OmniSciDB  06b3bd477c
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
Catalog_Namespace::SysCatalog Class Reference

#include <SysCatalog.h>

+ Inheritance diagram for Catalog_Namespace::SysCatalog:
+ Collaboration diagram for Catalog_Namespace::SysCatalog:

Public Member Functions

void init (const std::string &basePath, std::shared_ptr< Data_Namespace::DataMgr > dataMgr, const AuthMetadata &authMetadata, std::shared_ptr< Calcite > calcite, bool is_new_db, bool aggregator, const std::vector< LeafHostInfo > &string_dict_hosts)
 
std::shared_ptr< Cataloglogin (std::string &db, std::string &username, const std::string &password, UserMetadata &user_meta, bool check_password=true)
 
std::shared_ptr< CatalogswitchDatabase (std::string &dbname, const std::string &username)
 
void createUser (const std::string &name, const std::string &passwd, bool issuper, const std::string &dbname, bool can_login)
 
void dropUser (const std::string &name)
 
void alterUser (const int32_t userid, const std::string *passwd, bool *issuper, const std::string *dbname, bool *can_login)
 
void renameUser (std::string const &old_name, std::string const &new_name)
 
void createDatabase (const std::string &dbname, int owner)
 
void renameDatabase (std::string const &old_name, std::string const &new_name)
 
void dropDatabase (const DBMetadata &db)
 
bool getMetadataForUser (const std::string &name, UserMetadata &user)
 
bool getMetadataForUserById (const int32_t idIn, UserMetadata &user)
 
bool checkPasswordForUser (const std::string &passwd, std::string &name, UserMetadata &user)
 
void getMetadataWithDefaultDB (std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
 
bool getMetadataForDB (const std::string &name, DBMetadata &db)
 
bool getMetadataForDBById (const int32_t idIn, DBMetadata &db)
 
Data_Namespace::DataMgrgetDataMgr () const
 
CalcitegetCalciteMgr () const
 
const std::string & getBasePath () const
 
SqliteConnectorgetSqliteConnector ()
 
std::list< DBMetadatagetAllDBMetadata ()
 
std::list< UserMetadatagetAllUserMetadata ()
 
std::list< UserMetadatagetAllUserMetadata (const int64_t dbId)
 
DBSummaryList getDatabaseListForUser (const UserMetadata &user)
 
void createDBObject (const UserMetadata &user, const std::string &objectName, DBObjectType type, const Catalog_Namespace::Catalog &catalog, int32_t objectId=-1)
 
void renameDBObject (const std::string &objectName, const std::string &newName, DBObjectType type, int32_t objectId, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivileges (const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivilegesBatch (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivileges (const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesBatch (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesFromAll (DBObject object, Catalog *catalog)
 
void revokeDBObjectPrivilegesFromAll_unsafe (DBObject object, Catalog *catalog)
 
void revokeDBObjectPrivilegesFromAllBatch (std::vector< DBObject > &objects, Catalog *catalog)
 
void revokeDBObjectPrivilegesFromAllBatch_unsafe (std::vector< DBObject > &objects, Catalog *catalog)
 
void getDBObjectPrivileges (const std::string &granteeName, DBObject &object, const Catalog_Namespace::Catalog &catalog) const
 
bool verifyDBObjectOwnership (const UserMetadata &user, DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void changeDBObjectOwnership (const UserMetadata &new_owner, const UserMetadata &previous_owner, DBObject object, const Catalog_Namespace::Catalog &catalog, bool revoke_privileges=true)
 
void createRole (const std::string &roleName, const bool &userPrivateRole=false)
 
void dropRole (const std::string &roleName)
 
void grantRoleBatch (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void grantRole (const std::string &role, const std::string &grantee)
 
void revokeRoleBatch (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void revokeRole (const std::string &role, const std::string &grantee)
 
bool hasAnyPrivileges (const UserMetadata &user, std::vector< DBObject > &privObjects)
 
bool checkPrivileges (const UserMetadata &user, const std::vector< DBObject > &privObjects) const
 
bool checkPrivileges (const std::string &userName, const std::vector< DBObject > &privObjects) const
 
GranteegetGrantee (const std::string &name) const
 
RolegetRoleGrantee (const std::string &name) const
 
UsergetUserGrantee (const std::string &name) const
 
std::vector
< ObjectRoleDescriptor * > 
getMetadataForObject (int32_t dbId, int32_t dbType, int32_t objectId) const
 
bool isRoleGrantedToGrantee (const std::string &granteeName, const std::string &roleName, bool only_direct) const
 
std::vector< std::string > getRoles (bool userPrivateRole, bool isSuper, const std::string &userName)
 
std::vector< std::string > getRoles (const std::string &userName, const int32_t dbId)
 
void revokeDashboardSystemRole (const std::string roleName, const std::vector< std::string > grantees)
 
bool isAggregator () const
 
void populateRoleDbObjects (const std::vector< DBObject > &objects)
 
std::string name () const
 
void renameObjectsInDescriptorMap (DBObject &object, const Catalog_Namespace::Catalog &cat)
 
void syncUserWithRemoteProvider (const std::string &user_name, std::vector< std::string > idp_roles, bool *issuper)
 
std::unordered_map
< std::string, std::vector
< std::string > > 
getGranteesOfSharedDashboards (const std::vector< std::string > &dashboard_ids)
 
void check_for_session_encryption (const std::string &pki_cert, std::string &session)
 

Static Public Member Functions

static SysCataloginstance ()
 

Public Attributes

std::mutex sqliteMutex_
 
mapd_shared_mutex sharedMutex_
 
std::atomic< std::thread::id > thread_holding_sqlite_lock
 
std::atomic< std::thread::id > thread_holding_write_lock
 

Static Public Attributes

static thread_local bool thread_holds_read_lock = false
 

Private Types

using GranteeMap = std::map< std::string, Grantee * >
 
using ObjectRoleDescriptorMap = std::multimap< std::string, ObjectRoleDescriptor * >
 

Private Member Functions

 SysCatalog ()
 
virtual ~SysCatalog ()
 
void initDB ()
 
void buildRoleMap ()
 
void buildUserRoleMap ()
 
void buildObjectDescriptorMap ()
 
void checkAndExecuteMigrations ()
 
void importDataFromOldMapdDB ()
 
void createUserRoles ()
 
void migratePrivileges ()
 
void migratePrivileged_old ()
 
void updateUserSchema ()
 
void updatePasswordsToHashes ()
 
void updateBlankPasswordsToRandom ()
 
void updateSupportUserDeactivation ()
 
void migrateDBAccessPrivileges ()
 
void loginImpl (std::string &username, const std::string &password, UserMetadata &user_meta)
 
bool checkPasswordForUserImpl (const std::string &passwd, std::string &name, UserMetadata &user)
 
void grantDefaultPrivilegesToRole_unsafe (const std::string &name, bool issuper)
 
void createRole_unsafe (const std::string &roleName, const bool &userPrivateRole=false)
 
void dropRole_unsafe (const std::string &roleName)
 
void grantRoleBatch_unsafe (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void grantRole_unsafe (const std::string &roleName, const std::string &granteeName)
 
void revokeRoleBatch_unsafe (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void revokeRole_unsafe (const std::string &roleName, const std::string &granteeName)
 
void updateObjectDescriptorMap (const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
 
void deleteObjectDescriptorMap (const std::string &roleName)
 
void deleteObjectDescriptorMap (const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &cat)
 
void grantDBObjectPrivilegesBatch_unsafe (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivileges_unsafe (const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesBatch_unsafe (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivileges_unsafe (const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void grantAllOnDatabase_unsafe (const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void revokeAllOnDatabase_unsafe (const std::string &roleName, int32_t dbId, Grantee *grantee)
 
bool isDashboardSystemRole (const std::string &roleName)
 
void updateUserRoleName (const std::string &roleName, const std::string &newName)
 
template<typename F , typename... Args>
void execInTransaction (F &&f, Args &&...args)
 
auto yieldTransactionStreamer ()
 
- Private Member Functions inherited from Catalog_Namespace::CommonFileOperations
 CommonFileOperations (std::string const &base_path)
 
void removeCatalogByFullPath (std::string const &full_path)
 
void removeCatalogByName (std::string const &name)
 
auto duplicateAndRenameCatalog (std::string const &current_name, std::string const &new_name)
 
auto assembleCatalogName (std::string const &name)
 

Private Attributes

std::string basePath_
 
GranteeMap granteeMap_
 
ObjectRoleDescriptorMap objectDescriptorMap_
 
std::unique_ptr< SqliteConnectorsqliteConnector_
 
std::shared_ptr
< Data_Namespace::DataMgr
dataMgr_
 
std::unique_ptr< LdapServerldap_server_
 
std::unique_ptr< RestServerrest_server_
 
std::unique_ptr< PkiServerpki_server_
 
const AuthMetadataauthMetadata_
 
std::shared_ptr< CalcitecalciteMgr_
 
std::vector< LeafHostInfostring_dict_hosts_
 
bool aggregator_
 

Detailed Description

Definition at line 141 of file SysCatalog.h.

Member Typedef Documentation

using Catalog_Namespace::SysCatalog::GranteeMap = std::map<std::string, Grantee*>
private

Definition at line 305 of file SysCatalog.h.

Definition at line 306 of file SysCatalog.h.

Constructor & Destructor Documentation

Catalog_Namespace::SysCatalog::SysCatalog ( )
inlineprivate

Definition at line 308 of file SysCatalog.h.

310  , aggregator_(false)
311  , sqliteMutex_()
312  , sharedMutex_()
313  , thread_holding_sqlite_lock(std::thread::id())
314  , thread_holding_write_lock(std::thread::id()) {}
std::atomic< std::thread::id > thread_holding_sqlite_lock
Definition: SysCatalog.h:399
mapd_shared_mutex sharedMutex_
Definition: SysCatalog.h:398
CommonFileOperations(std::string const &base_path)
Definition: SysCatalog.h:124
std::atomic< std::thread::id > thread_holding_write_lock
Definition: SysCatalog.h:400
Catalog_Namespace::SysCatalog::~SysCatalog ( )
privatevirtual

Definition at line 150 of file SysCatalog.cpp.

150  {
152  for (auto grantee = granteeMap_.begin(); grantee != granteeMap_.end(); ++grantee) {
153  delete grantee->second;
154  }
155  granteeMap_.clear();
156  for (ObjectRoleDescriptorMap::iterator objectIt = objectDescriptorMap_.begin();
157  objectIt != objectDescriptorMap_.end();) {
158  ObjectRoleDescriptorMap::iterator eraseIt = objectIt++;
159  delete eraseIt->second;
160  }
161  objectDescriptorMap_.clear();
162 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
mapd_unique_lock< mapd_shared_mutex > write_lock

Member Function Documentation

void Catalog_Namespace::SysCatalog::alterUser ( const int32_t  userid,
const std::string *  passwd,
bool *  issuper,
const std::string *  dbname,
bool *  can_login 
)

Definition at line 861 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::append_with_commas, Catalog_Namespace::DBMetadata::dbId, anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), and to_string().

865  {
866  sys_sqlite_lock sqlite_lock(this);
867  sqliteConnector_->query("BEGIN TRANSACTION");
868  try {
869  string sql;
870  std::vector<std::string> values;
871  if (passwd != nullptr) {
872  append_with_commas(sql, "passwd_hash = ?");
873  values.push_back(hash_with_bcrypt(*passwd));
874  }
875  if (issuper != nullptr) {
876  append_with_commas(sql, "issuper = ?");
877  values.push_back(std::to_string(*issuper));
878  }
879  if (dbname != nullptr) {
880  if (!dbname->empty()) {
881  append_with_commas(sql, "default_db = ?");
882  DBMetadata db;
883  if (!SysCatalog::instance().getMetadataForDB(*dbname, db)) {
884  throw runtime_error(string("DEFAULT_DB ") + *dbname + " not found.");
885  }
886  values.push_back(std::to_string(db.dbId));
887  } else {
888  append_with_commas(sql, "default_db = NULL");
889  }
890  }
891  if (can_login != nullptr) {
892  append_with_commas(sql, "can_login = ?");
893  values.push_back(std::to_string(*can_login));
894  }
895 
896  sql = "UPDATE mapd_users SET " + sql + " WHERE userid = ?";
897  values.push_back(std::to_string(userid));
898 
899  sqliteConnector_->query_with_text_params(sql, values);
900  } catch (const std::exception& e) {
901  sqliteConnector_->query("ROLLBACK TRANSACTION");
902  throw;
903  }
904  sqliteConnector_->query("END TRANSACTION");
905 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static SysCatalog & instance()
Definition: SysCatalog.h:288
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:66
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::buildObjectDescriptorMap ( )
private

Definition at line 2191 of file SysCatalog.cpp.

References ObjectRoleDescriptor::dbId, ObjectRoleDescriptor::objectId, ObjectRoleDescriptor::objectName, ObjectRoleDescriptor::objectOwnerId, ObjectRoleDescriptor::objectType, AccessPrivileges::privileges, ObjectRoleDescriptor::privs, ObjectRoleDescriptor::roleName, ObjectRoleDescriptor::roleType, and to_string().

2191  {
2192  sys_write_lock write_lock(this);
2193  sys_sqlite_lock sqlite_lock(this);
2194  string objectQuery(
2195  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
2196  "objectPermissions, objectOwnerId, objectName "
2197  "from mapd_object_permissions");
2198  sqliteConnector_->query(objectQuery);
2199  size_t numRows = sqliteConnector_->getNumRows();
2200  for (size_t r = 0; r < numRows; ++r) {
2202  od->roleName = sqliteConnector_->getData<string>(r, 0);
2203  od->roleType = sqliteConnector_->getData<bool>(r, 1);
2204  od->objectType = sqliteConnector_->getData<int>(r, 2);
2205  od->dbId = sqliteConnector_->getData<int>(r, 3);
2206  od->objectId = sqliteConnector_->getData<int>(r, 4);
2207  od->privs.privileges = sqliteConnector_->getData<int>(r, 5);
2208  od->objectOwnerId = sqliteConnector_->getData<int>(r, 6);
2209  od->objectName = sqliteConnector_->getData<string>(r, 7);
2210  objectDescriptorMap_.insert(ObjectRoleDescriptorMap::value_type(
2211  std::to_string(od->dbId) + ":" + std::to_string(od->objectType) + ":" +
2212  std::to_string(od->objectId),
2213  od));
2214  }
2215 }
specifies the object_roles content in-memory of a row in mapd_object_permissions table ...
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
mapd_unique_lock< mapd_shared_mutex > write_lock
int64_t privileges
Definition: DBObject.h:134

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::buildRoleMap ( )
private

Definition at line 2073 of file SysCatalog.cpp.

References DatabaseDBObjectType, DBObjectKey::fromString(), AccessPrivileges::privileges, and to_upper().

