Package org.apache.derby.iapi.sql.dictionary

Examples of org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor


            }

            thisRoleName = IdUtil.parseRoleId(roleId);
        }

        RoleGrantDescriptor rdDef = null;

        try {
            String oldRole = lcc.getCurrentRoleId(activation);

            if (oldRole != null && !oldRole.equals(thisRoleName)) {


        // startWriting is called before the lookup, so the existence check
        // below runs after it.
        // NOTE(review): presumably this puts the data dictionary into write
        // mode for this connection -- confirm that it also keeps two
        // concurrent creations of the same role name from both passing the
        // check below.
        dd.startWriting(lcc);

        //
        // Check if this role already exists. If it does, throw.
        //
        RoleGrantDescriptor rdDef = dd.getRoleDefinitionDescriptor(roleName);

        if (rdDef != null) {
            // A non-null definition descriptor means the name is taken; the
            // error carries the descriptor type and the requested name.
            throw StandardException.
                newException(SQLState.LANG_OBJECT_ALREADY_EXISTS,
                             rdDef.getDescriptorType(), roleName);
        }

        // Check if the proposed role id exists as a user id in
        // a privilege grant or as a built-in user ("best effort"; we
        // can't guarantee against collision if users are externally

      scanQualifier,                //
      (DataValueDescriptor[]) null, // stop position -through last row
      0);                           // stopSearchOperation - none

    ExecRow outRow =  rf.makeEmptyRow();
    RoleGrantDescriptor grantDescr;

    while (sc.fetchNext(outRow.getRowArray())) {
      // Turn the row just fetched by the scan into a role grant descriptor.
      grantDescr = (RoleGrantDescriptor)rf.buildDescriptor(
        outRow,
        (TupleDescriptor) null,
        this);

      // Next call is potentially inefficient.  We could read in
      // definitions first in a separate hash table limiting
      // this to a 2-pass scan.
      RoleGrantDescriptor granteeDef = getRoleDefinitionDescriptor
        (grantDescr.getGrantee());

      // Only grants whose grantee has a role definition get past this
      // point; every other row is dropped from the result being built.
      if (granteeDef == null) {
        // not a role, must be user authid, skip
        continue;
      }

      // Key selection: the grantee role's name when 'inverse' is set,
      // otherwise the name of the role that was granted.
      String hashKey;
      if (inverse) {
        hashKey = granteeDef.getRoleName();
      } else {
        hashKey = grantDescr.getRoleName();
      }

      List arcs = (List)hm.get(hashKey);

   */
  public boolean roleIsSettable(String role) throws StandardException {
    DataDictionary dd = getDataDictionary();
    String dbo = dd.getAuthorizationDatabaseOwner();

    RoleGrantDescriptor grantDesc = null;

    if (getAuthorizationId().equals(dbo)) {
      grantDesc = dd.getRoleDefinitionDescriptor(role);
    } else {
      grantDesc = dd.getRoleGrantDescriptor

            for (Iterator gIter = grantees.iterator(); gIter.hasNext();) {
                String grantee = (String)gIter.next();

                // check that role exists
                RoleGrantDescriptor rdDef =
                    dd.getRoleDefinitionDescriptor(role);

                if (rdDef == null) {
                    throw StandardException.
                        newException(SQLState.ROLE_INVALID_SPECIFICATION, role);
                }

                // Check that role is granted to us (or PUBLIC) with
                // WITH ADMIN option so we can grant (and hence
                // revoke) it. For database owner, a role definition
                // always fulfills this requirement.  If we implement
                // granting with WITH ADMIN option later, we need to
                // look for a grant to us or to PUBLIC which has WITH
                // ADMIN. The role definition descriptor will not
                // suffice in that case, so we need something like:
                //
                // rd = dd.findRoleGrantWithAdminToRoleOrPublic(grantor)
                // if (rd != null) {
                //   :
                // Authorization gate for REVOKE role: the statement proceeds
                // only when the grantor is the database owner; any other
                // grantor is rejected with AUTH_ROLE_DBO_ONLY.
                // NOTE(review): equals() is an exact string match, so this
                // relies on 'grantor' and the stored owner id being in the
                // same normalized form -- confirm where 'grantor' is set.
                if (grantor.equals(lcc.getDataDictionary().
                                       getAuthorizationDatabaseOwner())) {
                    // All ok, we are database owner
                    // The assertions below run only when SanityManager.DEBUG
                    // is true. They are consistency checks on the role
                    // definition and take no part in the access decision.
                    if (SanityManager.DEBUG) {
                        SanityManager.ASSERT(
                            rdDef.getGrantee().equals(grantor),
                            "expected database owner in role grant descriptor");
                        SanityManager.ASSERT(
                            rdDef.isWithAdminOption(),
                            "expected role definition to have ADMIN OPTION");
                    }
                } else {
                    throw StandardException.newException
                        (SQLState.AUTH_ROLE_DBO_ONLY, "REVOKE role");
                }

