[
https://issues.apache.org/jira/browse/TRAFODION-2203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15526855#comment-15526855
]
ASF GitHub Bot commented on TRAFODION-2203:
-------------------------------------------
Github user DaveBirdsall commented on a diff in the pull request:
https://github.com/apache/incubator-trafodion/pull/729#discussion_r80748650
--- Diff: core/sql/sqlcomp/PrivMgrPrivileges.cpp ---
@@ -6134,6 +5870,79 @@ static bool isDelimited( const std::string
&strToScan)
//
*****************************************************************************
+// method: reportPrivWarnings
+//
+// Ansi states that when a grant statement is executed, a set of privilege
+// descriptors (CPD) is created based on existing privileges for the
object and
+// object’s columns. Each CPD contains the grantee, action (privileges),
object,
+// column and grantor. A similar list of privilege descriptors is created
based
+// on the grant/revoke statement (GPD).
+//
+// If there is an element in the GPD (what the user requested) that is not
in
+// the CPD (what was actually granted/revoked), then a warning –
privilege not
+// granted/revoked is displayed.
+//
+// This method compares the list of actual privileges granted/revoked
+// (actualPrivs)to the list privileges requested (origPrivs). If a
privilege
+// was requested but not granted/revoked report a warning.
+//
*****************************************************************************
+void PrivMgrPrivileges::reportPrivWarnings(
+ const PrivMgrDesc &origPrivs,
+ const PrivMgrDesc &actualPrivs,
+ const CatErrorCode warningCode)
+{
+ PrivMgrCoreDesc objPrivsNotApplied = origPrivs.getTablePrivs();
+ objPrivsNotApplied.suppressDuplicatedPrivs(actualPrivs.getTablePrivs());
+ if (!objPrivsNotApplied.isNull())
+ {
+ for ( size_t i = FIRST_DML_PRIV; i <= LAST_DML_PRIV; i++ )
+ {
+ PrivType privType = PrivType(i);
+ if (objPrivsNotApplied.getPriv(privType))
+ {
+ *pDiags_ << DgSqlCode(warningCode)
+ <<
DgString0(PrivMgrUserPrivs::convertPrivTypeToLiteral(privType).c_str());
+ }
+ }
+ }
+
+ NAList<PrivMgrCoreDesc> colPrivs = origPrivs.getColumnPrivs();
+ for (int i = 0; i < colPrivs.entries(); i++)
+ {
+ PrivMgrCoreDesc colPrivsNotApplied = colPrivs[i];
+
+ int index = actualPrivs.getColumnPriv(i);
+ if (index >= 0)
+ {
+ PrivMgrCoreDesc colPrivsActual =
actualPrivs.getColumnPrivs()[index];
+ colPrivsNotApplied.suppressDuplicatedPrivs(colPrivsActual);
+ }
+
+ if (!colPrivsNotApplied.isNull())
+ {
+ for ( size_t j = FIRST_DML_PRIV; j <= LAST_DML_PRIV; j++ )
+ {
+ PrivType privType = PrivType(j);
+ if (colPrivsNotApplied.getPriv(privType))
+ {
+ // would be better to add column name instead of number
+ // would require an I/O to read COLUMNS to get the name
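Review bot: In the column loop, `int index = actualPrivs.getColumnPriv(i);` passes the position of the entry in `origPrivs`' column list, not the column that entry describes. If `getColumnPriv` looks up by column ordinal (its definition is not visible here, so please confirm), a requested column privilege could be compared against the granted privileges of a different column. The "privilege not granted/revoked" warning would then be dropped or raised for the wrong column, leaving the user believing a grant succeeded, which is the symptom this issue reports. The lookup should use the ordinal carried by `colPrivs[i]`, and the warning should report that ordinal rather than the loop index. Separately, `colPrivs.entries()` is compared against a signed `int i`, and `NAList<PrivMgrCoreDesc> colPrivs = origPrivs.getColumnPrivs();` copies the list where a const reference would do. The body of reportPrivWarnings continues past the end of the quoted hunk.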
--- End diff --
Might be available in the NATables cache, but I know you don't want that
dependency in this code.
> a user can grant privileges that he doesn’t have to other users/roles
> successfully
> -----------------------------------------------------------------------------------
>
> Key: TRAFODION-2203
> URL: https://issues.apache.org/jira/browse/TRAFODION-2203
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Environment: Centos6.7
> EsgynDB R2.2 0825daily
> Reporter: Gao, Rui-Xian
> Assignee: Roberta Marton
>
> a user can grant privileges that he doesn’t have to other users/roles
> successfully.
> To reproduce --
> root user --
> create role role1;
> create schema mysch;
> set schema mysch;
> create table tab1(a int, b int)no partition;
> grant insert on tab1 to testuser1 with grant option;
> connect as testuser1 --
> set schema mysch;
> SQL>grant select on tab1 to role1;
> *** ERROR[1012] No privileges were granted. You lack grant option on the
> specified privileges. [2016-09-01 15:31:33] //Rachel: this is expected
> SQL>grant insert ,select on tab1 to role1;
> --- SQL operation complete. // should return error, testuser1 doesn’t have
> select privilege on tab1