OmniSciDB  c1a53651b2
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Groups Pages
Catalog_Namespace::SysCatalog Class Reference

#include <SysCatalog.h>

+ Inheritance diagram for Catalog_Namespace::SysCatalog:
+ Collaboration diagram for Catalog_Namespace::SysCatalog:

Classes

struct  UpdateQuery
 

Public Member Functions

void init (const std::string &basePath, std::shared_ptr< Data_Namespace::DataMgr > dataMgr, const AuthMetadata &authMetadata, std::shared_ptr< Calcite > calcite, bool is_new_db, bool aggregator, const std::vector< LeafHostInfo > &string_dict_hosts)
 
bool isInitialized () const
 
std::shared_ptr< Cataloglogin (std::string &db, std::string &username, const std::string &password, UserMetadata &user_meta, bool check_password=true)
 
std::shared_ptr< CatalogswitchDatabase (std::string &dbname, const std::string &username)
 
UserMetadata createUser (std::string const &name, UserAlterations alts, bool is_temporary)
 
void dropUser (const std::string &name)
 
void dropUserUnchecked (const std::string &name, const UserMetadata &user)
 
UserMetadata alterUser (std::string const &name, UserAlterations alts)
 
void renameUser (std::string const &old_name, std::string const &new_name)
 
void createDatabase (const std::string &dbname, int owner)
 
void renameDatabase (std::string const &old_name, std::string const &new_name)
 
void changeDatabaseOwner (std::string const &dbname, const std::string &new_owner)
 
void dropDatabase (const DBMetadata &db)
 
std::optional< UserMetadatagetUser (std::string const &uname)
 
std::optional< UserMetadatagetUser (int32_t const uid)
 
std::optional< DBMetadatagetDB (std::string const &dbname)
 
std::optional< DBMetadatagetDB (int32_t const dbid)
 
bool getMetadataForUser (const std::string &name, UserMetadata &user)
 
bool getMetadataForUserById (const int32_t idIn, UserMetadata &user)
 
bool checkPasswordForUser (const std::string &passwd, std::string &name, UserMetadata &user)
 
bool getMetadataForDB (const std::string &name, DBMetadata &db)
 
bool getMetadataForDBById (const int32_t idIn, DBMetadata &db)
 
Data_Namespace::DataMgrgetDataMgr () const
 
CalcitegetCalciteMgr () const
 
const std::string & getCatalogBasePath () const
 
SqliteConnectorgetSqliteConnector ()
 
std::list< DBMetadatagetAllDBMetadata ()
 
std::list< UserMetadatagetAllUserMetadata ()
 
std::list< UserMetadatagetAllUserMetadata (const int64_t dbId)
 
DBSummaryList getDatabaseListForUser (const UserMetadata &user)
 
void createDBObject (const UserMetadata &user, const std::string &objectName, DBObjectType type, const Catalog_Namespace::Catalog &catalog, int32_t objectId=-1)
 
void renameDBObject (const std::string &objectName, const std::string &newName, DBObjectType type, int32_t objectId, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivileges (const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivilegesBatch (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivileges (const std::string &grantee, const DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesBatch (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesFromAll (DBObject object, Catalog *catalog)
 
void revokeDBObjectPrivilegesFromAll_unsafe (DBObject object, Catalog *catalog)
 
void revokeDBObjectPrivilegesFromAllBatch (std::vector< DBObject > &objects, Catalog *catalog)
 
void revokeDBObjectPrivilegesFromAllBatch_unsafe (std::vector< DBObject > &objects, Catalog *catalog)
 
void getDBObjectPrivileges (const std::string &granteeName, DBObject &object, const Catalog_Namespace::Catalog &catalog) const
 
bool verifyDBObjectOwnership (const UserMetadata &user, DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void changeDBObjectOwnership (const UserMetadata &new_owner, const UserMetadata &previous_owner, DBObject object, const Catalog_Namespace::Catalog &catalog, bool revoke_privileges=true)
 
void createRole (const std::string &roleName, const bool user_private_role, const bool is_temporary=false)
 
void dropRole (const std::string &roleName, const bool is_temporary=false)
 
void grantRoleBatch (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void grantRole (const std::string &role, const std::string &grantee, const bool is_temporary=false)
 
void revokeRoleBatch (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void revokeRole (const std::string &role, const std::string &grantee, const bool is_temporary=false)
 
bool hasAnyPrivileges (const UserMetadata &user, std::vector< DBObject > &privObjects)
 
bool checkPrivileges (const UserMetadata &user, const std::vector< DBObject > &privObjects) const
 
bool checkPrivileges (const std::string &userName, const std::vector< DBObject > &privObjects) const
 
GranteegetGrantee (const std::string &name) const
 
RolegetRoleGrantee (const std::string &name) const
 
UsergetUserGrantee (const std::string &name) const
 
std::vector
< ObjectRoleDescriptor * > 
getMetadataForObject (int32_t dbId, int32_t dbType, int32_t objectId) const
 
std::vector< ObjectRoleDescriptorgetMetadataForAllObjects () const
 
bool isRoleGrantedToGrantee (const std::string &granteeName, const std::string &roleName, bool only_direct) const
 
std::vector< std::string > getRoles (const std::string &user_name, bool effective=true)
 
std::vector< std::string > getRoles (bool include_user_private_role, bool is_super, const std::string &user_name, bool ignore_deleted_user=false)
 
std::vector< std::string > getRoles (const std::string &userName, const int32_t dbId)
 
std::set< std::string > getCreatedRoles () const
 
bool isAggregator () const
 
void populateRoleDbObjects (const std::vector< DBObject > &objects)
 
std::string name () const
 
void renameObjectsInDescriptorMap (DBObject &object, const Catalog_Namespace::Catalog &cat)
 
void syncUserWithRemoteProvider (const std::string &user_name, std::vector< std::string > idp_roles, UserAlterations alts)
 
std::unordered_map
< std::string, std::vector
< std::string > > 
getGranteesOfSharedDashboards (const std::vector< std::string > &dashboard_ids)
 
void check_for_session_encryption (const std::string &pki_cert, std::string &session)
 
std::vector< Catalog * > getCatalogsForAllDbs ()
 
std::shared_ptr< CataloggetDummyCatalog ()
 
std::shared_ptr< CataloggetCatalog (const std::string &dbName)
 
std::shared_ptr< CataloggetCatalog (const int32_t db_id)
 
std::shared_ptr< CataloggetCatalog (const DBMetadata &curDB, bool is_new_db)
 
void removeCatalog (const std::string &dbName)
 
virtual ~SysCatalog ()
 
void reassignObjectOwners (const std::map< int32_t, std::vector< DBObject >> &old_owner_db_objects, int32_t new_owner_id, const Catalog_Namespace::Catalog &catalog)
 
bool hasExecutedMigration (const std::string &migration_name) const
 

Static Public Member Functions

static SysCataloginstance ()
 
static void destroy ()
 

Public Attributes

std::unique_ptr
< heavyai::DistributedSharedMutex
dcatalogMutex_
 
std::unique_ptr
< heavyai::DistributedSharedMutex
dsqliteMutex_
 
std::mutex sqliteMutex_
 
heavyai::shared_mutex sharedMutex_
 
std::atomic< std::thread::id > thread_holding_sqlite_lock
 
std::atomic< std::thread::id > thread_holding_write_lock
 
std::shared_ptr< CatalogdummyCatalog_
 
std::unordered_map
< std::string, std::shared_ptr
< UserMetadata > > 
temporary_users_by_name_
 
std::unordered_map< int32_t,
std::shared_ptr< UserMetadata > > 
temporary_users_by_id_
 
int32_t next_temporary_user_id_ {shared::kTempUserIdRange}
 

Static Public Attributes

static thread_local bool thread_holds_read_lock = false
 

Private Types

using GranteeMap = std::map< std::string, std::unique_ptr< Grantee >>
 
using ObjectRoleDescriptorMap = std::multimap< std::string, std::unique_ptr< ObjectRoleDescriptor >>
 
using UpdateQueries = std::list< UpdateQuery >
 
using dbid_to_cat_map = tbb::concurrent_hash_map< std::string, std::shared_ptr< Catalog >>
 

Private Member Functions

 SysCatalog ()
 
void initDB ()
 
void buildMaps (bool is_new_db=false)
 
void buildMapsUnlocked (bool is_new_db=false)
 
void buildRoleMapUnlocked ()
 
void buildUserRoleMapUnlocked ()
 
void buildObjectDescriptorMapUnlocked ()
 
void rebuildObjectMapsUnlocked ()
 
void checkAndExecuteMigrations ()
 
void importDataFromOldMapdDB ()
 
void createRoles ()
 
void fixRolesMigration ()
 
void addAdminUserRole ()
 
void migratePrivileges ()
 
void migratePrivileged_old ()
 
void updateUserSchema ()
 
void updatePasswordsToHashes ()
 
void updateBlankPasswordsToRandom ()
 
void updateSupportUserDeactivation ()
 
void migrateDBAccessPrivileges ()
 
void loginImpl (std::string &username, const std::string &password, UserMetadata &user_meta)
 
bool checkPasswordForUserImpl (const std::string &passwd, std::string &name, UserMetadata &user)
 
void checkDuplicateCaseInsensitiveDbNames () const
 
void runUpdateQueriesAndChangeOwnership (const UserMetadata &new_owner, const UserMetadata &previous_owner, DBObject object, const Catalog_Namespace::Catalog &catalog, const UpdateQueries &update_queries, bool revoke_privileges=true)
 
void grantDefaultPrivilegesToRole_unsafe (const std::string &name, bool issuper)
 
void createRole_unsafe (const std::string &roleName, const bool userPrivateRole, const bool is_temporary)
 
void dropRole_unsafe (const std::string &roleName, const bool is_temporary)
 
void grantRoleBatch_unsafe (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void grantRole_unsafe (const std::string &roleName, const std::string &granteeName, const bool is_temporary)
 
void revokeRoleBatch_unsafe (const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
 
void revokeRole_unsafe (const std::string &roleName, const std::string &granteeName, const bool is_temporary)
 
void updateObjectDescriptorMap (const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
 
void deleteObjectDescriptorMap (const std::string &roleName)
 
void deleteObjectDescriptorMap (const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &cat)
 
void grantDBObjectPrivilegesBatch_unsafe (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void grantDBObjectPrivileges_unsafe (const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivilegesBatch_unsafe (const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
 
void revokeDBObjectPrivileges_unsafe (const std::string &granteeName, DBObject object, const Catalog_Namespace::Catalog &catalog)
 
void grantAllOnDatabase_unsafe (const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
 
void revokeAllOnDatabase_unsafe (const std::string &roleName, int32_t dbId, Grantee *grantee)
 
bool isDashboardSystemRole (const std::string &roleName) const
 
void updateUserRoleName (const std::string &roleName, const std::string &newName)
 
void getMetadataWithDefaultDB (std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
 
bool allowLocalLogin () const
 
template<typename F , typename... Args>
void execInTransaction (F &&f, Args &&...args)
 
void initializeInformationSchemaDb ()
 
void recordExecutedMigration (const std::string &migration_name) const
 
bool hasVersionHistoryTable () const
 
void createVersionHistoryTable () const
 
auto yieldTransactionStreamer ()
 
- Private Member Functions inherited from Catalog_Namespace::CommonFileOperations
 CommonFileOperations (std::string const &base_path)
 
void removeCatalogByFullPath (std::string const &full_path)
 
void removeCatalogByName (std::string const &name)
 
auto duplicateAndRenameCatalog (std::string const &current_name, std::string const &new_name)
 
auto assembleCatalogName (std::string const &name)
 

Private Attributes

std::string basePath_
 
GranteeMap granteeMap_
 
ObjectRoleDescriptorMap objectDescriptorMap_
 
std::unique_ptr< SqliteConnectorsqliteConnector_
 
std::shared_ptr
< Data_Namespace::DataMgr
dataMgr_
 
std::unique_ptr< PkiServerpki_server_
 
const AuthMetadataauthMetadata_
 
std::shared_ptr< CalcitecalciteMgr_
 
std::vector< LeafHostInfostring_dict_hosts_
 
bool aggregator_
 
dbid_to_cat_map cat_map_
 
bool is_initialized_ {false}
 

Static Private Attributes

static std::mutex instance_mutex_
 
static std::unique_ptr
< SysCatalog
instance_
 

Detailed Description

Definition at line 166 of file SysCatalog.h.