2073  {
2074  sys_write_lock write_lock(this);
2075  sys_sqlite_lock sqlite_lock(this);
2076  string roleQuery(
2077  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
2078  "objectPermissions, objectOwnerId, objectName "
2079  "from mapd_object_permissions");
2080  sqliteConnector_->query(roleQuery);
2081  size_t numRows = sqliteConnector_->getNumRows();
2082  std::vector<std::string> objectKeyStr(4);
2083  DBObjectKey objectKey;
2084  AccessPrivileges privs;
2085  bool userPrivateRole(false);
2086  for (size_t r = 0; r < numRows; ++r) {
2087  std::string roleName = sqliteConnector_->getData<string>(r, 0);
2088  userPrivateRole = sqliteConnector_->getData<bool>(r, 1);
2089  DBObjectType permissionType =
2090  static_cast<DBObjectType>(sqliteConnector_->getData<int>(r, 2));
2091  objectKeyStr[0] = sqliteConnector_->getData<string>(r, 2);
2092  objectKeyStr[1] = sqliteConnector_->getData<string>(r, 3);
2093  objectKeyStr[2] = sqliteConnector_->getData<string>(r, 4);
2094  objectKey = DBObjectKey::fromString(objectKeyStr, permissionType);
2095  privs.privileges = sqliteConnector_->getData<int>(r, 5);
2096  int32_t owner = sqliteConnector_->getData<int>(r, 6);
2097  std::string name = sqliteConnector_->getData<string>(r, 7);
2098 
2099  DBObject dbObject(objectKey, privs, owner);
2100  dbObject.setName(name);
2101  if (-1 == objectKey.objectId) {
2102  dbObject.setObjectType(DBObjectType::DatabaseDBObjectType);
2103  } else {
2104  dbObject.setObjectType(permissionType);
2105  }
2106 
2107  auto* rl = getGrantee(roleName);
2108  if (!rl) {
2109  if (userPrivateRole) {
2110  rl = new User(roleName);
2111  } else {
2112  rl = new Role(roleName);
2113  }
2114  granteeMap_[to_upper(roleName)] = rl;
2115  }
2116  rl->grantPrivileges(dbObject);
2117  }
2118 }
DBObjectType
Definition: DBObject.h:42
std::string name() const
Definition: SysCatalog.h:294
Definition: Grantee.h:70
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static DBObjectKey fromString(const std::vector< std::string > &key, const DBObjectType &type)
Definition: DBObject.cpp:259
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
std::string to_upper(const std::string &str)
mapd_unique_lock< mapd_shared_mutex > write_lock
int64_t privileges
Definition: DBObject.h:134

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::buildUserRoleMap ( )
private

Definition at line 2143 of file SysCatalog.cpp.

References OMNISCI_ROOT_USER.

2143  {
2144  sys_write_lock write_lock(this);
2145  sys_sqlite_lock sqlite_lock(this);
2146  std::vector<std::pair<std::string, std::string>> granteeRooles;
2147  string userRoleQuery("SELECT roleName, userName from mapd_roles");
2148  sqliteConnector_->query(userRoleQuery);
2149  size_t numRows = sqliteConnector_->getNumRows();
2150  for (size_t r = 0; r < numRows; ++r) {
2151  std::string roleName = sqliteConnector_->getData<string>(r, 0);
2152  std::string userName = sqliteConnector_->getData<string>(r, 1);
2153  // required for declared nomenclature before v4.0.0
2154  if ((boost::equals(roleName, "mapd_default_suser_role") &&
2155  boost::equals(userName, OMNISCI_ROOT_USER)) ||
2156  (boost::equals(roleName, "mapd_default_user_role") &&
2157  !boost::equals(userName, "mapd_default_user_role"))) {
2158  // grouprole already exists with roleName==userName in mapd_roles table
2159  // ignore duplicate instances of userRole which exists before v4.0.0
2160  continue;
2161  }
2162  auto* rl = getGrantee(roleName);
2163  if (!rl) {
2164  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2165  " from db not found in the map.");
2166  }
2167  std::pair<std::string, std::string> roleVecElem(roleName, userName);
2168  granteeRooles.push_back(roleVecElem);
2169  }
2170 
2171  for (size_t i = 0; i < granteeRooles.size(); i++) {
2172  std::string roleName = granteeRooles[i].first;
2173  std::string granteeName = granteeRooles[i].second;
2174  auto* grantee = getGrantee(granteeName);
2175  if (!grantee) {
2176  throw runtime_error("Data inconsistency when building role map. Grantee " +
2177  granteeName + " not found in the map.");
2178  }
2179  if (granteeName == roleName) {
2180  continue;
2181  }
2182  Role* rl = dynamic_cast<Role*>(getGrantee(roleName));
2183  if (!rl) {
2184  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2185  " not found in the map.");
2186  }
2187  grantee->grantRole(rl);
2188  }
2189 }
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
const std::string OMNISCI_ROOT_USER
Definition: SysCatalog.h:59
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::changeDBObjectOwnership ( const UserMetadata new_owner,
const UserMetadata previous_owner,
DBObject  object,
const Catalog_Namespace::Catalog catalog,
bool  revoke_privileges = true 
)

Change ownership of a DBObject

Parameters
new_owner- new owner of DBObject
previous_owner- previous owner of DBObject
object- DBObject to change ownership of
catalog- Catalog instance object exists in
revoke_privileges- if true, revoke previous_owner's privileges

Definition at line 1640 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_DATABASE, AccessPrivileges::ALL_SERVER, AccessPrivileges::ALL_TABLE, AccessPrivileges::ALL_VIEW, DashboardDBObjectType, DatabaseDBObjectType, Catalog_Namespace::UserMetadata::isSuper, ServerDBObjectType, TableDBObjectType, UNREACHABLE, Catalog_Namespace::UserMetadata::userId, Catalog_Namespace::UserMetadata::userName, and ViewDBObjectType.

1644  {
1645  sys_write_lock write_lock(this);
1646  sys_sqlite_lock sqlite_lock(this);
1647  object.loadKey(catalog);
1648  switch (object.getType()) {
1649  case TableDBObjectType:
1650  object.setPrivileges(AccessPrivileges::ALL_TABLE);
1651  break;
1652  case DashboardDBObjectType:
1653  object.setPrivileges(AccessPrivileges::ALL_DASHBOARD);
1654  break;
1655  case ServerDBObjectType:
1656  object.setPrivileges(AccessPrivileges::ALL_SERVER);
1657  break;
1658  case DatabaseDBObjectType:
1659  object.setPrivileges(AccessPrivileges::ALL_DATABASE);
1660  break;
1661  case ViewDBObjectType:
1662  object.setPrivileges(AccessPrivileges::ALL_VIEW);
1663  break;
1664  default:
1665  UNREACHABLE(); // unkown object type
1666  break;
1667  }
1668  sqliteConnector_->query("BEGIN TRANSACTION");
1669  try {
1670  if (!new_owner.isSuper) { // no need to grant to suser, has all privs by default
1671  grantDBObjectPrivileges_unsafe(new_owner.userName, object, catalog);
1672  }
1673  if (!previous_owner.isSuper && revoke_privileges) { // no need to revoke from suser
1674  revokeDBObjectPrivileges_unsafe(previous_owner.userName, object, catalog);
1675  }
1676  } catch (std::exception& e) {
1677  sqliteConnector_->query("ROLLBACK TRANSACTION");
1678  throw;
1679  }
1680  sqliteConnector_->query("END TRANSACTION");
1681  object.setOwner(new_owner.userId); // change owner if no exceptions happen
1682 }
static const AccessPrivileges ALL_DATABASE
Definition: DBObject.h:152
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
#define UNREACHABLE()
Definition: Logger.h:241
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
static const AccessPrivileges ALL_VIEW
Definition: DBObject.h:178
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
static const AccessPrivileges ALL_SERVER
Definition: DBObject.h:188
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:170
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:158
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::check_for_session_encryption ( const std::string &  pki_cert,
std::string &  session 
)

Definition at line 764 of file SysCatalog.cpp.

765  {
766  if (!pki_server_->inUse()) {
767  return;
768  }
769  pki_server_->encrypt_session(pki_cert, session);
770 }
std::unique_ptr< PkiServer > pki_server_
Definition: SysCatalog.h:389
void Catalog_Namespace::SysCatalog::checkAndExecuteMigrations ( )
private

Definition at line 202 of file SysCatalog.cpp.

202  {
204  createUserRoles();
207  updateUserSchema(); // must come before updatePasswordsToHashes()
209  updateBlankPasswordsToRandom(); // must come after updatePasswordsToHashes()
211 }
bool Catalog_Namespace::SysCatalog::checkPasswordForUser ( const std::string &  passwd,
std::string &  name,
UserMetadata user 
)

Definition at line 1172 of file SysCatalog.cpp.

1174  {
1175  return checkPasswordForUserImpl(passwd, name, user);
1176 }
std::string name() const
Definition: SysCatalog.h:294
bool checkPasswordForUserImpl(const std::string &passwd, std::string &name, UserMetadata &user)
bool Catalog_Namespace::SysCatalog::checkPasswordForUserImpl ( const std::string &  passwd,
std::string &  name,
UserMetadata user 
)
private

Definition at line 1178 of file SysCatalog.cpp.

References CHECK(), LOG, Catalog_Namespace::UserMetadata::passwd_hash, and logger::WARNING.

1180  {
1181  if (!getMetadataForUser(name, user)) {
1182  // Check password against some fake hash just to waste time so that response times
1183  // for invalid password and invalid user are similar and a caller can't say the
1184  // difference
1185  char fake_hash[BCRYPT_HASHSIZE];
1186  CHECK(bcrypt_gensalt(-1, fake_hash) == 0);
1187  bcrypt_checkpw(passwd.c_str(), fake_hash);
1188  LOG(WARNING) << "Local login failed";
1189  return false;
1190  }
1191  int pwd_check_result = bcrypt_checkpw(passwd.c_str(), user.passwd_hash.c_str());
1192  // if the check fails there is a good chance that data on disc is broken
1193  CHECK(pwd_check_result >= 0);
1194  return pwd_check_result == 0;
1195 }
#define LOG(tag)
Definition: Logger.h:188
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:294
CHECK(cgen_state)

+ Here is the call graph for this function:

bool Catalog_Namespace::SysCatalog::checkPrivileges ( const UserMetadata user,
const std::vector< DBObject > &  privObjects 
) const

Definition at line 1934 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::isSuper, and Catalog_Namespace::UserMetadata::userName.

Referenced by Catalog_Namespace::SessionInfo::checkDBAccessPrivileges().

1935  {
1936  sys_read_lock read_lock(this);
1937  if (user.isSuper) {
1938  return true;
1939  }
1940 
1941  auto* user_rl = instance().getUserGrantee(user.userName);
1942  if (!user_rl) {
1943  throw runtime_error("User " + user.userName + " does not exist.");
1944  }
1945  for (auto& object : privObjects) {
1946  if (!user_rl->checkPrivileges(object)) {
1947  return false;
1948  }
1949  }
1950  return true;
1951 }
static SysCatalog & instance()
Definition: SysCatalog.h:288
User * getUserGrantee(const std::string &name) const
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPrivileges ( const std::string &  userName,
const std::vector< DBObject > &  privObjects 
) const

Definition at line 1953 of file SysCatalog.cpp.

1954  {
1955  UserMetadata user;
1956  if (!instance().getMetadataForUser(userName, user)) {
1957  throw runtime_error("Request to check privileges for user " + userName +
1958  " failed because user with this name does not exist.");
1959  }
1960  return (checkPrivileges(user, privObjects));
1961 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
static SysCatalog & instance()
Definition: SysCatalog.h:288
void Catalog_Namespace::SysCatalog::createDatabase ( const std::string &  dbname,
int  owner 
)

Definition at line 1019 of file SysCatalog.cpp.

References cat(), CHECK(), DatabaseDBObjectType, g_enable_fsi, OMNISCI_ROOT_USER_ID, OMNISCI_SYSTEM_CATALOG, to_string(), to_upper(), and Catalog_Namespace::UserMetadata::userName.

1019  {
1020  sys_write_lock write_lock(this);
1021  sys_sqlite_lock sqlite_lock(this);
1022 
1023  DBMetadata db;
1024  if (getMetadataForDB(name, db)) {
1025  throw runtime_error("Database " + name + " already exists.");
1026  }
1028  throw runtime_error("Database name " + name + " is reserved.");
1029  }
1030 
1031  std::unique_ptr<SqliteConnector> dbConn(
1032  new SqliteConnector(name, basePath_ + "/mapd_catalogs/"));
1033  // NOTE(max): it's okay to run this in a separate transaction. If we fail later
1034  // we delete the database anyways.
1035  // If we run it in the same transaction as SysCatalog functions, then Catalog
1036  // constructor won't find the tables we have just created.
1037  dbConn->query("BEGIN TRANSACTION");
1038  try {
1039  dbConn->query(
1040  "CREATE TABLE mapd_tables (tableid integer primary key, name text unique, userid "
1041  "integer, ncolumns integer, "
1042  "isview boolean, "
1043  "fragments text, frag_type integer, max_frag_rows integer, max_chunk_size "
1044  "bigint, "
1045  "frag_page_size integer, "
1046  "max_rows bigint, partitions text, shard_column_id integer, shard integer, "
1047  "sort_column_id integer default 0, storage_type text default '',"
1048  "num_shards integer, key_metainfo TEXT, version_num "
1049  "BIGINT DEFAULT 1) ");
1050  dbConn->query(
1051  "CREATE TABLE mapd_columns (tableid integer references mapd_tables, columnid "
1052  "integer, name text, coltype "
1053  "integer, colsubtype integer, coldim integer, colscale integer, is_notnull "
1054  "boolean, compression integer, "
1055  "comp_param integer, size integer, chunks text, is_systemcol boolean, "
1056  "is_virtualcol boolean, virtual_expr "
1057  "text, is_deletedcol boolean, version_num BIGINT, "
1058  "primary key(tableid, columnid), unique(tableid, name))");
1059  dbConn->query(
1060  "CREATE TABLE mapd_views (tableid integer references mapd_tables, sql text)");
1061  dbConn->query(
1062  "CREATE TABLE mapd_dashboards (id integer primary key autoincrement, name text , "
1063  "userid integer references mapd_users, state text, image_hash text, update_time "
1064  "timestamp, "
1065  "metadata text, UNIQUE(userid, name) )");
1066  dbConn->query(
1067  "CREATE TABLE mapd_links (linkid integer primary key, userid integer references "
1068  "mapd_users, "
1069  "link text unique, view_state text, update_time timestamp, view_metadata text)");
1070  dbConn->query(
1071  "CREATE TABLE mapd_dictionaries (dictid integer primary key, name text unique, "
1072  "nbits int, is_shared boolean, "
1073  "refcount int, version_num BIGINT DEFAULT 1)");
1074  dbConn->query(
1075  "CREATE TABLE mapd_logical_to_physical(logical_table_id integer, "
1076  "physical_table_id "
1077  "integer)");
1078  dbConn->query("CREATE TABLE mapd_record_ownership_marker (dummy integer)");
1079  dbConn->query_with_text_params(
1080  "INSERT INTO mapd_record_ownership_marker (dummy) VALUES (?1)",
1081  std::vector<std::string>{std::to_string(owner)});
1082 
1083  if (g_enable_fsi) {
1084  dbConn->query(Catalog::getForeignServerSchema());
1085  dbConn->query(Catalog::getForeignTableSchema());
1086  }
1087  } catch (const std::exception&) {
1088  dbConn->query("ROLLBACK TRANSACTION");
1089  boost::filesystem::remove(basePath_ + "/mapd_catalogs/" + name);
1090  throw;
1091  }
1092  dbConn->query("END TRANSACTION");
1093 
1094  std::shared_ptr<Catalog> cat;
1095  // Now update SysCatalog with privileges and the new database
1096  sqliteConnector_->query("BEGIN TRANSACTION");
1097  try {
1098  sqliteConnector_->query_with_text_param(
1099  "INSERT INTO mapd_databases (name, owner) VALUES (?, " + std::to_string(owner) +
1100  ")",
1101  name);
1102  CHECK(getMetadataForDB(name, db));
1104  if (owner != OMNISCI_ROOT_USER_ID) {
1106  object.loadKey(*cat);
1107  UserMetadata user;
1108  CHECK(getMetadataForUserById(owner, user));
1109  grantAllOnDatabase_unsafe(user.userName, object, *cat);
1110  }
1111  } catch (const std::exception&) {
1112  sqliteConnector_->query("ROLLBACK TRANSACTION");
1113  boost::filesystem::remove(basePath_ + "/mapd_catalogs/" + name);
1114  throw;
1115  }
1116  sqliteConnector_->query("END TRANSACTION");
1117 
1118  if (g_enable_fsi) {
1119  try {
1120  cat->createDefaultServersIfNotExists();
1121  } catch (...) {
1122  boost::filesystem::remove(basePath_ + "/mapd_catalogs/" + name);
1123  throw;
1124  }
1125  }
1126 }
std::string cat(Ts &&...args)
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:3658
std::string name() const
Definition: SysCatalog.h:294
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
CHECK(cgen_state)
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
static const std::string getForeignTableSchema(bool if_not_exists=false)
Definition: Catalog.cpp:679
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:386
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
static const std::string getForeignServerSchema(bool if_not_exists=false)
Definition: Catalog.cpp:672
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
std::string to_upper(const std::string &str)
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:392
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:391
mapd_unique_lock< mapd_shared_mutex > write_lock
bool g_enable_fsi
Definition: Catalog.cpp:90
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::createDBObject ( const UserMetadata user,
const std::string &  objectName,
DBObjectType  type,
const Catalog_Namespace::Catalog catalog,
int32_t  objectId = -1 
)

Definition at line 1384 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_DATABASE, AccessPrivileges::ALL_SERVER, AccessPrivileges::ALL_TABLE, DashboardDBObjectType, Catalog_Namespace::UserMetadata::isSuper, ServerDBObjectType, TableDBObjectType, Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

Referenced by CreateForeignServerCommand::execute(), and CreateForeignTableCommand::execute().

