Example 1 with StatementRoutinePermission
use of org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission in project derby by apache.
the class SecurityUtil method authorize.
/**
* Raise an exception if the current user does not have permission
* to perform the indicated operation.
*/
public static void authorize(Securable operation) throws StandardException {
LanguageConnectionContext lcc = (LanguageConnectionContext) getContextOrNull(LanguageConnectionContext.CONTEXT_ID);
if (lcc.usesSqlAuthorization()) {
Authorizer authorizer = lcc.getAuthorizer();
DataDictionary dd = lcc.getDataDictionary();
AliasDescriptor ad = dd.getRoutineList(operation.routineSchemaID, operation.routineName, operation.routineType).get(0);
ArrayList<StatementPermission> requiredPermissions = new ArrayList<StatementPermission>();
StatementRoutinePermission executePermission = new StatementRoutinePermission(ad.getObjectID());
requiredPermissions.add(executePermission);
authorizer.authorize(requiredPermissions, lcc.getLastActivation());
}
}
Also used :
StatementPermission(org.apache.derby.iapi.sql.dictionary.StatementPermission)
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
Authorizer(org.apache.derby.iapi.sql.conn.Authorizer)
AliasDescriptor(org.apache.derby.iapi.sql.dictionary.AliasDescriptor)
ArrayList(java.util.ArrayList)
DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary)
StatementRoutinePermission(org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission)
Example 2 with StatementRoutinePermission
use of org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission in project derby by apache.
the class CompilerContextImpl method getRequiredPermissionsList.
/**
* @return The list of required privileges.
*/
public List<StatementPermission> getRequiredPermissionsList() {
int size = 0;
if (requiredRoutinePrivileges != null) {
size += requiredRoutinePrivileges.size();
}
if (requiredUsagePrivileges != null) {
size += requiredUsagePrivileges.size();
}
if (requiredTablePrivileges != null) {
size += requiredTablePrivileges.size();
}
if (requiredSchemaPrivileges != null) {
size += requiredSchemaPrivileges.size();
}
if (requiredColumnPrivileges != null) {
size += requiredColumnPrivileges.size();
}
if (requiredRolePrivileges != null) {
size += requiredRolePrivileges.size();
}
ArrayList<StatementPermission> list = new ArrayList<StatementPermission>(size);
if (requiredRoutinePrivileges != null) {
for (Iterator<UUID> itr = requiredRoutinePrivileges.keySet().iterator(); itr.hasNext(); ) {
UUID routineUUID = itr.next();
list.add(new StatementRoutinePermission(routineUUID));
}
}
if (requiredUsagePrivileges != null) {
for (Iterator<UUID> itr = requiredUsagePrivileges.keySet().iterator(); itr.hasNext(); ) {
UUID objectID = itr.next();
list.add(new StatementGenericPermission(objectID, requiredUsagePrivileges.get(objectID), PermDescriptor.USAGE_PRIV));
}
}
if (requiredTablePrivileges != null) {
for (Iterator<StatementTablePermission> itr = requiredTablePrivileges.values().iterator(); itr.hasNext(); ) {
list.add(itr.next());
}
}
if (requiredSchemaPrivileges != null) {
for (Iterator<StatementSchemaPermission> itr = requiredSchemaPrivileges.values().iterator(); itr.hasNext(); ) {
list.add(itr.next());
}
}
if (requiredColumnPrivileges != null) {
for (Iterator<StatementColumnPermission> itr = requiredColumnPrivileges.values().iterator(); itr.hasNext(); ) {
list.add(itr.next());
}
}
if (requiredRolePrivileges != null) {
for (Iterator<StatementRolePermission> itr = requiredRolePrivileges.values().iterator(); itr.hasNext(); ) {
list.add(itr.next());
}
}
return list;
}
Also used :
ArrayList(java.util.ArrayList)
StatementSchemaPermission(org.apache.derby.iapi.sql.dictionary.StatementSchemaPermission)
StatementRoutinePermission(org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission)
StatementGenericPermission(org.apache.derby.iapi.sql.dictionary.StatementGenericPermission)
StatementColumnPermission(org.apache.derby.iapi.sql.dictionary.StatementColumnPermission)
StatementPermission(org.apache.derby.iapi.sql.dictionary.StatementPermission)
UUID(org.apache.derby.catalog.UUID)
StatementTablePermission(org.apache.derby.iapi.sql.dictionary.StatementTablePermission)
StatementRolePermission(org.apache.derby.iapi.sql.dictionary.StatementRolePermission)
Example 3 with StatementRoutinePermission
use of org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission in project derby by apache.
the class DDLConstantAction method storeConstraintDependenciesOnPrivileges.
/**
* This method saves dependencies of constraints on privileges in the
* dependency system. It gets called by CreateConstraintConstantAction.
* Views and triggers and constraints run with definer's privileges. If
* one of the required privileges is revoked from the definer, the
* dependent view/trigger/constraint on that privilege will be dropped
* automatically. In order to implement this behavior, we need to save
* view/trigger/constraint dependencies on required privileges in the
* dependency system. Following method accomplishes that part of the
* equation for constraints only. The dependency collection for
* constraints is not same as for views and triggers and hence
* constraints are handled by this special method.
*
* Views and triggers can depend on many different kind of privileges
* where as constraints only depend on REFERENCES privilege on a table
* (FOREIGN KEY constraints) or EXECUTE privileges on one or more
* functions (CHECK constraints).
*
* Another difference is only one view or trigger can be defined by a
* sql statement and hence all the dependencies collected for the sql
* statement apply to the view or trigger in question. As for constraints,
* one sql statement can defined multiple constraints and hence the
* all the privileges required by the statement are not necessarily
* required by all the constraints defined by that sql statement. We need
* to identify right privileges for right constraints for a given sql
* statement. Because of these differences between constraints and views
* (and triggers), there are 2 different methods in this class to save
* their privileges in the dependency system.
*
* For each required privilege, we now register a dependency on a role if
* that role was required to find an applicable privilege.
*
* @param activation The execution environment for this constant action.
* @param dependent Make this object depend on required privileges
* @param refTableUUID Make sure we are looking for REFERENCES privilege
* for right table
* @param providers set of providers for this constraint
* @exception StandardException Thrown on failure
*/
protected void storeConstraintDependenciesOnPrivileges(Activation activation, Dependent dependent, UUID refTableUUID, ProviderInfo[] providers) throws StandardException {
LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
DataDictionary dd = lcc.getDataDictionary();
DependencyManager dm = dd.getDependencyManager();
String currentUser = lcc.getCurrentUserId(activation);
SettableBoolean roleDepAdded = new SettableBoolean();
// access any objects without any restrictions
if (!currentUser.equals(dd.getAuthorizationDatabaseOwner())) {
PermissionsDescriptor permDesc;
// Now, it is time to add into dependency system the FOREIGN
// constraint's dependency on REFERENCES privilege, or, if it is a
// CHECK constraint, any EXECUTE or USAGE privileges. If the REFERENCES is
// revoked from the constraint owner, the constraint will get
// dropped automatically.
List<StatementPermission> requiredPermissionsList = activation.getPreparedStatement().getRequiredPermissionsList();
if (requiredPermissionsList != null && !requiredPermissionsList.isEmpty()) {
for (StatementPermission statPerm : requiredPermissionsList) {
// are not required for a foreign key constraint.
if (statPerm instanceof StatementTablePermission) {
// It is a table/column level privilege
StatementTablePermission statementTablePermission = (StatementTablePermission) statPerm;
// required privileges list
if (statementTablePermission.getPrivType() != Authorizer.REFERENCES_PRIV)
continue;
// privilege in the required privileges list
if (!statementTablePermission.getTableUUID().equals(refTableUUID))
continue;
} else if (statPerm instanceof StatementSchemaPermission || statPerm instanceof StatementRolePermission || statPerm instanceof StatementGenericPermission) {
continue;
} else {
if (SanityManager.DEBUG) {
SanityManager.ASSERT(statPerm instanceof StatementRoutinePermission, "only StatementRoutinePermission expected");
}
// skip if this permission concerns a function not
// referenced by this constraint
StatementRoutinePermission rp = (StatementRoutinePermission) statPerm;
if (!inProviderSet(providers, rp.getRoutineUUID())) {
continue;
}
}
// We know that we are working with a REFERENCES, EXECUTE, or USAGE
// privilege. Find all the PermissionDescriptors for this
// privilege and make constraint depend on it through
// dependency manager. The REFERENCES privilege could be
// defined at the table level or it could be defined at
// individual column levels. In addition, individual column
// REFERENCES privilege could be available at the user
// level, PUBLIC or role level. EXECUTE and USAGE privileges could be
// available at the user level, PUBLIC or role level.
permDesc = statPerm.getPermissionDescriptor(currentUser, dd);
if (permDesc == null) {
// No privilege exists for given user. The privilege
// has to exist at at PUBLIC level....