Member Typedef Documentation

using Catalog_Namespace::SysCatalog::dbid_to_cat_map = tbb::concurrent_hash_map<std::string, std::shared_ptr<Catalog>>
private

Definition at line 521 of file SysCatalog.h.

using Catalog_Namespace::SysCatalog::GranteeMap = std::map<std::string, std::unique_ptr<Grantee>>
private

Definition at line 396 of file SysCatalog.h.

using Catalog_Namespace::SysCatalog::ObjectRoleDescriptorMap = std::multimap<std::string, std::unique_ptr<ObjectRoleDescriptor>>
private

Definition at line 398 of file SysCatalog.h.

Definition at line 434 of file SysCatalog.h.

Constructor & Destructor Documentation

Catalog_Namespace::SysCatalog::~SysCatalog ( )
virtual

Definition at line 305 of file SysCatalog.cpp.

References cat_map_, granteeMap_, and objectDescriptorMap_.

305  {
306  // TODO(sy): Need to lock here to wait for other threads to complete before pulling out
307  // the rug from under them. Unfortunately this lock was seen to deadlock because the
308  // HeavyDB shutdown sequence needs cleanup. Do we even need these clear()'s anymore?
309  // sys_write_lock write_lock(this);
310  granteeMap_.clear();
311  objectDescriptorMap_.clear();
312  cat_map_.clear();
313 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
Catalog_Namespace::SysCatalog::SysCatalog ( )
private

Definition at line 296 of file SysCatalog.cpp.

References basePath_.

Referenced by instance().

298  , aggregator_{false}
299  , sqliteMutex_{}
300  , sharedMutex_{}
301  , thread_holding_sqlite_lock{std::thread::id()}
302  , thread_holding_write_lock{std::thread::id()}
303  , dummyCatalog_{std::make_shared<Catalog>()} {}
std::atomic< std::thread::id > thread_holding_sqlite_lock
Definition: SysCatalog.h:537
heavyai::shared_mutex sharedMutex_
Definition: SysCatalog.h:536
CommonFileOperations(std::string const &base_path)
Definition: SysCatalog.h:149
std::shared_ptr< Catalog > dummyCatalog_
Definition: SysCatalog.h:541
std::atomic< std::thread::id > thread_holding_write_lock
Definition: SysCatalog.h:538

+ Here is the caller graph for this function:

Member Function Documentation

void Catalog_Namespace::SysCatalog::addAdminUserRole ( )
private

Definition at line 657 of file SysCatalog.cpp.

References createRole_unsafe(), shared::kRootUsername, and sqliteConnector_.

Referenced by checkAndExecuteMigrations().

657  {
658  sys_sqlite_lock sqlite_lock(this);
659  sqliteConnector_->query("BEGIN TRANSACTION");
660  try {
661  sqliteConnector_->query(
662  "SELECT roleName FROM mapd_object_permissions WHERE roleName = \'" +
663  shared::kRootUsername + "\'");
664  if (sqliteConnector_->getNumRows() != 0) {
665  // already done
666  sqliteConnector_->query("END TRANSACTION");
667  return;
668  }
669 
671  shared::kRootUsername, /*userPrivateRole=*/true, /*is_temporary=*/false);
672  } catch (const std::exception&) {
673  sqliteConnector_->query("ROLLBACK TRANSACTION");
674  throw;
675  }
676  sqliteConnector_->query("END TRANSACTION");
677 }
void createRole_unsafe(const std::string &roleName, const bool userPrivateRole, const bool is_temporary)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
const std::string kRootUsername

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::allowLocalLogin ( ) const
private

For servers configured to use external authentication providers, determine whether users will be allowed to fallback to local login accounts. If no external providers are configured, returns true.

UserMetadata Catalog_Namespace::SysCatalog::alterUser ( std::string const &  name,
UserAlterations  alts 
)

Definition at line 1216 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::append_with_commas, Catalog_Namespace::UserMetadata::can_login, Catalog_Namespace::UserAlterations::can_login, CHECK, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::UserAlterations::default_db, Catalog_Namespace::UserMetadata::defaultDbId, Catalog_Namespace::g_log_user_id, getMetadataForDB(), getMetadataForUser(), getUser(), anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), Catalog_Namespace::UserAlterations::is_super, Catalog_Namespace::UserMetadata::is_temporary, Catalog_Namespace::UserMetadata::isSuper, name(), Catalog_Namespace::UserAlterations::passwd, Catalog_Namespace::UserMetadata::passwd_hash, sqliteConnector_, temporary_users_by_name_, to_string(), Catalog_Namespace::UserMetadata::userId, VLOG, and Catalog_Namespace::UserAlterations::wouldChange().

Referenced by syncUserWithRemoteProvider().

1216  {
1217  sys_write_lock write_lock(this);
1218  sys_sqlite_lock sqlite_lock(this);
1219 
1220  UserMetadata user;
1221  if (!getMetadataForUser(name, user)) {
1222  std::string const loggable = g_log_user_id ? std::string("") : name + ' ';
1223  throw runtime_error("Cannot alter user. User " + loggable + "does not exist.");
1224  }
1225  if (!alts.wouldChange(user)) {
1226  return user;
1227  }
1228 
1229  // Temporary user.
1230  if (user.is_temporary) {
1231  if (alts.passwd) {
1232  user.passwd_hash = hash_with_bcrypt(*alts.passwd);
1233  }
1234  if (alts.is_super) {
1235  user.isSuper = *alts.is_super;
1236  }
1237  if (alts.default_db) {
1238  if (!alts.default_db->empty()) {
1239  DBMetadata db;
1240  if (!getMetadataForDB(*alts.default_db, db)) {
1241  throw runtime_error(string("DEFAULT_DB ") + *alts.default_db + " not found.");
1242  }
1243  user.defaultDbId = db.dbId;
1244  } else {
1245  user.defaultDbId = -1;
1246  }
1247  }
1248  if (alts.can_login) {
1249  user.can_login = *alts.can_login;
1250  }
1251  *temporary_users_by_name_[name] = user;
1252  return user;
1253  }
1254 
1255  // Normal user.
1256  sqliteConnector_->query("BEGIN TRANSACTION");
1257  try {
1258  string sql;
1259  std::vector<std::string> values;
1260  if (alts.passwd) {
1261  append_with_commas(sql, "passwd_hash = ?");
1262  values.push_back(hash_with_bcrypt(*alts.passwd));
1263  }
1264  if (alts.is_super) {
1265  append_with_commas(sql, "issuper = ?");
1266  values.push_back(std::to_string(*alts.is_super));
1267  }
1268  if (alts.default_db) {
1269  if (!alts.default_db->empty()) {
1270  append_with_commas(sql, "default_db = ?");
1271  DBMetadata db;
1272  if (!getMetadataForDB(*alts.default_db, db)) {
1273  throw runtime_error(string("DEFAULT_DB ") + *alts.default_db + " not found.");
1274  }
1275  values.push_back(std::to_string(db.dbId));
1276  } else {
1277  append_with_commas(sql, "default_db = NULL");
1278  }
1279  }
1280  if (alts.can_login) {
1281  append_with_commas(sql, "can_login = ?");
1282  values.push_back(std::to_string(*alts.can_login));
1283  }
1284 
1285  sql = "UPDATE mapd_users SET " + sql + " WHERE userid = ?";
1286  values.push_back(std::to_string(user.userId));
1287 
1288  sqliteConnector_->query_with_text_params(sql, values);
1289  } catch (const std::exception& e) {
1290  sqliteConnector_->query("ROLLBACK TRANSACTION");
1291  throw;
1292  }
1293  sqliteConnector_->query("END TRANSACTION");
1294  auto u = getUser(name);
1295  CHECK(u);
1296  VLOG(1) << "Altered user: " << u->userLoggable();
1297  return *u;
1298 }
std::optional< UserMetadata > getUser(std::string const &uname)
Definition: SysCatalog.h:203
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:358
heavyai::unique_lock< heavyai::shared_mutex > write_lock
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unordered_map< std::string, std::shared_ptr< UserMetadata > > temporary_users_by_name_
Definition: SysCatalog.h:542
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:71
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
#define CHECK(condition)
Definition: Logger.h:291
#define VLOG(n)
Definition: Logger.h:387
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::buildMaps ( bool  is_new_db = false)
private

Definition at line 243 of file SysCatalog.cpp.

243  {
245  sys_sqlite_lock sqlite_lock(this);
246 
247  buildMapsUnlocked(is_new_db);
248 }
heavyai::unique_lock< heavyai::shared_mutex > write_lock
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
void buildMapsUnlocked(bool is_new_db=false)
Definition: SysCatalog.cpp:250
void Catalog_Namespace::SysCatalog::buildMapsUnlocked ( bool  is_new_db = false)
private

Definition at line 250 of file SysCatalog.cpp.

References CHECK, shared::kSystemCatalogName, run_benchmark_import::result, to_upper(), Catalog_Namespace::UserMetadata::userName, and VLOG.

