OmniSciDB  c1a53651b2
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Groups Pages
SysCatalog.cpp
Go to the documentation of this file.
1 /*
2  * Copyright 2022 HEAVY.AI, Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
23 #include "SysCatalog.h"
24 #include <algorithm>
25 #include <cassert>
26 #include <exception>
27 #include <filesystem>
28 #include <list>
29 #include <memory>
30 #include <random>
31 #include <sstream>
32 #include <string_view>
33 #include "Catalog.h"
34 
35 #include "Catalog/AuthMetadata.h"
37 
38 #include <boost/algorithm/string/predicate.hpp>
39 #include <boost/filesystem.hpp>
40 #include <boost/range/adaptor/map.hpp>
41 #include <boost/version.hpp>
42 
43 #include "MapDRelease.h"
44 #include "Parser/ParserNode.h"
45 #include "RWLocks.h"
46 #include "Shared/File.h"
47 #include "Shared/StringTransform.h"
48 #include "Shared/SysDefinitions.h"
49 #include "Shared/measure.h"
50 #include "Shared/misc.h"
51 #include "include/bcrypt.h"
52 
53 using std::list;
54 using std::map;
55 using std::pair;
56 using std::runtime_error;
57 using std::string;
58 using std::vector;
59 
60 using namespace std::string_literals;
61 
62 std::string g_base_path;
65 
66 extern bool g_enable_fsi;
67 extern bool g_read_only;
68 
69 namespace {
70 
71 std::string hash_with_bcrypt(const std::string& pwd) {
72  char salt[BCRYPT_HASHSIZE], hash[BCRYPT_HASHSIZE];
73  CHECK(bcrypt_gensalt(-1, salt) == 0);
74  CHECK(bcrypt_hashpw(pwd.c_str(), salt, hash) == 0);
75  return std::string(hash, BCRYPT_HASHSIZE);
76 }
77 
78 // This catalog copy must take place before any other catalog accesses.
79 std::filesystem::path copy_catalog_if_read_only(std::filesystem::path base_data_path) {
80  std::filesystem::path catalog_base_data_path;
81 
82  // For a read-only server, make a temporary copy of the catalog directory.
83  // This catalog copy must take place before any other catalog accesses.
84  if (!g_read_only) {
85  // Catalog directory will be in the normal location.
86  catalog_base_data_path = base_data_path;
87  } else {
88  // Catalog directory will be in a temporary location.
89  catalog_base_data_path = base_data_path / "temporary";
90 
91  // Delete the temporary directory if it exists.
92  // The name "temporary" is hardcoded so nobody should object to its deletion!
93  CHECK_NE(catalog_base_data_path.string().find("temporary"), std::string::npos);
94  CHECK_NE(catalog_base_data_path, base_data_path);
95  if (std::filesystem::exists(catalog_base_data_path)) {
96  std::filesystem::remove_all(catalog_base_data_path);
97  }
98  std::filesystem::create_directories(catalog_base_data_path);
99 
100  // Make the temporary copy of the catalog.
101  const auto normal_catalog_path = base_data_path / shared::kCatalogDirectoryName;
102  const auto temporary_catalog_path =
103  catalog_base_data_path / shared::kCatalogDirectoryName;
104  LOG(INFO) << "copying catalog from " << normal_catalog_path << " to "
105  << temporary_catalog_path << " for read-only server";
106  std::filesystem::copy(normal_catalog_path,
107  temporary_catalog_path,
108  std::filesystem::copy_options::recursive);
109 
110  // Create a temporary empty directory structure similar to how initheavy would.
111  // Not expected to be used. Created just in case any code tries to access them.
112  try {
113  std::filesystem::create_directories(catalog_base_data_path /
115  } catch (...) {
116  }
117  try {
118  std::filesystem::create_directories(catalog_base_data_path /
120  } catch (...) {
121  }
122  try {
123  std::filesystem::create_directories(catalog_base_data_path /
125  } catch (...) {
126  }
127  try {
128  std::filesystem::create_directories(catalog_base_data_path /
131  } catch (...) {
132  }
133  try {
134  std::filesystem::create_directories(catalog_base_data_path /
137  } catch (...) {
138  }
139  }
140 
141  return catalog_base_data_path;
142 }
143 
144 } // namespace
145 
146 namespace Catalog_Namespace {
147 
148 thread_local bool SysCatalog::thread_holds_read_lock = false;
149 std::mutex SysCatalog::instance_mutex_;
150 std::unique_ptr<SysCatalog> SysCatalog::instance_;
151 
152 using sys_read_lock = read_lock<SysCatalog>;
155 
156 bool g_log_user_id{false}; // --log-user-id
157 
158 std::string UserMetadata::userLoggable() const {
159  return g_log_user_id ? std::to_string(userId) : userName;
160 }
161 
162 auto CommonFileOperations::assembleCatalogName(std::string const& name) {
163  return base_path_ + "/" + shared::kCatalogDirectoryName + "/" + name;
164 };
165 
166 void CommonFileOperations::removeCatalogByFullPath(std::string const& full_path) {
167  boost::filesystem::remove(full_path);
168 }
169 
170 void CommonFileOperations::removeCatalogByName(std::string const& name) {
171  boost::filesystem::remove(assembleCatalogName(name));
172 };
173 
174 auto CommonFileOperations::duplicateAndRenameCatalog(std::string const& current_name,
175  std::string const& new_name) {
176  auto full_current_path = assembleCatalogName(current_name);
177  auto full_new_path = assembleCatalogName(new_name);
178 
179  try {
180  boost::filesystem::copy_file(full_current_path, full_new_path);
181  } catch (std::exception& e) {
182  std::string err_message{"Could not copy file " + full_current_path + " to " +
183  full_new_path + " exception was " + e.what()};
184  LOG(ERROR) << err_message;
185  throw std::runtime_error(err_message);
186  }
187 
188  return std::make_pair(full_current_path, full_new_path);
189 };
190 
191 void SysCatalog::init(const std::string& basePath,
192  std::shared_ptr<Data_Namespace::DataMgr> dataMgr,
193  const AuthMetadata& authMetadata,
194  std::shared_ptr<Calcite> calcite,
195  bool is_new_db,
196  bool aggregator,
197  const std::vector<LeafHostInfo>& string_dict_hosts) {
198  basePath_ = !g_multi_instance ? copy_catalog_if_read_only(basePath).string() : basePath;
199  sqliteConnector_.reset(new SqliteConnector(
201  dcatalogMutex_ = std::make_unique<heavyai::DistributedSharedMutex>(
202  std::filesystem::path(basePath_) / shared::kLockfilesDirectoryName /
204  [this](size_t) {
206  *dsqliteMutex_);
207  buildMapsUnlocked();
208  });
209  dsqliteMutex_ = std::make_unique<heavyai::DistributedSharedMutex>(
210  std::filesystem::path(basePath_) / shared::kLockfilesDirectoryName /
214  dataMgr_ = dataMgr;
215  authMetadata_ = &authMetadata;
216  pki_server_.reset(new PkiServer(*authMetadata_));
217  calciteMgr_ = calcite;
218  string_dict_hosts_ = string_dict_hosts;
219  aggregator_ = aggregator;
221  if (is_new_db) {
222  initDB();
223  } else {
224  bool db_exists =
225  boost::filesystem::exists(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
227  if (!db_exists) {
228  importDataFromOldMapdDB();
229  }
231  checkAndExecuteMigrations();
233  }
234  }
235  buildMaps(is_new_db);
236  is_initialized_ = true;
237 }
238 
239 bool SysCatalog::isInitialized() const {
240  return is_initialized_;
241 };
242 
243 void SysCatalog::buildMaps(bool is_new_db) {
246 
247  buildMapsUnlocked(is_new_db);
248 }
249 
250 void SysCatalog::buildMapsUnlocked(bool is_new_db) {
251  VLOG(2) << "reloading catalog caches for: " << shared::kSystemCatalogName;
252 
253  // Store permissions for temporary users.
254  std::map<std::string, std::vector<std::string>> tu_map;
255  for (auto& pair : temporary_users_by_name_) {
256  CHECK(pair.second);
257  UserMetadata& user = *pair.second;
258  auto it = granteeMap_.find(to_upper(user.userName));
259  CHECK(it != granteeMap_.end()) << to_upper(user.userName) << " not found";
260 
261  auto user_rl = dynamic_cast<User*>(it->second.get());
262  CHECK(user_rl);
263  std::vector<std::string> current_roles = user_rl->getRoles();
264  auto result = tu_map.emplace(user.userName, std::move(current_roles));
265  CHECK(result.second);
266  }
267 
268  // Forget permissions and reload them from file storage.
269  buildRoleMapUnlocked();
270  buildUserRoleMapUnlocked();
271  buildObjectDescriptorMapUnlocked();
272  if (!is_new_db) {
273  // We don't want to create the information schema db during database initialization
274  // because we don't have the appropriate context to intialize the tables. For
275  // instance if the server is intended to run in distributed mode, initializing the
276  // table as part of initdb will be missing information such as the location of the
277  // string dictionary server.
278  initializeInformationSchemaDb();
279  }
280 
281  // Restore permissions for temporary users that were stored above.
282  for (auto& pair : temporary_users_by_name_) {
283  CHECK(pair.second);
284  UserMetadata& user = *pair.second;
285 
286  createRole_unsafe(user.userName, /*user_private_role*/ true, /*is_temporary*/ true);
287 
288  auto it = tu_map.find(user.userName);
289  CHECK(it != tu_map.end()) << user.userName << " not found";
290  for (const auto& r : it->second) {
291  grantRole_unsafe(r, user.userName, /*is_temporary*/ true);
292  }
293  }
294 }
295 
296 SysCatalog::SysCatalog()
298  , aggregator_{false}
299  , sqliteMutex_{}
300  , sharedMutex_{}
301  , thread_holding_sqlite_lock{std::thread::id()}
302  , thread_holding_write_lock{std::thread::id()}
303  , dummyCatalog_{std::make_shared<Catalog>()} {}
304 
306  // TODO(sy): Need to lock here to wait for other threads to complete before pulling out
307  // the rug from under them. Unfortunately this lock was seen to deadlock because the
308  // HeavyDB shutdown sequence needs cleanup. Do we even need these clear()'s anymore?
309  // sys_write_lock write_lock(this);
310  granteeMap_.clear();
311  objectDescriptorMap_.clear();
312  cat_map_.clear();
313 }
314 
316  if (g_read_only) {
317  throw std::runtime_error("can't init a new database in read-only mode");
318  }
320  sqliteConnector_->query("BEGIN TRANSACTION");
321  try {
322  sqliteConnector_->query(
323  "CREATE TABLE mapd_users (userid integer primary key, name text unique, "
324  "passwd_hash text, issuper boolean, default_db integer references "
325  "mapd_databases, can_login boolean)");
326  sqliteConnector_->query_with_text_params(
327  "INSERT INTO mapd_users VALUES (?, ?, ?, 1, NULL, 1)",
328  std::vector<std::string>{shared::kRootUserIdStr,
331  sqliteConnector_->query(
332  "CREATE TABLE mapd_databases (dbid integer primary key, name text unique, owner "
333  "integer references mapd_users)");
334  sqliteConnector_->query(
335  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
336  "userName))");
337  sqliteConnector_->query(
338  "CREATE TABLE mapd_object_permissions ("
339  "roleName text, "
340  "roleType bool, "
341  "dbId integer references mapd_databases, "
342  "objectName text, "
343  "objectId integer, "
344  "objectPermissionsType integer, "
345  "objectPermissions integer, "
346  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
347  "objectId))");
348  } catch (const std::exception&) {
349  sqliteConnector_->query("ROLLBACK TRANSACTION");
350  throw;
351  }
352  sqliteConnector_->query("END TRANSACTION");
355  shared::kRootUsername, /*userPrivateRole=*/true, /*is_temporary=*/false);
356 }
357 
360  createRoles();
364  updateUserSchema(); // must come before updatePasswordsToHashes()
366  updateBlankPasswordsToRandom(); // must come after updatePasswordsToHashes()
370 }
371 
374 
375  // check to see if the new column already exists
376  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
377  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
378  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
379  if (col_name == "default_db") {
380  return; // new column already exists
381  }
382  }
383 
384  // create the new column
385  sqliteConnector_->query("BEGIN TRANSACTION");
386  try {
387  sqliteConnector_->query(
388  "ALTER TABLE mapd_users ADD COLUMN default_db INTEGER REFERENCES mapd_databases");
389  } catch (const std::exception& e) {
390  sqliteConnector_->query("ROLLBACK TRANSACTION");
391  throw;
392  }
393  sqliteConnector_->query("END TRANSACTION");
394 }
395 
398  std::string mapd_db_path = basePath_ + "/" + shared::kCatalogDirectoryName + "/mapd";
399  sqliteConnector_->query("ATTACH DATABASE `" + mapd_db_path + "` as old_cat");
400  sqliteConnector_->query("BEGIN TRANSACTION");
401  LOG(INFO) << "Moving global metadata into a separate catalog";
402  try {
403  auto moveTableIfExists = [conn = sqliteConnector_.get()](const std::string& tableName,
404  bool deleteOld = true) {
405  conn->query("SELECT sql FROM old_cat.sqlite_master WHERE type='table' AND name='" +
406  tableName + "'");
407  if (conn->getNumRows() != 0) {
408  conn->query(conn->getData<string>(0, 0));
409  conn->query("INSERT INTO " + tableName + " SELECT * FROM old_cat." + tableName);
410  if (deleteOld) {
411  conn->query("DROP TABLE old_cat." + tableName);
412  }
413  }
414  };
415  moveTableIfExists("mapd_users");
416  moveTableIfExists("mapd_databases");
417  moveTableIfExists("mapd_roles");
418  moveTableIfExists("mapd_object_permissions");
419  moveTableIfExists("mapd_privileges");
420  moveTableIfExists("mapd_version_history", false);
421  } catch (const std::exception& e) {
422  LOG(ERROR) << "Failed to move global metadata into a separate catalog: " << e.what();
423  sqliteConnector_->query("ROLLBACK TRANSACTION");
424  try {
425  sqliteConnector_->query("DETACH DATABASE old_cat");
426  } catch (const std::exception&) {
427  // nothing to do here
428  }
429  throw;
430  }
431  sqliteConnector_->query("END TRANSACTION");
432  const std::string sys_catalog_path =
433  basePath_ + "/" + shared::kCatalogDirectoryName + "/" + shared::kSystemCatalogName;
434  LOG(INFO) << "Global metadata has been successfully moved into a separate catalog: "
435  << sys_catalog_path
436  << ". Using this database with an older version of heavydb "
437  "is now impossible.";
438  try {
439  sqliteConnector_->query("DETACH DATABASE old_cat");
440  } catch (const std::exception&) {
441  // nothing to do here
442  }
443 }
444 
447  sqliteConnector_->query("BEGIN TRANSACTION");
448  try {
449  sqliteConnector_->query(
450  "SELECT name FROM sqlite_master WHERE type='table' AND name='mapd_roles'");
451  if (sqliteConnector_->getNumRows() != 0) {
452  // already done
453  sqliteConnector_->query("END TRANSACTION");
454  return;
455  }
456  sqliteConnector_->query(
457  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
458  "userName))");
459  } catch (const std::exception&) {
460  sqliteConnector_->query("ROLLBACK TRANSACTION");
461  throw;
462  }
463  sqliteConnector_->query("END TRANSACTION");
464 }
465 
466 /*
467  There was an error in how we migrated users from pre-4.0 versions where we would copy
468  all user names into the mapd_roles table. This table should never have usernames in it
469  (the correct migration was to copy users into the mapd_object_permissions table instead)
470  so this migration function prunes such cases out.
