Search in sources :

Example 1 with ColPermsDescriptor

use of org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor in project derby by apache.

the class DataDictionaryImpl method getColumnPermissions.

/**
 * Get one user's column privileges for a table.
 *
 * @param tableUUID
 * @param privType (as int) Authorizer.SELECT_PRIV, Authorizer.UPDATE_PRIV, or Authorizer.REFERENCES_PRIV
 * @param forGrant
 * @param authorizationId The user name
 *
 * @return a ColPermsDescriptor or null if the user has no separate column
 *         permissions of the specified type on the table. Note that the user may have been granted
 *         permission on all the columns of the table (no column list), in which case this routine
 *         will return null. You must also call getTablePermissions to see if the user has permission
 *         on a set of columns.
 *
 * @exception StandardException
 */
public ColPermsDescriptor getColumnPermissions(UUID tableUUID, int privType, boolean forGrant, String authorizationId) throws StandardException {
    String privTypeStr = forGrant ? colPrivTypeMapForGrant[privType] : colPrivTypeMap[privType];
    if (SanityManager.DEBUG)
        SanityManager.ASSERT(privTypeStr != null, "Invalid column privilege type: " + privType);
    ColPermsDescriptor key = new ColPermsDescriptor(this, authorizationId, (String) null, tableUUID, privTypeStr);
    return (ColPermsDescriptor) getPermissions(key);
}
Also used : ColPermsDescriptor(org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor)

Example 2 with ColPermsDescriptor

use of org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor in project derby by apache.

the class DataDictionaryImpl method rewriteSYSCOLPERMSforAlterTable.

/**
 * Workhorse for ALTER TABLE-driven mods to SYSCOLPERMS
 *
 * This method finds all the SYSCOLPERMS rows for this table. Then it
 * iterates through each row, either adding a new column to the end of
 * the table, or dropping a column from the table, as appropriate. It
 * updates each SYSCOLPERMS row to store the new COLUMNS value.
 *
 * @param tableID	The UUID of the table being altered
 * @param tc		TransactionController for the transaction
 * @param columnDescriptor   Dropped column info, or null if adding
 *
 * @exception StandardException		Thrown on error
 */
private void rewriteSYSCOLPERMSforAlterTable(UUID tableID, TransactionController tc, ColumnDescriptor columnDescriptor) throws StandardException {
    // In Derby authorization mode, permission catalogs may not be present
    if (!usesSqlAuthorization)
        return;
    /* This method has 2 steps to it. First get all the ColPermsDescriptor   
		for given tableid. And next step is to go back to SYSCOLPERMS to find
		unique row corresponding to each of ColPermsDescriptor and update the
		"COLUMNS" column in SYSCOLPERMS. The reason for this 2 step process is
		that SYSCOLPERMS has a non-unique row on "TABLEID" column and hence   
		we can't get a unique handle on each of the affected row in SYSCOLPERMS
		using just the "TABLEID" column */
    // First get all the ColPermsDescriptor for the given tableid from
    // SYSCOLPERMS using getDescriptorViaIndex().
    // all ColPermsDescriptor for given tableid
    List<ColPermsDescriptor> permissionDescriptorsList;
    DataValueDescriptor tableIDOrderable = getIDValueAsCHAR(tableID);
    TabInfoImpl ti = getNonCoreTI(SYSCOLPERMS_CATALOG_NUM);
    SYSCOLPERMSRowFactory rf = (SYSCOLPERMSRowFactory) ti.getCatalogRowFactory();
    ExecIndexRow keyRow = exFactory.getIndexableRow(1);
    keyRow.setColumn(1, tableIDOrderable);
    permissionDescriptorsList = newSList();
    getDescriptorViaIndex(SYSCOLPERMSRowFactory.TABLEID_INDEX_NUM, keyRow, (ScanQualifier[][]) null, ti, (TupleDescriptor) null, permissionDescriptorsList, ColPermsDescriptor.class, false);
    /* Next, using each of the ColPermDescriptor's uuid, get the unique row 
		in SYSCOLPERMS and adjust the "COLUMNS" column in SYSCOLPERMS to 
		accomodate the added or dropped column in the tableid*/
    ExecRow curRow;
    ExecIndexRow uuidKey;
    // Not updating any indexes on SYSCOLPERMS
    boolean[] bArray = new boolean[SYSCOLPERMSRowFactory.TOTAL_NUM_OF_INDEXES];
    int[] colsToUpdate = { SYSCOLPERMSRowFactory.COLUMNS_COL_NUM };
    for (ColPermsDescriptor colPermsDescriptor : permissionDescriptorsList) {
        removePermEntryInCache(colPermsDescriptor);
        uuidKey = rf.buildIndexKeyRow(rf.COLPERMSID_INDEX_NUM, colPermsDescriptor);
        curRow = ti.getRow(tc, uuidKey, rf.COLPERMSID_INDEX_NUM);
        FormatableBitSet columns = (FormatableBitSet) curRow.getColumn(SYSCOLPERMSRowFactory.COLUMNS_COL_NUM).getObject();
        // for the dropped column.
        if (columnDescriptor == null) {
            int currentLength = columns.getLength();
            columns.grow(currentLength + 1);
        } else {
            FormatableBitSet modifiedColumns = new FormatableBitSet(columns);
            modifiedColumns.shrink(columns.getLength() - 1);
            // FormatableBitSet count from 0.
            for (int i = columnDescriptor.getPosition() - 1; i < modifiedColumns.getLength(); i++) {
                if (columns.isSet(i + 1))
                    modifiedColumns.set(i);
                else
                    modifiedColumns.clear(i);
            }
            columns = modifiedColumns;
        }
        curRow.setColumn(SYSCOLPERMSRowFactory.COLUMNS_COL_NUM, new UserType((Object) columns));
        ti.updateRow(uuidKey, curRow, SYSCOLPERMSRowFactory.COLPERMSID_INDEX_NUM, bArray, colsToUpdate, tc);
    }
}
Also used : ExecIndexRow(org.apache.derby.iapi.sql.execute.ExecIndexRow) SQLLongint(org.apache.derby.iapi.types.SQLLongint) ColPermsDescriptor(org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor) ExecRow(org.apache.derby.iapi.sql.execute.ExecRow) FormatableBitSet(org.apache.derby.iapi.services.io.FormatableBitSet) DataValueDescriptor(org.apache.derby.iapi.types.DataValueDescriptor) UserType(org.apache.derby.iapi.types.UserType)