250  {
251  VLOG(2) << "reloading catalog caches for: " << shared::kSystemCatalogName;
252 
253  // Store permissions for temporary users.
254  std::map<std::string, std::vector<std::string>> tu_map;
255  for (auto& pair : temporary_users_by_name_) {
256  CHECK(pair.second);
257  UserMetadata& user = *pair.second;
258  auto it = granteeMap_.find(to_upper(user.userName));
259  CHECK(it != granteeMap_.end()) << to_upper(user.userName) << " not found";
260 
261  auto user_rl = dynamic_cast<User*>(it->second.get());
262  CHECK(user_rl);
263  std::vector<std::string> current_roles = user_rl->getRoles();
264  auto result = tu_map.emplace(user.userName, std::move(current_roles));
265  CHECK(result.second);
266  }
267 
268  // Forget permissions and reload them from file storage.
272  if (!is_new_db) {
273  // We don't want to create the information schema db during database initialization
274  // because we don't have the appropriate context to intialize the tables. For
275  // instance if the server is intended to run in distributed mode, initializing the
276  // table as part of initdb will be missing information such as the location of the
277  // string dictionary server.
279  }
280 
281  // Restore permissions for temporary users that were stored above.
282  for (auto& pair : temporary_users_by_name_) {
283  CHECK(pair.second);
284  UserMetadata& user = *pair.second;
285 
286  createRole_unsafe(user.userName, /*user_private_role*/ true, /*is_temporary*/ true);
287 
288  auto it = tu_map.find(user.userName);
289  CHECK(it != tu_map.end()) << user.userName << " not found";
290  for (const auto& r : it->second) {
291  grantRole_unsafe(r, user.userName, /*is_temporary*/ true);
292  }
293  }
294 }
void createRole_unsafe(const std::string &roleName, const bool userPrivateRole, const bool is_temporary)
const std::string kSystemCatalogName
Definition: Grantee.h:75
std::unordered_map< std::string, std::shared_ptr< UserMetadata > > temporary_users_by_name_
Definition: SysCatalog.h:542
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName, const bool is_temporary)
std::string to_upper(const std::string &str)
#define CHECK(condition)
Definition: Logger.h:291
#define VLOG(n)
Definition: Logger.h:387

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::buildObjectDescriptorMapUnlocked ( )
private

Definition at line 2801 of file SysCatalog.cpp.

References objectDescriptorMap_, sqliteConnector_, and to_string().

Referenced by rebuildObjectMapsUnlocked().

2801  {
2802  objectDescriptorMap_.clear();
2803  string objectQuery(
2804  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
2805  "objectPermissions, objectOwnerId, objectName "
2806  "from mapd_object_permissions");
2807  sqliteConnector_->query(objectQuery);
2808  size_t numRows = sqliteConnector_->getNumRows();
2809  for (size_t r = 0; r < numRows; ++r) {
2810  auto od = std::make_unique<ObjectRoleDescriptor>();
2811  od->roleName = sqliteConnector_->getData<string>(r, 0);
2812  od->roleType = sqliteConnector_->getData<bool>(r, 1);
2813  od->objectType = sqliteConnector_->getData<int>(r, 2);
2814  od->dbId = sqliteConnector_->getData<int>(r, 3);
2815  od->objectId = sqliteConnector_->getData<int>(r, 4);
2816  od->privs.privileges = sqliteConnector_->getData<int>(r, 5);
2817  od->objectOwnerId = sqliteConnector_->getData<int>(r, 6);
2818  od->objectName = sqliteConnector_->getData<string>(r, 7);
2819  objectDescriptorMap_.insert(ObjectRoleDescriptorMap::value_type(
2820  std::to_string(od->dbId) + ":" + std::to_string(od->objectType) + ":" +
2821  std::to_string(od->objectId),
2822  std::move(od)));
2823  }
2824 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
std::string to_string(char const *&&v)
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::buildRoleMapUnlocked ( )
private

Definition at line 2686 of file SysCatalog.cpp.

References DatabaseDBObjectType, DBObjectKey::fromString(), getGrantee(), granteeMap_, name(), AccessPrivileges::privileges, sqliteConnector_, and to_upper().

Referenced by rebuildObjectMapsUnlocked().

2686  {
2687  granteeMap_.clear();
2688  string roleQuery(
2689  "SELECT roleName, roleType, objectPermissionsType, dbId, objectId, "
2690  "objectPermissions, objectOwnerId, objectName "
2691  "from mapd_object_permissions");
2692  sqliteConnector_->query(roleQuery);
2693  size_t numRows = sqliteConnector_->getNumRows();
2694  std::vector<std::string> objectKeyStr(4);
2695  DBObjectKey objectKey;
2696  AccessPrivileges privs;
2697  bool userPrivateRole{false};
2698  for (size_t r = 0; r < numRows; ++r) {
2699  std::string roleName = sqliteConnector_->getData<string>(r, 0);
2700  userPrivateRole = sqliteConnector_->getData<bool>(r, 1);
2701  DBObjectType permissionType =
2702  static_cast<DBObjectType>(sqliteConnector_->getData<int>(r, 2));
2703  objectKeyStr[0] = sqliteConnector_->getData<string>(r, 2);
2704  objectKeyStr[1] = sqliteConnector_->getData<string>(r, 3);
2705  objectKeyStr[2] = sqliteConnector_->getData<string>(r, 4);
2706  objectKey = DBObjectKey::fromString(objectKeyStr, permissionType);
2707  privs.privileges = sqliteConnector_->getData<int>(r, 5);
2708  int32_t owner = sqliteConnector_->getData<int>(r, 6);
2709  std::string name = sqliteConnector_->getData<string>(r, 7);
2710 
2711  DBObject dbObject(objectKey, privs, owner);
2712  dbObject.setName(name);
2713  if (-1 == objectKey.objectId) {
2714  dbObject.setObjectType(DBObjectType::DatabaseDBObjectType);
2715  } else {
2716  dbObject.setObjectType(permissionType);
2717  }
2718 
2719  auto* rl = getGrantee(roleName);
2720  if (!rl) {
2721  std::unique_ptr<Grantee> g;
2722  if (userPrivateRole) {
2723  g.reset(new User(roleName));
2724  } else {
2725  g.reset(new Role(roleName));
2726  }
2727  rl = g.get();
2728  granteeMap_[to_upper(roleName)] = std::move(g);
2729  }
2730  rl->grantPrivileges(dbObject);
2731  }
2732 }
DBObjectType
Definition: DBObject.h:40
std::string name() const
Definition: SysCatalog.h:358
Definition: Grantee.h:75
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:81
static DBObjectKey fromString(const std::vector< std::string > &key, const DBObjectType &type)
Definition: DBObject.cpp:271
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::string to_upper(const std::string &str)
int64_t privileges
Definition: DBObject.h:133

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::buildUserRoleMapUnlocked ( )
private

Definition at line 2757 of file SysCatalog.cpp.

References getGrantee(), shared::kRootUsername, and sqliteConnector_.

2757  {
2758  std::vector<std::pair<std::string, std::string>> granteeRoles;
2759  string userRoleQuery("SELECT roleName, userName from mapd_roles");
2760  sqliteConnector_->query(userRoleQuery);
2761  size_t numRows = sqliteConnector_->getNumRows();
2762  for (size_t r = 0; r < numRows; ++r) {
2763  std::string roleName = sqliteConnector_->getData<string>(r, 0);
2764  std::string userName = sqliteConnector_->getData<string>(r, 1);
2765  // required for declared nomenclature before v4.0.0
2766  if ((boost::equals(roleName, "mapd_default_suser_role") &&
2767  boost::equals(userName, shared::kRootUsername)) ||
2768  (boost::equals(roleName, "mapd_default_user_role") &&
2769  !boost::equals(userName, "mapd_default_user_role"))) {
2770  // grouprole already exists with roleName==userName in mapd_roles table
2771  // ignore duplicate instances of userRole which exists before v4.0.0
2772  continue;
2773  }
2774  auto* rl = getGrantee(roleName);
2775  if (!rl) {
2776  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2777  " from db not found in the map.");
2778  }
2779  std::pair<std::string, std::string> roleVecElem(roleName, userName);
2780  granteeRoles.push_back(roleVecElem);
2781  }
2782 
2783  for (const auto& [roleName, granteeName] : granteeRoles) {
2784  auto* grantee = getGrantee(granteeName);
2785  if (!grantee) {
2786  throw runtime_error("Data inconsistency when building role map. Grantee " +
2787  granteeName + " not found in the map.");
2788  }
2789  if (granteeName == roleName) {
2790  continue;
2791  }
2792  Role* rl = dynamic_cast<Role*>(getGrantee(roleName));
2793  if (!rl) {
2794  throw runtime_error("Data inconsistency when building role map. Role " + roleName +
2795  " not found in the map.");
2796  }
2797  grantee->grantRole(rl);
2798  }
2799 }
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:81
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
const std::string kRootUsername

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::changeDatabaseOwner ( std::string const &  dbname,
const std::string &  new_owner 
)

Definition at line 1391 of file SysCatalog.cpp.

References cat(), DatabaseDBObjectType, getCatalog(), getMetadataForDB(), getMetadataForUser(), getMetadataForUserById(), runUpdateQueriesAndChangeOwnership(), and to_string().

1392  {
1393  using namespace std::string_literals;
1394  sys_write_lock write_lock(this);
1395  sys_sqlite_lock sqlite_lock(this);
1396 
1397  DBMetadata db;
1398  if (!getMetadataForDB(dbname, db)) {
1399  throw std::runtime_error("Database " + dbname + " does not exists.");
1400  }
1401 
1402  Catalog_Namespace::UserMetadata user, original_owner;
1403  if (!getMetadataForUser(new_owner, user)) {
1404  throw std::runtime_error("User with username \"" + new_owner + "\" does not exist. " +
1405  "Database with name \"" + dbname +
1406  "\" can not have owner changed.");
1407  }
1408 
1409  bool original_owner_exists = getMetadataForUserById(db.dbOwner, original_owner);
1410  auto cat = getCatalog(db, true);
1411  DBObject db_object(db.dbName, DBObjectType::DatabaseDBObjectType);
1413  user,
1414  original_owner,
1415  db_object,
1416  *cat,
1417  UpdateQueries{{"UPDATE mapd_databases SET owner=?1 WHERE name=?2;",
1418  {std::to_string(user.userId), db.dbName}}},
1419  original_owner_exists);
1420 }
std::string cat(Ts &&...args)
bool getMetadataForUser(const std::string &name, UserMetadata &user)
heavyai::unique_lock< heavyai::shared_mutex > write_lock
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
std::list< UpdateQuery > UpdateQueries
Definition: SysCatalog.h:434
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::shared_ptr< Catalog > getCatalog(const std::string &dbName)
void runUpdateQueriesAndChangeOwnership(const UserMetadata &new_owner, const UserMetadata &previous_owner, DBObject object, const Catalog_Namespace::Catalog &catalog, const UpdateQueries &update_queries, bool revoke_privileges=true)
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::changeDBObjectOwnership ( const UserMetadata new_owner,
const UserMetadata previous_owner,
DBObject  object,
const Catalog_Namespace::Catalog catalog,
bool  revoke_privileges = true 
)

Change ownership of a DBObject

Parameters
new_owner- new owner of DBObject
previous_owner- previous owner of DBObject
object- DBObject to change ownership of
catalog- Catalog instance object exists in
revoke_privileges- if true, revoke previous_owner's privileges

Definition at line 2229 of file SysCatalog.cpp.

References runUpdateQueriesAndChangeOwnership().

