Column-level privileges - part 2

Support for column-level privileges will be in multiple deliveries.

This delivery adds the following portions:
1. DML operations (SELECT, INSERT, UPDATE) now recognize granted column-level privileges.
2. CREATE VIEW now recognizes granted column-level privileges.
3. Revoke of object-level privileges now revokes the corresponding column-level privilege.

Missing functionality:
1. Privileges can be granted to roles and revoked from roles, but REVOKE ROLE does not consider column-level privileges when determining if an object depends on a role's granted privileges.
2. Column-level revoke does not enforce RESTRICT, i.e., privileges may be revoked even if there are dependent privileges.
3. ALTER TABLE DROP COLUMN does not remove associated column-level privileges, nor does it check for dependent objects.

Turned on privilege features, reorg'd PrivMgr code

Turned on GRANTED BY, WITH GRANT OPTION, GRANT OPTION FOR clauses

For GRANTED BY
-> showddl now displays the GRANTED BY clause when
   --> the current user is not the object owner and
   --> the current user is not DB ROOT
-> added object_owner and schema_owner to the SeabaseLibraryDesc
   ComTdb.h Generator.cpp desc.h CmpSeabaseDDLtable.cpp -> getSeabaseLibraryDesc
-> added object owner in calls to PrivMgrPrivileges::getPrivTextForObject
   CmpDescribe.cpp PrivMgrCommands.cpp/.h PrivMgrPrivileges.cpp/.h

Changed object grant and revoke to store the list of privileges associated with the object and columns in the PrivMgrPrivileges class.
--> added new methods generateObjectRowList and generateColumnRowList, changed the destructor to remove these lists, changed code to call these new methods, and removed extra I/Os
--> removed member trafMetadataLocation_ (it is already stored in parent)

For WITH GRANT OPTION clause at GRANT time:
--> added checks at grant time to:
    --> check for potential circular grants (error 1036)
--> added new method getTreeOfGrants to get list of grantors that have previously granted to the current grantee

For GRANT OPTION FOR clause at REVOKE time:
--> changed error messages returned to be more meaningful
--> moved and activated call checkRevokeRestrict after call to getAffectedObjects

Added new columns to the COLUMN_PRIVILEGES and SCHEMA_PRIVILEGES tables to include the object_name, grantor_name, and grantee_name to match OBJECT_PRIVILEGES, ROLE_USAGES, and COMPONENT_PRIVILEGES.

Reorganized the contents of PrivMgr files:
--> PrivMgr document exists that describes the .h/.cpp structure
--> Added new files PrivMgr.h/PrivMgr.cpp that describe the parent class for all PrivMgr requests
--> moved existing defines, classes, etc. around to match the PrivMgr document

Fixed a couple of issues:
--> Fixed a bug in initialize authorization where the WGO was not set up correctly for UDRs
--> Fixed a bug in PrivMgrObject::selectAllWhere where an error condition was not returned
--> Fixed a bug in seabaseGrantRevoke where the incorrect object type was sent for views
--> Fixed a bug in update statistics privilege checking that was not handling HBase tables correctly

Added two regression tests (skipped until catman1 test directory is split up)
--> TEST132 - tests for privilege checking on libraries, populate index, showddl, invoke, update statistics, and showstats
--> TEST140 - tests for WITH GRANT OPTION and GRANTED BY option
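
The circular-grant check mentioned under WITH GRANT OPTION above, sketched as an added example (not the PrivMgr code from this commit): before a grant WITH GRANT OPTION is recorded, walk up the chain of grantors and reject the request if the new grantee already appears in it. The Grant struct, the function names and the sample rows are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical row of a grant list for one object and one privilege.
struct Grant {
    std::string grantor;
    std::string grantee;
    bool withGrantOption;
};

// Every authorization ID whose grant option 'user' depends on, found by
// following "granted to me WITH GRANT OPTION" edges upward until none remain.
std::set<std::string> grantorsAbove(const std::vector<Grant>& grants,
                                    const std::string& user) {
    std::set<std::string> seen;
    std::vector<std::string> work{user};
    while (!work.empty()) {
        std::string current = work.back();
        work.pop_back();
        for (const Grant& g : grants) {
            // seen.insert(...).second is false for IDs already visited,
            // so the walk terminates even if the stored data has a cycle.
            if (g.grantee == current && g.withGrantOption &&
                seen.insert(g.grantor).second)
                work.push_back(g.grantor);
        }
    }
    return seen;
}

// True when "grantor GRANT ... TO grantee WITH GRANT OPTION" would close a
// cycle: a self-grant, or the grantee already sits above the grantor.
bool wouldBeCircular(const std::vector<Grant>& grants,
                     const std::string& grantor, const std::string& grantee) {
    if (grantor == grantee) return true;
    return grantorsAbove(grants, grantor).count(grantee) > 0;
}

// Constructed sample: OWNER -> ALICE -> BOB carry WGO, BOB -> CAROL does not.
std::vector<Grant> sampleGrants() {
    return {{"OWNER", "ALICE", true}, {"ALICE", "BOB", true}, {"BOB", "CAROL", false}};
}

int main() {
    const auto grants = sampleGrants();
    std::cout << "BOB -> ALICE circular: " << wouldBeCircular(grants, "BOB", "ALICE") << "\n";
    std::cout << "BOB -> DAVE circular:  " << wouldBeCircular(grants, "BOB", "DAVE") << "\n";
    return 0;
}
```

Rejecting such a grant keeps the grant graph a tree, so a later revoke can decide which privileges depend on the revoked one without two grantees sustaining each other's privilege.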