471  */
474  sqliteConnector_->query("BEGIN TRANSACTION");
475  try {
476  sqliteConnector_->query("SELECT name FROM mapd_users");
477  auto num_rows = sqliteConnector_->getNumRows();
478  std::vector<std::string> user_names;
479  for (size_t i = 0; i < num_rows; ++i) {
480  user_names.push_back(sqliteConnector_->getData<std::string>(i, 0));
481  }
482  for (const auto& user_name : user_names) {
483  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE roleName = ?",
484  user_name);
485  }
486  } catch (const std::exception&) {
487  sqliteConnector_->query("ROLLBACK TRANSACTION");
488  throw;
489  }
490  sqliteConnector_->query("END TRANSACTION");
491 }
492 
493 namespace {
494 
495 void deleteObjectPrivileges(std::unique_ptr<SqliteConnector>& sqliteConnector,
496  std::string roleName,
497  bool userRole,
498  DBObject& object) {
499  DBObjectKey key = object.getObjectKey();
500 
501  sqliteConnector->query_with_text_params(
502  "DELETE FROM mapd_object_permissions WHERE roleName = ?1 and roleType = ?2 and "
503  "objectPermissionsType = ?3 and "
504  "dbId = "
505  "?4 "
506  "and objectId = ?5",
507  std::vector<std::string>{roleName,
508  std::to_string(userRole),
510  std::to_string(key.dbId),
511  std::to_string(key.objectId)});
512 }
513 
514 void insertOrUpdateObjectPrivileges(std::unique_ptr<SqliteConnector>& sqliteConnector,
515  std::string roleName,
516  bool userRole,
517  const DBObject& object) {
518  CHECK(object.valid());
519  DBObjectKey key = object.getObjectKey();
520 
521  sqliteConnector->query_with_text_params(
522  "INSERT OR REPLACE INTO mapd_object_permissions("
523  "roleName, "
524  "roleType, "
525  "objectPermissionsType, "
526  "dbId, "
527  "objectId, "
528  "objectPermissions, "
529  "objectOwnerId,"
530  "objectName) "
531  "VALUES (?1, ?2, ?3, "
532  "?4, ?5, ?6, ?7, ?8)",
533  std::vector<std::string>{
534  roleName, // roleName
535  userRole ? "1" : "0", // roleType
536  std::to_string(key.permissionType), // permissionType
537  std::to_string(key.dbId), // dbId
538  std::to_string(key.objectId), // objectId
539  std::to_string(object.getPrivileges().privileges), // objectPrivileges
540  std::to_string(object.getOwner()), // objectOwnerId
541  object.getName() // name
542  });
543 }
544 
545 } // namespace
546 
549  sqliteConnector_->query("BEGIN TRANSACTION");
550  try {
551  sqliteConnector_->query(
552  "SELECT name FROM sqlite_master WHERE type='table' AND "
553  "name='mapd_object_permissions'");
554  if (sqliteConnector_->getNumRows() != 0) {
555  // already done
556  sqliteConnector_->query("END TRANSACTION");
557  return;
558  }
559 
560  sqliteConnector_->query(
561  "CREATE TABLE IF NOT EXISTS mapd_object_permissions ("
562  "roleName text, "
563  "roleType bool, "
564  "dbId integer references mapd_databases, "
565  "objectName text, "
566  "objectId integer, "
567  "objectPermissionsType integer, "
568  "objectPermissions integer, "
569  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
570  "objectId))");
571 
572  // get the list of databases and their grantees
573  sqliteConnector_->query(
574  "SELECT userid, dbid FROM mapd_privileges WHERE select_priv = 1 and insert_priv "
575  "= 1");
576  size_t numRows = sqliteConnector_->getNumRows();
577  vector<pair<int, int>> db_grantees(numRows);
578  for (size_t i = 0; i < numRows; ++i) {
579  db_grantees[i].first = sqliteConnector_->getData<int>(i, 0);
580  db_grantees[i].second = sqliteConnector_->getData<int>(i, 1);
581  }
582  // map user names to user ids
583  sqliteConnector_->query("select userid, name from mapd_users");
584  numRows = sqliteConnector_->getNumRows();
585  std::unordered_map<int, string> users_by_id;
586  std::unordered_map<int, bool> user_has_privs;
587  for (size_t i = 0; i < numRows; ++i) {
588  users_by_id[sqliteConnector_->getData<int>(i, 0)] =
589  sqliteConnector_->getData<string>(i, 1);
590  user_has_privs[sqliteConnector_->getData<int>(i, 0)] = false;
591  }
592  // map db names to db ids
593  sqliteConnector_->query("select dbid, name from mapd_databases");
594  numRows = sqliteConnector_->getNumRows();
595  std::unordered_map<int, string> dbs_by_id;
596  for (size_t i = 0; i < numRows; ++i) {
597  dbs_by_id[sqliteConnector_->getData<int>(i, 0)] =
598  sqliteConnector_->getData<string>(i, 1);
599  }
600  // migrate old privileges to new privileges: if user had insert access to database, he
601  // was a grantee
602  for (const auto& grantee : db_grantees) {
603  user_has_privs[grantee.first] = true;
604  auto dbName = dbs_by_id[grantee.second];
605  {
606  // table level permissions
608  DBObjectKey key{type, grantee.second};
609  DBObject object(
612  sqliteConnector_, users_by_id[grantee.first], true, object);
613  }
614 
615  {
616  // dashboard level permissions
618  DBObjectKey key{type, grantee.second};
619  DBObject object(dbName,
620  type,
621  key,
625  sqliteConnector_, users_by_id[grantee.first], true, object);
626  }
627 
628  {
629  // view level permissions
631  DBObjectKey key{type, grantee.second};
632  DBObject object(
635  sqliteConnector_, users_by_id[grantee.first], true, object);
636  }
637  }
638  for (auto user : user_has_privs) {
639  auto dbName = dbs_by_id[0];
640  if (user.second == false && user.first != shared::kRootUserId) {
641  {
643  DBObjectKey key{type, 0};
646  sqliteConnector_, users_by_id[user.first], true, object);
647  }
648  }
649  }
650  } catch (const std::exception&) {
651  sqliteConnector_->query("ROLLBACK TRANSACTION");
652  throw;
653  }
654  sqliteConnector_->query("END TRANSACTION");
655 }
656 
659  sqliteConnector_->query("BEGIN TRANSACTION");
660  try {
661  sqliteConnector_->query(
662  "SELECT roleName FROM mapd_object_permissions WHERE roleName = \'" +
663  shared::kRootUsername + "\'");
664  if (sqliteConnector_->getNumRows() != 0) {
665  // already done
666  sqliteConnector_->query("END TRANSACTION");
667  return;
668  }
669 
671  shared::kRootUsername, /*userPrivateRole=*/true, /*is_temporary=*/false);
672  } catch (const std::exception&) {
673  sqliteConnector_->query("ROLLBACK TRANSACTION");
674  throw;
675  }
676  sqliteConnector_->query("END TRANSACTION");
677 }
678 
681  sqliteConnector_->query("BEGIN TRANSACTION");
682  try {
683  sqliteConnector_->query(
684  "SELECT name FROM sqlite_master WHERE type='table' AND name='mapd_users'");
685  if (sqliteConnector_->getNumRows() == 0) {
686  // Nothing to update
687  sqliteConnector_->query("END TRANSACTION");
688  return;
689  }
690  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
691  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
692  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
693  if (col_name == "passwd_hash") {
694  sqliteConnector_->query("END TRANSACTION");
695  return;
696  }
697  }
698  // Alas, SQLite can't drop columns so we have to recreate the table
699  // (or, optionally, add the new column and reset the old one to a bunch of nulls)
700  sqliteConnector_->query("SELECT userid, passwd FROM mapd_users");
701  auto numRows = sqliteConnector_->getNumRows();
702  vector<std::string> users, passwords;
703  for (size_t i = 0; i < numRows; i++) {
704  users.push_back(sqliteConnector_->getData<std::string>(i, 0));
705  passwords.push_back(sqliteConnector_->getData<std::string>(i, 1));
706  }
707  sqliteConnector_->query(
708  "CREATE TABLE mapd_users_tmp (userid integer primary key, name text unique, "
709  "passwd_hash text, issuper boolean, default_db integer references "
710  "mapd_databases)");
711  sqliteConnector_->query(
712  "INSERT INTO mapd_users_tmp(userid, name, passwd_hash, issuper, default_db) "
713  "SELECT userid, name, null, issuper, default_db FROM mapd_users");
714  for (size_t i = 0; i < users.size(); ++i) {
715  sqliteConnector_->query_with_text_params(
716  "UPDATE mapd_users_tmp SET passwd_hash = ? WHERE userid = ?",
717  std::vector<std::string>{hash_with_bcrypt(passwords[i]), users[i]});
718  }
719  sqliteConnector_->query("DROP TABLE mapd_users");
720  sqliteConnector_->query("ALTER TABLE mapd_users_tmp RENAME TO mapd_users");
721  } catch (const std::exception& e) {
722  LOG(ERROR) << "Failed to hash passwords: " << e.what();
723  sqliteConnector_->query("ROLLBACK TRANSACTION");
724  throw;
725  }
726  sqliteConnector_->query("END TRANSACTION");
727  sqliteConnector_->query("VACUUM"); // physically delete plain text passwords
728  LOG(INFO) << "Passwords were successfully hashed";
729 }
730 
732  const std::string UPDATE_BLANK_PASSWORDS_TO_RANDOM = "update_blank_passwords_to_random";
733  sqliteConnector_->query_with_text_params(
734  "SELECT migration_history FROM mapd_version_history WHERE migration_history = ?",
735  std::vector<std::string>{UPDATE_BLANK_PASSWORDS_TO_RANDOM});
736  if (sqliteConnector_->getNumRows()) {
737  return;
738  }
739 
741  sqliteConnector_->query("BEGIN TRANSACTION");
742  try {
743  sqliteConnector_->query(
744  "SELECT userid, passwd_hash, name FROM mapd_users WHERE name <> 'mapd'");
745  auto numRows = sqliteConnector_->getNumRows();
746  vector<std::string> users, passwords, names;
747  for (size_t i = 0; i < numRows; i++) {
748  users.push_back(sqliteConnector_->getData<std::string>(i, 0));
749  passwords.push_back(sqliteConnector_->getData<std::string>(i, 1));
750  names.push_back(sqliteConnector_->getData<std::string>(i, 2));
751  }
752  for (size_t i = 0; i < users.size(); ++i) {
753  int pwd_check_result = bcrypt_checkpw("", passwords[i].c_str());
754  // if the check fails there is a good chance that data on disc is broken
755  CHECK(pwd_check_result >= 0);
756  if (pwd_check_result != 0) {
757  continue;
758  }
759  LOG(WARNING) << "resetting blank password for user " << names[i] << " (" << users[i]
760  << ") to a random password";
761  sqliteConnector_->query_with_text_params(
762  "UPDATE mapd_users SET passwd_hash = ? WHERE userid = ?",
763  std::vector<std::string>{hash_with_bcrypt(generate_random_string(72)),
764  users[i]});
765  }
766  sqliteConnector_->query_with_text_params(
767  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
768  std::vector<std::string>{std::to_string(MAPD_VERSION),
769  UPDATE_BLANK_PASSWORDS_TO_RANDOM});
770  } catch (const std::exception& e) {
771  LOG(ERROR) << "Failed to fix blank passwords: " << e.what();
772  sqliteConnector_->query("ROLLBACK TRANSACTION");
773  throw;
774  }
775  sqliteConnector_->query("END TRANSACTION");
776 }
777 
779  const std::string UPDATE_SUPPORT_USER_DEACTIVATION = "update_support_user_deactivation";
781  // check to see if the new column already exists
782  sqliteConnector_->query("PRAGMA TABLE_INFO(mapd_users)");
783  for (size_t i = 0; i < sqliteConnector_->getNumRows(); i++) {
784  const auto& col_name = sqliteConnector_->getData<std::string>(i, 1);
785  if (col_name == "can_login") {
786  return; // new column already exists
787  }
788  }
789  sqliteConnector_->query("BEGIN TRANSACTION");
790  try {
791  sqliteConnector_->query("ALTER TABLE mapd_users ADD COLUMN can_login BOOLEAN");
792  sqliteConnector_->query("UPDATE mapd_users SET can_login = true");
793  sqliteConnector_->query_with_text_params(
794  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
795  std::vector<std::string>{std::to_string(MAPD_VERSION),
796  UPDATE_SUPPORT_USER_DEACTIVATION});
797  } catch (const std::exception& e) {
798  LOG(ERROR) << "Failed to add support for user deactivation: " << e.what();
799  sqliteConnector_->query("ROLLBACK TRANSACTION");
800  throw;
801  }
802  sqliteConnector_->query("END TRANSACTION");
803 }
804 
807  sqliteConnector_->query("BEGIN TRANSACTION");
808  try {
809  sqliteConnector_->query(
810  "select name from sqlite_master WHERE type='table' AND "
811  "name='mapd_version_history'");
812  if (sqliteConnector_->getNumRows() == 0) {
813  sqliteConnector_->query(
814  "CREATE TABLE mapd_version_history(version integer, migration_history text "
815  "unique)");
816  } else {
817  sqliteConnector_->query(
818  "select * from mapd_version_history where migration_history = "
819  "'db_access_privileges'");
820  if (sqliteConnector_->getNumRows() != 0) {
821  // both privileges migrated
822  // no need for further execution
823  sqliteConnector_->query("END TRANSACTION");
824  return;
825  }
826  }
827  // Insert check for migration
828  sqliteConnector_->query_with_text_params(
829  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
830  std::vector<std::string>{std::to_string(MAPD_VERSION), "db_access_privileges"});
831 
832  sqliteConnector_->query("select dbid, name from mapd_databases");
833  std::unordered_map<int, string> databases;
834  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
835  databases[sqliteConnector_->getData<int>(i, 0)] =
836  sqliteConnector_->getData<string>(i, 1);
837  }
838 
839  sqliteConnector_->query("select userid, name from mapd_users");
840  std::unordered_map<int, string> users;
841  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
842  users[sqliteConnector_->getData<int>(i, 0)] =
843  sqliteConnector_->getData<string>(i, 1);
844  }
845 
846  // All existing users by default will be granted DB Access permissions
847  // and view sql editor privileges
848  DBMetadata dbmeta;
849  for (auto db_ : databases) {
850  CHECK(getMetadataForDB(db_.second, dbmeta));
851  for (auto user : users) {
852  if (user.first != shared::kRootUserId) {
853  {
854  DBObjectKey key;
856  key.dbId = dbmeta.dbId;
857 
858  // access permission;
859  DBObject object_access(key, AccessPrivileges::ACCESS, dbmeta.dbOwner);
861  object_access.setName(dbmeta.dbName);
862  // sql_editor permission
863  DBObject object_editor(
866  object_editor.setName(dbmeta.dbName);
867  object_editor.updatePrivileges(object_access);
869  sqliteConnector_, user.second, true, object_editor);
870  }
871  }
872  }
873  }
874  } catch (const std::exception& e) {
875  LOG(ERROR) << "Failed to migrate db access privileges: " << e.what();
876  sqliteConnector_->query("ROLLBACK TRANSACTION");
877  throw;
878  }
879  sqliteConnector_->query("END TRANSACTION");
880  LOG(INFO) << "Successfully migrated db access privileges";
881 }
882 
885 
886  sqliteConnector_->query("BEGIN TRANSACTION");
887  try {
888  sqliteConnector_->query(
889  "CREATE TABLE IF NOT EXISTS mapd_privileges (userid integer references "
890  "mapd_users, dbid integer references "
891  "mapd_databases, select_priv boolean, insert_priv boolean, UNIQUE(userid, "
892  "dbid))");
893  } catch (const std::exception& e) {
894  sqliteConnector_->query("ROLLBACK TRANSACTION");
895  throw;
896  }
897  sqliteConnector_->query("END TRANSACTION");
898 }
899 
901  static const string duplicate_check_migration{
902  "check_duplicate_case_insensitive_db_names"};
903  if (hasExecutedMigration(duplicate_check_migration)) {
904  return;
905  }
907  sqliteConnector_->query(
908  "SELECT UPPER(name) AS db_name, COUNT(*) AS name_count "
909  "FROM mapd_databases GROUP BY db_name HAVING name_count > 1");
910  auto num_rows = sqliteConnector_->getNumRows();
911  if (num_rows > 0) {
912  std::stringstream error_message;
913  error_message << "Duplicate case insensitive database names encountered:\n";
914  for (size_t row = 0; row < num_rows; row++) {
915  error_message << sqliteConnector_->getData<string>(row, 0) << " ("
916  << sqliteConnector_->getData<int>(row, 1) << ")\n";
917  }
918  throw std::runtime_error{error_message.str()};
919  }
920  recordExecutedMigration(duplicate_check_migration);
921 }
922 
923 std::shared_ptr<Catalog> SysCatalog::login(std::string& dbname,
924  std::string& username,
925  const std::string& password,
926  UserMetadata& user_meta,
927  bool check_password) {
928  // NOTE(sy): The dbname isn't const because getMetadataWithDefaultDB()
929  // can reset it. The username isn't const because SamlServer's
930  // login()/authenticate_user() can reset it.