2233  {
2235  new_owner, previous_owner, object, catalog, {}, revoke_privileges);
2236 }
void runUpdateQueriesAndChangeOwnership(const UserMetadata &new_owner, const UserMetadata &previous_owner, DBObject object, const Catalog_Namespace::Catalog &catalog, const UpdateQueries &update_queries, bool revoke_privileges=true)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::check_for_session_encryption ( const std::string &  pki_cert,
std::string &  session 
)

Definition at line 979 of file SysCatalog.cpp.

References pki_server_.

980  {
981  if (!pki_server_->inUse()) {
982  return;
983  }
984  pki_server_->encrypt_session(pki_cert, session);
985 }
std::unique_ptr< PkiServer > pki_server_
Definition: SysCatalog.h:511
void Catalog_Namespace::SysCatalog::checkAndExecuteMigrations ( )
private

Definition at line 358 of file SysCatalog.cpp.

References addAdminUserRole(), checkDuplicateCaseInsensitiveDbNames(), createRoles(), fixRolesMigration(), migrateDBAccessPrivileges(), migratePrivileged_old(), migratePrivileges(), updateBlankPasswordsToRandom(), updatePasswordsToHashes(), updateSupportUserDeactivation(), and updateUserSchema().

358  {
360  createRoles();
364  updateUserSchema(); // must come before updatePasswordsToHashes()
366  updateBlankPasswordsToRandom(); // must come after updatePasswordsToHashes()
370 }
void checkDuplicateCaseInsensitiveDbNames() const
Definition: SysCatalog.cpp:900

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::checkDuplicateCaseInsensitiveDbNames ( ) const
private

Definition at line 900 of file SysCatalog.cpp.

References hasExecutedMigration(), recordExecutedMigration(), and sqliteConnector_.

Referenced by checkAndExecuteMigrations().

900  {
901  static const string duplicate_check_migration{
902  "check_duplicate_case_insensitive_db_names"};
903  if (hasExecutedMigration(duplicate_check_migration)) {
904  return;
905  }
906  sys_sqlite_lock sqlite_lock(this);
907  sqliteConnector_->query(
908  "SELECT UPPER(name) AS db_name, COUNT(*) AS name_count "
909  "FROM mapd_databases GROUP BY db_name HAVING name_count > 1");
910  auto num_rows = sqliteConnector_->getNumRows();
911  if (num_rows > 0) {
912  std::stringstream error_message;
913  error_message << "Duplicate case insensitive database names encountered:\n";
914  for (size_t row = 0; row < num_rows; row++) {
915  error_message << sqliteConnector_->getData<string>(row, 0) << " ("
916  << sqliteConnector_->getData<int>(row, 1) << ")\n";
917  }
918  throw std::runtime_error{error_message.str()};
919  }
920  recordExecutedMigration(duplicate_check_migration);
921 }
void recordExecutedMigration(const std::string &migration_name) const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
bool hasExecutedMigration(const std::string &migration_name) const

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPasswordForUser ( const std::string &  passwd,
std::string &  name,
UserMetadata user 
)

Definition at line 1633 of file SysCatalog.cpp.

References checkPasswordForUserImpl().

Referenced by loginImpl().

1635  {
1636  return checkPasswordForUserImpl(passwd, name, user);
1637 }
std::string name() const
Definition: SysCatalog.h:358
bool checkPasswordForUserImpl(const std::string &passwd, std::string &name, UserMetadata &user)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPasswordForUserImpl ( const std::string &  passwd,
std::string &  name,
UserMetadata user 
)
private

Definition at line 1639 of file SysCatalog.cpp.

References CHECK, getMetadataForUser(), LOG, Catalog_Namespace::UserMetadata::passwd_hash, and logger::WARNING.

Referenced by checkPasswordForUser().

1641  {
1642  sys_read_lock read_lock(this);
1643  if (!getMetadataForUser(name, user)) {
1644  // Check password against some fake hash just to waste time so that response times
1645  // for invalid password and invalid user are similar and a caller can't say the
1646  // difference
1647  char fake_hash[BCRYPT_HASHSIZE];
1648  CHECK(bcrypt_gensalt(-1, fake_hash) == 0);
1649  bcrypt_checkpw(passwd.c_str(), fake_hash);
1650  LOG(WARNING) << "Local login failed";
1651  return false;
1652  }
1653  int pwd_check_result = bcrypt_checkpw(passwd.c_str(), user.passwd_hash.c_str());
1654  // if the check fails there is a good chance that data on disc is broken
1655  CHECK(pwd_check_result >= 0);
1656  return pwd_check_result == 0;
1657 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
#define LOG(tag)
Definition: Logger.h:285
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:358
#define CHECK(condition)
Definition: Logger.h:291
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPrivileges ( const UserMetadata user,
const std::vector< DBObject > &  privObjects 
) const

Definition at line 2514 of file SysCatalog.cpp.

References getUserGrantee(), instance(), Catalog_Namespace::UserMetadata::isSuper, Catalog_Namespace::UserMetadata::userLoggable(), and Catalog_Namespace::UserMetadata::userName.

Referenced by Catalog_Namespace::SessionInfo::checkDBAccessPrivileges(), checkPrivileges(), getDatabaseListForUser(), and switchDatabase().

2515  {
2516  sys_read_lock read_lock(this);
2517  if (user.isSuper) {
2518  return true;
2519  }
2520 
2521  auto* user_rl = instance().getUserGrantee(user.userName);
2522  if (!user_rl) {
2523  throw runtime_error("Cannot check privileges. User " + user.userLoggable() +
2524  " does not exist.");
2525  }
2526  for (auto& object : privObjects) {
2527  if (!user_rl->checkPrivileges(object)) {
2528  return false;
2529  }
2530  }
2531  return true;
2532 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
static SysCatalog & instance()
Definition: SysCatalog.h:343
User * getUserGrantee(const std::string &name) const
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::checkPrivileges ( const std::string &  userName,
const std::vector< DBObject > &  privObjects 
) const

Definition at line 2534 of file SysCatalog.cpp.

References checkPrivileges(), Catalog_Namespace::g_log_user_id, getMetadataForUser(), and instance().

2535  {
2536  UserMetadata user;
2537  if (!instance().getMetadataForUser(userName, user)) {
2538  std::string const loggable = g_log_user_id ? std::string("") : userName + ' ';
2539  throw runtime_error("Request to check privileges for user " + loggable +
2540  "failed because user with this name does not exist.");
2541  }
2542  return (checkPrivileges(user, privObjects));
2543 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
static SysCatalog & instance()
Definition: SysCatalog.h:343

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::createDatabase ( const std::string &  dbname,
int  owner 
)

Definition at line 1467 of file SysCatalog.cpp.

References basePath_, cat(), CHECK, DatabaseDBObjectType, g_enable_fsi, getCatalog(), Catalog_Namespace::Catalog::getCustomExpressionsSchema(), Catalog_Namespace::Catalog::getForeignServerSchema(), Catalog_Namespace::Catalog::getForeignTableSchema(), getMetadataForDB(), getMetadataForUserById(), grantAllOnDatabase_unsafe(), shared::kCatalogDirectoryName, shared::kRootUserId, shared::kSystemCatalogName, removeCatalog(), sqliteConnector_, to_string(), to_upper(), and Catalog_Namespace::UserMetadata::userName.

Referenced by initDB(), and initializeInformationSchemaDb().

1467  {
1468  sys_write_lock write_lock(this);
1469  sys_sqlite_lock sqlite_lock(this);
1470 
1471  DBMetadata db;
1472  if (getMetadataForDB(name, db)) {
1473  throw runtime_error("Database " + name + " already exists.");
1474  }
1476  throw runtime_error("Database name " + name + " is reserved.");
1477  }
1478 
1479  std::unique_ptr<SqliteConnector> dbConn(
1481  // NOTE(max): it's okay to run this in a separate transaction. If we fail later
1482  // we delete the database anyways.
1483  // If we run it in the same transaction as SysCatalog functions, then Catalog
1484  // constructor won't find the tables we have just created.
1485  dbConn->query("BEGIN TRANSACTION");
1486  try {
1487  dbConn->query(
1488  "CREATE TABLE mapd_tables (tableid integer primary key, name text unique, userid "
1489  "integer, ncolumns integer, "
1490  "isview boolean, "
1491  "fragments text, frag_type integer, max_frag_rows integer, max_chunk_size "
1492  "bigint, "
1493  "frag_page_size integer, "
1494  "max_rows bigint, partitions text, shard_column_id integer, shard integer, "
1495  "sort_column_id integer default 0, storage_type text default '', "
1496  "max_rollback_epochs integer default -1, "
1497  "is_system_table boolean default 0, "
1498  "num_shards integer, key_metainfo TEXT, version_num "
1499  "BIGINT DEFAULT 1) ");
1500  dbConn->query(
1501  "CREATE TABLE mapd_columns (tableid integer references mapd_tables, columnid "
1502  "integer, name text, coltype "
1503  "integer, colsubtype integer, coldim integer, colscale integer, is_notnull "
1504  "boolean, compression integer, "
1505  "comp_param integer, size integer, chunks text, is_systemcol boolean, "
1506  "is_virtualcol boolean, virtual_expr "
1507  "text, is_deletedcol boolean, version_num BIGINT, default_value text, "
1508  "primary key(tableid, columnid), unique(tableid, name))");
1509  dbConn->query(
1510  "CREATE TABLE mapd_views (tableid integer references mapd_tables, sql text)");
1511  dbConn->query(
1512  "CREATE TABLE mapd_dashboards (id integer primary key autoincrement, name text , "
1513  "userid integer references mapd_users, state text, image_hash text, update_time "
1514  "timestamp, "
1515  "metadata text, UNIQUE(userid, name) )");
1516  dbConn->query(
1517  "CREATE TABLE mapd_links (linkid integer primary key, userid integer references "
1518  "mapd_users, "
1519  "link text unique, view_state text, update_time timestamp, view_metadata text)");
1520  dbConn->query(
1521  "CREATE TABLE mapd_dictionaries (dictid integer primary key, name text unique, "
1522  "nbits int, is_shared boolean, "
1523  "refcount int, version_num BIGINT DEFAULT 1)");
1524  dbConn->query(
1525  "CREATE TABLE mapd_logical_to_physical(logical_table_id integer, "
1526  "physical_table_id "
1527  "integer)");
1528  dbConn->query("CREATE TABLE mapd_record_ownership_marker (dummy integer)");
1529  dbConn->query_with_text_params(
1530  "INSERT INTO mapd_record_ownership_marker (dummy) VALUES (?1)",
1531  std::vector<std::string>{std::to_string(owner)});
1532 
1533  if (g_enable_fsi) {
1534  dbConn->query(Catalog::getForeignServerSchema());
1535  dbConn->query(Catalog::getForeignTableSchema());
1536  }
1537  dbConn->query(Catalog::getCustomExpressionsSchema());
1538  } catch (const std::exception&) {
1539  dbConn->query("ROLLBACK TRANSACTION");
1540  boost::filesystem::remove(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
1541  name);
1542  throw;
1543  }
1544  dbConn->query("END TRANSACTION");
1545 
1546  std::shared_ptr<Catalog> cat;
1547  // Now update SysCatalog with privileges and the new database
1548  sqliteConnector_->query("BEGIN TRANSACTION");
1549  try {
1550  sqliteConnector_->query_with_text_param(
1551  "INSERT INTO mapd_databases (name, owner) VALUES (?, " + std::to_string(owner) +
1552  ")",
1553  name);
1554  CHECK(getMetadataForDB(name, db));
1555 
1556  cat = getCatalog(db, true);
1557 
1558  if (owner != shared::kRootUserId) {
1560  object.loadKey(*cat);
1561  UserMetadata user;
1562  CHECK(getMetadataForUserById(owner, user));
1563  grantAllOnDatabase_unsafe(user.userName, object, *cat);
1564  }
1565  } catch (const std::exception&) {
1566  sqliteConnector_->query("ROLLBACK TRANSACTION");
1567  boost::filesystem::remove(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
1568  name);
1569  throw;
1570  }
1571  sqliteConnector_->query("END TRANSACTION");
1572 
1573  // force a migration on the new database
1575  cat = getCatalog(db, false);
1576 
1577  if (g_enable_fsi) {
1578  try {
1579  cat->createDefaultServersIfNotExists();
1580  } catch (...) {
1581  boost::filesystem::remove(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
1582  name);
1583  throw;
1584  }
1585  }
1586 }
const int kRootUserId
std::string cat(Ts &&...args)
void removeCatalog(const std::string &dbName)
std::string name() const
Definition: SysCatalog.h:358
const std::string kSystemCatalogName
heavyai::unique_lock< heavyai::shared_mutex > write_lock
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
static const std::string getForeignTableSchema(bool if_not_exists=false)
Definition: Catalog.cpp:782
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
static const std::string getForeignServerSchema(bool if_not_exists=false)
Definition: Catalog.cpp:775
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::string to_upper(const std::string &str)
std::shared_ptr< Catalog > getCatalog(const std::string &dbName)
static const std::string getCustomExpressionsSchema(bool if_not_exists=false)
Definition: Catalog.cpp:790
const std::string kCatalogDirectoryName
#define CHECK(condition)
Definition: Logger.h:291
bool g_enable_fsi
Definition: Catalog.cpp:96
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createDBObject ( const UserMetadata user,
const std::string &  objectName,
DBObjectType  type,
const Catalog_Namespace::Catalog catalog,
int32_t  objectId = -1 
)

