the current user
- // authName is a role and not one of the current user
roles
- // add a predicate to make operation fail with no rows
- // This matches other "get" statement's behavior.
- NABoolean hasPriv = TRUE;
- if ((authID == NA_UserIdDefault) ||
- (CmpSeabaseDDLauth::isUserID(authID) &&
- (strcmp(getMItdb().getParam1(),
currContext->getDatabaseUserName()) != 0)) ||
- (CmpSeabaseDDLauth::isRoleID(authID) &&
- !ComUser::currentUserHasRole(authID)))
- {
- privWhereClause += "and (grantee_id = -2) ";
- hasPriv = FALSE;
- }
- if (hasPriv)
- {
- privWhereClause += "and (grantee_name = '";
- privWhereClause += getMItdb().getParam1();
- privWhereClause += "'";
- if (CmpSeabaseDDLauth::isUserID(authID) &&
getMItdb().cascade())
- {
- privWhereClause += " or grantee_id in ";
- privWhereClause += authList.data();
- }
- privWhereClause += ")";
+ // If asking for privileges for a user that has no
privs, return error
+ if ((CmpSeabaseDDLauth::isRoleID(authID) &&
!ComUser::currentUserHasRole(authID)) ||
+ (CmpSeabaseDDLauth::isUserID(authID) && authID !=
ComUser::getCurrentUser()))
+ {
+ ExRaiseSqlError(getHeap(), &diagsArea_,
-CAT_NOT_AUTHORIZED);
+ step_ = HANDLE_ERROR_;
+ break;
}
+
+ privWhereClause += "and (grantee_name = '";
+ privWhereClause += getMItdb().getParam1();
+ privWhereClause += "'";
+ if (CmpSeabaseDDLauth::isUserID(authID) &&
getMItdb().cascade())
+ {
+ privWhereClause += " or grantee_id in ";
+ privWhereClause += authList.data();
+ }
+ privWhereClause += ")";
}
else
{
