SHOWDDL, QUERY Cancel, rework This delivery addresses security issues with SHOWDDL, adds initial support for security in query cancel, and implements part of the proposed GIVE commands.
Bug 1414234: SHOWDDL command now check component privileges. SHOW is granted to PUBLIC by default, so effectively there are no new restrictions unless SHOW is revoked from PUBLIC.
SHOWDDL COMPONENT now checks for MANAGE_COMPONENTS or SHOW privilege. SHOWDDL ROLE now checks for MANAGE_ROLES or SHOW privilege. SHOWDDL SCHEMA now checks for SHOW privilege. SHOWDDL USER now checks for MANAGE_USERS or SHOW privilege.
SHOWDDL LIBRARY is implemented. A user must have the USAGE privilege on the library, or the MANAGE_LIBRARY or SHOW privilege.
New function to determine if the user canceling the query has the authority: either DB__ROOT, or the user owns the query, or the user has the QUERY_CANCEL privilege. Note, the code is delivered in an inactive state pending future integration.
Three new component privileges are added: QUERY_ACTIVATE, QUERY_CANCEL, and QUERY_SUSPEND. These will be added if authorization is dropped and reinitialized. A future delivery will add an INITIALIZE AUTHORIZATION,UPDATE command that will add these privileges to an existing instance with authorization enabled.
Support for library objects was added to NATable, but the code is currently not used. May be integrated into CREATE ROUTINE and GRANT for libraries in the future.
Also included is minor rework from delivery 1082, and the GIVE SCHEMA command now updates associated privileges when object ownership is changed. Note, GIVE commands are still prototype. A detailed blueprint for GIVE will be released shortly.
This patch merges with changes from 1177 and addresses a couple of minor comments from the initial submittal.
bin/SqlciErrors.txt - new error message sqlcomp/CmpCatSqlErrorCodes.h - new error message sqlcomp/CmpSeabaseDDLmd.h - new literal describing length of generated HBase name sqlcomp/CmpSeabaseDDLcommon.cpp - new check for maxmum HBase name length
fix 1: privilege checks are not working correctly for UDR's
The method RelRoot::checkPrivileges is called to verify privileges for all object types. However, some UDR objects checks were skipped because they were not added to the UDR Stoi list.
optimizer/BindItemExpr.cpp - add function to Stoi list optimizer/BindRelExpr.cpp - add procedures to Stoi List optimzier/RelMisc.h - signature changes for privilege related work optimizer/BindRelExpr.cpp - rewrote checkPrivileges optimizer/NARoutine.h/NARoutineDB.cpp - added method moveRoutineToDeleteList
fix 2: QI is not working when UDR's are dropped
Code to drop items from NARoutineDB cache was missing. Code to set security keys for the user in the plan was missing Code to set objectUIDs in the plan was missing When security keys were added, they were incorrect
sqlcomp/CmpMain.h (.cpp) - added calls to compare invalidation keys with objects stored in NARoutineDB cache; if found, then remove item from cache by calling helper methods in NARoutineDB class. optimizer/NARoutineDB.h (NARoutine.cpp) - added helper method to remove entries from the cache free_entries_with_QI_key - based off of similar method for table cache ComSecurityKey.h (.cpp) - new method to check invalidation keys shared by tables/routines qiCheckForInvalidObject optimizer/NATable.cpp - rewrote table invalidation code so it could be shared with routines.
generator/GenUdr.cpp - add the routine's object UID to the query plan sqlcomp/CmpSeabaseDDLroutine.cpp - code to send invalidations keys during drop routine
common/ComSmallDefs.h - new QI actions for USAGE and REFERENCES common/ComDistribution.cpp - add EXECUTE as a privilege for QI, also added USAGE and REFERENCES sqlcomp/PrivMgrPrivileges.cpp - not generating correct security keys
fix 3: Routines were not being removed from NARoutineDB cache
Added new fields to the various routine structures for objectOwnerID, schemaOwnerID, and privInfo. Set up the correct routineID in various routine structures At drop time, made sure routine was removed from NARoutineDB cache
comexe/ComTdb.h - added new fields to routine descriptor and TDB generator/Generator.cpp - new fields for routines optimizer/NARoutine.h (.cpp) - new fields for routines removeNARoutine - based off similar method for table cache optimizer/NARoutine.cpp - added new field to store privilege information in NARoutine, which also gets security keys needed for query invalidation sqlcat/desc.h - new fields for routines sqlcomp/CmpSeabaseDDLtable.cpp - set up new values in NARoutine structure
sqlcomp/CmpSeabaseDDLroutine.cpp - code to remove entries from cache at drop time