Clone Tools
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
TRAFODION - 3218 User still has privilege after user's role has been revoked ...

Partial support for column level privileges with QI support for:

column select

column insert

column references

column update

Also, as part of this, updated privilege code in a couple of areas:

Changed object caching code in NATable and NARoutine to store all privileges

assigned to the object when the object is cached (privDescs_). During the load

operation, the code creates bitmaps (privInfo_) for the current user. Privilege

checks are performed against the user bitmaps (privInfo_). This is in

anticipation for some performance updates when connecting to Trafodion (mxosrvr)

with different users.

Change getRoleList to include the roleID and the granteeID that granted the

privilege. The grantee can be a user or a role.

When a privilege is revoked from a role, send QI keys for every user that has

been granted to role.

  1. … 40 more files in changeset.
Only expose supported component operations

There is a set of component operations and many are about features that we do

not support such as CREATE_TRIGGER. This checkin no longer returns these

privileges through

get privileges on component sql_operations

showddl component sql_operations

The is_system metadata column in the component_operations table now supports

three values:

Y - it is a system operation

N - it is a user operation

U - it is an unsupported (unused) operation (new)

An "initialize authorization" or fresh installation is required to make these

changes available.

Installating this code version calls initialize authorization

Running regrinit.sql also calls initialize authorization

Some performance enhancements were made to make "initialize authorization" run

faster.

  1. … 17 more files in changeset.
TRAFODION-3046: Privilege support for native HBase tables

-- Grants and revokes against native HBase tables are enforced similar to hive

-- Privilege checking added when creating and dropping native HBase tables

-- Removing dependent Trafodion metadata when native HBase tables are dropped

-- Added regression test (privs2/TEST146)

-- Reorg - split PrivMgrComponents into 2 files:

PrivMgrComponents and PrivMgrUserPrivs

An hbase table can be referenced using one of the following types:

"_CELL_" - references cell data

"_ROW_" - references row data

"_MAP_" - references data defined by the mapped (external) table

Privileges are granted against each of these types, so if you:

select * from hbase."_CELL_".hbase1;

You must have the select privileges on this table

For example: "grant select on hbase."_CELL_".hbase1 to user1"

Likewise for other hbase types, grants are required to gain accessibility

grant select on hbase."_MAP_".hbase1 to user1

grant select on hbase."_ROW_".hbase1 to role1

  1. … 25 more files in changeset.
TRAFODION-2441 user has only select privilege on a table can do ... TRAFODION-2409 support privilege control(column privileges) for hive tables TRAFODION-2423 any user can perform 'initialize trafodion, drop' TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables. TRAFODION-2463 Hive: Any user can do update statistics for hive tables

Fixed issues found while testing privileges with native Hive.

TRAFODION-2441:

changed code that initializes owner privileges for views.

TRAFODION-2409:

returning error message 1328 during attempt to grant unsupported column level

privilege on hive table.

TRAFODION 2423:

added privilege checks for all initialize commands, error 1017 is returned if

not DB__ROOT

TRAFODION-2435:

Returning error 1051 if TRUNCATE is attempted on a hive table where the

current user has no privilege

TRAFODION-2463:

Privilege checks added for Hive table during update statistics

  1. … 25 more files in changeset.
Merge branch 'master' into trafodion-1788

Conflicts:

core/sql/common/ComSmallDefs.h

core/sql/generator/Generator.cpp

core/sql/optimizer/NATable.cpp

core/sql/sqlcat/ReadTableDef.cpp

core/sql/sqlcat/desc.h

  1. … 20 more files in changeset.
[TRAFODION-1882]: Column Privilege: a user can grant column privilege to ... [TRAFODION-1788]: Grant and Revoke on table columns with referencing views ...

The main issue is that the view-col <=> referenced-col usages were not available

from the metadata.

-- create view was changed to add view-col <=> referenced-col usages to the

TEXT table. This allows NATable and privilege management to retrieve this

information. No upgrade is required

-- Privilege management was changed to see if views could still exist based

only on column level privileges.

