OmniSciDB  0fdbebe030
SysCatalog.h
1 /*
2  * Copyright 2019 MapD Technologies, Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
29 #ifndef SYS_CATALOG_H
30 #define SYS_CATALOG_H
31 
32 #include <atomic>
33 #include <cstdint>
34 #include <ctime>
35 #include <limits>
36 #include <list>
37 #include <map>
38 #include <mutex>
39 #include <string>
40 #include <unordered_map>
41 #include <utility>
42 #include <vector>
43 
44 #include "Grantee.h"
45 #include "LdapServer.h"
46 #include "ObjectRoleDescriptor.h"
47 #include "PkiServer.h"
48 #include "RestServer.h"
49 
50 #include "../DataMgr/DataMgr.h"
51 #include "../SqliteConnector/SqliteConnector.h"
52 #include "LeafHostInfo.h"
53 
54 #include "../Calcite/Calcite.h"
55 #include "../Shared/mapd_shared_mutex.h"
56 
// Name of the system catalog.
const std::string OMNISCI_SYSTEM_CATALOG = "omnisci_system_catalog";
// Name of the default database; SysCatalog::name() returns this value.
const std::string OMNISCI_DEFAULT_DB = "omnisci";
// Built-in root account: its user name, and its id as an integer and as a string.
const std::string OMNISCI_ROOT_USER = "admin";
const int OMNISCI_ROOT_USER_ID = 0;
const std::string OMNISCI_ROOT_USER_ID_STR = "0";
// NOTE(review): fixed, publicly known default password for the root account,
// compiled into every build. Presumably applied when a new system catalog is
// created (confirm in SysCatalog.cpp). A deployment that still accepts this
// value for OMNISCI_ROOT_USER has no effective root credential: change it
// during provisioning and check for it in configuration audits.
const std::string OMNISCI_ROOT_PASSWD_DEFAULT = "HyperInteractive";
63 
64 class Calcite;
65 
66 namespace Catalog_Namespace {
67 
/**
 * @brief Metadata describing one user account.
 *
 * isSuper is a std::atomic<bool>, which has no copy constructor, so the
 * copy constructor below is written by hand and stores a snapshot of the
 * source's flag taken with load().
 *
 * Every copy carries passwd_hash along with the other fields; keep
 * instances out of logs, error messages and client-facing responses.
 */
struct UserMetadata {
  int32_t userId;
  std::string userName;
  std::string passwd_hash;
  std::atomic<bool> isSuper{false};
  int32_t defaultDbId;
  bool can_login{true};

  /// Field-by-field constructor: id, name, password hash, superuser flag,
  /// default database id, login permission.
  UserMetadata(int32_t u,
               const std::string& n,
               const std::string& p,
               bool s,
               int32_t d,
               bool l)
      : userId(u), userName(n), passwd_hash(p), isSuper(s), defaultDbId(d), can_login(l) {}

  /// Copies every field of user_meta, reading its isSuper flag once.
  UserMetadata(UserMetadata const& user_meta)
      : userId(user_meta.userId)
      , userName(user_meta.userName)
      , passwd_hash(user_meta.passwd_hash)
      , isSuper(user_meta.isSuper.load())
      , defaultDbId(user_meta.defaultDbId)
      , can_login(user_meta.can_login) {}
};
100 
/**
 * @brief Metadata describing one database: numeric id, name, and the
 * numeric id stored as its owner.
 */
struct DBMetadata {
  /// Leaves both ids at 0 and the name empty.
  DBMetadata() {}

  int32_t dbId{0};
  std::string dbName;
  int32_t dbOwner{0};
};
111 
/**
 * @brief Summary of one database as two strings: the database name and
 * the name of its owner.
 */
struct DBSummary {
  std::string dbName;
  std::string dbOwnerName;
};

/// A list of database summaries.
using DBSummaryList = std::list<DBSummary>;
121 
public:
  // Binds base_path_ to the caller's string; nothing is copied.
  CommonFileOperations(std::string const& base_path) : base_path_(base_path) {}