Example 3 with ColPermsDescriptor

use of org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor in project derby by apache.

the class PermissionsCacheable method setIdentity.

/* Cacheable interface */
public Cacheable setIdentity(Object key) throws StandardException {
    // to access that column subset.
    if (key instanceof TablePermsDescriptor) {
        TablePermsDescriptor tablePermsKey = (TablePermsDescriptor) key;
        permissions = dd.getUncachedTablePermsDescriptor(tablePermsKey);
        if (permissions == null) {
            // The owner has all privileges unless they have been revoked.
            TableDescriptor td = dd.getTableDescriptor(tablePermsKey.getTableUUID());
            SchemaDescriptor sd = td.getSchemaDescriptor();
            if (sd.isSystemSchema()) {
                // RESOLVE The access to system tables is hard coded to SELECT only to everyone.
                // Is this the way we want Derby to work? Should we allow revocation of read access
                // to system tables? If so we must explicitly add a row to the SYS.SYSTABLEPERMISSIONS
                // table for each system table when a database is created.
                permissions = new TablePermsDescriptor(dd, tablePermsKey.getGrantee(), (String) null, tablePermsKey.getTableUUID(), "Y", "N", "N", "N", "N", "N");
                // give the permission the same UUID as the system table
                ((TablePermsDescriptor) permissions).setUUID(tablePermsKey.getTableUUID());
            } else if (tablePermsKey.getGrantee().equals(sd.getAuthorizationId())) {
                permissions = new TablePermsDescriptor(dd, tablePermsKey.getGrantee(), Authorizer.SYSTEM_AUTHORIZATION_ID, tablePermsKey.getTableUUID(), "Y", "Y", "Y", "Y", "Y", "Y");
            } else {
                permissions = new TablePermsDescriptor(dd, tablePermsKey.getGrantee(), (String) null, tablePermsKey.getTableUUID(), "N", "N", "N", "N", "N", "N");
            }
        }
    } else if (key instanceof ColPermsDescriptor) {
        ColPermsDescriptor colPermsKey = (ColPermsDescriptor) key;
        permissions = dd.getUncachedColPermsDescriptor(colPermsKey);
        if (permissions == null)
            permissions = new ColPermsDescriptor(dd, colPermsKey.getGrantee(), (String) null, colPermsKey.getTableUUID(), colPermsKey.getType(), (FormatableBitSet) null);
    } else if (key instanceof RoutinePermsDescriptor) {
        RoutinePermsDescriptor routinePermsKey = (RoutinePermsDescriptor) key;
        permissions = dd.getUncachedRoutinePermsDescriptor(routinePermsKey);
        if (permissions == null) {
            // The owner has all privileges unless they have been revoked.
            try {
                AliasDescriptor ad = dd.getAliasDescriptor(routinePermsKey.getRoutineUUID());
                SchemaDescriptor sd = dd.getSchemaDescriptor(ad.getSchemaUUID(), ConnectionUtil.getCurrentLCC().getTransactionExecute());
                if (sd.isSystemSchema() && !sd.isSchemaWithGrantableRoutines())
                    permissions = new RoutinePermsDescriptor(dd, routinePermsKey.getGrantee(), (String) null, routinePermsKey.getRoutineUUID(), true);
                else if (routinePermsKey.getGrantee().equals(sd.getAuthorizationId()))
                    permissions = new RoutinePermsDescriptor(dd, routinePermsKey.getGrantee(), Authorizer.SYSTEM_AUTHORIZATION_ID, routinePermsKey.getRoutineUUID(), true);
            } catch (java.sql.SQLException sqle) {
                throw StandardException.plainWrapException(sqle);
            }
        }
    } else if (key instanceof PermDescriptor) {
        PermDescriptor permKey = (PermDescriptor) key;
        permissions = dd.getUncachedGenericPermDescriptor(permKey);
        if (permissions == null) {
            // The owner has all privileges unless they have been revoked.
            String objectType = permKey.getObjectType();
            String privilege = permKey.getPermission();
            UUID protectedObjectsID = permKey.getPermObjectId();
            PrivilegedSQLObject pso = PermDescriptor.getProtectedObject(dd, protectedObjectsID, objectType);
            SchemaDescriptor sd = pso.getSchemaDescriptor();
            if (permKey.getGrantee().equals(sd.getAuthorizationId())) {
                permissions = new PermDescriptor(dd, null, objectType, pso.getUUID(), privilege, Authorizer.SYSTEM_AUTHORIZATION_ID, permKey.getGrantee(), true);
            }
        }
    } else {
        if (SanityManager.DEBUG)
            SanityManager.NOTREACHED();
        return null;
    }
    if (permissions != null) {
        return this;
    }
    return null;
}
Also used : SchemaDescriptor(org.apache.derby.iapi.sql.dictionary.SchemaDescriptor) PrivilegedSQLObject(org.apache.derby.iapi.sql.dictionary.PrivilegedSQLObject) PermDescriptor(org.apache.derby.iapi.sql.dictionary.PermDescriptor) TableDescriptor(org.apache.derby.iapi.sql.dictionary.TableDescriptor) ColPermsDescriptor(org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor) AliasDescriptor(org.apache.derby.iapi.sql.dictionary.AliasDescriptor) FormatableBitSet(org.apache.derby.iapi.services.io.FormatableBitSet) RoutinePermsDescriptor(org.apache.derby.iapi.sql.dictionary.RoutinePermsDescriptor) UUID(org.apache.derby.catalog.UUID) TablePermsDescriptor(org.apache.derby.iapi.sql.dictionary.TablePermsDescriptor)

Example 4 with ColPermsDescriptor

use of org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor in project derby by apache.

the class DDLConstantAction method storeConstraintDependenciesOnPrivileges.

/**
 *	This method saves dependencies of constraints on privileges in the
 *  dependency system. It gets called by CreateConstraintConstantAction.
 *  Views and triggers and constraints run with definer's privileges. If
 *  one of the required privileges is revoked from the definer, the
 *  dependent view/trigger/constraint on that privilege will be dropped
 *  automatically. In order to implement this behavior, we need to save
 *  view/trigger/constraint dependencies on required privileges in the
 *  dependency system. Following method accomplishes that part of the
 *  equation for constraints only. The dependency collection for
 *  constraints is not same as for views and triggers and hence
 *  constraints are handled by this special method.
 *
 * 	Views and triggers can depend on many different kind of privileges
 *  where as constraints only depend on REFERENCES privilege on a table
 *  (FOREIGN KEY constraints) or EXECUTE privileges on one or more
 *  functions (CHECK constraints).
 *
 *  Another difference is only one view or trigger can be defined by a
 *  sql statement and hence all the dependencies collected for the sql
 *  statement apply to the view or trigger in question. As for constraints,
 *  one sql statement can defined multiple constraints and hence the
 *  all the privileges required by the statement are not necessarily
 *  required by all the constraints defined by that sql statement. We need
 *  to identify right privileges for right constraints for a given sql
 *  statement. Because of these differences between constraints and views
 *  (and triggers), there are 2 different methods in this class to save
 *  their privileges in the dependency system.
 *
 *  For each required privilege, we now register a dependency on a role if
 *  that role was required to find an applicable privilege.
 *
 *  @param activation The execution environment for this constant action.
 *  @param dependent Make this object depend on required privileges
 *  @param refTableUUID Make sure we are looking for REFERENCES privilege
 * 		for right table
 *  @param providers set of providers for this constraint
 * @exception StandardException		Thrown on failure
 */
protected void storeConstraintDependenciesOnPrivileges(Activation activation, Dependent dependent, UUID refTableUUID, ProviderInfo[] providers) throws StandardException {
    LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
    DataDictionary dd = lcc.getDataDictionary();
    DependencyManager dm = dd.getDependencyManager();
    String currentUser = lcc.getCurrentUserId(activation);
    SettableBoolean roleDepAdded = new SettableBoolean();
    // access any objects without any restrictions
    if (!currentUser.equals(dd.getAuthorizationDatabaseOwner())) {
        PermissionsDescriptor permDesc;
        // Now, it is time to add into dependency system the FOREIGN
        // constraint's dependency on REFERENCES privilege, or, if it is a
        // CHECK constraint, any EXECUTE or USAGE privileges. If the REFERENCES is
        // revoked from the constraint owner, the constraint will get
        // dropped automatically.
        List<StatementPermission> requiredPermissionsList = activation.getPreparedStatement().getRequiredPermissionsList();
        if (requiredPermissionsList != null && !requiredPermissionsList.isEmpty()) {
            for (StatementPermission statPerm : requiredPermissionsList) {
                // are not required for a foreign key constraint.
                if (statPerm instanceof StatementTablePermission) {
                    // It is a table/column level privilege
                    StatementTablePermission statementTablePermission = (StatementTablePermission) statPerm;
                    // required privileges list
                    if (statementTablePermission.getPrivType() != Authorizer.REFERENCES_PRIV)
                        continue;
                    // privilege in the required privileges list
                    if (!statementTablePermission.getTableUUID().equals(refTableUUID))
                        continue;
                } else if (statPerm instanceof StatementSchemaPermission || statPerm instanceof StatementRolePermission || statPerm instanceof StatementGenericPermission) {
                    continue;
                } else {
                    if (SanityManager.DEBUG) {
                        SanityManager.ASSERT(statPerm instanceof StatementRoutinePermission, "only StatementRoutinePermission expected");
                    }
                    // skip if this permission concerns a function not
                    // referenced by this constraint
                    StatementRoutinePermission rp = (StatementRoutinePermission) statPerm;
                    if (!inProviderSet(providers, rp.getRoutineUUID())) {
                        continue;
                    }
                }
                // We know that we are working with a REFERENCES, EXECUTE, or USAGE
                // privilege. Find all the PermissionDescriptors for this
                // privilege and make constraint depend on it through
                // dependency manager.  The REFERENCES privilege could be
                // defined at the table level or it could be defined at
                // individual column levels. In addition, individual column
                // REFERENCES privilege could be available at the user
                // level, PUBLIC or role level.  EXECUTE and USAGE privileges could be
                // available at the user level, PUBLIC or role level.
                permDesc = statPerm.getPermissionDescriptor(currentUser, dd);
                if (permDesc == null) {
                    // No privilege exists for given user. The privilege
                    // has to exist at at PUBLIC level....
                    permDesc = statPerm.getPermissionDescriptor(Authorizer.PUBLIC_AUTHORIZATION_ID, dd);
                    // .... or at the role level. Additionally, for column
                    // level privileges, even if *some* were available at
                    // the PUBLIC level others may be still be missing,
                    // hence the call in the test below to
                    // allColumnsCoveredByUserOrPUBLIC.
                    boolean roleUsed = false;
                    if (permDesc == null || ((permDesc instanceof ColPermsDescriptor) && !((StatementColumnPermission) statPerm).allColumnsCoveredByUserOrPUBLIC(currentUser, dd))) {
                        roleUsed = true;
                        permDesc = findRoleUsage(activation, statPerm);
                    }
                    // for the owner.
                    if (!permDesc.checkOwner(currentUser)) {
                        dm.addDependency(dependent, permDesc, lcc.getContextManager());
                        if (roleUsed) {
                            // We had to rely on role, so track that
                            // dependency, too.
                            trackRoleDependency(activation, dependent, roleDepAdded);
                        }
                    }
                } else // object's privilege dependency in the dependency system
                if (!permDesc.checkOwner(currentUser)) {
                    dm.addDependency(dependent, permDesc, lcc.getContextManager());
                    if (permDesc instanceof ColPermsDescriptor) {
                        // The if statement above means we found a
                        // REFERENCES privilege at column level for the
                        // given authorizer. If this privilege doesn't
                        // cover all the column , then there has to exisit
                        // REFERENCES for the remaining columns at PUBLIC
                        // level or at role level.  Get that permission
                        // descriptor and save it in dependency system
                        StatementColumnPermission statementColumnPermission = (StatementColumnPermission) statPerm;
                        permDesc = statementColumnPermission.getPUBLIClevelColPermsDescriptor(currentUser, dd);
                        // into the dependency system
                        if (permDesc != null && permDesc.getObjectID() != null) {
                            // User did not have all required column
                            // permissions and at least one column is
                            // covered by PUBLIC.
                            dm.addDependency(dependent, permDesc, lcc.getContextManager());
                        }
                        // upon.
                        if (!statementColumnPermission.allColumnsCoveredByUserOrPUBLIC(currentUser, dd)) {
                            // Role has been relied upon, so register a
                            // dependency.
                            trackRoleDependency(activation, dependent, roleDepAdded);
                        }
                    }
                }
                if (!(statPerm instanceof StatementRoutinePermission)) {
                    // for this sql statement.
                    break;
                } else {
                // For EXECUTE privilege there may be several functions
                // referenced in the constraint, so continue looking.
                }
            }
        }
    }
}
Also used : PermissionsDescriptor(org.apache.derby.iapi.sql.dictionary.PermissionsDescriptor) DependencyManager(org.apache.derby.iapi.sql.depend.DependencyManager) StatementSchemaPermission(org.apache.derby.iapi.sql.dictionary.StatementSchemaPermission) DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary) StatementRoutinePermission(org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission) StatementGenericPermission(org.apache.derby.iapi.sql.dictionary.StatementGenericPermission) StatementColumnPermission(org.apache.derby.iapi.sql.dictionary.StatementColumnPermission) StatementPermission(org.apache.derby.iapi.sql.dictionary.StatementPermission) ColPermsDescriptor(org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor) LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext) StatementTablePermission(org.apache.derby.iapi.sql.dictionary.StatementTablePermission) StatementRolePermission(org.apache.derby.iapi.sql.dictionary.StatementRolePermission)

Example 5 with ColPermsDescriptor

use of org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor in project derby by apache.

the class DDLConstantAction method storeViewTriggerDependenciesOnPrivileges.

/**
 *	This method saves dependencies of views and triggers on privileges in
 *  the dependency system. It gets called by CreateViewConstantAction
 *  and CreateTriggerConstantAction. Views and triggers and constraints
 *  run with definer's privileges. If one of the required privileges is
 *  revoked from the definer, the dependent view/trigger/constraint on
 *  that privilege will be dropped automatically. In order to implement
 *  this behavior, we need to save view/trigger/constraint dependencies
 *  on required privileges in the dependency system. Following method
 *  accomplishes that part of the equation for views and triggers. The
 *  dependency collection for constraints is not same as for views and
 *  triggers and hence constraints are not covered by this method.
 *  Views and triggers can depend on many different kind of privileges
 *  where as constraints only depend on REFERENCES privilege on a table.
 *  Another difference is only one view or trigger can be defined by a
 *  sql statement and hence all the dependencies collected for the sql
 *  statement apply to the view or trigger in question. As for constraints,
 *  one sql statement can defined multiple constraints and hence the
 *  all the privileges required by the statement are not necessarily
 *  required by all the constraints defined by that sql statement. We need
 *  to identify right privileges for right constraints for a given sql
 *  statement. Because of these differences between constraints and views
 *  (and triggers), there are 2 different methods in this class to save
 *  their privileges in the dependency system.
 *
 *  For each required privilege, we now register of a dependency on a role
 *  if that role was required to find an applicable privilege.
 *
 *  @param activation The execution environment for this constant action.
 *  @param dependent Make this object depend on required privileges
 *
 * @exception StandardException		Thrown on failure
 */
protected void storeViewTriggerDependenciesOnPrivileges(Activation activation, Dependent dependent) throws StandardException {
    LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
    DataDictionary dd = lcc.getDataDictionary();
    DependencyManager dm = dd.getDependencyManager();
    String dbo = dd.getAuthorizationDatabaseOwner();
    String currentUser = lcc.getCurrentUserId(activation);
    SettableBoolean roleDepAdded = new SettableBoolean();
    // access any objects without any restrictions.
    if (!currentUser.equals(dbo)) {
        PermissionsDescriptor permDesc;
        List<StatementPermission> requiredPermissionsList = activation.getPreparedStatement().getRequiredPermissionsList();
        if (requiredPermissionsList != null && !requiredPermissionsList.isEmpty()) {
            for (StatementPermission statPerm : requiredPermissionsList) {
                // Also, StatementRolePermission should not occur here.
                if (statPerm instanceof StatementSchemaPermission || statPerm instanceof StatementRolePermission) {
                    if (SanityManager.DEBUG) {
                        if (statPerm instanceof StatementRolePermission) {
                            SanityManager.THROWASSERT("Unexpected StatementRolePermission");
                        }
                    }
                    continue;
                }
                // See if we can find the required privilege for given authorizer?
                permDesc = statPerm.getPermissionDescriptor(currentUser, dd);
                if (// privilege not found for given authorizer
                permDesc == null) {
                    // The if condition above means that required privilege does
                    // not exist at the user level. The privilege has to exist at
                    // PUBLIC level... ,
                    permDesc = statPerm.getPermissionDescriptor(Authorizer.PUBLIC_AUTHORIZATION_ID, dd);