1388  {
1389  sys_write_lock write_lock(this);
1390  sys_sqlite_lock sqlite_lock(this);
1391 
1392  DBObject object =
1393  objectId == -1 ? DBObject(objectName, type) : DBObject(objectId, type);
1394  object.loadKey(catalog);
1395  switch (type) {
1396  case TableDBObjectType:
1397  object.setPrivileges(AccessPrivileges::ALL_TABLE);
1398  break;
1399  case DashboardDBObjectType:
1400  object.setPrivileges(AccessPrivileges::ALL_DASHBOARD);
1401  break;
1402  case ServerDBObjectType:
1403  object.setPrivileges(AccessPrivileges::ALL_SERVER);
1404  break;
1405  default:
1406  object.setPrivileges(AccessPrivileges::ALL_DATABASE);
1407  break;
1408  }
1409  object.setOwner(user.userId);
1410  sqliteConnector_->query("BEGIN TRANSACTION");
1411  try {
1412  if (!user.isSuper) { // no need to grant to suser, has all privs by default
1413  grantDBObjectPrivileges_unsafe(user.userName, object, catalog);
1414  auto* grantee = instance().getUserGrantee(user.userName);
1415  if (!grantee) {
1416  throw runtime_error("User " + user.userName + " does not exist.");
1417  }
1418  grantee->grantPrivileges(object);
1419  }
1420  } catch (std::exception& e) {
1421  sqliteConnector_->query("ROLLBACK TRANSACTION");
1422  throw;
1423  }
1424  sqliteConnector_->query("END TRANSACTION");
1425 }
static const AccessPrivileges ALL_DATABASE
Definition: DBObject.h:152
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static SysCatalog & instance()
Definition: SysCatalog.h:288
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
static const AccessPrivileges ALL_SERVER
Definition: DBObject.h:188
User * getUserGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
void loadKey()
Definition: DBObject.cpp:179
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:170
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:158
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createRole ( const std::string &  roleName,
const bool &  userPrivateRole = false 
)

Definition at line 2231 of file SysCatalog.cpp.

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole().

2231  {
2232  execInTransaction(&SysCatalog::createRole_unsafe, roleName, userPrivateRole);
2233 }
void createRole_unsafe(const std::string &roleName, const bool &userPrivateRole=false)
void execInTransaction(F &&f, Args &&...args)

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createRole_unsafe ( const std::string &  roleName,
const bool &  userPrivateRole = false 
)
private

Definition at line 1706 of file SysCatalog.cpp.

References DatabaseDBObjectType, DBObjectKey::dbId, Catalog_Namespace::insertOrUpdateObjectPrivileges(), OMNISCI_DEFAULT_DB, DBObjectKey::permissionType, DBObject::setObjectKey(), and to_upper().

1707  {
1708  sys_write_lock write_lock(this);
1709 
1710  auto* grantee = getGrantee(roleName);
1711  if (grantee) {
1712  throw std::runtime_error("CREATE ROLE " + roleName +
1713  " failed because grantee with this name already exists.");
1714  }
1715  if (userPrivateRole) {
1716  grantee = new User(roleName);
1717  } else {
1718  grantee = new Role(roleName);
1719  }
1720  granteeMap_[to_upper(roleName)] = grantee;
1721 
1722  // NOTE (max): Why create an empty privileges record for a role?
1723  /* grant none privileges to this role and add it to sqlite DB */
1725  DBObjectKey objKey;
1726  // 0 is an id that does not exist
1727  objKey.dbId = 0;
1729  dbObject.setObjectKey(objKey);
1730  grantee->grantPrivileges(dbObject);
1731 
1732  sys_sqlite_lock sqlite_lock(this);
1733  insertOrUpdateObjectPrivileges(sqliteConnector_, roleName, userPrivateRole, dbObject);
1734 }
Definition: Grantee.h:70
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:341
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
std::string to_upper(const std::string &str)
int32_t dbId
Definition: DBObject.h:56
int32_t permissionType
Definition: DBObject.h:55
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::createUser ( const std::string &  name,
const std::string &  passwd,
bool  issuper,
const std::string &  dbname,
bool  can_login 
)

Definition at line 772 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), and to_string().

776  {
778  sys_sqlite_lock sqlite_lock(this);
779 
780  UserMetadata user;
781  if (getMetadataForUser(name, user)) {
782  throw runtime_error("User " + name + " already exists.");
783  }
784  if (getGrantee(name)) {
785  throw runtime_error(
786  "User name " + name +
787  " is same as one of existing grantees. User and role names should be unique.");
788  }
789  sqliteConnector_->query("BEGIN TRANSACTION");
790  try {
791  std::vector<std::string> vals;
792  if (!dbname.empty()) {
793  DBMetadata db;
794  if (!SysCatalog::instance().getMetadataForDB(dbname, db)) {
795  throw runtime_error("DEFAULT_DB " + dbname + " not found.");
796  }
797  vals = {name,
798  hash_with_bcrypt(passwd),
799  std::to_string(issuper),
800  std::to_string(db.dbId),
801  std::to_string(can_login)};
802  sqliteConnector_->query_with_text_params(
803  "INSERT INTO mapd_users (name, passwd_hash, issuper, default_db, can_login) "
804  "VALUES (?, ?, ?, ?, ?)",
805  vals);
806  } else {
807  vals = {name,
808  hash_with_bcrypt(passwd),
809  std::to_string(issuper),
810  std::to_string(can_login)};
811  sqliteConnector_->query_with_text_params(
812  "INSERT INTO mapd_users (name, passwd_hash, issuper, can_login) "
813  "VALUES (?, ?, ?, ?)",
814  vals);
815  }
816  createRole_unsafe(name, true);
817  } catch (const std::exception& e) {
818  sqliteConnector_->query("ROLLBACK TRANSACTION");
819  throw;
820  }
821  sqliteConnector_->query("END TRANSACTION");
822 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:294
void createRole_unsafe(const std::string &roleName, const bool &userPrivateRole=false)
Grantee * getGrantee(const std::string &name) const
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static SysCatalog & instance()
Definition: SysCatalog.h:288
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:66
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
mapd_unique_lock< mapd_shared_mutex > write_lock
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::createUserRoles ( )
private

Definition at line 286 of file SysCatalog.cpp.

References OMNISCI_ROOT_USER.

286  {
287  sys_sqlite_lock sqlite_lock(this);
288  sqliteConnector_->query("BEGIN TRANSACTION");
289  try {
290  sqliteConnector_->query(
291  "SELECT name FROM sqlite_master WHERE type='table' AND name='mapd_roles'");
292  if (sqliteConnector_->getNumRows() != 0) {
293  // already done
294  sqliteConnector_->query("END TRANSACTION");
295  return;
296  }
297  sqliteConnector_->query(
298  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
299  "userName))");
300  // need to account for old conversions where we are building and moving
301  // from pre version 4.0 and 'mapd' was default superuser
302  sqliteConnector_->query("SELECT name FROM mapd_users WHERE name NOT IN ( \'" +
303  OMNISCI_ROOT_USER + "\', 'mapd')");
304  size_t numRows = sqliteConnector_->getNumRows();
305  vector<string> user_names;
306  for (size_t i = 0; i < numRows; ++i) {
307  user_names.push_back(sqliteConnector_->getData<string>(i, 0));
308  }
309  for (const auto& user_name : user_names) {
310  // for each user, create a fake role with the same name
311  sqliteConnector_->query_with_text_params(
312  "INSERT INTO mapd_roles(roleName, userName) VALUES (?, ?)",
313  vector<string>{user_name, user_name});
314  }
315  } catch (const std::exception&) {
316  sqliteConnector_->query("ROLLBACK TRANSACTION");
317  throw;
318  }
319  sqliteConnector_->query("END TRANSACTION");
320 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
const std::string OMNISCI_ROOT_USER
Definition: SysCatalog.h:59
void Catalog_Namespace::SysCatalog::deleteObjectDescriptorMap ( const std::string &  roleName)
private

Definition at line 1881 of file SysCatalog.cpp.

1881  {
1882  sys_write_lock write_lock(this);
1883 
1884  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
1885  if (d->second->roleName == roleName) {
1886  delete d->second;
1887  d = objectDescriptorMap_.erase(d);
1888  } else {
1889  d++;
1890  }
1891  }
1892 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::deleteObjectDescriptorMap ( const std::string &  roleName,
DBObject object,
const Catalog_Namespace::Catalog cat 
)
private

Definition at line 1895 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), and to_string().

1897  {
1898  sys_write_lock write_lock(this);
1899  auto range = objectDescriptorMap_.equal_range(
1900  std::to_string(cat.getCurrentDB().dbId) + ":" +
1901  std::to_string(object.getObjectKey().permissionType) + ":" +
1902  std::to_string(object.getObjectKey().objectId));
1903  for (auto d = range.first; d != range.second;) {
1904  // remove the entry
1905  if (d->second->roleName == roleName) {
1906  delete d->second;
1907  d = objectDescriptorMap_.erase(d);
1908  } else {
1909  d++;
1910  }
1911  }
1912 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
std::string to_string(char const *&&v)
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:194
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropDatabase ( const DBMetadata db)

Definition at line 1128 of file SysCatalog.cpp.

References cat(), DashboardDBObjectType, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, TableDBObjectType, run_benchmark_import::tables, and to_string().

1128  {
1129  sys_write_lock write_lock(this);
1130  sys_sqlite_lock sqlite_lock(this);
1131  auto cat =
1133  sqliteConnector_->query("BEGIN TRANSACTION");
1134  try {
1135  // remove this database ID from any users that have it set as their default database
1136  sqliteConnector_->query_with_text_param(
1137  "UPDATE mapd_users SET default_db = NULL WHERE default_db = ?",
1138  std::to_string(db.dbId));
1139  /* revoke object privileges to all tables of the database being dropped */
1140  const auto tables = cat->getAllTableMetadata();
1141  for (const auto table : tables) {
1142  if (table->shard >= 0) {
1143  // skip shards, they're not standalone tables
1144  continue;
1145  }
1147  DBObject(table->tableName, TableDBObjectType), cat.get());
1148  }
1149  const auto dashboards = cat->getAllDashboardsMetadata();
1150  for (const auto dashboard : dashboards) {
1152  DBObject(dashboard->dashboardId, DashboardDBObjectType), cat.get());
1153  }
1154  /* revoke object privileges to the database being dropped */
1155  for (const auto& grantee : granteeMap_) {
1156  if (grantee.second->hasAnyPrivilegesOnDb(db.dbId, true)) {
1157  revokeAllOnDatabase_unsafe(grantee.second->getName(), db.dbId, grantee.second);
1158  }
1159  }
1160  sqliteConnector_->query_with_text_param("DELETE FROM mapd_databases WHERE dbid = ?",
1161  std::to_string(db.dbId));
1162  cat->eraseDBData();
1163  Catalog::remove(db.dbName);
1164  } catch (const std::exception&) {
1165  sqliteConnector_->query("ROLLBACK TRANSACTION");
1166  throw;
1167  }
1168  sqliteConnector_->query("END TRANSACTION");
1169 }
void revokeAllOnDatabase_unsafe(const std::string &roleName, int32_t dbId, Grantee *grantee)
std::string cat(Ts &&...args)
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:3658
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:386
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
static void remove(const std::string &dbName)
Definition: Catalog.cpp:3693
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:392
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:391
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropRole ( const std::string &  roleName)

Definition at line 2235 of file SysCatalog.cpp.

2235  {
2237 }
void execInTransaction(F &&f, Args &&...args)
void dropRole_unsafe(const std::string &roleName)
void Catalog_Namespace::SysCatalog::dropRole_unsafe ( const std::string &  roleName)
private

Definition at line 1736 of file SysCatalog.cpp.

References to_upper().

1736  {
1737  sys_write_lock write_lock(this);
1738 
1739  // it may very well be a user "role", so keep it generic
1740  auto* rl = getGrantee(roleName);
1741  if (rl) { // admin super user may not exist in roles
1742  delete rl;
1743  }
1744  granteeMap_.erase(to_upper(roleName));
1745 
1746  sys_sqlite_lock sqlite_lock(this);
1747  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE roleName = ?",
1748  roleName);
1749  sqliteConnector_->query_with_text_param(
1750  "DELETE FROM mapd_object_permissions WHERE roleName = ?", roleName);
1751 }
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
std::string to_upper(const std::string &str)
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropUser ( const std::string &  name)

Definition at line 824 of file SysCatalog.cpp.

References to_string(), and Catalog_Namespace::UserMetadata::userId.

824  {
826  sys_sqlite_lock sqlite_lock(this);
827 
828  sqliteConnector_->query("BEGIN TRANSACTION");
829  try {
830  UserMetadata user;
831  if (!getMetadataForUser(name, user)) {
832  throw runtime_error("User " + name + " does not exist.");
833  }
836  const std::string& roleName(name);
837  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE userName = ?",
838  roleName);
839  sqliteConnector_->query("DELETE FROM mapd_users WHERE userid = " +
840  std::to_string(user.userId));
841  sqliteConnector_->query("DELETE FROM mapd_privileges WHERE userid = " +
842  std::to_string(user.userId));
843  } catch (const std::exception& e) {
844  sqliteConnector_->query("ROLLBACK TRANSACTION");
845  throw;
846  }
847  sqliteConnector_->query("END TRANSACTION");
848 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:294
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
void deleteObjectDescriptorMap(const std::string &roleName)
mapd_unique_lock< mapd_shared_mutex > write_lock
void dropRole_unsafe(const std::string &roleName)

+ Here is the call graph for this function:

template<typename F , typename... Args>
void Catalog_Namespace::SysCatalog::execInTransaction ( F &&  f,
Args &&...  args 
)
private

Definition at line 2218 of file SysCatalog.cpp.

References run_benchmark_import::args.

2218  {
2219  sys_write_lock write_lock(this);
2220  sys_sqlite_lock sqlite_lock(this);
2221  sqliteConnector_->query("BEGIN TRANSACTION");
2222  try {
2223  (this->*f)(std::forward<Args>(args)...);
2224  } catch (std::exception&) {
2225  sqliteConnector_->query("ROLLBACK TRANSACTION");
2226  throw;
2227  }
2228  sqliteConnector_->query("END TRANSACTION");
2229 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
mapd_unique_lock< mapd_shared_mutex > write_lock
list< DBMetadata > Catalog_Namespace::SysCatalog::getAllDBMetadata ( )

Definition at line 1236 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, and Catalog_Namespace::DBMetadata::dbOwner.

1236  {
1237  sys_sqlite_lock sqlite_lock(this);
1238  sqliteConnector_->query("SELECT dbid, name, owner FROM mapd_databases");
1239  int numRows = sqliteConnector_->getNumRows();
1240  list<DBMetadata> db_list;
1241  for (int r = 0; r < numRows; ++r) {
1242  DBMetadata db;
1243  db.dbId = sqliteConnector_->getData<int>(r, 0);
1244  db.dbName = sqliteConnector_->getData<string>(r, 1);
1245  db.dbOwner = sqliteConnector_->getData<int>(r, 2);
1246  db_list.push_back(db);
1247  }
1248  return db_list;
1249 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
list< UserMetadata > Catalog_Namespace::SysCatalog::getAllUserMetadata ( )

Definition at line 1292 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users().

