Fixed regression test issue for privs1/TEST120

[TRAFODION-2626] Fix regressions

* Fix a wrong variable name in regression test code.

* Revert the original changes to monitor redirector that caused loss of some stdout data.

* Change monitor shell to put persistent process logs in TRAF_LOG.

[TRAFODION-2626] Make logs directory location configurable

Makes path to log directory independent of TRAF_HOME. The default location is still $TRAF_HOME/logs. The DCS and REST log directories are now sub-directories of the main TRAF_LOG directory.

TRAFODION - 3218 User still has privilege after user's role has been revoked ...

Partial support for column level privileges with QI support for:

  column select
  column insert
  column references
  column update

Also, as part of this, updated privilege code in a couple of areas:

Changed object caching code in NATable and NARoutine to store all privileges assigned to the object when the object is cached (privDescs_). During the load operation, the code creates bitmaps (privInfo_) for the current user. Privilege checks are performed against the user bitmaps (privInfo_). This is in anticipation of some performance updates when connecting to Trafodion (mxosrvr) with different users.

Change getRoleList to include the roleID and the granteeID that granted the privilege. The grantee can be a user or a role.

When a privilege is revoked from a role, send QI keys for every user that has been granted the role.

Fixes for TRAFODION-3194 && TRAFODION-3195

TRAFODION-3194: Revoke grant option on objects revokes more than grant option
  changed Privilege Manager to set bitmaps correctly
  removed unused methods from PrivMgrDesc

TRAFODION-3195: Fixes for get commands:

get schemas for user <user>:
  returns schemas owned by the specified user
  if current user does not have elevated privilege,
  returns error if current user does not match <user>.

get schemas for role <role>:
  returns schemas owned by the role,
  if current user does not have elevated privilege,
  returns error if current user has not been granted <role>

get [tables | views | indexes | libraries ] for user <user>:
get [functions | table_mapping_functions | procedures] for user <user>:
get [privileges | roles] for user <user>:
  returns objects where <user> has at least one privilege
  if current user does not have elevated privilege,
  returns error if current user does not match <user>.

get [tables | views | indexes | libraries ] for role <role>:
get [functions | table_mapping_functions | procedures] for role <role>:
get [privileges | users] for <role>:
  returns objects where <role> has at least one privilege
  if current user does not have elevated privilege,
  returns error if current user has not been granted <role>

Only expose supported component operations

There is a set of component operations and many are about features that we do not support such as CREATE_TRIGGER. This checkin no longer returns these privileges through

  get privileges on component sql_operations
  showddl component sql_operations

The is_system metadata column in the component_operations table now supports three values:

  Y - it is a system operation
  N - it is a user operation
  U - it is an unsupported (unused) operation (new)

An "initialize authorization" or fresh installation is required to make these changes available.

  Installing this code version calls initialize authorization
  Running regrinit.sql also calls initialize authorization

Some performance enhancements were made to make "initialize authorization" run faster.

Fix for TRAFODION-3112

Internal error: get ... for user/role
Heading incorrect for libraries
Parser error: get procedures/table_mapping functions/functions for user/role

fix regression failures

fix regression failures

TRAFODION-1573: Additional GET commands for privileges TRAFODION-3074: Failed to register/unregister user when security disabled

TRAFODION-1573 changes:

- Added support for the following commands:
    get privileges on <object>
    <object>: [LIBRARY | PROCEDURE | FUNCTION | TABLE_MAPPING FUNCTION | SEQUENCE]

- Added support for the FOR CLAUSE on all supported objects. Removed the need to specify keyword 'USER' before username. If USER is included, then it is ignored.
    get privileges on <object> FOR [USER] <user or role name>
    <objects>: [TABLES, VIEWS, LIBRARIES, PROCEDURES, FUNCTIONS, TABLE_MAPPING FUNCTIONS, SEQUENCES]

- The following get command can only be run by DB__ROOT or a user that has been granted the DB__ROOTROLE or DB__HIVEROLE role
    get <objects> in schema hive.xx.xx;
    <objects>: [TABLES, OBJECTS, VIEWS]

- The following get command can only be run by DB__ROOT or a user that has been granted the DB__ROOTROLE or DB__HBASEROLE role
    get external hbase objects;

- The following get commands retrieve privilege details from Trafodion metadata; users can only see objects where they have been granted at least one privilege
    get hive registered tables in catalog trafodion;
    get hbase registered tables in catalog trafodion;

- get privileges commands now return owner's privileges in output

- Cleaned up code in the parser.

TRAFODION-3074 changes:

- register user - fixed query to find next available authID

- unregister user - added checks to not read privilege metadata if authorization is not enabled

TRAFODION-3046: Privilege support for native HBase tables

-- Grants and revokes against native HBase tables are enforced similarly to hive
-- Privilege checking added when creating and dropping native HBase tables
-- Removing dependent Trafodion metadata when native HBase tables are dropped
-- Added regression test (privs2/TEST146)
-- Reorg - split PrivMgrComponents into 2 files: PrivMgrComponents and PrivMgrUserPrivs

An hbase table can be referenced using one of the following types:

  "_CELL_" - references cell data
  "_ROW_" - references row data
  "_MAP_" - references data defined by the mapped (external) table

Privileges are granted against each of these types, so if you:

  select * from hbase."_CELL_".hbase1;

you must have the select privilege on this table, for example:

  grant select on hbase."_CELL_".hbase1 to user1

Likewise for other hbase types, grants are required to gain accessibility:

  grant select on hbase."_MAP_".hbase1 to user1
  grant select on hbase."_ROW_".hbase1 to role1

Merge [TRAFODION-2542] pr 1536 Grantor is not correct when granting privileges

[TRAFODION-2542] Grantor is not correct when granting privileges for a role

When granting privileges and the authorization ID is not the current user but one of the roles granted to the current user, then the "granted by" clause is required. In addition, the grantor of the privileges becomes the role specified in the grant statement instead of the current user.

Added a CQD ALLOW_WGO_FOR_ROLES that will return an error if the user tries to grant a privilege as a role.

Added error message (1194) when a component operation is not defined.

Added a check to not allow the WITH GRANT OPTION when granting privileges to public.

JIRA TRAFODION-3027 Enhance jenkins checktests to include more tests.

Details in jira.

[TRAFODION-2600] Unable to create view ... but user has SELECT privilege

Query invalidation is not resetting the role list when a user is granted a role. For DML operations, we always retry the request once, and between retries, the role list is reset. So DML works on a retry. However, DDL operations are not retried, so the role list is not reset and the create view fails.

An analogous issue exists when the role is revoked from a user and the role list is not reset. In this case, the user can still create views even though they no longer have the privilege.

Changes:

- Grant role: sends a new query invalidation key

- Revoke role: forces a query invalidation check even if the key is not present

- Displays query invalidation keys when debug option DBUSER_DEBUG is set, e.g.:
    set envvar DBUSER_DEBUG 1;

Get statement enhancements

Added support and privilege checks for the following commands:

  get functions for library
  get procedures for library
  get table_mapping functions for library
  get indexes on table
  get objects on table
  get views on table
  get views on view
  get libraries in schema
  get objects in view
  get tables in view
  get views in view
  get indexes for user
  get tables for user
  get libraries for user
  get views for user

Changed "get libraries for schema" to include libraries where the current user has execute privilege on one of the library's routines (functions, procedures, or table_mapping functions).

Addressed a performance issue when determining if the user has column level privileges. If the user has granted privileges against native Hive tables through EsgynDB, we need to get the column name from Hive. The call to get the column, by calling hivemd, is very expensive. This change checks to see if the requested user has been granted any column level privileges on a hive table. If so, we will go ahead and do the mapping (call hivemd). If not, then we will not include the hivemd fragment for the query. Since we are scanning the column privileges table anyway, we also see if the requested user (or their roles) has been granted any privileges. If so, we include the column privileges check in the query.

Commented out get statements that we do not support at this time.

[TRAFODION-2853] memory leak of ComDiagsArea in CmpContext heap of mxosrvr

Fix for the regression failures seen with commit 07f41ddb3042ac039252bd09955fb59bb80c8f9a

[TRAFODION-2974] Update expected files

New privileges granted to public caused several tests to fail.

[TRAFODION-2805] Add "or edition" to error info 4222

new COMMENT-ON SQL statement: init

1. new SQL syntax: COMMENT ON
2. new component privilege: SQL_OPERATIONS::COMMENT
3. MD table changes: add new column for tables "_MD_".OBJECTS and "_MD_".COLUMNS
4. SHOWDDL changes: add COMMENT-ON output for each object
5. new built-in views: "_MD_".OBJECT_COMMENT_VIEW and "_MD_".COLUMN_COMMENT_VIEW

Trafodion-2705 user has "SHOW" privilege can't do 'showddl user'

Showddl code now checks to see if current user matches the user name specified in the showddl command. It also verifies that the user has SHOW component privilege.

Simplified privs1/TEST141 as part of goal to make privilege tests run faster.

Miscellaneous authorization changes:

- Unregister user does not remove component privileges

- Reuse unused entries from the authID ranges

- Add "changeuser" command to update user credentials in place instead of requiring a new sqlci session to be started. Changed privs1/TEST132 to use this change and cut about 5 minutes off the test time.

Fix TEST125 expected results

Update expected results file for priv1/TEST125

Add java files needed for TEST125

TRAFODION [2641] User who has MANAGE_STATISTICS privilege can't do update statistics on HIVE tables
TRAFODION [2175] a user should only see specific schemas/tables that he has privileges to

Updated the following get commands:

  get schemas (in catalog)
  get tables, indexes (in schema)
  get sequences, views (in schema, in catalog)
  get libraries, procedures, functions, table mapping functions

TRAFODION [1573] Additional GET commands for privileges

  get privileges on table
  get privileges on view

New regression test privs1/TEST125

Fixed bug: user granted MANAGE privilege does not have MANAGE sub-privs

Changed REGISTER_HIVE_OBJECT to be treated as a sub-priv under CREATE
Changed UNREGISTER_HIVE_OBJECT to be treated as a sub-priv under DROP

[TRAFODION-2294] Fix permissions hole in Explain

[TRAFODION-2584] Add support to register hive objects in traf metadata

Syntax:

  register hive table/view [if not exists] <object-name> [cascade]
  unregister hive table/view [if exists] <object-name> [cascade]

cascade option: register/unregister all underlying objects that are part of the specified view

update statistics, grant/revoke, traf views or external table creation on hive objects will automatically and internally register those objects in trafodion metadata.

invoke/showddl will show if this object is registered and whether that registration was internal or explicit.

Get command extensions:

  get hive registered tables/view/objects in catalog trafodion;
  get hive external tables in catalog trafodion;

Cleanup command extensions:

cleanup metadata command will clean up inconsistent hive objects (underlying hive object is missing but object is registered or an external table exists)

  cleanup [hive table | hive view] on <object-name>;

Existing hive objects that had implicit or explicit external tables created prior to this checkin will have no change in behavior. ObjectUID of those external tables will continue to be used for relevant operations. One can drop those external tables and explicitly register them, or a subsequent operation (upd stats, grant, etc) that needs objectUID will automatically register them.

minor changes based on review comments of previous checkin

get all objects command on hive metadata no longer fails.

get views on objects returns a 3-part name that could be used to differentiate between a traf and hive view.

regress/hive/TEST007 has been extended.

TBD: Add register/unregister privileges

TRAFODION-2538 Revoking privileges from role not invoking query invalidation

Fixed an issue where query invalidation keys were not being sent correctly when a privilege was revoked from a role.

When a table is cached, a list of all the query invalidation keys for the user is stored. Later, when a query is run, the compiler picks the relevant keys and places them in the plan. When a revoke occurs, a key is sent to RMS and the executor processes check for keys at the next execution. If the key affects any caches, the cache entries are refreshed and plans recompiled.

Incorrect keys were being created when privileges were revoked from roles, so queries continued to work even though the user had no more privileges.

TRAFODION-2441 user has only select privilege on a table can do ...
TRAFODION-2409 support privilege control (column privileges) for hive tables
TRAFODION-2423 any user can perform 'initialize trafodion, drop'
TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables.
TRAFODION-2463 Hive: Any user can do update statistics for hive tables

Fixed issues found while testing privileges with native Hive.

TRAFODION-2441: changed code that initializes owner privileges for views.

TRAFODION-2409: returning error message 1328 during attempt to grant unsupported column level privilege on hive table.

TRAFODION-2423: added privilege checks for all initialize commands; error 1017 is returned if not DB__ROOT.

TRAFODION-2435: returning error 1051 if TRUNCATE is attempted on a hive table where the current user has no privilege.

TRAFODION-2463: privilege checks added for Hive table during update statistics.