  // Catalog file helpers. They are declared inline here without bodies; the two
  // that return `auto` have deduced return types, so they can only be called
  // where their definitions are visible.
  // NOTE(review): if `name` / `full_path` can be derived from a user-supplied
  // database name, confirm the implementation rejects path separators and ".."
  // before a path is assembled or removed.
  inline void removeCatalogByFullPath(std::string const& full_path);
  inline void removeCatalogByName(std::string const& name);
  inline auto duplicateAndRenameCatalog(std::string const& current_name,
                                        std::string const& new_name);
  inline auto assembleCatalogName(std::string const& name);

private:
  // NOTE(review): reference member. The string given to the constructor must
  // outlive this object; constructing from a temporary leaves this dangling.
  std::string const& base_path_;
};
135 
136 /*
137  * @type SysCatalog
138  * @brief class for the system-wide catalog, currently containing user and database
139  * metadata
140  */
public:
  // One-time setup of the system catalog from a base path, a data manager,
  // authentication settings, a Calcite handle and the string-dictionary hosts.
  // is_new_db presumably selects first-time creation — confirm in SysCatalog.cpp.
  void init(const std::string& basePath,
            std::shared_ptr<Data_Namespace::DataMgr> dataMgr,
            const AuthMetadata& authMetadata,
            std::shared_ptr<Calcite> calcite,
            bool is_new_db,
            bool aggregator,
            const std::vector<LeafHostInfo>& string_dict_hosts);

