Example 6 with RoleGrantDescriptor
use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.
the class GrantRoleConstantAction method executeConstantAction.
// INTERFACE METHODS
/**
* This is the guts of the Execution-time logic for GRANT role.
*
* @see ConstantAction#executeConstantAction
*
* @exception StandardException Thrown on failure
*/
public void executeConstantAction(Activation activation) throws StandardException {
LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
DataDescriptorGenerator ddg = dd.getDataDescriptorGenerator();
final String grantor = lcc.getCurrentUserId(activation);
dd.startWriting(lcc);
for (Iterator rIter = roleNames.iterator(); rIter.hasNext(); ) {
String role = (String) rIter.next();
if (role.equals(Authorizer.PUBLIC_AUTHORIZATION_ID)) {
throw StandardException.newException(SQLState.AUTH_PUBLIC_ILLEGAL_AUTHORIZATION_ID);
}
for (Iterator gIter = grantees.iterator(); gIter.hasNext(); ) {
String grantee = (String) gIter.next();
// check that role exists
RoleGrantDescriptor rdDef = dd.getRoleDefinitionDescriptor(role);
if (rdDef == null) {
throw StandardException.newException(SQLState.ROLE_INVALID_SPECIFICATION, role);
}
// :
if (grantor.equals(lcc.getDataDictionary().getAuthorizationDatabaseOwner())) {
// All ok, we are database owner
if (SanityManager.DEBUG) {
SanityManager.ASSERT(rdDef.getGrantee().equals(grantor), "expected database owner in role grant descriptor");
SanityManager.ASSERT(rdDef.isWithAdminOption(), "expected role definition to have ADMIN OPTION");
}
} else {
throw StandardException.newException(SQLState.AUTH_ROLE_DBO_ONLY, "GRANT role");
}
// Has it already been granted?
RoleGrantDescriptor rgd = dd.getRoleGrantDescriptor(role, grantee, grantor);
if (rgd != null && withAdminOption && !rgd.isWithAdminOption()) {
// NOTE: Never called yet, withAdminOption not yet
// implemented.
// Remove old descriptor and add a new one with admin
// option: cf. SQL 2003, section 12.5, general rule 3
rgd.drop(lcc);
rgd.setWithAdminOption(true);
dd.addDescriptor(rgd, // parent
null, DataDictionary.SYSROLES_CATALOG_NUM, // no duplicatesAllowed
false, tc);
} else if (rgd == null) {
// Check if the grantee is a role (if not, it is a user)
RoleGrantDescriptor granteeDef = dd.getRoleDefinitionDescriptor(grantee);
if (granteeDef != null) {
checkCircularity(role, grantee, grantor, tc, dd);
}
rgd = ddg.newRoleGrantDescriptor(dd.getUUIDFactory().createUUID(), role, grantee, // dbo for now
grantor, withAdminOption, // not definition
false);
dd.addDescriptor(rgd, // parent
null, DataDictionary.SYSROLES_CATALOG_NUM, // no duplicatesAllowed
false, tc);
}
// else exists already, no need to add
}
}
}
Also used :
DataDescriptorGenerator(org.apache.derby.iapi.sql.dictionary.DataDescriptorGenerator)
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
Iterator(java.util.Iterator)
RoleClosureIterator(org.apache.derby.iapi.sql.dictionary.RoleClosureIterator)
DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary)
TransactionController(org.apache.derby.iapi.store.access.TransactionController)
RoleGrantDescriptor(org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor)
Example 7 with RoleGrantDescriptor
use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.
the class DropRoleConstantAction method executeConstantAction.
// INTERFACE METHODS
/**
* This is the guts of the Execution-time logic for DROP ROLE.
*
* @see org.apache.derby.iapi.sql.execute.ConstantAction#executeConstantAction
*/
public void executeConstantAction(Activation activation) throws StandardException {
LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
/*
** Inform the data dictionary that we are about to write to it.
** There are several calls to data dictionary "get" methods here
** that might be done in "read" mode in the data dictionary, but
** it seemed safer to do this whole operation in "write" mode.
**
** We tell the data dictionary we're done writing at the end of
** the transaction.
*/
dd.startWriting(lcc);
RoleGrantDescriptor rdDef = dd.getRoleDefinitionDescriptor(roleName);
if (rdDef == null) {
throw StandardException.newException(SQLState.ROLE_INVALID_SPECIFICATION, roleName);
}
// When a role is dropped, for every role in its grantee closure, we
// call the REVOKE_ROLE action. It is used to invalidate dependent
// objects (constraints, triggers and views). Note that until
// DERBY-1632 is fixed, we risk dropping objects not really dependent
// on this role, but one some other role just because it inherits from
// this one. See also RevokeRoleConstantAction.