Definition at line 1882 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_DATABASE, AccessPrivileges::ALL_SERVER, AccessPrivileges::ALL_TABLE, DashboardDBObjectType, getUserGrantee(), grantDBObjectPrivileges_unsafe(), Grantee::grantPrivileges(), instance(), Catalog_Namespace::UserMetadata::isSuper, ServerDBObjectType, sqliteConnector_, TableDBObjectType, Catalog_Namespace::UserMetadata::userId, Catalog_Namespace::UserMetadata::userLoggable(), and Catalog_Namespace::UserMetadata::userName.

Referenced by CreateForeignServerCommand::execute(), CreateForeignTableCommand::execute(), and EmbeddedDatabase::DBEngineImpl::importArrowTable().

1886  {
1887  sys_write_lock write_lock(this);
1888  sys_sqlite_lock sqlite_lock(this);
1889 
1890  DBObject object =
1891  objectId == -1 ? DBObject(objectName, type) : DBObject(objectId, type);
1892  object.loadKey(catalog);
1893  switch (type) {
1894  case TableDBObjectType:
1895  object.setPrivileges(AccessPrivileges::ALL_TABLE);
1896  break;
1897  case DashboardDBObjectType:
1898  object.setPrivileges(AccessPrivileges::ALL_DASHBOARD);
1899  break;
1900  case ServerDBObjectType:
1901  object.setPrivileges(AccessPrivileges::ALL_SERVER);
1902  break;
1903  default:
1904  object.setPrivileges(AccessPrivileges::ALL_DATABASE);
1905  break;
1906  }
1907  object.setOwner(user.userId);
1908  sqliteConnector_->query("BEGIN TRANSACTION");
1909  try {
1910  if (!user.isSuper) { // no need to grant to suser, has all privs by default
1911  grantDBObjectPrivileges_unsafe(user.userName, object, catalog);
1912  auto* grantee = instance().getUserGrantee(user.userName);
1913  if (!grantee) {
1914  throw runtime_error("Cannot create DBObject. User " + user.userLoggable() +
1915  " does not exist.");
1916  }
1917  grantee->grantPrivileges(object);
1918  }
1919  } catch (std::exception& e) {
1920  sqliteConnector_->query("ROLLBACK TRANSACTION");
1921  throw;
1922  }
1923  sqliteConnector_->query("END TRANSACTION");
1924 }
static const AccessPrivileges ALL_DATABASE
Definition: DBObject.h:151
virtual void grantPrivileges(const DBObject &object)
Definition: Grantee.cpp:105
heavyai::unique_lock< heavyai::shared_mutex > write_lock
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
static SysCatalog & instance()
Definition: SysCatalog.h:343
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
static const AccessPrivileges ALL_SERVER
Definition: DBObject.h:187
User * getUserGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
void loadKey()
Definition: DBObject.cpp:190
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:169
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:157

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createRole ( const std::string &  roleName,
const bool  user_private_role,
const bool  is_temporary = false 
)

Definition at line 2840 of file SysCatalog.cpp.

References createRole_unsafe(), and execInTransaction().

2842  {
2844  &SysCatalog::createRole_unsafe, roleName, user_private_role, is_temporary);
2845 }
void createRole_unsafe(const std::string &roleName, const bool userPrivateRole, const bool is_temporary)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::createRole_unsafe ( const std::string &  roleName,
const bool  userPrivateRole,
const bool  is_temporary 
)
private

Definition at line 2260 of file SysCatalog.cpp.

References DatabaseDBObjectType, DBObjectKey::dbId, getGrantee(), granteeMap_, Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::insertOrUpdateObjectPrivileges(), shared::kDefaultDbName, DBObjectKey::permissionType, DBObject::setObjectKey(), sqliteConnector_, and to_upper().

Referenced by addAdminUserRole(), createRole(), createUser(), and initDB().

2262  {
2263  sys_write_lock write_lock(this);
2264 
2265  auto* grantee = getGrantee(roleName);
2266  if (grantee) {
2267  throw std::runtime_error("CREATE ROLE " + roleName +
2268  " failed because grantee with this name already exists.");
2269  }
2270  std::unique_ptr<Grantee> g;
2271  if (user_private_role) {
2272  g.reset(new User(roleName));
2273  } else {
2274  g.reset(new Role(roleName));
2275  }
2276  grantee = g.get();
2277  granteeMap_[to_upper(roleName)] = std::move(g);
2278 
2279  // NOTE (max): Why create an empty privileges record for a role?
2280  /* grant none privileges to this role and add it to sqlite DB */
2282  DBObjectKey objKey;
2283  // 0 is an id that does not exist
2284  objKey.dbId = 0;
2286  dbObject.setObjectKey(objKey);
2287  grantee->grantPrivileges(dbObject);
2288 
2289  if (!is_temporary) {
2290  sys_sqlite_lock sqlite_lock(this);
2292  sqliteConnector_, roleName, user_private_role, dbObject);
2293  }
2294 }
Definition: Grantee.h:75
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:81
heavyai::unique_lock< heavyai::shared_mutex > write_lock
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, const DBObject &object)
Definition: SysCatalog.cpp:514
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
const std::string kDefaultDbName
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::string to_upper(const std::string &str)
int32_t dbId
Definition: DBObject.h:54
int32_t permissionType
Definition: DBObject.h:53

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createRoles ( )
private

Definition at line 445 of file SysCatalog.cpp.

References sqliteConnector_.

Referenced by checkAndExecuteMigrations().

445  {
446  sys_sqlite_lock sqlite_lock(this);
447  sqliteConnector_->query("BEGIN TRANSACTION");
448  try {
449  sqliteConnector_->query(
450  "SELECT name FROM sqlite_master WHERE type='table' AND name='mapd_roles'");
451  if (sqliteConnector_->getNumRows() != 0) {
452  // already done
453  sqliteConnector_->query("END TRANSACTION");
454  return;
455  }
456  sqliteConnector_->query(
457  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
458  "userName))");
459  } catch (const std::exception&) {
460  sqliteConnector_->query("ROLLBACK TRANSACTION");
461  throw;
462  }
463  sqliteConnector_->query("END TRANSACTION");
464 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the caller graph for this function:

UserMetadata Catalog_Namespace::SysCatalog::createUser ( std::string const &  name,
UserAlterations  alts,
bool  is_temporary 
)

Definition at line 987 of file SysCatalog.cpp.

References Catalog_Namespace::UserAlterations::can_login, CHECK, createRole_unsafe(), Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::UserAlterations::default_db, Catalog_Namespace::g_log_user_id, g_read_only, getGrantee(), getMetadataForDB(), getMetadataForUser(), getUser(), anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), Catalog_Namespace::UserAlterations::is_super, name(), next_temporary_user_id_, Catalog_Namespace::UserAlterations::passwd, sqliteConnector_, temporary_users_by_id_, temporary_users_by_name_, to_string(), Catalog_Namespace::UserMetadata::userLoggable(), and VLOG.

Referenced by syncUserWithRemoteProvider().