931 
932  if (check_password) {
933  loginImpl(username, password, user_meta);
934  } else { // not checking for password so user must exist
935  if (!getMetadataForUser(username, user_meta)) {
936  throw std::runtime_error("Invalid credentials.");
937  }
938  }
939  // we should have a user and user_meta by now
940  if (!user_meta.can_login) {
941  throw std::runtime_error("Unauthorized Access: User " + username + " is deactivated");
942  }
944  getMetadataWithDefaultDB(dbname, username, db_meta, user_meta);
945  return getCatalog(db_meta, false);
946 }
947 
948 // loginImpl() with no EE code and no SAML code
949 void SysCatalog::loginImpl(std::string& username,
950  const std::string& password,
951  UserMetadata& user_meta) {
952  if (!checkPasswordForUser(password, username, user_meta)) {
953  throw std::runtime_error("Authentication failure");
954  }
955 }
956 
957 std::shared_ptr<Catalog> SysCatalog::switchDatabase(std::string& dbname,
958  const std::string& username) {
959  DBMetadata db_meta;
960  UserMetadata user_meta;
961 
962  getMetadataWithDefaultDB(dbname, username, db_meta, user_meta);
963 
964  // NOTE(max): register database in Catalog that early to allow ldap
965  // and saml create default user and role privileges on databases
966  auto cat = getCatalog(db_meta, false);
967 
968  DBObject dbObject(dbname, DatabaseDBObjectType);
969  dbObject.loadKey();
971  if (!checkPrivileges(user_meta, std::vector<DBObject>{dbObject})) {
972  throw std::runtime_error("Unauthorized Access: user " + user_meta.userLoggable() +
973  " is not allowed to access database " + dbname + ".");
974  }
975 
976  return cat;
977 }
978 
979 void SysCatalog::check_for_session_encryption(const std::string& pki_cert,
980  std::string& session) {
981  if (!pki_server_->inUse()) {
982  return;
983  }
984  pki_server_->encrypt_session(pki_cert, session);
985 }
986 
988  UserAlterations alts,
989  bool is_temporary) {
992 
993  if (!alts.passwd) {
994  alts.passwd = "";
995  }
996  if (!alts.is_super) {
997  alts.is_super = false;
998  }
999  if (!alts.default_db) {
1000  alts.default_db = "";
1001  }
1002  if (!alts.can_login) {
1003  alts.can_login = true;
1004  }
1005 
1006  UserMetadata user;
1007  if (getMetadataForUser(name, user)) {
1008  throw runtime_error("User " + user.userLoggable() + " already exists.");
1009  }
1010  if (getGrantee(name)) {
1011  std::string const loggable = g_log_user_id ? std::string("") : name + ' ';
1012  throw runtime_error(
1013  "User " + loggable +
1014  "is same as one of existing grantees. User and role names should be unique.");
1015  }
1016  DBMetadata db;
1017  if (!alts.default_db->empty()) {
1018  if (!getMetadataForDB(*alts.default_db, db)) {
1019  throw runtime_error("DEFAULT_DB " + *alts.default_db + " not found.");
1020  }
1021  }
1022 
1023  // Temporary user.
1024  if (is_temporary) {
1025  if (!g_read_only) {
1026  throw std::runtime_error("Temporary users require read-only mode.");
1027  // NOTE(sy): We can remove this restriction when we're confident that
1028  // nothing permanent can depend on a temporary user.
1029  }
1030  auto user2 = std::make_shared<UserMetadata>(next_temporary_user_id_++,
1031  name,
1032  hash_with_bcrypt(*alts.passwd),
1033  *alts.is_super,
1034  !alts.default_db->empty() ? db.dbId : -1,
1035  *alts.can_login,
1036  true);
1037  temporary_users_by_name_[name] = user2;
1038  temporary_users_by_id_[user2->userId] = user2;
1039  createRole_unsafe(name, /*userPrivateRole=*/true, /*is_temporary=*/true);
1040  VLOG(1) << "Created temporary user: " << user2->userLoggable();
1041  return *user2;
1042  }
1043 
1044  // Normal user.
1045  sqliteConnector_->query("BEGIN TRANSACTION");
1046  try {
1047  std::vector<std::string> vals;
1048  if (!alts.default_db->empty()) {
1049  vals = {name,
1050  hash_with_bcrypt(*alts.passwd),
1051  std::to_string(*alts.is_super),
1052  std::to_string(db.dbId),
1053  std::to_string(*alts.can_login)};
1054  sqliteConnector_->query_with_text_params(
1055  "INSERT INTO mapd_users (name, passwd_hash, issuper, default_db, can_login) "
1056  "VALUES (?, ?, ?, ?, ?)",
1057  vals);
1058  } else {
1059  vals = {name,
1060  hash_with_bcrypt(*alts.passwd),
1061  std::to_string(*alts.is_super),
1062  std::to_string(*alts.can_login)};
1063  sqliteConnector_->query_with_text_params(
1064  "INSERT INTO mapd_users (name, passwd_hash, issuper, can_login) "
1065  "VALUES (?, ?, ?, ?)",
1066  vals);
1067  }
1068  createRole_unsafe(name, /*userPrivateRole=*/true, /*is_temporary=*/false);
1069  } catch (const std::exception& e) {
1070  sqliteConnector_->query("ROLLBACK TRANSACTION");
1071  throw;
1072  }
1073  sqliteConnector_->query("END TRANSACTION");
1074  auto u = getUser(name);
1075  CHECK(u);
1076  VLOG(1) << "Created user: " << u->userLoggable();
1077  return *u;
1078 }
1079 
1080 // Can be invoked directly to drop users without sanitization for testing.
1081 void SysCatalog::dropUserUnchecked(const std::string& name, const UserMetadata& user) {
1082  sys_write_lock write_lock(this);
1084 
1085  // Temporary user.
1086  if (user.is_temporary) {
1087  auto it1 = temporary_users_by_name_.find(name);
1088  CHECK(it1 != temporary_users_by_name_.end());
1089  auto it2 = temporary_users_by_id_.find(it1->second->userId);
1090  CHECK(it2 != temporary_users_by_id_.end());
1091  dropRole_unsafe(name, /*is_temporary=*/true);
1093  temporary_users_by_name_.erase(it1);
1094  temporary_users_by_id_.erase(it2);
1095  return;
1096  }
1097 
1098  // Normal user.
1099 
1100  sqliteConnector_->query("BEGIN TRANSACTION");
1101  try {
1102  dropRole_unsafe(name, /*is_temporary=*/false);
1104  const std::string& roleName(name);
1105  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE userName = ?",
1106  roleName);
1107  sqliteConnector_->query("DELETE FROM mapd_users WHERE userid = " +
1108  std::to_string(user.userId));
1109  sqliteConnector_->query("DELETE FROM mapd_privileges WHERE userid = " +
1110  std::to_string(user.userId));
1111  } catch (const std::exception& e) {
1112  sqliteConnector_->query("ROLLBACK TRANSACTION");
1113  throw;
1114  }
1115  sqliteConnector_->query("END TRANSACTION");
1116 }
1117 
1118 void SysCatalog::dropUser(const string& name) {
1119  sys_write_lock write_lock(this);
1121 
1122  std::string const loggable = g_log_user_id ? std::string("") : name + ' ';
1123 
1124  UserMetadata user;
1125  if (!getMetadataForUser(name, user)) {
1126  throw runtime_error("Cannot drop user. User " + loggable + "does not exist.");
1127  }
1128 
1129  auto dbs = getAllDBMetadata();
1130  for (const auto& db : dbs) {
1131  if (db.dbOwner == user.userId) {
1132  throw runtime_error("Cannot drop user. User " + loggable + "owns database " +
1133  db.dbName);
1134  }
1135  }
1136 
1137  dropUserUnchecked(name, user);
1138 }
1139 
1140 std::vector<Catalog*> SysCatalog::getCatalogsForAllDbs() {
1141  std::vector<Catalog*> catalogs{};
1142  const auto& db_metadata_list = getAllDBMetadata();
1143  for (const auto& db_metadata : db_metadata_list) {
1144  catalogs.emplace_back(getCatalog(db_metadata, false).get());
1145  }
1146  return catalogs;
1147 }
1148 
1149 namespace { // anonymous namespace
1150 
1151 auto append_with_commas = [](string& s, const string& t) {
1152  if (!s.empty()) {
1153  s += ", ";
1154  }
1155  s += t;
1156 };
1157 
1158 } // anonymous namespace
1159 
1161  if (passwd && hash_with_bcrypt(*passwd) != user.passwd_hash) {
1162  return true;
1163  }
1164  if (is_super && *is_super != user.isSuper) {
1165  return true;
1166  }
1167  if (default_db) {
1168  DBMetadata db;
1169  if (!default_db->empty()) {
1171  throw std::runtime_error(string("DEFAULT_DB ") + *default_db + " not found.");
1172  }
1173  } else {
1174  db.dbId = -1;
1175  }
1176  if (db.dbId != user.defaultDbId) {
1177  return true;
1178  }
1179  }
1180  if (can_login && *can_login != user.can_login) {
1181  return true;
1182  }
1183  return false;
1184 }
1185 
1186 std::string UserAlterations::toString(bool hide_password) const {
1187  std::stringstream ss;
1188  if (passwd) {
1189  if (hide_password) {
1190  ss << "PASSWORD='XXXXXXXX'";
1191  } else {
1192  ss << "PASSWORD='" << *passwd << "'";
1193  }
1194  }
1195  if (is_super) {
1196  if (!ss.str().empty()) {
1197  ss << ", ";
1198  }
1199  ss << "IS_SUPER='" << (*is_super ? "TRUE" : "FALSE") << "'";
1200  }
1201  if (default_db) {
1202  if (!ss.str().empty()) {
1203  ss << ", ";
1204  }
1205  ss << "DEFAULT_DB='" << *default_db << "'";
1206  }
1207  if (can_login) {
1208  if (!ss.str().empty()) {
1209  ss << ", ";
1210  }
1211  ss << "CAN_LOGIN='" << *can_login << "'";
1212  }
1213  return ss.str();
1214 }
1215 
1217  sys_write_lock write_lock(this);
1219 
1220  UserMetadata user;
1221  if (!getMetadataForUser(name, user)) {
1222  std::string const loggable = g_log_user_id ? std::string("") : name + ' ';
1223  throw runtime_error("Cannot alter user. User " + loggable + "does not exist.");
1224  }
1225  if (!alts.wouldChange(user)) {
1226  return user;
1227  }
1228 
1229  // Temporary user.
1230  if (user.is_temporary) {
1231  if (alts.passwd) {
1232  user.passwd_hash = hash_with_bcrypt(*alts.passwd);
1233  }
1234  if (alts.is_super) {
1235  user.isSuper = *alts.is_super;
1236  }
1237  if (alts.default_db) {
1238  if (!alts.default_db->empty()) {
1239  DBMetadata db;
1240  if (!getMetadataForDB(*alts.default_db, db)) {
1241  throw runtime_error(string("DEFAULT_DB ") + *alts.default_db + " not found.");
1242  }
1243  user.defaultDbId = db.dbId;
1244  } else {
1245  user.defaultDbId = -1;
1246  }
1247  }
1248  if (alts.can_login) {
1249  user.can_login = *alts.can_login;
1250  }
1251  *temporary_users_by_name_[name] = user;
1252  return user;
1253  }
1254 
1255  // Normal user.
1256  sqliteConnector_->query("BEGIN TRANSACTION");
1257  try {
1258  string sql;
1259  std::vector<std::string> values;
1260  if (alts.passwd) {
1261  append_with_commas(sql, "passwd_hash = ?");
1262  values.push_back(hash_with_bcrypt(*alts.passwd));
1263  }
1264  if (alts.is_super) {
1265  append_with_commas(sql, "issuper = ?");
1266  values.push_back(std::to_string(*alts.is_super));
1267  }
1268  if (alts.default_db) {
1269  if (!alts.default_db->empty()) {
1270  append_with_commas(sql, "default_db = ?");
1271  DBMetadata db;
1272  if (!getMetadataForDB(*alts.default_db, db)) {
1273  throw runtime_error(string("DEFAULT_DB ") + *alts.default_db + " not found.");
1274  }
1275  values.push_back(std::to_string(db.dbId));
1276  } else {
1277  append_with_commas(sql, "default_db = NULL");
1278  }
1279  }
1280  if (alts.can_login) {
1281  append_with_commas(sql, "can_login = ?");
1282  values.push_back(std::to_string(*alts.can_login));
1283  }
1284 
1285  sql = "UPDATE mapd_users SET " + sql + " WHERE userid = ?";
1286  values.push_back(std::to_string(user.userId));
1287 
1288  sqliteConnector_->query_with_text_params(sql, values);
1289  } catch (const std::exception& e) {
1290  sqliteConnector_->query("ROLLBACK TRANSACTION");
1291  throw;
1292  }
1293  sqliteConnector_->query("END TRANSACTION");
1294  auto u = getUser(name);
1295  CHECK(u);
1296  VLOG(1) << "Altered user: " << u->userLoggable();
1297  return *u;
1298 }
1299 
1301  return
1302  [](auto& db_connector, auto on_success, auto on_failure, auto&&... query_requests) {
1303  auto query_runner = [&db_connector](auto&&... query_reqs) {
1304  [[gnu::unused]] int throw_away[] = {
1305  (db_connector->query_with_text_params(
1306  std::forward<decltype(query_reqs)>(query_reqs)),
1307  0)...};
1308  };
1309 
1310  db_connector->query("BEGIN TRANSACTION");
1311  try {
1312  query_runner(std::forward<decltype(query_requests)>(query_requests)...);
1313  on_success();
1314  } catch (std::exception&) {
1315  db_connector->query("ROLLBACK TRANSACTION");
1316  on_failure();
1317  throw;
1318  }
1319  db_connector->query("END TRANSACTION");
1320  };
1321 }
1322 
1323 void SysCatalog::updateUserRoleName(const std::string& roleName,
1324  const std::string& newName) {
1325  sys_write_lock write_lock(this);
1326 
1327  auto it = granteeMap_.find(to_upper(roleName));
1328  if (it != granteeMap_.end()) {
1329  it->second->setName(newName);
1330  std::swap(granteeMap_[to_upper(newName)], it->second);
1331  granteeMap_.erase(it);
1332  }
1333 
1334  // Also rename in objectDescriptorMap_
1335  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end(); ++d) {
1336  if (d->second->roleName == roleName) {
1337  d->second->roleName = newName;
1338  }
1339  }
1340 }
1341 
1342 void SysCatalog::renameUser(std::string const& old_name, std::string const& new_name) {
1343  using namespace std::string_literals;
1344  sys_write_lock write_lock(this);
1346 
1347  UserMetadata old_user;
1348  if (!getMetadataForUser(old_name, old_user)) {
1349  std::string const loggable = g_log_user_id ? std::string("") : old_name + ' ';
1350  throw std::runtime_error("User " + loggable + "doesn't exist.");
1351  }
1352 
1353  UserMetadata new_user;
1354  if (getMetadataForUser(new_name, new_user)) {
1355  throw std::runtime_error("User " + new_user.userLoggable() + " already exists.");
1356  }
1357 
1358  if (getGrantee(new_name)) {
1359  std::string const loggable = g_log_user_id ? std::string("") : new_name + ' ';
1360  throw runtime_error(
1361  "Username " + loggable +
1362  "is same as one of existing grantees. User and role names should be unique.");
1363  }
1364 
1365  // Temporary user.
1366  if (old_user.is_temporary) {
1367  auto userit = temporary_users_by_name_.find(old_name);
1368  CHECK(userit != temporary_users_by_name_.end());
1369  auto node = temporary_users_by_name_.extract(userit);
1370  node.key() = new_name;
1371  temporary_users_by_name_.insert(std::move(node));
1372  userit->second->userName = new_name;
1373  updateUserRoleName(old_name, new_name);
1374  return;
1375  }
1376 
1377  // Normal user.
1378  auto transaction_streamer = yieldTransactionStreamer();
1379  auto failure_handler = [] {};
1380  auto success_handler = [this, &old_name, &new_name] {
1381  updateUserRoleName(old_name, new_name);
1382  };
1383  auto q1 = {"UPDATE mapd_users SET name=?1 where name=?2;"s, new_name, old_name};
1384  auto q2 = {"UPDATE mapd_object_permissions set roleName=?1 WHERE roleName=?2;"s,
1385  new_name,
1386  old_name};
1387  auto q3 = {"UPDATE mapd_roles set userName=?1 WHERE userName=?2;"s, new_name, old_name};
1388  transaction_streamer(sqliteConnector_, success_handler, failure_handler, q1, q2, q3);
1389 }
1390 
1391 void SysCatalog::changeDatabaseOwner(std::string const& dbname,
1392  const std::string& new_owner) {
1393  using namespace std::string_literals;
1394  sys_write_lock write_lock(this);
1396 
1397  DBMetadata db;
1398  if (!getMetadataForDB(dbname, db)) {
1399  throw std::runtime_error("Database " + dbname + " does not exists.");
1400  }
1401 
1402  Catalog_Namespace::UserMetadata user, original_owner;
1403  if (!getMetadataForUser(new_owner, user)) {
1404  throw std::runtime_error("User with username \"" + new_owner + "\" does not exist. " +
1405  "Database with name \"" + dbname +
1406  "\" can not have owner changed.");
1407  }
1408 
1409  bool original_owner_exists = getMetadataForUserById(db.dbOwner, original_owner);
1410  auto cat = getCatalog(db, true);
1411  DBObject db_object(db.dbName, DBObjectType::DatabaseDBObjectType);
1413  user,
1414  original_owner,
1415  db_object,
1416  *cat,
1417  UpdateQueries{{"UPDATE mapd_databases SET owner=?1 WHERE name=?2;",
1418  {std::to_string(user.userId), db.dbName}}},
1419  original_owner_exists);
1420 }
1421 
1422 void SysCatalog::renameDatabase(std::string const& old_name,
1423  std::string const& new_name) {
1424  using namespace std::string_literals;
1425  sys_write_lock write_lock(this);
1427 
1428  DBMetadata new_db;
1429  if (getMetadataForDB(new_name, new_db)) {
1430  throw std::runtime_error("Database " + new_name + " already exists.");
1431  }
1432  if (to_upper(new_name) == to_upper(shared::kSystemCatalogName)) {
1433  throw std::runtime_error("Database name " + new_name + "is reserved.");
1434  }
1435 
1436  DBMetadata old_db;
1437  if (!getMetadataForDB(old_name, old_db)) {
1438  throw std::runtime_error("Database " + old_name + " does not exists.");
1439  }
1440 
1441  removeCatalog(old_db.dbName);
1442 
1443  std::string old_catalog_path, new_catalog_path;
1444  std::tie(old_catalog_path, new_catalog_path) =
1445  duplicateAndRenameCatalog(old_db.dbName, new_name);
1446 
1447  auto transaction_streamer = yieldTransactionStreamer();
1448  auto failure_handler = [this, new_catalog_path] {
1449  removeCatalogByFullPath(new_catalog_path);
1450  };
1451  auto success_handler = [this, old_catalog_path] {
1452  removeCatalogByFullPath(old_catalog_path);
1453  };
1454 
1455  auto q1 = {
1456  "UPDATE mapd_databases SET name=?1 WHERE name=?2;"s, new_name, old_db.dbName};
1457  auto q2 = {
1458  "UPDATE mapd_object_permissions SET objectName=?1 WHERE objectNAME=?2 and (objectPermissionsType=?3 or objectId = -1) and dbId=?4;"s,
1459  new_name,
1460  old_db.dbName,
1462  std::to_string(old_db.dbId)};
1463 
1464  transaction_streamer(sqliteConnector_, success_handler, failure_handler, q1, q2);
1465 }
1466 
1467 void SysCatalog::createDatabase(const string& name, int owner) {
1468  sys_write_lock write_lock(this);
1470 
1471  DBMetadata db;
1472  if (getMetadataForDB(name, db)) {
1473  throw runtime_error("Database " + name + " already exists.");
1474  }
1476  throw runtime_error("Database name " + name + " is reserved.");
1477  }
1478 
1479  std::unique_ptr<SqliteConnector> dbConn(
1480  new SqliteConnector(name, basePath_ + "/" + shared::kCatalogDirectoryName + "/"));
1481  // NOTE(max): it's okay to run this in a separate transaction. If we fail later
1482  // we delete the database anyways.
1483  // If we run it in the same transaction as SysCatalog functions, then Catalog
1484  // constructor won't find the tables we have just created.
1485  dbConn->query("BEGIN TRANSACTION");
1486  try {
1487  dbConn->query(
1488  "CREATE TABLE mapd_tables (tableid integer primary key, name text unique, userid "
1489  "integer, ncolumns integer, "
1490  "isview boolean, "
1491  "fragments text, frag_type integer, max_frag_rows integer, max_chunk_size "
1492  "bigint, "
1493  "frag_page_size integer, "
1494  "max_rows bigint, partitions text, shard_column_id integer, shard integer, "
1495  "sort_column_id integer default 0, storage_type text default '', "
1496  "max_rollback_epochs integer default -1, "
1497  "is_system_table boolean default 0, "
1498  "num_shards integer, key_metainfo TEXT, version_num "
1499  "BIGINT DEFAULT 1) ");
1500  dbConn->query(
1501  "CREATE TABLE mapd_columns (tableid integer references mapd_tables, columnid "
1502  "integer, name text, coltype "
1503  "integer, colsubtype integer, coldim integer, colscale integer, is_notnull "
1504  "boolean, compression integer, "
1505  "comp_param integer, size integer, chunks text, is_systemcol boolean, "
1506  "is_virtualcol boolean, virtual_expr "
1507  "text, is_deletedcol boolean, version_num BIGINT, default_value text, "
1508  "primary key(tableid, columnid), unique(tableid, name))");
1509  dbConn->query(
1510  "CREATE TABLE mapd_views (tableid integer references mapd_tables, sql text)");
1511  dbConn->query(
1512  "CREATE TABLE mapd_dashboards (id integer primary key autoincrement, name text , "
1513  "userid integer references mapd_users, state text, image_hash text, update_time "
1514  "timestamp, "
1515  "metadata text, UNIQUE(userid, name) )");
1516  dbConn->query(
1517  "CREATE TABLE mapd_links (linkid integer primary key, userid integer references "
1518  "mapd_users, "
1519  "link text unique, view_state text, update_time timestamp, view_metadata text)");
1520  dbConn->query(
1521  "CREATE TABLE mapd_dictionaries (dictid integer primary key, name text unique, "
1522  "nbits int, is_shared boolean, "
1523  "refcount int, version_num BIGINT DEFAULT 1)");
1524  dbConn->query(
1525  "CREATE TABLE mapd_logical_to_physical(logical_table_id integer, "
1526  "physical_table_id "
1527  "integer)");
1528  dbConn->query("CREATE TABLE mapd_record_ownership_marker (dummy integer)");
1529  dbConn->query_with_text_params(
1530  "INSERT INTO mapd_record_ownership_marker (dummy) VALUES (?1)",
1531  std::vector<std::string>{std::to_string(owner)});
1532 
1533  if (g_enable_fsi) {
1534  dbConn->query(Catalog::getForeignServerSchema());
1535  dbConn->query(Catalog::getForeignTableSchema());
1536  }
1537  dbConn->query(Catalog::getCustomExpressionsSchema());
1538  } catch (const std::exception&) {
1539  dbConn->query("ROLLBACK TRANSACTION");
1540  boost::filesystem::remove(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
1541  name);
1542  throw;
1543  }
1544  dbConn->query("END TRANSACTION");
1545 
1546  std::shared_ptr<Catalog> cat;
1547  // Now update SysCatalog with privileges and the new database
1548  sqliteConnector_->query("BEGIN TRANSACTION");
1549  try {
1550  sqliteConnector_->query_with_text_param(
1551  "INSERT INTO mapd_databases (name, owner) VALUES (?, " + std::to_string(owner) +
1552  ")",
1553  name);
1554  CHECK(getMetadataForDB(name, db));
1555 
1556  cat = getCatalog(db, true);
1557 
1558  if (owner != shared::kRootUserId) {
1560  object.loadKey(*cat);
1561  UserMetadata user;
1562  CHECK(getMetadataForUserById(owner, user));
1563  grantAllOnDatabase_unsafe(user.userName, object, *cat);
1564  }
1565  } catch (const std::exception&) {
1566  sqliteConnector_->query("ROLLBACK TRANSACTION");
1567  boost::filesystem::remove(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
1568  name);
1569  throw;
1570  }
1571  sqliteConnector_->query("END TRANSACTION");
1572 
1573  // force a migration on the new database
1574  removeCatalog(name);
1575  cat = getCatalog(db, false);
1576 
1577  if (g_enable_fsi) {
1578  try {
1579  cat->createDefaultServersIfNotExists();
1580  } catch (...) {
1581  boost::filesystem::remove(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
1582  name);
1583  throw;
1584  }
1585  }
1586 }
1587 
1589  auto cat = getCatalog(db, false);
1590  cat->eraseDbPhysicalData();
1591  sys_write_lock write_lock(this);
1593  sqliteConnector_->query("BEGIN TRANSACTION");
1594  try {
1595  // remove this database ID from any users that have it set as their default database
1596  sqliteConnector_->query_with_text_param(
1597  "UPDATE mapd_users SET default_db = NULL WHERE default_db = ?",
1598  std::to_string(db.dbId));
1599  /* revoke object privileges to all tables of the database being dropped */
1600  const auto tables = cat->getAllTableMetadata();
1601  for (const auto table : tables) {
1602  if (table->shard >= 0) {
1603  // skip shards, they're not standalone tables
1604  continue;
1605  }
1607  DBObject(table->tableName, TableDBObjectType), cat.get());
1608  }
1609  const auto dashboards = cat->getAllDashboardsMetadata();
1610  for (const auto dashboard : dashboards) {
1612  DBObject(dashboard->dashboardId, DashboardDBObjectType), cat.get());
1613  }
1614  /* revoke object privileges to the database being dropped */
1615  for (const auto& grantee : granteeMap_) {
1616  if (grantee.second->hasAnyPrivilegesOnDb(db.dbId, true)) {
1618  grantee.second->getName(), db.dbId, grantee.second.get());
1619  }
1620  }
1621  sqliteConnector_->query_with_text_param("DELETE FROM mapd_databases WHERE dbid = ?",
1622  std::to_string(db.dbId));
1623  cat->eraseDbMetadata();
1624  removeCatalog(db.dbName);
1625  } catch (const std::exception&) {
1626  sqliteConnector_->query("ROLLBACK TRANSACTION");
1627  throw;
1628  }
1629  sqliteConnector_->query("END TRANSACTION");
1630 }
1631 
1632 // checkPasswordForUser() with no EE code
1633 bool SysCatalog::checkPasswordForUser(const std::string& passwd,
1634  std::string& name,
1635  UserMetadata& user) {
1636  return checkPasswordForUserImpl(passwd, name, user);
1637 }
1638 
1639 bool SysCatalog::checkPasswordForUserImpl(const std::string& passwd,
1640  std::string& name,
1641  UserMetadata& user) {
1642  sys_read_lock read_lock(this);
1643  if (!getMetadataForUser(name, user)) {
1644  // Check password against some fake hash just to waste time so that response times
1645  // for invalid password and invalid user are similar and a caller can't say the
1646  // difference
1647  char fake_hash[BCRYPT_HASHSIZE];
1648  CHECK(bcrypt_gensalt(-1, fake_hash) == 0);
1649  bcrypt_checkpw(passwd.c_str(), fake_hash);
1650  LOG(WARNING) << "Local login failed";
1651  return false;
1652  }
1653  int pwd_check_result = bcrypt_checkpw(passwd.c_str(), user.passwd_hash.c_str());
1654  // if the check fails there is a good chance that data on disc is broken
1655  CHECK(pwd_check_result >= 0);
1656  return pwd_check_result == 0;
1657 }
1658 
1659 static bool parseUserMetadataFromSQLite(const std::unique_ptr<SqliteConnector>& conn,
1660  UserMetadata& user,
1661  int row) {
1662  int numRows = conn->getNumRows();
1663  if (numRows == 0) {
1664  return false;
1665  }
1666  user.userId = conn->getData<int>(row, 0);
1667  user.userName = conn->getData<string>(row, 1);
1668  user.passwd_hash = conn->getData<string>(row, 2);
1669  user.isSuper = conn->getData<bool>(row, 3);
1670  user.defaultDbId = conn->isNull(row, 4) ? -1 : conn->getData<int>(row, 4);
1671  if (conn->isNull(row, 5)) {
1672  LOG(WARNING)
1673  << "User property 'can_login' not set for user " << user.userLoggable()
1674  << ". Disabling login ability. Set the users login ability with \"ALTER USER "
1675  << (g_log_user_id ? std::string("[username]") : user.userName)
1676  << " (can_login='true');\".";
1677  }
1678  user.can_login = conn->isNull(row, 5) ? false : conn->getData<bool>(row, 5);
1679  return true;
1680 }
1681 
1683  sys_read_lock read_lock(this);
1685  sqliteConnector_->query_with_text_param(
1686  "SELECT userid, name, passwd_hash, issuper, default_db, can_login FROM mapd_users "
1687  "WHERE name = ?",
1688  name);
1689  int numRows = sqliteConnector_->getNumRows();
1690  if (numRows == 0) {
1691  auto userit = temporary_users_by_name_.find(name);
1692  if (userit != temporary_users_by_name_.end()) {
1693  user = *userit->second;
1694  return true;
1695  } else {
1696  return false;
1697  }
1698  }
1700 }
1701 
1702 bool SysCatalog::getMetadataForUserById(const int32_t idIn, UserMetadata& user) {
1704  sqliteConnector_->query_with_text_param(
1705  "SELECT userid, name, passwd_hash, issuper, default_db, can_login FROM mapd_users "
1706  "WHERE userid = ?",
1707  std::to_string(idIn));
1708  int numRows = sqliteConnector_->getNumRows();
1709  if (numRows == 0) {
1710  auto userit = temporary_users_by_id_.find(idIn);
1711  if (userit != temporary_users_by_id_.end()) {
1712  user = *userit->second;
1713  return true;
1714  } else {
1715  return false;
1716  }
1717  }
1719 }
1720 
1721 list<DBMetadata> SysCatalog::getAllDBMetadata() {
1723  sqliteConnector_->query("SELECT dbid, name, owner FROM mapd_databases");
1724  int numRows = sqliteConnector_->getNumRows();
1725  list<DBMetadata> db_list;
1726  for (int r = 0; r < numRows; ++r) {
1727  DBMetadata db;
1728  db.dbId = sqliteConnector_->getData<int>(r, 0);
1729  db.dbName = sqliteConnector_->getData<string>(r, 1);
1730  db.dbOwner = sqliteConnector_->getData<int>(r, 2);
1731  db_list.push_back(db);
1732  }
1733  return db_list;
1734 }
1735 
1736 namespace {
1737 
1738 auto get_users(SysCatalog& syscat,
1739  std::unique_ptr<SqliteConnector>& sqliteConnector,
1740  const int32_t dbId = -1) {
1741  // Normal users.
1742  sqliteConnector->query(
1743  "SELECT userid, name, passwd_hash, issuper, default_db, can_login FROM mapd_users");
1744  int numRows = sqliteConnector->getNumRows();
1745  list<UserMetadata> user_list;
1746  const bool return_all_users = dbId == -1;
1747  auto has_any_privilege = [&return_all_users, &dbId, &syscat](const std::string& name) {
1748  if (!return_all_users) {
1749  const auto grantee = syscat.getUserGrantee(name);
1750  return grantee ? grantee->hasAnyPrivilegesOnDb(dbId, false) : false;
1751  }
1752  return true;
1753  };
1754  for (int r = 0; r < numRows; ++r) {
1756  parseUserMetadataFromSQLite(sqliteConnector, user, r);
1757  if (has_any_privilege(user.userName)) {
1758  user_list.emplace_back(std::move(user));
1759  }
1760  }
1761 
1762  // Temporary users.
1763  for (const auto& [id, userptr] : syscat.temporary_users_by_id_) {
1764  if (has_any_privilege(userptr->userName)) {
1765  user_list.emplace_back(*userptr);
1766  }
1767  }
1768 
1769  return user_list;
1770 }
1771 
1772 } // namespace
1773 
1774 list<UserMetadata> SysCatalog::getAllUserMetadata(const int64_t dbId) {
1775  // this call is to return users that have some form of permissions to objects in the db
1776  // sadly mapd_object_permissions table is also misused to manage user roles.
1778  return get_users(*this, sqliteConnector_, dbId);
1779 }
1780 
1781 list<UserMetadata> SysCatalog::getAllUserMetadata() {
1783  return get_users(*this, sqliteConnector_);
1784 }
1785 
1786 void SysCatalog::getMetadataWithDefaultDB(std::string& dbname,
1787  const std::string& username,
1789  UserMetadata& user_meta) {
1790  sys_read_lock read_lock(this);
1791  if (!getMetadataForUser(username, user_meta)) {
1792  throw std::runtime_error("Invalid credentials.");
1793  }
1794 
1795  if (!dbname.empty()) {
1796  if (!getMetadataForDB(dbname, db_meta)) {
1797  throw std::runtime_error("Database name " + dbname + " does not exist.");
1798  }
1799  // loaded the requested database
1800  } else {
1801  if (user_meta.defaultDbId != -1) {
1802  if (!getMetadataForDBById(user_meta.defaultDbId, db_meta)) {
1803  std::string loggable = g_log_user_id ? std::string("") : ' ' + user_meta.userName;
1804  throw std::runtime_error(
1805  "Server error: User #" + std::to_string(user_meta.userId) + loggable +
1806  " has invalid default_db #" + std::to_string(user_meta.defaultDbId) +
1807  " which does not exist.");
1808  }
1809  dbname = db_meta.dbName;
1810  // loaded the user's default database
1811  } else {
1812  if (!getMetadataForDB(shared::kDefaultDbName, db_meta)) {
1813  throw std::runtime_error(std::string("Database ") + shared::kDefaultDbName +
1814  " does not exist.");
1815  }
1816  dbname = shared::kDefaultDbName;
1817  // loaded the mapd database by default
1818  }
1819  }
1820 }
1821 
1823  sys_read_lock read_lock(this);
1825  sqliteConnector_->query_with_text_param(
1826  "SELECT dbid, name, owner FROM mapd_databases WHERE UPPER(name) = ?",
1827  to_upper(name));
1828  int numRows = sqliteConnector_->getNumRows();
1829  if (numRows == 0) {
1830  return false;
1831  }
1832  db.dbId = sqliteConnector_->getData<int>(0, 0);
1833  db.dbName = sqliteConnector_->getData<string>(0, 1);
1834  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1835  return true;
1836 }
1837 
1838 bool SysCatalog::getMetadataForDBById(const int32_t idIn, DBMetadata& db) {
1840  sqliteConnector_->query_with_text_param(
1841  "SELECT dbid, name, owner FROM mapd_databases WHERE dbid = ?",
1842  std::to_string(idIn));
1843  int numRows = sqliteConnector_->getNumRows();
1844  if (numRows == 0) {
1845  return false;
1846  }
1847  db.dbId = sqliteConnector_->getData<int>(0, 0);
1848  db.dbName = sqliteConnector_->getData<string>(0, 1);
1849  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1850  return true;
1851 }
1852 
1854  DBSummaryList ret;
1855 
1856  std::list<Catalog_Namespace::DBMetadata> db_list = getAllDBMetadata();
1857  std::list<Catalog_Namespace::UserMetadata> user_list = getAllUserMetadata();
1858 
1859  std::map<int32_t, std::string> user_id_to_name_map;
1860  for (const auto& user : user_list) {
1861  user_id_to_name_map.emplace(user.userId, user.userName);
1862  }
1863 
1864  for (auto d : db_list) {
1865  DBObject dbObject(d.dbName, DatabaseDBObjectType);
1866  dbObject.loadKey();
1868  if (!checkPrivileges(user, std::vector<DBObject>{dbObject})) {
1869  continue;
1870  }
1871 
1872  if (auto it = user_id_to_name_map.find(d.dbOwner); it != user_id_to_name_map.end()) {
1873  ret.emplace_back(DBSummary{d.dbName, it->second});
1874  } else {
1875  ret.emplace_back(DBSummary{d.dbName, "<DELETED>"});
1876  }
1877  }
1878 
1879  return ret;
1880 }
1881 
1883  const std::string& objectName,
1885  const Catalog_Namespace::Catalog& catalog,
1886  int32_t objectId) {
1887  sys_write_lock write_lock(this);
1889 
1890  DBObject object =
1891  objectId == -1 ? DBObject(objectName, type) : DBObject(objectId, type);
1892  object.loadKey(catalog);
1893  switch (type) {
1894  case TableDBObjectType:
1895  object.setPrivileges(AccessPrivileges::ALL_TABLE);
1896  break;
1897  case DashboardDBObjectType:
1898  object.setPrivileges(AccessPrivileges::ALL_DASHBOARD);
1899  break;
1900  case ServerDBObjectType:
1901  object.setPrivileges(AccessPrivileges::ALL_SERVER);
1902  break;
1903  default:
1904  object.setPrivileges(AccessPrivileges::ALL_DATABASE);
1905  break;
1906  }
1907  object.setOwner(user.userId);
1908  sqliteConnector_->query("BEGIN TRANSACTION");
1909  try {
1910  if (!user.isSuper) { // no need to grant to suser, has all privs by default
1911  grantDBObjectPrivileges_unsafe(user.userName, object, catalog);
1912  auto* grantee = instance().getUserGrantee(user.userName);
1913  if (!grantee) {
1914  throw runtime_error("Cannot create DBObject. User " + user.userLoggable() +
1915  " does not exist.");
1916  }
1917  grantee->grantPrivileges(object);
1918  }
1919  } catch (std::exception& e) {
1920  sqliteConnector_->query("ROLLBACK TRANSACTION");
1921  throw;
1922  }
1923  sqliteConnector_->query("END TRANSACTION");
1924 }
1925 
1926 void SysCatalog::renameDBObject(const std::string& objectName,
1927  const std::string& newName,
1929  int32_t objectId,
1930  const Catalog_Namespace::Catalog& catalog) {
1931  sys_write_lock write_lock(this);
1932  DBObject new_object(newName, type);
1933  DBObjectKey key;
1934  key.dbId = catalog.getCurrentDB().dbId;
1935  key.objectId = objectId;
1936  key.permissionType = type;
1937  new_object.setObjectKey(key);
1938  auto objdescs =
1939  getMetadataForObject(key.dbId, static_cast<int32_t>(type), key.objectId);
1940  for (auto obj : objdescs) {
1941  Grantee* grnt = getGrantee(obj->roleName);
1942  if (grnt) {
1943  grnt->renameDbObject(new_object);
1944  }
1945  }
1946  renameObjectsInDescriptorMap(new_object, catalog);
1947 }
1948 
1950  const vector<string>& grantees,
1951  const vector<DBObject>& objects,
1952  const Catalog_Namespace::Catalog& catalog) {
1953  for (const auto& grantee : grantees) {
1954  for (const auto& object : objects) {
1955  grantDBObjectPrivileges_unsafe(grantee, object, catalog);
1956  }
1957  }
1958 }
1959 
1960 // GRANT INSERT ON TABLE payroll_table TO payroll_dept_role;
1962  const std::string& granteeName,
1963  DBObject object,
1964  const Catalog_Namespace::Catalog& catalog) {
1965  object.loadKey(catalog);
1966  CHECK(object.valid());
1967  if (object.getPrivileges().hasPermission(DatabasePrivileges::ALL) &&
1968  object.getObjectKey().permissionType == DatabaseDBObjectType) {
1969  return grantAllOnDatabase_unsafe(granteeName, object, catalog);
1970  }
1971 
1972  sys_write_lock write_lock(this);
1973 
1974  UserMetadata user_meta;
1975  bool is_temporary_user{false};
1976  if (instance().getMetadataForUser(granteeName, user_meta)) {
1977  if (user_meta.isSuper) {
1978  // super doesn't have explicit privileges so nothing to do
1979  return;
1980  }
1981  is_temporary_user = user_meta.is_temporary;
1982  }
1983  auto* grantee = instance().getGrantee(granteeName);
1984  if (!grantee) {
1985  throw runtime_error("Request to grant privileges to " + granteeName +
1986  " failed because role or user with this name does not exist.");
1987  }
1988  grantee->grantPrivileges(object);
1989 
1990  /* apply grant privileges statement to sqlite DB */
1991  std::vector<std::string> objectKey = object.toString();
1992  object.resetPrivileges();
1993  grantee->getPrivileges(object, true);
1994 
1995  if (!is_temporary_user) {
1998  sqliteConnector_, granteeName, grantee->isUser(), object);
1999  }
2000  updateObjectDescriptorMap(granteeName, object, grantee->isUser(), catalog);
2001 }
2002 
2003 void SysCatalog::grantAllOnDatabase_unsafe(const std::string& roleName,
2004  DBObject& object,
2005  const Catalog_Namespace::Catalog& catalog) {
2006  // It's a separate use case because it's easier for implementation to convert ALL ON
2007  // DATABASE into ALL ON DASHBOARDS, ALL ON VIEWS and ALL ON TABLES
2008  // Add DB Access privileges
2009  DBObject tmp_object = object;
2012  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2015  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2018  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2020  tmp_object.setPermissionType(ViewDBObjectType);
2021  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2022 
2023  if (g_enable_fsi) {
2026  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2027  }
2028 
2031  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2032  return;
2033 }
2034 
2036  const vector<string>& grantees,
2037  const vector<DBObject>& objects,
2038  const Catalog_Namespace::Catalog& catalog) {
2039  for (const auto& grantee : grantees) {
2040  for (const auto& object : objects) {
2041  revokeDBObjectPrivileges_unsafe(grantee, object, catalog);
2042  }
2043  }
2044 }
2045 
2047  vector<DBObject>& objects,
2048  Catalog_Namespace::Catalog* catalog) {
2049  for (const auto& object : objects) {
2050  revokeDBObjectPrivilegesFromAll_unsafe(object, catalog);
2051  }
2052 }
2053 
2054 // REVOKE INSERT ON TABLE payroll_table FROM payroll_dept_role;
2056  const std::string& granteeName,
2057  DBObject object,
2058  const Catalog_Namespace::Catalog& catalog) {
2059  sys_write_lock write_lock(this);
2060 
2061  UserMetadata user_meta;
2062  bool is_temporary_user{false};
2063  if (instance().getMetadataForUser(granteeName, user_meta)) {
2064  if (user_meta.isSuper) {
2065  // super doesn't have explicit privileges so nothing to do
2066  return;
2067  }
2068  is_temporary_user = user_meta.is_temporary;
2069  }
2070  auto* grantee = getGrantee(granteeName);
2071  if (!grantee) {
2072  throw runtime_error("Request to revoke privileges from " + granteeName +
2073  " failed because role or user with this name does not exist.");
2074  }
2075  object.loadKey(catalog);
2076 
2077  if (object.getPrivileges().hasPermission(DatabasePrivileges::ALL) &&
2078  object.getObjectKey().permissionType == DatabaseDBObjectType) {
2079  return revokeAllOnDatabase_unsafe(granteeName, object.getObjectKey().dbId, grantee);
2080  }
2081 
2082  auto ret_object = grantee->revokePrivileges(object);
2083  if (ret_object) {
2084  if (!is_temporary_user) {
2087  sqliteConnector_, granteeName, grantee->isUser(), *ret_object);
2088  }
2089  updateObjectDescriptorMap(granteeName, *ret_object, grantee->isUser(), catalog);
2090  } else {
2091  if (!is_temporary_user) {
2093  deleteObjectPrivileges(sqliteConnector_, granteeName, grantee->isUser(), object);
2094  }
2095  deleteObjectDescriptorMap(granteeName, object, catalog);
2096  }
2097 }
2098 
2099 void SysCatalog::revokeAllOnDatabase_unsafe(const std::string& roleName,
2100  int32_t dbId,
2101  Grantee* grantee) {
2102  bool is_temporary =
2103  (temporary_users_by_name_.find(roleName) != temporary_users_by_name_.end());
2104  if (!is_temporary) {
2106  sqliteConnector_->query_with_text_params(
2107  "DELETE FROM mapd_object_permissions WHERE roleName = ?1 and dbId = ?2",
2108  std::vector<std::string>{roleName, std::to_string(dbId)});
2109  }
2110  grantee->revokeAllOnDatabase(dbId);
2111  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
2112  if (d->second->roleName == roleName && d->second->dbId == dbId) {
2113  d = objectDescriptorMap_.erase(d);
2114  } else {
2115  d++;
2116  }
2117  }
2118 }
2119 
2121  Catalog* catalog) {
2122  sys_write_lock write_lock(this);
2123  dbObject.loadKey(*catalog);
2124  auto privs = (dbObject.getObjectKey().permissionType == TableDBObjectType)
2129  dbObject.setPrivileges(privs);
2130  for (const auto& grantee : granteeMap_) {
2131  if (grantee.second->findDbObject(dbObject.getObjectKey(), true)) {
2132  revokeDBObjectPrivileges_unsafe(grantee.second->getName(), dbObject, *catalog);
2133  }
2134  }
2135 }
2136 
2138  DBObject object,
2139  const Catalog_Namespace::Catalog& catalog) {
2140  sys_read_lock read_lock(this);
2141 
2142  auto* grantee = instance().getUserGrantee(user.userName);
2143  if (grantee) {
2144  object.loadKey(catalog);
2145  auto* found_object = grantee->findDbObject(object.getObjectKey(), false);
2146  if (found_object && found_object->getOwner() == user.userId) {
2147  return true;
2148  }
2149  }
2150  return false;
2151 }
2152 
2154  const UserMetadata& new_owner,
2155  const UserMetadata& previous_owner,
2156  DBObject object,
2157  const Catalog_Namespace::Catalog& catalog,
2158  const SysCatalog::UpdateQueries& update_queries,
2159  bool revoke_privileges) {
2160  sys_write_lock write_lock(this);
2161  if (new_owner.is_temporary || previous_owner.is_temporary) {
2162  throw std::runtime_error("ownership change not allowed for temporary user(s)");
2163  }
2165  object.loadKey(catalog);
2166  switch (object.getType()) {
2167  case TableDBObjectType:
2168  object.setPrivileges(AccessPrivileges::ALL_TABLE);
2169  break;
2170  case DashboardDBObjectType:
2171  object.setPrivileges(AccessPrivileges::ALL_DASHBOARD);
2172  break;
2173  case ServerDBObjectType:
2174  object.setPrivileges(AccessPrivileges::ALL_SERVER);
2175  break;
2176  case DatabaseDBObjectType:
2177  object.setPrivileges(AccessPrivileges::ALL_DATABASE);
2178  break;
2179  case ViewDBObjectType:
2180  object.setPrivileges(AccessPrivileges::ALL_VIEW);
2181  break;
2182  default:
2183  UNREACHABLE(); // unkown object type
2184  break;
2185  }
2186  sqliteConnector_->query("BEGIN TRANSACTION");
2187  try {
2188  if (!new_owner.isSuper) { // no need to grant to suser, has all privs by default
2189  grantDBObjectPrivileges_unsafe(new_owner.userName, object, catalog);
2190  }
2191  if (!previous_owner.isSuper && revoke_privileges) { // no need to revoke from suser
2192  revokeDBObjectPrivileges_unsafe(previous_owner.userName, object, catalog);
2193  }
2194 
2195  // run update queries if specified
2196  for (const auto& update_query : update_queries) {
2197  sqliteConnector_->query_with_text_params(update_query.query,
2198  update_query.text_params);
2199  }
2200 
2201  auto object_key = object.getObjectKey();
2202  sqliteConnector_->query_with_text_params(
2203  "UPDATE mapd_object_permissions SET objectOwnerId = ? WHERE dbId = ? AND "
2204  "objectId = ? AND objectPermissionsType = ?",
2205  std::vector<std::string>{std::to_string(new_owner.userId),
2206  std::to_string(object_key.dbId),
2207  std::to_string(object_key.objectId),
2208  std::to_string(object_key.permissionType)});
2209 
2210  for (const auto& [user_or_role, grantee] : granteeMap_) {
2211  grantee->reassignObjectOwner(object_key, new_owner.userId);
2212  }
2213 
2214  for (const auto& [map_object_key, map_object_descriptor] : objectDescriptorMap_) {
2215  if (map_object_descriptor->objectId == object_key.objectId &&
2216  map_object_descriptor->objectType == object_key.permissionType &&
2217  map_object_descriptor->dbId == object_key.dbId) {
2218  map_object_descriptor->objectOwnerId = new_owner.userId;
2219  }
2220  }
2221  } catch (std::exception& e) {
2222  sqliteConnector_->query("ROLLBACK TRANSACTION");
2224  throw;
2225  }
2226  sqliteConnector_->query("END TRANSACTION");
2227 }
2228 
2230  const UserMetadata& previous_owner,
2231  DBObject object,
2232  const Catalog_Namespace::Catalog& catalog,
2233  bool revoke_privileges) {
2235  new_owner, previous_owner, object, catalog, {}, revoke_privileges);
2236 }
2237 
2238 void SysCatalog::getDBObjectPrivileges(const std::string& granteeName,
2239  DBObject& object,
2240  const Catalog_Namespace::Catalog& catalog) const {
2241  sys_read_lock read_lock(this);
2242  UserMetadata user_meta;
2243 
2244  if (instance().getMetadataForUser(granteeName, user_meta)) {
2245  if (user_meta.isSuper) {
2246  throw runtime_error(
2247  "Request to show privileges from " + granteeName +
2248  " failed because user is super user and has all privileges by default.");
2249  }
2250  }
2251  auto* grantee = instance().getGrantee(granteeName);
2252  if (!grantee) {
2253  throw runtime_error("Request to show privileges for " + granteeName +
2254  " failed because role or user with this name does not exist.");
2255  }
2256  object.loadKey(catalog);
2257  grantee->getPrivileges(object, true);
2258 }
2259 
2260 void SysCatalog::createRole_unsafe(const std::string& roleName,
2261  const bool user_private_role,
2262  const bool is_temporary) {
2263  sys_write_lock write_lock(this);
2264 
2265  auto* grantee = getGrantee(roleName);
2266  if (grantee) {
2267  throw std::runtime_error("CREATE ROLE " + roleName +
2268  " failed because grantee with this name already exists.");
2269  }
2270  std::unique_ptr<Grantee> g;
2271  if (user_private_role) {
2272  g.reset(new User(roleName));
2273  } else {
2274  g.reset(new Role(roleName));
2275  }
2276  grantee = g.get();
2277  granteeMap_[to_upper(roleName)] = std::move(g);
2278 
2279  // NOTE (max): Why create an empty privileges record for a role?
2280  /* grant none privileges to this role and add it to sqlite DB */
2282  DBObjectKey objKey;
2283  // 0 is an id that does not exist
2284  objKey.dbId = 0;
2286  dbObject.setObjectKey(objKey);
2287  grantee->grantPrivileges(dbObject);
2288 
2289  if (!is_temporary) {
2292  sqliteConnector_, roleName, user_private_role, dbObject);
2293  }
2294 }
2295 
2296 void SysCatalog::dropRole_unsafe(const std::string& roleName, const bool is_temporary) {
2297  sys_write_lock write_lock(this);
2298 
2299  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
2300  if (d->second->roleName == roleName) {
2301  d = objectDescriptorMap_.erase(d);
2302  } else {
2303  d++;
2304  }
2305  }
2306  // it may very well be a user "role", so keep it generic
2307  granteeMap_.erase(to_upper(roleName));
2308 
2309  if (!is_temporary) {
2311  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE roleName = ?",
2312  roleName);
2313  sqliteConnector_->query_with_text_param(
2314  "DELETE FROM mapd_object_permissions WHERE roleName = ?", roleName);
2315  }
2316 }
2317 
2318 void SysCatalog::grantRoleBatch_unsafe(const std::vector<std::string>& roles,
2319  const std::vector<std::string>& grantees) {
2320  for (const auto& role : roles) {
2321  for (const auto& grantee : grantees) {
2322  bool is_temporary_user{false};
2323  UserMetadata user;
2324  if (getMetadataForUser(grantee, user)) {
2325  is_temporary_user = user.is_temporary;
2326  }
2327  grantRole_unsafe(role, grantee, is_temporary_user);
2328  }
2329  }
2330 }
2331 
2332 // GRANT ROLE payroll_dept_role TO joe;
2333 void SysCatalog::grantRole_unsafe(const std::string& roleName,
2334  const std::string& granteeName,
2335  const bool is_temporary) {
2336  auto* rl = getRoleGrantee(roleName);
2337  if (!rl) {
2338  throw runtime_error("Request to grant role " + roleName +
2339  " failed because role with this name does not exist.");
2340  }
2341  auto* grantee = getGrantee(granteeName);
2342  if (!grantee) {
2343  throw runtime_error("Request to grant role " + roleName + " failed because grantee " +
2344  granteeName + " does not exist.");
2345  }
2346  sys_write_lock write_lock(this);
2347  if (!grantee->hasRole(rl, true)) {
2348  grantee->grantRole(rl);
2349  if (!is_temporary) {
2351  sqliteConnector_->query_with_text_params(
2352  "INSERT INTO mapd_roles(roleName, userName) VALUES (?, ?)",
2353  std::vector<std::string>{rl->getName(), grantee->getName()});
2354  }
2355  }
2356 }
2357 
2358 void SysCatalog::revokeRoleBatch_unsafe(const std::vector<std::string>& roles,
2359  const std::vector<std::string>& grantees) {
2360  for (const auto& role : roles) {
2361  for (const auto& grantee : grantees) {
2362  bool is_temporary_user{false};
2363  UserMetadata user;
2364  if (getMetadataForUser(grantee, user)) {
2365  is_temporary_user = user.is_temporary;
2366  }
2367  revokeRole_unsafe(role, grantee, is_temporary_user);
2368  }
2369  }
2370 }
2371 
2372 // REVOKE ROLE payroll_dept_role FROM joe;
2373 void SysCatalog::revokeRole_unsafe(const std::string& roleName,
2374  const std::string& granteeName,
2375  const bool is_temporary) {
2376  auto* rl = getRoleGrantee(roleName);
2377  if (!rl) {
2378  throw runtime_error("Request to revoke role " + roleName +
2379  " failed because role with this name does not exist.");
2380  }
2381  auto* grantee = getGrantee(granteeName);
2382  if (!grantee) {
2383  throw runtime_error("Request to revoke role from " + granteeName +
2384  " failed because grantee with this name does not exist.");
2385  }
2386  sys_write_lock write_lock(this);
2387  grantee->revokeRole(rl);
2388  if (!is_temporary) {
2390  sqliteConnector_->query_with_text_params(
2391  "DELETE FROM mapd_roles WHERE roleName = ? AND userName = ?",
2392  std::vector<std::string>{rl->getName(), grantee->getName()});
2393  }
2394 }
2395 
2396 // Update or add element in ObjectRoleDescriptorMap
2397 void SysCatalog::updateObjectDescriptorMap(const std::string& roleName,
2398  DBObject& object,
2399  bool roleType,
2401  bool present = false;
2402  auto privs = object.getPrivileges();
2403  sys_write_lock write_lock(this);
2404  auto range = objectDescriptorMap_.equal_range(
2405  std::to_string(cat.getCurrentDB().dbId) + ":" +
2406  std::to_string(object.getObjectKey().permissionType) + ":" +
2407  std::to_string(object.getObjectKey().objectId));
2408  for (auto d = range.first; d != range.second; ++d) {
2409  if (d->second->roleName == roleName) {
2410  // overwrite permissions
2411  d->second->privs = privs;
2412  present = true;
2413  }
2414  }
2415  if (!present) {
2416  auto od = std::make_unique<ObjectRoleDescriptor>();
2417  od->roleName = roleName;
2418  od->roleType = roleType;
2419  od->objectType = object.getObjectKey().permissionType;
2420  od->dbId = object.getObjectKey().dbId;
2421  od->objectId = object.getObjectKey().objectId;
2422  od->privs = object.getPrivileges();
2423  od->objectOwnerId = object.getOwner();
2424  od->objectName = object.getName();
2425  objectDescriptorMap_.insert(ObjectRoleDescriptorMap::value_type(
2426  std::to_string(od->dbId) + ":" + std::to_string(od->objectType) + ":" +
2427  std::to_string(od->objectId),
2428  std::move(od)));
2429  }
2430 }
2431 
2432 // rename object descriptors
2435  sys_write_lock write_lock(this);
2437  auto range = objectDescriptorMap_.equal_range(
2438  std::to_string(cat.getCurrentDB().dbId) + ":" +
2439  std::to_string(object.getObjectKey().permissionType) + ":" +
2440  std::to_string(object.getObjectKey().objectId));
2441  for (auto d = range.first; d != range.second; ++d) {
2442  // rename object
2443  d->second->objectName = object.getName();
2444  }
2445 
2446  sqliteConnector_->query("BEGIN TRANSACTION");
2447  try {
2448  sqliteConnector_->query_with_text_params(
2449  "UPDATE mapd_object_permissions SET objectName = ?1 WHERE "
2450  "dbId = ?2 AND objectId = ?3",
2451  std::vector<std::string>{object.getName(),
2453  std::to_string(object.getObjectKey().objectId)});
2454  } catch (const std::exception& e) {
2455  sqliteConnector_->query("ROLLBACK TRANSACTION");
2456  throw;
2457  }
2458  sqliteConnector_->query("END TRANSACTION");
2459 }
2460 
2461 // Remove user/role from ObjectRoleDescriptorMap
2462 void SysCatalog::deleteObjectDescriptorMap(const std::string& roleName) {
2463  sys_write_lock write_lock(this);
2464 
2465  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
2466  if (d->second->roleName == roleName) {
2467  d = objectDescriptorMap_.erase(d);
2468  } else {
2469  d++;
2470  }
2471  }
2472 }
2473 
2474 // Remove element from ObjectRoleDescriptorMap
2475 void SysCatalog::deleteObjectDescriptorMap(const std::string& roleName,
2476  DBObject& object,
2477  const Catalog_Namespace::Catalog& cat) {
2478  sys_write_lock write_lock(this);
2479  auto range = objectDescriptorMap_.equal_range(
2480  std::to_string(cat.getCurrentDB().dbId) + ":" +
2481  std::to_string(object.getObjectKey().permissionType) + ":" +
2482  std::to_string(object.getObjectKey().objectId));
2483  for (auto d = range.first; d != range.second;) {
2484  // remove the entry
2485  if (d->second->roleName == roleName) {
2486  d = objectDescriptorMap_.erase(d);
2487  } else {
2488  d++;
2489  }
2490  }
2491 }
2492 
2494  std::vector<DBObject>& privObjects) {
2495  sys_read_lock read_lock(this);
2496  if (user.isSuper) {
2497  return true;
2498  }
2499  auto* user_rl = instance().getUserGrantee(user.userName);
2500  if (!user_rl) {
2501  throw runtime_error("Cannot check privileges. User " + user.userLoggable() +
2502  " does not exist.");
2503  }
2504  for (std::vector<DBObject>::iterator objectIt = privObjects.begin();
2505  objectIt != privObjects.end();
2506  ++objectIt) {
2507  if (!user_rl->hasAnyPrivileges(*objectIt, false)) {
2508  return false;
2509  }
2510  }
2511  return true;
2512 }
2513 
2515  const std::vector<DBObject>& privObjects) const {
2516  sys_read_lock read_lock(this);
2517  if (user.isSuper) {
2518  return true;
2519  }
2520 
2521  auto* user_rl = instance().getUserGrantee(user.userName);
2522  if (!user_rl) {
2523  throw runtime_error("Cannot check privileges. User " + user.userLoggable() +
2524  " does not exist.");
2525  }
2526  for (auto& object : privObjects) {
2527  if (!user_rl->checkPrivileges(object)) {
2528  return false;
2529  }
2530  }
2531  return true;
2532 }
2533 
2534 bool SysCatalog::checkPrivileges(const std::string& userName,
2535  const std::vector<DBObject>& privObjects) const {
2536  UserMetadata user;
2537  if (!instance().getMetadataForUser(userName, user)) {
2538  std::string const loggable = g_log_user_id ? std::string("") : userName + ' ';
2539  throw runtime_error("Request to check privileges for user " + loggable +
2540  "failed because user with this name does not exist.");
2541  }
2542  return (checkPrivileges(user, privObjects));
2543 }
2544 
2545 Grantee* SysCatalog::getGrantee(const std::string& name) const {
2546  sys_read_lock read_lock(this);
2547  auto grantee = granteeMap_.find(to_upper(name));
2548  if (grantee == granteeMap_.end()) { // check to make sure role exists
2549  return nullptr;
2550  }
2551  return grantee->second.get(); // returns pointer to role
2552 }
2553 
2554 Role* SysCatalog::getRoleGrantee(const std::string& name) const {
2555  return dynamic_cast<Role*>(getGrantee(name));
2556 }
2557 
2558 User* SysCatalog::getUserGrantee(const std::string& name) const {
2559  return dynamic_cast<User*>(getGrantee(name));
2560 }
2561 
2562 std::vector<ObjectRoleDescriptor*>
2563 SysCatalog::getMetadataForObject(int32_t dbId, int32_t dbType, int32_t objectId) const {
2564  sys_read_lock read_lock(this);
2565  std::vector<ObjectRoleDescriptor*> objectsList;
2566 
2567  auto range = objectDescriptorMap_.equal_range(std::to_string(dbId) + ":" +
2568  std::to_string(dbType) + ":" +
2569  std::to_string(objectId));
2570  for (auto d = range.first; d != range.second; ++d) {
2571  objectsList.push_back(d->second.get());
2572  }
2573  return objectsList; // return pointers to objects
2574 }
2575 
2576 std::vector<ObjectRoleDescriptor> SysCatalog::getMetadataForAllObjects() const {
2577  sys_read_lock read_lock(this);
2578  std::vector<ObjectRoleDescriptor> objects;
2579  for (const auto& entry : objectDescriptorMap_) {
2580  auto object_role = entry.second.get();
2581  if (object_role->dbId != 0 && !isDashboardSystemRole(object_role->roleName)) {
2582  objects.emplace_back(*object_role);
2583  }
2584  }
2585  return objects;
2586 }
2587 
2588 bool SysCatalog::isRoleGrantedToGrantee(const std::string& granteeName,
2589  const std::string& roleName,
2590  bool only_direct) const {
2591  sys_read_lock read_lock(this);
2592  if (roleName == granteeName) {
2593  return true;
2594  }
2595  bool is_role_granted = false;
2596  auto* target_role = instance().getRoleGrantee(roleName);
2597  auto has_role = [&](auto grantee_rl) {
2598  is_role_granted = target_role && grantee_rl->hasRole(target_role, only_direct);
2599  };
2600  if (auto* user_role = instance().getUserGrantee(granteeName); user_role) {
2601  has_role(user_role);
2602  } else if (auto* role = instance().getRoleGrantee(granteeName); role) {
2603  has_role(role);
2604  } else {
2605  CHECK(false);
2606  }
2607  return is_role_granted;
2608 }
2609 
2610 bool SysCatalog::isDashboardSystemRole(const std::string& roleName) const {
2611  return boost::algorithm::ends_with(roleName, SYSTEM_ROLE_TAG);
2612 }
2613 
2614 std::vector<std::string> SysCatalog::getRoles(const std::string& user_name,
2615  bool effective) {
2616  sys_read_lock read_lock(this);
2617  auto* grantee = getGrantee(user_name);
2618  if (!grantee) {
2619  throw std::runtime_error("user or role not found");
2620  }
2621  return grantee->getRoles(/*only_direct=*/!effective);
2622 }
2623 
2624 std::vector<std::string> SysCatalog::getRoles(const std::string& userName,
2625  const int32_t dbId) {
2626  sys_sqlite_lock sqlite_lock(this);
2627  std::string sql =
2628  "SELECT DISTINCT roleName FROM mapd_object_permissions WHERE "
2629  "objectPermissions<>0 "
2630  "AND roleType=0 AND dbId=" +
2631  std::to_string(dbId);
2632  sqliteConnector_->query(sql);
2633  int numRows = sqliteConnector_->getNumRows();
2634  std::vector<std::string> roles(0);
2635  for (int r = 0; r < numRows; ++r) {
2636  auto roleName = sqliteConnector_->getData<string>(r, 0);
2637  if (isRoleGrantedToGrantee(userName, roleName, false) &&
2638  !isDashboardSystemRole(roleName)) {
2639  roles.push_back(roleName);
2640  }
2641  }
2642  return roles;
2643 }
2644 
2645 std::vector<std::string> SysCatalog::getRoles(bool include_user_private_role,
2646  bool is_super,
2647  const std::string& user_name,
2648  bool ignore_deleted_user) {
2649  sys_read_lock read_lock(this);
2650  if (ignore_deleted_user) {
2651  // In certain cases, it is possible to concurrently call this method while the user is
2652  // being dropped. In such a case, return an empty result.
2653  UserMetadata user;
2654  if (!getMetadataForUser(user_name, user)) {
2655  return {};
2656  }
2657  }
2658  std::vector<std::string> roles;
2659  for (auto& grantee : granteeMap_) {
2660  if (!include_user_private_role && grantee.second->isUser()) {
2661  continue;
2662  }
2663  if (!is_super &&
2664  !isRoleGrantedToGrantee(user_name, grantee.second->getName(), false)) {
2665  continue;
2666  }
2667  if (isDashboardSystemRole(grantee.second->getName())) {
2668  continue;
2669  }
2670  roles.push_back(grantee.second->getName());
2671  }
2672  return roles;
2673 }
2674 
2675 std::set<std::string> SysCatalog::getCreatedRoles() const {
2676  sys_read_lock read_lock(this);
2677  std::set<std::string> roles; // Sorted for human readers.
2678  for (const auto& [key, grantee] : granteeMap_) {
2679  if (!grantee->isUser() && !isDashboardSystemRole(grantee->getName())) {
2680  roles.emplace(grantee->getName());
2681  }
2682  }
2683  return roles;
2684 }
2685 
2687  granteeMap_.clear();
2688  string roleQuery(
2689  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
2690  "objectPermissions, objectOwnerId, objectName "
2691  "from mapd_object_permissions");
2692  sqliteConnector_->query(roleQuery);
2693  size_t numRows = sqliteConnector_->getNumRows();
2694  std::vector<std::string> objectKeyStr(4);
2695  DBObjectKey objectKey;
2696  AccessPrivileges privs;
2697  bool userPrivateRole{false};
2698  for (size_t r = 0; r < numRows; ++r) {
2699  std::string roleName = sqliteConnector_->getData<string>(r, 0);
2700  userPrivateRole = sqliteConnector_->getData<bool>(r, 1);
2701  DBObjectType permissionType =
2702  static_cast<DBObjectType>(sqliteConnector_->getData<int>(r, 2));
2703  objectKeyStr[0] = sqliteConnector_->getData<string>(r, 2);
2704  objectKeyStr[1] = sqliteConnector_->getData<string>(r, 3);
2705  objectKeyStr[2] = sqliteConnector_->getData<string>(r, 4);
2706  objectKey = DBObjectKey::fromString(objectKeyStr, permissionType);
2707  privs.privileges = sqliteConnector_->getData<int>(r, 5);
2708  int32_t owner = sqliteConnector_->getData<int>(r, 6);
2709  std::string name = sqliteConnector_->getData<string>(r, 7);
2710 
2711  DBObject dbObject(objectKey, privs, owner);
2712  dbObject.setName(name);
2713  if (-1 == objectKey.objectId) {
2714  dbObject.setObjectType(DBObjectType::DatabaseDBObjectType);
2715  } else {
2716  dbObject.setObjectType(permissionType);
2717  }
2718 
2719  auto* rl = getGrantee(roleName);
2720  if (!rl) {
2721  std::unique_ptr<Grantee> g;
2722  if (userPrivateRole) {
2723  g.reset(new User(roleName));
2724  } else {
2725  g.reset(new Role(roleName));
2726  }
2727  rl = g.get();
2728  granteeMap_[to_upper(roleName)] = std::move(g);
2729  }
2730  rl->grantPrivileges(dbObject);
2731  }
2732 }
2733 
2734 void SysCatalog::populateRoleDbObjects(const std::vector<DBObject>& objects) {
2735  sys_write_lock write_lock(this);
2736  sys_sqlite_lock sqlite_lock(this);
2737  sqliteConnector_->query("BEGIN TRANSACTION");
2738  try {
2739  for (auto dbobject : objects) {
2740  UserMetadata user;
2741  CHECK(getMetadataForUserById(dbobject.getOwner(), user));
2742  auto* grantee = getUserGrantee(user.userName);
2743  if (grantee) {
2745  sqliteConnector_, grantee->getName(), true, dbobject);
2746  grantee->grantPrivileges(dbobject);
2747  }
2748  }
2749 
2750  } catch (const std::exception& e) {
2751  sqliteConnector_->query("ROLLBACK TRANSACTION");
2752  throw;
2753  }
2754  sqliteConnector_->query("END TRANSACTION");
2755 }
2756 
2758  std::vector<std::pair<std::string, std::string>> granteeRoles;
2759  string userRoleQuery("SELECT roleName, userName from mapd_roles");
2760  sqliteConnector_->query(userRoleQuery);
2761  size_t numRows = sqliteConnector_->getNumRows();
2762  for (size_t r = 0; r < numRows; ++r) {
2763  std::string roleName = sqliteConnector_->getData<string>(r, 0);
2764  std::string userName = sqliteConnector_->getData<string>(r, 1);
2765  // required for declared nomenclature before v4.0.0
2766  if ((boost::equals(roleName, "mapd_default_suser_role") &&
2767  boost::equals(userName, shared::kRootUsername)) ||
2768  (boost::equals(roleName, "mapd_default_user_role") &&
2769  !boost::equals(userName, "mapd_default_user_role"))) {
2770  // grouprole already exists with roleName==userName in mapd_roles table
2771  // ignore duplicate instances of userRole which exists before v4.0.0
2772  continue;
2773  }
2774  auto* rl = getGrantee(roleName);
2775  if (!rl) {
2776  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2777  " from db not found in the map.");
2778  }
2779  std::pair<std::string, std::string> roleVecElem(roleName, userName);
2780  granteeRoles.push_back(roleVecElem);
2781  }
2782 
2783  for (const auto& [roleName, granteeName] : granteeRoles) {
2784  auto* grantee = getGrantee(granteeName);
2785  if (!grantee) {
2786  throw runtime_error("Data inconsistency when building role map. Grantee " +
2787  granteeName + " not found in the map.");
2788  }
2789  if (granteeName == roleName) {
2790  continue;
2791  }
2792  Role* rl = dynamic_cast<Role*>(getGrantee(roleName));
2793  if (!rl) {
2794  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2795  " not found in the map.");
2796  }
2797  grantee->grantRole(rl);
2798  }
2799 }
2800 
2802  objectDescriptorMap_.clear();
2803  string objectQuery(
2804  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
2805  "objectPermissions, objectOwnerId, objectName "
2806  "from mapd_object_permissions");
2807  sqliteConnector_->query(objectQuery);
2808  size_t numRows = sqliteConnector_->getNumRows();
2809  for (size_t r = 0; r < numRows; ++r) {
2810  auto od = std::make_unique<ObjectRoleDescriptor>();
2811  od->roleName = sqliteConnector_->getData<string>(r, 0);
2812  od->roleType = sqliteConnector_->getData<bool>(r, 1);
2813  od->objectType = sqliteConnector_->getData<int>(r, 2);
2814  od->dbId = sqliteConnector_->getData<int>(r, 3);
2815  od->objectId = sqliteConnector_->getData<int>(r, 4);
2816  od->privs.privileges = sqliteConnector_->getData<int>(r, 5);
2817  od->objectOwnerId = sqliteConnector_->getData<int>(r, 6);
2818  od->objectName = sqliteConnector_->getData<string>(r, 7);
2819  objectDescriptorMap_.insert(ObjectRoleDescriptorMap::value_type(
2820  std::to_string(od->dbId) + ":" + std::to_string(od->objectType) + ":" +
2821  std::to_string(od->objectId),
2822  std::move(od)));
2823  }
2824 }
2825 
2826 template <typename F, typename... Args>
2827 void SysCatalog::execInTransaction(F&& f, Args&&... args) {
2828  sys_write_lock write_lock(this);
2829  sys_sqlite_lock sqlite_lock(this);
2830  sqliteConnector_->query("BEGIN TRANSACTION");
2831  try {
2832  (this->*f)(std::forward<Args>(args)...);
2833  } catch (std::exception&) {
2834  sqliteConnector_->query("ROLLBACK TRANSACTION");
2835  throw;
2836  }
2837  sqliteConnector_->query("END TRANSACTION");
2838 }
2839 
2840 void SysCatalog::createRole(const std::string& roleName,
2841  const bool user_private_role,
2842  const bool is_temporary) {
2844  &SysCatalog::createRole_unsafe, roleName, user_private_role, is_temporary);
2845 }
2846 
2847 void SysCatalog::dropRole(const std::string& roleName, const bool is_temporary) {
2848  execInTransaction(&SysCatalog::dropRole_unsafe, roleName, is_temporary);
2849 }
2850 
2851 void SysCatalog::grantRoleBatch(const std::vector<std::string>& roles,
2852  const std::vector<std::string>& grantees) {
2854 }
2855 
2856 void SysCatalog::grantRole(const std::string& role,
2857  const std::string& grantee,
2858  const bool is_temporary) {
2859  execInTransaction(&SysCatalog::grantRole_unsafe, role, grantee, is_temporary);
2860 }
2861 
2862 void SysCatalog::revokeRoleBatch(const std::vector<std::string>& roles,
2863  const std::vector<std::string>& grantees) {
2865 }
2866 
2867 void SysCatalog::revokeRole(const std::string& role,
2868  const std::string& grantee,
2869  const bool is_temporary) {
2870  execInTransaction(&SysCatalog::revokeRole_unsafe, role, grantee, is_temporary);
2871 }
2872 
2873 void SysCatalog::grantDBObjectPrivileges(const string& grantee,
2874  const DBObject& object,
2875  const Catalog_Namespace::Catalog& catalog) {
2877  &SysCatalog::grantDBObjectPrivileges_unsafe, grantee, object, catalog);
2878 }
2879 
2880 void SysCatalog::grantDBObjectPrivilegesBatch(const vector<string>& grantees,
2881  const vector<DBObject>& objects,
2882  const Catalog_Namespace::Catalog& catalog) {
2884  &SysCatalog::grantDBObjectPrivilegesBatch_unsafe, grantees, objects, catalog);
2885 }
2886 
2887 void SysCatalog::revokeDBObjectPrivileges(const string& grantee,
2888  const DBObject& object,
2889  const Catalog_Namespace::Catalog& catalog) {
2891  &SysCatalog::revokeDBObjectPrivileges_unsafe, grantee, object, catalog);
2892 }
2893 
2895  const vector<string>& grantees,
2896  const vector<DBObject>& objects,
2897  const Catalog_Namespace::Catalog& catalog) {
2899  &SysCatalog::revokeDBObjectPrivilegesBatch_unsafe, grantees, objects, catalog);
2900 }
2901 
2904 }
2905 
2907  Catalog* catalog) {
2910 }
2911 
2912 void SysCatalog::syncUserWithRemoteProvider(const std::string& user_name,
2913  std::vector<std::string> idp_roles,
2914  UserAlterations alts) {
2915  // need to escalate to a write lock
2916  // need to unlock the read lock
2917  sys_read_lock read_lock(this);
2918  read_lock.unlock();
2919  sys_write_lock write_lock(this);
2920  bool enable_idp_temporary_users{g_enable_idp_temporary_users && g_read_only};
2921  if (auto user = getUser(user_name); !user) {
2922  if (!alts.passwd) {
2923  alts.passwd = generate_random_string(72);
2924  }
2925  user = createUser(user_name, alts, /*is_temporary=*/enable_idp_temporary_users);
2926  LOG(INFO) << "Remote identity provider created user [" << user->userLoggable()
2927  << "] with (" << alts.toString() << ")";
2928  } else if (alts.wouldChange(*user)) {
2929  user = alterUser(user->userName, alts);
2930  LOG(INFO) << "Remote identity provider altered user [" << user->userLoggable()
2931  << "] with (" << alts.toString() << ")";
2932  }
2933  std::vector<std::string> current_roles = {};
2934  auto* user_rl = getUserGrantee(user_name);
2935  if (user_rl) {
2936  current_roles = user_rl->getRoles();
2937  }
2939  current_roles.begin(), current_roles.end(), current_roles.begin(), to_upper);
2940  std::transform(idp_roles.begin(), idp_roles.end(), idp_roles.begin(), to_upper);
2941  std::list<std::string> roles_revoked, roles_granted;
2942  // first remove obsolete ones
2943  for (auto& current_role_name : current_roles) {
2944  if (std::find(idp_roles.begin(), idp_roles.end(), current_role_name) ==
2945  idp_roles.end()) {
2946  revokeRole(current_role_name,
2947  user_name,
2948  /*is_temporary=*/enable_idp_temporary_users);
2949  roles_revoked.push_back(current_role_name);
2950  }
2951  }
2952  for (auto& role_name : idp_roles) {
2953  if (std::find(current_roles.begin(), current_roles.end(), role_name) ==
2954  current_roles.end()) {
2955  auto* rl = getRoleGrantee(role_name);
2956  if (rl) {
2957  grantRole(role_name,
2958  user_name,
2959  /*is_temporary=*/enable_idp_temporary_users);
2960  roles_granted.push_back(role_name);
2961  } else {
2962  LOG(WARNING) << "Error synchronizing roles for user " << user_name << ": role "
2963  << role_name << " does not exist";
2964  }
2965  }
2966  }
2967  if (roles_granted.empty() && roles_revoked.empty()) {
2968  LOG(INFO) << "Roles for user " << user_name
2969  << " are up to date with remote identity provider";
2970  } else {
2971  if (!roles_revoked.empty()) {
2972  LOG(INFO) << "Roles revoked during synchronization with identity provider for user "
2973  << user_name << ": " << join(roles_revoked, " ");
2974  }
2975  if (!roles_granted.empty()) {
2976  LOG(INFO) << "Roles granted during synchronization with identity provider for user "
2977  << user_name << ": " << join(roles_granted, " ");
2978  }
2979  }
2980 }
2981 
2982 std::unordered_map<std::string, std::vector<std::string>>
2983 SysCatalog::getGranteesOfSharedDashboards(const std::vector<std::string>& dashboard_ids) {
2984  sys_sqlite_lock sqlite_lock(this);
2985  std::unordered_map<std::string, std::vector<std::string>> active_grantees;
2986  sqliteConnector_->query("BEGIN TRANSACTION");
2987  try {
2988  for (auto dash : dashboard_ids) {
2989  std::vector<std::string> grantees = {};
2990  sqliteConnector_->query_with_text_params(
2991  "SELECT roleName FROM mapd_object_permissions WHERE objectPermissions NOT IN "
2992  "(0,1) AND objectPermissionsType = ? AND objectId = ?",
2993  std::vector<std::string>{
2994  std::to_string(static_cast<int32_t>(DashboardDBObjectType)), dash});
2995  int num_rows = sqliteConnector_->getNumRows();
2996  if (num_rows == 0) {
2997  // no grantees
2998  continue;
2999  } else {
3000  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
3001  grantees.push_back(sqliteConnector_->getData<string>(i, 0));
3002  }
3003  active_grantees[dash] = grantees;
3004  }
3005  }
3006  } catch (const std::exception& e) {
3007  sqliteConnector_->query("ROLLBACK TRANSACTION");
3008  throw;
3009  }
3010  sqliteConnector_->query("END TRANSACTION");
3011  return active_grantees;
3012 }
3013 
3014 std::shared_ptr<Catalog> SysCatalog::getCatalog(const std::string& dbName) {
3015  dbid_to_cat_map::const_accessor cata;
3016  if (cat_map_.find(cata, to_upper(dbName))) {
3017  return cata->second;
3018  } else {
3020  if (getMetadataForDB(dbName, db_meta)) {
3021  return getCatalog(db_meta, false);
3022  } else {
3023  return nullptr;
3024  }
3025  }
3026 }
3027 
3028 std::shared_ptr<Catalog> SysCatalog::getCatalog(const int32_t db_id) {
3029  dbid_to_cat_map::const_accessor cata;
3030  for (dbid_to_cat_map::iterator cat_it = cat_map_.begin(); cat_it != cat_map_.end();
3031  ++cat_it) {
3032  if (cat_it->second->getDatabaseId() == db_id) {
3033  return cat_it->second;
3034  }
3035  }
3036  return nullptr;
3037 }
3038 
3039 std::shared_ptr<Catalog> SysCatalog::getCatalog(const DBMetadata& curDB, bool is_new_db) {
3040  const auto key = to_upper(curDB.dbName);
3041  {
3042  dbid_to_cat_map::const_accessor cata;
3043  if (cat_map_.find(cata, key)) {
3044  return cata->second;
3045  }
3046  }
3047 
3048  // Catalog doesnt exist
3049  // has to be made outside of lock as migration uses cat
3050  auto cat = std::make_shared<Catalog>(
3051  basePath_, curDB, dataMgr_, string_dict_hosts_, calciteMgr_, is_new_db);
3052 
3053  dbid_to_cat_map::accessor cata;
3054 
3055  if (cat_map_.find(cata, key)) {
3056  return cata->second;
3057  }
3058 
3059  cat_map_.insert(cata, key);
3060  cata->second = cat;
3061 
3062  return cat;
3063 }
3064 
3065 void SysCatalog::removeCatalog(const std::string& dbName) {
3066  cat_map_.erase(to_upper(dbName));
3067 }
3068 
3070  const std::map<int32_t, std::vector<DBObject>>& old_owner_db_objects,
3071  int32_t new_owner_id,
3072  const Catalog_Namespace::Catalog& catalog) {
3073  sys_write_lock write_lock(this);
3074  sys_sqlite_lock sqlite_lock(this);
3075 
3076  sqliteConnector_->query("BEGIN TRANSACTION");
3077  try {
3078  UserMetadata new_owner;
3079  CHECK(getMetadataForUserById(new_owner_id, new_owner));
3080  for (const auto& [old_owner_id, db_objects] : old_owner_db_objects) {
3081  UserMetadata old_owner;
3082  CHECK(getMetadataForUserById(old_owner_id, old_owner));
3083  if (!old_owner.isSuper) {
3084  revokeDBObjectPrivilegesBatch_unsafe({old_owner.userName}, db_objects, catalog);
3085  }
3086  if (!new_owner.isSuper) {
3087  grantDBObjectPrivilegesBatch_unsafe({new_owner.userName}, db_objects, catalog);
3088  }
3089  }
3090 
3091  std::set<int32_t> old_owner_ids;
3092  for (const auto& [old_owner_id, db_objects] : old_owner_db_objects) {
3093  old_owner_ids.emplace(old_owner_id);
3094  }
3095 
3096  auto db_id = catalog.getDatabaseId();
3097  for (const auto old_user_id : old_owner_ids) {
3098  sqliteConnector_->query_with_text_params(
3099  "UPDATE mapd_object_permissions SET objectOwnerId = ? WHERE objectOwnerId = ? "
3100  "AND dbId = ? AND objectId != -1",
3101  std::vector<std::string>{std::to_string(new_owner_id),
3102  std::to_string(old_user_id),
3103  std::to_string(db_id)});
3104  }
3105 
3106  for (const auto& [user_or_role, grantee] : granteeMap_) {
3107  grantee->reassignObjectOwners(old_owner_ids, new_owner_id, db_id);
3108  }
3109 
3110  for (const auto& [object_key, object_descriptor] : objectDescriptorMap_) {
3111  if (object_descriptor->objectId != -1 && object_descriptor->dbId == db_id &&
3112  shared::contains(old_owner_ids, object_descriptor->objectOwnerId)) {
3113  object_descriptor->objectOwnerId = new_owner_id;
3114  }
3115  }
3116  } catch (std::exception& e) {
3117  sqliteConnector_->query("ROLLBACK TRANSACTION");
3119  throw;
3120  }
3121  sqliteConnector_->query("END TRANSACTION");
3122 }
3123 
3126  sys_write_lock write_lock(this);
3127  DBMetadata db_metadata;
3128  if (getMetadataForDB(shared::kInfoSchemaDbName, db_metadata)) {
3129  LOG(WARNING) << "A database with name \"" << shared::kInfoSchemaDbName
3130  << "\" already exists. System table creation will be skipped. Rename "
3131  "this database in order to use system tables.";
3132  } else {
3134  try {
3136  } catch (...) {
3138  dropDatabase(db_metadata);
3139  throw;
3140  }
3141  }
3142  }
3143 }
3144 
3145 bool SysCatalog::hasExecutedMigration(const std::string& migration_name) const {
3146  if (hasVersionHistoryTable()) {
3147  sys_sqlite_lock sqlite_lock(this);
3148  sqliteConnector_->query_with_text_params(
3149  "SELECT migration_history FROM mapd_version_history WHERE migration_history = ?",
3150  std::vector<std::string>{migration_name});
3151  return (sqliteConnector_->getNumRows() > 0);
3152  }
3153  return false;
3154 }
3155 
3156 void SysCatalog::recordExecutedMigration(const std::string& migration_name) const {
3157  if (!hasVersionHistoryTable()) {
3159  }
3160  sys_sqlite_lock sqlite_lock(this);
3161  sqliteConnector_->query_with_text_params(
3162  "INSERT INTO mapd_version_history(version, migration_history) values(?, ?)",
3163  std::vector<std::string>{std::to_string(MAPD_VERSION), migration_name});
3164 }
3165 
3167  sys_sqlite_lock sqlite_lock(this);
3168  sqliteConnector_->query(
3169  "select name from sqlite_master WHERE type='table' AND "
3170  "name='mapd_version_history'");
3171  return (sqliteConnector_->getNumRows() > 0);
3172 }
3173 
3175  sys_sqlite_lock sqlite_lock(this);
3176  sqliteConnector_->query(
3177  "CREATE TABLE mapd_version_history(version integer, migration_history text "
3178  "unique)");
3179 }
3180 
3182  // Rebuild updated maps from storage
3183  granteeMap_.clear();
3185  objectDescriptorMap_.clear();
3187 }
3188 
3189 const TableDescriptor* get_metadata_for_table(const ::shared::TableKey& table_key,
3190  bool populate_fragmenter) {
3191  const auto catalog = SysCatalog::instance().getCatalog(table_key.db_id);
3192  CHECK(catalog);
3193  return catalog->getMetadataForTable(table_key.table_id, populate_fragmenter);
3194 }
3195 
3197  const auto catalog = SysCatalog::instance().getCatalog(column_key.db_id);
3198  CHECK(catalog);
3199  return catalog->getMetadataForColumn(column_key.table_id, column_key.column_id);
3200 }
3201 } // namespace Catalog_Namespace
std::optional< std::string > passwd
Definition: SysCatalog.h:117
bool contains(const T &container, const U &element)
Definition: misc.h:195
static const AccessPrivileges VIEW_SQL_EDITOR
Definition: DBObject.h:152
auto get_users(SysCatalog &syscat, std::unique_ptr< SqliteConnector > &sqliteConnector, const int32_t dbId=-1)
void recordExecutedMigration(const std::string &migration_name) const
bool hasAnyPrivilegesOnDb(int32_t dbId, bool only_direct) const
Definition: Grantee.cpp:95
void revokeAllOnDatabase_unsafe(const std::string &roleName, int32_t dbId, Grantee *grantee)
const int kRootUserId
const std::string kDataDirectoryName
void revokeDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
std::tuple< int, std::string > ColumnKey
Definition: Types.h:37
void dropUserUnchecked(const std::string &name, const UserMetadata &user)
std::vector< Catalog * > getCatalogsForAllDbs()
bool g_multi_instance
Definition: heavyai_locks.h:21
void dropUser(const std::string &name)
std::string cat(Ts &&...args)
DBObjectKey getObjectKey() const
Definition: DBObject.h:221
auto duplicateAndRenameCatalog(std::string const &current_name, std::string const &new_name)
Definition: SysCatalog.cpp:174
std::optional< std::string > default_db
Definition: SysCatalog.h:119
class for a per-database catalog. also includes metadata for the current database and the current use...
Definition: Catalog.h:132
void changeDBObjectOwnership(const UserMetadata &new_owner, const UserMetadata &previous_owner, DBObject object, const Catalog_Namespace::Catalog &catalog, bool revoke_privileges=true)
heavyai::shared_lock< heavyai::shared_mutex > read_lock
static const AccessPrivileges ALL_DATABASE
Definition: DBObject.h:151
virtual void grantPrivileges(const DBObject &object)
Definition: Grantee.cpp:105
DBObjectType
Definition: DBObject.h:40
std::set< std::string > getCreatedRoles() const
void grantRole(const std::string &role, const std::string &grantee, const bool is_temporary=false)
void updatePrivileges(const DBObject &object)
Definition: DBObject.cpp:152
void revokeRole(const std::string &role, const std::string &grantee, const bool is_temporary=false)
static const AccessPrivileges ALL_TABLE_MIGRATE
Definition: DBObject.h:156
#define LOG(tag)
Definition: Logger.h:285
bool checkPasswordForUser(const std::string &passwd, std::string &name, UserMetadata &user)
static const int32_t ALL
Definition: DBObject.h:77
void revokeDBObjectPrivileges_unsafe(const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
static void relaxMigrationLock()
std::optional< UserMetadata > getUser(std::string const &uname)
Definition: SysCatalog.h:203
void checkDuplicateCaseInsensitiveDbNames() const
Definition: SysCatalog.cpp:900
void createRole_unsafe(const std::string &roleName, const bool userPrivateRole, const bool is_temporary)
void revokeDBObjectPrivilegesFromAll(DBObject object, Catalog *catalog)
bool getMetadataForUser(const std::string &name, UserMetadata &user)
void revokeDBObjectPrivileges(const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
void removeCatalog(const std::string &dbName)
static bool parseUserMetadataFromSQLite(const std::unique_ptr< SqliteConnector > &conn, UserMetadata &user, int row)
std::string name() const
Definition: SysCatalog.h:358
std::string join(T const &container, std::string const &delim)
#define UNREACHABLE()
Definition: Logger.h:337
void createRole(const std::string &roleName, const bool user_private_role, const bool is_temporary=false)
const TableDescriptor * get_metadata_for_table(const ::shared::TableKey &table_key, bool populate_fragmenter)
const std::string kSystemCatalogName
const ColumnDescriptor * get_metadata_for_column(const ::shared::ColumnKey &column_key)
void setObjectKey(const DBObjectKey &objectKey)
Definition: DBObject.h:225
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
void changeDatabaseOwner(std::string const &dbname, const std::string &new_owner)
Definition: Grantee.h:75
Grantee * getGrantee(const std::string &name) const
void dropDatabase(const DBMetadata &db)
void loginImpl(std::string &username, const std::string &password, UserMetadata &user_meta)
Definition: SysCatalog.cpp:949
int32_t objectId
Definition: DBObject.h:55
void setName(std::string name)
Definition: DBObject.h:218
Definition: Grantee.h:81
std::vector< ObjectRoleDescriptor > getMetadataForAllObjects() const
heavyai::unique_lock< heavyai::shared_mutex > write_lock
const std::string kDefaultExportDirName
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
void setPrivileges(const AccessPrivileges &privs)
Definition: DBObject.h:227
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, const DBObject &object)
Definition: SysCatalog.cpp:514
const std::string kInfoSchemaDbName
void reassignObjectOwners(const std::map< int32_t, std::vector< DBObject >> &old_owner_db_objects, int32_t new_owner_id, const Catalog_Namespace::Catalog &catalog)
dsqliteMutex_(std::make_unique< heavyai::DistributedSharedMutex >(std::filesystem::path(basePath_)/shared::kLockfilesDirectoryName/shared::kCatalogDirectoryName/(currentDB_.dbName+".sqlite.lockfile")))
std::string toString(bool hide_password=true) const
std::list< UpdateQuery > UpdateQueries
Definition: SysCatalog.h:434
std::optional< bool > is_super
Definition: SysCatalog.h:118
void createDBObject(const UserMetadata &user, const std::string &objectName, DBObjectType type, const Catalog_Namespace::Catalog &catalog, int32_t objectId=-1)
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
constexpr double f
Definition: Utm.h:31
std::string to_string(char const *&&v)
void getDBObjectPrivileges(const std::string &granteeName, DBObject &object, const Catalog_Namespace::Catalog &catalog) const
void revokeRole_unsafe(const std::string &roleName, const std::string &granteeName, const bool is_temporary)
bool hasVersionHistoryTable() const
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
static const AccessPrivileges ALL_VIEW
Definition: DBObject.h:177
void grantRoleBatch(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
std::unique_ptr< PkiServer > pki_server_
Definition: SysCatalog.h:511
void revokeDBObjectPrivilegesBatch(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void grantRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
This file contains the class specification and related data structures for Catalog.
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
void renameDBObject(const std::string &objectName, const std::string &newName, DBObjectType type, int32_t objectId, const Catalog_Namespace::Catalog &catalog)
static DBObjectKey fromString(const std::vector< std::string > &key, const DBObjectType &type)
Definition: DBObject.cpp:271
static SysCatalog & instance()
Definition: SysCatalog.h:343
This file contains the class specification and related data structures for SysCatalog.
bool g_enable_idp_temporary_users
Definition: SysCatalog.cpp:63
bool wouldChange(UserMetadata const &user_meta) const
Classes representing a parse tree.
void setPermissionType(const DBObjectType &permissionType)
Definition: DBObject.cpp:160
void getMetadataWithDefaultDB(std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:248
bool g_enable_system_tables
Definition: SysCatalog.cpp:64
const std::string kDefaultDbName
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
static const std::string getForeignTableSchema(bool if_not_exists=false)
Definition: Catalog.cpp:782
std::string g_base_path
Definition: SysCatalog.cpp:62
void init(LogOptions const &log_opts)
Definition: Logger.cpp:360
std::string generate_random_string(const size_t len)
DEVICE auto copy(ARGS &&...args)
Definition: gpu_enabled.h:51
#define CHECK_NE(x, y)
Definition: Logger.h:302
std::unordered_map< std::string, std::shared_ptr< UserMetadata > > temporary_users_by_name_
Definition: SysCatalog.h:542
virtual void revokeAllOnDatabase(int32_t dbId)
Definition: Grantee.cpp:296
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:71
void renameObjectsInDescriptorMap(DBObject &object, const Catalog_Namespace::Catalog &cat)
bool checkPasswordForUserImpl(const std::string &passwd, std::string &name, UserMetadata &user)
static bool migrationEnabled()
Definition: MigrationMgr.h:43
std::shared_ptr< Catalog > login(std::string &db, std::string &username, const std::string &password, UserMetadata &user_meta, bool check_password=true)
Definition: SysCatalog.cpp:923
void revokeRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName, const bool is_temporary)
void revokeRoleBatch(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:510
UserMetadata createUser(std::string const &name, UserAlterations alts, bool is_temporary)
Definition: SysCatalog.cpp:987
std::unique_lock< T > unique_lock
DBSummaryList getDatabaseListForUser(const UserMetadata &user)
static const int32_t MAPD_VERSION
Definition: release.h:32
static const AccessPrivileges ALL_DASHBOARD_MIGRATE
Definition: DBObject.h:168
std::shared_ptr< Catalog > switchDatabase(std::string &dbname, const std::string &username)
Definition: SysCatalog.cpp:957
Role * getRoleGrantee(const std::string &name) const
static const std::string getForeignServerSchema(bool if_not_exists=false)
Definition: Catalog.cpp:775
int getDatabaseId() const
Definition: Catalog.h:304
static const AccessPrivileges ALL_SERVER
Definition: DBObject.h:187
void revokeDBObjectPrivilegesFromAllBatch_unsafe(std::vector< DBObject > &objects, Catalog *catalog)
User * getUserGrantee(const std::string &name) const
void grantDBObjectPrivilegesBatch(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void grantDBObjectPrivileges(const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
specifies the content in-memory of a row in the column metadata table
OUTPUT transform(INPUT const &input, FUNC const &func)
Definition: misc.h:320
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
static const AccessPrivileges NONE
Definition: DBObject.h:148
void updateUserRoleName(const std::string &roleName, const std::string &newName)
std::list< UserMetadata > getAllUserMetadata()
void grantDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
static const std::string SYSTEM_ROLE_TAG("#dash_system_role")
specifies the content in-memory of a row in the dashboard
void execInTransaction(F &&f, Args &&...args)
void dropRole_unsafe(const std::string &roleName, const bool is_temporary)
std::string to_upper(const std::string &str)
void check_for_session_encryption(const std::string &pki_cert, std::string &session)
Definition: SysCatalog.cpp:979
void renameUser(std::string const &old_name, std::string const &new_name)
void loadKey()
Definition: DBObject.cpp:190
std::shared_ptr< Catalog > getCatalog(const std::string &dbName)
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const
const std::string kRootUsername
void setObjectType(const DBObjectType &objectType)
Definition: DBObject.cpp:163
bool hasAnyPrivileges(const UserMetadata &user, std::vector< DBObject > &privObjects)
void deleteObjectDescriptorMap(const std::string &roleName)
static const AccessPrivileges ALL_VIEW_MIGRATE
Definition: DBObject.h:176
static void takeMigrationLock(const std::string &base_path)
bool g_read_only
Definition: File.cpp:40
void updateObjectDescriptorMap(const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
std::unordered_map< int32_t, std::shared_ptr< UserMetadata > > temporary_users_by_id_
Definition: SysCatalog.h:543
void syncUserWithRemoteProvider(const std::string &user_name, std::vector< std::string > idp_roles, UserAlterations alts)
const std::string kDefaultRootPasswd
void dropRole(const std::string &roleName, const bool is_temporary=false)
void createVersionHistoryTable() const
std::list< DBMetadata > getAllDBMetadata()
static const std::string getCustomExpressionsSchema(bool if_not_exists=false)
Definition: Catalog.cpp:790
void renameDatabase(std::string const &old_name, std::string const &new_name)
int32_t dbId
Definition: DBObject.h:54
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)
const std::string kRootUserIdStr
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:169
static const AccessPrivileges ACCESS
Definition: DBObject.h:153
bool verifyDBObjectOwnership(const UserMetadata &user, DBObject object, const Catalog_Namespace::Catalog &catalog)
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:157
const std::string kCatalogDirectoryName
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:514
bool hasRole(Role *role, bool only_direct) const
Definition: Grantee.cpp:55
std::optional< bool > can_login
Definition: SysCatalog.h:120
#define CHECK(condition)
Definition: Logger.h:291
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:513
std::unordered_map< std::string, std::vector< std::string > > getGranteesOfSharedDashboards(const std::vector< std::string > &dashboard_ids)
void runUpdateQueriesAndChangeOwnership(const UserMetadata &new_owner, const UserMetadata &previous_owner, DBObject object, const Catalog_Namespace::Catalog &catalog, const UpdateQueries &update_queries, bool revoke_privileges=true)
const std::string kLockfilesDirectoryName
std::list< DBSummary > DBSummaryList
Definition: SysCatalog.h:145
int32_t permissionType
Definition: DBObject.h:53
void populateRoleDbObjects(const std::vector< DBObject > &objects)
void deleteObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, DBObject &object)
Definition: SysCatalog.cpp:495
int64_t privileges
Definition: DBObject.h:133
bool isDashboardSystemRole(const std::string &roleName) const
string name
Definition: setup.in.py:72
bool hasExecutedMigration(const std::string &migration_name) const
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120
bool g_enable_fsi
Definition: Catalog.cpp:96
std::string userLoggable() const
Definition: SysCatalog.cpp:158
bool getMetadataForDBById(const int32_t idIn, DBMetadata &db)
void createDatabase(const std::string &dbname, int owner)
UserMetadata alterUser(std::string const &name, UserAlterations alts)
void removeCatalogByFullPath(std::string const &full_path)
Definition: SysCatalog.cpp:166
DEVICE void swap(ARGS &&...args)
Definition: gpu_enabled.h:114
const std::string kInfoSchemaMigrationName
std::vector< ObjectRoleDescriptor * > getMetadataForObject(int32_t dbId, int32_t dbType, int32_t objectId) const
std::vector< std::string > getRoles(const std::string &user_name, bool effective=true)
virtual void renameDbObject(const DBObject &object)
Definition: Grantee.cpp:121
A selection of helper methods for File I/O.
#define VLOG(n)
Definition: Logger.h:387
std::filesystem::path copy_catalog_if_read_only(std::filesystem::path base_data_path)
Definition: SysCatalog.cpp:79
std::atomic< bool > isSuper
Definition: SysCatalog.h:107
bool getMetadataForDB(const std::string &name, DBMetadata &db)
void revokeDBObjectPrivilegesFromAllBatch(std::vector< DBObject > &objects, Catalog *catalog)