RoleClosureIterator rci = dd.createRoleClosureIterator(activation.getTransactionController(), roleName, false);
String role;
while ((role = rci.next()) != null) {
RoleGrantDescriptor r = dd.getRoleDefinitionDescriptor(role);
dd.getDependencyManager().invalidateFor(r, DependencyManager.REVOKE_ROLE, lcc);
}
rdDef.drop(lcc);
/*
* We dropped a role, now drop all dependents:
* - role grants to this role
* - grants of this role to other roles or users
* - privilege grants to this role
*/
dd.dropRoleGrantsByGrantee(roleName, tc);
dd.dropRoleGrantsByName(roleName, tc);
dd.dropAllPermsByGrantee(roleName, tc);
}
Also used :
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
RoleClosureIterator(org.apache.derby.iapi.sql.dictionary.RoleClosureIterator)
DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary)
TransactionController(org.apache.derby.iapi.store.access.TransactionController)
RoleGrantDescriptor(org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor)
Example 8 with RoleGrantDescriptor
use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.
the class SetRoleConstantAction method executeConstantAction.
// INTERFACE METHODS
/**
* This is the guts of the Execution-time logic for SET ROLE.
*
* @see ConstantAction#executeConstantAction
*
* @exception StandardException Thrown on failure
*/
public void executeConstantAction(Activation activation) throws StandardException {
LanguageConnectionContext lcc;
DataDictionary dd;
// find the language context.
lcc = activation.getLanguageConnectionContext();
dd = lcc.getDataDictionary();
String thisRoleName = roleName;
final String currentAuthId = lcc.getCurrentUserId(activation);
final String dbo = lcc.getDataDictionary().getAuthorizationDatabaseOwner();
TransactionController tc = lcc.getTransactionExecute();
// SQL 2003, section 18.3, General rule 1:
if (!tc.isIdle()) {
throw StandardException.newException(SQLState.INVALID_TRANSACTION_STATE_ACTIVE_CONNECTION);
}
if (type == StatementType.SET_ROLE_DYNAMIC) {
ParameterValueSet pvs = activation.getParameterValueSet();
DataValueDescriptor dvs = pvs.getParameter(0);
// SQL 2003, section 18.3, GR2: trim whitespace first, and
// interpret as identifier, then we convert it to case normal form
// here.
String roleId = dvs.getString();
if (roleId == null) {
throw StandardException.newException(SQLState.ID_PARSE_ERROR);
}
thisRoleName = IdUtil.parseRoleId(roleId);
}
RoleGrantDescriptor rdDef = null;
try {
String oldRole = lcc.getCurrentRoleId(activation);
if (oldRole != null && !oldRole.equals(thisRoleName)) {
rdDef = dd.getRoleDefinitionDescriptor(oldRole);
if (rdDef != null) {
dd.getDependencyManager().invalidateFor(rdDef, DependencyManager.RECHECK_PRIVILEGES, lcc);
}
// else: old role else no longer exists, so ignore.
}
if (thisRoleName != null) {
rdDef = dd.getRoleDefinitionDescriptor(thisRoleName);
// SQL 2003, section 18.3, General rule 4:
if (rdDef == null) {
throw StandardException.newException(SQLState.ROLE_INVALID_SPECIFICATION, thisRoleName);
}
if (!lcc.roleIsSettable(activation, thisRoleName)) {
throw StandardException.newException(SQLState.ROLE_INVALID_SPECIFICATION_NOT_GRANTED, thisRoleName);
}
}
} finally {
// reading above changes idle state, so reestablish it
lcc.userCommit();
}
lcc.setCurrentRole(activation, rdDef != null ? thisRoleName : null);
}
Also used :
ParameterValueSet(org.apache.derby.iapi.sql.ParameterValueSet)
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
DataValueDescriptor(org.apache.derby.iapi.types.DataValueDescriptor)
DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary)
TransactionController(org.apache.derby.iapi.store.access.TransactionController)
RoleGrantDescriptor(org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor)
Example 9 with RoleGrantDescriptor
use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.
the class CreateRoleConstantAction method executeConstantAction.
// INTERFACE METHODS
/**
* This is the guts of the Execution-time logic for CREATE ROLE.