1292  {
1293  sys_sqlite_lock sqlite_lock(this);
1294  return get_users(sqliteConnector_);
1295 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
auto get_users(std::unique_ptr< SqliteConnector > &sqliteConnector, const int32_t dbId=-1)

+ Here is the call graph for this function:

list< UserMetadata > Catalog_Namespace::SysCatalog::getAllUserMetadata ( const int64_t  dbId)

return the users associated with the given DB

Definition at line 1285 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users().

1285  {
1286  // this call is to return users that have some form of permissions to objects in the db
1287  // sadly mapd_object_permissions table is also misused to manage user roles.
1288  sys_sqlite_lock sqlite_lock(this);
1289  return get_users(sqliteConnector_, dbId);
1290 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
auto get_users(std::unique_ptr< SqliteConnector > &sqliteConnector, const int32_t dbId=-1)

+ Here is the call graph for this function:

const std::string& Catalog_Namespace::SysCatalog::getBasePath ( ) const
inline

Definition at line 191 of file SysCatalog.h.

References basePath_.

191 { return basePath_; }
Calcite& Catalog_Namespace::SysCatalog::getCalciteMgr ( ) const
inline

Definition at line 190 of file SysCatalog.h.

References calciteMgr_.

190 { return *calciteMgr_; }
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:391
DBSummaryList Catalog_Namespace::SysCatalog::getDatabaseListForUser ( const UserMetadata user)

Definition at line 1360 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, DatabaseDBObjectType, Catalog_Namespace::DBSummary::dbName, DBObject::loadKey(), and DBObject::setPrivileges().

Referenced by ShowDatabasesCommand::execute().

1360  {
1361  DBSummaryList ret;
1362 
1363  std::list<Catalog_Namespace::DBMetadata> db_list = getAllDBMetadata();
1364  std::list<Catalog_Namespace::UserMetadata> user_list = getAllUserMetadata();
1365 
1366  for (auto d : db_list) {
1367  DBObject dbObject(d.dbName, DatabaseDBObjectType);
1368  dbObject.loadKey();
1369  dbObject.setPrivileges(AccessPrivileges::ACCESS);
1370  if (!checkPrivileges(user, std::vector<DBObject>{dbObject})) {
1371  continue;
1372  }
1373  for (auto u : user_list) {
1374  if (d.dbOwner == u.userId) {
1375  ret.emplace_back(DBSummary{d.dbName, u.userName});
1376  break;
1377  }
1378  }
1379  }
1380 
1381  return ret;
1382 }
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
std::list< UserMetadata > getAllUserMetadata()
std::list< DBMetadata > getAllDBMetadata()
static const AccessPrivileges ACCESS
Definition: DBObject.h:154
std::list< DBSummary > DBSummaryList
Definition: SysCatalog.h:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Data_Namespace::DataMgr& Catalog_Namespace::SysCatalog::getDataMgr ( ) const
inline

Definition at line 189 of file SysCatalog.h.

References dataMgr_.

Referenced by Executor::clearMemory(), and Executor::interrupt().

189 { return *dataMgr_; }
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:386

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::getDBObjectPrivileges ( const std::string &  granteeName,
DBObject object,
const Catalog_Namespace::Catalog catalog 
) const

Definition at line 1684 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::isSuper.

1686  {
1687  sys_read_lock read_lock(this);
1688  UserMetadata user_meta;
1689 
1690  if (instance().getMetadataForUser(granteeName, user_meta)) {
1691  if (user_meta.isSuper) {
1692  throw runtime_error(
1693  "Request to show privileges from " + granteeName +
1694  " failed because user is super user and has all privileges by default.");
1695  }
1696  }
1697  auto* grantee = instance().getGrantee(granteeName);
1698  if (!grantee) {
1699  throw runtime_error("Request to show privileges for " + granteeName +
1700  " failed because role or user with this name does not exist.");
1701  }
1702  object.loadKey(catalog);
1703  grantee->getPrivileges(object, true);
1704 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
static SysCatalog & instance()
Definition: SysCatalog.h:288
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110
Grantee * Catalog_Namespace::SysCatalog::getGrantee ( const std::string &  name) const

Definition at line 1963 of file SysCatalog.cpp.

References to_upper().

Referenced by Catalog_Namespace::Catalog::renameTable().

1963  {
1964  sys_read_lock read_lock(this);
1965  auto grantee = granteeMap_.find(to_upper(name));
1966  if (grantee == granteeMap_.end()) { // check to make sure role exists
1967  return nullptr;
1968  }
1969  return grantee->second; // returns pointer to role
1970 }
std::string name() const
Definition: SysCatalog.h:294
std::string to_upper(const std::string &str)
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::unordered_map< std::string, std::vector< std::string > > Catalog_Namespace::SysCatalog::getGranteesOfSharedDashboards ( const std::vector< std::string > &  dashboard_ids)

Definition at line 2356 of file SysCatalog.cpp.

References DashboardDBObjectType, num_rows, and to_string().

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles().

2356  {
2357  sys_sqlite_lock sqlite_lock(this);
2358  std::unordered_map<std::string, std::vector<std::string>> active_grantees;
2359  sqliteConnector_->query("BEGIN TRANSACTION");
2360  try {
2361  for (auto dash : dashboard_ids) {
2362  std::vector<std::string> grantees = {};
2363  sqliteConnector_->query_with_text_params(
2364  "SELECT roleName FROM mapd_object_permissions WHERE objectPermissions NOT IN "
2365  "(0,1) AND objectPermissionsType = ? AND objectId = ?",
2366  std::vector<std::string>{
2367  std::to_string(static_cast<int32_t>(DashboardDBObjectType)), dash});
2368  int num_rows = sqliteConnector_->getNumRows();
2369  if (num_rows == 0) {
2370  // no grantees
2371  continue;
2372  } else {
2373  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
2374  grantees.push_back(sqliteConnector_->getData<string>(i, 0));
2375  }
2376  active_grantees[dash] = grantees;
2377  }
2378  }
2379  } catch (const std::exception& e) {
2380  sqliteConnector_->query("ROLLBACK TRANSACTION");
2381  throw;
2382  }
2383  sqliteConnector_->query("END TRANSACTION");
2384  return active_grantees;
2385 }
const int8_t const int64_t * num_rows
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForDB ( const std::string &  name,
DBMetadata db 
)

Definition at line 1331 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, and Catalog_Namespace::DBMetadata::dbOwner.

1331  {
1332  sys_sqlite_lock sqlite_lock(this);
1333  sqliteConnector_->query_with_text_param(
1334  "SELECT dbid, name, owner FROM mapd_databases WHERE name = ?", name);
1335  int numRows = sqliteConnector_->getNumRows();
1336  if (numRows == 0) {
1337  return false;
1338  }
1339  db.dbId = sqliteConnector_->getData<int>(0, 0);
1340  db.dbName = sqliteConnector_->getData<string>(0, 1);
1341  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1342  return true;
1343 }
std::string name() const
Definition: SysCatalog.h:294
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
bool Catalog_Namespace::SysCatalog::getMetadataForDBById ( const int32_t  idIn,
DBMetadata db 
)

Definition at line 1345 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, and to_string().

1345  {
1346  sys_sqlite_lock sqlite_lock(this);
1347  sqliteConnector_->query_with_text_param(
1348  "SELECT dbid, name, owner FROM mapd_databases WHERE dbid = ?",
1349  std::to_string(idIn));
1350  int numRows = sqliteConnector_->getNumRows();
1351  if (numRows == 0) {
1352  return false;
1353  }
1354  db.dbId = sqliteConnector_->getData<int>(0, 0);
1355  db.dbName = sqliteConnector_->getData<string>(0, 1);
1356  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1357  return true;
1358 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

std::vector< ObjectRoleDescriptor * > Catalog_Namespace::SysCatalog::getMetadataForObject ( int32_t  dbId,
int32_t  dbType,
int32_t  objectId 
) const

Definition at line 1981 of file SysCatalog.cpp.

References to_string().

Referenced by Catalog_Namespace::Catalog::renameTable().

1981  {
1982  sys_read_lock read_lock(this);
1983  std::vector<ObjectRoleDescriptor*> objectsList;
1984 
1985  auto range = objectDescriptorMap_.equal_range(std::to_string(dbId) + ":" +
1986  std::to_string(dbType) + ":" +
1987  std::to_string(objectId));
1988  for (auto d = range.first; d != range.second; ++d) {
1989  objectsList.push_back(d->second);
1990  }
1991  return objectsList; // return pointers to objects
1992 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
std::string to_string(char const *&&v)
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForUser ( const std::string &  name,
UserMetadata user 
)

Definition at line 1218 of file SysCatalog.cpp.

References Catalog_Namespace::parseUserMetadataFromSQLite().

1218  {
1219  sys_sqlite_lock sqlite_lock(this);
1220  sqliteConnector_->query_with_text_param(
1221  "SELECT userid, name, passwd_hash, issuper, default_db, can_login FROM mapd_users "
1222  "WHERE name = ?",
1223  name);
1225 }
std::string name() const
Definition: SysCatalog.h:294
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static bool parseUserMetadataFromSQLite(const std::unique_ptr< SqliteConnector > &conn, UserMetadata &user)
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForUserById ( const int32_t  idIn,
UserMetadata user 
)

Definition at line 1227 of file SysCatalog.cpp.

References Catalog_Namespace::parseUserMetadataFromSQLite(), and to_string().

1227  {
1228  sys_sqlite_lock sqlite_lock(this);
1229  sqliteConnector_->query_with_text_param(
1230  "SELECT userid, name, passwd_hash, issuper, default_db, can_login FROM mapd_users "
1231  "WHERE userid = ?",
1232  std::to_string(idIn));
1234 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static bool parseUserMetadataFromSQLite(const std::unique_ptr< SqliteConnector > &conn, UserMetadata &user)
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::getMetadataWithDefaultDB ( std::string &  dbname,
const std::string &  username,
Catalog_Namespace::DBMetadata db_meta,
UserMetadata user_meta 
)

Definition at line 1297 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::UserMetadata::defaultDbId, OMNISCI_DEFAULT_DB, to_string(), Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

1300  {
1301  if (!getMetadataForUser(username, user_meta)) {
1302  throw std::runtime_error("Invalid credentials.");
1303  }
1304 
1305  if (!dbname.empty()) {
1306  if (!getMetadataForDB(dbname, db_meta)) {
1307  throw std::runtime_error("Database name " + dbname + " does not exist.");
1308  }
1309  // loaded the requested database
1310  } else {
1311  if (user_meta.defaultDbId != -1) {
1312  if (!getMetadataForDBById(user_meta.defaultDbId, db_meta)) {
1313  throw std::runtime_error(
1314  "Server error: User #" + std::to_string(user_meta.userId) + " " +
1315  user_meta.userName + " has invalid default_db #" +
1316  std::to_string(user_meta.defaultDbId) + " which does not exist.");
1317  }
1318  dbname = db_meta.dbName;
1319  // loaded the user's default database
1320  } else {
1321  if (!getMetadataForDB(OMNISCI_DEFAULT_DB, db_meta)) {
1322  throw std::runtime_error(std::string("Database ") + OMNISCI_DEFAULT_DB +
1323  " does not exist.");
1324  }
1325  dbname = OMNISCI_DEFAULT_DB;
1326  // loaded the mapd database by default
1327  }
1328  }
1329 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string to_string(char const *&&v)
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
bool getMetadataForDBById(const int32_t idIn, DBMetadata &db)
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

Role * Catalog_Namespace::SysCatalog::getRoleGrantee ( const std::string &  name) const

Definition at line 1972 of file SysCatalog.cpp.

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles(), and Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole().

1972  {
1973  return dynamic_cast<Role*>(getGrantee(name));
1974 }
std::string name() const
Definition: SysCatalog.h:294
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:76

+ Here is the caller graph for this function:

std::vector< std::string > Catalog_Namespace::SysCatalog::getRoles ( bool  userPrivateRole,
bool  isSuper,
const std::string &  userName 
)

Definition at line 2041 of file SysCatalog.cpp.

2043  {
2044  sys_read_lock read_lock(this);
2045  std::vector<std::string> roles;
2046  for (auto& grantee : granteeMap_) {
2047  if (!userPrivateRole && grantee.second->isUser()) {
2048  continue;
2049  }
2050  if (!isSuper && !isRoleGrantedToGrantee(userName, grantee.second->getName(), false)) {
2051  continue;
2052  }
2053  if (isDashboardSystemRole(grantee.second->getName())) {
2054  continue;
2055  }
2056  roles.push_back(grantee.second->getName());
2057  }
2058  return roles;
2059 }
bool isDashboardSystemRole(const std::string &roleName)
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110
std::vector< std::string > Catalog_Namespace::SysCatalog::getRoles ( const std::string &  userName,
const int32_t  dbId 
)

Definition at line 2020 of file SysCatalog.cpp.

References to_string().

2021  {
2022  sys_sqlite_lock sqlite_lock(this);
2023  std::string sql =
2024  "SELECT DISTINCT roleName FROM mapd_object_permissions WHERE "
2025  "objectPermissions<>0 "
2026  "AND roleType=0 AND dbId=" +
2027  std::to_string(dbId);
2028  sqliteConnector_->query(sql);
2029  int numRows = sqliteConnector_->getNumRows();
2030  std::vector<std::string> roles(0);
2031  for (int r = 0; r < numRows; ++r) {
2032  auto roleName = sqliteConnector_->getData<string>(r, 0);
2033  if (isRoleGrantedToGrantee(userName, roleName, false) &&
2034  !isDashboardSystemRole(roleName)) {
2035  roles.push_back(roleName);
2036  }
2037  }
2038  return roles;
2039 }
bool isDashboardSystemRole(const std::string &roleName)
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const

+ Here is the call graph for this function:

SqliteConnector* Catalog_Namespace::SysCatalog::getSqliteConnector ( )
inline

Definition at line 192 of file SysCatalog.h.

References sqliteConnector_.

192 { return sqliteConnector_.get(); }
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
User * Catalog_Namespace::SysCatalog::getUserGrantee ( const std::string &  name) const

Definition at line 1976 of file SysCatalog.cpp.

1976  {
1977  return dynamic_cast<User*>(getGrantee(name));
1978 }
std::string name() const
Definition: SysCatalog.h:294
Definition: Grantee.h:70
Grantee * getGrantee(const std::string &name) const
void Catalog_Namespace::SysCatalog::grantAllOnDatabase_unsafe ( const std::string &  roleName,
DBObject object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1499 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_SERVER, AccessPrivileges::ALL_TABLE, AccessPrivileges::ALL_VIEW, DashboardDBObjectType, DatabaseDBObjectType, g_enable_fsi, ServerDBObjectType, DBObject::setPermissionType(), DBObject::setPrivileges(), TableDBObjectType, AccessPrivileges::VIEW_SQL_EDITOR, and ViewDBObjectType.

1501  {
1502  // It's a separate use case because it's easier for implementation to convert ALL ON
1503  // DATABASE into ALL ON DASHBOARDS, ALL ON VIEWS and ALL ON TABLES
1504  // Add DB Access privileges
1505  DBObject tmp_object = object;
1508  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1511  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1514  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1516  tmp_object.setPermissionType(ViewDBObjectType);
1517  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1518 
1519  if (g_enable_fsi) {
1522  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1523  }
1524 
1527  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
1528  return;
1529 }
static const AccessPrivileges VIEW_SQL_EDITOR
Definition: DBObject.h:153
void setPrivileges(const AccessPrivileges &privs)
Definition: DBObject.h:217
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
static const AccessPrivileges ALL_VIEW
Definition: DBObject.h:178
void setPermissionType(const DBObjectType &permissionType)
Definition: DBObject.cpp:149
static const AccessPrivileges ALL_SERVER
Definition: DBObject.h:188
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:170
static const AccessPrivileges ACCESS
Definition: DBObject.h:154
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:158
bool g_enable_fsi
Definition: Catalog.cpp:90

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivileges ( const std::string &  grantee,
const DBObject object,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2257 of file SysCatalog.cpp.

2259  {
2261  &SysCatalog::grantDBObjectPrivileges_unsafe, grantee, object, catalog);
2262 }
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)
void Catalog_Namespace::SysCatalog::grantDBObjectPrivileges_unsafe ( const std::string &  granteeName,
const DBObject  object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1462 of file SysCatalog.cpp.

References DatabasePrivileges::ALL, DatabaseDBObjectType, Catalog_Namespace::insertOrUpdateObjectPrivileges(), and Catalog_Namespace::UserMetadata::isSuper.

1465  {
1466  object.loadKey(catalog);
1467  if (object.getPrivileges().hasPermission(DatabasePrivileges::ALL) &&
1468  object.getObjectKey().permissionType == DatabaseDBObjectType) {
1469  return grantAllOnDatabase_unsafe(granteeName, object, catalog);
1470  }
1471 
1472  sys_write_lock write_lock(this);
1473 
1474  UserMetadata user_meta;
1475  if (instance().getMetadataForUser(granteeName, user_meta)) {
1476  if (user_meta.isSuper) {
1477  // super doesn't have explicit privileges so nothing to do
1478  return;
1479  }
1480  }
1481  auto* grantee = instance().getGrantee(granteeName);
1482  if (!grantee) {
1483  throw runtime_error("Request to grant privileges to " + granteeName +
1484  " failed because role or user with this name does not exist.");
1485  }
1486  grantee->grantPrivileges(object);
1487 
1488  /* apply grant privileges statement to sqlite DB */
1489  std::vector<std::string> objectKey = object.toString();
1490  object.resetPrivileges();
1491  grantee->getPrivileges(object, true);
1492 
1493  sys_sqlite_lock sqlite_lock(this);
1495  sqliteConnector_, granteeName, grantee->isUser(), object);
1496  updateObjectDescriptorMap(granteeName, object, grantee->isUser(), catalog);
1497 }
static const int32_t ALL
Definition: DBObject.h:79
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:341
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static SysCatalog & instance()
Definition: SysCatalog.h:288
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
void updateObjectDescriptorMap(const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivilegesBatch ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2264 of file SysCatalog.cpp.

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole().

2266  {
2268  &SysCatalog::grantDBObjectPrivilegesBatch_unsafe, grantees, objects, catalog);
2269 }
void grantDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivilegesBatch_unsafe ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1450 of file SysCatalog.cpp.

1453  {
1454  for (const auto& grantee : grantees) {
1455  for (const auto& object : objects) {
1456  grantDBObjectPrivileges_unsafe(grantee, object, catalog);
1457  }
1458  }
1459 }
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
void Catalog_Namespace::SysCatalog::grantDefaultPrivilegesToRole_unsafe ( const std::string &  name,
bool  issuper 
)
private
void Catalog_Namespace::SysCatalog::grantRole ( const std::string &  role,
const std::string &  grantee 
)

Definition at line 2244 of file SysCatalog.cpp.

2244  {
2246 }
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName)
void execInTransaction(F &&f, Args &&...args)
void Catalog_Namespace::SysCatalog::grantRole_unsafe ( const std::string &  roleName,
const std::string &  granteeName 
)
private

Definition at line 1763 of file SysCatalog.cpp.

1764  {
1765  auto* rl = getRoleGrantee(roleName);
1766  if (!rl) {
1767  throw runtime_error("Request to grant role " + roleName +
1768  " failed because role with this name does not exist.");
1769  }
1770  auto* grantee = getGrantee(granteeName);
1771  if (!grantee) {
1772  throw runtime_error("Request to grant role " + roleName + " failed because grantee " +
1773  granteeName + " does not exist.");
1774  }
1775  sys_write_lock write_lock(this);
1776  if (!grantee->hasRole(rl, true)) {
1777  grantee->grantRole(rl);
1778  sys_sqlite_lock sqlite_lock(this);
1779  sqliteConnector_->query_with_text_params(
1780  "INSERT INTO mapd_roles(roleName, userName) VALUES (?, ?)",
1781  std::vector<std::string>{rl->getName(), grantee->getName()});
1782  }
1783 }
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
Role * getRoleGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::grantRoleBatch ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)

Definition at line 2239 of file SysCatalog.cpp.

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles().

2240  {
2242 }
void grantRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
void execInTransaction(F &&f, Args &&...args)

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantRoleBatch_unsafe ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)
private

Definition at line 1753 of file SysCatalog.cpp.

1754  {
1755  for (const auto& role : roles) {
1756  for (const auto& grantee : grantees) {
1757  grantRole_unsafe(role, grantee);
1758  }
1759  }
1760 }
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName)
bool Catalog_Namespace::SysCatalog::hasAnyPrivileges ( const UserMetadata user,
std::vector< DBObject > &  privObjects 
)

Definition at line 1914 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::isSuper, and Catalog_Namespace::UserMetadata::userName.

1915  {
1916  sys_read_lock read_lock(this);
1917  if (user.isSuper) {
1918  return true;
1919  }
1920  auto* user_rl = instance().getUserGrantee(user.userName);
1921  if (!user_rl) {
1922  throw runtime_error("User " + user.userName + " does not exist.");
1923  }
1924  for (std::vector<DBObject>::iterator objectIt = privObjects.begin();
1925  objectIt != privObjects.end();
1926  ++objectIt) {
1927  if (!user_rl->hasAnyPrivileges(*objectIt, false)) {
1928  return false;
1929  }
1930  }
1931  return true;
1932 }
static SysCatalog & instance()
Definition: SysCatalog.h:288
User * getUserGrantee(const std::string &name) const
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110
void Catalog_Namespace::SysCatalog::importDataFromOldMapdDB ( )
private

Definition at line 237 of file SysCatalog.cpp.

References logger::ERROR, logger::INFO, LOG, and OMNISCI_SYSTEM_CATALOG.

237  {
238  sys_sqlite_lock sqlite_lock(this);
239  std::string mapd_db_path = basePath_ + "/mapd_catalogs/mapd";
240  sqliteConnector_->query("ATTACH DATABASE `" + mapd_db_path + "` as old_cat");
241  sqliteConnector_->query("BEGIN TRANSACTION");
242  LOG(INFO) << "Moving global metadata into a separate catalog";
243  try {
244  auto moveTableIfExists = [conn = sqliteConnector_.get()](const std::string& tableName,
245  bool deleteOld = true) {
246  conn->query("SELECT sql FROM old_cat.sqlite_master WHERE type='table' AND name='" +
247  tableName + "'");
248  if (conn->getNumRows() != 0) {
249  conn->query(conn->getData<string>(0, 0));
250  conn->query("INSERT INTO " + tableName + " SELECT * FROM old_cat." + tableName);
251  if (deleteOld) {
252  conn->query("DROP TABLE old_cat." + tableName);
253  }
254  }
255  };
256  moveTableIfExists("mapd_users");
257  moveTableIfExists("mapd_databases");
258  moveTableIfExists("mapd_roles");
259  moveTableIfExists("mapd_object_permissions");
260  moveTableIfExists("mapd_privileges");
261  moveTableIfExists("mapd_version_history", false);
262  } catch (const std::exception& e) {
263  LOG(ERROR) << "Failed to move global metadata into a separate catalog: " << e.what();
264  sqliteConnector_->query("ROLLBACK TRANSACTION");
265  try {
266  sqliteConnector_->query("DETACH DATABASE old_cat");
267  } catch (const std::exception&) {
268  // nothing to do here
269  }
270  throw;
271  }
272  sqliteConnector_->query("END TRANSACTION");
273  const std::string sys_catalog_path =
274  basePath_ + "/mapd_catalogs/" + OMNISCI_SYSTEM_CATALOG;
275  LOG(INFO) << "Global metadata has been successfully moved into a separate catalog: "
276  << sys_catalog_path
277  << ". Using this database with an older version of omnisci_server "
278  "is now impossible.";
279  try {
280  sqliteConnector_->query("DETACH DATABASE old_cat");
281  } catch (const std::exception&) {
282  // nothing to do here
283  }
284 }
#define LOG(tag)
Definition: Logger.h:188
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
void Catalog_Namespace::SysCatalog::init ( const std::string &  basePath,
std::shared_ptr< Data_Namespace::DataMgr dataMgr,
const AuthMetadata authMetadata,
std::shared_ptr< Calcite calcite,
bool  is_new_db,
bool  aggregator,
const std::vector< LeafHostInfo > &  string_dict_hosts 
)

Definition at line 112 of file SysCatalog.cpp.

References OMNISCI_SYSTEM_CATALOG.

118  {
119  {
121  sys_sqlite_lock sqlite_lock(this);
122 
123  basePath_ = basePath;
124  dataMgr_ = dataMgr;
125  authMetadata_ = &authMetadata;
128  pki_server_.reset(new PkiServer(*authMetadata_));
129  calciteMgr_ = calcite;
130  string_dict_hosts_ = string_dict_hosts;
131  aggregator_ = aggregator;
132  bool db_exists =
133  boost::filesystem::exists(basePath_ + "/mapd_catalogs/" + OMNISCI_SYSTEM_CATALOG);
134  sqliteConnector_.reset(
135  new SqliteConnector(OMNISCI_SYSTEM_CATALOG, basePath_ + "/mapd_catalogs/"));
136  if (is_new_db) {
137  initDB();
138  } else {
139  if (!db_exists) {
141  }
143  }
144  buildRoleMap();
147  }
148 }
std::unique_ptr< LdapServer > ldap_server_
Definition: SysCatalog.h:387
std::unique_ptr< RestServer > rest_server_
Definition: SysCatalog.h:388
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
std::unique_ptr< PkiServer > pki_server_
Definition: SysCatalog.h:389
const AuthMetadata * authMetadata_
Definition: SysCatalog.h:390
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:386
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:392
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:391
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::initDB ( )
private

Definition at line 164 of file SysCatalog.cpp.

References anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), OMNISCI_DEFAULT_DB, OMNISCI_ROOT_PASSWD_DEFAULT, OMNISCI_ROOT_USER, OMNISCI_ROOT_USER_ID, and OMNISCI_ROOT_USER_ID_STR.

164  {
165  sys_sqlite_lock sqlite_lock(this);
166  sqliteConnector_->query("BEGIN TRANSACTION");
167  try {
168  sqliteConnector_->query(
169  "CREATE TABLE mapd_users (userid integer primary key, name text unique, "
170  "passwd_hash text, issuper boolean, default_db integer references "
171  "mapd_databases, can_login boolean)");
172  sqliteConnector_->query_with_text_params(
173  "INSERT INTO mapd_users VALUES (?, ?, ?, 1, NULL, 1)",
174  std::vector<std::string>{OMNISCI_ROOT_USER_ID_STR,
177  sqliteConnector_->query(
178  "CREATE TABLE mapd_databases (dbid integer primary key, name text unique, owner "
179  "integer references mapd_users)");
180  sqliteConnector_->query(
181  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
182  "userName))");
183  sqliteConnector_->query(
184  "CREATE TABLE mapd_object_permissions ("
185  "roleName text, "
186  "roleType bool, "
187  "dbId integer references mapd_databases, "
188  "objectName text, "
189  "objectId integer, "
190  "objectPermissionsType integer, "
191  "objectPermissions integer, "
192  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
193  "objectId))");
194  } catch (const std::exception&) {
195  sqliteConnector_->query("ROLLBACK TRANSACTION");
196  throw;
197  }
198  sqliteConnector_->query("END TRANSACTION");
200 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:66
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
const std::string OMNISCI_ROOT_USER
Definition: SysCatalog.h:59
const std::string OMNISCI_ROOT_PASSWD_DEFAULT
Definition: SysCatalog.h:62
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
const std::string OMNISCI_ROOT_USER_ID_STR
Definition: SysCatalog.h:61
void createDatabase(const std::string &dbname, int owner)

+ Here is the call graph for this function:

static SysCatalog& Catalog_Namespace::SysCatalog::instance ( )
inlinestatic

Definition at line 288 of file SysCatalog.h.

Referenced by AlterForeignServerCommand::changeForeignServerOwner(), Catalog_Namespace::SessionInfo::checkDBAccessPrivileges(), checkPermissionForTables(), QueryRunner::QueryRunner::clearCpuMemory(), QueryRunner::QueryRunner::clearGpuMemory(), Executor::clearMemory(), Catalog_Namespace::Catalog::createDashboardSystemRoles(), Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), EmbeddedDatabase::DBEngineImpl::DBEngineImpl(), Catalog_Namespace::Catalog::deleteMetadataForDashboards(), Catalog_Namespace::Catalog::doTruncateTable(), Catalog_Namespace::Catalog::dropFsiSchemasAndTables(), Catalog_Namespace::Catalog::dropTable(), CreateForeignServerCommand::execute(), DropForeignServerCommand::execute(), CreateForeignTableCommand::execute(), ShowDatabasesCommand::execute(), QueryRunner::QueryRunner::getExecutor(), Catalog_Namespace::Catalog::getForeignServersForUser(), QueryRunner::QueryRunner::getParsedQueryHintofQuery(), Catalog_Namespace::Catalog::getTableNamesForUser(), Catalog_Namespace::anonymous_namespace{Catalog.cpp}::getUserFromId(), Executor::interrupt(), DBObject::loadKey(), main(), QueryRunner::QueryRunner::QueryRunner(), Catalog_Namespace::Catalog::recordOwnershipOfObjectsInObjectPermissions(), Catalog_Namespace::Catalog::removeTableFromMap(), AlterForeignServerCommand::renameForeignServer(), Catalog_Namespace::Catalog::renameTable(), QueryRunner::QueryRunner::runDDLStatement(), QueryRunner::QueryRunner::runSelectQuery(), QueryRunner::QueryRunner::runSQL(), and QueryRunner::QueryRunner::runSQLWithAllowingInterrupt().

288  {
289  static SysCatalog sys_cat{};
290  return sys_cat;
291  }

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::isAggregator ( ) const
inline

Definition at line 287 of file SysCatalog.h.

References aggregator_.

287 { return aggregator_; }
bool Catalog_Namespace::SysCatalog::isDashboardSystemRole ( const std::string &  roleName)
private

Definition at line 2016 of file SysCatalog.cpp.

References SYSTEM_ROLE_TAG().

2016  {
2017  return boost::algorithm::ends_with(roleName, SYSTEM_ROLE_TAG);
2018 }
static const std::string SYSTEM_ROLE_TAG("#dash_system_role")
specifies the content in-memory of a row in the dashboard

+ Here is the call graph for this function:

bool Catalog_Namespace::SysCatalog::isRoleGrantedToGrantee ( const std::string &  granteeName,
const std::string &  roleName,
bool  only_direct 
) const

Definition at line 1994 of file SysCatalog.cpp.

References CHECK().

1996  {
1997  sys_read_lock read_lock(this);
1998  if (roleName == granteeName) {
1999  return true;
2000  }
2001  bool is_role_granted = false;
2002  auto* target_role = instance().getRoleGrantee(roleName);
2003  auto has_role = [&](auto grantee_rl) {
2004  is_role_granted = target_role && grantee_rl->hasRole(target_role, only_direct);
2005  };
2006  if (auto* user_role = instance().getUserGrantee(granteeName); user_role) {
2007  has_role(user_role);
2008  } else if (auto* role = instance().getRoleGrantee(granteeName); role) {
2009  has_role(role);
2010  } else {
2011  CHECK(false);
2012  }
2013  return is_role_granted;
2014 }
static SysCatalog & instance()
Definition: SysCatalog.h:288
CHECK(cgen_state)
Role * getRoleGrantee(const std::string &name) const
User * getUserGrantee(const std::string &name) const
bool hasRole(Role *role, bool only_direct) const
Definition: Grantee.cpp:42
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110

+ Here is the call graph for this function:

std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::login ( std::string &  db,
std::string &  username,
const std::string &  password,
UserMetadata user_meta,
bool  check_password = true 
)

logins (connects) a user against a database.

throws a std::exception in all error cases! (including wrong password)

Definition at line 705 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::can_login.

