[
https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mamta A. Satoor updated DERBY-4191:
-----------------------------------
Attachment: DERBY4191_countStar_privilege_diff_patch1.txt
DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt
I am attaching a patch
(DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt) which
resolves this jira's issue (the patch is not ready for commit yet).
I have piggybacked on first and third bullet items of Rick's suggestion. At
this point, I am not planning on optimizing the code by checking if there is
already a SELECT privilege requirement on table or a column in the table, and
if yes, then drop the MINIMAL_SELECT_PRIVILEGE requirement on that same table.
The logic is as follows. At the bind time, the compile time changes went into
SelectNode and AggregateNode to see if we need to add MINIMAL_SELECT_PRIVILEGE
requirement.
a) I check in the SelectNode if all the columns in the select list are
constants. If yes, then I add MINIMAL_SELECT_PRIVILEGE requirement for all the
tables involved in the select. A new method was added for doing the column
constant check. That method went in ResultColumnList.java
b) In the AggregateNode, I check if the aggregate is of the kind count(*) or
count(constant), then we should require MINIMAL_SELECT_PRIVILEGE for all the
tables involved in the select.
c) Then at execute time, in StatementTablePermission, if I don't find a table
level select privilege, then I check if there is at least one column level
select privilege if we are working with MINIMAL_SELECT_PRIVILEGE requirement.
For this, I had to add a new method, called
checkForAtleastOneSelectColumnPrivilege. The majority of this code is copied
from StatementColumnPermission and this is the reason I don't want this patch to
be committed yet. I want to see if I can change the MINIMAL_SELECT_PRIVILEGE
requirement to be at the column level rather than table level. That way, I
might be able to use the existing code in StatementColumnPermission rather than
copying majority of it in StatementTablePermission as a new method.
d) I have added new tests to RolesConferredPrivilegesTest and
GrantRevokeDDLTest.
e) As a next step, I want to focus on utilizing most of existing code in
StatementColumnPermission. Once I have that ready, I will post another patch. I
will appreciate though if someone can review the patch and the logic to see if
I may have missed anything.
The files impacted by the change are as follows
svn stat -q
M java\engine\org\apache\derby\impl\sql\compile\SelectNode.java
M java\engine\org\apache\derby\impl\sql\compile\AggregateNode.java
M java\engine\org\apache\derby\impl\sql\compile\ResultColumnList.java
M java\engine\org\apache\derby\impl\sql\catalog\DataDictionaryImpl.java
M java\engine\org\apache\derby\iapi\sql\conn\Authorizer.java
M java\engine\org\apache\derby\iapi\sql\dictionary\StatementTablePermission.java
M java\testing\org\apache\derbyTesting\functionTests\tests\lang\RolesConferredPrivilegesTest.java
M java\testing\org\apache\derbyTesting\functionTests\tests\lang\GrantRevokeDDLTest.java
I ran all the tests and ran into the following failure. I do not think it is
related to my changes but not sure why this error is showing up. I can
consistently reproduce this error. There was reference to this kind of failure
once on derby-dev list with thread titled "[jira] Issue Comment Edited:
(DERBY-3451) Remove dependency between StandardException class and
org.apache.derby.impl.jdbc classes". I do not think there was any resolution to
that failure.
There were 2 failures:
1) CheckToursDBTest:embeddedjunit.framework.AssertionFailedError: org/apache/derbyTesting/functionTests/tests/demo/cupisle.gif
at org.apache.derbyTesting.junit.SupportFilesSetup.copyFiles(SupportFilesSetup.java:174)
at org.apache.derbyTesting.junit.SupportFilesSetup.access$000(SupportFilesSetup.java:64)
at org.apache.derbyTesting.junit.SupportFilesSetup$1.run(SupportFilesSetup.java:139)
at java.security.AccessController.doPrivileged(AccessController.java:251)
at org.apache.derbyTesting.junit.SupportFilesSetup.privCopyFiles(SupportFilesSetup.java:135)
at org.apache.derbyTesting.junit.SupportFilesSetup.setUp(SupportFilesSetup.java:120)
at junit.extensions.TestSetup$1.protect(TestSetup.java:18)
at junit.extensions.TestSetup.run(TestSetup.java:23)
2) CheckToursDBTest:clientjunit.framework.AssertionFailedError: org/apache/derbyTesting/functionTests/tests/demo/cupisle.gif
at org.apache.derbyTesting.junit.SupportFilesSetup.copyFiles(SupportFilesSetup.java:174)
at org.apache.derbyTesting.junit.SupportFilesSetup.access$000(SupportFilesSetup.java:64)
at org.apache.derbyTesting.junit.SupportFilesSetup$1.run(SupportFilesSetup.java:139)
at java.security.AccessController.doPrivileged(AccessController.java:251)
at org.apache.derbyTesting.junit.SupportFilesSetup.privCopyFiles(SupportFilesSetup.java:135)
at org.apache.derbyTesting.junit.SupportFilesSetup.setUp(SupportFilesSetup.java:120)
at junit.extensions.TestSetup$1.protect(TestSetup.java:18)
at junit.extensions.TestSetup.run(TestSetup.java:23)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
at junit.extensions.TestSetup.run(TestSetup.java:23)
at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
at junit.extensions.TestSetup.run(TestSetup.java:23)
> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
> Key: DERBY-4191
> URL: https://issues.apache.org/jira/browse/DERBY-4191
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.4.2.0, 10.5.1.1
> Reporter: Knut Anders Hatlen
> Assignee: Mamta A. Satoor
> Attachments:
> DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt,
> DERBY4191_countStar_privilege_diff_patch1.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a
> SELECT COUNT(*) on that table. Counting a specific column (e.g., SELECT
> COUNT(X)) is prevented.
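
The check described in steps a) to c) of the comment above, as a simplified Java model. This is an added example, not code from the attached patches or from Derby; the class, record and method names and the string-based select items are assumptions made for illustration (the record needs Java 16 or later).

```java
import java.util.List;
import java.util.Objects;
import java.util.Set;

// Simplified model of the described check; these are not Derby's classes.
public class MinimalSelectModel {
    // Constructed stand-in for one user's SELECT grants on one table.
    record Grants(boolean tableSelect, Set<String> columnSelect) {}

    // Returns the column a select item reads, or null for a constant,
    // COUNT(*) or COUNT(constant). A bare "*" is outside this model.
    static String columnRead(String item) {
        if (item.trim().equals("*")) throw new UnsupportedOperationException("SELECT *");
        String operand = item.trim().replaceFirst("(?i)^COUNT\\((.*)\\)$", "$1").trim();
        return operand.matches("\\*|\\d+|'[^']*'") ? null : operand.toUpperCase();
    }

    // Bind time (steps a and b, merged here): true when no item reads a named
    // column, i.e. when no column-level requirement would be generated at all.
    static boolean needsMinimalSelect(List<String> items) {
        return items.stream().map(MinimalSelectModel::columnRead).allMatch(Objects::isNull);
    }

    // Execute time (step c): table-level SELECT always suffices; otherwise the
    // minimal requirement is met by a SELECT grant on any one column.
    static boolean authorized(List<String> items, Grants g) {
        if (g.tableSelect()) return true;
        if (needsMinimalSelect(items)) return !g.columnSelect().isEmpty();
        return items.stream().map(MinimalSelectModel::columnRead)
                .filter(Objects::nonNull).allMatch(g.columnSelect()::contains);
    }

    public static void main(String[] args) {
        Grants none = new Grants(false, Set.of());        // no SELECT at all
        Grants colX = new Grants(false, Set.of("X"));     // column-level only
        Grants table = new Grants(true, Set.of());        // table-level
        List<List<String>> queries = List.of(
            List.of("COUNT(*)"), List.of("COUNT(1)"), List.of("1", "'a'"),
            List.of("COUNT(X)"), List.of("COUNT(*)", "Y"));
        for (List<String> q : queries) {
            System.out.printf("SELECT %s: none=%b colX=%b table=%b%n",
                String.join(", ", q), authorized(q, none),
                authorized(q, colX), authorized(q, table));
        }
    }
}
```

The `none` column is the case from the issue description: with the minimal requirement in place, `COUNT(*)` is refused for a user holding no SELECT privilege on the table.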