Repository: incubator-trafodion Updated Branches: refs/heads/master ca00ea231 -> b12b45eca
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp b/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp index 4ef16c5..d9b1423 100644 --- a/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp +++ b/core/sql/sqlcomp/CmpSeabaseDDLcommon.cpp @@ -10356,6 +10356,27 @@ std::string commandString; SEABASEDDL_INTERNAL_ERROR(commandString.c_str()); } + // update the redef timestamp for the role in auths table + char buf[(roleIDs.size()*12) + 500]; + Int64 redefTime = NA_JulianTimestamp(); + std::string roleList; + for (size_t i = 0; i < roleIDs.size(); i++) + { + if (i > 0) + roleList += ", "; + roleList += to_string((long long int)roleIDs[i]); + } + + str_sprintf(buf, "update %s.\"%s\".%s set auth_redef_time = %Ld " + "where auth_id in (%s)", + systemCatalog.c_str(), SEABASE_MD_SCHEMA, SEABASE_AUTHS, + redefTime, roleList.c_str()); + + ExeCliInterface cliInterface(STMTHEAP); + Int32 cliRC = cliInterface.executeImmediate(buf); + if (cliRC < 0) + cliInterface.retrieveSQLDiagnostics(CmpCommon::diags()); + } //********************** End of grantRevokeSeabaseRole ************************* http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/PrivMgrCommands.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrCommands.cpp b/core/sql/sqlcomp/PrivMgrCommands.cpp index 550ac64..6faf70b 100644 --- a/core/sql/sqlcomp/PrivMgrCommands.cpp +++ b/core/sql/sqlcomp/PrivMgrCommands.cpp @@ -67,96 +67,138 @@ PrivMgrObjectInfo::PrivMgrObjectInfo( // **************************************************************************** // Class: PrivMgrUserPrivs // **************************************************************************** -PrivMgrUserPrivs::PrivMgrUserPrivs( +bool PrivMgrUserPrivs::initUserPrivs( + const std::vector<int32_t> & roleIDs, const TrafDesc *priv_desc, - const int32_t userID) + const int32_t userID, + const int64_t objectUID, + ComSecurityKeySet & secKeySet) { - assert (priv_desc); + hasPublicPriv_ = false; // generate PrivMgrUserPrivs from the priv_desc structure TrafDesc *priv_grantees_desc = priv_desc->privDesc()->privGrantees; - TrafDesc *priv_grantee_desc = NULL; - TrafDesc *priv_public_desc = NULL; + NAList<PrivMgrDesc> descList; - // Find relevant desc for the user + // Find relevant descs for the user while (priv_grantees_desc) { Int32 grantee = priv_grantees_desc->privGranteeDesc()->grantee; + bool addDesc = false; if (grantee == userID) - priv_grantee_desc = priv_grantees_desc->privGranteeDesc(); + addDesc = true; + + if (PrivMgr::isRoleID(grantee)) + { + if ((std::find(roleIDs.begin(), roleIDs.end(), grantee)) != roleIDs.end()) + addDesc = true; + } if (ComUser::isPublicUserID(grantee)) - priv_public_desc = priv_grantees_desc->privGranteeDesc(); + { + addDesc = true; + hasPublicPriv_ = true; + } - priv_grantees_desc = priv_grantees_desc->next; - } + // Create a list of PrivMgrDesc contain privileges for user, user's roles, + // and public + if (addDesc) + { + TrafDesc *objectPrivs = priv_grantees_desc->privGranteeDesc()->objectBitmap; - // If the user has a privilege in the priv_grantees_desc list, use it to - // create the PrivMgrUserPrivs class. - if (priv_grantee_desc) - { + PrivMgrCoreDesc objectDesc(objectPrivs->privBitmapDesc()->privBitmap, + objectPrivs->privBitmapDesc()->privWGOBitmap); + + TrafDesc *priv_grantee_desc = priv_grantees_desc->privGranteeDesc(); + TrafDesc *columnPrivs = priv_grantee_desc->privGranteeDesc()->columnBitmaps; + NAList<PrivMgrCoreDesc> columnDescs; + while (columnPrivs) + { + PrivMgrCoreDesc columnDesc(columnPrivs->privBitmapDesc()->privBitmap, + columnPrivs->privBitmapDesc()->privWGOBitmap, + columnPrivs->privBitmapDesc()->columnOrdinal); + columnDescs.insert(columnDesc); + columnPrivs = columnPrivs->next; + } - // Set up object level privileges - TrafDesc *objectPrivs = priv_grantee_desc->privGranteeDesc()->objectBitmap; - objectBitmap_ = objectPrivs->privBitmapDesc()->privBitmap; - grantableBitmap_ = objectPrivs->privBitmapDesc()->privWGOBitmap; + PrivMgrDesc privs(priv_grantees_desc->privGranteeDesc()->grantee); + privs.setTablePrivs(objectDesc); + privs.setColumnPrivs(columnDescs); + privs.setHasPublicPriv(hasPublicPriv_); - // Set up column level privileges - // The PrivColList is a key <=> value pair structure, the key is the - // column ordinal (number) and the value is the associated bitmap. - TrafDesc *columnPrivs = priv_grantee_desc->privGranteeDesc()->columnBitmaps; - PrivColList colPrivsList; - PrivColList colGrantableList; - while (columnPrivs) - { - Int32 columnOrdinal = columnPrivs->privBitmapDesc()->columnOrdinal; - colPrivsList[columnOrdinal] = columnPrivs->privBitmapDesc()->privBitmap; - colGrantableList[columnOrdinal] = columnPrivs->privBitmapDesc()->privWGOBitmap; - columnPrivs = columnPrivs->next; + descList.insert(privs); } - colPrivsList_= colPrivsList; - colGrantableList_ = colGrantableList; + priv_grantees_desc = priv_grantees_desc->next; } - // See if there are privileges assigned to public. If so, "or" the public - // list to the user to the current bitmaps. Initially all the bitmap are - // set to 0. - if (priv_public_desc) + // Union privileges from all grantees together to create a single set of + // bitmaps. Create security invalidation keys + for (int i = 0; i < descList.entries(); i++) { + PrivMgrDesc privs = descList[i]; + // Set up object level privileges - TrafDesc *objectPrivs = priv_public_desc->privGranteeDesc()->objectBitmap; - objectBitmap_ |= objectPrivs->privBitmapDesc()->privBitmap; - grantableBitmap_ |= objectPrivs->privBitmapDesc()->privWGOBitmap; + objectBitmap_ |= privs.getTablePrivs().getPrivBitmap(); + grantableBitmap_ |= privs.getTablePrivs().getWgoBitmap(); // Set up column level privileges - // The PrivColList is a key <=> value pair structure, the key is the - // column ordinal (number) and the value is the associated bitmap. - TrafDesc *columnPrivs = priv_public_desc->privGranteeDesc()->columnBitmaps; - PrivColList colPrivsList; - PrivColList colGrantableList; - std::map<size_t,PrivColumnBitmap>::iterator it; - while (columnPrivs) + NAList<PrivMgrCoreDesc> columnPrivs = privs.getColumnPrivs(); + std::map<size_t,PrivColumnBitmap>::iterator