989  {
991  sys_sqlite_lock sqlite_lock(this);
992 
993  if (!alts.passwd) {
994  alts.passwd = "";
995  }
996  if (!alts.is_super) {
997  alts.is_super = false;
998  }
999  if (!alts.default_db) {
1000  alts.default_db = "";
1001  }
1002  if (!alts.can_login) {
1003  alts.can_login = true;
1004  }
1005 
1006  UserMetadata user;
1007  if (getMetadataForUser(name, user)) {
1008  throw runtime_error("User " + user.userLoggable() + " already exists.");
1009  }
1010  if (getGrantee(name)) {
1011  std::string const loggable = g_log_user_id ? std::string("") : name + ' ';
1012  throw runtime_error(
1013  "User " + loggable +
1014  "is same as one of existing grantees. User and role names should be unique.");
1015  }
1016  DBMetadata db;
1017  if (!alts.default_db->empty()) {
1018  if (!getMetadataForDB(*alts.default_db, db)) {
1019  throw runtime_error("DEFAULT_DB " + *alts.default_db + " not found.");
1020  }
1021  }
1022 
1023  // Temporary user.
1024  if (is_temporary) {
1025  if (!g_read_only) {
1026  throw std::runtime_error("Temporary users require read-only mode.");
1027  // NOTE(sy): We can remove this restriction when we're confident that
1028  // nothing permanent can depend on a temporary user.
1029  }
1030  auto user2 = std::make_shared<UserMetadata>(next_temporary_user_id_++,
1031  name,
1032  hash_with_bcrypt(*alts.passwd),
1033  *alts.is_super,
1034  !alts.default_db->empty() ? db.dbId : -1,
1035  *alts.can_login,
1036  true);
1037  temporary_users_by_name_[name] = user2;
1038  temporary_users_by_id_[user2->userId] = user2;
1039  createRole_unsafe(name, /*userPrivateRole=*/true, /*is_temporary=*/true);
1040  VLOG(1) << "Created temporary user: " << user2->userLoggable();
1041  return *user2;
1042  }
1043 
1044  // Normal user.
1045  sqliteConnector_->query("BEGIN TRANSACTION");
1046  try {
1047  std::vector<std::string> vals;
1048  if (!alts.default_db->empty()) {
1049  vals = {name,
1050  hash_with_bcrypt(*alts.passwd),
1051  std::to_string(*alts.is_super),
1052  std::to_string(db.dbId),
1053  std::to_string(*alts.can_login)};
1054  sqliteConnector_->query_with_text_params(
1055  "INSERT INTO mapd_users (name, passwd_hash, issuper, default_db, can_login) "
1056  "VALUES (?, ?, ?, ?, ?)",
1057  vals);
1058  } else {
1059  vals = {name,
1060  hash_with_bcrypt(*alts.passwd),
1061  std::to_string(*alts.is_super),
1062  std::to_string(*alts.can_login)};
1063  sqliteConnector_->query_with_text_params(
1064  "INSERT INTO mapd_users (name, passwd_hash, issuper, can_login) "
1065  "VALUES (?, ?, ?, ?)",
1066  vals);
1067  }
1068  createRole_unsafe(name, /*userPrivateRole=*/true, /*is_temporary=*/false);
1069  } catch (const std::exception& e) {
1070  sqliteConnector_->query("ROLLBACK TRANSACTION");
1071  throw;
1072  }
1073  sqliteConnector_->query("END TRANSACTION");
1074  auto u = getUser(name);
1075  CHECK(u);
1076  VLOG(1) << "Created user: " << u->userLoggable();
1077  return *u;
1078 }
std::optional< UserMetadata > getUser(std::string const &uname)
Definition: SysCatalog.h:203
void createRole_unsafe(const std::string &roleName, const bool userPrivateRole, const bool is_temporary)
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:358
Grantee * getGrantee(const std::string &name) const
heavyai::unique_lock< heavyai::shared_mutex > write_lock
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unordered_map< std::string, std::shared_ptr< UserMetadata > > temporary_users_by_name_
Definition: SysCatalog.h:542
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:71
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
bool g_read_only
Definition: File.cpp:40
std::unordered_map< int32_t, std::shared_ptr< UserMetadata > > temporary_users_by_id_
Definition: SysCatalog.h:543
#define CHECK(condition)
Definition: Logger.h:291
#define VLOG(n)
Definition: Logger.h:387
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::createVersionHistoryTable ( ) const
private

Definition at line 3174 of file SysCatalog.cpp.

References sqliteConnector_.

Referenced by recordExecutedMigration().

3174  {
3175  sys_sqlite_lock sqlite_lock(this);
3176  sqliteConnector_->query(
3177  "CREATE TABLE mapd_version_history(version integer, migration_history text "
3178  "unique)");
3179 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::deleteObjectDescriptorMap ( const std::string &  roleName)
private

Definition at line 2462 of file SysCatalog.cpp.

References objectDescriptorMap_.

Referenced by dropUserUnchecked(), and revokeDBObjectPrivileges_unsafe().

2462  {
2463  sys_write_lock write_lock(this);
2464 
2465  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
2466  if (d->second->roleName == roleName) {
2467  d = objectDescriptorMap_.erase(d);
2468  } else {
2469  d++;
2470  }
2471  }
2472 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
heavyai::unique_lock< heavyai::shared_mutex > write_lock
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::deleteObjectDescriptorMap ( const std::string &  roleName,
DBObject object,
const Catalog_Namespace::Catalog cat 
)
private

Definition at line 2475 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), objectDescriptorMap_, and to_string().

2477  {
2478  sys_write_lock write_lock(this);
2479  auto range = objectDescriptorMap_.equal_range(
2480  std::to_string(cat.getCurrentDB().dbId) + ":" +
2481  std::to_string(object.getObjectKey().permissionType) + ":" +
2482  std::to_string(object.getObjectKey().objectId));
2483  for (auto d = range.first; d != range.second;) {
2484  // remove the entry
2485  if (d->second->roleName == roleName) {
2486  d = objectDescriptorMap_.erase(d);
2487  } else {
2488  d++;
2489  }
2490  }
2491 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
heavyai::unique_lock< heavyai::shared_mutex > write_lock
std::string to_string(char const *&&v)
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:248
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153

+ Here is the call graph for this function:

static void Catalog_Namespace::SysCatalog::destroy ( )
inlinestatic

Definition at line 351 of file SysCatalog.h.

References migrations::MigrationMgr::destroy(), instance_, and instance_mutex_.

Referenced by main(), EmbeddedDatabase::DBEngineImpl::reset(), and DBHandler::shutdown().

351  {
353  instance_.reset();
355  }
static std::unique_ptr< SysCatalog > instance_
Definition: SysCatalog.h:525
static std::mutex instance_mutex_
Definition: SysCatalog.h:524
std::unique_lock< T > unique_lock

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::dropDatabase ( const DBMetadata db)

Definition at line 1588 of file SysCatalog.cpp.

References cat(), DashboardDBObjectType, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, getCatalog(), granteeMap_, removeCatalog(), revokeAllOnDatabase_unsafe(), revokeDBObjectPrivilegesFromAll_unsafe(), sqliteConnector_, TableDBObjectType, run_benchmark_import::tables, and to_string().

Referenced by initializeInformationSchemaDb().

1588  {
1589  auto cat = getCatalog(db, false);
1590  cat->eraseDbPhysicalData();
1591  sys_write_lock write_lock(this);
1592  sys_sqlite_lock sqlite_lock(this);
1593  sqliteConnector_->query("BEGIN TRANSACTION");
1594  try {
1595  // remove this database ID from any users that have it set as their default database
1596  sqliteConnector_->query_with_text_param(
1597  "UPDATE mapd_users SET default_db = NULL WHERE default_db = ?",
1598  std::to_string(db.dbId));
1599  /* revoke object privileges to all tables of the database being dropped */
1600  const auto tables = cat->getAllTableMetadata();
1601  for (const auto table : tables) {
1602  if (table->shard >= 0) {
1603  // skip shards, they're not standalone tables
1604  continue;
1605  }
1607  DBObject(table->tableName, TableDBObjectType), cat.get());
1608  }
1609  const auto dashboards = cat->getAllDashboardsMetadata();
1610  for (const auto dashboard : dashboards) {
1612  DBObject(dashboard->dashboardId, DashboardDBObjectType), cat.get());
1613  }
1614  /* revoke object privileges to the database being dropped */
1615  for (const auto& grantee : granteeMap_) {
1616  if (grantee.second->hasAnyPrivilegesOnDb(db.dbId, true)) {
1618  grantee.second->getName(), db.dbId, grantee.second.get());
1619  }
1620  }
1621  sqliteConnector_->query_with_text_param("DELETE FROM mapd_databases WHERE dbid = ?",
1622  std::to_string(db.dbId));
1623  cat->eraseDbMetadata();
1624  removeCatalog(db.dbName);
1625  } catch (const std::exception&) {
1626  sqliteConnector_->query("ROLLBACK TRANSACTION");
1627  throw;
1628  }
1629  sqliteConnector_->query("END TRANSACTION");
1630 }
void revokeAllOnDatabase_unsafe(const std::string &roleName, int32_t dbId, Grantee *grantee)
std::string cat(Ts &&...args)
void removeCatalog(const std::string &dbName)
heavyai::unique_lock< heavyai::shared_mutex > write_lock
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::shared_ptr< Catalog > getCatalog(const std::string &dbName)
void revokeDBObjectPrivilegesFromAll_unsafe(DBObject object, Catalog *catalog)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::dropRole ( const std::string &  roleName,
const bool  is_temporary = false 
)

Definition at line 2847 of file SysCatalog.cpp.

References dropRole_unsafe(), and execInTransaction().

2847  {
2848  execInTransaction(&SysCatalog::dropRole_unsafe, roleName, is_temporary);
2849 }
void execInTransaction(F &&f, Args &&...args)
void dropRole_unsafe(const std::string &roleName, const bool is_temporary)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropRole_unsafe ( const std::string &  roleName,
const bool  is_temporary 
)
private

Definition at line 2296 of file SysCatalog.cpp.

References granteeMap_, objectDescriptorMap_, sqliteConnector_, and to_upper().

Referenced by dropRole(), and dropUserUnchecked().

2296  {
2297  sys_write_lock write_lock(this);
2298 
2299  for (auto d = objectDescriptorMap_.begin(); d != objectDescriptorMap_.end();) {
2300  if (d->second->roleName == roleName) {
2301  d = objectDescriptorMap_.erase(d);
2302  } else {
2303  d++;
2304  }
2305  }
2306  // it may very well be a user "role", so keep it generic
2307  granteeMap_.erase(to_upper(roleName));
2308 
2309  if (!is_temporary) {
2310  sys_sqlite_lock sqlite_lock(this);
2311  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE roleName = ?",
2312  roleName);
2313  sqliteConnector_->query_with_text_param(
2314  "DELETE FROM mapd_object_permissions WHERE roleName = ?", roleName);
2315  }
2316 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
heavyai::unique_lock< heavyai::shared_mutex > write_lock
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::string to_upper(const std::string &str)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::dropUser ( const std::string &  name)

Definition at line 1118 of file SysCatalog.cpp.

References dropUserUnchecked(), Catalog_Namespace::g_log_user_id, getAllDBMetadata(), getMetadataForUser(), and Catalog_Namespace::UserMetadata::userId.

1118  {
1119  sys_write_lock write_lock(this);
1120  sys_sqlite_lock sqlite_lock(this);
1121 
1122  std::string const loggable = g_log_user_id ? std::string("") : name + ' ';
1123 
1124  UserMetadata user;
1125  if (!getMetadataForUser(name, user)) {
1126  throw runtime_error("Cannot drop user. User " + loggable + "does not exist.");
1127  }
1128 
1129  auto dbs = getAllDBMetadata();
1130  for (const auto& db : dbs) {
1131  if (db.dbOwner == user.userId) {
1132  throw runtime_error("Cannot drop user. User " + loggable + "owns database " +
1133  db.dbName);
1134  }
1135  }
1136 
1137  dropUserUnchecked(name, user);
1138 }
void dropUserUnchecked(const std::string &name, const UserMetadata &user)
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string name() const
Definition: SysCatalog.h:358
heavyai::unique_lock< heavyai::shared_mutex > write_lock
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::list< DBMetadata > getAllDBMetadata()

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::dropUserUnchecked ( const std::string &  name,
const UserMetadata user 
)

Definition at line 1081 of file SysCatalog.cpp.

References CHECK, deleteObjectDescriptorMap(), dropRole_unsafe(), Catalog_Namespace::UserMetadata::is_temporary, sqliteConnector_, temporary_users_by_id_, temporary_users_by_name_, to_string(), and Catalog_Namespace::UserMetadata::userId.

Referenced by dropUser().

1081  {
1082  sys_write_lock write_lock(this);
1083  sys_sqlite_lock sqlite_lock(this);
1084 
1085  // Temporary user.
1086  if (user.is_temporary) {
1087  auto it1 = temporary_users_by_name_.find(name);
1088  CHECK(it1 != temporary_users_by_name_.end());
1089  auto it2 = temporary_users_by_id_.find(it1->second->userId);
1090  CHECK(it2 != temporary_users_by_id_.end());
1091  dropRole_unsafe(name, /*is_temporary=*/true);
1093  temporary_users_by_name_.erase(it1);
1094  temporary_users_by_id_.erase(it2);
1095  return;
1096  }
1097 
1098  // Normal user.
1099 
1100  sqliteConnector_->query("BEGIN TRANSACTION");
1101  try {
1102  dropRole_unsafe(name, /*is_temporary=*/false);
1104  const std::string& roleName(name);
1105  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE userName = ?",
1106  roleName);
1107  sqliteConnector_->query("DELETE FROM mapd_users WHERE userid = " +
1108  std::to_string(user.userId));
1109  sqliteConnector_->query("DELETE FROM mapd_privileges WHERE userid = " +
1110  std::to_string(user.userId));
1111  } catch (const std::exception& e) {
1112  sqliteConnector_->query("ROLLBACK TRANSACTION");
1113  throw;
1114  }
1115  sqliteConnector_->query("END TRANSACTION");
1116 }
std::string name() const
Definition: SysCatalog.h:358
heavyai::unique_lock< heavyai::shared_mutex > write_lock
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unordered_map< std::string, std::shared_ptr< UserMetadata > > temporary_users_by_name_
Definition: SysCatalog.h:542
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
void dropRole_unsafe(const std::string &roleName, const bool is_temporary)
void deleteObjectDescriptorMap(const std::string &roleName)
std::unordered_map< int32_t, std::shared_ptr< UserMetadata > > temporary_users_by_id_
Definition: SysCatalog.h:543
#define CHECK(condition)
Definition: Logger.h:291

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

template<typename F , typename... Args>
void Catalog_Namespace::SysCatalog::execInTransaction ( F &&  f,
Args &&...  args 
)
private

Definition at line 2827 of file SysCatalog.cpp.

References run_benchmark_import::args, anonymous_namespace{Utm.h}::f, and sqliteConnector_.

Referenced by createRole(), dropRole(), grantDBObjectPrivileges(), grantDBObjectPrivilegesBatch(), grantRole(), grantRoleBatch(), revokeDBObjectPrivileges(), revokeDBObjectPrivilegesBatch(), revokeDBObjectPrivilegesFromAll(), revokeDBObjectPrivilegesFromAllBatch(), revokeRole(), and revokeRoleBatch().

2827  {
2828  sys_write_lock write_lock(this);
2829  sys_sqlite_lock sqlite_lock(this);
2830  sqliteConnector_->query("BEGIN TRANSACTION");
2831  try {
2832  (this->*f)(std::forward<Args>(args)...);
2833  } catch (std::exception&) {
2834  sqliteConnector_->query("ROLLBACK TRANSACTION");
2835  throw;
2836  }
2837  sqliteConnector_->query("END TRANSACTION");
2838 }
heavyai::unique_lock< heavyai::shared_mutex > write_lock
constexpr double f
Definition: Utm.h:31
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::fixRolesMigration ( )
private

Definition at line 472 of file SysCatalog.cpp.

References sqliteConnector_.

Referenced by checkAndExecuteMigrations().

472  {
473  sys_sqlite_lock sqlite_lock(this);
474  sqliteConnector_->query("BEGIN TRANSACTION");
475  try {
476  sqliteConnector_->query("SELECT name FROM mapd_users");
477  auto num_rows = sqliteConnector_->getNumRows();
478  std::vector<std::string> user_names;
479  for (size_t i = 0; i < num_rows; ++i) {
480  user_names.push_back(sqliteConnector_->getData<std::string>(i, 0));
481  }
482  for (const auto& user_name : user_names) {
483  sqliteConnector_->query_with_text_param("DELETE FROM mapd_roles WHERE roleName = ?",
484  user_name);
485  }
486  } catch (const std::exception&) {
487  sqliteConnector_->query("ROLLBACK TRANSACTION");
488  throw;
489  }
490  sqliteConnector_->query("END TRANSACTION");
491 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the caller graph for this function:

list< DBMetadata > Catalog_Namespace::SysCatalog::getAllDBMetadata ( )

Definition at line 1721 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, and sqliteConnector_.

Referenced by dropUser(), getCatalogsForAllDbs(), and getDatabaseListForUser().

1721  {
1722  sys_sqlite_lock sqlite_lock(this);
1723  sqliteConnector_->query("SELECT dbid, name, owner FROM mapd_databases");
1724  int numRows = sqliteConnector_->getNumRows();
1725  list<DBMetadata> db_list;
1726  for (int r = 0; r < numRows; ++r) {
1727  DBMetadata db;
1728  db.dbId = sqliteConnector_->getData<int>(r, 0);
1729  db.dbName = sqliteConnector_->getData<string>(r, 1);
1730  db.dbOwner = sqliteConnector_->getData<int>(r, 2);
1731  db_list.push_back(db);
1732  }
1733  return db_list;
1734 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the caller graph for this function:

list< UserMetadata > Catalog_Namespace::SysCatalog::getAllUserMetadata ( )

Definition at line 1781 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), and sqliteConnector_.

Referenced by Catalog_Namespace::anonymous_namespace{Catalog.cpp}::get_user_id_to_user_name_map(), and getDatabaseListForUser().

1781  {
1782  sys_sqlite_lock sqlite_lock(this);
1783  return get_users(*this, sqliteConnector_);
1784 }
auto get_users(SysCatalog &syscat, std::unique_ptr< SqliteConnector > &sqliteConnector, const int32_t dbId=-1)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

list< UserMetadata > Catalog_Namespace::SysCatalog::getAllUserMetadata ( const int64_t  dbId)

return the users associated with the given DB

Definition at line 1774 of file SysCatalog.cpp.

References Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), and sqliteConnector_.

1774  {
1775  // this call is to return users that have some form of permissions to objects in the db
1776  // sadly mapd_object_permissions table is also misused to manage user roles.
1777  sys_sqlite_lock sqlite_lock(this);
1778  return get_users(*this, sqliteConnector_, dbId);
1779 }
auto get_users(SysCatalog &syscat, std::unique_ptr< SqliteConnector > &sqliteConnector, const int32_t dbId=-1)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the call graph for this function:

Calcite& Catalog_Namespace::SysCatalog::getCalciteMgr ( ) const
inline

Definition at line 235 of file SysCatalog.h.

References calciteMgr_.

235 { return *calciteMgr_; }
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:513
std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::getCatalog ( const std::string &  dbName)

Definition at line 3014 of file SysCatalog.cpp.

References cat_map_, getMetadataForDB(), and to_upper().

Referenced by foreign_storage::anonymous_namespace{LogFileBufferParser.cpp}::add_nonce_values(), Executor::addDeletedColumn(), QueryFragmentDescriptor::buildFragmentPerKernelMap(), foreign_storage::cache_blocks(), changeDatabaseOwner(), anonymous_namespace{DBHandler.cpp}::check_in_memory_system_table_query(), DBHandler::checkInMemorySystemTableQuery(), anonymous_namespace{Calcite.cpp}::checkPermissionForTables(), Executor::computeStringDictionaryGenerations(), anonymous_namespace{ExternalExecutor.cpp}::create_table_schema(), createDatabase(), foreign_storage::ForeignDataWrapperFactory::createForeignTableProxy(), foreign_storage::ParquetDataWrapper::createRenderGroupAnalyzers(), foreign_storage::AbstractTextFileDataWrapper::createRenderGroupAnalyzers(), DictionaryValueConverter< TARGET_TYPE >::DictionaryValueConverter(), dropDatabase(), foreign_storage::ParquetDataWrapper::fetchChunkMetadata(), foreign_storage::ForeignTableSchema::ForeignTableSchema(), anonymous_namespace{SerializeToSql.cpp}::from_to_string(), foreign_storage::anonymous_namespace{InternalMemoryStatsDataWrapper.cpp}::get_column_name(), foreign_storage::get_foreign_table_for_key(), Catalog_Namespace::get_metadata_for_column(), Catalog_Namespace::get_metadata_for_table(), anonymous_namespace{RelAlgExecutor.cpp}::get_physical_inputs_with_spi_col_id(), foreign_storage::anonymous_namespace{InternalCatalogDataWrapper.cpp}::get_table_ddl(), foreign_storage::get_table_name(), foreign_storage::ParseBufferRequest::getCatalog(), anonymous_namespace{RelAlgDag.cpp}::getCatalogAndTableFromScanNode(), getCatalogsForAllDbs(), foreign_storage::ParquetImportBatchResult::getChunksAndDictionaries(), lockmgr::TableLockMgrImpl< TableDataLockMgr >::getClusterTableMutex(), foreign_storage::ParquetDataWrapper::getColumnsToInitialize(), RelAlgTranslator::getInIntegerSetExpr(), RowSetMemoryOwner::getOrAddStringDictProxy(), InputTableInfoCache::getTableInfo(), foreign_storage::init_chunk_for_column(), foreign_storage::Csv::init_chunk_for_column(), PersistentStorageMgr::isForeignStorage(), Executor::isFragmentFullyDeleted(), foreign_storage::AbstractTextFileDataWrapper::iterativeFileScan(), boost::serialization::load_construct_data(), foreign_storage::ParquetDataWrapper::loadBuffersUsingLazyParquetChunkLoader(), login(), foreign_storage::populate_string_dictionary(), foreign_storage::AbstractTextFileDataWrapper::populateChunkBuffers(), foreign_storage::AbstractTextFileDataWrapper::populateChunkMetadata(), anonymous_namespace{RelAlgExecutor.cpp}::prepare_for_system_table_execution(), anonymous_namespace{RelAlgExecutor.cpp}::prepare_string_dictionaries(), QueryRewriter::rewriteColumnarUpdate(), anonymous_namespace{RelAlgExecutor.cpp}::set_parallelism_hints(), StringValueConverter::StringValueConverter(), switchDatabase(), foreign_storage::AbstractTextFileDataWrapper::updateMetadata(), and ScalarExprToSql::visitColumnVar().

3014  {
3015  dbid_to_cat_map::const_accessor cata;
3016  if (cat_map_.find(cata, to_upper(dbName))) {
3017  return cata->second;
3018  } else {
3020  if (getMetadataForDB(dbName, db_meta)) {
3021  return getCatalog(db_meta, false);
3022  } else {
3023  return nullptr;
3024  }
3025  }
3026 }
std::string to_upper(const std::string &str)
std::shared_ptr< Catalog > getCatalog(const std::string &dbName)
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::getCatalog ( const int32_t  db_id)

Definition at line 3028 of file SysCatalog.cpp.