                    boolean roleUsed = false;
                    // .. or at role level
                    if (permDesc == null || ((permDesc instanceof ColPermsDescriptor) && !((StatementColumnPermission) statPerm).allColumnsCoveredByUserOrPUBLIC(currentUser, dd))) {
                        roleUsed = true;
                        permDesc = findRoleUsage(activation, statPerm);
                    }
                    // owner.
                    if (!permDesc.checkOwner(currentUser)) {
                        dm.addDependency(dependent, permDesc, lcc.getContextManager());
                        // dependency, too.
                        if (roleUsed) {
                            trackRoleDependency(activation, dependent, roleDepAdded);
                        }
                    }
                    continue;
                }
                // object's privilege dependency in the dependency system
                if (!permDesc.checkOwner(currentUser)) {
                    dm.addDependency(dependent, permDesc, lcc.getContextManager());
                    if (permDesc instanceof ColPermsDescriptor) {
                        // For a given table, the table owner can give privileges
                        // on some columns at individual user level and privileges
                        // on some columns at PUBLIC level. Hence, when looking for
                        // column level privileges, we need to look both at user
                        // level as well as PUBLIC level(only if user level column
                        // privileges do not cover all the columns accessed by this
                        // object). We have finished adding dependency for user level
                        // columns, now we are checking if some required column
                        // level privileges are at PUBLIC level.
                        // A specific eg of a view
                        // user1
                        // create table t11(c11 int, c12 int);
                        // grant select(c11) on t1 to user2;
                        // grant select(c12) on t1 to PUBLIC;
                        // user2
                        // create view v1 as select c11 from user1.t11 where c12=2;
                        // For the view above, there are 2 column level privilege
                        // depencies, one for column c11 which exists directly
                        // for user2 and one for column c12 which exists at PUBLIC level.
                        StatementColumnPermission statementColumnPermission = (StatementColumnPermission) statPerm;
                        permDesc = statementColumnPermission.getPUBLIClevelColPermsDescriptor(currentUser, dd);
                        if (permDesc != null && permDesc.getObjectID() != null) {
                            // User did not have all required column
                            // permissions and at least one column is
                            // covered by PUBLIC.
                            dm.addDependency(dependent, permDesc, lcc.getContextManager());
                        }
                        // upon?
                        if (!statementColumnPermission.allColumnsCoveredByUserOrPUBLIC(currentUser, dd)) {
                            trackRoleDependency(activation, dependent, roleDepAdded);
                        }
                    }
                }
            }
        }
    }
}
Also used : PermissionsDescriptor(org.apache.derby.iapi.sql.dictionary.PermissionsDescriptor) DependencyManager(org.apache.derby.iapi.sql.depend.DependencyManager) StatementSchemaPermission(org.apache.derby.iapi.sql.dictionary.StatementSchemaPermission) DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary) StatementColumnPermission(org.apache.derby.iapi.sql.dictionary.StatementColumnPermission) StatementPermission(org.apache.derby.iapi.sql.dictionary.StatementPermission) ColPermsDescriptor(org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor) LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext) StatementRolePermission(org.apache.derby.iapi.sql.dictionary.StatementRolePermission)