                RoleGrantDescriptor rd =
                    dd.getRoleGrantDescriptor(role, grantee, grantor);

                if (rd != null && withAdminOption) {
                    // NOTE: Never called yet, withAdminOption not yet
                    // implemented.

                    if (SanityManager.DEBUG) {
                        SanityManager.NOTREACHED();
                    }

                    // revoke only the ADMIN OPTION from grantee
                    //
                    if (rd.isWithAdminOption()) {
                        // Invalidate and remove old descriptor and add a new
                        // one without admin option.
                        //
                        // RoleClosureIterator rci =
                        //     dd.createRoleClosureIterator
                        //     (activation.getTransactionController(),
                        //      role, false);
                        //
                        // String r;
                        // while ((r = rci.next()) != null) {
                        //   rdDef = dd.getRoleDefinitionDescriptor(r);
                        //
                        //   dd.getDependencyManager().invalidateFor
                        //       (rdDef, DependencyManager.REVOKE_ROLE, lcc);
                        // }
                        //
                        // rd.drop(lcc);
                        // rd.setWithAdminOption(false);
                        // dd.addDescriptor(rd,
                        //                  null,  // parent
                        //                  DataDictionary.SYSROLES_CATALOG_NUM,
                        //                  false, // no duplicatesAllowed
                        //                  tc);
                    } else {
                        activation.addWarning
                            (StandardException.newWarning
                             (SQLState.LANG_WITH_ADMIN_OPTION_NOT_REVOKED,
                              role, grantee));
                    }
                } else if (rd != null) {
                    // Normal revoke of role from grantee.
                    //
                    // When a role is revoked, for every role in its grantee
                    // closure, we call the REVOKE_ROLE action. It is used to
                    // invalidate dependent objects (constraints, triggers and
                    // views).  Note that until DERBY-1632 is fixed, we risk
                    // dropping objects not really dependent on this role, but
                    // one some other role just because it inherits from this
                    // one. See also DropRoleConstantAction.
                    // Walk the closure of 'role' and invalidate dependents of
                    // each role in it before the grant itself is removed.
                    // NOTE(review): the 'false' argument presumably selects
                    // the grantee direction described in the comment above --
                    // confirm against createRoleClosureIterator.
                    RoleClosureIterator rci =
                        dd.createRoleClosureIterator
                        (activation.getTransactionController(),
                         role, false);

                    String r;
                    while ((r = rci.next()) != null) {
                        // rdDef is reused here, so after the loop it no
                        // longer refers to the definition of 'role'.
                        // NOTE(review): the lookup result is passed on
                        // without a null check in the visible lines.
                        rdDef = dd.getRoleDefinitionDescriptor(r);

                        dd.getDependencyManager().invalidateFor
                            (rdDef, DependencyManager.REVOKE_ROLE, lcc);
                    }

                    // Remove the grant descriptor only after all dependents
                    // have been invalidated.
                    rd.drop(lcc);

                } else {
                    activation.addWarning
                        (StandardException.newWarning
                         (SQLState.LANG_ROLE_NOT_REVOKED, role, grantee));

        // Defaults that stay in effect when td is null: no admin option and
        // isdef false.
        boolean                 wao = false;
        boolean                 isdef = false;

        if (td != null)
        {
            // Unchecked downcast: a descriptor of any other type fails here
            // with a ClassCastException.
            RoleGrantDescriptor rgd = (RoleGrantDescriptor)td;

            // Copy the grant's fields out of the descriptor.
            roleid = rgd.getRoleName();
            grantee = rgd.getGrantee();
            grantor = rgd.getGrantor();
            // wao carries the descriptor's WITH ADMIN OPTION flag.
            wao = rgd.isWithAdminOption();
            // NOTE(review): isDef() presumably distinguishes a role
            // definition from an ordinary grant -- confirm in
            // RoleGrantDescriptor.
            isdef = rgd.isDef();
            // NOTE(review): getUUID() is dereferenced without a null check.
            UUID oid = rgd.getUUID();
            oid_string = oid.toString();
        }

        /* Build the row to insert */
        row = getExecutionFactory().getValueRow(SYSROLES_COLUMN_COUNT);

         TupleDescriptor         parentTupleDescriptor,
         DataDictionary          dd )
        throws StandardException {

        DataValueDescriptor         col;
        RoleGrantDescriptor              descriptor;
        String                      oid_string;
        String                      roleid;
        String                      grantee;
        String                      grantor;
        String                      wao;

      // Register 'dependent' as depending on the definition of the role that
      // is current for this activation.
      DataDictionary dd = lcc.getDataDictionary();
      DependencyManager dm = dd.getDependencyManager();

      String role =
        lcc.getCurrentRoleId(activation);
      // NOTE(review): neither 'role' nor 'rgd' is null-checked in the
      // visible lines. If no role is current, or its definition no longer
      // exists, addDependency would be handed a null provider -- confirm
      // that the caller only reaches this point with a valid current role.
      RoleGrantDescriptor rgd =
        dd.getRoleDefinitionDescriptor(role);

      dm.addDependency
        (dependent, rgd,
         lcc.getContextManager());

      scanQualifier,                //
      (DataValueDescriptor[]) null, // stop position -through last row
      0);                           // stopSearchOperation - none

    ExecRow outRow =  rf.makeEmptyRow();
    RoleGrantDescriptor grantDescr;

    while (sc.fetchNext(outRow.getRowArray())) {
      // Turn the row just fetched by the scan into a role grant descriptor.
      grantDescr = (RoleGrantDescriptor)rf.buildDescriptor(
        outRow,
        (TupleDescriptor) null,
        this);

      // Next call is potentially inefficient.  We could read in
      // definitions first in a separate hash table limiting
      // this to a 2-pass scan.
      RoleGrantDescriptor granteeDef = getRoleDefinitionDescriptor
        (grantDescr.getGrantee());

      // Only grants whose grantee has a role definition get past this
      // point; every other row is dropped from the result being built.
      if (granteeDef == null) {
        // not a role, must be user authid, skip
        continue;
      }

      // Key selection: the grantee role's name when 'inverse' is set,
      // otherwise the name of the role that was granted.
      String hashKey;
      if (inverse) {
        hashKey = granteeDef.getRoleName();
      } else {
        hashKey = grantDescr.getRoleName();
      }

      List<RoleGrantDescriptor> arcs = hm.get(hashKey);

            for (Iterator gIter = grantees.iterator(); gIter.hasNext();) {
                String grantee = (String)gIter.next();

                // check that role exists
                RoleGrantDescriptor rdDef =
                    dd.getRoleDefinitionDescriptor(role);

                if (rdDef == null) {
                    throw StandardException.
                        newException(SQLState.ROLE_INVALID_SPECIFICATION, role);
                }

                // Check that role is granted to us (or PUBLIC) with
                // WITH ADMIN option so we can grant it. For database
                // owner, a role definition always fulfills this
                // requirement.  If we implement granting with WITH ADMIN
                // option later, we need to look for a grant to us (or
                // PUBLIC) which has WITH ADMIN. The role definition
                // descriptor will not suffice in that case, so we
                // need something like:
                //
                // rdDef = dd.findRoleGrantWithAdminToRoleOrPublic(grantor)
                // if (rdDef != null) {
                //   :
                // Authorization gate for GRANT role: the statement proceeds
                // only when the grantor is the database owner; any other
                // grantor is rejected with AUTH_ROLE_DBO_ONLY.
                // NOTE(review): equals() is an exact string match, so this
                // relies on 'grantor' and the stored owner id being in the
                // same normalized form -- confirm where 'grantor' is set.
                if (grantor.equals(lcc.getDataDictionary().
                                       getAuthorizationDatabaseOwner())) {
                    // All ok, we are database owner
                    // The assertions below run only when SanityManager.DEBUG
                    // is true. They are consistency checks on the role
                    // definition and take no part in the access decision.
                    if (SanityManager.DEBUG) {
                        SanityManager.ASSERT(
                            rdDef.getGrantee().equals(grantor),
                            "expected database owner in role grant descriptor");
                        SanityManager.ASSERT(
                            rdDef.isWithAdminOption(),
                            "expected role definition to have ADMIN OPTION");
                    }
                } else {
                    throw StandardException.newException
                        (SQLState.AUTH_ROLE_DBO_ONLY, "GRANT role");
                }

                // Has it already been granted?
                RoleGrantDescriptor rgd =
                    dd.getRoleGrantDescriptor(role, grantee, grantor);

                if (rgd != null &&
                        withAdminOption && !rgd.isWithAdminOption()) {

                    // NOTE: Never called yet, withAdminOption not yet
                    // implemented.

                    // Remove old descriptor and add a new one with admin
                    // option: cf. SQL 2003, section 12.5, general rule 3
                    rgd.drop(lcc);
                    rgd.setWithAdminOption(true);
                    dd.addDescriptor(rgd,
                                     null,  // parent
                                     DataDictionary.SYSROLES_CATALOG_NUM,
                                     false, // no duplicatesAllowed
                                     tc);
                } else if (rgd == null) {
                    // Check if the grantee is a role (if not, it is a user)
                    RoleGrantDescriptor granteeDef =
                        dd.getRoleDefinitionDescriptor(grantee);

                    if (granteeDef != null) {
                        checkCircularity(role, grantee, grantor, tc, dd);
                    }
