OmniSciDB  c07336695a
Grantee Class Reference (abstract)

#include <Grantee.h>


Public Member Functions

 Grantee (const std::string &name)
 
virtual ~Grantee ()
 
virtual bool isUser () const =0
 
virtual void grantPrivileges (const DBObject &object)
 
virtual DBObject * revokePrivileges (const DBObject &object)
 
virtual void grantRole (Role *role)
 
virtual void revokeRole (Role *role)
 
virtual bool hasAnyPrivileges (const DBObject &objectRequested, bool only_direct) const
 
virtual bool checkPrivileges (const DBObject &objectRequested) const
 
virtual void updatePrivileges ()
 
virtual void updatePrivileges (Role *role)
 
virtual void revokeAllOnDatabase (int32_t dbId)
 
virtual void renameDbObject (const DBObject &object)
 
void getPrivileges (DBObject &object, bool only_direct)
 
DBObject * findDbObject (const DBObjectKey &objectKey, bool only_direct) const
 
bool hasAnyPrivilegesOnDb (int32_t dbId, bool only_direct) const
 
const std::string & getName () const
 
void setName (const std::string &name)
 
std::vector< std::string > getRoles () const
 
bool hasRole (Role *role, bool only_direct) const
 
const DBObjectMap * getDbObjects (bool only_direct) const
 
void checkCycles (Role *newRole)
 

Protected Attributes

std::string name_
 
std::unordered_set< Role * > roles_
 
DBObjectMap effectivePrivileges_
 
DBObjectMap directPrivileges_
 

Private Types

typedef std::map< DBObjectKey, std::unique_ptr< DBObject > > DBObjectMap
 

Detailed Description

Definition at line 32 of file Grantee.h.

Member Typedef Documentation

◆ DBObjectMap

typedef std::map<DBObjectKey, std::unique_ptr<DBObject> > Grantee::DBObjectMap
private

Definition at line 33 of file Grantee.h.

Constructor & Destructor Documentation

◆ Grantee()

Grantee::Grantee ( const std::string &  name)

Definition at line 23 of file Grantee.cpp.

/// Creates a grantee with the given name; roles_ and both privilege maps start empty.
/// @param name the grantee's name, copied into name_
Grantee::Grantee(const std::string& name) : name_{name} {}

◆ ~Grantee()

Grantee::~Grantee ( )
virtual

Definition at line 25 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

/// Unregisters this grantee from every role it holds, then releases its own state.
///
/// Roles keep a list of their grantees (see Role::addGrantee / Role::removeGrantee), so
/// the back-references must be dropped before this object goes away. clear() on the two
/// privilege maps frees the DBObjects they own through unique_ptr.
Grantee::~Grantee() {
  for (Role* const held_role : roles_) {
    held_role->removeGrantee(this);
  }
  effectivePrivileges_.clear();
  directPrivileges_.clear();
  roles_.clear();
}

Member Function Documentation

◆ checkCycles()

void Grantee::checkCycles ( Role * newRole)

Definition at line 293 of file Grantee.cpp.

References CHECK, TestHelpers::g(), Role::getGrantees(), and getName().

Referenced by getDbObjects(), and grantRole().

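/// Refuses to grant newRole to this grantee when that would make the grantee graph cyclic.
///
/// The graph is walked downward from this grantee: a role expands into its grantees
/// (Role::getGrantees), users are leaves and are not expanded. If newRole is reached,
/// adding the edge newRole -> this would close a loop, so a runtime_error is thrown.
/// A visited set ensures each node is expanded once; without it, a graph in which
/// several roles share grantees is re-walked once per path, which turns a single
/// GRANT into work exponential in the depth of the hierarchy.
///
/// @param newRole the role about to be granted to this grantee
/// @throws runtime_error when newRole is already reachable from this grantee
void Grantee::checkCycles(Role* newRole) {
  std::stack<Grantee*> pending;
  std::unordered_set<const Grantee*> visited;
  pending.push(this);
  while (!pending.empty()) {
    Grantee* grantee = pending.top();
    pending.pop();
    if (!visited.insert(grantee).second) {
      continue;  // already expanded via another path; same answer either way
    }
    if (grantee->isUser()) {
      continue;  // users have no grantees of their own
    }
    Role* role = dynamic_cast<Role*>(grantee);
    CHECK(role);
    if (role == newRole) {
      throw runtime_error("Granting role " + newRole->getName() + " to " + getName() +
                          " creates cycle in grantee graph.");
    }
    for (Grantee* child : role->getGrantees()) {
      pending.push(child);
    }
  }
}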

◆ checkPrivileges()

bool Grantee::checkPrivileges ( const DBObject & objectRequested) const
virtual

Definition at line 218 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasEnoughPrivs(), and DBObjectKey::objectId.

/// Returns true when this grantee's effective privileges cover objectRequested.
///
/// Up to three lookups are made, each widening the key: the exact object key, then the
/// key with objectId set to -1, then with dbId set to -1 as well. A widening step is
/// skipped when that field is already -1. Only the effective map is consulted
/// (findDbObject with only_direct=false), so privileges merged in from roles count.
///
/// @param objectRequested the object and the privileges being asked for
/// @return true as soon as one lookup satisfies hasEnoughPrivs, otherwise false
bool Grantee::checkPrivileges(const DBObject& objectRequested) const {
  DBObjectKey key = objectRequested.getObjectKey();
  const auto satisfied = [&](const DBObjectKey& candidate) {
    return hasEnoughPrivs(findDbObject(candidate, false), &objectRequested);
  };
  if (satisfied(key)) {
    return true;
  }
  // A concrete object was requested: retry against the entry with objectId == -1.
  if (key.objectId != -1) {
    key.objectId = -1;
    if (satisfied(key)) {
      return true;
    }
  }
  // Widen once more to the entry with dbId == -1.
  if (key.dbId != -1) {
    key.dbId = -1;
    if (satisfied(key)) {
      return true;
    }
  }
  return false;
}

◆ findDbObject()

DBObject * Grantee::findDbObject ( const DBObjectKey & objectKey,
bool  only_direct 
) const

Definition at line 72 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by checkPrivileges(), Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), getPrivileges(), grantPrivileges(), MapDHandler::has_object_privilege(), hasAnyPrivileges(), revokePrivileges(), and updatePrivileges().

/// Looks up the privilege entry stored under objectKey.
///
/// @param objectKey   key of the DBObject to find
/// @param only_direct true to search directPrivileges_, false to search effectivePrivileges_
/// @return non-owning pointer to the stored DBObject, or nullptr when there is no entry
DBObject* Grantee::findDbObject(const DBObjectKey& objectKey, bool only_direct) const {
  const DBObjectMap& source = only_direct ? directPrivileges_ : effectivePrivileges_;
  const auto found = source.find(objectKey);
  if (found == source.end()) {
    return nullptr;
  }
  return found->second.get();
}

◆ getDbObjects()

const DBObjectMap* Grantee::getDbObjects ( bool  only_direct) const
inline

Definition at line 56 of file Grantee.h.

References checkCycles(), directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), and updatePrivileges().

/// Exposes one of the two privilege maps without copying it.
/// @param only_direct true for directPrivileges_, false for effectivePrivileges_
/// @return pointer to the chosen member map; never null
inline const Grantee::DBObjectMap* Grantee::getDbObjects(bool only_direct) const {
  if (only_direct) {
    return &directPrivileges_;
  }
  return &effectivePrivileges_;
}

◆ getName()

const std::string& Grantee::getName ( ) const
inline

Definition at line 52 of file Grantee.h.

References name_.

Referenced by Role::addGrantee(), checkCycles(), getPrivileges(), grantRole(), Role::removeGrantee(), renameDbObject(), and revokePrivileges().

/// @return the grantee's name by const reference; the reference stays valid only as long
///         as this object lives and setName() is not called
inline const std::string& Grantee::getName() const {
  return name_;
}

◆ getPrivileges()

void Grantee::getPrivileges ( DBObject & object,
bool  only_direct 
)

Definition at line 63 of file Grantee.cpp.

References findDbObject(), and getName().

/// Copies the privileges this grantee holds on `object` into `object` itself.
///
/// @param object      in/out: supplies the key to look up and receives the stored
///                    privileges through DBObject::grantPrivileges
/// @param only_direct true to read directPrivileges_, false to read effectivePrivileges_
/// @throws runtime_error when no entry exists for the object's key
void Grantee::getPrivileges(DBObject& object, bool only_direct) {
  DBObject* stored = findDbObject(object.getObjectKey(), only_direct);
  if (stored) {
    object.grantPrivileges(*stored);
    return;
  }
  throw runtime_error("Can not get privileges because " + getName() +
                      " has no privileges to " + object.getName());
}

◆ getRoles()

std::vector< std::string > Grantee::getRoles ( ) const

Definition at line 34 of file Grantee.cpp.

References roles_.

Referenced by setName().

/// @return the names of the roles granted directly to this grantee (roles_ only, not
///         roles reached transitively); order follows unordered_set iteration
std::vector<std::string> Grantee::getRoles() const {
  std::vector<std::string> names;
  names.reserve(roles_.size());
  for (const Role* granted : roles_) {
    names.push_back(granted->getName());
  }
  return names;
}

◆ grantPrivileges()

void Grantee::grantPrivileges ( const DBObject & object)
virtual

Definition at line 92 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), and updatePrivileges().

// Grants `object`'s privileges to this grantee. The same update is applied to both maps:
// an existing entry for the key absorbs the new privileges via DBObject::grantPrivileges,
// a missing entry is created as a copy of `object`. The effective map (only_direct=false)
// is handled first, then the direct map (only_direct=true).
92  {
93  auto* dbObject = findDbObject(object.getObjectKey(), false);
94  if (!dbObject) { // not found
95  effectivePrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
96  } else { // found
97  dbObject->grantPrivileges(object);
98  }
99  dbObject = findDbObject(object.getObjectKey(), true);
100  if (!dbObject) { // not found
101  directPrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
102  } else { // found
103  dbObject->grantPrivileges(object);
104  }
// NOTE(review): source line 105 is not shown in this listing. The References list names
// updatePrivileges(), so it is presumably the `updatePrivileges();` call that recomputes
// effectivePrivileges_ after the grant — confirm against Grantee.cpp.
106 }

◆ grantRole()

void Grantee::grantRole ( Role * role)
virtual

Definition at line 150 of file Grantee.cpp.

References Role::addGrantee(), checkCycles(), getName(), name_, roles_, and updatePrivileges().

// Grants `role` to this grantee: rejects a duplicate grant, refuses a grant that would make
// the grantee graph cyclic (checkCycles), then records the edge on both sides — the role
// goes into roles_ and this grantee is registered with the role.
150  {
151  bool found = false;
// Linear scan of roles_ for an existing grant; roles_ is an unordered_set, so find() would
// express the same check directly.
152  for (const auto* granted_role : roles_) {
153  if (role == granted_role) {
154  found = true;
155  break;
156  }
157  }
158  if (found) {
159  throw runtime_error("Role " + role->getName() + " have been granted to " + name_ +
160  " already.");
161  }
// checkCycles throws before any state is changed, so a rejected grant leaves roles_ and
// the role's grantee list untouched.
162  checkCycles(role);
163  roles_.insert(role);
164  role->addGrantee(this);
// NOTE(review): source line 165 is not shown in this listing. The References list names
// updatePrivileges(), so it is presumably the `updatePrivileges();` call that merges the
// new role's privileges into effectivePrivileges_ — confirm against Grantee.cpp.
166 }

◆ hasAnyPrivileges()

bool Grantee::hasAnyPrivileges ( const DBObject & objectRequested,
bool  only_direct 
) const
virtual

Definition at line 194 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasAnyPrivs(), and DBObjectKey::objectId.

/// Returns true when this grantee holds any privilege at all on objectRequested.
///
/// Mirrors checkPrivileges: the exact key is tried first, then objectId is widened to -1,
/// then dbId is widened to -1, skipping a step whose field is already -1. The test at each
/// step is hasAnyPrivs rather than hasEnoughPrivs, and the map searched is chosen by
/// only_direct.
///
/// @param objectRequested the object to look for (hasAnyPrivs is declared with its second
///                        parameter unnamed, so the requested privileges presumably do not
///                        affect the answer — confirm against Grantee.cpp:186)
/// @param only_direct     true to consult directPrivileges_, false for effectivePrivileges_
/// @return true as soon as one lookup reports any privilege, otherwise false
bool Grantee::hasAnyPrivileges(const DBObject& objectRequested, bool only_direct) const {
  DBObjectKey key = objectRequested.getObjectKey();
  const auto present = [&](const DBObjectKey& candidate) {
    return hasAnyPrivs(findDbObject(candidate, only_direct), &objectRequested);
  };
  if (present(key)) {
    return true;
  }
  // A concrete object was requested: retry against the entry with objectId == -1.
  if (key.objectId != -1) {
    key.objectId = -1;
    if (present(key)) {
      return true;
    }
  }
  // Widen once more to the entry with dbId == -1.
  if (key.dbId != -1) {
    key.dbId = -1;
    if (present(key)) {
      return true;
    }
  }
  return false;
}

◆ hasAnyPrivilegesOnDb()

bool Grantee::hasAnyPrivilegesOnDb ( int32_t  dbId,
bool  only_direct 
) const

Definition at line 82 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users().

/// @param dbId        database to look for
/// @param only_direct true to scan directPrivileges_, false to scan effectivePrivileges_
/// @return true when at least one stored entry's object key has dbId as its database
///         (the dbId is read from the stored DBObject, not from the map key)
bool Grantee::hasAnyPrivilegesOnDb(int32_t dbId, bool only_direct) const {
  const DBObjectMap& source = only_direct ? directPrivileges_ : effectivePrivileges_;
  for (const auto& entry : source) {
    const DBObject& stored = *entry.second;
    if (stored.getObjectKey().dbId == dbId) {
      return true;
    }
  }
  return false;
}

◆ hasRole()

bool Grantee::hasRole ( Role * role,
bool  only_direct 
) const

Definition at line 42 of file Grantee.cpp.

References roles_.

Referenced by setName().

/// Tells whether `role` is held by this grantee.
///
/// @param role        the role to look for
/// @param only_direct true to check only roles_; false to also follow the roles held by
///                    those roles, transitively (depth-first, no visited set — presumably
///                    safe because checkCycles() keeps the role graph acyclic)
/// @return true when the role is found
bool Grantee::hasRole(Role* role, bool only_direct) const {
  if (only_direct) {
    return roles_.count(role) != 0;
  }
  std::stack<const Grantee*> pending;
  pending.push(this);
  while (!pending.empty()) {
    const Grantee* current = pending.top();
    pending.pop();
    if (current == role) {
      return true;
    }
    for (const Role* held : current->roles_) {
      pending.push(held);
    }
  }
  return false;
}

◆ isUser()

virtual bool Grantee::isUser ( ) const
pure virtual

Implemented in Role, and User.

◆ renameDbObject()

void Grantee::renameDbObject ( const DBObject & object)
virtual

Reimplemented in Role.

Definition at line 108 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and getName().

Referenced by Role::isUser(), Role::renameDbObject(), and Catalog_Namespace::Catalog::renameTable().

/// Updates the stored name of the entry matching `object`'s key in both privilege maps.
/// A map without such an entry is left alone; nothing is created.
/// @param object supplies the key to match and the new name (DBObject::getName)
void Grantee::renameDbObject(const DBObject& object) {
  const auto rename_in = [&](DBObjectMap& privileges) {
    const auto entry = privileges.find(object.getObjectKey());
    if (entry != privileges.end()) {
      entry->second->setName(object.getName());
    }
  };
  rename_in(directPrivileges_);
  rename_in(effectivePrivileges_);
}

◆ revokeAllOnDatabase()

void Grantee::revokeAllOnDatabase ( int32_t  dbId)
virtual

Reimplemented in Role.

Definition at line 279 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and updatePrivileges().

Referenced by Role::isUser(), Role::revokeAllOnDatabase(), and Catalog_Namespace::SysCatalog::revokeAllOnDatabase_unsafe().

// Drops every privilege entry, effective and direct, whose map key belongs to database
// dbId. The erase-while-iterating loop continues from the iterator map::erase returns,
// so no invalidated iterator is dereferenced.
279  {
280  std::vector<DBObjectMap*> sources = {&effectivePrivileges_, &directPrivileges_};
281  for (auto privs : sources) {
282  for (auto iter = privs->begin(); iter != privs->end();) {
283  if (iter->first.dbId == dbId) {
284  iter = privs->erase(iter);
285  } else {
286  ++iter;
287  }
288  }
289  }
// NOTE(review): source line 290 is not shown in this listing. The References list names
// updatePrivileges(), so it is presumably `updatePrivileges();`, rebuilding the effective
// map from the remaining direct privileges and the roles — confirm against Grantee.cpp.
291 }

◆ revokePrivileges()

DBObject * Grantee::revokePrivileges ( const DBObject & object)
virtual

Definition at line 123 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), getName(), and updatePrivileges().

// Revokes `object`'s privileges from this grantee's direct privileges and mirrors the
// revocation into the effective map.
//
// Throws when there is no direct entry or it carries no privileges. A direct entry left
// empty is erased. The effective entry is revoked only if it still has something, and is
// likewise erased once emptied.
//
// Returns nullptr when the direct entry was erased (its DBObject was destroyed with it),
// otherwise the surviving direct entry.
123  {
124  auto dbObject = findDbObject(object.getObjectKey(), true);
125  if (!dbObject ||
126  !dbObject->getPrivileges().hasAny()) { // not found or has none of privileges set
127  throw runtime_error("Can not revoke privileges because " + getName() +
128  " has no privileges to " + object.getName());
129  }
130  bool object_removed = false;
131  dbObject->revokePrivileges(object);
132  if (!dbObject->getPrivileges().hasAny()) {
// Erasing destroys the unique_ptr's DBObject, so dbObject dangles from here on;
// object_removed guards the return below so the dangling pointer is never handed out.
133  directPrivileges_.erase(object.getObjectKey());
134  object_removed = true;
135  }
136 
137  auto* cachedDbObject = findDbObject(object.getObjectKey(), false);
138  if (cachedDbObject && cachedDbObject->getPrivileges().hasAny()) {
139  cachedDbObject->revokePrivileges(object);
140  if (!cachedDbObject->getPrivileges().hasAny()) {
141  effectivePrivileges_.erase(object.getObjectKey());
142  }
143  }
144 
// NOTE(review): source line 145 is not shown in this listing. The References list names
// updatePrivileges(), so it is presumably `updatePrivileges();`, recomputing the effective
// map — confirm against Grantee.cpp.
146 
147  return object_removed ? nullptr : dbObject;
148 }

◆ revokeRole()

void Grantee::revokeRole ( Role * role)
virtual

Definition at line 168 of file Grantee.cpp.

References Role::removeGrantee(), roles_, and updatePrivileges().

// Revokes `role` from this grantee: removes it from roles_ and unregisters this grantee
// from the role. set::erase is a no-op when the role was never granted, and
// role->removeGrantee(this) is called unconditionally either way.
168  {
169  roles_.erase(role);
170  role->removeGrantee(this);
// NOTE(review): source line 171 is not shown in this listing. The References list names
// updatePrivileges(), so it is presumably `updatePrivileges();`, dropping the privileges
// that were inherited only through this role — confirm against Grantee.cpp.
172 }

◆ setName()

void Grantee::setName ( const std::string &  name)
inline

Definition at line 53 of file Grantee.h.

References getRoles(), hasRole(), and name_.

/// Replaces the grantee's name. Only name_ changes; roles and privileges are untouched.
/// @param name the new name, copied into name_
inline void Grantee::setName(const std::string& name) {
  name_ = name;
}

◆ updatePrivileges() [1/2]

void Grantee::updatePrivileges ( )
virtual

Reimplemented in Role.

Definition at line 255 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

Referenced by grantPrivileges(), grantRole(), Role::isUser(), revokeAllOnDatabase(), revokePrivileges(), revokeRole(), and Role::updatePrivileges().

/// Rebuilds effectivePrivileges_: the grantee's direct privileges plus everything
/// inherited from the roles in roles_.
///
/// Steps, in this order: reset every effective entry; re-apply each direct entry whose
/// key already exists in the effective map (a direct key absent from the effective map is
/// not re-added here); merge in each non-empty role's effective objects through
/// updatePrivileges(Role*); finally drop effective entries left without any privilege.
void Grantee::updatePrivileges() {
  for (auto& entry : effectivePrivileges_) {
    entry.second->resetPrivileges();
  }
  for (const auto& direct : directPrivileges_) {
    const auto match = effectivePrivileges_.find(direct.first);
    if (match != effectivePrivileges_.end()) {
      match->second->updatePrivileges(*direct.second);
    }
  }
  for (Role* held_role : roles_) {
    if (!held_role->getDbObjects(false)->empty()) {
      updatePrivileges(held_role);
    }
  }
  auto it = effectivePrivileges_.begin();
  while (it != effectivePrivileges_.end()) {
    if (it->second->getPrivileges().hasAny()) {
      ++it;
    } else {
      it = effectivePrivileges_.erase(it);
    }
  }
}

◆ updatePrivileges() [2/2]

void Grantee::updatePrivileges ( Role * role)
virtual

Definition at line 242 of file Grantee.cpp.

References effectivePrivileges_, findDbObject(), and getDbObjects().

/// Merges `role`'s effective privileges into this grantee's effective map.
///
/// A key already present is merged through DBObject::updatePrivileges; a new key gets a
/// copy of the role's DBObject. Only effectivePrivileges_ is touched — the direct map is
/// never modified by inheritance.
/// @param role the role whose effective (only_direct=false) objects are merged in
void Grantee::updatePrivileges(Role* role) {
  const DBObjectMap& inherited = *role->getDbObjects(false);
  for (const auto& entry : inherited) {
    DBObject* existing = findDbObject(entry.first, false);
    if (!existing) {
      effectivePrivileges_[entry.first] = boost::make_unique<DBObject>(*entry.second);
    } else {
      existing->updatePrivileges(*entry.second);
    }
  }
}

Member Data Documentation

◆ directPrivileges_

◆ effectivePrivileges_

◆ name_

std::string Grantee::name_
protected

Definition at line 62 of file Grantee.h.

Referenced by getName(), grantRole(), and setName().

◆ roles_

std::unordered_set<Role*> Grantee::roles_
protected

Definition at line 63 of file Grantee.h.

Referenced by getRoles(), grantRole(), hasRole(), revokeRole(), updatePrivileges(), and ~Grantee().


The documentation for this class was generated from the following files: