OmniSciDB  1dac507f6e
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
Catalog_Namespace::SysCatalog Class Reference

#include <SysCatalog.h>

+ Inheritance diagram for Catalog_Namespace::SysCatalog:
+ Collaboration diagram for Catalog_Namespace::SysCatalog:

Public Member Functions

void init (const std::string &basePath, std::shared_ptr< Data_Namespace::DataMgr > dataMgr, const AuthMetadata &authMetadata, std::shared_ptr< Calcite > calcite, bool is_new_db, bool aggregator, const std::vector< LeafHostInfo > &string_dict_hosts)
 
std::shared_ptr< Cataloglogin (std::string &db, std::string &username, const std::string &password, UserMetadata &user_meta, bool check_password=true)
 
std::shared_ptr< CatalogswitchDatabase (std::string &dbname, const std::string &username)
 
void createUser (const std::string &name, const std::string &passwd, bool issuper, const std::string &dbname)
 
void dropUser (const std::string &name)
 
void alterUser (const int32_t userid, const std::string *passwd, bool *issuper, const std::string *dbname)
 
void renameUser (std::string const &old_name, std::string const &new_name)
 
void createDatabase (const std::string &dbname, int owner)
 
void renameDatabase (std::string const &old_name, std::string const &new_name)
 
void dropDatabase (const DBMetadata &db)
 
bool getMetadataForUser (const std::string &name, UserMetadata &user)
 
bool getMetadataForUserById (const int32_t idIn, UserMetadata &user)
 
bool checkPasswordForUser (const std::string &passwd, std::string &name, UserMetadata &user)
 
void getMetadataWithDefault (std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
 
bool getMetadataForDB (const std::string &name, DBMetadata &db)
 
bool getMetadataForDBById (const int32_t idIn, DBMetadata &db)
 
Data_Namespace::DataMgrgetDataMgr () const
 
CalcitegetCalciteMgr () const
 
const std::string & getBasePath () const
 
SqliteConnectorgetSqliteConnector ()
 
std::list< DBMetadatagetAllDBMetadata ()
 
std::list< UserMetadatagetAllUserMetadata ()
 
std::list< UserMetadatagetAllUserMetadata (const int64_t dbId)
 
DBSummaryList getDatabaseListForUser (const UserMetadata &user)
 
void createDBObject (const UserMetadata &user, const std::string &objectName, DBObjectType type, const Catalog_Namespace::Catalog &catalog, int32_t objectId=-1)
 
void grantDBObjectPrivileges (const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivilegesBatch (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivileges (const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesBatch (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesFromAll (DBObject object, Catalog *catalog)
 
void revokeDBObjectPrivilegesFromAll_unsafe (DBObject object, Catalog *catalog)
 
void getDBObjectPrivileges (const std::string &granteeName, DBObject &object, const Catalog_Namespace::Catalog &catalog) const
 
bool verifyDBObjectOwnership (const UserMetadata &user, DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void createRole (const std::string &roleName, const bool &userPrivateRole=false)
 
void dropRole (const std::string &roleName)
 
void grantRoleBatch (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void grantRole (const std::string &role, const std::string &grantee)
 
void revokeRoleBatch (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void revokeRole (const std::string &role, const std::string &grantee)
 
bool hasAnyPrivileges (const UserMetadata &user, std::vector< DBObject > &privObjects)
 
bool checkPrivileges (const UserMetadata &user, const std::vector< DBObject > &privObjects) const
 
bool checkPrivileges (const std::string &userName, const std::vector< DBObject > &privObjects) const
 
GranteegetGrantee (const std::string &name) const
 
RolegetRoleGrantee (const std::string &name) const
 
UsergetUserGrantee (const std::string &name) const
 
std::vector
< ObjectRoleDescriptor * > 
getMetadataForObject (int32_t dbId, int32_t dbType, int32_t objectId) const
 
bool isRoleGrantedToGrantee (const std::string &granteeName, const std::string &roleName, bool only_direct) const
 
std::vector< std::string > getRoles (bool userPrivateRole, bool isSuper, const std::string &userName)
 
std::vector< std::string > getRoles (const std::string &userName, const int32_t dbId)
 
void revokeDashboardSystemRole (const std::string roleName, const std::vector< std::string > grantees)
 
bool isAggregator () const
 
void populateRoleDbObjects (const std::vector< DBObject > &objects)
 
std::string name () const
 
void renameObjectsInDescriptorMap (DBObject &object, const Catalog_Namespace::Catalog &cat)
 
void syncUserWithRemoteProvider (const std::string &user_name, const std::vector< std::string > &roles, bool *issuper)
 
std::unordered_map
< std::string, std::vector
< std::string > > 
getGranteesOfSharedDashboards (const std::vector< std::string > &dashboard_ids)
 

Static Public Member Functions

static SysCataloginstance ()
 

Public Attributes

std::mutex sqliteMutex_
 
mapd_shared_mutex sharedMutex_
 
std::atomic< std::thread::id > thread_holding_sqlite_lock
 
std::atomic< std::thread::id > thread_holding_write_lock
 

Static Public Attributes

static thread_local bool thread_holds_read_lock = false
 

Private Types

typedef std::map< std::string,
Grantee * > 
GranteeMap
 
typedef std::multimap
< std::string,
ObjectRoleDescriptor * > 
ObjectRoleDescriptorMap
 

Private Member Functions

 SysCatalog ()
 
virtual ~SysCatalog ()
 
void initDB ()
 
void buildRoleMap ()
 
void buildUserRoleMap ()
 
void buildObjectDescriptorMap ()
 
void checkAndExecuteMigrations ()
 
void importDataFromOldMapdDB ()
 
void createUserRoles ()
 
void migratePrivileges ()
 
void migratePrivileged_old ()
 
void updateUserSchema ()
 
void updatePasswordsToHashes ()
 
void updateBlankPasswordsToRandom ()
 
void migrateDBAccessPrivileges ()
 
void loginImpl (std::string &username, const std::string &password, UserMetadata &user_meta)
 
bool checkPasswordForUserImpl (const std::string &passwd, std::string &name, UserMetadata &user)
 
void grantDefaultPrivilegesToRole_unsafe (const std::string &name, bool issuper)
 
void createRole_unsafe (const std::string &roleName, const bool &userPrivateRole=false)
 
void dropRole_unsafe (const std::string &roleName)
 
void grantRoleBatch_unsafe (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void grantRole_unsafe (const std::string &roleName, const std::string &granteeName)
 
void revokeRoleBatch_unsafe (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void revokeRole_unsafe (const std::string &roleName, const std::string &granteeName)
 
void updateObjectDescriptorMap (const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
 
void deleteObjectDescriptorMap (const std::string &roleName)
 
void deleteObjectDescriptorMap (const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &cat)
 
void grantDBObjectPrivilegesBatch_unsafe (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivileges_unsafe (const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesBatch_unsafe (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivileges_unsafe (const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void grantAllOnDatabase_unsafe (const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void revokeAllOnDatabase_unsafe (const std::string &roleName, int32_t dbId, Grantee *grantee)
 
bool isDashboardSystemRole (const std::string &roleName)
 
void updateUserRoleName (const std::string &roleName, const std::string &newName)
 
template<typename F , typename... Args>
void execInTransaction (F &&f, Args &&...args)
 
auto yieldTransactionStreamer ()
 
- Private Member Functions inherited from Catalog_Namespace::CommonFileOperations
 CommonFileOperations (std::string const &base_path)
 
void removeCatalogByFullPath (std::string const &full_path)
 
void removeCatalogByName (std::string const &name)
 
auto duplicateAndRenameCatalog (std::string const &current_name, std::string const &new_name)
 
auto assembleCatalogName (std::string const &name)
 

Private Attributes

std::string basePath_
 
GranteeMap granteeMap_
 
ObjectRoleDescriptorMap objectDescriptorMap_
 
std::unique_ptr< SqliteConnectorsqliteConnector_
 
std::shared_ptr
< Data_Namespace::DataMgr
dataMgr_
 
std::unique_ptr< LdapServerldap_server_
 
std::unique_ptr< RestServerrest_server_
 
const AuthMetadataauthMetadata_
 
std::shared_ptr< CalcitecalciteMgr_
 
std::vector< LeafHostInfostring_dict_hosts_
 
bool aggregator_
 

Detailed Description

Definition at line 129 of file SysCatalog.h.

Member Typedef Documentation

typedef std::map<std::string, Grantee*> Catalog_Namespace::SysCatalog::GranteeMap
private

Definition at line 258 of file SysCatalog.h.

Definition at line 259 of file SysCatalog.h.

Constructor & Destructor Documentation

Catalog_Namespace::SysCatalog::SysCatalog ( )
inlineprivate

Definition at line 261 of file SysCatalog.h.

263  , aggregator_(false)
264  , sqliteMutex_()
265  , sharedMutex_()
266  , thread_holding_sqlite_lock(std::thread::id())
267  , thread_holding_write_lock(std::thread::id()) {}
std::atomic< std::thread::id > thread_holding_sqlite_lock
Definition: SysCatalog.h:351
mapd_shared_mutex sharedMutex_
Definition: SysCatalog.h:350
CommonFileOperations(std::string const &base_path)
Definition: SysCatalog.h:112
std::atomic< std::thread::id > thread_holding_write_lock
Definition: SysCatalog.h:352
Catalog_Namespace::SysCatalog::~SysCatalog ( )
privatevirtual

Definition at line 144 of file SysCatalog.cpp.

References granteeMap_, and objectDescriptorMap_.

144  {
145  sys_write_lock write_lock(this);
146  for (auto grantee = granteeMap_.begin(); grantee != granteeMap_.end(); ++grantee) {
147  delete grantee->second;
148  }
149  granteeMap_.clear();
150  for (ObjectRoleDescriptorMap::iterator objectIt = objectDescriptorMap_.begin();
151  objectIt != objectDescriptorMap_.end();) {
152  ObjectRoleDescriptorMap::iterator eraseIt = objectIt++;
153  delete eraseIt->second;
154  }
155  objectDescriptorMap_.clear();
156 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75

Member Function Documentation

void Catalog_Namespace::SysCatalog::alterUser ( const int32_t  userid,
const std::string *  passwd,
bool *  issuper,
const std::string *  dbname 
)

Definition at line 811 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::append_with_commas, Catalog_Namespace::DBMetadata::dbId, getMetadataForDB(), anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), instance(), sqliteConnector_, and to_string().

Referenced by syncUserWithRemoteProvider().

814  {
815  sys_sqlite_lock sqlite_lock(this);
816  sqliteConnector_->query("BEGIN TRANSACTION");
817  try {
818  string sql;
819  std::vector<std::string> values;
820 
821  if (passwd != nullptr) {
822  append_with_commas(sql, "passwd_hash = ?");
823  values.push_back(hash_with_bcrypt(*passwd));
824  }
825 
826  if (issuper != nullptr) {
827  append_with_commas(sql, "issuper = ?");
828  values.push_back(std::to_string(*issuper));
829  }
830 
831  if (dbname != nullptr) {
832  if (!dbname->empty()) {
833  append_with_commas(sql, "default_db = ?");
834  DBMetadata db;
835  if (!SysCatalog::instance().getMetadataForDB(*dbname, db)) {
836  throw runtime_error(string("DEFAULT_DB ") + *dbname + " not found.");
837  }
838  values.push_back(std::to_string(db.dbId));
839  } else {
840  append_with_commas(sql, "default_db = NULL");
841  }
842  }
843 
844  sql = "UPDATE mapd_users SET " + sql + " WHERE userid = ?";
845  values.push_back(std::to_string(userid));
846 
847  sqliteConnector_->query_with_text_params(sql, values);
848  } catch (const std::exception& e) {
849  sqliteConnector_->query("ROLLBACK TRANSACTION");
850  throw;
851  }
852  sqliteConnector_->query("END TRANSACTION");
853 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static SysCatalog & instance()
Definition: SysCatalog.h:242
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:61
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::buildObjectDescriptorMap ( )
private

Definition at line 2041 of file SysCatalog.cpp.

References ObjectRoleDescriptor::dbId, objectDescriptorMap_, ObjectRoleDescriptor::objectId, ObjectRoleDescriptor::objectName, ObjectRoleDescriptor::objectOwnerId, ObjectRoleDescriptor::objectType, AccessPrivileges::privileges, ObjectRoleDescriptor::privs, ObjectRoleDescriptor::roleName, ObjectRoleDescriptor::roleType, sqliteConnector_, and to_string().

Referenced by init().

2041  {
2042  sys_write_lock write_lock(this);
2043  sys_sqlite_lock sqlite_lock(this);
2044  string objectQuery(
2045  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
2046  "objectPermissions, objectOwnerId, objectName "
2047  "from mapd_object_permissions");
2048  sqliteConnector_->query(objectQuery);
2049  size_t numRows = sqliteConnector_->getNumRows();
2050  for (size_t r = 0; r < numRows; ++r) {
2052  od->roleName = sqliteConnector_->getData<string>(r, 0);
2053  od->roleType = sqliteConnector_->getData<bool>(r, 1);
2054  od->objectType = sqliteConnector_->getData<int>(r, 2);
2055  od->dbId = sqliteConnector_->getData<int>(r, 3);
2056  od->objectId = sqliteConnector_->getData<int>(r, 4);
2057  od->privs.privileges = sqliteConnector_->getData<int>(r, 5);
2058  od->objectOwnerId = sqliteConnector_->getData<int>(r, 6);
2059  od->objectName = sqliteConnector_->getData<string>(r, 7);
2060  objectDescriptorMap_.insert(ObjectRoleDescriptorMap::value_type(
2061  std::to_string(od->dbId) + ":" + std::to_string(od->objectType) + ":" +
2062  std::to_string(od->objectId),
2063  od));
2064  }
2065 }
specifies the object_roles content in-memory of a row in mapd_object_permissions table ...
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
int64_t privileges
Definition: DBObject.h:126

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::buildRoleMap ( )
private

Definition at line 1923 of file SysCatalog.cpp.

References DatabaseDBObjectType, DBObjectKey::fromString(), getGrantee(), granteeMap_, name(), AccessPrivileges::privileges, sqliteConnector_, and to_upper().

Referenced by init().

1923  {
1924  sys_write_lock write_lock(this);
1925  sys_sqlite_lock sqlite_lock(this);
1926  string roleQuery(
1927  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
1928  "objectPermissions, objectOwnerId, objectName "
1929  "from mapd_object_permissions");
1930  sqliteConnector_->query(roleQuery);
1931  size_t numRows = sqliteConnector_->getNumRows();
1932  std::vector<std::string> objectKeyStr(4);
1933  DBObjectKey objectKey;
1934  AccessPrivileges privs;
1935  bool userPrivateRole(false);
1936  for (size_t r = 0; r < numRows; ++r) {
1937  std::string roleName = sqliteConnector_->getData<string>(r, 0);
1938  userPrivateRole = sqliteConnector_->getData<bool>(r, 1);
1939  DBObjectType permissionType =
1940  static_cast<DBObjectType>(sqliteConnector_->getData<int>(r, 2));
1941  objectKeyStr[0] = sqliteConnector_->getData<string>(r, 2);
1942  objectKeyStr[1] = sqliteConnector_->getData<string>(r, 3);
1943  objectKeyStr[2] = sqliteConnector_->getData<string>(r, 4);
1944  objectKey = DBObjectKey::fromString(objectKeyStr, permissionType);
1945  privs.privileges = sqliteConnector_->getData<int>(r, 5);
1946  int32_t owner = sqliteConnector_->getData<int>(r, 6);
1947  std::string name = sqliteConnector_->getData<string>(r, 7);
1948 
1949  DBObject dbObject(objectKey, privs, owner);
1950  dbObject.setName(name);
1951  if (-1 == objectKey.objectId) {
1952  dbObject.setObjectType(DBObjectType::DatabaseDBObjectType);
1953  } else {
1954  dbObject.setObjectType(permissionType);
1955  }
1956 
1957  auto* rl = getGrantee(roleName);
1958  if (!rl) {
1959  if (userPrivateRole) {
1960  rl = new User(roleName);
1961  } else {
1962  rl = new Role(roleName);
1963  }
1964  granteeMap_[to_upper(roleName)] = rl;
1965  }
1966  rl->grantPrivileges(dbObject);
1967  }
1968 }
DBObjectType
Definition: DBObject.h:42
std::string name() const
Definition: SysCatalog.h:248
Definition: Grantee.h:70
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static DBObjectKey fromString(const std::vector< std::string > &key, const DBObjectType &type)
Definition: DBObject.cpp:228
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
std::string to_upper(const std::string &str)
int64_t privileges
Definition: DBObject.h:126

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::buildUserRoleMap ( )
private

Definition at line 1993 of file SysCatalog.cpp.

References getGrantee(), OMNISCI_ROOT_USER, and sqliteConnector_.

Referenced by init().

1993  {
1994  sys_write_lock write_lock(this);
1995  sys_sqlite_lock sqlite_lock(this);
1996  std::vector<std::pair<std::string, std::string>> granteeRooles;
1997  string userRoleQuery("SELECT roleName, userName from mapd_roles");
1998  sqliteConnector_->query(userRoleQuery);
1999  size_t numRows = sqliteConnector_->getNumRows();
2000  for (size_t r = 0; r < numRows; ++r) {
2001  std::string roleName = sqliteConnector_->getData<string>(r, 0);
2002  std::string userName = sqliteConnector_->getData<string>(r, 1);
2003  // required for declared nomenclature before v4.0.0
2004  if ((boost::equals(roleName, "mapd_default_suser_role") &&
2005  boost::equals(userName, OMNISCI_ROOT_USER)) ||
2006  (boost::equals(roleName, "mapd_default_user_role") &&
2007  !boost::equals(userName, "mapd_default_user_role"))) {
2008  // grouprole already exists with roleName==userName in mapd_roles table
2009  // ignore duplicate instances of userRole which exists before v4.0.0
2010  continue;
2011  }
2012  auto* rl = getGrantee(roleName);
2013  if (!rl) {
2014  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2015  " from db not found in the map.");
2016  }
2017  std::pair<std::string, std::string> roleVecElem(roleName, userName);
2018  granteeRooles.push_back(roleVecElem);
2019  }
2020 
2021  for (size_t i = 0; i < granteeRooles.size(); i++) {
2022  std::string roleName = granteeRooles[i].first;
2023  std::string granteeName = granteeRooles[i].second;
2024  auto* grantee = getGrantee(granteeName);
2025  if (!grantee) {
2026  throw runtime_error("Data inconsistency when building role map. Grantee " +
2027  granteeName + " not found in the map.");
2028  }
2029  if (granteeName == roleName) {
2030  continue;
2031  }
2032  Role* rl = dynamic_cast<Role*>(getGrantee(roleName));
2033  if (!rl) {
2034  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2035  " not found in the map.");
2036  }
2037  grantee->grantRole(rl);
2038  }
2039 }
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
const std::string OMNISCI_ROOT_USER
Definition: SysCatalog.h:59

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::checkAndExecuteMigrations ( )
private

Definition at line 196 of file SysCatalog.cpp.

References createUserRoles(), migrateDBAccessPrivileges(), migratePrivileged_old(), migratePrivileges(), updateBlankPasswordsToRandom(), updatePasswordsToHashes(), and updateUserSchema().

Referenced by init().

196  {
198  createUserRoles();
201  updateUserSchema(); // must come before updatePasswordsToHashes()
203  updateBlankPasswordsToRandom(); // must come after updatePasswordsToHashes()
204 }

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPasswordForUser ( const std::string &  passwd,
std::string &  name,
UserMetadata user 
)

Definition at line 1106 of file SysCatalog.cpp.

References checkPasswordForUserImpl().

Referenced by loginImpl().

1108  {
1109  return checkPasswordForUserImpl(passwd, name, user);
1110 }
std::string name() const
Definition: SysCatalog.h:248
bool checkPasswordForUserImpl(const std::string &passwd, std::string &name, UserMetadata &user)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPasswordForUserImpl ( const std::string &  passwd,
std::string &  name,
UserMetadata user 
)
private

Definition at line 1112 of file SysCatalog.cpp.

References CHECK(), getMetadataForUser(), LOG, Catalog_Namespace::UserMetadata::passwd_hash, and logger::WARNING.

Referenced by checkPasswordForUser().

1114  {
1115  if (!getMetadataForUser(name, user)) {
1116  // Check password against some fake hash just to waste time so that response times
1117  // for invalid password and invalid user are similar and a caller can't say the
1118  // difference
1119  char fake_hash[BCRYPT_HASHSIZE];
1120  CHECK(bcrypt_gensalt(-1, fake_hash) == 0);
1121  bcrypt_checkpw(passwd.c_str(), fake_hash);
1122  LOG(WARNING) << "Local login failed";
1123  return false;
1124  }
1125  int pwd_check_result = bcrypt_checkpw(passwd.c_str(), user.passwd_hash.c_str());
1126  // if the check fails there is a good chance that data on disc is broken
1127  CHECK(pwd_check_result >= 0);
1128  if (pwd_check_result != 0) {
1129  LOG(WARNING) << "Local login failed";
1130  return false;
1131  }
1132  return true;
1133 }
#define LOG(tag)
Definition: Logger.h:185
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:248
CHECK(cgen_state)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPrivileges ( const UserMetadata user,
const std::vector< DBObject > &  privObjects 
) const

Definition at line 1784 of file SysCatalog.cpp.

References getUserGrantee(), instance(), Catalog_Namespace::UserMetadata::isSuper, and Catalog_Namespace::UserMetadata::userName.

Referenced by Catalog_Namespace::SessionInfo::checkDBAccessPrivileges(), checkPrivileges(), getDatabaseListForUser(), and switchDatabase().

1785  {
1786  sys_read_lock read_lock(this);
1787  if (user.isSuper) {
1788  return true;
1789  }
1790 
1791  auto* user_rl = instance().getUserGrantee(user.userName);
1792  if (!user_rl) {
1793  throw runtime_error("User " + user.userName + " does not exist.");
1794  }
1795  for (auto& object : privObjects) {
1796  if (!user_rl->checkPrivileges(object)) {
1797  return false;
1798  }
1799  }
1800  return true;
1801 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
static SysCatalog & instance()
Definition: SysCatalog.h:242
User * getUserGrantee(const std::string &name) const

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPrivileges ( const std::string &  userName,
const std::vector< DBObject > &  privObjects 
) const

Definition at line 1803 of file SysCatalog.cpp.

References checkPrivileges(), getMetadataForUser(), and instance().

1804  {
1805  UserMetadata user;
1806  if (!instance().getMetadataForUser(userName, user)) {
1807  throw runtime_error("Request to check privileges for user " + userName +
1808  " failed because user with this name does not exist.");
1809  }
1810  return (checkPrivileges(user, privObjects));
1811 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
static SysCatalog & instance()
Definition: SysCatalog.h:242

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::createDatabase ( const std::string &  dbname,
int  owner 
)

Definition at line 967 of file SysCatalog.cpp.

References basePath_, calciteMgr_, CHECK(), DatabaseDBObjectType, dataMgr_, Catalog_Namespace::Catalog::get(), getMetadataForDB(), getMetadataForUserById(), grantAllOnDatabase_unsafe(), OMNISCI_ROOT_USER_ID, OMNISCI_SYSTEM_CATALOG, sqliteConnector_, string_dict_hosts_, to_string(), to_upper(), and Catalog_Namespace::UserMetadata::userName.

Referenced by initDB().

967  {
968  sys_write_lock write_lock(this);
969  sys_sqlite_lock sqlite_lock(this);
970 
971  DBMetadata db;
972  if (getMetadataForDB(name, db)) {
973  throw runtime_error("Database " + name + " already exists.");
974  }
976  throw runtime_error("Database name " + name + " is reserved.");
977  }
978 
979  std::unique_ptr<SqliteConnector> dbConn(
980  new SqliteConnector(name, basePath_ + "/mapd_catalogs/"));
981  // NOTE(max): it's okay to run this in a separate transaction. If we fail later
982  // we delete the database anyways.
983  // If we run it in the same transaction as SysCatalog functions, then Catalog
984  // constructor won't find the tables we have just created.
985  dbConn->query("BEGIN TRANSACTION");
986  try {
987  dbConn->query(
988  "CREATE TABLE mapd_tables (tableid integer primary key, name text unique, userid "
989  "integer, ncolumns integer, "
990  "isview boolean, "
991  "fragments text, frag_type integer, max_frag_rows integer, max_chunk_size "
992  "bigint, "
993  "frag_page_size integer, "
994  "max_rows bigint, partitions text, shard_column_id integer, shard integer, "
995  "sort_column_id integer default 0, "
996  "num_shards integer, key_metainfo TEXT, version_num "
997  "BIGINT DEFAULT 1) ");
998  dbConn->query(
999  "CREATE TABLE mapd_columns (tableid integer references mapd_tables, columnid "
1000  "integer, name text, coltype "
1001  "integer, colsubtype integer, coldim integer, colscale integer, is_notnull "
1002  "boolean, compression integer, "
1003  "comp_param integer, size integer, chunks text, is_systemcol boolean, "
1004  "is_virtualcol boolean, virtual_expr "
1005  "text, is_deletedcol boolean, version_num BIGINT, "
1006  "primary key(tableid, columnid), unique(tableid, name))");
1007  dbConn->query(
1008  "CREATE TABLE mapd_views (tableid integer references mapd_tables, sql text)");
1009  dbConn->query(
1010  "CREATE TABLE mapd_dashboards (id integer primary key autoincrement, name text , "
1011  "userid integer references mapd_users, state text, image_hash text, update_time "
1012  "timestamp, "
1013  "metadata text, UNIQUE(userid, name) )");
1014  dbConn->query(
1015  "CREATE TABLE mapd_links (linkid integer primary key, userid integer references "
1016  "mapd_users, "
1017  "link text unique, view_state text, update_time timestamp, view_metadata text)");
1018  dbConn->query(
1019  "CREATE TABLE mapd_dictionaries (dictid integer primary key, name text unique, "
1020  "nbits int, is_shared boolean, "
1021  "refcount int, version_num BIGINT DEFAULT 1)");
1022  dbConn->query(
1023  "CREATE TABLE mapd_logical_to_physical(logical_table_id integer, "
1024  "physical_table_id "
1025  "integer)");
1026  dbConn->query("CREATE TABLE mapd_record_ownership_marker (dummy integer)");
1027  dbConn->query_with_text_params(
1028  "INSERT INTO mapd_record_ownership_marker (dummy) VALUES (?1)",
1029  std::vector<std::string>{std::to_string(owner)});
1030  } catch (const std::exception&) {
1031  dbConn->query("ROLLBACK TRANSACTION");
1032  boost::filesystem::remove(basePath_ + "/mapd_catalogs/" + name);
1033  throw;
1034  }
1035  dbConn->query("END TRANSACTION");
1036 
1037  // Now update SysCatalog with privileges and the new database
1038  sqliteConnector_->query("BEGIN TRANSACTION");
1039  try {
1040  sqliteConnector_->query_with_text_param(
1041  "INSERT INTO mapd_databases (name, owner) VALUES (?, " + std::to_string(owner) +
1042  ")",
1043  name);
1044  CHECK(getMetadataForDB(name, db));
1045  auto cat =
1047  if (owner != OMNISCI_ROOT_USER_ID) {
1049  object.loadKey(*cat);
1050  UserMetadata user;
1051  CHECK(getMetadataForUserById(owner, user));
1052  grantAllOnDatabase_unsafe(user.userName, object, *cat);
1053  }
1054  } catch (const std::exception&) {
1055  sqliteConnector_->query("ROLLBACK TRANSACTION");
1056  boost::filesystem::remove(basePath_ + "/mapd_catalogs/" + name);
1057  throw;
1058  }
1059  sqliteConnector_->query("END TRANSACTION");
1060 }
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:2990
std::string name() const
Definition: SysCatalog.h:248
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
CHECK(cgen_state)
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:339
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
std::string to_upper(const std::string &str)
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:344
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:343
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createDBObject ( const UserMetadata user,
const std::string &  objectName,
DBObjectType  type,
const Catalog_Namespace::Catalog catalog,
int32_t  objectId = -1 
)

Definition at line 1319 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_DATABASE, AccessPrivileges::ALL_TABLE, DashboardDBObjectType, getUserGrantee(), grantDBObjectPrivileges_unsafe(), instance(), Catalog_Namespace::UserMetadata::isSuper, sqliteConnector_, TableDBObjectType, Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

1323  {
1324  sys_write_lock write_lock(this);
1325  sys_sqlite_lock sqlite_lock(this);
1326 
1327  DBObject object =
1328  objectId == -1 ? DBObject(objectName, type) : DBObject(objectId, type);
1329  object.loadKey(catalog);
1330  switch (type) {
1331  case TableDBObjectType:
1332  object.setPrivileges(AccessPrivileges::ALL_TABLE);
1333  break;
1334  case DashboardDBObjectType:
1335  object.setPrivileges(AccessPrivileges::ALL_DASHBOARD);
1336  break;
1337  default:
1338  object.setPrivileges(AccessPrivileges::ALL_DATABASE);
1339  break;
1340  }
1341  object.setOwner(user.userId);
1342  sqliteConnector_->query("BEGIN TRANSACTION");
1343  try {
1344  if (!user.isSuper) { // no need to grant to suser, has all privs by default
1345  grantDBObjectPrivileges_unsafe(user.userName, object, catalog);
1346  auto* grantee = instance().getUserGrantee(user.userName);
1347  if (!grantee) {
1348  throw runtime_error("User " + user.userName + " does not exist.");
1349  }
1350  grantee->grantPrivileges(object);
1351  }
1352  } catch (std::exception& e) {
1353  sqliteConnector_->query("ROLLBACK TRANSACTION");
1354  throw;
1355  }
1356  sqliteConnector_->query("END TRANSACTION");
1357 }
static const AccessPrivileges ALL_DATABASE
Definition: DBObject.h:144
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static SysCatalog & instance()
Definition: SysCatalog.h:242
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
User * getUserGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
void loadKey()
Definition: DBObject.cpp:165
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:162
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:150

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::createRole ( const std::string &  roleName,
const bool &  userPrivateRole = false 
)

Definition at line 2081 of file SysCatalog.cpp.

References createRole_unsafe(), and execInTransaction().

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole().

2081  {
2082  execInTransaction(&SysCatalog::createRole_unsafe, roleName, userPrivateRole);
2083 }
void createRole_unsafe(const std::string &roleName, const bool &userPrivateRole=false)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createRole_unsafe ( const std::string &  roleName,
const bool &  userPrivateRole = false 
)
private

Definition at line 1556 of file SysCatalog.cpp.

References DatabaseDBObjectType, DBObjectKey::dbId, getGrantee(), granteeMap_, Catalog_Namespace::insertOrUpdateObjectPrivileges(), OMNISCI_DEFAULT_DB, DBObjectKey::permissionType, DBObject::setObjectKey(), sqliteConnector_, and to_upper().

Referenced by createRole(), and createUser().

