CmpSeabaseDDLauth.h

TRAFODION-3218 User still has privilege after user's role has been revoked ...

Partial support for column level privileges with QI support for:

- column select
- column insert
- column references
- column update

Also, as part of this, updated privilege code in a couple of areas:

Changed object caching code in NATable and NARoutine to store all privileges assigned to the object when the object is cached (privDescs_). During the load operation, the code creates bitmaps (privInfo_) for the current user. Privilege checks are performed against the user bitmaps (privInfo_). This is in anticipation of some performance updates when connecting to Trafodion (mxosrvr) with different users.

Change getRoleList to include the roleID and the granteeID that granted the privilege. The grantee can be a user or a role.

When a privilege is revoked from a role, send QI keys for every user that has been granted the role.

… 40 more files in changeset.
Only expose supported component operations

There is a set of component operations and many are about features that we do not support, such as CREATE_TRIGGER. This checkin no longer returns these privileges through

- get privileges on component sql_operations
- showddl component sql_operations

The is_system metadata column in the component_operations table now supports three values:

- Y - it is a system operation
- N - it is a user operation
- U - it is an unsupported (unused) operation (new)

An "initialize authorization" or fresh installation is required to make these changes available.

- Installing this code version calls initialize authorization
- Running regrinit.sql also calls initialize authorization

Some performance enhancements were made to make "initialize authorization" run faster.

… 17 more files in changeset.
TRAFODION-2705 user has "SHOW" privilege can't do 'showddl user'

Showddl code now checks to see if the current user matches the user name specified in the showddl command. It also verifies that the user has the SHOW component privilege.

Simplified privs1/TEST141 as part of the goal to make privilege tests run faster.

… 5 more files in changeset.
Miscellaneous authorization changes:

- Unregister user does not remove component privileges
- Reuse unused entries from the authID ranges
- Add "changeuser" command to update user credentials in place instead of requiring a new sqlci session to be started. Changed privs1/TEST132 to use this change and cut about 5 minutes off the test time.

… 18 more files in changeset.
[TRAFODION-2768] Make Trafodion code base compile in RH7

… 126 more files in changeset.
TRAFODION-2441 user has only select privilege on a table can do ...
TRAFODION-2409 support privilege control (column privileges) for hive tables
TRAFODION-2423 any user can perform 'initialize trafodion, drop'
TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables.
TRAFODION-2463 Hive: Any user can do update statistics for hive tables

Fixed issues found while testing privileges with native Hive.

TRAFODION-2441: changed code that initializes owner privileges for views.

TRAFODION-2409: returning error message 1328 during an attempt to grant an unsupported column level privilege on a hive table.

TRAFODION-2423: added privilege checks for all initialize commands; error 1017 is returned if not DB__ROOT.

TRAFODION-2435: returning error 1051 if TRUNCATE is attempted on a hive table where the current user has no privilege.

TRAFODION-2463: privilege checks added for Hive tables during update statistics.

… 25 more files in changeset.
TRAFODION-2327 Reduce I/O when loading objects into caches

For each authorization ID (user, role, or PUBLIC), a bitmap containing the accumulated privileges (across all grantors) is stored with the object desc. When the object desc is loaded into cache, the privilege bitmaps associated with the current user, PUBLIC, and the current user's roles are extracted and unioned together to calculate the final set of privileges. This unioned list is used during privilege checking.

Today, an I/O is performed to retrieve the list of roles granted to the current user for each object loaded into the NATable and NARoutine cache. Since this list does not change unless the current user changes (a new session with a different user) or a grant/revoke role for the current user is performed, these extra I/Os are not needed.

To remove the extra I/Os for each object, the list of roles will be stored in the ContextCli. Therefore, this in-memory role list can be used instead of rereading metadata.

This checkin creates two new CLI requests:

- GetRoleList - returns the list of roles associated with the user. If the list exists in ContextCli, it returns the stored values. If the list does not exist, it retrieves them from metadata, stores them and returns the values.
- ResetRoleList - removes the list of roles from ContextCli.

The first time GetRoleList is called in a session, the user's roles are stored in ContextCli. They remain in memory until the session ends and restarts as a different user, or another process grants or revokes a role from the current user.

If another process revokes a role from the current user, a query invalidation key is created. When the revoke role query invalidation key for the current user is detected, ResetRoleList is called. The next time GetRoleList is called, an updated role list is retrieved from metadata and stored in ContextCli.

If another process grants a role to the current user, there could be two outcomes. If the current user already has the privilege from another source, then nothing happens. If the current user does not have the privilege, then one recompilation is attempted. Prior to performing the retry, code was added to ResetRoleList. The recompilation then gets the latest role list and either succeeds or fails depending on the granted privileges.

… 16 more files in changeset.
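The TRAFODION-3218 and TRAFODION-2327 entries above describe one mechanism from two sides: per-object privilege descriptors unioned into a per-user bitmap using a role list cached in the session context, and query invalidation (QI) keys that evict that cached state when a role is revoked from the user or a privilege is revoked from a role. The Python model below is an added illustration written for this page, not Trafodion source code; the class names, the numeric privilege bits, the PUBLIC sentinel, the QI key tuples and the sample grants are all constructed assumptions. It shows the I/O saving (one role lookup serves every object loaded in a session), the fan-out of keys to every user holding a revoked role, and the single reset-and-retry on a failed check.

```python
"""Toy model (added illustration, not Trafodion code) of cached privilege bitmaps,
a per-session role list, and QI keys that reset them on revoke."""
from dataclasses import dataclass, field

# Privilege bits and the PUBLIC auth ID are constructed values for this model.
SELECT, INSERT, UPDATE, REFERENCES = 1, 2, 4, 8
PUBLIC = -1


@dataclass
class Metadata:
    """Stand-in for the privilege metadata tables. Each role lookup is one I/O."""
    role_grants: dict = field(default_factory=dict)  # role_id -> set(user_id)
    priv_descs: dict = field(default_factory=dict)   # object -> {auth_id: bitmap}
    role_io: int = 0

    def roles_of(self, user):
        self.role_io += 1
        return {r for r, users in self.role_grants.items() if user in users}

    def revoke_role(self, role, user):
        """Returns the QI key that sessions running as `user` must honour."""
        self.role_grants[role].discard(user)
        return [("REVOKE_ROLE", user)]

    def revoke_priv_from_role(self, obj, role, bits):
        """Revoke bits from a role and emit one object-level key per user holding it."""
        self.priv_descs[obj][role] &= ~bits
        return [("REVOKE_OBJ_PRIV", u, obj) for u in sorted(self.role_grants.get(role, ()))]


@dataclass
class ContextCli:
    """Per-session context: cached role list plus per-object bitmaps for this user."""
    user: int
    md: Metadata
    role_list: set = None
    priv_info: dict = field(default_factory=dict)

    def get_role_list(self):
        if self.role_list is None:  # first call in the session reads metadata once
            self.role_list = self.md.roles_of(self.user)
        return self.role_list

    def reset_role_list(self):
        self.role_list = None
        self.priv_info.clear()      # cached bitmaps were unioned from the old role list

    def load_object(self, obj):
        """Union descriptors for the user, PUBLIC and the user's roles into one bitmap."""
        if obj not in self.priv_info:
            descs = self.md.priv_descs.get(obj, {})
            bits = descs.get(self.user, 0) | descs.get(PUBLIC, 0)
            for role in self.get_role_list():
                bits |= descs.get(role, 0)
            self.priv_info[obj] = bits
        return self.priv_info[obj]

    def has_priv(self, obj, needed):
        """Check the cached bitmap; on failure reset the role list and retry once."""
        if self.load_object(obj) & needed == needed:
            return True
        self.reset_role_list()
        return self.load_object(obj) & needed == needed

    def on_qi_key(self, key):
        kind, user = key[0], key[1]
        if user != self.user:
            return
        if kind == "REVOKE_ROLE":
            self.reset_role_list()
        elif kind == "REVOKE_OBJ_PRIV":
            self.priv_info.pop(key[2], None)


def deliver(sessions, keys):
    for session in sessions:
        for key in keys:
            session.on_qi_key(key)


def scenario():
    """Constructed data: users 100 and 101 hold role 200, which has SELECT|INSERT on T1
    and SELECT on T2; PUBLIC has SELECT on T3."""
    md = Metadata(role_grants={200: {100, 101}},
                  priv_descs={"T1": {200: SELECT | INSERT}, "T2": {200: SELECT},
                              "T3": {PUBLIC: SELECT}})
    s = ContextCli(user=100, md=md)
    sessions = [s, ContextCli(user=101, md=md)]
    r = {}
    r["select_t1"] = s.has_priv("T1", SELECT)
    s.load_object("T2")
    s.load_object("T3")
    r["role_io_after_3_loads"] = md.role_io            # one role read served all three
    deliver(sessions, md.revoke_priv_from_role("T1", 200, INSERT))
    r["insert_t1_after_revoke"] = s.has_priv("T1", INSERT)
    r["select_t1_after_revoke"] = s.has_priv("T1", SELECT)
    deliver(sessions, md.revoke_role(200, 100))
    r["select_t2_after_role_revoke"] = s.has_priv("T2", SELECT)
    r["select_t3_public"] = s.has_priv("T3", SELECT)
    r["role_io_total"] = md.role_io
    return r
```

Running `scenario()` shows the role lookup happening once for three object loads, INSERT on T1 disappearing for user 100 as soon as the object-level key is delivered, and SELECT on T2 disappearing after the role itself is revoked, while the PUBLIC grant on T3 survives both. The retry in `has_priv` costs one extra role read, which is the trade the commit message describes for picking up a newly granted role without a new session.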
update

… 298 more files in changeset.
TRAFODION-1879 Integrate Library Management into Trafodion Metadata

The initial release of library management has been delivered to Trafodion. This is follow-on work that integrates library management operations into the existing Trafodion infrastructure. Currently, with the initial release of library management, the consumer needs to run a special script to set up everything. This delivery incorporates the steps into existing SQL commands and removes the need for the script.

This delivery contains:

-> Support for three new INITIALIZE TRAFODION options
-> Support for a new role (plus infrastructure to make it easier to add roles)
-> Change initialize authorization to handle upgrade better
-> Fixed a couple of issues found while testing
-> New regression test (udr/TEST102)

*** Support for three new INITIALIZE TRAFODION options:

Three new INITIALIZE TRAFODION options have been added:

- CREATE LIBRARY MANAGEMENT - creates and populates the libmgr schema
- DROP LIBRARY MANAGEMENT - drops the libmgr schema
- UPGRADE LIBRARY MANAGEMENT - adds new procedures to the libmgr library

The parser was changed to support these new options; a new keyword, MANAGEMENT, was added. (parser/ParKeyWords.cpp/sqlparser.y)

The DDL compiler was changed to recognize the new options and call implementation methods. (optimizer/RelExeUtil, sqlcomp/CmpSeabaseDDLcommon.cpp)

The following implementation methods were added:

- createSeabaseLibmgr (code for create library management)
- dropSeabaseLibmgr (code for drop library management)
- upgradeSeabaseLibmgr (code for upgrade library management)
- createLibmgrProcs - a helper method called by create and upgrade code to create libmgr procedures
- grantLibmgrPrivs - a helper method called by createLibmgrProcs and initialize authorization that adds grants to procedures for the new DB__LIBMGRROLE role.

(CmpSeabaseDDL.h/CmpSeabaseDDLroutine.cpp)

Changes were made to define the new schema, library and procedures. (common/ComSmallDefs.h, CmpSeabaseDDLroutine.h)

All procedures are defined in a new file called sqlcomp/CmpSeabaseDDLroutine.h. This file is based on similar support for system metadata tables (CmpSeabaseDDLmd.h). It contains the text of all the procedures. During "create library management" and "upgrade library management" operations, this list is used to create/add procedures.

*** Support for a new role:

Initialize authorization code was changed to create the new DB__LIBMGRROLE role. As part of this change, role infrastructure was modified to make it easier to add system roles in the future. The initialize code checks to see what roles have not been added, and adds them. (common/NAUserId.h, common/ComUser, sqlcomp/PrivMgrMD, sqlcomp/CmpSeabaseDDLauth, sqlcomp/PrivMgrRoles)

In addition, a check is made: if the SEABASE_LIBMGR_SCHEMA exists, then grants are performed on the procedures to give DB__LIBMGRROLE execute privilege. (sqlcomp/CmpSeabaseDDLcommon.cpp)

*** Change initialize authorization to handle upgrade better:

Changes were made so initialize authorization performs an upgrade operation if called and component privileges already exist. (sqlcomp/PrivMgrComponentOperations, sqlcomp/PrivMgrComponentPrivileges, sqlcomp/PrivMgrMD)

*** Fixed a couple of issues found while testing:

Invalid role ID generation. Role ID generation code was using the wrong range to determine the next role ID. (CmpSeabaseDDLauth.cpp)

Drop schema issues with libraries. Drop library cascade fails when the order of libraries and functions is incorrect. If you drop the function and then drop the library, it fails with a missing procedure. (CmpSeabaseDDLschema.cpp)

… 26 more files in changeset.
TRAFODION-1754 Showddl component does not display grants correctly

Showddl should be displaying grants on an operation in a manner that allows the privileges to be recreated. Currently, they are returned in the order in which they are read from the metadata.

While working on this JIRA, several issues were fixed including:

- Consolidated privilege values into one location - NAUserId.h. They used to be stored in NAUserId.h, ComSmallDefs.h, and PrivMgrDefs.h
- The check for getting the next available role ID was not correct.
- PrivMgrPrivileges::hasColWGO has incorrect indexing
- PrivMgrComponentPrivileges::selectAllWhere has incorrect error checking

… 16 more files in changeset.
TRAFODION-1031: "PUBLIC" is not recognized in some statements

Fixed a couple of issues where PUBLIC was not returned. With this check-in we will treat PUBLIC as a special role.

… 5 more files in changeset.
Part 1 of updates to licensing info in Trafodion source

Added NOTICE.txt file in root directory per ASF guidelines.

Updated copyright text in one directory (core/sql/sqlcomp) as a test of a tool to update such text. One or more later check-ins will take care of the remaining directories.

… 63 more files in changeset.
Move core into subdir to combine repos

-0 +214 ./CmpSeabaseDDLauth.h

… 10768 more files in changeset.

Move core into subdir to combine repos

-0 +214 ./CmpSeabaseDDLauth.h

… 10622 more files in changeset.

Move core into subdir to combine repos

Use: git log --follow -- <file>

to view file history thru renames.

-0 +214 ./CmpSeabaseDDLauth.h

… 10837 more files in changeset.