709  {
710  // NOTE(sy): The dbname isn't const because getMetadataWithDefaultDB()
711  // can reset it. The username isn't const because SamlServer's
712  // login()/authenticate_user() can reset it.
713 
715  if (check_password) {
716  loginImpl(username, password, user_meta);
717  } else { // not checking for password so user must exist
718  if (!getMetadataForUser(username, user_meta)) {
719  throw std::runtime_error("Invalid credentials.");
720  }
721  }
722  // we should have a user and user_meta by now
723  if (!user_meta.can_login) {
724  throw std::runtime_error("Unauthorized Access: User " + username + " is deactivated");
725  }
727  getMetadataWithDefaultDB(dbname, username, db_meta, user_meta);
728  return Catalog::get(
729  basePath_, db_meta, dataMgr_, string_dict_hosts_, calciteMgr_, false);
730 }
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:3658
bool getMetadataForUser(const std::string &name, UserMetadata &user)
void loginImpl(std::string &username, const std::string &password, UserMetadata &user_meta)
Definition: SysCatalog.cpp:733
void getMetadataWithDefaultDB(std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:386
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:392
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:391
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::loginImpl ( std::string &  username,
const std::string &  password,
UserMetadata user_meta 
)
private

Definition at line 733 of file SysCatalog.cpp.

735  {
736  if (!checkPasswordForUser(password, username, user_meta)) {
737  throw std::runtime_error("Authentication failure");
738  }
739 }
bool checkPasswordForUser(const std::string &passwd, std::string &name, UserMetadata &user)
void Catalog_Namespace::SysCatalog::migrateDBAccessPrivileges ( )
private

Definition at line 610 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, CHECK(), DatabaseDBObjectType, DBObjectKey::dbId, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, logger::ERROR, logger::INFO, Catalog_Namespace::insertOrUpdateObjectPrivileges(), LOG, MAPD_VERSION, OMNISCI_ROOT_USER_ID, DBObjectKey::permissionType, DBObject::setName(), DBObject::setObjectType(), to_string(), DBObject::updatePrivileges(), and AccessPrivileges::VIEW_SQL_EDITOR.

610  {
611  sys_sqlite_lock sqlite_lock(this);
612  sqliteConnector_->query("BEGIN TRANSACTION");
613  try {
614  sqliteConnector_->query(
615  "select name from sqlite_master WHERE type='table' AND "
616  "name='mapd_version_history'");
617  if (sqliteConnector_->getNumRows() == 0) {
618  sqliteConnector_->query(
619  "CREATE TABLE mapd_version_history(version integer, migration_history text "
620  "unique)");
621  } else {
622  sqliteConnector_->query(
623  "select * from mapd_version_history where migration_history = "
624  "'db_access_privileges'");
625  if (sqliteConnector_->getNumRows() != 0) {
626  // both privileges migrated
627  // no need for further execution
628  sqliteConnector_->query("END TRANSACTION");
629  return;
630  }
631  }
632  // Insert check for migration
633  sqliteConnector_->query_with_text_params(
634  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
635  std::vector<std::string>{std::to_string(MAPD_VERSION), "db_access_privileges"});
636 
637  sqliteConnector_->query("select dbid, name from mapd_databases");
638  std::unordered_map<int, string> databases;
639  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
640  databases[sqliteConnector_->getData<int>(i, 0)] =
641  sqliteConnector_->getData<string>(i, 1);
642  }
643 
644  sqliteConnector_->query("select userid, name from mapd_users");
645  std::unordered_map<int, string> users;
646  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
647  users[sqliteConnector_->getData<int>(i, 0)] =
648  sqliteConnector_->getData<string>(i, 1);
649  }
650 
651  // All existing users by default will be granted DB Access permissions
652  // and view sql editor privileges
653  DBMetadata dbmeta;
654  for (auto db_ : databases) {
655  CHECK(SysCatalog::instance().getMetadataForDB(db_.second, dbmeta));
656  for (auto user : users) {
657  if (user.first != OMNISCI_ROOT_USER_ID) {
658  {
659  DBObjectKey key;
661  key.dbId = dbmeta.dbId;
662 
663  // access permission;
664  DBObject object_access(key, AccessPrivileges::ACCESS, dbmeta.dbOwner);
665  object_access.setObjectType(DBObjectType::DatabaseDBObjectType);
666  object_access.setName(dbmeta.dbName);
667  // sql_editor permission
668  DBObject object_editor(
669  key, AccessPrivileges::VIEW_SQL_EDITOR, dbmeta.dbOwner);
670  object_editor.setObjectType(DBObjectType::DatabaseDBObjectType);
671  object_editor.setName(dbmeta.dbName);
672  object_editor.updatePrivileges(object_access);
674  sqliteConnector_, user.second, true, object_editor);
675  }
676  }
677  }
678  }
679  } catch (const std::exception& e) {
680  LOG(ERROR) << "Failed to migrate db access privileges: " << e.what();
681  sqliteConnector_->query("ROLLBACK TRANSACTION");
682  throw;
683  }
684  sqliteConnector_->query("END TRANSACTION");
685  LOG(INFO) << "Successfully migrated db access privileges";
686 }
static const AccessPrivileges VIEW_SQL_EDITOR
Definition: DBObject.h:153
#define LOG(tag)
Definition: Logger.h:188
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:341
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static SysCatalog & instance()
Definition: SysCatalog.h:288
CHECK(cgen_state)
static const int32_t MAPD_VERSION
Definition: release.h:33
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
int32_t dbId
Definition: DBObject.h:56
static const AccessPrivileges ACCESS
Definition: DBObject.h:154
int32_t permissionType
Definition: DBObject.h:55
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::migratePrivileged_old ( )
private

Definition at line 688 of file SysCatalog.cpp.

688  {
689  sys_sqlite_lock sqlite_lock(this);
690 
691  sqliteConnector_->query("BEGIN TRANSACTION");
692  try {
693  sqliteConnector_->query(
694  "CREATE TABLE IF NOT EXISTS mapd_privileges (userid integer references "
695  "mapd_users, dbid integer references "
696  "mapd_databases, select_priv boolean, insert_priv boolean, UNIQUE(userid, "
697  "dbid))");
698  } catch (const std::exception& e) {
699  sqliteConnector_->query("ROLLBACK TRANSACTION");
700  throw;
701  }
702  sqliteConnector_->query("END TRANSACTION");
703 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
void Catalog_Namespace::SysCatalog::migratePrivileges ( )
private

Definition at line 371 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD_MIGRATE, AccessPrivileges::ALL_TABLE_MIGRATE, AccessPrivileges::ALL_VIEW_MIGRATE, DashboardDBObjectType, DatabaseDBObjectType, DBObjectKey::dbId, Catalog_Namespace::insertOrUpdateObjectPrivileges(), AccessPrivileges::NONE, OMNISCI_ROOT_USER_ID, DBObjectKey::permissionType, TableDBObjectType, and ViewDBObjectType.

371  {
372  sys_sqlite_lock sqlite_lock(this);
373  sqliteConnector_->query("BEGIN TRANSACTION");
374  try {
375  sqliteConnector_->query(
376  "SELECT name FROM sqlite_master WHERE type='table' AND "
377  "name='mapd_object_permissions'");
378  if (sqliteConnector_->getNumRows() != 0) {
379  // already done
380  sqliteConnector_->query("END TRANSACTION");
381  return;
382  }
383 
384  sqliteConnector_->query(
385  "CREATE TABLE IF NOT EXISTS mapd_object_permissions ("
386  "roleName text, "
387  "roleType bool, "
388  "dbId integer references mapd_databases, "
389  "objectName text, "
390  "objectId integer, "
391  "objectPermissionsType integer, "
392  "objectPermissions integer, "
393  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
394  "objectId))");
395 
396  // get the list of databases and their grantees
397  sqliteConnector_->query(
398  "SELECT userid, dbid FROM mapd_privileges WHERE select_priv = 1 and insert_priv "
399  "= 1");
400  size_t numRows = sqliteConnector_->getNumRows();
401  vector<pair<int, int>> db_grantees(numRows);
402  for (size_t i = 0; i < numRows; ++i) {
403  db_grantees[i].first = sqliteConnector_->getData<int>(i, 0);
404  db_grantees[i].second = sqliteConnector_->getData<int>(i, 1);
405  }
406  // map user names to user ids
407  sqliteConnector_->query("select userid, name from mapd_users");
408  numRows = sqliteConnector_->getNumRows();
409  std::unordered_map<int, string> users_by_id;
410  std::unordered_map<int, bool> user_has_privs;
411  for (size_t i = 0; i < numRows; ++i) {
412  users_by_id[sqliteConnector_->getData<int>(i, 0)] =
413  sqliteConnector_->getData<string>(i, 1);
414  user_has_privs[sqliteConnector_->getData<int>(i, 0)] = false;
415  }
416  // map db names to db ids
417  sqliteConnector_->query("select dbid, name from mapd_databases");
418  numRows = sqliteConnector_->getNumRows();
419  std::unordered_map<int, string> dbs_by_id;
420  for (size_t i = 0; i < numRows; ++i) {
421  dbs_by_id[sqliteConnector_->getData<int>(i, 0)] =
422  sqliteConnector_->getData<string>(i, 1);
423  }
424  // migrate old privileges to new privileges: if user had insert access to database, he
425  // was a grantee
426  for (const auto& grantee : db_grantees) {
427  user_has_privs[grantee.first] = true;
428  auto dbName = dbs_by_id[grantee.second];
429  {
430  // table level permissions
431  DBObjectKey key;
433  key.dbId = grantee.second;
435  object.setName(dbName);
437  sqliteConnector_, users_by_id[grantee.first], true, object);
438  }
439 
440  {
441  // dashboard level permissions
442  DBObjectKey key;
444  key.dbId = grantee.second;
445  DBObject object(
447  object.setName(dbName);
449  sqliteConnector_, users_by_id[grantee.first], true, object);
450  }
451 
452  {
453  // view level permissions
454  DBObjectKey key;
456  key.dbId = grantee.second;
458  object.setName(dbName);
460  sqliteConnector_, users_by_id[grantee.first], true, object);
461  }
462  }
463  for (auto user : user_has_privs) {
464  auto dbName = dbs_by_id[0];
465  if (user.second == false && user.first != OMNISCI_ROOT_USER_ID) {
466  {
467  DBObjectKey key;
469  key.dbId = 0;
471  object.setName(dbName);
473  sqliteConnector_, users_by_id[user.first], true, object);
474  }
475  }
476  }
477  } catch (const std::exception&) {
478  sqliteConnector_->query("ROLLBACK TRANSACTION");
479  throw;
480  }
481  sqliteConnector_->query("END TRANSACTION");
482 }
static const AccessPrivileges ALL_TABLE_MIGRATE
Definition: DBObject.h:157
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:341
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static const AccessPrivileges ALL_DASHBOARD_MIGRATE
Definition: DBObject.h:169
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
static const AccessPrivileges NONE
Definition: DBObject.h:149
static const AccessPrivileges ALL_VIEW_MIGRATE
Definition: DBObject.h:177
const int OMNISCI_ROOT_USER_ID
Definition: SysCatalog.h:60
int32_t dbId
Definition: DBObject.h:56
int32_t permissionType
Definition: DBObject.h:55

+ Here is the call graph for this function:

std::string Catalog_Namespace::SysCatalog::name ( ) const
inline

Definition at line 294 of file SysCatalog.h.

References OMNISCI_DEFAULT_DB.

294 { return OMNISCI_DEFAULT_DB; }
const std::string OMNISCI_DEFAULT_DB
Definition: SysCatalog.h:58
void Catalog_Namespace::SysCatalog::populateRoleDbObjects ( const std::vector< DBObject > &  objects)

Definition at line 2120 of file SysCatalog.cpp.

References CHECK(), Catalog_Namespace::insertOrUpdateObjectPrivileges(), and Catalog_Namespace::UserMetadata::userName.

Referenced by Catalog_Namespace::Catalog::recordOwnershipOfObjectsInObjectPermissions().

2120  {
2121  sys_write_lock write_lock(this);
2122  sys_sqlite_lock sqlite_lock(this);
2123  sqliteConnector_->query("BEGIN TRANSACTION");
2124  try {
2125  for (auto dbobject : objects) {
2126  UserMetadata user;
2127  CHECK(getMetadataForUserById(dbobject.getOwner(), user));
2128  auto* grantee = getUserGrantee(user.userName);
2129  if (grantee) {
2131  sqliteConnector_, grantee->getName(), true, dbobject);
2132  grantee->grantPrivileges(dbobject);
2133  }
2134  }
2135 
2136  } catch (const std::exception& e) {
2137  sqliteConnector_->query("ROLLBACK TRANSACTION");
2138  throw;
2139  }
2140  sqliteConnector_->query("END TRANSACTION");
2141 }
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:341
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
CHECK(cgen_state)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
User * getUserGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::renameDatabase ( std::string const &  old_name,
std::string const &  new_name 
)

Definition at line 975 of file SysCatalog.cpp.

References DatabaseDBObjectType, OMNISCI_SYSTEM_CATALOG, to_string(), and to_upper().

976  {
977  using namespace std::string_literals;
979  sys_sqlite_lock sqlite_lock(this);
980 
981  DBMetadata new_db;
982  if (getMetadataForDB(new_name, new_db)) {
983  throw std::runtime_error("Database " + new_name + " already exists.");
984  }
985  if (to_upper(new_name) == to_upper(OMNISCI_SYSTEM_CATALOG)) {
986  throw std::runtime_error("Database name " + new_name + "is reserved.");
987  }
988 
989  DBMetadata old_db;
990  if (!getMetadataForDB(old_name, old_db)) {
991  throw std::runtime_error("Database " + old_name + " does not exists.");
992  }
993 
994  Catalog::remove(old_db.dbName);
995 
996  std::string old_catalog_path, new_catalog_path;
997  std::tie(old_catalog_path, new_catalog_path) =
998  duplicateAndRenameCatalog(old_name, new_name);
999 
1000  auto transaction_streamer = yieldTransactionStreamer();
1001  auto failure_handler = [this, new_catalog_path] {
1002  removeCatalogByFullPath(new_catalog_path);
1003  };
1004  auto success_handler = [this, old_catalog_path] {
1005  removeCatalogByFullPath(old_catalog_path);
1006  };
1007 
1008  auto q1 = {"UPDATE mapd_databases SET name=?1 WHERE name=?2;"s, new_name, old_name};
1009  auto q2 = {
1010  "UPDATE mapd_object_permissions SET objectName=?1 WHERE objectNAME=?2 and (objectPermissionsType=?3 or objectId = -1) and dbId=?4;"s,
1011  new_name,
1012  old_name,
1014  std::to_string(old_db.dbId)};
1015 
1016  transaction_streamer(sqliteConnector_, success_handler, failure_handler, q1, q2);
1017 }
auto duplicateAndRenameCatalog(std::string const &current_name, std::string const &new_name)
Definition: SysCatalog.cpp:95
const std::string OMNISCI_SYSTEM_CATALOG
Definition: SysCatalog.h:57
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
std::string to_upper(const std::string &str)
static void remove(const std::string &dbName)
Definition: Catalog.cpp:3693
mapd_unique_lock< mapd_shared_mutex > write_lock
void removeCatalogByFullPath(std::string const &full_path)
Definition: SysCatalog.cpp:87
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::renameDBObject ( const std::string &  objectName,
const std::string &  newName,
DBObjectType  type,
int32_t  objectId,
const Catalog_Namespace::Catalog catalog 
)

Renames an DBObject

Parameters
objectName- original DBObject name
newName- new name of DBObject
type- type of DBObject
objectId- original DBObject ID
catalog- Catalog instance object exists in

Definition at line 1427 of file SysCatalog.cpp.

References DBObjectKey::dbId, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), DBObjectKey::objectId, DBObjectKey::permissionType, Grantee::renameDbObject(), DBObject::setObjectKey(), and run_benchmark_import::type.

1431  {
1432  sys_write_lock write_lock(this);
1433  DBObject new_object(newName, type);
1434  DBObjectKey key;
1435  key.dbId = catalog.getCurrentDB().dbId;
1436  key.objectId = objectId;
1437  key.permissionType = type;
1438  new_object.setObjectKey(key);
1439  auto objdescs =
1440  getMetadataForObject(key.dbId, static_cast<int32_t>(type), key.objectId);
1441  for (auto obj : objdescs) {
1442  Grantee* grnt = getGrantee(obj->roleName);
1443  if (grnt) {
1444  grnt->renameDbObject(new_object);
1445  }
1446  }
1447  renameObjectsInDescriptorMap(new_object, catalog);
1448 }
Grantee * getGrantee(const std::string &name) const
int32_t objectId
Definition: DBObject.h:57
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:194
void renameObjectsInDescriptorMap(DBObject &object, const Catalog_Namespace::Catalog &cat)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
int32_t dbId
Definition: DBObject.h:56
int32_t permissionType
Definition: DBObject.h:55
mapd_unique_lock< mapd_shared_mutex > write_lock
std::vector< ObjectRoleDescriptor * > getMetadataForObject(int32_t dbId, int32_t dbType, int32_t objectId) const
virtual void renameDbObject(const DBObject &object)
Definition: Grantee.cpp:108

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::renameObjectsInDescriptorMap ( DBObject object,
const Catalog_Namespace::Catalog cat 
)

Definition at line 1852 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), and to_string().

Referenced by Catalog_Namespace::Catalog::renameTable().

1853  {
1854  sys_write_lock write_lock(this);
1855  sys_sqlite_lock sqlite_lock(this);
1856  auto range = objectDescriptorMap_.equal_range(
1857  std::to_string(cat.getCurrentDB().dbId) + ":" +
1858  std::to_string(object.getObjectKey().permissionType) + ":" +
1859  std::to_string(object.getObjectKey().objectId));
1860  for (auto d = range.first; d != range.second; ++d) {
1861  // rename object
1862  d->second->objectName = object.getName();
1863  }
1864 
1865  sqliteConnector_->query("BEGIN TRANSACTION");
1866  try {
1867  sqliteConnector_->query_with_text_params(
1868  "UPDATE mapd_object_permissions SET objectName = ?1 WHERE "
1869  "dbId = ?2 AND objectId = ?3",
1870  std::vector<std::string>{object.getName(),
1872  std::to_string(object.getObjectKey().objectId)});
1873  } catch (const std::exception& e) {
1874  sqliteConnector_->query("ROLLBACK TRANSACTION");
1875  throw;
1876  }
1877  sqliteConnector_->query("END TRANSACTION");
1878 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:194
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::renameUser ( std::string const &  old_name,
std::string const &  new_name 
)

Definition at line 942 of file SysCatalog.cpp.

942  {
943  using namespace std::string_literals;
945  sys_sqlite_lock sqlite_lock(this);
946 
947  UserMetadata old_user;
948  if (!getMetadataForUser(old_name, old_user)) {
949  throw std::runtime_error("User " + old_name + " doesn't exist.");
950  }
951 
952  UserMetadata new_user;
953  if (getMetadataForUser(new_name, new_user)) {
954  throw std::runtime_error("User " + new_name + " already exists.");
955  }
956 
957  if (getGrantee(new_name)) {
958  throw runtime_error(
959  "User name " + new_name +
960  " is same as one of existing grantees. User and role names should be unique.");
961  }
962 
963  auto transaction_streamer = yieldTransactionStreamer();
964  auto failure_handler = [] {};
965  auto success_handler = [this, &old_name, &new_name] {
966  updateUserRoleName(old_name, new_name);
967  };
968  auto q1 = {"UPDATE mapd_users SET name=?1 where name=?2;"s, new_name, old_name};
969  auto q2 = {"UPDATE mapd_object_permissions set roleName=?1 WHERE roleName=?2;"s,
970  new_name,
971  old_name};
972  transaction_streamer(sqliteConnector_, success_handler, failure_handler, q1, q2);
973 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
void updateUserRoleName(const std::string &roleName, const std::string &newName)
Definition: SysCatalog.cpp:930
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::revokeAllOnDatabase_unsafe ( const std::string &  roleName,
int32_t  dbId,
Grantee grantee 
)
private

Definition at line 1589 of file SysCatalog.cpp.

References Grantee::revokeAllOnDatabase(), and to_string().

1591  {
1592  sys_sqlite_lock sqlite_lock(this);
1593  sqliteConnector_->query_with_text_params(
1594  "DELETE FROM mapd_object_permissions WHERE roleName = ?1 and dbId = ?2",
1595  std::vector<std::string>{roleName, std::to_string(dbId)});
1596  grantee->revokeAllOnDatabase(dbId);
1597  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
1598  if (d->second->roleName == roleName && d->second->dbId == dbId) {
1599  delete d->second;
1600  d = objectDescriptorMap_.erase(d);
1601  } else {
1602  d++;
1603  }
1604  }
1605 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
virtual void revokeAllOnDatabase(int32_t dbId)
Definition: Grantee.cpp:279
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::revokeDashboardSystemRole ( const std::string  roleName,
const std::vector< std::string >  grantees 
)

Definition at line 2061 of file SysCatalog.cpp.

2062  {
2063  auto* rl = getRoleGrantee(roleName);
2064  for (auto granteeName : grantees) {
2065  const auto* grantee = SysCatalog::instance().getGrantee(granteeName);
2066  if (rl && grantee->hasRole(rl, true)) {
2067  // Grantees existence have been already validated
2068  SysCatalog::instance().revokeRole(roleName, granteeName);
2069  }
2070  }
2071 }
Grantee * getGrantee(const std::string &name) const
static SysCatalog & instance()
Definition: SysCatalog.h:288
Role * getRoleGrantee(const std::string &name) const
void revokeRole(const std::string &role, const std::string &grantee)
void Catalog_Namespace::SysCatalog::revokeDBObjectPrivileges ( const std::string &  grantee,
const DBObject object,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2271 of file SysCatalog.cpp.

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole().

2273  {
2275  &SysCatalog::revokeDBObjectPrivileges_unsafe, grantee, object, catalog);
2276 }
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivileges_unsafe ( const std::string &  granteeName,
DBObject  object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1551 of file SysCatalog.cpp.

References DatabasePrivileges::ALL, DatabaseDBObjectType, Catalog_Namespace::deleteObjectPrivileges(), Catalog_Namespace::insertOrUpdateObjectPrivileges(), and Catalog_Namespace::UserMetadata::isSuper.

1554  {
1555  sys_write_lock write_lock(this);
1556 
1557  UserMetadata user_meta;
1558  if (instance().getMetadataForUser(granteeName, user_meta)) {
1559  if (user_meta.isSuper) {
1560  // super doesn't have explicit privileges so nothing to do
1561  return;
1562  }
1563  }
1564  auto* grantee = getGrantee(granteeName);
1565  if (!grantee) {
1566  throw runtime_error("Request to revoke privileges from " + granteeName +
1567  " failed because role or user with this name does not exist.");
1568  }
1569  object.loadKey(catalog);
1570 
1571  if (object.getPrivileges().hasPermission(DatabasePrivileges::ALL) &&
1572  object.getObjectKey().permissionType == DatabaseDBObjectType) {
1573  return revokeAllOnDatabase_unsafe(granteeName, object.getObjectKey().dbId, grantee);
1574  }
1575 
1576  auto ret_object = grantee->revokePrivileges(object);
1577  if (ret_object) {
1578  sys_sqlite_lock sqlite_lock(this);
1580  sqliteConnector_, granteeName, grantee->isUser(), *ret_object);
1581  updateObjectDescriptorMap(granteeName, *ret_object, grantee->isUser(), catalog);
1582  } else {
1583  sys_sqlite_lock sqlite_lock(this);
1584  deleteObjectPrivileges(sqliteConnector_, granteeName, grantee->isUser(), object);
1585  deleteObjectDescriptorMap(granteeName, object, catalog);
1586  }
1587 }
void revokeAllOnDatabase_unsafe(const std::string &roleName, int32_t dbId, Grantee *grantee)
static const int32_t ALL
Definition: DBObject.h:79
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:341
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static SysCatalog & instance()
Definition: SysCatalog.h:288
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
void deleteObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:322
void deleteObjectDescriptorMap(const std::string &roleName)
void updateObjectDescriptorMap(const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesBatch ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2278 of file SysCatalog.cpp.

2281  {
2283  &SysCatalog::revokeDBObjectPrivilegesBatch_unsafe, grantees, objects, catalog);
2284 }
void revokeDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)
void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesBatch_unsafe ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1531 of file SysCatalog.cpp.

1534  {
1535  for (const auto& grantee : grantees) {
1536  for (const auto& object : objects) {
1537  revokeDBObjectPrivileges_unsafe(grantee, object, catalog);
1538  }
1539  }
1540 }
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesFromAll ( DBObject  object,
Catalog catalog 
)

Definition at line 2286 of file SysCatalog.cpp.

Referenced by Catalog_Namespace::Catalog::dropFsiSchemasAndTables(), Catalog_Namespace::Catalog::dropTable(), and DropForeignServerCommand::execute().

2286  {
2288 }
void execInTransaction(F &&f, Args &&...args)
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesFromAll_unsafe ( DBObject  object,
Catalog catalog 
)

Definition at line 1607 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_TABLE, DashboardDBObjectType, DBObject::getObjectKey(), DBObject::loadKey(), DBObjectKey::permissionType, DBObject::setPrivileges(), and TableDBObjectType.

1608  {
1609  sys_write_lock write_lock(this);
1610  dbObject.loadKey(*catalog);
1611  auto privs = (dbObject.getObjectKey().permissionType == TableDBObjectType)
1613  : (dbObject.getObjectKey().permissionType == DashboardDBObjectType)
1616  dbObject.setPrivileges(privs);
1617  for (const auto& grantee : granteeMap_) {
1618  if (grantee.second->findDbObject(dbObject.getObjectKey(), true)) {
1619  revokeDBObjectPrivileges_unsafe(grantee.second->getName(), dbObject, *catalog);
1620  }
1621  }
1622 }
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:170
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:158
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesFromAllBatch ( std::vector< DBObject > &  objects,
Catalog catalog 
)

Definition at line 2290 of file SysCatalog.cpp.

Referenced by Catalog_Namespace::Catalog::deleteMetadataForDashboards().

2291  {
2294 }
void revokeDBObjectPrivilegesFromAllBatch_unsafe(std::vector< DBObject > &objects, Catalog *catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::revokeDBObjectPrivilegesFromAllBatch_unsafe ( std::vector< DBObject > &  objects,
Catalog catalog 
)

Definition at line 1542 of file SysCatalog.cpp.

1544  {
1545  for (const auto& object : objects) {
1546  revokeDBObjectPrivilegesFromAll_unsafe(object, catalog);
1547  }
1548 }
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)
void Catalog_Namespace::SysCatalog::revokeRole ( const std::string &  role,
const std::string &  grantee 
)

Definition at line 2253 of file SysCatalog.cpp.

2253  {
2255 }
void execInTransaction(F &&f, Args &&...args)
void revokeRole_unsafe(const std::string &roleName, const std::string &granteeName)
void Catalog_Namespace::SysCatalog::revokeRole_unsafe ( const std::string &  roleName,
const std::string &  granteeName 
)
private

Definition at line 1795 of file SysCatalog.cpp.

1796  {
1797  auto* rl = getRoleGrantee(roleName);
1798  if (!rl) {
1799  throw runtime_error("Request to revoke role " + roleName +
1800  " failed because role with this name does not exist.");
1801  }
1802  auto* grantee = getGrantee(granteeName);
1803  if (!grantee) {
1804  throw runtime_error("Request to revoke role from " + granteeName +
1805  " failed because grantee with this name does not exist.");
1806  }
1807  sys_write_lock write_lock(this);
1808  grantee->revokeRole(rl);
1809  sys_sqlite_lock sqlite_lock(this);
1810  sqliteConnector_->query_with_text_params(
1811  "DELETE FROM mapd_roles WHERE roleName = ? AND userName = ?",
1812  std::vector<std::string>{rl->getName(), grantee->getName()});
1813 }
Grantee * getGrantee(const std::string &name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
Role * getRoleGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
mapd_unique_lock< mapd_shared_mutex > write_lock
void Catalog_Namespace::SysCatalog::revokeRoleBatch ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)

Definition at line 2248 of file SysCatalog.cpp.

2249  {
2251 }
void revokeRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
void execInTransaction(F &&f, Args &&...args)
void Catalog_Namespace::SysCatalog::revokeRoleBatch_unsafe ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)
private

Definition at line 1785 of file SysCatalog.cpp.

1786  {
1787  for (const auto& role : roles) {
1788  for (const auto& grantee : grantees) {
1789  revokeRole_unsafe(role, grantee);
1790  }
1791  }
1792 }
void revokeRole_unsafe(const std::string &roleName, const std::string &granteeName)
std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::switchDatabase ( std::string &  dbname,
const std::string &  username 
)

Definition at line 741 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, cat(), DatabaseDBObjectType, DBObject::loadKey(), and DBObject::setPrivileges().

742  {
743  DBMetadata db_meta;
744  UserMetadata user_meta;
745 
746  getMetadataWithDefaultDB(dbname, username, db_meta, user_meta);
747 
748  // NOTE(max): register database in Catalog that early to allow ldap
749  // and saml create default user and role privileges on databases
750  auto cat =
752 
753  DBObject dbObject(dbname, DatabaseDBObjectType);
754  dbObject.loadKey();
755  dbObject.setPrivileges(AccessPrivileges::ACCESS);
756  if (!checkPrivileges(user_meta, std::vector<DBObject>{dbObject})) {
757  throw std::runtime_error("Unauthorized Access: user " + username +
758  " is not allowed to access database " + dbname + ".");
759  }
760 
761  return cat;
762 }
std::string cat(Ts &&...args)
static std::shared_ptr< Catalog > get(const std::string &dbName)
Definition: Catalog.cpp:3658
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
void getMetadataWithDefaultDB(std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:386
static const AccessPrivileges ACCESS
Definition: DBObject.h:154
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:392
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:391

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::syncUserWithRemoteProvider ( const std::string &  user_name,
std::vector< std::string >  idp_roles,
bool *  issuper 
)

Definition at line 2296 of file SysCatalog.cpp.

References generate_random_string(), logger::INFO, Catalog_Namespace::UserMetadata::isSuper, join(), LOG, to_upper(), Catalog_Namespace::UserMetadata::userId, and logger::WARNING.

2298  {
2299  UserMetadata user_meta;
2300  bool is_super_user = is_super ? *is_super : false;
2301  if (!getMetadataForUser(user_name, user_meta)) {
2302  createUser(user_name, generate_random_string(72), is_super_user, "", true);
2303  LOG(INFO) << "User " << user_name << " has been created by remote identity provider"
2304  << " with IS_SUPER = " << (is_super_user ? "'TRUE'" : "'FALSE'");
2305  } else if (is_super && is_super_user != user_meta.isSuper) {
2306  alterUser(user_meta.userId, nullptr, is_super, nullptr, nullptr);
2307  LOG(INFO) << "IS_SUPER for user " << user_name << " has been changed to "
2308  << (is_super_user ? "TRUE" : "FALSE") << " by remote identity provider";
2309  }
2310  std::vector<std::string> current_roles = {};
2311  auto* user_rl = getUserGrantee(user_name);
2312  if (user_rl) {
2313  current_roles = user_rl->getRoles();
2314  }
2315  std::transform(
2316  current_roles.begin(), current_roles.end(), current_roles.begin(), to_upper);
2317  std::transform(idp_roles.begin(), idp_roles.end(), idp_roles.begin(), to_upper);
2318  std::list<std::string> roles_revoked, roles_granted;
2319  // first remove obsolete ones
2320  for (auto& current_role_name : current_roles) {
2321  if (std::find(idp_roles.begin(), idp_roles.end(), current_role_name) ==
2322  idp_roles.end()) {
2323  revokeRole(current_role_name, user_name);
2324  roles_revoked.push_back(current_role_name);
2325  }
2326  }
2327  for (auto& role_name : idp_roles) {
2328  if (std::find(current_roles.begin(), current_roles.end(), role_name) ==
2329  current_roles.end()) {
2330  auto* rl = getRoleGrantee(role_name);
2331  if (rl) {
2332  grantRole(role_name, user_name);
2333  roles_granted.push_back(role_name);
2334  } else {
2335  LOG(WARNING) << "Error synchronizing roles for user " << user_name << ": role "
2336  << role_name << " does not exist";
2337  }
2338  }
2339  }
2340  if (roles_granted.empty() && roles_revoked.empty()) {
2341  LOG(INFO) << "Roles for user " << user_name
2342  << " are up to date with remote identity provider";
2343  } else {
2344  if (!roles_revoked.empty()) {
2345  LOG(INFO) << "Roles revoked during synchronization with identity provider for user "
2346  << user_name << ": " << join(roles_revoked, " ");
2347  }
2348  if (!roles_granted.empty()) {
2349  LOG(INFO) << "Roles granted during synchronization with identity provider for user "
2350  << user_name << ": " << join(roles_granted, " ");
2351  }
2352  }
2353 }
#define LOG(tag)
Definition: Logger.h:188
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string join(T const &container, std::string const &delim)
void createUser(const std::string &name, const std::string &passwd, bool issuper, const std::string &dbname, bool can_login)
Definition: SysCatalog.cpp:772
void alterUser(const int32_t userid, const std::string *passwd, bool *issuper, const std::string *dbname, bool *can_login)
Definition: SysCatalog.cpp:861
std::string generate_random_string(const size_t len)
Role * getRoleGrantee(const std::string &name) const
User * getUserGrantee(const std::string &name) const
std::string to_upper(const std::string &str)
void grantRole(const std::string &role, const std::string &grantee)
void revokeRole(const std::string &role, const std::string &grantee)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::updateBlankPasswordsToRandom ( )
private

Definition at line 536 of file SysCatalog.cpp.

References CHECK(), logger::ERROR, generate_random_string(), anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), LOG, MAPD_VERSION, to_string(), and logger::WARNING.

536  {
537  const std::string UPDATE_BLANK_PASSWORDS_TO_RANDOM = "update_blank_passwords_to_random";
538  sqliteConnector_->query_with_text_params(
539  "SELECT migration_history FROM mapd_version_history WHERE migration_history = ?",
540  std::vector<std::string>{UPDATE_BLANK_PASSWORDS_TO_RANDOM});
541  if (sqliteConnector_->getNumRows()) {
542  return;
543  }
544 
545  sys_sqlite_lock sqlite_lock(this);
546  sqliteConnector_->query("BEGIN TRANSACTION");
547  try {
548  sqliteConnector_->query(
549  "SELECT userid, passwd_hash, name FROM mapd_users WHERE name <> 'mapd'");
550  auto numRows = sqliteConnector_->getNumRows();
551  vector<std::string> users, passwords, names;
552  for (size_t i = 0; i < numRows; i++) {
553  users.push_back(sqliteConnector_->getData<std::string>(i, 0));
554  passwords.push_back(sqliteConnector_->getData<std::string>(i, 1));
555  names.push_back(sqliteConnector_->getData<std::string>(i, 2));
556  }
557  for (size_t i = 0; i < users.size(); ++i) {
558  int pwd_check_result = bcrypt_checkpw("", passwords[i].c_str());
559  // if the check fails there is a good chance that data on disc is broken
560  CHECK(pwd_check_result >= 0);
561  if (pwd_check_result != 0) {
562  continue;
563  }
564  LOG(WARNING) << "resetting blank password for user " << names[i] << " (" << users[i]
565  << ") to a random password";
566  sqliteConnector_->query_with_text_params(
567  "UPDATE mapd_users SET passwd_hash = ? WHERE userid = ?",
568  std::vector<std::string>{hash_with_bcrypt(generate_random_string(72)),
569  users[i]});
570  }
571  sqliteConnector_->query_with_text_params(
572  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
573  std::vector<std::string>{std::to_string(MAPD_VERSION),
574  UPDATE_BLANK_PASSWORDS_TO_RANDOM});
575  } catch (const std::exception& e) {
576  LOG(ERROR) << "Failed to fix blank passwords: " << e.what();
577  sqliteConnector_->query("ROLLBACK TRANSACTION");
578  throw;
579  }
580  sqliteConnector_->query("END TRANSACTION");
581 }
#define LOG(tag)
Definition: Logger.h:188
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
CHECK(cgen_state)
std::string generate_random_string(const size_t len)
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:66
static const int32_t MAPD_VERSION
Definition: release.h:33
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::updateObjectDescriptorMap ( const std::string &  roleName,
DBObject object,
bool  roleType,
const Catalog_Namespace::Catalog cat 
)
private

Definition at line 1816 of file SysCatalog.cpp.

References ObjectRoleDescriptor::dbId, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), ObjectRoleDescriptor::objectId, ObjectRoleDescriptor::objectName, ObjectRoleDescriptor::objectOwnerId, ObjectRoleDescriptor::objectType, ObjectRoleDescriptor::privs, ObjectRoleDescriptor::roleName, ObjectRoleDescriptor::roleType, and to_string().

1819  {
1820  bool present = false;
1821  auto privs = object.getPrivileges();
1822  sys_write_lock write_lock(this);
1823  auto range = objectDescriptorMap_.equal_range(
1824  std::to_string(cat.getCurrentDB().dbId) + ":" +
1825  std::to_string(object.getObjectKey().permissionType) + ":" +
1826  std::to_string(object.getObjectKey().objectId));
1827  for (auto d = range.first; d != range.second; ++d) {
1828  if (d->second->roleName == roleName) {
1829  // overwrite permissions
1830  d->second->privs = privs;
1831  present = true;
1832  }
1833  }
1834  if (!present) {
1836  od->roleName = roleName;
1837  od->roleType = roleType;
1838  od->objectType = object.getObjectKey().permissionType;
1839  od->dbId = object.getObjectKey().dbId;
1840  od->objectId = object.getObjectKey().objectId;
1841  od->privs = object.getPrivileges();
1842  od->objectOwnerId = object.getOwner();
1843  od->objectName = object.getName();
1844  objectDescriptorMap_.insert(ObjectRoleDescriptorMap::value_type(
1845  std::to_string(od->dbId) + ":" + std::to_string(od->objectType) + ":" +
1846  std::to_string(od->objectId),
1847  od));
1848  }
1849 }
specifies the object_roles content in-memory of a row in mapd_object_permissions table ...
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:383
std::string to_string(char const *&&v)
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:194
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::updatePasswordsToHashes ( )
private

Definition at line 484 of file SysCatalog.cpp.

References logger::ERROR, anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), logger::INFO, and LOG.

484  {
485  sys_sqlite_lock sqlite_lock(this);
486  sqliteConnector_->query("BEGIN TRANSACTION");
487  try {
488  sqliteConnector_->query(
489  "SELECT name FROM sqlite_master WHERE type='table' AND name='mapd_users'");
490  if (sqliteConnector_->getNumRows() == 0) {
491  // Nothing to update
492  sqliteConnector_->query("END TRANSACTION");
493  return;
494  }
495  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
496  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
497  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
498  if (col_name == "passwd_hash") {
499  sqliteConnector_->query("END TRANSACTION");
500  return;
501  }
502  }
503  // Alas, SQLite can't drop columns so we have to recreate the table
504  // (or, optionally, add the new column and reset the old one to a bunch of nulls)
505  sqliteConnector_->query("SELECT userid, passwd FROM mapd_users");
506  auto numRows = sqliteConnector_->getNumRows();
507  vector<std::string> users, passwords;
508  for (size_t i = 0; i < numRows; i++) {
509  users.push_back(sqliteConnector_->getData<std::string>(i, 0));
510  passwords.push_back(sqliteConnector_->getData<std::string>(i, 1));
511  }
512  sqliteConnector_->query(
513  "CREATE TABLE mapd_users_tmp (userid integer primary key, name text unique, "
514  "passwd_hash text, issuper boolean, default_db integer references "
515  "mapd_databases)");
516  sqliteConnector_->query(
517  "INSERT INTO mapd_users_tmp(userid, name, passwd_hash, issuper, default_db) "
518  "SELECT userid, name, null, issuper, default_db FROM mapd_users");
519  for (size_t i = 0; i < users.size(); ++i) {
520  sqliteConnector_->query_with_text_params(
521  "UPDATE mapd_users_tmp SET passwd_hash = ? WHERE userid = ?",
522  std::vector<std::string>{hash_with_bcrypt(passwords[i]), users[i]});
523  }
524  sqliteConnector_->query("DROP TABLE mapd_users");
525  sqliteConnector_->query("ALTER TABLE mapd_users_tmp RENAME TO mapd_users");
526  } catch (const std::exception& e) {
527  LOG(ERROR) << "Failed to hash passwords: " << e.what();
528  sqliteConnector_->query("ROLLBACK TRANSACTION");
529  throw;
530  }
531  sqliteConnector_->query("END TRANSACTION");
532  sqliteConnector_->query("VACUUM"); // physically delete plain text passwords
533  LOG(INFO) << "Passwords were successfully hashed";
534 }
#define LOG(tag)
Definition: Logger.h:188
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:66
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::updateSupportUserDeactivation ( )
private

Definition at line 583 of file SysCatalog.cpp.

References logger::ERROR, LOG, MAPD_VERSION, and to_string().

583  {
584  const std::string UPDATE_SUPPORT_USER_DEACTIVATION = "update_support_user_deactivation";
585  sys_sqlite_lock sqlite_lock(this);
586  // check to see if the new column already exists
587  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
588  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
589  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
590  if (col_name == "can_login") {
591  return; // new column already exists
592  }
593  }
594  sqliteConnector_->query("BEGIN TRANSACTION");
595  try {
596  sqliteConnector_->query("ALTER TABLE mapd_users ADD COLUMN can_login BOOLEAN");
597  sqliteConnector_->query("UPDATE mapd_users SET can_login = true");
598  sqliteConnector_->query_with_text_params(
599  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
600  std::vector<std::string>{std::to_string(MAPD_VERSION),
601  UPDATE_SUPPORT_USER_DEACTIVATION});
602  } catch (const std::exception& e) {
603  LOG(ERROR) << "Failed to add support for user deactivation: " << e.what();
604  sqliteConnector_->query("ROLLBACK TRANSACTION");
605  throw;
606  }
607  sqliteConnector_->query("END TRANSACTION");
608 }
#define LOG(tag)
Definition: Logger.h:188
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
static const int32_t MAPD_VERSION
Definition: release.h:33
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::updateUserRoleName ( const std::string &  roleName,
const std::string &  newName 
)
private

Definition at line 930 of file SysCatalog.cpp.

References to_upper().

931  {
933 
934  auto it = granteeMap_.find(to_upper(roleName));
935  if (it != granteeMap_.end()) {
936  it->second->setName(newName);
937  std::swap(granteeMap_[to_upper(newName)], it->second);
938  granteeMap_.erase(it);
939  }
940 }
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:80
std::string to_upper(const std::string &str)
mapd_unique_lock< mapd_shared_mutex > write_lock

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::updateUserSchema ( )
private

Definition at line 213 of file SysCatalog.cpp.

213  {
214  sys_sqlite_lock sqlite_lock(this);
215 
216  // check to see if the new column already exists
217  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
218  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
219  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
220  if (col_name == "default_db") {
221  return; // new column already exists
222  }
223  }
224 
225  // create the new column
226  sqliteConnector_->query("BEGIN TRANSACTION");
227  try {
228  sqliteConnector_->query(
229  "ALTER TABLE mapd_users ADD COLUMN default_db INTEGER REFERENCES mapd_databases");
230  } catch (const std::exception& e) {
231  sqliteConnector_->query("ROLLBACK TRANSACTION");
232  throw;
233  }
234  sqliteConnector_->query("END TRANSACTION");
235 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:384
bool Catalog_Namespace::SysCatalog::verifyDBObjectOwnership ( const UserMetadata user,
DBObject  object,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 1624 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

1626  {
1627  sys_read_lock read_lock(this);
1628 
1629  auto* grantee = instance().getUserGrantee(user.userName);
1630  if (grantee) {
1631  object.loadKey(catalog);
1632  auto* found_object = grantee->findDbObject(object.getObjectKey(), false);
1633  if (found_object && found_object->getOwner() == user.userId) {
1634  return true;
1635  }
1636  }
1637  return false;
1638 }
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:72
static SysCatalog & instance()
Definition: SysCatalog.h:288
User * getUserGrantee(const std::string &name) const
mapd_shared_lock< mapd_shared_mutex > read_lock
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:110
auto Catalog_Namespace::SysCatalog::yieldTransactionStreamer ( )
private

Definition at line 907 of file SysCatalog.cpp.

907  {
908  return
909  [](auto& db_connector, auto on_success, auto on_failure, auto&&... query_requests) {
910  auto query_runner = [&db_connector](auto&&... query_reqs) {
911  [[gnu::unused]] int throw_away[] = {
912  (db_connector->query_with_text_params(
913  std::forward<decltype(query_reqs)>(query_reqs)),
914  0)...};
915  };
916 
917  db_connector->query("BEGIN TRANSACTION");
918  try {
919  query_runner(std::forward<decltype(query_requests)>(query_requests)...);
920  on_success();
921  } catch (std::exception&) {
922  db_connector->query("ROLLBACK TRANSACTION");
923  on_failure();
924  throw;
925  }
926  db_connector->query("END TRANSACTION");
927  };
928 }

Member Data Documentation

bool Catalog_Namespace::SysCatalog::aggregator_
private

Definition at line 393 of file SysCatalog.h.

Referenced by isAggregator().

const AuthMetadata* Catalog_Namespace::SysCatalog::authMetadata_
private

Definition at line 390 of file SysCatalog.h.

std::string Catalog_Namespace::SysCatalog::basePath_
private

Definition at line 381 of file SysCatalog.h.

Referenced by getBasePath().

std::shared_ptr<Calcite> Catalog_Namespace::SysCatalog::calciteMgr_
private

Definition at line 391 of file SysCatalog.h.

Referenced by getCalciteMgr().

std::shared_ptr<Data_Namespace::DataMgr> Catalog_Namespace::SysCatalog::dataMgr_
private

Definition at line 386 of file SysCatalog.h.

Referenced by getDataMgr().

GranteeMap Catalog_Namespace::SysCatalog::granteeMap_
private

Definition at line 382 of file SysCatalog.h.

std::unique_ptr<LdapServer> Catalog_Namespace::SysCatalog::ldap_server_
private

Definition at line 387 of file SysCatalog.h.

ObjectRoleDescriptorMap Catalog_Namespace::SysCatalog::objectDescriptorMap_
private

Definition at line 383 of file SysCatalog.h.

std::unique_ptr<PkiServer> Catalog_Namespace::SysCatalog::pki_server_
private

Definition at line 389 of file SysCatalog.h.

std::unique_ptr<RestServer> Catalog_Namespace::SysCatalog::rest_server_
private

Definition at line 388 of file SysCatalog.h.

mapd_shared_mutex Catalog_Namespace::SysCatalog::sharedMutex_
mutable

Definition at line 398 of file SysCatalog.h.

std::unique_ptr<SqliteConnector> Catalog_Namespace::SysCatalog::sqliteConnector_
private

Definition at line 384 of file SysCatalog.h.

Referenced by getSqliteConnector().

std::mutex Catalog_Namespace::SysCatalog::sqliteMutex_
mutable

Definition at line 397 of file SysCatalog.h.

std::vector<LeafHostInfo> Catalog_Namespace::SysCatalog::string_dict_hosts_
private

Definition at line 392 of file SysCatalog.h.

std::atomic<std::thread::id> Catalog_Namespace::SysCatalog::thread_holding_sqlite_lock
mutable

Definition at line 399 of file SysCatalog.h.

std::atomic<std::thread::id> Catalog_Namespace::SysCatalog::thread_holding_write_lock
mutable

Definition at line 400 of file SysCatalog.h.

thread_local bool Catalog_Namespace::SysCatalog::thread_holds_read_lock = false
static

Definition at line 401 of file SysCatalog.h.


The documentation for this class was generated from the following files: