Examples with RoleGrantDescriptor org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor used on opensource projects

Example 1 with RoleGrantDescriptor

use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.

the class RoleClosureIteratorImpl method next.

public String next() throws StandardException {
    if (initial) {
        // Optimization so we don't compute the closure for the current
        // role if unnecessary (when next is only called once).
        initial = false;
        seenSoFar.put(root, null);
        return root;
    } else if (graph == null) {
        // We get here the second time next is called.
        graph = dd.getRoleGrantGraph(tc, inverse);
        List<RoleGrantDescriptor> outArcs = graph.get(root);
        if (outArcs != null) {
            currNodeIter = outArcs.iterator();
        }
    }
    RoleGrantDescriptor result = null;
    while (result == null) {
        while (currNodeIter.hasNext()) {
            RoleGrantDescriptor r = (RoleGrantDescriptor) currNodeIter.next();
            if (seenSoFar.containsKey(inverse ? r.getRoleName() : r.getGrantee())) {
                continue;
            } else {
                lifo.add(r);
                result = r;
                break;
            }
        }
        if (result == null) {
            // not more candidates located outgoing from the
            // latest found node, pick another and continue
            RoleGrantDescriptor newNode = null;
            currNodeIter = null;
            while (lifo.size() > 0 && currNodeIter == null) {
                newNode = lifo.remove(lifo.size() - 1);
                // In the example (see interface doc), the
                // iterator of outgoing arcs for f (grant inverse)
                // would contain {e,c,d}.
                List<RoleGrantDescriptor> outArcs = graph.get(inverse ? newNode.getRoleName() : newNode.getGrantee());
                if (outArcs != null) {
                    currNodeIter = outArcs.iterator();
                }
            // else: leaf node, pop next candidate, if any
            }
            if (currNodeIter == null) {
                // candidate stack is empty, done
                currNodeIter = null;
                break;
            }
        }
    }
    if (result != null) {
        String role = inverse ? result.getRoleName() : result.getGrantee();
        seenSoFar.put(role, null);
        return role;
    } else {
        return null;
    }
}

Example 2 with RoleGrantDescriptor

use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.

the class SYSROLESRowFactory method buildDescriptor.

// /////////////////////////////////////////////////////////////////////////
// 
// ABSTRACT METHODS TO BE IMPLEMENTED BY CHILDREN OF CatalogRowFactory
// 
// /////////////////////////////////////////////////////////////////////////
/**
 * Make an  Tuple Descriptor out of a SYSROLES row
 *
 * @param row                   a SYSROLES row
 * @param parentTupleDescriptor unused
 * @param dd                    dataDictionary
 *
 * @return  a  descriptor equivalent to a SYSROLES row
 *
 * @exception   StandardException thrown on failure
 */
public TupleDescriptor buildDescriptor(ExecRow row, TupleDescriptor parentTupleDescriptor, DataDictionary dd) throws StandardException {
    DataValueDescriptor col;
    RoleGrantDescriptor descriptor;
    String oid_string;
    String roleid;
    String grantee;
    String grantor;
    String wao;
    String isdef;
    DataDescriptorGenerator ddg = dd.getDataDescriptorGenerator();
    if (SanityManager.DEBUG) {
        SanityManager.ASSERT(row.nColumns() == SYSROLES_COLUMN_COUNT, "Wrong number of columns for a SYSROLES row");
    }
    // first column is uuid of this role grant descriptor (char(36))
    col = row.getColumn(1);
    oid_string = col.getString();
    // second column is roleid (varchar(128))
    col = row.getColumn(2);
    roleid = col.getString();
    // third column is grantee (varchar(128))
    col = row.getColumn(3);
    grantee = col.getString();
    // fourth column is grantor (varchar(128))
    col = row.getColumn(4);
    grantor = col.getString();
    // fifth column is withadminoption (char(1))
    col = row.getColumn(5);
    wao = col.getString();
    // sixth column is isdef (char(1))
    col = row.getColumn(6);
    isdef = col.getString();
    descriptor = ddg.newRoleGrantDescriptor(getUUIDFactory().recreateUUID(oid_string), roleid, grantee, grantor, wao.equals("Y") ? true : false, isdef.equals("Y") ? true : false);
    return descriptor;
}

Example 3 with RoleGrantDescriptor

use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.

the class GenericLanguageConnectionContext method roleIsSettable.

/**
 * @see LanguageConnectionContext#roleIsSettable(Activation a, String role)
 */
public boolean roleIsSettable(Activation a, String role) throws StandardException {
    DataDictionary dd = getDataDictionary();
    String dbo = dd.getAuthorizationDatabaseOwner();
    RoleGrantDescriptor grantDesc;
    String currentUser = getCurrentUserId(a);
    if (currentUser.equals(dbo)) {
        grantDesc = dd.getRoleDefinitionDescriptor(role);
    } else {
        grantDesc = dd.getRoleGrantDescriptor(role, currentUser, dbo);
        if (grantDesc == null) {
            // or if not, via PUBLIC?
            grantDesc = dd.getRoleGrantDescriptor(role, Authorizer.PUBLIC_AUTHORIZATION_ID, dbo);
        }
    }
    return grantDesc != null;
}

Example 4 with RoleGrantDescriptor

use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.

the class RevokeRoleConstantAction method executeConstantAction.

