Changeset: bd8ab7d18f70 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=bd8ab7d18f70 Added Files: sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.err sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.out Modified Files: sql/server/rel_select.c sql/test/BugTracker-2019/Tests/All Branch: Nov2019 Log Message:
fixed bug 6765, make sure we allow access to columns which the users has SELECT priviliges on.
diffs (229 lines):
diff --git a/sql/server/rel_select.c b/sql/server/rel_select.c
--- a/sql/server/rel_select.c
+++ b/sql/server/rel_select.c
@@ -865,6 +865,27 @@ check_is_lateral(symbol *tableref)
 }
 }
+static sql_rel *
+rel_reduce_on_column_privileges(mvc *sql, sql_rel *rel, sql_table *t)
+{
+ list *exps = sa_list(sql->sa);
+
+ for (node *n = rel->exps->h, *m = t->columns.set->h; n && m; n = n->next, m = m->next) {
+ sql_exp *e = n->data;
+ sql_column *c = m->data;
+
+ if (column_privs(sql, c, PRIV_SELECT)) {
+ append(exps, e);
+ }
+ }
+ if (!list_empty(exps)) {
+ rel->exps = exps;
+ return rel;
+ }
+ return NULL;
+}
+
+
 sql_rel *
 table_ref(sql_query *query, sql_rel *rel, symbol *tableref, int lateral)
 {
@@ -878,6 +899,7 @@ table_ref(sql_query *query, sql_rel *rel
 sql_rel *temp_table = NULL;
 char *sname = qname_schema(name);
 sql_schema *s = NULL;
+ int allowed = 1;
 tname = qname_table(name);
@@ -903,7 +925,7 @@ table_ref(sql_query *query, sql_rel *rel
 if (!t && !temp_table) {
 return sql_error(sql, 02, SQLSTATE(42S02) "SELECT: no such table '%s'", tname);
 } else if (!temp_table && !table_privs(sql, t, PRIV_SELECT)) {
- return sql_error(sql, 02, SQLSTATE(42000) "SELECT: access denied for %s to table '%s.%s'", stack_get_string(sql, "current_user"), s->base.name, tname);
+ allowed = 0;
 }
 if (tableref->data.lval->h->next->data.sym) { /* AS */
 tname = tableref->data.lval->h->next->data.sym->data.lval->h->data.sval;
@@ -919,7 +941,9 @@ table_ref(sql_query *query, sql_rel *rel
 noninternexp_setname(sql->sa, e, tname, NULL);
 set_basecol(e);
 }
- return temp_table;
+ if (allowed)
+ return temp_table;
+ return sql_error(sql, 02, SQLSTATE(42000) "SELECT: access denied for %s to table '%s.%s'", stack_get_string(sql, "current_user"), s->base.name, tname);
 } else if (isView(t)) {
 /* instantiate base view */
 node *n,*m;
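Review bot: rel_reduce_on_column_privileges pairs `rel->exps` with `t->columns.set` by position only and stops at the shorter list, so it is correct only if the relation's expressions begin with t's columns in declaration order; an expression out of order would be kept or dropped under another column's privilege, and anything after the columns is silently dropped. That precondition belongs in a comment above the function, e.g. `/* Keep only the leading exps that correspond, by position, to columns the current user may SELECT; returns NULL if none remain. rel->exps must follow t's column order. */`. The loop also dereferences `rel->exps->h` without checking `rel`, while the base-table caller later in this diff hands in `res`; a guard such as `if (!rel || !rel->exps) return NULL;` at the top is cheap. Note the narrowing is silent: a query that names a dropped column later fails with `identifier 'id' unknown` (as the new stable.err records) rather than with an access-denied error, which the same comment should state.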
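Review bot: The new `return sql_error(...)` that follows `if (allowed) return temp_table;` appears unreachable: the only assignment `allowed = 0` (previous hunk) is guarded by `!temp_table`, and this branch returns `temp_table`, so `allowed` is still 1 whenever execution reaches it; the head of this branch lies outside the hunk, so this holds if it is the temp-table case. If temporary tables are meant to bypass the privilege check, the original `return temp_table;` should simply stay; if they are meant to be checked, the condition in the previous hunk has to change, not this return. The message also formats `s->base.name`, and a temporary table may be resolved without a schema qualifier, so confirm `s` cannot be NULL on this path before keeping it.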
@@ -932,7 +956,6 @@ table_ref(sql_query *query, sql_rel *rel
 if (!rel)
 return NULL;
- /* Rename columns of the rel_parse relation */
 if (sql->emode != m_deps) {
 rel = rel_project(sql->sa, rel, rel_projections(sql, rel, NULL, 1, 1));
@@ -947,12 +970,20 @@ table_ref(sql_query *query, sql_rel *rel
 set_basecol(e);
 }
 }
- return rel;
+ if (!allowed)
+ rel = rel_reduce_on_column_privileges(sql, rel, t);
+ if (allowed && rel)
+ return rel;
+ return sql_error(sql, 02, SQLSTATE(42000) "SELECT: access denied for %s to table '%s.%s'", stack_get_string(sql, "current_user"), s->base.name, tname);
 }
 if ((isMergeTable(t) || isReplicaTable(t)) && list_empty(t->members.set))
 return sql_error(sql, 02, SQLSTATE(42000) "MERGE or REPLICA TABLE should have at least one table associated");
- res = rel_basetable(sql, t, tname);
+ if (!allowed) {
+ res = rel_reduce_on_column_privileges(sql, res, t);
+ if (!res)
+ return sql_error(sql, 02, SQLSTATE(42000) "SELECT: access denied for %s to table '%s.%s'", stack_get_string(sql, "current_user"), s->base.name, tname);
+ }
 if (tableref->data.lval->h->next->data.sym && tableref->data.lval->h->next->data.sym->data.lval->h->next->data.lval) /* AS with column aliases */
 res = rel_table_optname(sql, res, tableref->data.lval->h->next->data.sym);
 return res;
diff --git a/sql/test/BugTracker-2019/Tests/All b/sql/test/BugTracker-2019/Tests/All
--- a/sql/test/BugTracker-2019/Tests/All
+++ b/sql/test/BugTracker-2019/Tests/All
@@ -36,7 +36,7 @@ merge-table-limit.Bug-6756
 double-free.Bug-6757
 HAVE_LIBPY3?python-loader-string.Bug-6759
 select-char.Bug-6761
-KNOWNFAIL?grant-select-column.Bug-6765
+grant-select-column.Bug-6765
 next-get-value-bulk.Bug-6766
 filter_json_null.Bug-6773
 prod-decimals.Bug-6774
diff --git a/sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.err b/sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.err
new file mode 100644
--- /dev/null
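Review bot: In the branch that returns `rel` (the isView case, per the earlier hunks), `if (allowed && rel) return rel;` can never succeed after the reduction, because `rel_reduce_on_column_privileges` is only called when `allowed == 0`; a view on which the user holds only column-level SELECT is therefore still rejected with access denied, the very case this commit sets out to fix (the new test only covers a base table). Since `rel` was already NULL-checked earlier in this branch, the condition should read `if (rel) return rel;`, mirroring the `if (!res) return sql_error(...)` structure used for base tables below. Separately, the hunk removes `res = rel_basetable(sql, t, tname);` without replacing it, so unless `res` is assigned somewhere outside the hunk the base-table path now reduces and returns an unassigned or NULL `res`; the call should be kept immediately before `if (!allowed) {`. table_ref starts and ends outside this hunk.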
+++ b/sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.err @@ -0,0 +1,29 @@ +stderr of test 'grant-select-column.Bug-6765` in directory 'sql/test/BugTracker-2019` itself: + + +# 22:34:40 > +# 22:34:40 > "/usr/bin/python3" "grant-select-column.Bug-6765.py" "grant-select-column.Bug-6765" +# 22:34:40 > + +MAPI = (myuser) /var/tmp/mtest-26496/.s.monetdb.31053 +QUERY = SELECT "id", "name" FROM "myschema"."test"; --error, no permission on column "name" +ERROR = !SELECT: identifier 'id' unknown +CODE = 42000 +# builtin opt gdk_dbpath = /home/niels/scratch/rc-nov2019/Linux-x86_64/var/monetdb5/dbfarm/demo +# builtin opt mapi_port = 50000 +# builtin opt mapi_open = false +# builtin opt mapi_ipv6 = false +# builtin opt mapi_autosense = false +# builtin opt sql_optimizer = default_pipe +# builtin opt sql_debug = 0 +# cmdline opt gdk_nr_threads = 0 +# cmdline opt mapi_open = true +# cmdline opt mapi_port = 31053 +# cmdline opt mapi_usock = /var/tmp/mtest-26496/.s.monetdb.31053 +# cmdline opt gdk_dbpath = /home/niels/scratch/rc-nov2019/Linux-x86_64/var/MonetDB/mTests_sql_test_BugTracker-2019 +#client4:!ERROR:ParseException:SQLparser:42000!SELECT: identifier 'id' unknown + +# 22:34:40 > +# 22:34:40 > "Done." +# 22:34:40 > + diff --git a/sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.out b/sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.out new file mode 100644 --- /dev/null +++ b/sql/test/BugTracker-2019/Tests/grant-select-column.Bug-6765.stable.out 
@@ -0,0 +1,88 @@ +stdout of test 'grant-select-column.Bug-6765` in directory 'sql/test/BugTracker-2019` itself: + + +# 22:34:40 > +# 22:34:40 > "/usr/bin/python3" "grant-select-column.Bug-6765.py" "grant-select-column.Bug-6765" +# 22:34:40 > + +#CREATE schema "myschema";CREATE TABLE "myschema"."test" ("id" integer, "name" varchar(20));INSERT INTO "myschema"."test" ("id", "name") VALUES (1,'Tom'),(2,'Karen');CREATE USER myuser WITH UNENCRYPTED PASSWORD 'Test123' NAME 'Hulk' SCHEMA "myschema";GRANT SELECT ON "myschema"."test" TO myuser; +#CREATE schema "myschema";CREATE TABLE "myschema"."test" ("id" integer, "name" varchar(20));INSERT INTO "myschema"."test" ("id", "name") VALUES (1,'Tom'),(2,'Karen');CREATE USER myuser WITH UNENCRYPTED PASSWORD 'Test123' NAME 'Hulk' SCHEMA "myschema";GRANT SELECT ON "myschema"."test" TO myuser; +#CREATE schema "myschema";CREATE TABLE "myschema"."test" ("id" integer, "name" varchar(20));INSERT INTO "myschema"."test" ("id", "name") VALUES (1,'Tom'),(2,'Karen');CREATE USER myuser WITH UNENCRYPTED PASSWORD 'Test123' NAME 'Hulk' SCHEMA "myschema";GRANT SELECT ON "myschema"."test" TO myuser; +[ 2 ] +#CREATE schema "myschema";CREATE TABLE "myschema"."test" ("id" integer, "name" varchar(20));INSERT INTO "myschema"."test" ("id", "name") VALUES (1,'Tom'),(2,'Karen');CREATE USER myuser WITH UNENCRYPTED PASSWORD 'Test123' NAME 'Hulk' SCHEMA "myschema";GRANT SELECT ON "myschema"."test" TO myuser; +#CREATE schema "myschema";CREATE TABLE "myschema"."test" ("id" integer, "name" varchar(20));INSERT INTO "myschema"."test" ("id", "name") VALUES (1,'Tom'),(2,'Karen');CREATE USER myuser WITH UNENCRYPTED PASSWORD 'Test123' NAME 'Hulk' SCHEMA "myschema";GRANT SELECT ON "myschema"."test" TO myuser; +#SELECT "id", "name" FROM "myschema"."test"; +% myschema.test, myschema.test # table_name +% id, name # name +% int, varchar # type +% 1, 5 # length +[ 1, "Tom" ] +[ 2, "Karen" ] +#REVOKE SELECT ON "myschema"."test" FROM myuser;GRANT SELECT ("name") ON 
"myschema"."test" TO myuser; +#REVOKE SELECT ON "myschema"."test" FROM myuser;GRANT SELECT ("name") ON "myschema"."test" TO myuser; +#SELECT "name" FROM "myschema"."test"; --ok +% myschema.test # table_name +% name # name +% varchar # type +% 5 # length +[ "Tom" ] +[ "Karen" ] +#DROP USER myuser;DROP SCHEMA "myschema" CASCADE; +#DROP USER myuser;DROP SCHEMA "myschema" CASCADE; +# MonetDB 5 server v11.35.0 (hg id: 0563f80544ab) +# This is an unreleased version +# Serving database 'mTests_sql_test_BugTracker-2019', using 8 threads +# Compiled for x86_64-pc-linux-gnu/64bit with 128bit integers +# Found 15.384 GiB available main-memory of which we use 12.538 GiB +# Copyright (c) 1993 - July 2008 CWI. +# Copyright (c) August 2008 - 2019 MonetDB B.V., all rights reserved +# Visit https://www.monetdb.org/ for further information +# Listening for connection requests on mapi:monetdb://xps13:31053/ +# Listening for UNIX domain connection requests on mapi:monetdb:///var/tmp/mtest-26496/.s.monetdb.31053 +# MonetDB/GIS module loaded +# SQL catalog created, loading sql scripts once +# loading sql script: 09_like.sql +# loading sql script: 10_math.sql +# loading sql script: 12_url.sql +# loading sql script: 13_date.sql +# loading sql script: 14_inet.sql +# loading sql script: 15_querylog.sql +# loading sql script: 16_tracelog.sql +# loading sql script: 17_temporal.sql +# loading sql script: 18_index.sql +# loading sql script: 20_vacuum.sql +# loading sql script: 21_dependency_views.sql +# loading sql script: 22_clients.sql +# loading sql script: 23_skyserver.sql +# loading sql script: 25_debug.sql +# loading sql script: 26_sysmon.sql +# loading sql script: 27_rejects.sql +# loading sql script: 39_analytics.sql +# loading sql script: 39_analytics_hge.sql +# loading sql script: 40_geom.sql +# loading sql script: 40_json.sql +# loading sql script: 40_json_hge.sql +# loading sql script: 41_md5sum.sql +# loading sql script: 45_uuid.sql +# loading sql script: 46_profiler.sql +# loading 
sql script: 51_sys_schema_extension.sql +# loading sql script: 60_wlcr.sql +# loading sql script: 61_wlcr.sql +# loading sql script: 72_fits.sql +# loading sql script: 74_netcdf.sql +# loading sql script: 75_lidar.sql +# loading sql script: 75_shp.sql +# loading sql script: 75_storagemodel.sql +# loading sql script: 80_statistics.sql +# loading sql script: 80_udf.sql +# loading sql script: 80_udf_hge.sql +# loading sql script: 85_bam.sql +# loading sql script: 90_generator.sql +# loading sql script: 90_generator_hge.sql +# loading sql script: 99_system.sql +# MonetDB/SQL module loaded + +# 22:34:40 > +# 22:34:40 > "Done." +# 22:34:40 > + _______________________________________________ checkin-list mailing list checkin-list@monetdb.org https://www.monetdb.org/mailman/listinfo/checkin-list