Roberta Marton <>
on 27 Apr 15
Security fixes for 144553, 1414125, and 1393529

1445583: showstats command performance slow with security enabled

Several changes were made to improve performance:

Performance optimization:

NATable.cpp:  NATable::setupPrivs

- If the current user is the object owner, then default the privilege bitmap
  to object Owner values - no need to call PrivMgr to get privileges

Caching optimization:

We are now caching privmgr metadata tables in compiler cache when the compiler
context is instantiated.  This avoids a metadata lookup for these tables.

- Added new methods that return if the table is part of the PrivMgr schema
- Adjusted CmpSeabaseDDL::createMDdescs to include privmgr metadata in the
  cached entries
- Adjusted CmpSeabaseDDL::getMDtableInfo to check for privmgr metadata tables
  from the cached entries
- Removed obsolete code CmpSeabaseDDL::alterSeabaseDropColumn
- changed CmpSeabaseDDL::getSeabaseTableDesc to check for both system and
  privmgr metadata from compiler cache
- added new method CmpSeabaseDDL::getPKeyInfoForTable that returns the
  primary key name and UID for a table.  This is needed when dropping privmgr
  metadata tables

Removed extraneous recompilations of HISTOGRAM structures:

Today, update statistics and showstats are reloading NATable entries
for HISTOGRAM tables on every access.  This is because the parserflag
ALLOW_SPECIALTABLETYPE is turned on.  When this flag is turned on, the compiler
always reloads the cache entries - see code from CmpMain::sqlcomp:

   //if using special tables e.g. using index as base table
   //select * from table (index_table T018ibc);
   //then refresh metadata cache
   if(Get_SqlParser_Flags(ALLOW_SPECIALTABLETYPE) &&




parserflags by default.  Individual statements are setting these flags as needed.

1414125: User without priv can view data in metadata tables

The problem is that a user with priv cannot view data in metadata tables.
Even when a user had SELECT privilege on a system or privmgr metadata table,
the request failed.

The problem is that parameter 2 sent to CmpDescribeIsAuthorized in
hs_globals.cpp is NULL so SELECT priv is not checked.  If the user has SHOW
component privilege, it works. A call was added to getPrivileges for metadata
tables before calling CmpDescribeIsAuthorized.

1393529: Core dump accessing MD table descriptors

When "UPDATE STATISTICS LOG [ON, OFF, CLEAR]" is specified by a non DB__ROOT
user, a core dump occurred.  This happens because the isAuthorized check is
performed expecting a NATable structure.  This command does not need any
special security checks.

Updated traf_authentication_setup script to support a new installation option

Change-Id: If7dbf3ec66e5beb7d88bda61ef32611401dd97b9