  // Logs a user in and returns the catalog to use. db and username are non-const
  // references, so the call may rewrite them; user_meta is an output.
  // NOTE(review): check_password defaults to true. Presumably false skips
  // password verification (confirm in SysCatalog.cpp); every call site passing
  // false should be backed by another authentication step.
  std::shared_ptr<Catalog> login(std::string& db,
                                 std::string& username,
                                 const std::string& password,
                                 UserMetadata& user_meta,
                                 bool check_password = true);
  // Returns the catalog for dbname on behalf of username; dbname may be rewritten.
  std::shared_ptr<Catalog> switchDatabase(std::string& dbname,
                                          const std::string& username);
  // Creates a user. passwd is presumably the clear-text password, hashed before
  // storage (UserMetadata holds passwd_hash) — confirm in the implementation.
  void createUser(const std::string& name,
                  const std::string& passwd,
                  bool issuper,
                  const std::string& dbname,
                  bool can_login);
  void dropUser(const std::string& name);
  // Changes attributes of the user with the given id. Each attribute is passed by
  // pointer; presumably nullptr means "leave unchanged" — confirm.
  void alterUser(const int32_t userid,
                 const std::string* passwd,
                 bool* issuper,
                 const std::string* dbname,
                 bool* can_login);
  void renameUser(std::string const& old_name, std::string const& new_name);
  // owner is an integer id, presumably the owning user's userId — confirm.
  void createDatabase(const std::string& dbname, int owner);
  void renameDatabase(std::string const& old_name, std::string const& new_name);
  void dropDatabase(const DBMetadata& db);
  // Lookups by name or id; the result is written to `user`. The bool result
  // presumably reports whether the user was found — confirm.
  bool getMetadataForUser(const std::string& name, UserMetadata& user);
  bool getMetadataForUserById(const int32_t idIn, UserMetadata& user);
  // Checks passwd for the named user. name is a non-const reference and user is
  // an output, so both may be modified by the call.
  bool checkPasswordForUser(const std::string& passwd,
                            std::string& name,
                            UserMetadata& user);
183  void getMetadataWithDefaultDB(std::string& dbname,
184  const std::string& username,
186  UserMetadata& user_meta);
// Database lookups by name or id; the result is written to `db`.
bool getMetadataForDB(const std::string& name, DBMetadata& db);
bool getMetadataForDBById(const int32_t idIn, DBMetadata& db);
// Dereferences calciteMgr_ without a null check, so it must already be set.
Calcite& getCalciteMgr() const { return *calciteMgr_; }
// Returns a reference to the stored base path.
const std::string& getBasePath() const { return basePath_; }
std::list<DBMetadata> getAllDBMetadata();
// Each returned UserMetadata includes passwd_hash; callers that pass the list
// on to clients or logs should drop or blank that field first.
std::list<UserMetadata> getAllUserMetadata();
// Overload restricted by a database id.
std::list<UserMetadata> getAllUserMetadata(const int64_t dbId);
200  void createDBObject(const UserMetadata& user,
201  const std::string& objectName,
203  const Catalog_Namespace::Catalog& catalog,
204  int32_t objectId = -1);
// Grant / revoke privileges on database objects, for one grantee and object or
// for batches of them. Grantees are identified by name.
// NOTE(review): nothing in these signatures identifies the caller, so the check
// that the caller may grant or revoke presumably happens before these are
// called — confirm at the call sites.
void grantDBObjectPrivileges(const std::string& grantee,
                             const DBObject& object,
                             const Catalog_Namespace::Catalog& catalog);
void grantDBObjectPrivilegesBatch(const std::vector<std::string>& grantees,
                                  const std::vector<DBObject>& objects,
                                  const Catalog_Namespace::Catalog& catalog);
void revokeDBObjectPrivileges(const std::string& grantee,
                              const DBObject& object,
                              const Catalog_Namespace::Catalog& catalog);
void revokeDBObjectPrivilegesBatch(const std::vector<std::string>& grantees,
                                   const std::vector<DBObject>& objects,
                                   const Catalog_Namespace::Catalog& catalog);
// Takes the object by value and the catalog by raw pointer, unlike its siblings.
void revokeDBObjectPrivilegesFromAll(DBObject object, Catalog* catalog);
// `object` is a non-const reference; presumably the privileges found are
// written into it — confirm.
void getDBObjectPrivileges(const std::string& granteeName,
                           DBObject& object,
                           const Catalog_Namespace::Catalog& catalog) const;
bool verifyDBObjectOwnership(const UserMetadata& user,
                             DBObject object,
                             const Catalog_Namespace::Catalog& catalog);
// Role management. userPrivateRole defaults to false.
void createRole(const std::string& roleName, const bool& userPrivateRole = false);
void dropRole(const std::string& roleName);
void grantRoleBatch(const std::vector<std::string>& roles,
                    const std::vector<std::string>& grantees);
void grantRole(const std::string& role, const std::string& grantee);
void revokeRoleBatch(const std::vector<std::string>& roles,
                     const std::vector<std::string>& grantees);
void revokeRole(const std::string& role, const std::string& grantee);
// Checks whether the user has any permissions on all the given objects.
// privObjects is a non-const reference, so the call may modify the vector.
bool hasAnyPrivileges(const UserMetadata& user, std::vector<DBObject>& privObjects);
// Checks whether the user has the requested permissions on all the given
// objects. Two overloads: by UserMetadata or by user name.
bool checkPrivileges(const UserMetadata& user,
                     const std::vector<DBObject>& privObjects) const;
bool checkPrivileges(const std::string& userName,
                     const std::vector<DBObject>& privObjects) const;
// Lookups by name that return raw pointers. Ownership and lifetime are not
// visible here; presumably the catalog keeps ownership and nullptr means
// "not found" — confirm before storing or deleting the result.
Grantee* getGrantee(const std::string& name) const;
Role* getRoleGrantee(const std::string& name) const;
User* getUserGrantee(const std::string& name) const;
std::vector<ObjectRoleDescriptor*> getMetadataForObject(int32_t dbId,
                                                        int32_t dbType,
                                                        int32_t objectId) const;
// only_direct presumably restricts the check to roles granted directly rather
// than through another role — confirm.
bool isRoleGrantedToGrantee(const std::string& granteeName,
                            const std::string& roleName,
                            bool only_direct) const;
std::vector<std::string> getRoles(bool userPrivateRole,
                                  bool isSuper,
                                  const std::string& userName);
std::vector<std::string> getRoles(const std::string& userName, const int32_t dbId);
// Both parameters are const by value, so each call copies the string and the vector.
void revokeDashboardSystemRole(const std::string roleName,
                               const std::vector<std::string> grantees);
// Returns the stored aggregator_ flag.
bool isAggregator() const { return aggregator_; }
// Process-wide accessor: a function-local static SysCatalog is constructed on
// the first call and the same object is returned on every call.
static SysCatalog& instance() {
  static SysCatalog sys_cat{};
  return sys_cat;
}

void populateRoleDbObjects(const std::vector<DBObject>& objects);
// Always returns OMNISCI_DEFAULT_DB (by value).
std::string name() const { return OMNISCI_DEFAULT_DB; }
264  const Catalog_Namespace::Catalog& cat);
// NOTE(review): idp_roles presumably originate from an external identity
// provider and should be treated as untrusted input. Confirm that the
// implementation only maps them onto roles that already exist, and that the
// provider can only set superuser status through issuper when that is intended.
void syncUserWithRemoteProvider(const std::string& user_name,
                                std::vector<std::string> idp_roles,
                                bool* issuper);
// Returns a map from string keys to lists of strings, built from the given
// dashboard ids; presumably dashboard id -> grantee names — confirm.
std::unordered_map<std::string, std::vector<std::string>> getGranteesOfSharedDashboards(
    const std::vector<std::string>& dashboard_ids);
// session is a non-const reference and may be rewritten by the call.
void check_for_session_encryption(const std::string& pki_cert, std::string& session);
271 
private:
  // Both maps are keyed by string and hold raw pointers; who deletes the
  // pointed-to objects is not visible in this header.
  using GranteeMap = std::map<std::string, Grantee*>;
  using ObjectRoleDescriptorMap = std::multimap<std::string, ObjectRoleDescriptor*>;
275 
278  , aggregator_(false)
279  , sqliteMutex_()
280  , sharedMutex_()
281  , thread_holding_sqlite_lock(std::thread::id())
282  , thread_holding_write_lock(std::thread::id()) {}
virtual ~SysCatalog();

// Private setup and migration steps; their bodies are not in this header.
void initDB();
void buildRoleMap();
void buildUserRoleMap();
void createUserRoles();
void migratePrivileges();
void migratePrivileged_old();
void updateUserSchema();

// Private counterparts of login() and checkPasswordForUser(). username and
// name are non-const references and may be rewritten by the call.
void loginImpl(std::string& username,
               const std::string& password,
               UserMetadata& user_meta);
bool checkPasswordForUserImpl(const std::string& passwd,
                              std::string& name,
                              UserMetadata& user);
306 
// Functions that are not wrapped into transactions (necessary for nested calls).
// The `_unsafe` suffix refers to that missing transaction wrapper: the caller is
// expected to provide the enclosing transaction, presumably through
// execInTransaction() below — confirm in SysCatalog.cpp.
void grantDefaultPrivilegesToRole_unsafe(const std::string& name, bool issuper);
void createRole_unsafe(const std::string& roleName,
                       const bool& userPrivateRole = false);
void dropRole_unsafe(const std::string& roleName);
void grantRoleBatch_unsafe(const std::vector<std::string>& roles,
                           const std::vector<std::string>& grantees);
void grantRole_unsafe(const std::string& roleName, const std::string& granteeName);
void revokeRoleBatch_unsafe(const std::vector<std::string>& roles,
                            const std::vector<std::string>& grantees);
void revokeRole_unsafe(const std::string& roleName, const std::string& granteeName);
void updateObjectDescriptorMap(const std::string& roleName,
                               DBObject& object,
                               bool roleType,
                               const Catalog_Namespace::Catalog& cat);
// Two overloads: by role name alone, or by role name plus object and catalog.
void deleteObjectDescriptorMap(const std::string& roleName);
void deleteObjectDescriptorMap(const std::string& roleName,
                               DBObject& object,
                               const Catalog_Namespace::Catalog& cat);
void grantDBObjectPrivilegesBatch_unsafe(const std::vector<std::string>& grantees,
                                         const std::vector<DBObject>& objects,
                                         const Catalog_Namespace::Catalog& catalog);
void grantDBObjectPrivileges_unsafe(const std::string& granteeName,
                                    const DBObject object,
                                    const Catalog_Namespace::Catalog& catalog);
void revokeDBObjectPrivilegesBatch_unsafe(const std::vector<std::string>& grantees,
                                          const std::vector<DBObject>& objects,
                                          const Catalog_Namespace::Catalog& catalog);
void revokeDBObjectPrivileges_unsafe(const std::string& granteeName,
                                     DBObject object,
                                     const Catalog_Namespace::Catalog& catalog);
void grantAllOnDatabase_unsafe(const std::string& roleName,
                               DBObject& object,
                               const Catalog_Namespace::Catalog& catalog);
void revokeAllOnDatabase_unsafe(const std::string& roleName,
                                int32_t dbId,
                                Grantee* grantee);
bool isDashboardSystemRole(const std::string& roleName);
void updateUserRoleName(const std::string& roleName, const std::string& newName);

// Calls f with args; per its name, inside a transaction. Only the declaration
// is visible here.
template <typename F, typename... Args>
void execInTransaction(F&& f, Args&&... args);
349 
// Base path; getBasePath() returns a reference to it.
std::string basePath_;
std::unique_ptr<SqliteConnector> sqliteConnector_;

std::shared_ptr<Data_Namespace::DataMgr> dataMgr_;
// Handles for the external LDAP, REST and PKI servers, each owned exclusively.
std::unique_ptr<LdapServer> ldap_server_;
std::unique_ptr<RestServer> rest_server_;
std::unique_ptr<PkiServer> pki_server_;
std::shared_ptr<Calcite> calciteMgr_;
std::vector<LeafHostInfo> string_dict_hosts_;