1557  {
1558  sys_write_lock write_lock(this);
1559 
1560  auto* grantee = getGrantee(roleName);
1561  if (grantee) {
1562  throw std::runtime_error("CREATE ROLE " + roleName +
1563  " failed because grantee with this name already exists.");
1564  }
1565  if (userPrivateRole) {
1566  grantee = new User(roleName);
1567  } else {
1568  grantee = new Role(roleName);
1569  }
1570  granteeMap_[to_upper(roleName)] = grantee;
1571 
1572  // NOTE (max): Why create an empty privileges record for a role?
1573  /* grant none privileges to this role and add it to sqlite DB */
1575  DBObjectKey objKey;
1576  // 0 is an id that does not exist
1577  objKey.dbId = 0;
1579  dbObject.setObjectKey(objKey);
1580  grantee->grantPrivileges(dbObject);
1581 
1582  sys_sqlite_lock sqlite_lock(this);
1583  insertOrUpdateObjectPrivileges(sqliteConnector_, roleName, userPrivateRole, dbObject);
1584 }
Definition: Grantee.h:70
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:334
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
std::string to_upper(const std::string &str)
int32_t dbId
Definition: DBObject.h:55
int32_t permissionType
Definition: DBObject.h:54

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createUser ( const std::string &  name,
const std::string &  passwd,
bool  issuper,
const std::string &  dbname 
)

Definition at line 728 of file SysCatalog.cpp.

References createRole_unsafe(), Catalog_Namespace::DBMetadata::dbId, getGrantee(), getMetadataForDB(), getMetadataForUser(), anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), instance(), name(), sqliteConnector_, and to_string().

Referenced by syncUserWithRemoteProvider().

731  {
732  sys_write_lock write_lock(this);
733  sys_sqlite_lock sqlite_lock(this);
734 
735  UserMetadata user;
736  if (getMetadataForUser(name, user)) {
737  throw runtime_error("User " + name + " already exists.");
738  }
739  if (getGrantee(name)) {
740  throw runtime_error(
741  "User name " + name +
742  " is same as one of existing grantees. User and role names should be unique.");
743  }
744  sqliteConnector_->query("BEGIN TRANSACTION");
745  try {
746  std::vector<std::string> vals;
747  if (!dbname.empty()) {
748  DBMetadata db;
749  if (!SysCatalog::instance().getMetadataForDB(dbname, db)) {
750  throw runtime_error("DEFAULT_DB " + dbname + " not found.");
751  }
752  vals = {name,
753  hash_with_bcrypt(passwd),
754  std::to_string(issuper),
755  std::to_string(db.dbId)};
756  sqliteConnector_->query_with_text_params(
757  "INSERT INTO mapd_users (name, passwd_hash, issuper, default_db) VALUES (?, ?, "
758  "?, ?)",
759  vals);
760  } else {
761  vals = {name, hash_with_bcrypt(passwd), std::to_string(issuper)};
762  sqliteConnector_->query_with_text_params(
763  "INSERT INTO mapd_users (name, passwd_hash, issuper) VALUES (?, ?, ?)", vals);
764  }
765 
766  createRole_unsafe(name, true);
767  } catch (const std::exception& e) {
768  sqliteConnector_->query("ROLLBACK TRANSACTION");
769  throw;
770  }
771  sqliteConnector_->query("END TRANSACTION");
772 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:248
void createRole_unsafe(const std::string &roleName, const bool &userPrivateRole=false)
Grantee * getGrantee(const std::string &name) const
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static SysCatalog & instance()
Definition: SysCatalog.h:242
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:61
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createUserRoles ( )
private

Definition at line 279 of file SysCatalog.cpp.

References OMNISCI_ROOT_USER, and sqliteConnector_.

Referenced by checkAndExecuteMigrations().

279  {
280  sys_sqlite_lock sqlite_lock(this);
281  sqliteConnector_->query("BEGIN TRANSACTION");
282  try {
283  sqliteConnector_->query(
284  "SELECT name FROM sqlite_master WHERE type='table' AND name='mapd_roles'");
285  if (sqliteConnector_->getNumRows() != 0) {
286  // already done
287  sqliteConnector_->query("END TRANSACTION");
288  return;
289  }
290  sqliteConnector_->query(
291  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
292  "userName))");
293  // need to account for old conversions where we are building and moving
294  // from pre version 4.0 and 'mapd' was default superuser
295  sqliteConnector_->query("SELECT name FROM mapd_users WHERE name NOT IN ( \'" +
296  OMNISCI_ROOT_USER + "\', 'mapd')");
297  size_t numRows = sqliteConnector_->getNumRows();
298  vector<string> user_names;
299  for (size_t i = 0; i < numRows; ++i) {
300  user_names.push_back(sqliteConnector_->getData<string>(i, 0));
301  }
302  for (const auto& user_name : user_names) {
303  // for each user, create a fake role with the same name
304  sqliteConnector_->query_with_text_params(
305  "INSERT INTO mapd_roles(roleName, userName) VALUES (?, ?)",
306  vector<string>{user_name, user_name});
307  }
308  } catch (const std::exception&) {
309  sqliteConnector_->query("ROLLBACK TRANSACTION");
310  throw;
311  }
312  sqliteConnector_->query("END TRANSACTION");
313 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
const std::string OMNISCI_ROOT_USER
Definition: SysCatalog.h:59

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::deleteObjectDescriptorMap ( const std::string &  roleName)
private

Definition at line 1731 of file SysCatalog.cpp.

References objectDescriptorMap_.

Referenced by dropUser(), and revokeDBObjectPrivileges_unsafe().

1731  {
1732  sys_write_lock write_lock(this);
1733 
1734  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
1735  if (d->second->roleName == roleName) {
1736  delete d->second;
1737  d = objectDescriptorMap_.erase(d);
1738  } else {
1739  d++;
1740  }
1741  }
1742 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::deleteObjectDescriptorMap ( const std::string &  roleName,
DBObject object,
const Catalog_Namespace::Catalog cat 
)
private

Definition at line 1745 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), objectDescriptorMap_, and to_string().

1747  {
1748  sys_write_lock write_lock(this);
1749  auto range = objectDescriptorMap_.equal_range(
1750  std::to_string(cat.getCurrentDB().dbId) + ":" +
1751  std::to_string(object.getObjectKey().permissionType) + ":" +
1752  std::to_string(object.getObjectKey().objectId));
1753  for (auto d = range.first; d != range.second;) {
1754  // remove the entry
1755  if (d->second->roleName == roleName) {
1756  delete d->second;
1757  d = objectDescriptorMap_.erase(d);
1758  } else {
1759  d++;
1760  }
1761  }
1762 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
std::string to_string(char const *&&v)
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:176
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropDatabase ( const DBMetadata db)

Definition at line 1062 of file SysCatalog.cpp.

References basePath_, calciteMgr_, DashboardDBObjectType, dataMgr_, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::Catalog::get(), granteeMap_, Catalog_Namespace::Catalog::remove(), revokeAllOnDatabase_unsafe(), revokeDBObjectPrivilegesFromAll_unsafe(), sqliteConnector_, string_dict_hosts_, TableDBObjectType, run_benchmark_import::tables, and to_string().

1062  {
1063  sys_write_lock write_lock(this);
1064  sys_sqlite_lock sqlite_lock(this);
1065  auto cat =
1067  sqliteConnector_->query("BEGIN TRANSACTION");
1068  try {
1069  // remove this database ID from any users that have it set as their default database
1070  sqliteConnector_->query_with_text_param(
1071  "UPDATE mapd_users SET default_db = NULL WHERE default_db = ?",
1072  std::to_string(db.dbId));
1073  /* revoke object privileges to all tables of the database being dropped */
1074  const auto tables = cat->getAllTableMetadata();
1075  for (const auto table : tables) {
1076  if (table->shard >= 0) {
1077  // skip shards, they're not standalone tables
1078  continue;
1079  }
1081  DBObject(table->tableName, TableDBObjectType), cat.get());
1082  }
1083  const auto dashboards = cat->getAllDashboardsMetadata();
1084  for (const auto dashboard : dashboards) {
1086  DBObject(dashboard->dashboardId, DashboardDBObjectType), cat.get());
1087  }
1088  /* revoke object privileges to the database being dropped */
1089  for (const auto& grantee : granteeMap_) {
1090  if (grantee.second->hasAnyPrivilegesOnDb(db.dbId, true)) {
1091  revokeAllOnDatabase_unsafe(grantee.second->getName(), db.dbId, grantee.second);
1092  }
1093  }
1094  sqliteConnector_->query_with_text_param("DELETE FROM mapd_databases WHERE dbid = ?",
1095  std::to_string(db.dbId));
1096  cat->eraseDBData();
1097  Catalog::remove(db.dbName);
1098  } catch (const std::exception&) {
1099  sqliteConnector_->query("ROLLBACK TRANSACTION");
1100  throw;
1101  }
1102  sqliteConnector_->query("END TRANSACTION");
1103 }
void revokeAllOnDatabase_unsafe(const std::string &roleName, int32_t dbId, Grantee *grantee)
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:2990
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:339
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
static void remove(const std::string &dbName)
Definition: Catalog.cpp:3016
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:344
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:343

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropRole ( const std::string &  roleName)

Definition at line 2085 of file SysCatalog.cpp.

References dropRole_unsafe(), and execInTransaction().

2085  {
2087 }
void execInTransaction(F &&f, Args &&...args)
void dropRole_unsafe(const std::string &roleName)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropRole_unsafe ( const std::string &  roleName)
private

Definition at line 1586 of file SysCatalog.cpp.

References getGrantee(), granteeMap_, sqliteConnector_, and to_upper().

Referenced by dropRole(), and dropUser().

1586  {
1587  sys_write_lock write_lock(this);
1588 
1589  // it may very well be a user "role", so keep it generic
1590  auto* rl = getGrantee(roleName);
1591  if (rl) { // admin super user may not exist in roles
1592  delete rl;
1593  }
1594  granteeMap_.erase(to_upper(roleName));
1595 
1596  sys_sqlite_lock sqlite_lock(this);
1597  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE roleName = ?",
1598  roleName);
1599  sqliteConnector_->query_with_text_param(
1600  "DELETE FROM mapd_object_permissions WHERE roleName = ?", roleName);
1601 }
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
std::string to_upper(const std::string &str)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::dropUser ( const std::string &  name)

Definition at line 774 of file SysCatalog.cpp.

References deleteObjectDescriptorMap(), dropRole_unsafe(), getMetadataForUser(), sqliteConnector_, to_string(), and Catalog_Namespace::UserMetadata::userId.

774  {
775  sys_write_lock write_lock(this);
776  sys_sqlite_lock sqlite_lock(this);
777 
778  sqliteConnector_->query("BEGIN TRANSACTION");
779  try {
780  UserMetadata user;
781  if (!getMetadataForUser(name, user)) {
782  throw runtime_error("User " + name + " does not exist.");
783  }
786  const std::string& roleName(name);
787  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE userName = ?",
788  roleName);
789  sqliteConnector_->query("DELETE FROM mapd_users WHERE userid = " +
790  std::to_string(user.userId));
791  sqliteConnector_->query("DELETE FROM mapd_privileges WHERE userid = " +
792  std::to_string(user.userId));
793  } catch (const std::exception& e) {
794  sqliteConnector_->query("ROLLBACK TRANSACTION");
795  throw;
796  }
797  sqliteConnector_->query("END TRANSACTION");
798 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:248
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
void deleteObjectDescriptorMap(const std::string &roleName)
void dropRole_unsafe(const std::string &roleName)

+ Here is the call graph for this function:

template<typename F , typename... Args>
void Catalog_Namespace::SysCatalog::execInTransaction ( F &&  f,
Args &&...  args 
)
private

Definition at line 2068 of file SysCatalog.cpp.

References run_benchmark_import::args, and sqliteConnector_.

Referenced by createRole(), dropRole(), grantDBObjectPrivileges(), grantDBObjectPrivilegesBatch(), grantRole(), grantRoleBatch(), revokeDBObjectPrivileges(), revokeDBObjectPrivilegesBatch(), revokeDBObjectPrivilegesFromAll(), revokeRole(), and revokeRoleBatch().

2068  {
2069  sys_write_lock write_lock(this);
2070  sys_sqlite_lock sqlite_lock(this);
2071  sqliteConnector_->query("BEGIN TRANSACTION");
2072  try {
2073  (this->*f)(std::forward<Args>(args)...);
2074  } catch (std::exception&) {
2075  sqliteConnector_->query("ROLLBACK TRANSACTION");
2076  throw;
2077  }
2078  sqliteConnector_->query("END TRANSACTION");
2079 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the caller graph for this function:

list< DBMetadata > Catalog_Namespace::SysCatalog::getAllDBMetadata ( )

Definition at line 1174 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, and sqliteConnector_.

Referenced by getDatabaseListForUser().

1174  {
1175  sys_sqlite_lock sqlite_lock(this);
1176  sqliteConnector_->query("SELECT dbid, name, owner FROM mapd_databases");
1177  int numRows = sqliteConnector_->getNumRows();
1178  list<DBMetadata> db_list;
1179  for (int r = 0; r < numRows; ++r) {
1180  DBMetadata db;
1181  db.dbId = sqliteConnector_->getData<int>(r, 0);
1182  db.dbName = sqliteConnector_->getData<string>(r, 1);
1183  db.dbOwner = sqliteConnector_->getData<int>(r, 2);
1184  db_list.push_back(db);
1185  }
1186  return db_list;
1187 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the caller graph for this function:

list< UserMetadata > Catalog_Namespace::SysCatalog::getAllUserMetadata ( )

Definition at line 1227 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), and sqliteConnector_.

Referenced by getDatabaseListForUser().

1227  {
1228  sys_sqlite_lock sqlite_lock(this);
1229  return get_users(sqliteConnector_);
1230 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
auto get_users(std::unique_ptr< SqliteConnector > &sqliteConnector, const int32_t dbId=-1)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

list< UserMetadata > Catalog_Namespace::SysCatalog::getAllUserMetadata ( const int64_t  dbId)

return the users associated with the given DB

Definition at line 1220 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), and sqliteConnector_.

1220  {
1221  // this call is to return users that have some form of permissions to objects in the db
1222  // sadly mapd_object_permissions table is also misused to manage user roles.
1223  sys_sqlite_lock sqlite_lock(this);
1224  return get_users(sqliteConnector_, dbId);
1225 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
auto get_users(std::unique_ptr< SqliteConnector > &sqliteConnector, const int32_t dbId=-1)

+ Here is the call graph for this function:

const std::string& Catalog_Namespace::SysCatalog::getBasePath ( ) const
inline

Definition at line 177 of file SysCatalog.h.

References basePath_.

177 { return basePath_; }
Calcite& Catalog_Namespace::SysCatalog::getCalciteMgr ( ) const
inline

Definition at line 176 of file SysCatalog.h.

References calciteMgr_.

176 { return *calciteMgr_; }
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:343
DBSummaryList Catalog_Namespace::SysCatalog::getDatabaseListForUser ( const UserMetadata user)

Definition at line 1295 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, checkPrivileges(), DatabaseDBObjectType, Catalog_Namespace::DBSummary::dbName, getAllDBMetadata(), getAllUserMetadata(), DBObject::loadKey(), and DBObject::setPrivileges().

1295  {
1296  DBSummaryList ret;
1297 
1298  std::list<Catalog_Namespace::DBMetadata> db_list = getAllDBMetadata();
1299  std::list<Catalog_Namespace::UserMetadata> user_list = getAllUserMetadata();
1300 
1301  for (auto d : db_list) {
1302  DBObject dbObject(d.dbName, DatabaseDBObjectType);
1303  dbObject.loadKey();
1304  dbObject.setPrivileges(AccessPrivileges::ACCESS);
1305  if (!checkPrivileges(user, std::vector<DBObject>{dbObject})) {
1306  continue;
1307  }
1308  for (auto u : user_list) {
1309  if (d.dbOwner == u.userId) {
1310  ret.emplace_back(DBSummary{d.dbName, u.userName});
1311  break;
1312  }
1313  }
1314  }
1315 
1316  return ret;
1317 }
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
std::list< UserMetadata > getAllUserMetadata()
std::list< DBMetadata > getAllDBMetadata()
static const AccessPrivileges ACCESS
Definition: DBObject.h:146
std::list< DBSummary > DBSummaryList
Definition: SysCatalog.h:108

+ Here is the call graph for this function:

Data_Namespace::DataMgr& Catalog_Namespace::SysCatalog::getDataMgr ( ) const
inline

Definition at line 175 of file SysCatalog.h.

References dataMgr_.

Referenced by Executor::clearMemory().

175 { return *dataMgr_; }
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:339

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::getDBObjectPrivileges ( const std::string &  granteeName,
DBObject object,
const Catalog_Namespace::Catalog catalog 
) const

Definition at line 1534 of file SysCatalog.cpp.

References getGrantee(), getMetadataForUser(), instance(), and Catalog_Namespace::UserMetadata::isSuper.

1536  {
1537  sys_read_lock read_lock(this);
1538  UserMetadata user_meta;
1539 
1540  if (instance().getMetadataForUser(granteeName, user_meta)) {
1541  if (user_meta.isSuper) {
1542  throw runtime_error(
1543  "Request to show privileges from " + granteeName +
1544  " failed because user is super user and has all privileges by default.");
1545  }
1546  }
1547  auto* grantee = instance().getGrantee(granteeName);
1548  if (!grantee) {
1549  throw runtime_error("Request to show privileges for " + granteeName +
1550  " failed because role or user with this name does not exist.");
1551  }
1552  object.loadKey(catalog);
1553  grantee->getPrivileges(object, true);
1554 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
static SysCatalog & instance()
Definition: SysCatalog.h:242

+ Here is the call graph for this function:

Grantee * Catalog_Namespace::SysCatalog::getGrantee ( const std::string &  name) const

Definition at line 1813 of file SysCatalog.cpp.

References granteeMap_, and to_upper().

Referenced by buildRoleMap(), buildUserRoleMap(), createRole_unsafe(), createUser(), dropRole_unsafe(), getDBObjectPrivileges(), getRoleGrantee(), getUserGrantee(), grantDBObjectPrivileges_unsafe(), grantRole_unsafe(), Catalog_Namespace::Catalog::renameTable(), renameUser(), revokeDashboardSystemRole(), revokeDBObjectPrivileges_unsafe(), and revokeRole_unsafe().

1813  {
1814  sys_read_lock read_lock(this);
1815  auto grantee = granteeMap_.find(to_upper(name));
1816  if (grantee == granteeMap_.end()) { // check to make sure role exists
1817  return nullptr;
1818  }
1819  return grantee->second; // returns pointer to role
1820 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
std::string name() const
Definition: SysCatalog.h:248
std::string to_upper(const std::string &str)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::unordered_map< std::string, std::vector< std::string > > Catalog_Namespace::SysCatalog::getGranteesOfSharedDashboards ( const std::vector< std::string > &  dashboard_ids)

Definition at line 2179 of file SysCatalog.cpp.

References DashboardDBObjectType, num_rows, sqliteConnector_, and to_string().

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles().

2179  {
2180  sys_sqlite_lock sqlite_lock(this);
2181  std::unordered_map<std::string, std::vector<std::string>> active_grantees;
2182  sqliteConnector_->query("BEGIN TRANSACTION");
2183  try {
2184  for (auto dash : dashboard_ids) {
2185  std::vector<std::string> grantees = {};
2186  sqliteConnector_->query_with_text_params(
2187  "SELECT roleName FROM mapd_object_permissions WHERE objectPermissions NOT IN "
2188  "(0,1) AND objectPermissionsType = ? AND objectId = ?",
2189  std::vector<std::string>{
2190  std::to_string(static_cast<int32_t>(DashboardDBObjectType)), dash});
2191  int num_rows = sqliteConnector_->getNumRows();
2192  if (num_rows == 0) {
2193  // no grantees
2194  continue;
2195  } else {
2196  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
2197  grantees.push_back(sqliteConnector_->getData<string>(i, 0));
2198  }
2199  active_grantees[dash] = grantees;
2200  }
2201  }
2202  } catch (const std::exception& e) {
2203  sqliteConnector_->query("ROLLBACK TRANSACTION");
2204  throw;
2205  }
2206  sqliteConnector_->query("END TRANSACTION");
2207  return active_grantees;
2208 }
const int8_t const int64_t * num_rows
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForDB ( const std::string &  name,
DBMetadata db 
)

Definition at line 1266 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, and sqliteConnector_.

Referenced by alterUser(), createDatabase(), createUser(), getMetadataWithDefault(), migrateDBAccessPrivileges(), and renameDatabase().

1266  {
1267  sys_sqlite_lock sqlite_lock(this);
1268  sqliteConnector_->query_with_text_param(
1269  "SELECT dbid, name, owner FROM mapd_databases WHERE name = ?", name);
1270  int numRows = sqliteConnector_->getNumRows();
1271  if (numRows == 0) {
1272  return false;
1273  }
1274  db.dbId = sqliteConnector_->getData<int>(0, 0);
1275  db.dbName = sqliteConnector_->getData<string>(0, 1);
1276  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1277  return true;
1278 }
std::string name() const
Definition: SysCatalog.h:248
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForDBById ( const int32_t  idIn,
DBMetadata db 
)

Definition at line 1280 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, sqliteConnector_, and to_string().

Referenced by getMetadataWithDefault().

1280  {
1281  sys_sqlite_lock sqlite_lock(this);
1282  sqliteConnector_->query_with_text_param(
1283  "SELECT dbid, name, owner FROM mapd_databases WHERE dbid = ?",
1284  std::to_string(idIn));
1285  int numRows = sqliteConnector_->getNumRows();
1286  if (numRows == 0) {
1287  return false;
1288  }
1289  db.dbId = sqliteConnector_->getData<int>(0, 0);
1290  db.dbName = sqliteConnector_->getData<string>(0, 1);
1291  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1292  return true;
1293 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::vector< ObjectRoleDescriptor * > Catalog_Namespace::SysCatalog::getMetadataForObject ( int32_t  dbId,
int32_t  dbType,
int32_t  objectId 
) const

Definition at line 1831 of file SysCatalog.cpp.

References objectDescriptorMap_, and to_string().

Referenced by Catalog_Namespace::Catalog::renameTable().

1831  {
1832  sys_read_lock read_lock(this);
1833  std::vector<ObjectRoleDescriptor*> objectsList;
1834 
1835  auto range = objectDescriptorMap_.equal_range(std::to_string(dbId) + ":" +
1836  std::to_string(dbType) + ":" +
1837  std::to_string(objectId));
1838  for (auto d = range.first; d != range.second; ++d) {
1839  objectsList.push_back(d->second);
1840  }
1841  return objectsList; // return pointers to objects
1842 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
std::string to_string(char const *&&v)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForUser ( const std::string &  name,
UserMetadata user 
)

Definition at line 1135 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::defaultDbId, logger::INFO, Catalog_Namespace::UserMetadata::isSuper, LOG, name(), Catalog_Namespace::UserMetadata::passwd_hash, sqliteConnector_, Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

Referenced by checkPasswordForUserImpl(), checkPrivileges(), createUser(), dropUser(), getDBObjectPrivileges(), getMetadataWithDefault(), grantDBObjectPrivileges_unsafe(), login(), renameUser(), revokeDBObjectPrivileges_unsafe(), and syncUserWithRemoteProvider().

1135  {
1136  LOG(INFO) << "getMetadataForUser " << name;
1137  sys_sqlite_lock sqlite_lock(this);
1138  sqliteConnector_->query_with_text_param(
1139  "SELECT userid, name, passwd_hash, issuper, default_db FROM mapd_users WHERE name "
1140  "= ?",
1141  name);
1142  int numRows = sqliteConnector_->getNumRows();
1143  if (numRows == 0) {
1144  return false;
1145  }
1146  user.userId = sqliteConnector_->getData<int>(0, 0);
1147  user.userName = sqliteConnector_->getData<string>(0, 1);
1148  user.passwd_hash = sqliteConnector_->getData<string>(0, 2);
1149  user.isSuper = sqliteConnector_->getData<bool>(0, 3);
1150  user.defaultDbId =
1151  sqliteConnector_->isNull(0, 4) ? -1 : sqliteConnector_->getData<int>(0, 4);
1152  return true;
1153 }
#define LOG(tag)
Definition: Logger.h:185
std::string name() const
Definition: SysCatalog.h:248
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForUserById ( const int32_t  idIn,
UserMetadata user 
)

Definition at line 1155 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::defaultDbId, Catalog_Namespace::UserMetadata::isSuper, Catalog_Namespace::UserMetadata::passwd_hash, sqliteConnector_, to_string(), Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

Referenced by createDatabase(), and populateRoleDbObjects().

1155  {
1156  sys_sqlite_lock sqlite_lock(this);
1157  sqliteConnector_->query_with_text_param(
1158  "SELECT userid, name, passwd_hash, issuper, default_db FROM mapd_users WHERE "
1159  "userid = ?",
1160  std::to_string(idIn));
1161  int numRows = sqliteConnector_->getNumRows();
1162  if (numRows == 0) {
1163  return false;
1164  }
1165  user.userId = sqliteConnector_->getData<int>(0, 0);
1166  user.userName = sqliteConnector_->getData<string>(0, 1);
1167  user.passwd_hash = sqliteConnector_->getData<string>(0, 2);
1168  user.isSuper = sqliteConnector_->getData<bool>(0, 3);
1169  user.defaultDbId =
1170  sqliteConnector_->isNull(0, 4) ? -1 : sqliteConnector_->getData<int>(0, 4);
1171  return true;
1172 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::getMetadataWithDefault ( std::string &  dbname,
const std::string &  username,
Catalog_Namespace::DBMetadata db_meta,
UserMetadata user_meta 
)

Definition at line 1232 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::UserMetadata::defaultDbId, getMetadataForDB(), getMetadataForDBById(), getMetadataForUser(), OMNISCI_DEFAULT_DB, to_string(), Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

Referenced by login(), and switchDatabase().

1235  {
1236  if (!getMetadataForUser(username, user_meta)) {
1237  throw std::runtime_error("Invalid credentials.");
1238  }
1239 
1240  if (!dbname.empty()) {
1241  if (!getMetadataForDB(dbname, db_meta)) {
1242  throw std::runtime_error("Database name " + dbname + " does not exist.");
1243  }
1244  // loaded the requested database
1245  } else {
1246  if (user_meta.defaultDbId != -1) {
1247  if (!getMetadataForDBById(user_meta.defaultDbId, db_meta)) {
1248  throw std::runtime_error(
1249  "Server error: User #" + std::to_string(user_meta.userId) + " " +
1250  user_meta.userName + " has invalid default_db #" +
1251  std::to_string(user_meta.defaultDbId) + " which does not exist.");
1252  }
1253  dbname = db_meta.dbName;
1254  // loaded the user's default database
1255  } else {
1256  if (!getMetadataForDB(OMNISCI_DEFAULT_DB, db_meta)) {
1257  throw std::runtime_error(std::string("Database ") + OMNISCI_DEFAULT_DB +
1258  " does not exist.");
1259  }
1260  dbname = OMNISCI_DEFAULT_DB;
1261  // loaded the mapd database by default
1262  }
1263  }
1264 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string to_string(char const *&&v)
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
bool getMetadataForDBById(const int32_t idIn, DBMetadata &db)
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Role * Catalog_Namespace::SysCatalog::getRoleGrantee ( const std::string &  name) const

Definition at line 1822 of file SysCatalog.cpp.

References getGrantee().

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles(), Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), grantRole_unsafe(), isRoleGrantedToGrantee(), revokeDashboardSystemRole(), revokeRole_unsafe(), and syncUserWithRemoteProvider().

1822  {
1823  return dynamic_cast<Role*>(getGrantee(name));
1824 }
std::string name() const
Definition: SysCatalog.h:248
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::vector< std::string > Catalog_Namespace::SysCatalog::getRoles ( bool  userPrivateRole,
bool  isSuper,
const std::string &  userName 
)

Definition at line 1891 of file SysCatalog.cpp.

References granteeMap_, isDashboardSystemRole(), and isRoleGrantedToGrantee().

1893  {
1894  sys_read_lock read_lock(this);
1895  std::vector<std::string> roles;
1896  for (auto& grantee : granteeMap_) {
1897  if (!userPrivateRole && grantee.second->isUser()) {
1898  continue;
1899  }
1900  if (!isSuper && !isRoleGrantedToGrantee(userName, grantee.second->getName(), false)) {
1901  continue;
1902  }
1903  if (isDashboardSystemRole(grantee.second->getName())) {
1904  continue;
1905  }
1906  roles.push_back(grantee.second->getName());
1907  }
1908  return roles;
1909 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
bool isDashboardSystemRole(const std::string &roleName)
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const

+ Here is the call graph for this function:

std::vector< std::string > Catalog_Namespace::SysCatalog::getRoles ( const std::string &  userName,
const int32_t  dbId 
)

Definition at line 1870 of file SysCatalog.cpp.

References isDashboardSystemRole(), isRoleGrantedToGrantee(), sqliteConnector_, and to_string().

1871  {
1872  sys_sqlite_lock sqlite_lock(this);
1873  std::string sql =
1874  "SELECT DISTINCT roleName FROM mapd_object_permissions WHERE "
1875  "objectPermissions<>0 "
1876  "AND roleType=0 AND dbId=" +
1877  std::to_string(dbId);
1878  sqliteConnector_->query(sql);
1879  int numRows = sqliteConnector_->getNumRows();
1880  std::vector<std::string> roles(0);
1881  for (int r = 0; r < numRows; ++r) {
1882  auto roleName = sqliteConnector_->getData<string>(r, 0);
1883  if (isRoleGrantedToGrantee(userName, roleName, false) &&
1884  !isDashboardSystemRole(roleName)) {
1885  roles.push_back(roleName);
1886  }
1887  }
1888  return roles;
1889 }
bool isDashboardSystemRole(const std::string &roleName)
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const

+ Here is the call graph for this function:

SqliteConnector* Catalog_Namespace::SysCatalog::getSqliteConnector ( )
inline

Definition at line 178 of file SysCatalog.h.

References sqliteConnector_.

178 { return sqliteConnector_.get(); }
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
User * Catalog_Namespace::SysCatalog::getUserGrantee ( const std::string &  name) const

Definition at line 1826 of file SysCatalog.cpp.

References getGrantee().

Referenced by checkPrivileges(), createDBObject(), Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), hasAnyPrivileges(), isRoleGrantedToGrantee(), populateRoleDbObjects(), syncUserWithRemoteProvider(), and verifyDBObjectOwnership().

1826  {
1827  return dynamic_cast<User*>(getGrantee(name));
1828 }
std::string name() const
Definition: SysCatalog.h:248
Definition: Grantee.h:70
Grantee * getGrantee(const std::string &name) const

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantAllOnDatabase_unsafe ( const std::string &  roleName,
DBObject object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1408 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_TABLE, AccessPrivileges::ALL_VIEW, DashboardDBObjectType, DatabaseDBObjectType, grantDBObjectPrivileges_unsafe(), DBObject::setPermissionType(), DBObject::setPrivileges(), TableDBObjectType, AccessPrivileges::VIEW_SQL_EDITOR, and ViewDBObjectType.

Referenced by createDatabase(), and grantDBObjectPrivileges_unsafe().

1410  {
1411  // It's a separate use case because it's easier for implementation to convert ALL ON
1412  // DATABASE into ALL ON DASHBOARDS, ALL ON VIEWS and ALL ON TABLES
1413  // Add DB Access privileges
1414  DBObject tmp_object = object;
1417  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1420  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1423  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1425  tmp_object.setPermissionType(ViewDBObjectType);
1426  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1429  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1430  return;
1431 }
static const AccessPrivileges VIEW_SQL_EDITOR
Definition: DBObject.h:145
void setPrivileges(const AccessPrivileges &privs)
Definition: DBObject.h:203
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
static const AccessPrivileges ALL_VIEW
Definition: DBObject.h:170
void setPermissionType(const DBObjectType &permissionType)
Definition: DBObject.cpp:136
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:162
static const AccessPrivileges ACCESS
Definition: DBObject.h:146
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:150

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivileges ( const std::string &  grantee,
const DBObject object,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2107 of file SysCatalog.cpp.

References execInTransaction(), and grantDBObjectPrivileges_unsafe().

2109  {
2111  &SysCatalog::grantDBObjectPrivileges_unsafe, grantee, object, catalog);
2112 }
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivileges_unsafe ( const std::string &  granteeName,
const DBObject  object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1371 of file SysCatalog.cpp.

References DatabasePrivileges::ALL, DatabaseDBObjectType, getGrantee(), getMetadataForUser(), grantAllOnDatabase_unsafe(), Catalog_Namespace::insertOrUpdateObjectPrivileges(), instance(), Catalog_Namespace::UserMetadata::isSuper, sqliteConnector_, and updateObjectDescriptorMap().

Referenced by createDBObject(), grantAllOnDatabase_unsafe(), grantDBObjectPrivileges(), and grantDBObjectPrivilegesBatch_unsafe().

1374  {
1375  object.loadKey(catalog);
1376  if (object.getPrivileges().hasPermission(DatabasePrivileges::ALL) &&
1377  object.getObjectKey().permissionType == DatabaseDBObjectType) {
1378  return grantAllOnDatabase_unsafe(granteeName, object, catalog);
1379  }
1380 
1381  sys_write_lock write_lock(this);
1382 
1383  UserMetadata user_meta;
1384  if (instance().getMetadataForUser(granteeName, user_meta)) {
1385  if (user_meta.isSuper) {
1386  // super doesn't have explicit privileges so nothing to do
1387  return;
1388  }
1389  }
1390  auto* grantee = instance().getGrantee(granteeName);
1391  if (!grantee) {
1392  throw runtime_error("Request to grant privileges to " + granteeName +
1393  " failed because role or user with this name does not exist.");
1394  }
1395  grantee->grantPrivileges(object);
1396 
1397  /* apply grant privileges statement to sqlite DB */
1398  std::vector<std::string> objectKey = object.toString();
1399  object.resetPrivileges();
1400  grantee->getPrivileges(object, true);
1401 
1402  sys_sqlite_lock sqlite_lock(this);
1404  sqliteConnector_, granteeName, grantee->isUser(), object);
1405  updateObjectDescriptorMap(granteeName, object, grantee->isUser(), catalog);
1406 }
static const int32_t ALL
Definition: DBObject.h:78
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:334
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static SysCatalog & instance()
Definition: SysCatalog.h:242
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
void updateObjectDescriptorMap(const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivilegesBatch ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2114 of file SysCatalog.cpp.

References execInTransaction(), and grantDBObjectPrivilegesBatch_unsafe().

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole().

2116  {
2118  &SysCatalog::grantDBObjectPrivilegesBatch_unsafe, grantees, objects, catalog);
2119 }
void grantDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivilegesBatch_unsafe ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1359 of file SysCatalog.cpp.

References grantDBObjectPrivileges_unsafe().

Referenced by grantDBObjectPrivilegesBatch().

1362  {
1363  for (const auto& grantee : grantees) {
1364  for (const auto& object : objects) {
1365  grantDBObjectPrivileges_unsafe(grantee, object, catalog);
1366  }
1367  }
1368 }
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDefaultPrivilegesToRole_unsafe ( const std::string &  name,
bool  issuper 
)
private
void Catalog_Namespace::SysCatalog::grantRole ( const std::string &  role,
const std::string &  grantee 
)

Definition at line 2094 of file SysCatalog.cpp.

References execInTransaction(), and grantRole_unsafe().

Referenced by syncUserWithRemoteProvider().

2094  {
2096 }
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantRole_unsafe ( const std::string &  roleName,
const std::string &  granteeName 
)
private

Definition at line 1613 of file SysCatalog.cpp.

References getGrantee(), getRoleGrantee(), and sqliteConnector_.

Referenced by grantRole(), and grantRoleBatch_unsafe().

1614  {
1615  auto* rl = getRoleGrantee(roleName);
1616  if (!rl) {
1617  throw runtime_error("Request to grant role " + roleName +
1618  " failed because role with this name does not exist.");
1619  }
1620  auto* grantee = getGrantee(granteeName);
1621  if (!grantee) {
1622  throw runtime_error("Request to grant role " + roleName + " failed because grantee " +
1623  granteeName + " does not exist.");
1624  }
1625  sys_write_lock write_lock(this);
1626  if (!grantee->hasRole(rl, true)) {
1627  grantee->grantRole(rl);
1628  sys_sqlite_lock sqlite_lock(this);
1629  sqliteConnector_->query_with_text_params(
1630  "INSERT INTO mapd_roles(roleName, userName) VALUES (?, ?)",
1631  std::vector<std::string>{rl->getName(), grantee->getName()});
1632  }
1633 }
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
Role * getRoleGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantRoleBatch ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)

Definition at line 2089 of file SysCatalog.cpp.

References execInTransaction(), and grantRoleBatch_unsafe().

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles().

2090  {
2092 }
void grantRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantRoleBatch_unsafe ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)
private

Definition at line 1603 of file SysCatalog.cpp.

References grantRole_unsafe().

Referenced by grantRoleBatch().

1604  {
1605  for (const auto& role : roles) {
1606  for (const auto& grantee : grantees) {
1607  grantRole_unsafe(role, grantee);
1608  }
1609  }
1610 }
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::hasAnyPrivileges ( const UserMetadata user,
std::vector< DBObject > &  privObjects 
)

Definition at line 1764 of file SysCatalog.cpp.

References getUserGrantee(), instance(), Catalog_Namespace::UserMetadata::isSuper, and Catalog_Namespace::UserMetadata::userName.

1765  {
1766  sys_read_lock read_lock(this);
1767  if (user.isSuper) {
1768  return true;
1769  }
1770  auto* user_rl = instance().getUserGrantee(user.userName);
1771  if (!user_rl) {
1772  throw runtime_error("User " + user.userName + " does not exist.");
1773  }
1774  for (std::vector<DBObject>::iterator objectIt = privObjects.begin();
1775  objectIt != privObjects.end();
1776  ++objectIt) {
1777  if (!user_rl->hasAnyPrivileges(*objectIt, false)) {
1778  return false;
1779  }
1780  }
1781  return true;
1782 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
static SysCatalog & instance()
Definition: SysCatalog.h:242
User * getUserGrantee(const std::string &name) const

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::importDataFromOldMapdDB ( )
private

Definition at line 230 of file SysCatalog.cpp.

References basePath_, logger::ERROR, logger::INFO, LOG, OMNISCI_SYSTEM_CATALOG, and sqliteConnector_.

Referenced by init().

230  {
231  sys_sqlite_lock sqlite_lock(this);
232  std::string mapd_db_path = basePath_ + "/mapd_catalogs/mapd";
233  sqliteConnector_->query("ATTACH DATABASE `" + mapd_db_path + "` as old_cat");
234  sqliteConnector_->query("BEGIN TRANSACTION");
235  LOG(INFO) << "Moving global metadata into a separate catalog";
236  try {
237  auto moveTableIfExists = [conn = sqliteConnector_.get()](const std::string& tableName,
238  bool deleteOld = true) {
239  conn->query("SELECT sql FROM old_cat.sqlite_master WHERE type='table' AND name='" +
240  tableName + "'");
241  if (conn->getNumRows() != 0) {
242  conn->query(conn->getData<string>(0, 0));
243  conn->query("INSERT INTO " + tableName + " SELECT * FROM old_cat." + tableName);
244  if (deleteOld) {
245  conn->query("DROP TABLE old_cat." + tableName);
246  }
247  }
248  };
249  moveTableIfExists("mapd_users");
250  moveTableIfExists("mapd_databases");
251  moveTableIfExists("mapd_roles");
252  moveTableIfExists("mapd_object_permissions");
253  moveTableIfExists("mapd_privileges");
254  moveTableIfExists("mapd_version_history", false);
255  } catch (const std::exception& e) {
256  LOG(ERROR) << "Failed to move global metadata into a separate catalog: " << e.what();
257  sqliteConnector_->query("ROLLBACK TRANSACTION");
258  try {
259  sqliteConnector_->query("DETACH DATABASE old_cat");
260  } catch (const std::exception&) {
261  // nothing to do here
262  }
263  throw;
264  }
265  sqliteConnector_->query("END TRANSACTION");
266  const std::string sys_catalog_path =
267  basePath_ + "/mapd_catalogs/" + OMNISCI_SYSTEM_CATALOG;
268  LOG(INFO) << "Global metadata has been successfully moved into a separate catalog: "
269  << sys_catalog_path
270  << ". Using this database with an older version of omnisci_server "
271  "is now impossible.";
272  try {
273  sqliteConnector_->query("DETACH DATABASE old_cat");
274  } catch (const std::exception&) {
275  // nothing to do here
276  }
277 }
#define LOG(tag)
Definition: Logger.h:185
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::init ( const std::string &  basePath,
std::shared_ptr< Data_Namespace::DataMgr dataMgr,
const AuthMetadata authMetadata,
std::shared_ptr< Calcite calcite,
bool  is_new_db,
bool  aggregator,
const std::vector< LeafHostInfo > &  string_dict_hosts 
)

Definition at line 107 of file SysCatalog.cpp.

References aggregator_, authMetadata_, basePath_, buildObjectDescriptorMap(), buildRoleMap(), buildUserRoleMap(), calciteMgr_, checkAndExecuteMigrations(), dataMgr_, importDataFromOldMapdDB(), initDB(), ldap_server_, OMNISCI_SYSTEM_CATALOG, rest_server_, sqliteConnector_, and string_dict_hosts_.

113  {
114  {
115  sys_write_lock write_lock(this);
116  sys_sqlite_lock sqlite_lock(this);
117 
118  basePath_ = basePath;
119  dataMgr_ = dataMgr;
120  authMetadata_ = &authMetadata;
123  calciteMgr_ = calcite;
124  string_dict_hosts_ = string_dict_hosts;
125  aggregator_ = aggregator;
126  bool db_exists =
127  boost::filesystem::exists(basePath_ + "/mapd_catalogs/" + OMNISCI_SYSTEM_CATALOG);
128  sqliteConnector_.reset(
129  new SqliteConnector(OMNISCI_SYSTEM_CATALOG, basePath_ + "/mapd_catalogs/"));
130  if (is_new_db) {
131  initDB();
132  } else {
133  if (!db_exists) {
135  }
137  }
138  buildRoleMap();
141  }
142 }
std::unique_ptr< LdapServer > ldap_server_
Definition: SysCatalog.h:340
std::unique_ptr< RestServer > rest_server_
Definition: SysCatalog.h:341
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
const AuthMetadata * authMetadata_
Definition: SysCatalog.h:342
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:339
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:344
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:343

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::initDB ( )
private

Definition at line 158 of file SysCatalog.cpp.

References createDatabase(), anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), OMNISCI_DEFAULT_DB, OMNISCI_ROOT_PASSWD_DEFAULT, OMNISCI_ROOT_USER, OMNISCI_ROOT_USER_ID, OMNISCI_ROOT_USER_ID_STR, and sqliteConnector_.

Referenced by init().

158  {
159  sys_sqlite_lock sqlite_lock(this);
160  sqliteConnector_->query("BEGIN TRANSACTION");
161  try {
162  sqliteConnector_->query(
163  "CREATE TABLE mapd_users (userid integer primary key, name text unique, "
164  "passwd_hash text, issuper boolean, default_db integer references "
165  "mapd_databases)");
166  sqliteConnector_->query_with_text_params(
167  "INSERT INTO mapd_users VALUES (?, ?, ?, 1, NULL)",
168  std::vector<std::string>{OMNISCI_ROOT_USER_ID_STR,
171  sqliteConnector_->query(
172  "CREATE TABLE mapd_databases (dbid integer primary key, name text unique, owner "
173  "integer references mapd_users)");
174  sqliteConnector_->query(
175  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
176  "userName))");
177  sqliteConnector_->query(
178  "CREATE TABLE mapd_object_permissions ("
179  "roleName text, "
180  "roleType bool, "
181  "dbId integer references mapd_databases, "
182  "objectName text, "
183  "objectId integer, "
184  "objectPermissionsType integer, "
185  "objectPermissions integer, "
186  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
187  "objectId))");
188  } catch (const std::exception&) {
189  sqliteConnector_->query("ROLLBACK TRANSACTION");
190  throw;
191  }
192  sqliteConnector_->query("END TRANSACTION");
194 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:61
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
const std::string OMNISCI_ROOT_USER
Definition: SysCatalog.h:59
const std::string OMNISCI_ROOT_PASSWD_DEFAULT
Definition: SysCatalog.h:62
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
const std::string OMNISCI_ROOT_USER_ID_STR
Definition: SysCatalog.h:61
void createDatabase(const std::string &dbname, int owner)
Definition: SysCatalog.cpp:967

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

static SysCatalog& Catalog_Namespace::SysCatalog::instance ( )
inlinestatic

Definition at line 242 of file SysCatalog.h.

Referenced by alterUser(), Catalog_Namespace::SessionInfo::checkDBAccessPrivileges(), checkPermissionForTables(), checkPrivileges(), QueryRunner::QueryRunner::clearCpuMemory(), QueryRunner::QueryRunner::clearGpuMemory(), Executor::clearMemory(), Catalog_Namespace::Catalog::createDashboardSystemRoles(), createDBObject(), Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), createUser(), Catalog_Namespace::Catalog::deleteMetadataForDashboard(), Catalog_Namespace::Catalog::doTruncateTable(), Catalog_Namespace::Catalog::dropTable(), Executor::execute(), Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), getDBObjectPrivileges(), Catalog_Namespace::anonymous_namespace{Catalog.cpp}::getUserFromId(), grantDBObjectPrivileges_unsafe(), hasAnyPrivileges(), isRoleGrantedToGrantee(), DBObject::loadKey(), main(), migrateDBAccessPrivileges(), QueryRunner::QueryRunner::QueryRunner(), Catalog_Namespace::Catalog::recordOwnershipOfObjectsInObjectPermissions(), Catalog_Namespace::Catalog::removeTableFromMap(), Catalog_Namespace::Catalog::renameTable(), revokeDashboardSystemRole(), revokeDBObjectPrivileges_unsafe(), QueryRunner::QueryRunner::runDDLStatement(), QueryRunner::QueryRunner::runSelectQuery(), QueryRunner::QueryRunner::runSQL(), and verifyDBObjectOwnership().

242  {
243  static SysCatalog sys_cat{};
244  return sys_cat;
245  }

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::isAggregator ( ) const
inline

Definition at line 241 of file SysCatalog.h.

References aggregator_.

241 { return aggregator_; }
bool Catalog_Namespace::SysCatalog::isDashboardSystemRole ( const std::string &  roleName)
private

Definition at line 1866 of file SysCatalog.cpp.

References SYSTEM_ROLE_TAG().

Referenced by getRoles().

1866  {
1867  return boost::algorithm::ends_with(roleName, SYSTEM_ROLE_TAG);
1868 }
static const std::string SYSTEM_ROLE_TAG("#dash_system_role")
specifies the content in-memory of a row in the dashboard

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::isRoleGrantedToGrantee ( const std::string &  granteeName,
const std::string &  roleName,
bool  only_direct 
) const

Definition at line 1844 of file SysCatalog.cpp.

References CHECK(), getRoleGrantee(), getUserGrantee(), Grantee::hasRole(), and instance().

Referenced by getRoles().

1846  {
1847  sys_read_lock read_lock(this);
1848  if (roleName == granteeName) {
1849  return true;
1850  }
1851  bool is_role_granted = false;
1852  auto* target_role = instance().getRoleGrantee(roleName);
1853  auto has_role = [&](auto grantee_rl) {
1854  is_role_granted = target_role && grantee_rl->hasRole(target_role, only_direct);
1855  };
1856  if (auto* user_role = instance().getUserGrantee(granteeName); user_role) {
1857  has_role(user_role);
1858  } else if (auto* role = instance().getRoleGrantee(granteeName); role) {
1859  has_role(role);
1860  } else {
1861  CHECK(false);
1862  }
1863  return is_role_granted;
1864 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
static SysCatalog & instance()
Definition: SysCatalog.h:242
CHECK(cgen_state)
Role * getRoleGrantee(const std::string &name) const
User * getUserGrantee(const std::string &name) const
bool hasRole(Role *role, bool only_direct) const
Definition: Grantee.cpp:42

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::login ( std::string &  db,
std::string &  username,
const std::string &  password,
UserMetadata user_meta,
bool  check_password = true 
)

logins (connects) a user against a database.

throws a std::exception in all error cases! (including wrong password)

Definition at line 669 of file SysCatalog.cpp.

References basePath_, calciteMgr_, dataMgr_, Catalog_Namespace::Catalog::get(), getMetadataForUser(), getMetadataWithDefault(), loginImpl(), and string_dict_hosts_.

673  {
674  // NOTE: The dbname isn't const because getMetadataWithDefault() can
675  // reset it. The username isn't const because SamlServer's
676  // login()/authenticate_user() can reset it.
677 
678  sys_write_lock write_lock(this);
679 
680  if (check_password) {
681  loginImpl(username, password, user_meta);
682  } else { // not checking for password so user must exist
683  if (!getMetadataForUser(username, user_meta)) {
684  throw std::runtime_error("Invalid credentials.");
685  }
686  }
687  // we should have a user and user_meta by now
688 
690 
691  getMetadataWithDefault(dbname, username, db_meta, user_meta);
692 
693  return Catalog::get(
694  basePath_, db_meta, dataMgr_, string_dict_hosts_, calciteMgr_, false);
695 }
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:2990
bool getMetadataForUser(const std::string &name, UserMetadata &user)
void loginImpl(std::string &username, const std::string &password, UserMetadata &user_meta)
Definition: SysCatalog.cpp:698
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:339
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
void getMetadataWithDefault(std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:344
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:343

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::loginImpl ( std::string &  username,
const std::string &  password,
UserMetadata user_meta 
)
private

Definition at line 698 of file SysCatalog.cpp.

References checkPasswordForUser().

Referenced by login().

700  {
701  if (!checkPasswordForUser(password, username, user_meta)) {
702  throw std::runtime_error("Invalid credentials.");
703  }
704 }
bool checkPasswordForUser(const std::string &passwd, std::string &name, UserMetadata &user)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::migrateDBAccessPrivileges ( )
private

Definition at line 574 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, CHECK(), DatabaseDBObjectType, DBObjectKey::dbId, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, logger::ERROR, getMetadataForDB(), logger::INFO, Catalog_Namespace::insertOrUpdateObjectPrivileges(), instance(), LOG, MAPD_VERSION, OMNISCI_ROOT_USER_ID, DBObjectKey::permissionType, DBObject::setName(), DBObject::setObjectType(), sqliteConnector_, to_string(), DBObject::updatePrivileges(), and AccessPrivileges::VIEW_SQL_EDITOR.

Referenced by checkAndExecuteMigrations().

574  {
575  sys_sqlite_lock sqlite_lock(this);
576  sqliteConnector_->query("BEGIN TRANSACTION");
577  try {
578  sqliteConnector_->query(
579  "select name from sqlite_master WHERE type='table' AND "
580  "name='mapd_version_history'");
581  if (sqliteConnector_->getNumRows() == 0) {
582  sqliteConnector_->query(
583  "CREATE TABLE mapd_version_history(version integer, migration_history text "
584  "unique)");
585  } else {
586  sqliteConnector_->query(
587  "select * from mapd_version_history where migration_history = "
588  "'db_access_privileges'");
589  if (sqliteConnector_->getNumRows() != 0) {
590  // both privileges migrated
591  // no need for further execution
592  sqliteConnector_->query("END TRANSACTION");
593  return;
594  }
595  }
596  // Insert check for migration
597  sqliteConnector_->query_with_text_params(
598  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
599  std::vector<std::string>{std::to_string(MAPD_VERSION), "db_access_privileges"});
600 
601  sqliteConnector_->query("select dbid, name from mapd_databases");
602  std::unordered_map<int, string> databases;
603  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
604  databases[sqliteConnector_->getData<int>(i, 0)] =
605  sqliteConnector_->getData<string>(i, 1);
606  }
607 
608  sqliteConnector_->query("select userid, name from mapd_users");
609  std::unordered_map<int, string> users;
610  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
611  users[sqliteConnector_->getData<int>(i, 0)] =
612  sqliteConnector_->getData<string>(i, 1);
613  }
614 
615  // All existing users by default will be granted DB Access permissions
616  // and view sql editor privileges
617  DBMetadata dbmeta;
618  for (auto db_ : databases) {
619  CHECK(SysCatalog::instance().getMetadataForDB(db_.second, dbmeta));
620  for (auto user : users) {
621  if (user.first != OMNISCI_ROOT_USER_ID) {
622  {
623  DBObjectKey key;
625  key.dbId = dbmeta.dbId;
626 
627  // access permission;
628  DBObject object_access(key, AccessPrivileges::ACCESS, dbmeta.dbOwner);
629  object_access.setObjectType(DBObjectType::DatabaseDBObjectType);
630  object_access.setName(dbmeta.dbName);
631  // sql_editor permission
632  DBObject object_editor(
633  key, AccessPrivileges::VIEW_SQL_EDITOR, dbmeta.dbOwner);
634  object_editor.setObjectType(DBObjectType::DatabaseDBObjectType);
635  object_editor.setName(dbmeta.dbName);
636  object_editor.updatePrivileges(object_access);
638  sqliteConnector_, user.second, true, object_editor);
639  }
640  }
641  }
642  }
643  } catch (const std::exception& e) {
644  LOG(ERROR) << "Failed to migrate db access privileges: " << e.what();
645  sqliteConnector_->query("ROLLBACK TRANSACTION");
646  throw;
647  }
648  sqliteConnector_->query("END TRANSACTION");
649  LOG(INFO) << "Successfully migrated db access privileges";
650 }
static const AccessPrivileges VIEW_SQL_EDITOR
Definition: DBObject.h:145
#define LOG(tag)
Definition: Logger.h:185
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:334
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static SysCatalog & instance()
Definition: SysCatalog.h:242
CHECK(cgen_state)
static const int32_t MAPD_VERSION
Definition: release.h:33
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
int32_t dbId
Definition: DBObject.h:55
static const AccessPrivileges ACCESS
Definition: DBObject.h:146
int32_t permissionType
Definition: DBObject.h:54
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::migratePrivileged_old ( )
private

Definition at line 652 of file SysCatalog.cpp.

References sqliteConnector_.

Referenced by checkAndExecuteMigrations().

652  {
653  sys_sqlite_lock sqlite_lock(this);
654 
655  sqliteConnector_->query("BEGIN TRANSACTION");
656  try {
657  sqliteConnector_->query(
658  "CREATE TABLE IF NOT EXISTS mapd_privileges (userid integer references "
659  "mapd_users, dbid integer references "
660  "mapd_databases, select_priv boolean, insert_priv boolean, UNIQUE(userid, "
661  "dbid))");
662  } catch (const std::exception& e) {
663  sqliteConnector_->query("ROLLBACK TRANSACTION");
664  throw;
665  }
666  sqliteConnector_->query("END TRANSACTION");
667 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::migratePrivileges ( )
private

Definition at line 364 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD_MIGRATE, AccessPrivileges::ALL_TABLE_MIGRATE, AccessPrivileges::ALL_VIEW_MIGRATE, DashboardDBObjectType, DatabaseDBObjectType, DBObjectKey::dbId, Catalog_Namespace::insertOrUpdateObjectPrivileges(), AccessPrivileges::NONE, OMNISCI_ROOT_USER_ID, DBObjectKey::permissionType, sqliteConnector_, TableDBObjectType, and ViewDBObjectType.

Referenced by checkAndExecuteMigrations().

364  {
365  sys_sqlite_lock sqlite_lock(this);
366  sqliteConnector_->query("BEGIN TRANSACTION");
367  try {
368  sqliteConnector_->query(
369  "SELECT name FROM sqlite_master WHERE type='table' AND "
370  "name='mapd_object_permissions'");
371  if (sqliteConnector_->getNumRows() != 0) {
372  // already done
373  sqliteConnector_->query("END TRANSACTION");
374  return;
375  }
376 
377  sqliteConnector_->query(
378  "CREATE TABLE IF NOT EXISTS mapd_object_permissions ("
379  "roleName text, "
380  "roleType bool, "
381  "dbId integer references mapd_databases, "
382  "objectName text, "
383  "objectId integer, "
384  "objectPermissionsType integer, "
385  "objectPermissions integer, "
386  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
387  "objectId))");
388 
389  // get the list of databases and their grantees
390  sqliteConnector_->query(
391  "SELECT userid, dbid FROM mapd_privileges WHERE select_priv = 1 and insert_priv "
392  "= 1");
393  size_t numRows = sqliteConnector_->getNumRows();
394  vector<pair<int, int>> db_grantees(numRows);
395  for (size_t i = 0; i < numRows; ++i) {
396  db_grantees[i].first = sqliteConnector_->getData<int>(i, 0);
397  db_grantees[i].second = sqliteConnector_->getData<int>(i, 1);
398  }
399  // map user names to user ids
400  sqliteConnector_->query("select userid, name from mapd_users");
401  numRows = sqliteConnector_->getNumRows();
402  std::unordered_map<int, string> users_by_id;
403  std::unordered_map<int, bool> user_has_privs;
404  for (size_t i = 0; i < numRows; ++i) {
405  users_by_id[sqliteConnector_->getData<int>(i, 0)] =
406  sqliteConnector_->getData<string>(i, 1);
407  user_has_privs[sqliteConnector_->getData<int>(i, 0)] = false;
408  }
409  // map db names to db ids
410  sqliteConnector_->query("select dbid, name from mapd_databases");
411  numRows = sqliteConnector_->getNumRows();
412  std::unordered_map<int, string> dbs_by_id;
413  for (size_t i = 0; i < numRows; ++i) {
414  dbs_by_id[sqliteConnector_->getData<int>(i, 0)] =
415  sqliteConnector_->getData<string>(i, 1);
416  }
417  // migrate old privileges to new privileges: if user had insert access to database, he
418  // was a grantee
419  for (const auto& grantee : db_grantees) {
420  user_has_privs[grantee.first] = true;
421  auto dbName = dbs_by_id[grantee.second];
422  {
423  // table level permissions
424  DBObjectKey key;
426  key.dbId = grantee.second;
428  object.setName(dbName);
430  sqliteConnector_, users_by_id[grantee.first], true, object);
431  }
432 
433  {
434  // dashboard level permissions
435  DBObjectKey key;
437  key.dbId = grantee.second;
438  DBObject object(
440  object.setName(dbName);
442  sqliteConnector_, users_by_id[grantee.first], true, object);
443  }
444 
445  {
446  // view level permissions
447  DBObjectKey key;
449  key.dbId = grantee.second;
451  object.setName(dbName);
453  sqliteConnector_, users_by_id[grantee.first], true, object);
454  }
455  }
456  for (auto user : user_has_privs) {
457  auto dbName = dbs_by_id[0];
458  if (user.second == false && user.first != OMNISCI_ROOT_USER_ID) {
459  {
460  DBObjectKey key;
462  key.dbId = 0;
464  object.setName(dbName);
466  sqliteConnector_, users_by_id[user.first], true, object);
467  }
468  }
469  }
470  } catch (const std::exception&) {
471  sqliteConnector_->query("ROLLBACK TRANSACTION");
472  throw;
473  }
474  sqliteConnector_->query("END TRANSACTION");
475 }
static const AccessPrivileges ALL_TABLE_MIGRATE
Definition: DBObject.h:149
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:334
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static const AccessPrivileges ALL_DASHBOARD_MIGRATE
Definition: DBObject.h:161
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
static const AccessPrivileges NONE
Definition: DBObject.h:141
static const AccessPrivileges ALL_VIEW_MIGRATE
Definition: DBObject.h:169
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
int32_t dbId
Definition: DBObject.h:55
int32_t permissionType
Definition: DBObject.h:54

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::string Catalog_Namespace::SysCatalog::name ( ) const
inline

Definition at line 248 of file SysCatalog.h.

References OMNISCI_DEFAULT_DB.

Referenced by buildRoleMap(), createUser(), Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), and getMetadataForUser().

248 { return OMNISCI_DEFAULT_DB; }
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::populateRoleDbObjects ( const std::vector< DBObject > &  objects)

Definition at line 1970 of file SysCatalog.cpp.

References CHECK(), getMetadataForUserById(), getUserGrantee(), Catalog_Namespace::insertOrUpdateObjectPrivileges(), sqliteConnector_, and Catalog_Namespace::UserMetadata::userName.

Referenced by Catalog_Namespace::Catalog::recordOwnershipOfObjectsInObjectPermissions().

1970  {
1971  sys_write_lock write_lock(this);
1972  sys_sqlite_lock sqlite_lock(this);
1973  sqliteConnector_->query("BEGIN TRANSACTION");
1974  try {
1975  for (auto dbobject : objects) {
1976  UserMetadata user;
1977  CHECK(getMetadataForUserById(dbobject.getOwner(), user));
1978  auto* grantee = getUserGrantee(user.userName);
1979  if (grantee) {
1981  sqliteConnector_, grantee->getName(), true, dbobject);
1982  grantee->grantPrivileges(dbobject);
1983  }
1984  }
1985 
1986  } catch (const std::exception& e) {
1987  sqliteConnector_->query("ROLLBACK TRANSACTION");
1988  throw;
1989  }
1990  sqliteConnector_->query("END TRANSACTION");
1991 }
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:334
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
CHECK(cgen_state)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
User * getUserGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::renameDatabase ( std::string const &  old_name,
std::string const &  new_name 
)

Definition at line 923 of file SysCatalog.cpp.

References DatabaseDBObjectType, Catalog_Namespace::CommonFileOperations::duplicateAndRenameCatalog(), getMetadataForDB(), OMNISCI_SYSTEM_CATALOG, Catalog_Namespace::Catalog::remove(), Catalog_Namespace::CommonFileOperations::removeCatalogByFullPath(), sqliteConnector_, to_string(), to_upper(), and yieldTransactionStreamer().

924  {
925  using namespace std::string_literals;
926  sys_write_lock write_lock(this);
927  sys_sqlite_lock sqlite_lock(this);
928 
929  DBMetadata new_db;
930  if (getMetadataForDB(new_name, new_db)) {
931  throw std::runtime_error("Database " + new_name + " already exists.");
932  }
933  if (to_upper(new_name) == to_upper(OMNISCI_SYSTEM_CATALOG)) {
934  throw std::runtime_error("Database name " + new_name + "is reserved.");
935  }
936 
937  DBMetadata old_db;
938  if (!getMetadataForDB(old_name, old_db)) {
939  throw std::runtime_error("Database " + old_name + " does not exists.");
940  }
941 
942  Catalog::remove(old_db.dbName);
943 
944  std::string old_catalog_path, new_catalog_path;
945  std::tie(old_catalog_path, new_catalog_path) =
946  duplicateAndRenameCatalog(old_name, new_name);
947 
948  auto transaction_streamer = yieldTransactionStreamer();
949  auto failure_handler = [this, new_catalog_path] {
950  removeCatalogByFullPath(new_catalog_path);
951  };
952  auto success_handler = [this, old_catalog_path] {
953  removeCatalogByFullPath(old_catalog_path);
954  };
955 
956  auto q1 = {"UPDATE mapd_databases SET name=?1 WHERE name=?2;"s, new_name, old_name};
957  auto q2 = {
958  "UPDATE mapd_object_permissions SET objectName=?1 WHERE objectNAME=?2 and (objectPermissionsType=?3 or objectId = -1) and dbId=?4;"s,
959  new_name,
960  old_name,
962  std::to_string(old_db.dbId)};
963 
964  transaction_streamer(sqliteConnector_, success_handler, failure_handler, q1, q2);
965 }
auto duplicateAndRenameCatalog(std::string const &current_name, std::string const &new_name)
Definition: SysCatalog.cpp:90
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
std::string to_upper(const std::string &str)
static void remove(const std::string &dbName)
Definition: Catalog.cpp:3016
void removeCatalogByFullPath(std::string const &full_path)
Definition: SysCatalog.cpp:82
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::renameObjectsInDescriptorMap ( DBObject object,
const Catalog_Namespace::Catalog cat 
)

Definition at line 1702 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), objectDescriptorMap_, sqliteConnector_, and to_string().

Referenced by Catalog_Namespace::Catalog::renameTable().

1703  {
1704  sys_write_lock write_lock(this);
1705  sys_sqlite_lock sqlite_lock(this);
1706  auto range = objectDescriptorMap_.equal_range(
1707  std::to_string(cat.getCurrentDB().dbId) + ":" +
1708  std::to_string(object.getObjectKey().permissionType) + ":" +
1709  std::to_string(object.getObjectKey().objectId));
1710  for (auto d = range.first; d != range.second; ++d) {
1711  // rename object
1712  d->second->objectName = object.getName();
1713  }
1714 
1715  sqliteConnector_->query("BEGIN TRANSACTION");
1716  try {
1717  sqliteConnector_->query_with_text_params(
1718  "UPDATE mapd_object_permissions SET objectName = ?1 WHERE "
1719  "dbId = ?2 AND objectId = ?3",
1720  std::vector<std::string>{object.getName(),
1722  std::to_string(object.getObjectKey().objectId)});
1723  } catch (const std::exception& e) {
1724  sqliteConnector_->query("ROLLBACK TRANSACTION");
1725  throw;
1726  }
1727  sqliteConnector_->query("END TRANSACTION");
1728 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:176
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::renameUser ( std::string const &  old_name,
std::string const &  new_name 
)

Definition at line 890 of file SysCatalog.cpp.

References getGrantee(), getMetadataForUser(), sqliteConnector_, updateUserRoleName(), and yieldTransactionStreamer().

890  {
891  using namespace std::string_literals;
892  sys_write_lock write_lock(this);
893  sys_sqlite_lock sqlite_lock(this);
894 
895  UserMetadata old_user;
896  if (!getMetadataForUser(old_name, old_user)) {
897  throw std::runtime_error("User " + old_name + " doesn't exist.");
898  }
899 
900  UserMetadata new_user;
901  if (getMetadataForUser(new_name, new_user)) {
902  throw std::runtime_error("User " + new_name + " already exists.");
903  }
904 
905  if (getGrantee(new_name)) {
906  throw runtime_error(
907  "User name " + new_name +
908  " is same as one of existing grantees. User and role names should be unique.");
909  }
910 
911  auto transaction_streamer = yieldTransactionStreamer();
912  auto failure_handler = [] {};
913  auto success_handler = [this, &old_name, &new_name] {
914  updateUserRoleName(old_name, new_name);
915  };
916  auto q1 = {"UPDATE mapd_users SET name=?1 where name=?2;"s, new_name, old_name};
917  auto q2 = {"UPDATE mapd_object_permissions set roleName=?1 WHERE roleName=?2;"s,
918  new_name,
919  old_name};
920  transaction_streamer(sqliteConnector_, success_handler, failure_handler, q1, q2);
921 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
void updateUserRoleName(const std::string &roleName, const std::string &newName)
Definition: SysCatalog.cpp:878

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::revokeAllOnDatabase_unsafe ( const std::string &  roleName,
int32_t  dbId,
Grantee grantee 
)
private

Definition at line 1483 of file SysCatalog.cpp.

References objectDescriptorMap_, Grantee::revokeAllOnDatabase(), sqliteConnector_, and to_string().

Referenced by dropDatabase(), and revokeDBObjectPrivileges_unsafe().

1485  {
1486  sys_sqlite_lock sqlite_lock(this);
1487  sqliteConnector_->query_with_text_params(
1488  "DELETE FROM mapd_object_permissions WHERE roleName = ?1 and dbId = ?2",
1489  std::vector<std::string>{roleName, std::to_string(dbId)});
1490  grantee->revokeAllOnDatabase(dbId);
1491  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
1492  if (d->second->roleName == roleName && d->second->dbId == dbId) {
1493  delete d->second;
1494  d = objectDescriptorMap_.erase(d);
1495  } else {
1496  d++;
1497  }
1498  }
1499 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
virtual void revokeAllOnDatabase(int32_t dbId)
Definition: Grantee.cpp:279
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDashboardSystemRole ( const std::string  roleName,
const std::vector< std::string >  grantees 
)

Definition at line 1911 of file SysCatalog.cpp.

References getGrantee(), getRoleGrantee(), instance(), and revokeRole().

1912  {
1913  auto* rl = getRoleGrantee(roleName);
1914  for (auto granteeName : grantees) {
1915  const auto* grantee = SysCatalog::instance().getGrantee(granteeName);
1916  if (rl && grantee->hasRole(rl, true)) {
1917  // Grantees existence have been already validated
1918  SysCatalog::instance().revokeRole(roleName, granteeName);
1919  }
1920  }
1921 }
Grantee * getGrantee(const std::string &name) const
static SysCatalog & instance()
Definition: SysCatalog.h:242
Role * getRoleGrantee(const std::string &name) const
void revokeRole(const std::string &role, const std::string &grantee)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivileges ( const std::string &  grantee,
const DBObject object,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2121 of file SysCatalog.cpp.

References execInTransaction(), and revokeDBObjectPrivileges_unsafe().

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole().

2123  {
2125  &SysCatalog::revokeDBObjectPrivileges_unsafe, grantee, object, catalog);
2126 }
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivileges_unsafe ( const std::string &  granteeName,
DBObject  object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1445 of file SysCatalog.cpp.

References DatabasePrivileges::ALL, DatabaseDBObjectType, deleteObjectDescriptorMap(), Catalog_Namespace::deleteObjectPrivileges(), getGrantee(), getMetadataForUser(), Catalog_Namespace::insertOrUpdateObjectPrivileges(), instance(), Catalog_Namespace::UserMetadata::isSuper, revokeAllOnDatabase_unsafe(), sqliteConnector_, and updateObjectDescriptorMap().

Referenced by revokeDBObjectPrivileges(), revokeDBObjectPrivilegesBatch_unsafe(), and revokeDBObjectPrivilegesFromAll_unsafe().

1448  {
1449  sys_write_lock write_lock(this);
1450 
1451  UserMetadata user_meta;
1452  if (instance().getMetadataForUser(granteeName, user_meta)) {
1453  if (user_meta.isSuper) {
1454  // super doesn't have explicit privileges so nothing to do
1455  return;
1456  }
1457  }
1458  auto* grantee = getGrantee(granteeName);
1459  if (!grantee) {
1460  throw runtime_error("Request to revoke privileges from " + granteeName +
1461  " failed because role or user with this name does not exist.");
1462  }
1463  object.loadKey(catalog);
1464 
1465  if (object.getPrivileges().hasPermission(DatabasePrivileges::ALL) &&
1466  object.getObjectKey().permissionType == DatabaseDBObjectType) {
1467  return revokeAllOnDatabase_unsafe(granteeName, object.getObjectKey().dbId, grantee);
1468  }
1469 
1470  auto ret_object = grantee->revokePrivileges(object);
1471  if (ret_object) {
1472  sys_sqlite_lock sqlite_lock(this);
1474  sqliteConnector_, granteeName, grantee->isUser(), *ret_object);
1475  updateObjectDescriptorMap(granteeName, *ret_object, grantee->isUser(), catalog);
1476  } else {
1477  sys_sqlite_lock sqlite_lock(this);
1478  deleteObjectPrivileges(sqliteConnector_, granteeName, grantee->isUser(), object);
1479  deleteObjectDescriptorMap(granteeName, object, catalog);
1480  }
1481 }
void revokeAllOnDatabase_unsafe(const std::string &roleName, int32_t dbId, Grantee *grantee)
static const int32_t ALL
Definition: DBObject.h:78
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:334
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
static SysCatalog & instance()
Definition: SysCatalog.h:242
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337
void deleteObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:315
void deleteObjectDescriptorMap(const std::string &roleName)
void updateObjectDescriptorMap(const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesBatch ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2128 of file SysCatalog.cpp.

References execInTransaction(), and revokeDBObjectPrivilegesBatch_unsafe().

2131  {
2133  &SysCatalog::revokeDBObjectPrivilegesBatch_unsafe, grantees, objects, catalog);
2134 }
void revokeDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesBatch_unsafe ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1433 of file SysCatalog.cpp.

References revokeDBObjectPrivileges_unsafe().

Referenced by revokeDBObjectPrivilegesBatch().

1436  {
1437  for (const auto& grantee : grantees) {
1438  for (const auto& object : objects) {
1439  revokeDBObjectPrivileges_unsafe(grantee, object, catalog);
1440  }
1441  }
1442 }
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesFromAll ( DBObject  object,
Catalog catalog 
)

Definition at line 2136 of file SysCatalog.cpp.

References execInTransaction(), and revokeDBObjectPrivilegesFromAll_unsafe().

Referenced by Catalog_Namespace::Catalog::deleteMetadataForDashboard(), and Catalog_Namespace::Catalog::dropTable().

2136  {
2138 }
void execInTransaction(F &&f, Args &&...args)
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesFromAll_unsafe ( DBObject  object,
Catalog catalog 
)

Definition at line 1501 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_TABLE, DashboardDBObjectType, DBObject::getObjectKey(), granteeMap_, DBObject::loadKey(), DBObjectKey::permissionType, revokeDBObjectPrivileges_unsafe(), DBObject::setPrivileges(), and TableDBObjectType.

Referenced by dropDatabase(), and revokeDBObjectPrivilegesFromAll().

1502  {
1503  sys_write_lock write_lock(this);
1504  dbObject.loadKey(*catalog);
1505  auto privs = (dbObject.getObjectKey().permissionType == TableDBObjectType)
1507  : (dbObject.getObjectKey().permissionType == DashboardDBObjectType)
1510  dbObject.setPrivileges(privs);
1511  for (const auto& grantee : granteeMap_) {
1512  if (grantee.second->findDbObject(dbObject.getObjectKey(), true)) {
1513  revokeDBObjectPrivileges_unsafe(grantee.second->getName(), dbObject, *catalog);
1514  }
1515  }
1516 }
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:162
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:150

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeRole ( const std::string &  role,
const std::string &  grantee 
)

Definition at line 2103 of file SysCatalog.cpp.

References execInTransaction(), and revokeRole_unsafe().

Referenced by revokeDashboardSystemRole(), and syncUserWithRemoteProvider().

2103  {
2105 }
void execInTransaction(F &&f, Args &&...args)
void revokeRole_unsafe(const std::string &roleName, const std::string &granteeName)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeRole_unsafe ( const std::string &  roleName,
const std::string &  granteeName 
)
private

Definition at line 1645 of file SysCatalog.cpp.

References getGrantee(), getRoleGrantee(), and sqliteConnector_.

Referenced by revokeRole(), and revokeRoleBatch_unsafe().

1646  {
1647  auto* rl = getRoleGrantee(roleName);
1648  if (!rl) {
1649  throw runtime_error("Request to revoke role " + roleName +
1650  " failed because role with this name does not exist.");
1651  }
1652  auto* grantee = getGrantee(granteeName);
1653  if (!grantee) {
1654  throw runtime_error("Request to revoke role from " + granteeName +
1655  " failed because grantee with this name does not exist.");
1656  }
1657  sys_write_lock write_lock(this);
1658  grantee->revokeRole(rl);
1659  sys_sqlite_lock sqlite_lock(this);
1660  sqliteConnector_->query_with_text_params(
1661  "DELETE FROM mapd_roles WHERE roleName = ? AND userName = ?",
1662  std::vector<std::string>{rl->getName(), grantee->getName()});
1663 }
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
Role * getRoleGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeRoleBatch ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)

Definition at line 2098 of file SysCatalog.cpp.

References execInTransaction(), and revokeRoleBatch_unsafe().

2099  {
2101 }
void revokeRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::revokeRoleBatch_unsafe ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)
private

Definition at line 1635 of file SysCatalog.cpp.

References revokeRole_unsafe().

Referenced by revokeRoleBatch().

1636  {
1637  for (const auto& role : roles) {
1638  for (const auto& grantee : grantees) {
1639  revokeRole_unsafe(role, grantee);
1640  }
1641  }
1642 }
void revokeRole_unsafe(const std::string &roleName, const std::string &granteeName)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::switchDatabase ( std::string &  dbname,
const std::string &  username 
)

Definition at line 706 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, basePath_, calciteMgr_, checkPrivileges(), DatabaseDBObjectType, dataMgr_, Catalog_Namespace::Catalog::get(), getMetadataWithDefault(), DBObject::loadKey(), DBObject::setPrivileges(), and string_dict_hosts_.

707  {
708  DBMetadata db_meta;
709  UserMetadata user_meta;
710 
711  getMetadataWithDefault(dbname, username, db_meta, user_meta);
712 
713  // NOTE(max): register database in Catalog that early to allow ldap
714  // and saml create default user and role privileges on databases
715  auto cat =
717 
718  DBObject dbObject(dbname, DatabaseDBObjectType);
719  dbObject.loadKey();
720  dbObject.setPrivileges(AccessPrivileges::ACCESS);
721  if (!checkPrivileges(user_meta, std::vector<DBObject>{dbObject})) {
722  throw std::runtime_error("Invalid credentials.");
723  }
724 
725  return cat;
726 }
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:2990
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:339
void getMetadataWithDefault(std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
static const AccessPrivileges ACCESS
Definition: DBObject.h:146
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:344
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:343

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::syncUserWithRemoteProvider ( const std::string &  user_name,
const std::vector< std::string > &  roles,
bool *  issuper 
)

Definition at line 2140 of file SysCatalog.cpp.

References alterUser(), createUser(), generate_random_string(), getMetadataForUser(), getRoleGrantee(), getUserGrantee(), grantRole(), logger::INFO, Catalog_Namespace::UserMetadata::isSuper, LOG, revokeRole(), to_upper(), Catalog_Namespace::UserMetadata::userId, and logger::WARNING.

2142  {
2143  UserMetadata user_meta;
2144  if (!getMetadataForUser(user_name, user_meta)) {
2145  createUser(user_name, generate_random_string(72), is_super ? *is_super : false, "");
2146  } else if (is_super && *is_super != user_meta.isSuper) {
2147  alterUser(user_meta.userId, nullptr, is_super, nullptr);
2148  }
2149  std::vector<std::string> current_roles = {};
2150  auto* user_rl = getUserGrantee(user_name);
2151  if (user_rl) {
2152  current_roles = user_rl->getRoles();
2153  }
2154  std::for_each(current_roles.begin(), current_roles.end(), to_upper);
2155  std::for_each(roles.begin(), roles.end(), to_upper);
2156  // first remove obsolete ones
2157  for (auto& current_role_name : current_roles) {
2158  if (std::find(roles.begin(), roles.end(), current_role_name) == roles.end()) {
2159  revokeRole(current_role_name, user_name);
2160  }
2161  }
2162  // now re-add them
2163  std::stringstream ss;
2164  ss << "Roles synchronized for user " << user_name << ": ";
2165  for (auto& role_name : roles) {
2166  auto* rl = getRoleGrantee(role_name);
2167  if (rl) {
2168  grantRole(role_name, user_name);
2169  ss << role_name << " ";
2170  } else {
2171  LOG(WARNING) << "Error synchronizing roles for user " << user_name << ": role "
2172  << role_name << " does not exist.";
2173  }
2174  }
2175  LOG(INFO) << ss.str();
2176 }
#define LOG(tag)
Definition: Logger.h:185
bool getMetadataForUser(const std::string &name, UserMetadata &user)
void alterUser(const int32_t userid, const std::string *passwd, bool *issuper, const std::string *dbname)
Definition: SysCatalog.cpp:811
void createUser(const std::string &name, const std::string &passwd, bool issuper, const std::string &dbname)
Definition: SysCatalog.cpp:728
std::string generate_random_string(const size_t len)
Role * getRoleGrantee(const std::string &name) const
User * getUserGrantee(const std::string &name) const
std::string to_upper(const std::string &str)
void grantRole(const std::string &role, const std::string &grantee)
void revokeRole(const std::string &role, const std::string &grantee)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::updateBlankPasswordsToRandom ( )
private

Definition at line 528 of file SysCatalog.cpp.

References CHECK(), logger::ERROR, generate_random_string(), anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), LOG, MAPD_VERSION, sqliteConnector_, to_string(), and logger::WARNING.

Referenced by checkAndExecuteMigrations().

528  {
529  const std::string UPDATE_BLANK_PASSWORDS_TO_RANDOM = "update_blank_passwords_to_random";
530  sqliteConnector_->query_with_text_params(
531  "SELECT migration_history FROM mapd_version_history WHERE migration_history = ?",
532  std::vector<std::string>{UPDATE_BLANK_PASSWORDS_TO_RANDOM});
533  if (sqliteConnector_->getNumRows()) {
534  return;
535  }
536 
537  sqliteConnector_->query("BEGIN TRANSACTION");
538  try {
539  sqliteConnector_->query(
540  "SELECT userid, passwd_hash, name FROM mapd_users WHERE name <> 'mapd'");
541  auto numRows = sqliteConnector_->getNumRows();
542  vector<std::string> users, passwords, names;
543  for (size_t i = 0; i < numRows; i++) {
544  users.push_back(sqliteConnector_->getData<std::string>(i, 0));
545  passwords.push_back(sqliteConnector_->getData<std::string>(i, 1));
546  names.push_back(sqliteConnector_->getData<std::string>(i, 2));
547  }
548  for (size_t i = 0; i < users.size(); ++i) {
549  int pwd_check_result = bcrypt_checkpw("", passwords[i].c_str());
550  // if the check fails there is a good chance that data on disc is broken
551  CHECK(pwd_check_result >= 0);
552  if (pwd_check_result != 0) {
553  continue;
554  }
555  LOG(WARNING) << "resetting blank password for user " << names[i] << " (" << users[i]
556  << ") to a random password";
557  sqliteConnector_->query_with_text_params(
558  "UPDATE mapd_users SET passwd_hash = ? WHERE userid = ?",
559  std::vector<std::string>{hash_with_bcrypt(generate_random_string(72)),
560  users[i]});
561  }
562  sqliteConnector_->query_with_text_params(
563  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
564  std::vector<std::string>{std::to_string(MAPD_VERSION),
565  UPDATE_BLANK_PASSWORDS_TO_RANDOM});
566  } catch (const std::exception& e) {
567  LOG(ERROR) << "Failed to fix blank passwords: " << e.what();
568  sqliteConnector_->query("ROLLBACK TRANSACTION");
569  throw;
570  }
571  sqliteConnector_->query("END TRANSACTION");
572 }
#define LOG(tag)
Definition: Logger.h:185
std::string to_string(char const *&&v)
CHECK(cgen_state)
std::string generate_random_string(const size_t len)
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:61
static const int32_t MAPD_VERSION
Definition: release.h:33
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::updateObjectDescriptorMap ( const std::string &  roleName,
DBObject object,
bool  roleType,
const Catalog_Namespace::Catalog cat 
)
private

Definition at line 1666 of file SysCatalog.cpp.

References ObjectRoleDescriptor::dbId, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), objectDescriptorMap_, ObjectRoleDescriptor::objectId, ObjectRoleDescriptor::objectName, ObjectRoleDescriptor::objectOwnerId, ObjectRoleDescriptor::objectType, ObjectRoleDescriptor::privs, ObjectRoleDescriptor::roleName, ObjectRoleDescriptor::roleType, and to_string().

Referenced by grantDBObjectPrivileges_unsafe(), and revokeDBObjectPrivileges_unsafe().

1669  {
1670  bool present = false;
1671  auto privs = object.getPrivileges();
1672  sys_write_lock write_lock(this);
1673  auto range = objectDescriptorMap_.equal_range(
1674  std::to_string(cat.getCurrentDB().dbId) + ":" +
1675  std::to_string(object.getObjectKey().permissionType) + ":" +
1676  std::to_string(object.getObjectKey().objectId));
1677  for (auto d = range.first; d != range.second; ++d) {
1678  if (d->second->roleName == roleName) {
1679  // overwrite permissions
1680  d->second->privs = privs;
1681  present = true;
1682  }
1683  }
1684  if (!present) {
1686  od->roleName = roleName;
1687  od->roleType = roleType;
1688  od->objectType = object.getObjectKey().permissionType;
1689  od->dbId = object.getObjectKey().dbId;
1690  od->objectId = object.getObjectKey().objectId;
1691  od->privs = object.getPrivileges();
1692  od->objectOwnerId = object.getOwner();
1693  od->objectName = object.getName();
1694  objectDescriptorMap_.insert(ObjectRoleDescriptorMap::value_type(
1695  std::to_string(od->dbId) + ":" + std::to_string(od->objectType) + ":" +
1696  std::to_string(od->objectId),
1697  od));
1698  }
1699 }
specifies the object_roles content in-memory of a row in mapd_object_permissions table ...
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:336
std::string to_string(char const *&&v)
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:176
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::updatePasswordsToHashes ( )
private

Definition at line 477 of file SysCatalog.cpp.

References logger::ERROR, anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), logger::INFO, LOG, and sqliteConnector_.

Referenced by checkAndExecuteMigrations().

477  {
478  sqliteConnector_->query("BEGIN TRANSACTION");
479  try {
480  sqliteConnector_->query(
481  "SELECT name FROM sqlite_master WHERE type='table' AND name='mapd_users'");
482  if (sqliteConnector_->getNumRows() == 0) {
483  // Nothing to update
484  sqliteConnector_->query("END TRANSACTION");
485  return;
486  }
487  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
488  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
489  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
490  if (col_name == "passwd_hash") {
491  sqliteConnector_->query("END TRANSACTION");
492  return;
493  }
494  }
495  // Alas, SQLite can't drop columns so we have to recreate the table
496  // (or, optionally, add the new column and reset the old one to a bunch of nulls)
497  sqliteConnector_->query("SELECT userid, passwd FROM mapd_users");
498  auto numRows = sqliteConnector_->getNumRows();
499  vector<std::string> users, passwords;
500  for (size_t i = 0; i < numRows; i++) {
501  users.push_back(sqliteConnector_->getData<std::string>(i, 0));
502  passwords.push_back(sqliteConnector_->getData<std::string>(i, 1));
503  }
504  sqliteConnector_->query(
505  "CREATE TABLE mapd_users_tmp (userid integer primary key, name text unique, "
506  "passwd_hash text, issuper boolean, default_db integer references "
507  "mapd_databases)");
508  sqliteConnector_->query(
509  "INSERT INTO mapd_users_tmp(userid, name, passwd_hash, issuper, default_db) "
510  "SELECT userid, name, null, issuper, default_db FROM mapd_users");
511  for (size_t i = 0; i < users.size(); ++i) {
512  sqliteConnector_->query_with_text_params(
513  "UPDATE mapd_users_tmp SET passwd_hash = ? WHERE userid = ?",
514  std::vector<std::string>{hash_with_bcrypt(passwords[i]), users[i]});
515  }
516  sqliteConnector_->query("DROP TABLE mapd_users");
517  sqliteConnector_->query("ALTER TABLE mapd_users_tmp RENAME TO mapd_users");
518  } catch (const std::exception& e) {
519  LOG(ERROR) << "Failed to hash passwords: " << e.what();
520  sqliteConnector_->query("ROLLBACK TRANSACTION");
521  throw;
522  }
523  sqliteConnector_->query("END TRANSACTION");
524  sqliteConnector_->query("VACUUM"); // physically delete plain text passwords
525  LOG(INFO) << "Passwords were successfully hashed";
526 }
#define LOG(tag)
Definition: Logger.h:185
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:61
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::updateUserRoleName ( const std::string &  roleName,
const std::string &  newName 
)
private

Definition at line 878 of file SysCatalog.cpp.

References granteeMap_, and to_upper().

Referenced by renameUser().

879  {
880  sys_write_lock write_lock(this);
881 
882  auto it = granteeMap_.find(to_upper(roleName));
883  if (it != granteeMap_.end()) {
884  it->second->setName(newName);
885  std::swap(granteeMap_[to_upper(newName)], it->second);
886  granteeMap_.erase(it);
887  }
888 }
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:75
std::string to_upper(const std::string &str)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::updateUserSchema ( )
private

Definition at line 206 of file SysCatalog.cpp.

References sqliteConnector_.

Referenced by checkAndExecuteMigrations().

206  {
207  sys_sqlite_lock sqlite_lock(this);
208 
209  // check to see if the new column already exists
210  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
211  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
212  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
213  if (col_name == "default_db") {
214  return; // new column already exists
215  }
216  }
217 
218  // create the new column
219  sqliteConnector_->query("BEGIN TRANSACTION");
220  try {
221  sqliteConnector_->query(
222  "ALTER TABLE mapd_users ADD COLUMN default_db INTEGER REFERENCES mapd_databases");
223  } catch (const std::exception& e) {
224  sqliteConnector_->query("ROLLBACK TRANSACTION");
225  throw;
226  }
227  sqliteConnector_->query("END TRANSACTION");
228 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:76
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:337

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::verifyDBObjectOwnership ( const UserMetadata user,
DBObject  object,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 1518 of file SysCatalog.cpp.

References Grantee::findDbObject(), getUserGrantee(), instance(), Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

1520  {
1521  sys_read_lock read_lock(this);
1522 
1523  auto* grantee = instance().getUserGrantee(user.userName);
1524  if (grantee) {
1525  object.loadKey(catalog);
1526  auto* found_object = grantee->findDbObject(object.getObjectKey(), false);
1527  if (found_object && found_object->getOwner() == user.userId) {
1528  return true;
1529  }
1530  }
1531  return false;
1532 }
read_lock< SysCatalog > sys_read_lock
Definition: SysCatalog.cpp:74
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:72
static SysCatalog & instance()
Definition: SysCatalog.h:242
User * getUserGrantee(const std::string &name) const

+ Here is the call graph for this function:

auto Catalog_Namespace::SysCatalog::yieldTransactionStreamer ( )
private

Definition at line 855 of file SysCatalog.cpp.

Referenced by renameDatabase(), and renameUser().

855  {
856  return
857  [](auto& db_connector, auto on_success, auto on_failure, auto&&... query_requests) {
858  auto query_runner = [&db_connector](auto&&... query_reqs) {
859  [[gnu::unused]] int throw_away[] = {
860  (db_connector->query_with_text_params(
861  std::forward<decltype(query_reqs)>(query_reqs)),
862  0)...};
863  };
864 
865  db_connector->query("BEGIN TRANSACTION");
866  try {
867  query_runner(std::forward<decltype(query_requests)>(query_requests)...);
868  on_success();
869  } catch (std::exception&) {
870  db_connector->query("ROLLBACK TRANSACTION");
871  on_failure();
872  throw;
873  }
874  db_connector->query("END TRANSACTION");
875  };
876 }

+ Here is the caller graph for this function:

Member Data Documentation

bool Catalog_Namespace::SysCatalog::aggregator_
private

Definition at line 345 of file SysCatalog.h.

Referenced by init(), and isAggregator().

const AuthMetadata* Catalog_Namespace::SysCatalog::authMetadata_
private

Definition at line 342 of file SysCatalog.h.

Referenced by init().

std::string Catalog_Namespace::SysCatalog::basePath_
private
std::shared_ptr<Calcite> Catalog_Namespace::SysCatalog::calciteMgr_
private

Definition at line 343 of file SysCatalog.h.

Referenced by createDatabase(), dropDatabase(), getCalciteMgr(), init(), login(), and switchDatabase().

std::shared_ptr<Data_Namespace::DataMgr> Catalog_Namespace::SysCatalog::dataMgr_
private

Definition at line 339 of file SysCatalog.h.

Referenced by createDatabase(), dropDatabase(), getDataMgr(), init(), login(), and switchDatabase().

std::unique_ptr<LdapServer> Catalog_Namespace::SysCatalog::ldap_server_
private

Definition at line 340 of file SysCatalog.h.

Referenced by init().

std::unique_ptr<RestServer> Catalog_Namespace::SysCatalog::rest_server_
private

Definition at line 341 of file SysCatalog.h.

Referenced by init().

mapd_shared_mutex Catalog_Namespace::SysCatalog::sharedMutex_
mutable

Definition at line 350 of file SysCatalog.h.

std::mutex Catalog_Namespace::SysCatalog::sqliteMutex_
mutable

Definition at line 349 of file SysCatalog.h.

std::vector<LeafHostInfo> Catalog_Namespace::SysCatalog::string_dict_hosts_
private

Definition at line 344 of file SysCatalog.h.

Referenced by createDatabase(), dropDatabase(), init(), login(), and switchDatabase().

std::atomic<std::thread::id> Catalog_Namespace::SysCatalog::thread_holding_sqlite_lock
mutable

Definition at line 351 of file SysCatalog.h.

std::atomic<std::thread::id> Catalog_Namespace::SysCatalog::thread_holding_write_lock
mutable

Definition at line 352 of file SysCatalog.h.

thread_local bool Catalog_Namespace::SysCatalog::thread_holds_read_lock = false
static

Definition at line 353 of file SysCatalog.h.


The documentation for this class was generated from the following files: