Security fixes for 144553, 1414125, and 1393529
1445583: showstats command performance slow with security enabled
Several changes were made to improve performance:
Performance optimization: NATable.cpp: NATable::setupPrivs - If the current user is the object owner, then default the privilege bitmap to object Owner values - no need to call PrivMgr to get privileges
Caching optimization: We are now caching privmgr metadata tables in compiler cache when the compiler context is instantiated. This avoids a metadata lookup for these tables.
- Added new methods that return if the table is part of the PrivMgr schema
- Adjusted CmpSeabaseDDL::createMDdescs to include privmgr metadata in the cached entries
- Adjusted CmpSeabaseDDL::getMDtableInfo to check for privmgr metadata tables from the cached entries
- Removed obsolete code CmpSeabaseDDL::alterSeabaseDropColumn
- Changed CmpSeabaseDDL::getSeabaseTableDesc to check for both system and privmgr metadata from compiler cache
- Added new method CmpSeabaseDDL::getPKeyInfoForTable that returns the primary key name and UID for a table. This is needed when dropping privmgr metadata tables
Removed extraneous recompilations of HISTOGRAM structures: Today, update statistics and showstats are reloading NATable entries for HISTOGRAM tables on every access. This is because the parserflag ALLOW_SPECIALTABLETYPE is turned on. When this flag is turned on, the compiler always reloads the cache entries - see code from CmpMain::sqlcomp:
    //if using special tables e.g. using index as base table
    //select * from table (index_table T018ibc);
    //then refresh metadata cache
    if(Get_SqlParser_Flags(ALLOW_SPECIALTABLETYPE) &&
       CmpCommon::context()->schemaDB_->getNATableDB()->cachingMetaData())
      CmpCommon::context()->schemaDB_->getNATableDB()->refreshCacheInThisStatement();
Changed code to not set ALLOW_SPECIALTABLETYPE and ALLOW_PHONYCHARACTERS parserflags by default. Individual statements are setting these flags as needed.
1414125: User without priv can view data in metadata tables
The problem is that a user with priv cannot view data in metadata tables. Even when a user had SELECT privilege on a system or privmgr metadata table, the request failed.
The problem is that parameter 2 sent to CmpDescribeIsAuthorized in hs_globals.cpp is NULL so SELECT priv is not checked. If the user has SHOW component privilege, it works. A call was added to getPrivileges for metadata tables before calling CmpDescribeIsAuthorized.
1393529: Core dump accessing MD table descriptors
When "UPDATE STATISTICS LOG [ON, OFF, CLEAR]" is specified by a non DB__ROOT user, a core dump occurred. This happens because the isAuthorized check is performed expecting a NATable structure. This command does not need any special security checks.
Updated traf_authentication_setup script to support a new installation option
Enable authorization by default for regress, plus Patch 1:
Added TEST138 to catman1 - skipped files
Fixed wording in the traf_authentication_setup script from reviewer comments.
change 1 - Enable authorization during development regression tests
change 2 - Added support for create schema IF NOT EXISTS and drop schema IF EXISTS
change 3 - Changed traf_authentication_setup script to support a new installation option
change 1 - Enable authorization during development regression tests
Authorization will be enabled during regression runs. Since regressions run mostly as DB__ROOT, there should be few visible differences. Developers may see GRANT statements displayed as part of SHOWDDL requests. This can be controlled by a new CQD: SHOWDDL_DISPLAY_PRIVILEGE_GRANTS
  ON     - display GRANTS if authorization is enabled
  OFF    - do not display GRANTS
  SYSTEM - if running with SQLMX_REGRESS set, do not display grants; otherwise, display grants
regress/tools/init_sb_regr_sql -- execute initialize authorization
regress/tools/runregr_catman1.ksh -- turn on TEST138
regress/catman1 -- various test and expected files to set the new SHOWDDL CQD
"Initialize authorization, drop;" can be performed to disable authorization
This file was changed to support a new option "--setup" that only enables authentication. This will be used by the installation script when the customer chooses not to initialize trafodion.
This script enables or disables security features for Trafodion
Usage: traf_authentication_setup [options]
Options:
  --file <loc>   Optional location of the OpenLDAP configuration file
  --help         Prints this message
  --off          Disables authentication and authorization
  --on           Enables authentication and authorization
  --setup        Enables authentication
  --status       Returns status of authentication enablement