*
* @see ConstantAction#executeConstantAction
*
* @exception StandardException Thrown on failure
*/
public void executeConstantAction(Activation activation) throws StandardException {
LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
DataDescriptorGenerator ddg = dd.getDataDescriptorGenerator();
if (roleName.equals(Authorizer.PUBLIC_AUTHORIZATION_ID)) {
throw StandardException.newException(SQLState.AUTH_PUBLIC_ILLEGAL_AUTHORIZATION_ID);
}
// currentAuthId is currently always the database owner since
// role definition is a database owner power. This may change
// in the future since this SQL is more liberal.
//
final String currentAuthId = lcc.getCurrentUserId(activation);
dd.startWriting(lcc);
//
// Check if this role already exists. If it does, throw.
//
RoleGrantDescriptor rdDef = dd.getRoleDefinitionDescriptor(roleName);
if (rdDef != null) {
throw StandardException.newException(SQLState.LANG_OBJECT_ALREADY_EXISTS, rdDef.getDescriptorType(), roleName);
}
// defined or added later).
if (knownUser(roleName, currentAuthId, lcc, dd, tc)) {
throw StandardException.newException(SQLState.LANG_OBJECT_ALREADY_EXISTS, "User", roleName);
}
rdDef = ddg.newRoleGrantDescriptor(dd.getUUIDFactory().createUUID(), roleName, // grantee
currentAuthId, // grantor
Authorizer.SYSTEM_AUTHORIZATION_ID, // with admin option
true, // is definition
true);
dd.addDescriptor(rdDef, // parent
null, DataDictionary.SYSROLES_CATALOG_NUM, // duplicatesAllowed
false, tc);
}
Also used :
DataDescriptorGenerator(org.apache.derby.iapi.sql.dictionary.DataDescriptorGenerator)
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary)
TransactionController(org.apache.derby.iapi.store.access.TransactionController)
RoleGrantDescriptor(org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor)
Example 10 with RoleGrantDescriptor
use of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor in project derby by apache.
the class ContainedRoles method next.
/**
* @see java.sql.ResultSet#next
*/
public boolean next() throws SQLException {
try {
// activation.
if (!initialized) {
initialized = true;
LanguageConnectionContext lcc = ConnectionUtil.getCurrentLCC();
DataDictionary dd = lcc.getDataDictionary();
RoleGrantDescriptor rdDef = dd.getRoleDefinitionDescriptor(role);
if (rdDef != null) {
lcc.beginNestedTransaction(true);
try {
int mode = dd.startReading(lcc);
try {
rci = dd.createRoleClosureIterator(lcc.getLastActivation().getTransactionController(), role, !inverse);
} finally {
dd.doneReading(mode, lcc);
}
} finally {
// make sure we commit; otherwise, we will end up with
// mismatch nested level in the language connection
// context.
lcc.commitNestedTransaction();
}
}
}
return rci != null && ((nextRole = rci.next()) != null);
} catch (StandardException e) {
throw PublicAPI.wrapStandardException(e);
}
}
Also used :
StandardException(org.apache.derby.shared.common.error.StandardException)
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary)
RoleGrantDescriptor(org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor)
Aggregations
RoleGrantDescriptor (org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor)12
DataDictionary (org.apache.derby.iapi.sql.dictionary.DataDictionary)8
LanguageConnectionContext (org.apache.derby.iapi.sql.conn.LanguageConnectionContext)7
TransactionController (org.apache.derby.iapi.store.access.TransactionController)5
DataDescriptorGenerator (org.apache.derby.iapi.sql.dictionary.DataDescriptorGenerator)3
RoleClosureIterator (org.apache.derby.iapi.sql.dictionary.RoleClosureIterator)3
DataValueDescriptor (org.apache.derby.iapi.types.DataValueDescriptor)3
ArrayList (java.util.ArrayList)2
Iterator (java.util.Iterator)2
List (java.util.List)2
ExecRow (org.apache.derby.iapi.sql.execute.ExecRow)2
SQLVarchar (org.apache.derby.iapi.types.SQLVarchar)2
HashMap (java.util.HashMap)1
LinkedList (java.util.LinkedList)1
UUID (org.apache.derby.catalog.UUID)1
ParameterValueSet (org.apache.derby.iapi.sql.ParameterValueSet)1
DependencyManager (org.apache.derby.iapi.sql.depend.DependencyManager)1
ColumnDescriptorList (org.apache.derby.iapi.sql.dictionary.ColumnDescriptorList)1
ConglomerateDescriptorList (org.apache.derby.iapi.sql.dictionary.ConglomerateDescriptorList)1
ConstraintDescriptorList (org.apache.derby.iapi.sql.dictionary.ConstraintDescriptorList)1