it; + for (int j = 0; j < columnPrivs.entries(); j++) { - Int32 columnOrdinal = columnPrivs->privBitmapDesc()->columnOrdinal; + PrivMgrCoreDesc colDesc = columnPrivs[j]; + Int32 columnOrdinal = colDesc.getColumnOrdinal(); it = colPrivsList_.find(columnOrdinal); if (it == colPrivsList_.end()) { - colPrivsList_[columnOrdinal] = columnPrivs->privBitmapDesc()->privBitmap; - colGrantableList[columnOrdinal] = columnPrivs->privBitmapDesc()->privWGOBitmap; + colPrivsList_[columnOrdinal] = colDesc.getPrivBitmap(); + colGrantableList_[columnOrdinal] = colDesc.getWgoBitmap(); } else { - colPrivsList_[columnOrdinal] |= columnPrivs->privBitmapDesc()->privBitmap; - colGrantableList[columnOrdinal] |= columnPrivs->privBitmapDesc()->privWGOBitmap; + colPrivsList_[columnOrdinal] |= colDesc.getPrivBitmap(); + colGrantableList_[columnOrdinal] |= colDesc.getWgoBitmap(); } + } + + // set up security invalidation keys + Int32 grantee = privs.getGrantee(); + Int32 role = (ComUser::isPublicUserID(grantee) || PrivMgr::isRoleID(grantee)) + ? grantee : NA_UserIdDefault; - columnPrivs = columnPrivs->next; + if (!buildSecurityKeys(userID, role, objectUID, privs.getTablePrivs(), secKeySet)) + return false; + + for (int k = 0; k < colPrivsList_.size(); k++) + { + PrivMgrCoreDesc colDesc(colPrivsList_[k], colGrantableList_[k]); + if (!buildSecurityKeys(userID, role, objectUID, colDesc, secKeySet)) + return false; } } // TBD - add schema privilege bitmaps + return true; } +// ---------------------------------------------------------------------------- +// method: initUserPrivs +// +// Creates a PrivMgrUserPrivs object from a PrivMgrDesc object +// ---------------------------------------------------------------------------- +void PrivMgrUserPrivs::initUserPrivs(PrivMgrDesc &privsOfTheUser) +{ + objectBitmap_ = privsOfTheUser.getTablePrivs().getPrivBitmap(); + grantableBitmap_ = privsOfTheUser.getTablePrivs().getWgoBitmap(); + + for (int32_t i = 0; i < privsOfTheUser.getColumnPrivs().entries(); i++) + { + const int32_t columnOrdinal = privsOfTheUser.getColumnPrivs()[i].getColumnOrdinal(); + colPrivsList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getPrivBitmap(); + colGrantableList_[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getWgoBitmap(); + } + hasPublicPriv_ = privsOfTheUser.getHasPublicPriv(); +} // **************************************************************************** // Class: PrivMgrCommands @@ -546,10 +588,7 @@ PrivStatus PrivMgrCommands::getPrivileges( PrivMgrUserPrivs &userPrivs, std::vector <ComSecurityKey *>* secKeySet) { - PrivMgrBitmap objPrivs; - PrivMgrBitmap grantablePrivs; - PrivColList colPrivsList; - PrivColList colGrantableList; + PrivMgrDesc privsOfTheUser; // If authorization is enabled, go get privilege bitmaps from metadata if (authorizationEnabled()) @@ -558,10 +597,7 @@ PrivStatus PrivMgrCommands::getPrivileges( PrivStatus retcode = objectPrivs.getPrivsOnObjectForUser(objectUID, objectType, userID, - objPrivs, - grantablePrivs, - colPrivsList, - colGrantableList, + privsOfTheUser, secKeySet); if (retcode != STATUS_GOOD) return retcode; @@ -570,20 +606,42 @@ PrivStatus PrivMgrCommands::getPrivileges( // authorization is not enabled, return bitmaps with all bits set // With all bits set, privilege checks will always succeed else - { - objPrivs.set(); - grantablePrivs.set(); - } + privsOfTheUser.getTablePrivs().setAllPrivAndWgo(true); - userPrivs.setObjectBitmap(objPrivs); - userPrivs.setGrantableBitmap(grantablePrivs); - userPrivs.setColPrivList(colPrivsList); - userPrivs.setColGrantableList(colGrantableList); + userPrivs.initUserPrivs(privsOfTheUser); return STATUS_GOOD; } +// ---------------------------------------------------------------------------- +// method: getRoles +// +// Returns roleIDs for the grantee. +// +// <granteeID> the authorization ID to obtain roles for +// <roleIDs> is the returned list of roles +// +// Returns: PrivStatus +// +// STATUS_GOOD: role list was built +// *: unexpected error occurred, see diags. +// ---------------------------------------------------------------------------- +PrivStatus PrivMgrCommands::getRoles( + const int32_t granteeID, + std::vector <int32_t > &roleIDs) +{ + // If authorization is not enabled, return + if (!authorizationEnabled()) + return STATUS_GOOD; + + PrivMgrRoles roles(" ",metadataLocation_,pDiags_); + std::vector<std::string> roleNames; + std::vector<int32_t> roleDepths; + + return roles.fetchRolesForUser(granteeID,roleNames,roleIDs,roleDepths); +} + // ***************************************************************************** // * * // * Function: PrivMgrCommands::getPrivRowsForObject * http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/PrivMgrCommands.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrCommands.h b/core/sql/sqlcomp/PrivMgrCommands.h index cf281e8..74849c3 100644 --- a/core/sql/sqlcomp/PrivMgrCommands.h +++ b/core/sql/sqlcomp/PrivMgrCommands.h @@ -31,6 +31,7 @@ #include "PrivMgrMD.h" #include "PrivMgrDefs.h" #include "TrafDDLdesc.h" +#include "ComSecurityKey.h" class ComDiagsArea; class ComSecurityKey; @@ -130,10 +131,9 @@ class PrivMgrUserPrivs { public: - PrivMgrUserPrivs(const int32_t nbrCols = 0){}; - PrivMgrUserPrivs( - const TrafDesc *priv_desc, - const int32_t userID); + PrivMgrUserPrivs() + : hasPublicPriv_(false) + {} static std::string convertPrivTypeToLiteral(PrivType which) { @@ -392,6 +392,14 @@ class PrivMgrUserPrivs void setSchemaGrantableBitmap (PrivSchemaBitmap schemaGrantableBitmap) {schemaGrantableBitmap_ = schemaGrantableBitmap;} + bool getHasPublicPriv() { return hasPublicPriv_; } + void setHasPublicPriv(bool hasPublicPriv) {hasPublicPriv_ = hasPublicPriv;} + void initUserPrivs (PrivMgrDesc &privsOfTheGrantor); + bool initUserPrivs ( const std::vector<int32_t> &roleIDs, + const TrafDesc *priv_desc, + const int32_t userID, + const int64_t objectUID, + NASet<ComSecurityKey> & secKeySet); private: PrivObjectBitmap objectBitmap_; @@ -401,8 +409,10 @@ class PrivMgrUserPrivs PrivSchemaBitmap schemaPrivBitmap_; PrivSchemaBitmap schemaGrantableBitmap_; PrivColumnBitmap emptyBitmap_; + bool hasPublicPriv_; }; + // ***************************************************************************** // * // * Class: PrivMgrCommands @@ -479,6 +489,10 @@ public: const int64_t objectUID, std::vector<ObjectPrivsRow> & objectPrivsRows); + PrivStatus getRoles( + const int32_t grantee, + std::vector<int32_t> &roleIDs); + PrivStatus givePrivForObjects( const int32_t currentOwnerID, const int32_t newOwnerID, http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/PrivMgrDesc.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrDesc.h b/core/sql/sqlcomp/PrivMgrDesc.h index 832255b..dc72474 100644 --- a/core/sql/sqlcomp/PrivMgrDesc.h +++ b/core/sql/sqlcomp/PrivMgrDesc.h @@ -382,7 +382,8 @@ public: PrivMgrDesc(const PrivMgrDesc&other) // copy constructor : tableLevel_(other.tableLevel_), columnLevel_(other.columnLevel_), - grantee_(other.grantee_) + grantee_(other.grantee_), + hasPublicPriv_(other.hasPublicPriv_) {} PrivMgrDesc(const int32_t grantee, @@ -390,20 +391,23 @@ public: ) : tableLevel_(), columnLevel_(), - grantee_(grantee) + grantee_(grantee), + hasPublicPriv_(false) {} PrivMgrDesc(const PrivMgrDesc &privs, // preset constructor const int32_t grantee) : tableLevel_(privs.tableLevel_), columnLevel_(privs.columnLevel_), - grantee_(privs.grantee_) + grantee_(privs.grantee_), + hasPublicPriv_(privs.hasPublicPriv_) {} PrivMgrDesc(void) : tableLevel_(), columnLevel_(), - grantee_(0) + grantee_(0), + hasPublicPriv_(false) {} virtual ~PrivMgrDesc() // destructor @@ -419,6 +423,7 @@ public: tableLevel_ = other.tableLevel_; columnLevel_ = other.columnLevel_; grantee_ = other.grantee_; + hasPublicPriv_ = other.hasPublicPriv_; return *this; } @@ -431,6 +436,7 @@ public: if ( this == &other ) return TRUE; + // Not checking all members, should be okay return ( ( columnLevel_ == other.columnLevel_ ) && ( tableLevel_ == other.tableLevel_ ) && @@ -519,27 +525,6 @@ public: void resetTablePrivs() { tableLevel_.setAllPrivAndWgo(0); } void setColumnPrivs(const NAList<PrivMgrCoreDesc> &privs) { columnLevel_ = privs; } -#if 0 - void setColumnPriv(const PrivType which, - const bool value, - const int32_t ordinal - ); - void setColumnWgo(const PrivType which, - const bool value, - const int32_t ordinal - ); - - void setOneColOrdPriv(const PrivMgrCoreDesc& privs, - const int32_t ordinal - ); - void setAllColsPriv(const PrivType which, - const bool value - ); - void setAllColsWgo(const PrivType which, - const bool value - ); -#endif - // This will replace setAllDMLGrantPrivileges for the table level. This function // is also used to set a view's privileges as well. void setAllTableGrantPrivileges(const bool wgo) @@ -582,68 +567,27 @@ public: void setAllUdrRevokePrivileges(const bool grantOption); void setAllSequenceRevokePrivileges(const bool grantOption); - - /* - * These six functions are called by CatAccessPrivs to perform GRANT/REVOKEs on the actual - * PrivMgrCoreDesc members of the PrivMgrDesc. Previously, these members were accessed directly - * via friend declarations. - */ + bool getHasPublicPriv() { return hasPublicPriv_; } + void setHasPublicPriv(bool hasPublicPriv) { hasPublicPriv_ = hasPublicPriv; } PrivMgrCoreDesc::PrivResult grantTablePrivs(PrivMgrCoreDesc& priv) { return tableLevel_.grantPrivs(priv); } //PrivMgrCoreDesc::PrivResult grantColumnPrivs(PrivMgrCoreDesc& priv, const int32_t ordinal); - + PrivMgrCoreDesc::PrivResult revokeTablePrivs(PrivMgrCoreDesc& priv) { return tableLevel_.revokePrivs(priv); } //PrivMgrCoreDesc::PrivResult revokeColumnPrivs(PrivMgrCoreDesc& priv, const int32_t ordinal); -#if 0 - /* - * Apply the privileges in this descriptor to a target object, - * as grants from the specified Grantor. - * Modify the privilege settings in the descriptor to carry only the - * privileges newly granted. - * Return ALL/SOME/NONE, according to how many specified privileges - * were actually granted. - */ -CatPrivs::PrivResult applyTableGrants(const int64_t objectUID, - const int32_t& theGrantor - ); - /* - * Apply the privileges in this descriptor to a target object, - * as revokes from the specified Grantor. - * Modify the privilege settings in the descriptor to carry only the - * privileges newly granted. - * Return ALL/SOME/NONE, according to how many specified privileges - * were actually granted. - */ - - - /* - * Apply the privileges in this descriptor to a target object, - * as revokes from the specified Grantor. - * Modify the privilege settings in the descriptor to carry only the - * privileges newly granted. - * Return ALL/SOME/NONE, according to how many specified privileges - * were actually granted. - */ - - - PrivMgrCoreDesc::PrivResult applyTableRevokes(CatRWTableValued* targetObjectP, - const int32_t& theGrantor - ); - void pTrace() const; // Debug trace -#endif // Data members private: - PrivMgrCoreDesc tableLevel_; NAList<PrivMgrCoreDesc> columnLevel_; int32_t grantee_; + bool hasPublicPriv_; }; http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/PrivMgrPrivileges.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.cpp b/core/sql/sqlcomp/PrivMgrPrivileges.cpp index 0dbb45b..f18dacc 100644 --- a/core/sql/sqlcomp/PrivMgrPrivileges.cpp +++ b/core/sql/sqlcomp/PrivMgrPrivileges.cpp @@ -337,17 +337,6 @@ void static buildGrantText( const int32_t ownerID, std::string & grantText); -static PrivStatus buildColumnSecurityKeys( - const int64_t objectUID, - const PrivColList & colPrivsList, - const int32_t userID, - std::vector<ComSecurityKey *> & secKeySet); - -static PrivStatus buildUserSecurityKeys( - const std::vector<int32_t> & roleIDs, - const int32_t userID, - std::vector <ComSecurityKey *> & secKeySet); - void static closeColumnList(std::string & columnList); static void deleteRowList(std::vector<PrivMgrMDRow *> & rowList); @@ -356,13 +345,6 @@ static PrivMgrCoreDesc * findColumnEntry( NAList<PrivMgrCoreDesc> & colPrivsToGrant, const int32_t columnsOrdinal); -static PrivStatus getColRowsForGrantee( - const std::vector <PrivMgrMDRow *> &columnRowList, - const int32_t granteeID, - const std::vector<int32_t> & roleIDs, - std::vector<ColumnPrivsMDRow> &rowList, - std::vector <ComSecurityKey *>* secKeySet); - static void getColRowsForGranteeGrantor( const std::vector <PrivMgrMDRow *> & columnRowList, const int32_t granteeID, @@ -498,20 +480,31 @@ PrivMgrPrivileges::~PrivMgrPrivileges() // * // ***************************************************************************** PrivStatus PrivMgrPrivileges::buildSecurityKeys( - const int32_t granteeID, - const PrivMgrCoreDesc &privs, - std::vector <ComSecurityKey *> & secKeySet) - + const int32_t granteeID, + const int32_t roleID, + const PrivMgrCoreDesc &privs, + std::vector <ComSecurityKey *> & secKeySet) { + if (privs.isNull()) + return STATUS_GOOD; + // Only need to generate keys for DML privileges for ( size_t i = FIRST_DML_PRIV; i <= LAST_DML_PRIV; i++ ) { if ( privs.getPriv(PrivType(i))) { - ComSecurityKey *key = new ComSecurityKey(granteeID, - objectUID_, - PrivType(i), - ComSecurityKey::OBJECT_IS_OBJECT); + ComSecurityKey *key = NULL; + if (roleID != NA_UserIdDefault && ComUser::isPublicUserID(roleID)) + key = new ComSecurityKey(granteeID, + ComSecurityKey::OBJECT_IS_SPECIAL_ROLE); + else if (roleID != NA_UserIdDefault && isRoleID(roleID)) + key = new ComSecurityKey(granteeID, roleID, + ComSecurityKey::SUBJECT_IS_USER); + else + key = new ComSecurityKey(granteeID, + objectUID_, + PrivType(i), + ComSecurityKey::OBJECT_IS_OBJECT); if (key->isValid()) secKeySet.push_back(key); else @@ -562,95 +555,57 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObject ( if (generateColumnRowList() == STATUS_ERROR) return STATUS_ERROR; - // Gets all the grantees (userIDs) from the object and column lists - // The public auth ID is also included in this list + // Gets all the user grantees (userIDs) for the object and column lists + // Gets all the role grantees (roleIDs) for the object and column lists + // The public auth ID is included in the userIDs list std::vector<int32_t> userIDs; - if (getDistinctUserIDs(objectRowList_, columnRowList_, userIDs) == STATUS_ERROR) + std::vector<int32_t> roleIDs; + if (getDistinctIDs(objectRowList_, columnRowList_, userIDs, roleIDs) == STATUS_ERROR) return STATUS_ERROR; + // Gather privilege descriptors for each user for (size_t i = 0; i < userIDs.size(); i++) { int32_t userID = userIDs[i]; PrivMgrDesc privsOfTheUser(userID); bool hasManagePrivileges = false; - std::vector <int32_t> roleIDs; + std::vector <int32_t> emptyRoleIDs; - // Public is not granted roles, skip to avoid extra I/O - if (!ComUser::isPublicUserID(userID)) - { - if (getRoleIDsForUserID(userID,roleIDs) == STATUS_ERROR) - return STATUS_ERROR; - } - + // getUserPrivs returns object and column privileges summarized across all + // grantors. Just get direct grants to the user (role list is empty) + if (getUserPrivs(objectType, userID, emptyRoleIDs, privsOfTheUser, + hasManagePrivileges, NULL ) != STATUS_GOOD) + return STATUS_ERROR; + + if (!privsOfTheUser.isNull()) + privDescs.push_back(privsOfTheUser); + } + + // Attach roles to priv lists + for (size_t i = 0; i < roleIDs.size(); i++) + { + int32_t grantee = roleIDs[i]; + + PrivMgrDesc privsOfTheUser(grantee); + bool hasManagePrivileges = false; + std::vector <int32_t> emptyRoleIDs; + // getUserPrivs returns object and column privileges summarized across // all grantors. - if (getUserPrivs(objectType, userID, roleIDs, privsOfTheUser, + if (getUserPrivs(objectType, grantee, emptyRoleIDs, privsOfTheUser, hasManagePrivileges, NULL ) != STATUS_GOOD) return STATUS_ERROR; - privDescs.push_back(privsOfTheUser); + if (!privsOfTheUser.isNull()) + privDescs.push_back(privsOfTheUser); } + return STATUS_GOOD; } // ***************************************************************************** -// * Method: getColPrivsForUser -// * -// * Returns the column privileges a user has been granted on the object. -// * -// * Parameters: -// * -// * <granteeID> is the unique identifier for the grantee -// * <roleIDs> specifies a list of roles granted to the grantee -// * <colPrivsList> passes back the list of privs granted -// * <colGrantableList> passes back the list the user has WGO for -// * <secKeySet> if not NULL, returns a set of keys for user -// * -// * Returns: PrivStatus -// * -// * STATUS_GOOD: Privileges were returned -// * *: Unable to lookup privileges, see diags. -// * -// ***************************************************************************** -PrivStatus PrivMgrPrivileges::getColPrivsForUser( - const int32_t granteeID, - const std::vector<int32_t> & roleIDs, - PrivColList & colPrivsList, - PrivColList & colGrantableList, - std::vector <ComSecurityKey *>* secKeySet) - -{ - - std::vector<ColumnPrivsMDRow> rowList; - - // Get the privileges for the columns of the object granted to the grantee - PrivStatus privStatus = getColRowsForGrantee(columnRowList_,granteeID,roleIDs, - rowList,secKeySet); - - if (privStatus == STATUS_ERROR) - return privStatus; - - for (int32_t i = 0; i < rowList.size();++i) - { - const int32_t columnOrdinal = rowList[i].columnOrdinal_; - colPrivsList[columnOrdinal] = rowList[i].privsBitmap_; - colGrantableList[columnOrdinal] = rowList[i].grantableBitmap_; - - if (secKeySet != NULL) - { - privStatus = buildColumnSecurityKeys(objectUID_,colPrivsList, - rowList[i].granteeID_,*secKeySet); - if (privStatus != STATUS_GOOD) - return privStatus; - } - } - - return STATUS_GOOD; -} - -// ***************************************************************************** // Function: getColRowsForGranteeOrdinal // // Returns the list of column privileges granted for the object that have @@ -691,22 +646,20 @@ void PrivMgrPrivileges::getColRowsForGranteeOrdinal( } // ***************************************************************************** -// * Method: getDistinctUserIDs +// * Method: getDistinctIDs +// * +// * Finds all the userIDs that have been granted at least one privilege on +// * object. This list includes the public authorization ID // * -// * Finds all the usersIDs that have been granted at least one privilege on -// * object. These userIDs include direct grants: -// * grant <privilege> on <object> to <user> <== user added to list -// * Or indirect grants through role: -// * grant <privilege> on <object> to <role> -// * grant <role> to <user> <== user added to list -// * Includes public in the returned list -// ***************************************************************************** -PrivStatus PrivMgrPrivileges::getDistinctUserIDs( +// * Finds all the roleIDs that have been granted at least one privilege on +// * object +// ***************************************************************************** +PrivStatus PrivMgrPrivileges::getDistinctIDs( const std::vector <PrivMgrMDRow *> &objectRowList, const std::vector <PrivMgrMDRow *> &columnRowList, - std::vector<int32_t> &userIDs) + std::vector<int32_t> &userIDs, + std::vector<int32_t> &roleIDs) { - std::vector<int32_t> roleIDs; int32_t authID; // DB__ROOTROLE is a special role. If the current user has been granted @@ -715,15 +668,13 @@ PrivStatus PrivMgrPrivileges::getDistinctUserIDs( roleIDs.push_back(ROOT_ROLE_ID); // The direct object grants are stored in memory (objectRowList) so no I/O - // Save grants to roles for further processing for (size_t i = 0; i < objectRowList.size(); i++) { ObjectPrivsMDRow &row = static_cast<ObjectPrivsMDRow &> (*objectRowList[i]); authID = row.granteeID_; // insert authID into correct list, if not already present - if (ComUser::isPublicUserID(authID) || - CmpSeabaseDDLauth::isUserID(authID)) + if (ComUser::isPublicUserID(authID) || CmpSeabaseDDLauth::isUserID(authID)) { if (std::find(userIDs.begin(), userIDs.end(), authID) == userIDs.end()) userIDs.insert( std::upper_bound( userIDs.begin(), userIDs.end(), authID ), authID); @@ -756,22 +707,6 @@ PrivStatus PrivMgrPrivileges::getDistinctUserIDs( } } - // Get the list of users that have been granted one or more of the roles in - // the role list. A query that retrieves all userIDs granted to the list of - // roles (roleIDs) is performed. - if (roleIDs.size() > 0) - { - std::vector<int32_t> userIDsForRoleIDs; - if (getUserIDsForRoleIDs(roleIDs, userIDsForRoleIDs) == STATUS_ERROR) - return STATUS_ERROR; - - for (size_t i = 0; i < userIDsForRoleIDs.size(); i++) - { - authID = userIDsForRoleIDs[i]; - if (std::find(userIDs.begin(), userIDs.end(), authID) == userIDs.end()) - userIDs.insert( std::upper_bound( userIDs.begin(), userIDs.end(), authID ), authID); - } - } return STATUS_GOOD; } @@ -3270,29 +3205,6 @@ PrivStatus PrivMgrPrivileges::revokeColumnPriv( rowRevoked = true; } - // Send revoked privs to RMS - SQL_QIKEY siKeyList[NBR_DML_COL_PRIVS]; - size_t siIndex = 0; - - for (size_t i = FIRST_DML_COL_PRIV; i <= LAST_DML_COL_PRIV; i++ ) - { - if (!revokedPrivs.test(PrivType(i))) - continue; - - ComSecurityKey secKey(granteeID,objectUID_,PrivType(i), - ComSecurityKey::OBJECT_IS_OBJECT); - - siKeyList[siIndex].revokeKey.subject = secKey.getSubjectHashValue(); - siKeyList[siIndex].revokeKey.object = secKey.getObjectHashValue(); - std::string actionString; - secKey.getSecurityKeyTypeAsLit(actionString); - strncpy(siKeyList[siIndex].operation,actionString.c_str(),2); - siIndex++; - } - - if (siIndex > 0) - SQL_EXEC_SetSecInvalidKeys(siIndex,siKeyList); - // if (!rowRevoked) // Warning @@ -3377,6 +3289,11 @@ PrivStatus PrivMgrPrivileges::revokeObjectPriv (const ComObjectType objectType, // If only column-level privileges were specified, no problem. if (privsToRevoke.getTablePrivs().isNull()) { + // Send a message to the Trafodion RMS process about the revoke operation. + // RMS will contact all master executors and ask that cached privilege + // information be re-calculated + retcode = sendSecurityKeysToRMS(granteeID, privsToRevoke); + // report any privs not granted if (warnNotAll) reportPrivWarnings(origPrivsToRevoke, @@ -4005,7 +3922,7 @@ void PrivMgrPrivileges::scanColumnPublic( // input: // granteeID - the UID of the user losing privileges // the granteeID is stored in the PrivMgrDesc class - extra? -// listOfRevokePrivileges - the list of privileges that were revoked +// revokedPrivs - the list of privileges that were revoked // // Returns: PrivStatus // @@ -4014,43 +3931,39 @@ void PrivMgrPrivileges::scanColumnPublic( // **************************************************************************** PrivStatus PrivMgrPrivileges::sendSecurityKeysToRMS( const int32_t granteeID, - const PrivMgrDesc &listOfRevokedPrivileges) + const PrivMgrDesc &revokedPrivs) { // Go through the list of table privileges and generate SQL_QIKEYs -#if 0 - // Only need to generate keys for SELECT, INSERT, UPDATE, and DELETE std::vector<ComSecurityKey *> keyList; - PrivMgrCoreDesc privs = listOfRevokedPrivileges.getTablePrivs(); - for ( size_t i = 0; i < NBR_OF_PRIVS; i++ ) + int32_t roleID = (ComUser::isPublicUserID(granteeID)) ? PUBLIC_USER : NA_UserIdDefault; + const PrivMgrCoreDesc &privs = revokedPrivs.getTablePrivs(); + PrivStatus privStatus = buildSecurityKeys(granteeID, + roleID, + revokedPrivs.getTablePrivs(), + keyList); + if (privStatus != STATUS_GOOD) { - PrivType pType = PrivType(i); - if (pType == SELECT_PRIV || pType == INSERT_PRIV || - pType == UPDATE_PRIV || pType == DELETE_PRIV) + for(size_t k = 0; k < keyList.size(); k++) + delete keyList[k]; + keyList.clear(); + return privStatus; + } + + for (int i = 0; i < revokedPrivs.getColumnPrivs().entries(); i++) + { + const NAList<PrivMgrCoreDesc> &columnPrivs = revokedPrivs.getColumnPrivs(); + privStatus = buildSecurityKeys(granteeID, + roleID, + columnPrivs[i], + keyList); + if (privStatus != STATUS_GOOD) { - if (privs.getPriv(pType)) - { - ComSecurityKey *key = new ComSecurityKey(granteeID, - objectUID_, - pType, - ComSecurityKey::OBJECT_IS_OBJECT); - if (key->isValid()) - keyList.push_back(key); - else - { - // Probably should report a different error. Is an error possible? - *pDiags_ << DgSqlCode (-CAT_NOT_AUTHORIZED); - return STATUS_ERROR; - } - } + for(size_t k = 0; k < keyList.size(); k++) + delete keyList[k]; + keyList.clear(); + return privStatus; } } -#endif - std::vector<ComSecurityKey *> keyList; - PrivMgrCoreDesc privs = listOfRevokedPrivileges.getTablePrivs(); - PrivStatus privStatus = buildSecurityKeys(granteeID,privs,keyList); - if (privStatus != STATUS_GOOD) - return privStatus; - // TDB: add column privileges // Create an array of SQL_QIKEYs int32_t numKeys = keyList.size(); @@ -4216,10 +4129,7 @@ PrivStatus PrivMgrPrivileges::getPrivTextForObject( // * // * <objectUID> identifies the object // * <userID> identifies the user -// * <userPrivs> the list of privileges is returned -// * <grantablePrivs> the list of grantable privileges is returned -// * <colPrivsList> the list of column-level privileges is returned -// * <colGrantableList> the list of grantable column-level privileges is returned +// * <privsOfTheUser> the list of privileges is returned // * // * Returns: PrivStatus // * @@ -4231,10 +4141,7 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObjectForUser( const int64_t objectUID, ComObjectType objectType, const int32_t userID, - PrivObjectBitmap &userPrivs, - PrivObjectBitmap &grantablePrivs, - PrivColList & colPrivsList, - PrivColList & colGrantableList, + PrivMgrDesc &privsOfTheUser, std::vector <ComSecurityKey *>* secKeySet) { PrivStatus retcode = STATUS_GOOD; @@ -4253,41 +4160,19 @@ PrivStatus PrivMgrPrivileges::getPrivsOnObjectForUser( // generate the list of column-level privileges granted to the object and store in class if (generateColumnRowList() == STATUS_ERROR) return STATUS_ERROR; + + // generate the list of roles for the user + std::vector<int32_t> roleIDs; + if (getRoleIDsForUserID(userID,roleIDs) == STATUS_ERROR) + return STATUS_ERROR; - objectUID_ = objectUID; - PrivMgrDesc privsOfTheUser(userID); + // generate the list of privileges for the user + privsOfTheUser.setGrantee(userID); bool hasManagePrivileges = false; - std::vector<int32_t> roleIDs; - retcode = getRoleIDsForUserID(userID,roleIDs); - if (retcode == STATUS_ERROR) - return retcode; - retcode = getUserPrivs(objectType, userID, roleIDs, privsOfTheUser, hasManagePrivileges, secKeySet); - if (retcode != STATUS_GOOD) - return retcode; - - if (hasManagePrivileges && hasAllDMLPrivs(objectType,privsOfTheUser.getTablePrivs().getPrivBitmap())) - { - userPrivs = privsOfTheUser.getTablePrivs().getPrivBitmap(); - grantablePrivs = userPrivs; - return STATUS_GOOD; - } - - userPrivs = privsOfTheUser.getTablePrivs().getPrivBitmap(); - if (hasManagePrivileges) - grantablePrivs = userPrivs; - else - grantablePrivs = privsOfTheUser.getTablePrivs().getWgoBitmap(); - - // Create the column bitmaps as stored in privsOfTheUser - for (int32_t i = 0; i < privsOfTheUser.getColumnPrivs().entries(); i++) - { - const int32_t columnOrdinal = privsOfTheUser.getColumnPrivs()[i].getColumnOrdinal(); - colPrivsList[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getPrivBitmap(); - colGrantableList[columnOrdinal] = privsOfTheUser.getColumnPrivs()[i].getWgoBitmap(); - } + return retcode; } @@ -4406,7 +4291,7 @@ PrivStatus PrivMgrPrivileges::getUserPrivs( summarizedPrivs = temp; - // TBD - set all column granted if the table level privilege is set + return retcode; } @@ -4443,6 +4328,7 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( { PrivStatus retcode = STATUS_GOOD; hasManagePrivileges = false; + bool hasPublicGrantee = false; // Check to see if the granteeID is the system user // if so, the system user has all privileges. Set up appropriately @@ -4482,15 +4368,20 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( { ObjectPrivsMDRow &row = static_cast<ObjectPrivsMDRow &> (*rowList[i]); - if (secKeySet != NULL) + if (ComUser::isPublicUserID(row.granteeID_)) + hasPublicGrantee = true; + + PrivMgrCoreDesc temp (row.privsBitmap_, row.grantableBitmap_); + if (secKeySet) { - PrivMgrCoreDesc privs(row.privsBitmap_,0); - retcode = buildSecurityKeys(row.granteeID_,privs,*secKeySet); - if (retcode != STATUS_GOOD) - return retcode; + retcode = buildSecurityKeys(granteeID, + row.granteeID_, + temp, + *secKeySet); + if (retcode == STATUS_ERROR) + return retcode; } - PrivMgrCoreDesc temp (row.privsBitmap_, row.grantableBitmap_); coreTablePrivs.unionOfPrivs(temp); } @@ -4516,26 +4407,31 @@ PrivStatus PrivMgrPrivileges::getPrivsFromAllGrantors( { ColumnPrivsMDRow &row = static_cast<ColumnPrivsMDRow &> (*rowList[i]); + if (ComUser::isPublicUserID(row.granteeID_)) + hasPublicGrantee = true; + + // See if the ordinal has already been specified PrivMgrCoreDesc temp (row.privsBitmap_, row.grantableBitmap_, row.columnOrdinal_); + if (secKeySet) + { + retcode = buildSecurityKeys(granteeID, + row.granteeID_, + temp, + *secKeySet); + if (retcode == STATUS_ERROR) + return retcode; + } + PrivMgrCoreDesc *coreColumnPriv = findColumnEntry(coreColumnPrivs, row.columnOrdinal_); if (coreColumnPriv) coreColumnPriv->unionOfPrivs(temp); else coreColumnPrivs.insert(temp); - - // set up security keys, if required - if (secKeySet != NULL) - { - PrivColList privColList; - privColList[row.columnOrdinal_] = row.privsBitmap_; - retcode = buildColumnSecurityKeys(objectUID_,privColList, row.granteeID_,*secKeySet); - if (retcode != STATUS_GOOD) - return retcode; - } } summarizedPrivs.setColumnPrivs(coreColumnPrivs); + summarizedPrivs.setHasPublicPriv(hasPublicGrantee); return STATUS_GOOD; } @@ -4572,26 +4468,6 @@ PrivStatus PrivMgrPrivileges::getRowsForGrantee( { PrivStatus retcode = STATUS_GOOD; -#if 0 - if (isObjectTable) - { - if (objectRowList_.size() == 0) - { - PRIVMGR_INTERNAL_ERROR("privilege list for object has not been created"); - return STATUS_ERROR; - } - } - - else // isColumnTable - { - if (columnRowList_.size() == 0) - { - PRIVMGR_INTERNAL_ERROR("privilege list for columns have not been created"); - return STATUS_ERROR; - } - } -#endif - // create the list of row pointers std::vector<int32_t> authIDs = roleIDs; authIDs.push_back(granteeID); @@ -4628,16 +4504,6 @@ PrivStatus PrivMgrPrivileges::getRowsForGrantee( rowList.push_back(privRowList[i]); } - if (rowList.size() > 0 && secKeySet != NULL) - { - retcode = buildUserSecurityKeys(roleIDs,granteeID,*secKeySet); - if (retcode == STATUS_ERROR) - { - PRIVMGR_INTERNAL_ERROR("Unable to build user security key"); - return STATUS_ERROR; - } - } - return STATUS_GOOD; } @@ -5432,132 +5298,6 @@ void static buildGrantText( } //*************************** End of buildGrantText **************************** -// ***************************************************************************** -// * Function: buildColumnSecurityKeys * -// * * -// * Builds security keys for privileges granted on one or more columns of * -// * an object. * -// * * -// * * -// ***************************************************************************** -// * * -// * Parameters: * -// * * -// * * -// * <objectUID> const int64_t In * -// * is the unique ID of the object. * -// * * -// * <roleIDs> const PrivColList & colPrivsList In * -// * is a list of the column privileges granted on this object to the * -// * specified grantee. * -// * * -// * <granteeID> const int32_t In * -// * is the ID of the user granted the column privilege(s). * -// * * -// * <secKeySet> std::vector <ComSecurityKey *> & Out * -// * passes back a list of SUBJECT_IS_OBJECT security keys for each of the * -// * privileges granted on the object to the grantee. * -// * * -// ***************************************************************************** -// * * -// * Returns: PrivStatus * -// * * -// * STATUS_GOOD: Security keys were built * -// * *: Security keys were not built, see diags. * -// * * -// ***************************************************************************** -static PrivStatus buildColumnSecurityKeys( - const int64_t objectUID, - const PrivColList & colPrivsList, - const int32_t granteeID, - std::vector<ComSecurityKey *> & secKeySet) - -{ - -// ***************************************************************************** -// * * -// * Optimizer currently does not support OBJECT_IS_COLUMN, so we combine * -// * all column-level privileges to one priv bitmap and create a key for * -// * each priv type the grantee has on the object. * -// * * -// ***************************************************************************** - -PrivColumnBitmap privBitmap; - - for (PrivColIterator columnIterator = colPrivsList.begin(); - columnIterator != colPrivsList.end(); ++columnIterator) - privBitmap |= columnIterator->second; - - for (size_t i = FIRST_DML_COL_PRIV; i <= LAST_DML_COL_PRIV; i++ ) - { - if (!privBitmap.test(PrivType(i))) - continue; - - ComSecurityKey *key = new ComSecurityKey(granteeID, - objectUID, - PrivType(i), - ComSecurityKey::OBJECT_IS_OBJECT); - if (!key->isValid()) - return STATUS_ERROR; - - secKeySet.push_back(key); - } - - return STATUS_GOOD; - -} -//********************** End of buildColumnSecurityKeys ************************ - -// ***************************************************************************** -// * Function: buildUserSecurityKeys * -// * * -// * Builds security keys for a user and the roles granted to the user. * -// * * -// ***************************************************************************** -// * * -// * Parameters: * -// * * -// * * -// * <roleIDs> const std::vector<int32_t> & In * -// * is a reference to a vector of roleIDs that have been granted to the * -// * user. * -// * * -// * * -// * <userID> const int32_t In * -// * is the ID of the user granted the role(s). * -// * * -// * <secKeySet> std::vector <ComSecurityKey *> & Out * -// * passes back a list of SUBJECT_IS_USER security keys for each of the * -// * roles granted to the user. * -// * * -// ***************************************************************************** -// * * -// * Returns: PrivStatus * -// * * -// * STATUS_GOOD: Security keys were built * -// * *: Security keys were not built, see diags. * -// * * -// ***************************************************************************** -static PrivStatus buildUserSecurityKeys( - const std::vector<int32_t> & roleIDs, - const int32_t userID, - std::vector<ComSecurityKey *> & secKeySet) - -{ - - for ( size_t i = 0; i < roleIDs.size(); i++ ) - { - ComSecurityKey *key = new ComSecurityKey(userID,roleIDs[i], - ComSecurityKey::SUBJECT_IS_USER); - if (key->isValid()) - secKeySet.push_back(key); - else - return STATUS_ERROR; - } - - return STATUS_GOOD; -} -//*********************** End of buildUserSecurityKeys ************************* // ***************************************************************************** // * Function: closeColumnList * @@ -5658,77 +5398,6 @@ static PrivMgrCoreDesc * findColumnEntry( //************************** End of findColumnEntry **************************** - -// ***************************************************************************** -// * Function: getColRowsForGrantee * -// * * -// * Returns the list of column privileges granted for the object that have * -// * been granted to the granteeID. * -// * * -// ***************************************************************************** -// * * -// * Parameters: * -// * * -// * <columnRowList> std::vector<PrivMgrMDRow *> & In * -// * is the list of column privileges granted on the object. * -// * * -// * <granteeID> const int32_t In * -// * is the authID granted the privileges. * -// * * -// * <roleIDs> const std::vector<int32_t> & In * -// * is a list of roles granted to the grantee. * -// * * -// * <rowList> std::vector<PrivMgrMDRow *> & Out * -// * passes back a list rows representing the privileges granted. * -// * * -// * <secKeySet> std::vector <ComSecurityKey *> & Out * -// * passes back a list of SUBJECT_IS_USER security keys for each of the * -// * roles granted to the grantee. * -// * * -// ***************************************************************************** -// * Returns: PrivStatus * -// * * -// * STATUS_GOOD: Row returned. * -// * STATUS_NOTFOUND: No matching rows were found * -// ***************************************************************************** -static PrivStatus getColRowsForGrantee( - const std::vector <PrivMgrMDRow *> &columnRowList, - const int32_t granteeID, - const std::vector<int32_t> & roleIDs, - std::vector<ColumnPrivsMDRow> & rowList, - std::vector <ComSecurityKey *>* secKeySet) - -{ - - std::vector<int32_t> authIDs = roleIDs; - authIDs.push_back(granteeID); - authIDs.push_back(PUBLIC_USER); - std::vector<int32_t>::iterator it; - - std::vector<PrivMgrMDRow *> privRowList; - - // returns the list of rows for the grantee, roles that the grantee has been - // granted, and PUBLIC - for (size_t i = 0; i < columnRowList.size(); i++) - { - ColumnPrivsMDRow &row = static_cast<ColumnPrivsMDRow &> (*columnRowList[i]); - it = std::find(authIDs.begin(), authIDs.end(), row.granteeID_); - if (it != authIDs.end()) - rowList.push_back(row); - } - - if (rowList.empty()) - return STATUS_NOTFOUND; - - if (secKeySet != NULL) - return buildUserSecurityKeys(roleIDs,granteeID,*secKeySet); - - return STATUS_GOOD; - -} -//*********************** End of getColRowsForGrantee ************************** - - // ***************************************************************************** // * Function: getColRowsForGranteeGrantor * // * * @@ -5869,6 +5538,7 @@ static bool isDelimited( const std::string &strToScan) //*********************** End of isDelimited *********************************** + // ***************************************************************************** // method: reportPrivWarnings // @@ -5940,8 +5610,6 @@ void PrivMgrPrivileges::reportPrivWarnings( } } - - // ***************************************************************************** // ObjectPrivsMDRow methods // ***************************************************************************** http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/PrivMgrPrivileges.h ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrPrivileges.h b/core/sql/sqlcomp/PrivMgrPrivileges.h index a3a132c..285f6e1 100644 --- a/core/sql/sqlcomp/PrivMgrPrivileges.h +++ b/core/sql/sqlcomp/PrivMgrPrivileges.h @@ -112,20 +112,10 @@ public: // ------------------------------------------------------------------- PrivStatus buildSecurityKeys( const int32_t granteeID, + const int32_t roleID, const PrivMgrCoreDesc &privs, std::vector <ComSecurityKey *> & secKeySet); - PrivStatus getPrivsOnObject ( - const ComObjectType objectType, - std::vector<PrivMgrDesc> & privDescs ); - - PrivStatus getColPrivsForUser( - const int32_t granteeID, - const std::vector<int32_t> & roleIDs, - PrivColList & colPrivsList, - PrivColList & colGrantableList, - std::vector <ComSecurityKey *>* secKeySet); - PrivStatus getGrantorDetailsForObject( const bool isGrantedBySpecified, const std::string grantedByName, @@ -138,6 +128,17 @@ public: const std::string & orderByClause, std::vector<PrivObjectBitmap> & privBitmaps); + PrivStatus getPrivsOnObject ( + const ComObjectType objectType, + std::vector<PrivMgrDesc> & privDescs ); + + PrivStatus getPrivsOnObjectForUser( + const int64_t objectUID, + ComObjectType objectType, + const int32_t userID, + PrivMgrDesc &privsForTheUser, + std::vector <ComSecurityKey *>* secKeySet); + PrivStatus getPrivRowsForObject( const int64_t objectUID, std::vector<ObjectPrivsRow> & objectPrivsRows); @@ -146,16 +147,6 @@ public: const PrivMgrObjectInfo &objectInfo, std::string &privilegeText); - PrivStatus getPrivsOnObjectForUser( - const int64_t objectUID, - ComObjectType objectType, - const int32_t userID, - PrivObjectBitmap &userPrivs, - PrivObjectBitmap &grantablePrivs, - PrivColList & colPrivsList, - PrivColList & colGrantableList, - std::vector <ComSecurityKey *>* secKeySet); - PrivStatus givePrivForObjects( const int32_t currentOwnerID, const int32_t newOwnerID, @@ -334,10 +325,11 @@ private: const int64_t objectUID, std::vector<PrivMgrMDRow *> &columnRows); - PrivStatus getDistinctUserIDs( + PrivStatus getDistinctIDs( const std::vector <PrivMgrMDRow *> &objectRowList, const std::vector <PrivMgrMDRow *> &columnRowList, - std::vector<int32_t> &userIDs); + std::vector<int32_t> &userIDs, + std::vector<int32_t> &roleIDs); PrivStatus getGrantedPrivs( const int32_t granteeID, http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/PrivMgrRoles.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/PrivMgrRoles.cpp b/core/sql/sqlcomp/PrivMgrRoles.cpp index 12861fd..4419c85 100644 --- a/core/sql/sqlcomp/PrivMgrRoles.cpp +++ b/core/sql/sqlcomp/PrivMgrRoles.cpp @@ -1664,7 +1664,7 @@ PrivStatus PrivMgrRoles::revokeRole( const std::vector<int32_t> & grantorIDs, const bool isGOFSpecified, const int32_t newGrantDepth, - PrivDropBehavior dropBehavior) + PrivDropBehavior dropBehavior) { @@ -1676,7 +1676,7 @@ PrivStatus PrivMgrRoles::revokeRole( return STATUS_ERROR; } -PrivStatus privStatus = STATUS_GOOD; + PrivStatus privStatus = STATUS_GOOD; for (size_t r = 0; r < roleIDs.size(); r++) { @@ -1758,10 +1758,10 @@ PrivStatus privStatus = STATUS_GOOD; } } -// All checks completed, all dependent grants revoked, and when CASCADE is -// supported, all dependent objects dropped. It's now safe to revoke the roles. + // All checks completed, all dependent grants revoked, and when CASCADE is + // supported, all dependent objects dropped. It's now safe to revoke the roles. -std::string setClause("SET GRANT_DEPTH = "); + std::string setClause("SET GRANT_DEPTH = "); if (isGOFSpecified) { @@ -1771,9 +1771,9 @@ std::string setClause("SET GRANT_DEPTH = "); setClause += grantDepthString; } -int32_t numKeys = roleIDs.size() * granteeIDs.size(); -SQL_QIKEY siKeyList[numKeys]; -size_t siIndex = 0; + int32_t numKeys = roleIDs.size() * granteeIDs.size(); + SQL_QIKEY siKeyList[numKeys]; + size_t siIndex = 0; for (size_t r2 = 0; r2 < roleIDs.size(); r2++) { @@ -1808,9 +1808,9 @@ size_t siIndex = 0; return STATUS_ERROR; } - ComSecurityKey secKey(granteeIDs[g2],roleIDs[r2], + ComSecurityKey secKey(granteeIDs[g2],roleIDs[r2], ComSecurityKey::SUBJECT_IS_USER); - + siKeyList[siIndex].revokeKey.subject = secKey.getSubjectHashValue(); siKeyList[siIndex].revokeKey.object = secKey.getObjectHashValue(); std::string actionString; @@ -1820,7 +1820,7 @@ size_t siIndex = 0; } } -// Call the CLI to send details to RMS + // Call the CLI to send details to RMS SQL_EXEC_SetSecInvalidKeys(siIndex,siKeyList); return STATUS_GOOD; http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/3b437720/core/sql/sqlcomp/QCache.cpp ---------------------------------------------------------------------- diff --git a/core/sql/sqlcomp/QCache.cpp b/core/sql/sqlcomp/QCache.cpp index 2478922..90a1593 100644 --- a/core/sql/sqlcomp/QCache.cpp +++ b/core/sql/sqlcomp/QCache.cpp @@ -2643,15 +2643,18 @@ void QCache::free_entries_with_QI_keys( Int32 pNumKeys, SQL_QIKEY * pSiKeyEntry { // this key passed in as a param is for REVOKE so look // thru the plan's revoke keys. - for ( CollIndex ii = 0; ii < numPlanSecKeys && - !found; ii ++ ) + for ( CollIndex ii = 0; ii < numPlanSecKeys && !found; ii ++ ) { - if ( ( (pSiKeyEntry[jj]).revokeKey.subject == - planSet[ii].getSubjectHashValue() ) && - ( (pSiKeyEntry[jj]).revokeKey.object == - planSet[ii].getObjectHashValue() ) && - ( siKeyType == planSet[ii].getSecurityKeyType() ) ) - found = TRUE; + // If user ID's (subjects match) + if ( (pSiKeyEntry[jj]).revokeKey.subject == + planSet[ii].getSubjectHashValue() ) + { + // Remove all plans for user + if ( ( pSiKeyEntry[jj]).revokeKey.object == + planSet[ii].getObjectHashValue() && + ( siKeyType == planSet[ii].getSecurityKeyType() ) ) + found = TRUE; + } } } } // end loop thru the keys passed as params