-- Grants and revokes on referenced columns for objects are now propagated to

to referencing views

-- Fixed an issue during column grants where column ordinals were not checked

correctly [TRAFODION-1882]

-- Fixed an issue where DB__ROOT, acting as schema owner, was able to grant

privileges that the schema owner was not able to grant,

  1. … 15 more files in changeset.
Privilege fixes for TRAFODION-1595

TRAFODION-1595 Privilege manager tables missing from HBase

If initialize authorization fails for any reason, some remnants of the operation

remain around. Once DDL_TRANSACTIONS have been enabled, then this issue goes

away.

Code changes have been made as follows:

- If the initialize operation fails and DDL_TRANSACTIONS is not enabled, go

ahead and cleanup all remnants of the operation.

- Added new option to cleanup after a failed authorization attempt:

INITIALIZE AUTHORIZATION, CLEANUP.

The CLEANUP option can be used to clean up after a failed initialize attempt

when the DROP option fails.

- Added logging into the initialize, drop, and cleanup authorization requests.

  1. … 10 more files in changeset.
Trafodion-1100 Creator of view in private schema unable to select from view

For private schemas, all objects are owned by the schema owner. If an authID

has create component privilege, they can create objects in other schemas.

However, the owner of the new object is still the schema owner.

When the object creator is not the schema owner, then the schema owner

automatically becomes the owner and the object creator is granted all relevant

privileges on the object WGO.

For views, this was not working correctly.

Also found another issue where column privileges were not being handled

correctly when generating the privileges list.

Problem is described in more detail in the JIRA

Changes:

CmpSeabaseDDLview - changed the create view code to add privileges for both the

schema owner and the view creator, and fixes the privilege list issue.

PrivMgr - added a helper function to convert an authID to an authName

PrivMgrCommands - changed the API to send in the grantor ID

PrivMgrPrivileges - changed the code to use the passed in grantor

TEST141 - added a new regression test, it is currently skipped until

trafodion-1087 is resolved.

  1. … 11 more files in changeset.
Changes for JIRA TRAFODION-353, 1200, 1214, and 12

1. JIRA Trafodion-353 (Launchpad 1324716):

.traf_authentication_config syntax errors on blank

corrected

2. JIRA Trafodion-1200 (Launchpad 1447336):

DB__ROOTROLE now equivalent to DB__ROOT (completed

in this delivery).

3. JIRA Trafodion-1214 (Launchpad 1450122):

LDAPSSL (level 1) now uses TLS_CACERTFILE.

4. JIRA Trafodion-12 - grant revoke enhancements including:

Six new component-level privileges: DML_DELETE, DML_INSERT,

DML_REFERENCES, DML_SELECT, DML_UPDATE, and DML_USAGE.

Authorization IDs granted a DML privilege at the system

(SQL_OPERATIONS component-level) have the privilege

on all objects in the Trafodion database.

Users who have the MANAGE_PRIVILEGE component-level privilege

can also grant "WITH GRANT OPTION" any privilege they have.

In addition, they implicitly grant on behalf of the owner when

the GRANTED BY clause is omitted. (Mimics DB__ROOT behavior.)

Tracing had been added (but not yet enabled) to better debug

grant and revoke problems

Column level privilege enforcement has been added and column

level privileges support is enabled.

  1. … 25 more files in changeset.
Part 1 of updates to licensing info in Trafodion source

Added NOTICE.txt file in root directory per ASF guidelines.

Updated copyright text in one directory (core/sql/sqlcomp)

as a test of a tool to update such text. One or more later

check-ins will take care of the remaining directories.

  1. … 63 more files in changeset.
Merge remote branch 'core/master'

  1. … 108 more files in changeset.
Merge remote branch 'core/master'

  1. … 2817 more files in changeset.
Move core into subdir to combine repos

Use: git log --follow -- <file>

to view file history thru renames.

  1. … 10837 more files in changeset.