Enable authorization by default for regress, plus Patch 1:
Added TEST138 to catman1 - skipped files.
Fixed wording in the traf_authentication_setup script from reviewer comments.
change 1 - Enable authorization during development regression tests
change 2 - Added support for create schema IF NOT EXISTS and drop schema IF EXISTS
change 3 - Changed traf_authentication_setup script to support a new installation option
change 1 - Enable authorization during development regression tests
Authorization will be enabled during regression runs. Since regressions run mostly as DB__ROOT, there should be few visible differences. Developers may see GRANT statements displayed as part of SHOWDDL requests. This can be controlled by a new CQD: SHOWDDL_DISPLAY_PRIVILEGE_GRANTS
ON - display GRANTS if authorization is enabled
OFF - do not display GRANTS
SYSTEM - if running with SQLMX_REGRESS set, do not display grants; otherwise, display grants
regress/tools/init_sb_regr_sql -- execute initialize authorization
regress/tools/runregr_catman1.ksh -- turn on TEST138
regress/catman1 -- various test and expected files to set the new SHOWDDL CQD
"Initialize authorization, drop;" can be performed to disable authorization
This file was changed to support a new option "--setup" that only enables authentication. This will be used by the installation script when the customer chooses not to initialize Trafodion.
This script enables or disables security features for Trafodion
Usage: traf_authentication_setup [options]
Options:
  --file <loc>   Optional location of the OpenLDAP configuration file
  --help         Prints this message
  --off          Disables authentication and authorization
  --on           Enables authentication and authorization
  --setup        Enables authentication
  --status       Returns status of authentication enablement
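The following sqlci session is an added example, not part of the change set or the regress scripts it lists. It shows the statements that change 1 and change 2 introduce or depend on: initializing authorization, the idempotent schema DDL, and the three settings of the new CQD. The schema TRAFODION.SALES, the table ORDERS and the database user APPUSER are made up for the example, APPUSER is assumed to be an already registered user, and the combination of IF EXISTS with the existing CASCADE option is assumed to parse.

```sql
-- Added example (not from the change set). Run in sqlci as DB__ROOT.
-- Assumes an LDAP user already registered as database user APPUSER.

-- Enable authorization; "INITIALIZE AUTHORIZATION, DROP;" reverses it.
INITIALIZE AUTHORIZATION;

-- Change 2: schema setup/teardown that is safe to re-run in a regression script.
-- (IF EXISTS combined with CASCADE is assumed here.)
DROP SCHEMA IF EXISTS TRAFODION.SALES CASCADE;
CREATE SCHEMA IF NOT EXISTS TRAFODION.SALES;
SET SCHEMA TRAFODION.SALES;

-- A table with one grant, so SHOWDDL has a GRANT statement to show or hide.
CREATE TABLE ORDERS (ORDER_ID INT NOT NULL PRIMARY KEY, AMOUNT DECIMAL(10,2));
GRANT SELECT ON TABLE ORDERS TO APPUSER;

-- Change 1: OFF suppresses the GRANT lines regardless of authorization state.
CQD SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'OFF';
SHOWDDL ORDERS;

-- ON appends the GRANT SELECT ... TO APPUSER line because authorization is enabled.
CQD SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
SHOWDDL ORDERS;

-- Back to SYSTEM: grants are hidden when SQLMX_REGRESS is set in the
-- environment (as in the regress harness) and shown otherwise.
CQD SHOWDDL_DISPLAY_PRIVILEGE_GRANTS RESET;
SHOWDDL ORDERS;
```

Regression expected files are generated with the CQD pinned to a fixed value, which is why the catman1 test files set it explicitly rather than relying on SYSTEM.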
SHOWDDL, QUERY Cancel, rework
This delivery addresses security issues with SHOWDDL, adds initial support for security in query cancel, and implements part of the proposed GIVE commands.
Bug 1414234: SHOWDDL command now checks component privileges. SHOW is granted to PUBLIC by default, so effectively there are no new restrictions unless SHOW is revoked from PUBLIC.
SHOWDDL COMPONENT now checks for MANAGE_COMPONENTS or SHOW privilege.
SHOWDDL ROLE now checks for MANAGE_ROLES or SHOW privilege.
SHOWDDL SCHEMA now checks for SHOW privilege.
SHOWDDL USER now checks for MANAGE_USERS or SHOW privilege.
SHOWDDL LIBRARY is implemented. A user must have the USAGE privilege on the library, or the MANAGE_LIBRARY or SHOW privilege.
New function to determine if the user canceling the query has the authority: either DB__ROOT, or the user owns the query, or the user has the QUERY_CANCEL privilege. Note, the code is delivered in an inactive state pending future integration.
Three new component privileges are added: QUERY_ACTIVATE, QUERY_CANCEL, and QUERY_SUSPEND. These will be added if authorization is dropped and reinitialized. A future delivery will add an INITIALIZE AUTHORIZATION, UPDATE command that will add these privileges to an existing instance with authorization enabled.
Support for library objects was added to NATable, but the code is currently not used. May be integrated into CREATE ROUTINE and GRANT for libraries in the future.
Also included is minor rework from delivery 1082, and the GIVE SCHEMA command now updates associated privileges when object ownership is changed. Note, GIVE commands are still prototype. A detailed blueprint for GIVE will be released shortly.
This patch merges with changes from 1177 and addresses a couple of minor comments from the initial submittal.
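The following statements are an added example, not code from the delivery, showing how the SHOWDDL privilege checks described above become visible once SHOW is revoked from PUBLIC, and how the new QUERY_CANCEL privilege would be granted. It assumes authorization is enabled, that APPUSER is a registered database user holding no component privileges of its own, that DB__ROOTROLE is the default root role, and that the APPUSER statements are issued from a separate session connected as that user.

```sql
-- Added example (not from the delivery). First part runs as DB__ROOT.
-- Assumes APPUSER is a registered user with no component privileges.

-- SHOW is granted to PUBLIC by default, so every user may run SHOWDDL.
-- Withdraw it so the per-variant MANAGE_* checks actually apply.
REVOKE COMPONENT PRIVILEGE SHOW ON SQL_OPERATIONS FROM PUBLIC;

-- Give APPUSER only the privilege of a role administrator.
GRANT COMPONENT PRIVILEGE MANAGE_ROLES ON SQL_OPERATIONS TO APPUSER;

-- QUERY_CANCEL exists only after authorization was dropped and reinitialized;
-- the cancel check that consumes it is inactive in this delivery.
GRANT COMPONENT PRIVILEGE QUERY_CANCEL ON SQL_OPERATIONS TO APPUSER;

-- The following run in a session connected as APPUSER (e.g. via trafci).
SHOWDDL ROLE DB__ROOTROLE;        -- allowed: MANAGE_ROLES stands in for SHOW
SHOWDDL USER DB__ROOT;            -- rejected: needs MANAGE_USERS or SHOW
SHOWDDL COMPONENT SQL_OPERATIONS; -- rejected: needs MANAGE_COMPONENTS or SHOW
SHOWDDL SCHEMA TRAFODION.SALES;   -- rejected: needs SHOW

-- Back as DB__ROOT: restore the default so unprivileged users keep
-- read-only access to metadata.
GRANT COMPONENT PRIVILEGE SHOW ON SQL_OPERATIONS TO PUBLIC;
```

Revoking SHOW from PUBLIC is the one step that changes behaviour for existing users; the MANAGE_* privileges only widen what a user can display, never narrow it.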