permDesc = statPerm.getPermissionDescriptor(Authorizer.PUBLIC_AUTHORIZATION_ID, dd);
// .... or at the role level. Additionally, for column
// level privileges, even if *some* were available at
// the PUBLIC level others may be still be missing,
// hence the call in the test below to
// allColumnsCoveredByUserOrPUBLIC.
boolean roleUsed = false;
if (permDesc == null || ((permDesc instanceof ColPermsDescriptor) && !((StatementColumnPermission) statPerm).allColumnsCoveredByUserOrPUBLIC(currentUser, dd))) {
roleUsed = true;
permDesc = findRoleUsage(activation, statPerm);
}
// for the owner.
if (!permDesc.checkOwner(currentUser)) {
dm.addDependency(dependent, permDesc, lcc.getContextManager());
if (roleUsed) {
// We had to rely on role, so track that
// dependency, too.
trackRoleDependency(activation, dependent, roleDepAdded);
}
}
} else // object's privilege dependency in the dependency system
if (!permDesc.checkOwner(currentUser)) {
dm.addDependency(dependent, permDesc, lcc.getContextManager());
if (permDesc instanceof ColPermsDescriptor) {
// The if statement above means we found a
// REFERENCES privilege at column level for the
// given authorizer. If this privilege doesn't
// cover all the column , then there has to exisit
// REFERENCES for the remaining columns at PUBLIC
// level or at role level. Get that permission
// descriptor and save it in dependency system
StatementColumnPermission statementColumnPermission = (StatementColumnPermission) statPerm;
permDesc = statementColumnPermission.getPUBLIClevelColPermsDescriptor(currentUser, dd);
// into the dependency system
if (permDesc != null && permDesc.getObjectID() != null) {
// User did not have all required column
// permissions and at least one column is
// covered by PUBLIC.
dm.addDependency(dependent, permDesc, lcc.getContextManager());
}
// upon.
if (!statementColumnPermission.allColumnsCoveredByUserOrPUBLIC(currentUser, dd)) {
// Role has been relied upon, so register a
// dependency.
trackRoleDependency(activation, dependent, roleDepAdded);
}
}
}
if (!(statPerm instanceof StatementRoutinePermission)) {
// for this sql statement.
break;
} else {
// For EXECUTE privilege there may be several functions
// referenced in the constraint, so continue looking.
}
}
}
}
}
Also used :
PermissionsDescriptor(org.apache.derby.iapi.sql.dictionary.PermissionsDescriptor)
DependencyManager(org.apache.derby.iapi.sql.depend.DependencyManager)
StatementSchemaPermission(org.apache.derby.iapi.sql.dictionary.StatementSchemaPermission)
DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary)
StatementRoutinePermission(org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission)
StatementGenericPermission(org.apache.derby.iapi.sql.dictionary.StatementGenericPermission)
StatementColumnPermission(org.apache.derby.iapi.sql.dictionary.StatementColumnPermission)
StatementPermission(org.apache.derby.iapi.sql.dictionary.StatementPermission)
ColPermsDescriptor(org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor)
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
StatementTablePermission(org.apache.derby.iapi.sql.dictionary.StatementTablePermission)
StatementRolePermission(org.apache.derby.iapi.sql.dictionary.StatementRolePermission)
Aggregations
StatementPermission (org.apache.derby.iapi.sql.dictionary.StatementPermission)3
StatementRoutinePermission (org.apache.derby.iapi.sql.dictionary.StatementRoutinePermission)3
ArrayList (java.util.ArrayList)2
LanguageConnectionContext (org.apache.derby.iapi.sql.conn.LanguageConnectionContext)2
DataDictionary (org.apache.derby.iapi.sql.dictionary.DataDictionary)2
StatementColumnPermission (org.apache.derby.iapi.sql.dictionary.StatementColumnPermission)2
StatementGenericPermission (org.apache.derby.iapi.sql.dictionary.StatementGenericPermission)2
StatementRolePermission (org.apache.derby.iapi.sql.dictionary.StatementRolePermission)2
StatementSchemaPermission (org.apache.derby.iapi.sql.dictionary.StatementSchemaPermission)2
StatementTablePermission (org.apache.derby.iapi.sql.dictionary.StatementTablePermission)2
UUID (org.apache.derby.catalog.UUID)1
Authorizer (org.apache.derby.iapi.sql.conn.Authorizer)1
DependencyManager (org.apache.derby.iapi.sql.depend.DependencyManager)1
AliasDescriptor (org.apache.derby.iapi.sql.dictionary.AliasDescriptor)1
ColPermsDescriptor (org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor)1
PermissionsDescriptor (org.apache.derby.iapi.sql.dictionary.PermissionsDescriptor)1