// INTERFACE METHODS
/**
 * This is the guts of the Execution-time logic for REVOKE role.
 *
 * @see org.apache.derby.iapi.sql.execute.ConstantAction#executeConstantAction
 */
public void executeConstantAction(Activation activation) throws StandardException {
    LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
    DataDictionary dd = lcc.getDataDictionary();
    TransactionController tc = lcc.getTransactionExecute();
    final String grantor = lcc.getCurrentUserId(activation);
    dd.startWriting(lcc);
    for (Iterator rIter = roleNames.iterator(); rIter.hasNext(); ) {
        String role = (String) rIter.next();
        if (role.equals(Authorizer.PUBLIC_AUTHORIZATION_ID)) {
            throw StandardException.newException(SQLState.AUTH_PUBLIC_ILLEGAL_AUTHORIZATION_ID);
        }
        for (Iterator gIter = grantees.iterator(); gIter.hasNext(); ) {
            String grantee = (String) gIter.next();
            // check that role exists
            RoleGrantDescriptor rdDef = dd.getRoleDefinitionDescriptor(role);
            if (rdDef == null) {
                throw StandardException.newException(SQLState.ROLE_INVALID_SPECIFICATION, role);
            }
            // :
            if (grantor.equals(lcc.getDataDictionary().getAuthorizationDatabaseOwner())) {
                // All ok, we are database owner
                if (SanityManager.DEBUG) {
                    SanityManager.ASSERT(rdDef.getGrantee().equals(grantor), "expected database owner in role grant descriptor");
                    SanityManager.ASSERT(rdDef.isWithAdminOption(), "expected role definition to have ADMIN OPTION");
                }
            } else {
                throw StandardException.newException(SQLState.AUTH_ROLE_DBO_ONLY, "REVOKE role");
            }
            RoleGrantDescriptor rd = dd.getRoleGrantDescriptor(role, grantee, grantor);
            if (rd != null && withAdminOption) {
                if (SanityManager.DEBUG) {
                    SanityManager.NOTREACHED();
                }
                // 
                if (rd.isWithAdminOption()) {
                // Invalidate and remove old descriptor and add a new
                // one without admin option.
                // 
                // RoleClosureIterator rci =
                // dd.createRoleClosureIterator
                // (activation.getTransactionController(),
                // role, false);
                // 
                // String r;
                // while ((r = rci.next()) != null) {
                // rdDef = dd.getRoleDefinitionDescriptor(r);
                // 
                // dd.getDependencyManager().invalidateFor
                // (rdDef, DependencyManager.REVOKE_ROLE, lcc);
                // }
                // 
                // rd.drop(lcc);
                // rd.setWithAdminOption(false);
                // dd.addDescriptor(rd,
                // null,  // parent
                // DataDictionary.SYSROLES_CATALOG_NUM,
                // false, // no duplicatesAllowed
                // tc);
                } else {
                    activation.addWarning(StandardException.newWarning(SQLState.LANG_WITH_ADMIN_OPTION_NOT_REVOKED, role, grantee));
                }
            } else if (rd != null) {
                // Normal revoke of role from grantee.
                // 
                // When a role is revoked, for every role in its grantee
                // closure, we call the REVOKE_ROLE action. It is used to
                // invalidate dependent objects (constraints, triggers and
                // views).  Note that until DERBY-1632 is fixed, we risk
                // dropping objects not really dependent on this role, but
                // one some other role just because it inherits from this
                // one. See also DropRoleConstantAction.
                RoleClosureIterator rci = dd.createRoleClosureIterator(activation.getTransactionController(), role, false);
                String r;
                while ((r = rci.next()) != null) {
                    rdDef = dd.getRoleDefinitionDescriptor(r);
                    dd.getDependencyManager().invalidateFor(rdDef, DependencyManager.REVOKE_ROLE, lcc);
                }
                rd.drop(lcc);
            } else {
                activation.addWarning(StandardException.newWarning(SQLState.LANG_ROLE_NOT_REVOKED, role, grantee));
            }
        }
    }
}

Example 5 with RoleGrantDescriptor

use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.

the class DDLConstantAction method trackRoleDependency.

/**
 * The statement permission needed for dependent has been found to rely on
 * the current role. If not already done, register the dependency so that
 * if the current role (or any of the roles it inherits) is revoked (or
 * dropped), we can invalidate dependent.
 *
 * @param activation the current activation
 * @param dependent the view, constraint or trigger that is dependent on the
 *        current role for some privilege.
 * @param roleDepAdded keeps track of whether a dependency on the
 *        current role has already been registered.
 */
private static void trackRoleDependency(Activation activation, Dependent dependent, SettableBoolean roleDepAdded) throws StandardException {
    // fails for triggers at least).
    if (!roleDepAdded.get()) {
        LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
        DataDictionary dd = lcc.getDataDictionary();
        DependencyManager dm = dd.getDependencyManager();
        String role = lcc.getCurrentRoleId(activation);
        RoleGrantDescriptor rgd = dd.getRoleDefinitionDescriptor(role);
        dm.addDependency(dependent, rgd, lcc.getContextManager());
        roleDepAdded.set(true);
    }
}