Security fixes for 144553, 1414125, and 1393529
1445583: showstats command performance slow with security enabled
Several changes were made to improve performance:
Performance optimization: NATable.cpp: NATable::setupPrivs - If the current user is the object owner, then default the privilege bitmap to object Owner values - no need to call PrivMgr to get privileges
Caching optimization: We are now caching privmgr metadata tables in compiler cache when the compiler context is instantiated. This avoids a metadata lookup for these tables.
- Added new methods that return if the table is part of the PrivMgr schema
- Adjusted CmpSeabaseDDL::createMDdescs to include privmgr metadata in the cached entries
- Adjusted CmpSeabaseDDL::getMDtableInfo to check for privmgr metadata tables from the cached entries
- Removed obsolete code CmpSeabaseDDL::alterSeabaseDropColumn
- Changed CmpSeabaseDDL::getSeabaseTableDesc to check for both system and privmgr metadata from compiler cache
- Added new method CmpSeabaseDDL::getPKeyInfoForTable that returns the primary key name and UID for a table. This is needed when dropping privmgr metadata tables
Removed extraneous recompilations of HISTOGRAM structures: Today, update statistics and showstats are reloading NATable entries for HISTOGRAM tables on every access. This is because the parserflag ALLOW_SPECIALTABLETYPE is turned on. When this flag is turned on, the compiler always reloads the cache entries - see code from CmpMain::sqlcomp:
    //if using special tables e.g. using index as base table
    //select * from table (index_table T018ibc);
    //then refresh metadata cache
    if(Get_SqlParser_Flags(ALLOW_SPECIALTABLETYPE) &&
       CmpCommon::context()->schemaDB_->getNATableDB()->cachingMetaData())
      CmpCommon::context()->schemaDB_->getNATableDB()->refreshCacheInThisStatement();
Changed code to not set ALLOW_SPECIALTABLETYPE and ALLOW_PHONYCHARACTERS parserflags by default. Individual statements are setting these flags as needed.
1414125: User without priv can view data in metadata tables
The problem is that a user with priv cannot view data in metadata tables. Even when a user had SELECT privilege on a system or privmgr metadata table, the request failed.
The problem is that parameter 2 sent to CmpDescribeIsAuthorized in hs_globals.cpp is NULL so SELECT priv is not checked. If the user has SHOW component privilege, it works. A call was added to getPrivileges for metadata tables before calling CmpDescribeIsAuthorized.
1393529: Core dump accessing MD table descriptors
When "UPDATE STATISTICS LOG [ON, OFF, CLEAR]" is specified by a non DB__ROOT user, a core dump occurred. This happens because the isAuthorized check is performed expecting a NATable structure. This command does not need any special security checks.
Updated traf_authentication_setup script to support a new installation option
Automated collection of necessary statistics
When the optimizer requests a histogram for a given column, and that histogram does not exist, it may (depending on the cqds in effect) register a request for the histogram to be created at a later time, or utilize a small sample to generate a rudimentary histogram on the fly. In either case, when a subsequent Update Statistics statement specifies the ON NECESSARY COLUMNS clause, any column of the target table that has been the subject of one of these actions will have a bona fide histogram created.