Roberta Marton <roberta.marton@hp.com> committed on 24 Feb 15
Fixes for security gaps

Fix summary:

1389791 – Create table with 128 character-long schema & table names hangs on HortonWorks

fix 1 - Privilege checks not working for UDRs

fix 2 - QI not working when UDRs are involved

fix 3 - Routines are not being removed from NARoutineDB cache

Code cleanup

Miscellaneous changes

1389791: Create table with 128 character-long schema & table names hangs on HortonWorks

Check to make sure the total name length is not longer than supported value,

see: https://issues.apache.org/jira/browse/HDFS-6055

  bin/SqlciErrors.txt - new error message

  sqlcomp/CmpCatSqlErrorCodes.h - new error message

  sqlcomp/CmpSeabaseDDLmd.h - new literal describing length of generated HBase name

  sqlcomp/CmpSeabaseDDLcommon.cpp - new check for maximum HBase name length

fix 1: privilege checks are not working correctly for UDRs

The method RelRoot::checkPrivileges is called to verify privileges for all object types.

However, some UDR object checks were skipped because they were not added to the UDR Stoi list.

  optimizer/BindItemExpr.cpp - add function to Stoi list

  optimizer/BindRelExpr.cpp - add procedures to Stoi List

  optimizer/RelMisc.h - signature changes for privilege related work

  optimizer/BindRelExpr.cpp - rewrote checkPrivileges

  optimizer/NARoutine.h/NARoutineDB.cpp - added method

      moveRoutineToDeleteList

fix 2: QI is not working when UDRs are dropped

Code to drop items from NARoutineDB cache was missing.

Code to set security keys for the user in the plan was missing

Code to set objectUIDs in the plan was missing

When security keys were added, they were incorrect

  sqlcomp/CmpMain.h (.cpp) - added calls to compare invalidation keys with objects stored in

                             NARoutineDB cache; if found, then remove item from cache by

                             calling helper methods in NARoutineDB class.

  optimizer/NARoutineDB.h (NARoutine.cpp) - added helper method to remove entries from the cache

      free_entries_with_QI_key - based off of similar method for table cache

  ComSecurityKey.h (.cpp) - new method to check invalidation keys shared by tables/routines

      qiCheckForInvalidObject

  optimizer/NATable.cpp - rewrote table invalidation code so it could be shared with routines.

  generator/GenUdr.cpp - add the routine's object UID to the query plan

  sqlcomp/CmpSeabaseDDLroutine.cpp - code to send invalidation keys during drop routine

  common/ComSmallDefs.h - new QI actions for USAGE and REFERENCES

  common/ComDistribution.cpp - add EXECUTE as a privilege for QI, also added USAGE and REFERENCES

  sqlcomp/PrivMgrPrivileges.cpp - not generating correct security keys

fix 3: Routines were not being removed from NARoutineDB cache

Added new fields to the various routine structures for objectOwnerID, schemaOwnerID, and privInfo.

Set up the correct routineID in various routine structures

At drop time, made sure routine was removed from NARoutineDB cache

  comexe/ComTdb.h - added new fields to routine descriptor and TDB

  generator/Generator.cpp - new fields for routines

  optimizer/NARoutine.h (.cpp) - new fields for routines

      removeNARoutine - based off similar method for table cache

  optimizer/NARoutine.cpp - added new field to store privilege information in NARoutine,

                            which also gets security keys needed for query invalidation

  sqlcat/desc.h - new fields for routines

  sqlcomp/CmpSeabaseDDLtable.cpp - set up new values in NARoutine structure

  sqlcomp/CmpSeabaseDDLroutine.cpp - code to remove entries from cache at drop time

Other changes:

  sqlcomp/PrivMgrCommand.h (.cpp) - performance change, don't check authorization enabled

  sqlcomp/PrivMgrMD.h (.cpp) -  performance change, don't check authorization enabled

  sqlcomp/PrivMgrDesc.cpp - missing object_type

  parser/sqlparser.y - incorrect object type set for grant/revoke on UDRs

  ustat/hs_globals.cpp - incorrect error returned

Code cleanup:

  cli/Statement.h - remove obsolete code

  cli/Statement.cpp - remove obsolete code

  common/Collections.h - remove obsolete code

  generator/GenRelMisc.cpp - remove obsolete code

  optimizer/ItemCache.cpp - remove obsolete code

  optimizer/RelCache.cpp - remove obsolete code

  optimizer/NARoutine.h - remove obsolete code

  optimizer/NARoutine.cpp - remove obsolete code

  executor/SqlTableOpenInfo.h - new helper methods to check privileges

  sqlcomp/PrivMgrMD.h - new helper methods to check privileges and get text for error

  sqlcomp/PrivMgrDefs.h - simplification of code for checkPrivileges method

Change-Id: I981ad7f094b79a25f5e0aca30dedea4601b424ea
