Set authorization enabled/Sequence generator privs Code to set authorization enabled at startup
Contains changes to check authorization at process startup time and code review comments from previous deliveries
Description of changes to check authorization at process startup time:
At process && compiler context startup time a check has been added to see if authorization is enabled. Based on this check a new flag is set in the compiler context. Any operation wishing to see what the authorization status is, just need to look at this flag.
This code has been reviewed internally by the security team. There will be a subsequent set of changes in the PrivMgr code to return better errors.
Added a new flag containing authorization status and methods that get and set this flag.
In method: NADefaults::readFromSQLTables added code that checks to see if authorization is enabled and sets the flag in CmpContext. It calls CmpSeabaseDDL::isPrivMgrMetadataInitialized to determine privmgr metadata status
Implementation of method isPrivMgrMetadataInitialized Changed isAuthorizationEnabled to look at the CmpContext flag instead of the flag (which was removed) in the CmpSeabaseDDL class Changed initSeabaseAuthorization and dropSeabaseAuthorization to change the flag in the context and kill compiler processes Changed all calls to PrivMgrnnnn::isAuthorizationEnabled to use the CmpSeabaseDDL::isAuthorizationEnabled or directly from CmpContext
Bin/SqlciErrors.txt & sqlcomp/CmpDDLCatErrorCodes.h to create a new error 1234 (currently unused)
Sqlcomp/PrivMgrMD.cpp changed mapping of PrivMDStatus to match what was done in nadefaults.cpp
Optimizer/BindRelExpr.cpp && sqlcomp/nadefaults.cpp to look in CmpContext for authorization enabled flag
Check privileges for Sequence generator
Adds the code in compiler to check for usage privilege for any sequence generators used in a query.
Additional privilege checks, plus
This delivery includes:
Verifying that user had correct privileges to perform all DDL operations. This is performed through a call to isDDDLOperationAuthorized. The signature changed to pass the object owner instead of the object name. This eliminates an I/O and made the method simpler. All callers were changed to use the new signature and all DDL operations now call this method after the NATable structure has been retrieved. A new regression test was added (TEST138).
As part of DDL privilege checking, the ALTER and DELETE component privilege is no longer granted during initialize authorization.
Updated files to address code review checkin for change ID: If7538eee38178c2345fe418172c6196b25a20b33.
Fixed a problem where SHOWDDL was not returning an error when user does not have appropriate privilege.
Made the PRIVMGR_MD schema a reserved schema.
Added code to switch contexts for several PrivMgr operations. This required a change to not grant owner privileges when creating the OBJECT_PRIVILEGES table.
Added a KNOWN diff file for TEST133. There is an issue where rows are not being loaded into OBJECT_PRIVILEGES during an error test.
Changes to support OSS poc. This checkin contains multiple changes that were added to support OSS poc. These changes are enabled through a special cqd mode_special_4 and not yet externalized for general use. A separate spec contains details of these changes. These changes have been contributed and pre-reviewed by Suresh, Jim C, Ravisha, Mike H, Selva and Khaled. All dev regressions have been run and passed.