// NOTE(review): the members below are public, so any code holding a
// SysCatalog reference can lock sqliteMutex_ or overwrite the lock-owner ids.
// This header names std::thread::id, std::unique_ptr and std::shared_ptr, but
// its own include list has no <thread> or <memory>; it relies on another
// included header to provide them.
public:
  mutable std::mutex sqliteMutex_;
  // Thread ids, presumably of the threads currently holding the sqlite lock
  // and the write lock — confirm in SysCatalog.cpp.
  mutable std::atomic<std::thread::id> thread_holding_sqlite_lock;
  mutable std::atomic<std::thread::id> thread_holding_write_lock;
  // One flag per thread (thread_local), shared by all uses of the class (static).
  static thread_local bool thread_holds_read_lock;
371 };
372 
373 } // namespace Catalog_Namespace
374 
375 #endif // SYS_CATALOG_H
void revokeAllOnDatabase_unsafe(const std::string &roleName, int32_t dbId, Grantee *grantee)
std::unique_ptr< LdapServer > ldap_server_
Definition: SysCatalog.h:356
void revokeDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
std::unique_ptr< RestServer > rest_server_
Definition: SysCatalog.h:357
bool isDashboardSystemRole(const std::string &roleName)
void dropUser(const std::string &name)
Definition: SysCatalog.cpp:824
auto duplicateAndRenameCatalog(std::string const &current_name, std::string const &new_name)
Definition: SysCatalog.cpp:95
SqliteConnector * getSqliteConnector()
Definition: SysCatalog.h:192
class for a per-database catalog. also includes metadata for the current database and the current use...
Definition: Catalog.h:86
DBObjectType
Definition: DBObject.h:42
void revokeDashboardSystemRole(const std::string roleName, const std::vector< std::string > grantees)
std::map< std::string, Grantee * > GranteeMap
Definition: SysCatalog.h:273
void dropRole(const std::string &roleName)
bool checkPasswordForUser(const std::string &passwd, std::string &name, UserMetadata &user)
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
UserMetadata(UserMetadata const &user_meta)
Definition: SysCatalog.h:86
void revokeDBObjectPrivilegesFromAll(DBObject object, Catalog *catalog)
bool getMetadataForUser(const std::string &name, UserMetadata &user)
void revokeDBObjectPrivileges(const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
std::string name() const
Definition: SysCatalog.h:262
std::atomic< std::thread::id > thread_holding_sqlite_lock
Definition: SysCatalog.h:368
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:352
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
Definition: Grantee.h:70
void createRole_unsafe(const std::string &roleName, const bool &userPrivateRole=false)
Grantee * getGrantee(const std::string &name) const
void dropDatabase(const DBMetadata &db)
void loginImpl(std::string &username, const std::string &password, UserMetadata &user_meta)
Definition: SysCatalog.cpp:733
void createUser(const std::string &name, const std::string &passwd, bool issuper, const std::string &dbname, bool can_login)
Definition: SysCatalog.cpp:772
UserMetadata(int32_t u, const std::string &n, const std::string &p, bool s, int32_t d, bool l)
Definition: SysCatalog.h:73
Definition: Grantee.h:76
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
void init(const std::string &basePath, std::shared_ptr< Data_Namespace::DataMgr > dataMgr, const AuthMetadata &authMetadata, std::shared_ptr< Calcite > calcite, bool is_new_db, bool aggregator, const std::vector< LeafHostInfo > &string_dict_hosts)
Definition: SysCatalog.cpp:112
void createDBObject(const UserMetadata &user, const std::string &objectName, DBObjectType type, const Catalog_Namespace::Catalog &catalog, int32_t objectId=-1)
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName)
void getDBObjectPrivileges(const std::string &granteeName, DBObject &object, const Catalog_Namespace::Catalog &catalog) const
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
void alterUser(const int32_t userid, const std::string *passwd, bool *issuper, const std::string *dbname, bool *can_login)
Definition: SysCatalog.cpp:861
void grantRoleBatch(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
std::unique_ptr< PkiServer > pki_server_
Definition: SysCatalog.h:358
void revokeDBObjectPrivilegesBatch(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
const AuthMetadata * authMetadata_
Definition: SysCatalog.h:359
void createRole(const std::string &roleName, const bool &userPrivateRole=false)
void grantRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
Data_Namespace::DataMgr & getDataMgr() const
Definition: SysCatalog.h:189
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
static SysCatalog & instance()
Definition: SysCatalog.h:256
auto assembleCatalogName(std::string const &name)
Definition: SysCatalog.cpp:83
void getMetadataWithDefaultDB(std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
std::shared_timed_mutex mapd_shared_mutex
void renameObjectsInDescriptorMap(DBObject &object, const Catalog_Namespace::Catalog &cat)
bool checkPasswordForUserImpl(const std::string &passwd, std::string &name, UserMetadata &user)
std::shared_ptr< Catalog > login(std::string &db, std::string &username, const std::string &password, UserMetadata &user_meta, bool check_password=true)
Definition: SysCatalog.cpp:705
void revokeRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
void revokeRoleBatch(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:355
DBSummaryList getDatabaseListForUser(const UserMetadata &user)
std::shared_ptr< Catalog > switchDatabase(std::string &dbname, const std::string &username)
Definition: SysCatalog.cpp:741
Role * getRoleGrantee(const std::string &name) const
mapd_shared_mutex sharedMutex_
Definition: SysCatalog.h:367
User * getUserGrantee(const std::string &name) const
void grantDBObjectPrivilegesBatch(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void grantDBObjectPrivileges(const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:353
CommonFileOperations(std::string const &base_path)
Definition: SysCatalog.h:124
void updateUserRoleName(const std::string &roleName, const std::string &newName)
Definition: SysCatalog.cpp:930
std::list< UserMetadata > getAllUserMetadata()
void grantDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)
void check_for_session_encryption(const std::string &pki_cert, std::string &session)
Definition: SysCatalog.cpp:764
void syncUserWithRemoteProvider(const std::string &user_name, std::vector< std::string > idp_roles, bool *issuper)
void renameUser(std::string const &old_name, std::string const &new_name)
Definition: SysCatalog.cpp:942
void revokeRole_unsafe(const std::string &roleName, const std::string &granteeName)
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const
bool hasAnyPrivileges(const UserMetadata &user, std::vector< DBObject > &privObjects)
void deleteObjectDescriptorMap(const std::string &roleName)
void removeCatalogByName(std::string const &name)
Definition: SysCatalog.cpp:91
const std::string OMNISCI_ROOT_USER
Definition: SysCatalog.h:59
const std::string OMNISCI_ROOT_PASSWD_DEFAULT
Definition: SysCatalog.h:62
void updateObjectDescriptorMap(const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
void grantRole(const std::string &role, const std::string &grantee)
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
std::list< DBMetadata > getAllDBMetadata()
void renameDatabase(std::string const &old_name, std::string const &new_name)
Definition: SysCatalog.cpp:975
const std::string & getBasePath() const
Definition: SysCatalog.h:191
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)
bool verifyDBObjectOwnership(const UserMetadata &user, DBObject object, const Catalog_Namespace::Catalog &catalog)
const std::string OMNISCI_ROOT_USER_ID_STR
Definition: SysCatalog.h:61
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:361
bool g_enable_watchdog false
Definition: Execute.cpp:71
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:360
std::unordered_map< std::string, std::vector< std::string > > getGranteesOfSharedDashboards(const std::vector< std::string > &dashboard_ids)
std::list< DBSummary > DBSummaryList
Definition: SysCatalog.h:120
void populateRoleDbObjects(const std::vector< DBObject > &objects)
static thread_local bool thread_holds_read_lock
Definition: SysCatalog.h:370
void grantDefaultPrivilegesToRole_unsafe(const std::string &name, bool issuper)
void revokeRole(const std::string &role, const std::string &grantee)
Calcite & getCalciteMgr() const
Definition: SysCatalog.h:190
std::multimap< std::string, ObjectRoleDescriptor * > ObjectRoleDescriptorMap
Definition: SysCatalog.h:274
bool getMetadataForDBById(const int32_t idIn, DBMetadata &db)
void createDatabase(const std::string &dbname, int owner)
void removeCatalogByFullPath(std::string const &full_path)
Definition: SysCatalog.cpp:87
std::vector< ObjectRoleDescriptor * > getMetadataForObject(int32_t dbId, int32_t dbType, int32_t objectId) const
std::atomic< bool > isSuper
Definition: SysCatalog.h:96
bool getMetadataForDB(const std::string &name, DBMetadata &db)
void dropRole_unsafe(const std::string &roleName)
std::vector< std::string > getRoles(bool userPrivateRole, bool isSuper, const std::string &userName)
std::atomic< std::thread::id > thread_holding_write_lock
Definition: SysCatalog.h:369