Aggregations

ColPermsDescriptor (org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor)11 FormatableBitSet (org.apache.derby.iapi.services.io.FormatableBitSet)6 UUID (org.apache.derby.catalog.UUID)3 LanguageConnectionContext (org.apache.derby.iapi.sql.conn.LanguageConnectionContext)3 DataDictionary (org.apache.derby.iapi.sql.dictionary.DataDictionary)3 DependencyManager (org.apache.derby.iapi.sql.depend.DependencyManager)2 PermissionsDescriptor (org.apache.derby.iapi.sql.dictionary.PermissionsDescriptor)2 SchemaDescriptor (org.apache.derby.iapi.sql.dictionary.SchemaDescriptor)2 StatementColumnPermission (org.apache.derby.iapi.sql.dictionary.StatementColumnPermission)2 StatementPermission (org.apache.derby.iapi.sql.dictionary.StatementPermission)2 StatementRolePermission (org.apache.derby.iapi.sql.dictionary.StatementRolePermission)2 StatementSchemaPermission (org.apache.derby.iapi.sql.dictionary.StatementSchemaPermission)2 TablePermsDescriptor (org.apache.derby.iapi.sql.dictionary.TablePermsDescriptor)2 ExecIndexRow (org.apache.derby.iapi.sql.execute.ExecIndexRow)2 ExecRow (org.apache.derby.iapi.sql.execute.ExecRow)2 DataValueDescriptor (org.apache.derby.iapi.types.DataValueDescriptor)2 SQLChar (org.apache.derby.iapi.types.SQLChar)2 UserType (org.apache.derby.iapi.types.UserType)2 Iterator (java.util.Iterator)1 AliasDescriptor (org.apache.derby.iapi.sql.dictionary.AliasDescriptor)1