Authorization checks for DDL & utilities
Fixed issues from code comments.
LOAD/UNLOAD authorization checks:
Code was added during code generation to make sure the user has privileges. If the user has the necessary privileges, then the EXEUTIL parser flag is turned on to avoid further privilege checks. When load/unload completes, the parser flag is reset.
Update/showstats Statistics authorization checks:
Added a new error message
Changed hs_globals to support a new isAuthorized method and store parser flags when class is instantiated and reset them when done
Changed hs_cli.cpp to use new IF NOT EXISTS syntax when creating histogram tables, make owner of histogram tables DB__ROOT (will need to adjust when schema privileges happen), and clean up CreateHistTables method to remove old authorization mechanism
Changed hs_update.cpp which controls the update and showstats operation to add authorization checks
Purgedata and populate index changes:
Changed CmpSeabaseDDLcommon.cpp to check privileges for purgedata
Changed CmpSeabaseDDLindex.cpp to check privileges for popindex
Additional component privileges and checks:
Added support for new component privileges in PrivMgrMD.h/.cpp
Added support for MANAGE_COMPONENTS
Added support for CREATE_INDEX and DROP_INDEX component privs
Fixes from last delivery that were postponed:
Context.cpp - fix for previous code review
CmpSeabaseDDLtable - added calls to deallocEHI
PrivMgrMD - fixed wording in a comment
ComUser - added new convenience method - isRootUserID()
NATable.cpp (setupPrivInfo) to always set up privInfo_ and to call the embedded compiler while extracting privileges
Privilege adjustments to take advantage of privInfo stored in NATable:
Added code to mark and rewind errors in diags.
Query Invalidation triggered by DDL, phase 1
This first check-in implements most of the framework which will be used to complete the QI DDL feature. It redefines the old security invalidation key (SQL_SIKEY) to handle DDL operations in addition to REVOKE. In a limited number of DDL operations, the object UIDs of affected Seabase objects are propagated to all nodes for use by the compiler to invalidate NATable cache entries, as well as a limited number of types of cached queries. Later this month, the framework will be completed by allowing prepared queries that have already been returned from the compiler to be invalidated. Then the next step for the framework will be support for invalidating the HTable cache. Finally, an effort will be made to cover all of the necessary DDL operations and all types of cached queries.
The check-in includes a new regression test (executor/TEST122) that demonstrates the cases that are covered. Specifically, a table will be dropped and recreated with the same name but a different definition in one sqlci session. In another session, which has already populated the NATable cache and query cache for INSERT, UPDATE, DELETE, SELECT, SELECT COUNT(*), INVOKE and SHOWDDL statements, those same types of statements will be resubmitted and correctly compiled.