References cat_map_.

3028  {
3029  dbid_to_cat_map::const_accessor cata;
3030  for (dbid_to_cat_map::iterator cat_it = cat_map_.begin(); cat_it != cat_map_.end();
3031  ++cat_it) {
3032  if (cat_it->second->getDatabaseId() == db_id) {
3033  return cat_it->second;
3034  }
3035  }
3036  return nullptr;
3037 }
std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::getCatalog ( const DBMetadata curDB,
bool  is_new_db 
)

Definition at line 3039 of file SysCatalog.cpp.

References basePath_, calciteMgr_, cat(), cat_map_, dataMgr_, Catalog_Namespace::DBMetadata::dbName, string_dict_hosts_, and to_upper().

3039  {
3040  const auto key = to_upper(curDB.dbName);
3041  {
3042  dbid_to_cat_map::const_accessor cata;
3043  if (cat_map_.find(cata, key)) {
3044  return cata->second;
3045  }
3046  }
3047 
3048  // Catalog doesnt exist
3049  // has to be made outside of lock as migration uses cat
3050  auto cat = std::make_shared<Catalog>(
3051  basePath_, curDB, dataMgr_, string_dict_hosts_, calciteMgr_, is_new_db);
3052 
3053  dbid_to_cat_map::accessor cata;
3054 
3055  if (cat_map_.find(cata, key)) {
3056  return cata->second;
3057  }
3058 
3059  cat_map_.insert(cata, key);
3060  cata->second = cat;
3061 
3062  return cat;
3063 }
std::string cat(Ts &&...args)
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:510
std::string to_upper(const std::string &str)
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:514
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:513

+ Here is the call graph for this function:

const std::string& Catalog_Namespace::SysCatalog::getCatalogBasePath ( ) const
inline

Definition at line 236 of file SysCatalog.h.

References basePath_.

236 { return basePath_; }
std::vector< Catalog * > Catalog_Namespace::SysCatalog::getCatalogsForAllDbs ( )

Definition at line 1140 of file SysCatalog.cpp.

References getAllDBMetadata(), and getCatalog().

1140  {
1141  std::vector<Catalog*> catalogs{};
1142  const auto& db_metadata_list = getAllDBMetadata();
1143  for (const auto& db_metadata : db_metadata_list) {
1144  catalogs.emplace_back(getCatalog(db_metadata, false).get());
1145  }
1146  return catalogs;
1147 }
std::shared_ptr< Catalog > getCatalog(const std::string &dbName)
std::list< DBMetadata > getAllDBMetadata()

+ Here is the call graph for this function:

std::set< std::string > Catalog_Namespace::SysCatalog::getCreatedRoles ( ) const

Definition at line 2675 of file SysCatalog.cpp.

References granteeMap_, and isDashboardSystemRole().

2675  {
2676  sys_read_lock read_lock(this);
2677  std::set<std::string> roles; // Sorted for human readers.
2678  for (const auto& [key, grantee] : granteeMap_) {
2679  if (!grantee->isUser() && !isDashboardSystemRole(grantee->getName())) {
2680  roles.emplace(grantee->getName());
2681  }
2682  }
2683  return roles;
2684 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
bool isDashboardSystemRole(const std::string &roleName) const
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

DBSummaryList Catalog_Namespace::SysCatalog::getDatabaseListForUser ( const UserMetadata user)

Definition at line 1853 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, checkPrivileges(), DatabaseDBObjectType, Catalog_Namespace::DBSummary::dbName, getAllDBMetadata(), getAllUserMetadata(), DBObject::loadKey(), DBObject::setPrivileges(), Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

Referenced by ShowDatabasesCommand::execute().

1853  {
1854  DBSummaryList ret;
1855 
1856  std::list<Catalog_Namespace::DBMetadata> db_list = getAllDBMetadata();
1857  std::list<Catalog_Namespace::UserMetadata> user_list = getAllUserMetadata();
1858 
1859  std::map<int32_t, std::string> user_id_to_name_map;
1860  for (const auto& user : user_list) {
1861  user_id_to_name_map.emplace(user.userId, user.userName);
1862  }
1863 
1864  for (auto d : db_list) {
1865  DBObject dbObject(d.dbName, DatabaseDBObjectType);
1866  dbObject.loadKey();
1867  dbObject.setPrivileges(AccessPrivileges::ACCESS);
1868  if (!checkPrivileges(user, std::vector<DBObject>{dbObject})) {
1869  continue;
1870  }
1871 
1872  if (auto it = user_id_to_name_map.find(d.dbOwner); it != user_id_to_name_map.end()) {
1873  ret.emplace_back(DBSummary{d.dbName, it->second});
1874  } else {
1875  ret.emplace_back(DBSummary{d.dbName, "<DELETED>"});
1876  }
1877  }
1878 
1879  return ret;
1880 }
bool checkPrivileges(const UserMetadata &user, const std::vector< DBObject > &privObjects) const
std::list< UserMetadata > getAllUserMetadata()
std::list< DBMetadata > getAllDBMetadata()
static const AccessPrivileges ACCESS
Definition: DBObject.h:153
std::list< DBSummary > DBSummaryList
Definition: SysCatalog.h:145

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Data_Namespace::DataMgr& Catalog_Namespace::SysCatalog::getDataMgr ( ) const
inline

Definition at line 234 of file SysCatalog.h.

References dataMgr_.

Referenced by Executor::clearMemory(), Executor::getExecutor(), foreign_storage::InternalMemoryStatsDataWrapper::initializeObjectsForTable(), foreign_storage::InternalStorageStatsDataWrapper::initializeObjectsForTable(), ResultSet::radixSortOnGpu(), and anonymous_namespace{RelAlgExecutor.cpp}::set_parallelism_hints().

234 { return *dataMgr_; }
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:510

+ Here is the caller graph for this function:

std::optional<DBMetadata> Catalog_Namespace::SysCatalog::getDB ( std::string const &  dbname)
inline

Definition at line 215 of file SysCatalog.h.

References getMetadataForDB().

215  {
216  if (DBMetadata db; getMetadataForDB(dbname, db)) {
217  return db;
218  }
219  return {};
220  }
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

std::optional<DBMetadata> Catalog_Namespace::SysCatalog::getDB ( int32_t const  dbid)
inline

Definition at line 221 of file SysCatalog.h.

References getMetadataForDBById().

221  {
222  if (DBMetadata db; getMetadataForDBById(dbid, db)) {
223  return db;
224  }
225  return {};
226  }
bool getMetadataForDBById(const int32_t idIn, DBMetadata &db)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::getDBObjectPrivileges ( const std::string &  granteeName,
DBObject object,
const Catalog_Namespace::Catalog catalog 
) const

Definition at line 2238 of file SysCatalog.cpp.

References getGrantee(), getMetadataForUser(), instance(), and Catalog_Namespace::UserMetadata::isSuper.

2240  {
2241  sys_read_lock read_lock(this);
2242  UserMetadata user_meta;
2243 
2244  if (instance().getMetadataForUser(granteeName, user_meta)) {
2245  if (user_meta.isSuper) {
2246  throw runtime_error(
2247  "Request to show privileges from " + granteeName +
2248  " failed because user is super user and has all privileges by default.");
2249  }
2250  }
2251  auto* grantee = instance().getGrantee(granteeName);
2252  if (!grantee) {
2253  throw runtime_error("Request to show privileges for " + granteeName +
2254  " failed because role or user with this name does not exist.");
2255  }
2256  object.loadKey(catalog);
2257  grantee->getPrivileges(object, true);
2258 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
static SysCatalog & instance()
Definition: SysCatalog.h:343
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

std::shared_ptr<Catalog> Catalog_Namespace::SysCatalog::getDummyCatalog ( )
inline

Definition at line 369 of file SysCatalog.h.

References dummyCatalog_.

Referenced by Catalog_Namespace::Catalog::getObjForLock().

369 { return dummyCatalog_; }
std::shared_ptr< Catalog > dummyCatalog_
Definition: SysCatalog.h:541

+ Here is the caller graph for this function:

Grantee * Catalog_Namespace::SysCatalog::getGrantee ( const std::string &  name) const

Definition at line 2545 of file SysCatalog.cpp.

References granteeMap_, and to_upper().

Referenced by buildRoleMapUnlocked(), buildUserRoleMapUnlocked(), createRole_unsafe(), createUser(), getDBObjectPrivileges(), getRoleGrantee(), getRoles(), getUserGrantee(), grantDBObjectPrivileges_unsafe(), grantRole_unsafe(), renameDBObject(), renameUser(), revokeDBObjectPrivileges_unsafe(), and revokeRole_unsafe().

2545  {
2546  sys_read_lock read_lock(this);
2547  auto grantee = granteeMap_.find(to_upper(name));
2548  if (grantee == granteeMap_.end()) { // check to make sure role exists
2549  return nullptr;
2550  }
2551  return grantee->second.get(); // returns pointer to role
2552 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
std::string name() const
Definition: SysCatalog.h:358
std::string to_upper(const std::string &str)
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::unordered_map< std::string, std::vector< std::string > > Catalog_Namespace::SysCatalog::getGranteesOfSharedDashboards ( const std::vector< std::string > &  dashboard_ids)

Definition at line 2983 of file SysCatalog.cpp.

References DashboardDBObjectType, sqliteConnector_, and to_string().

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles().

2983  {
2984  sys_sqlite_lock sqlite_lock(this);
2985  std::unordered_map<std::string, std::vector<std::string>> active_grantees;
2986  sqliteConnector_->query("BEGIN TRANSACTION");
2987  try {
2988  for (auto dash : dashboard_ids) {
2989  std::vector<std::string> grantees = {};
2990  sqliteConnector_->query_with_text_params(
2991  "SELECT roleName FROM mapd_object_permissions WHERE objectPermissions NOT IN "
2992  "(0,1) AND objectPermissionsType = ? AND objectId = ?",
2993  std::vector<std::string>{
2994  std::to_string(static_cast<int32_t>(DashboardDBObjectType)), dash});
2995  int num_rows = sqliteConnector_->getNumRows();
2996  if (num_rows == 0) {
2997  // no grantees
2998  continue;
2999  } else {
3000  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
3001  grantees.push_back(sqliteConnector_->getData<string>(i, 0));
3002  }
3003  active_grantees[dash] = grantees;
3004  }
3005  }
3006  } catch (const std::exception& e) {
3007  sqliteConnector_->query("ROLLBACK TRANSACTION");
3008  throw;
3009  }
3010  sqliteConnector_->query("END TRANSACTION");
3011  return active_grantees;
3012 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::vector< ObjectRoleDescriptor > Catalog_Namespace::SysCatalog::getMetadataForAllObjects ( ) const

Definition at line 2576 of file SysCatalog.cpp.

References isDashboardSystemRole(), and objectDescriptorMap_.

2576  {
2577  sys_read_lock read_lock(this);
2578  std::vector<ObjectRoleDescriptor> objects;
2579  for (const auto& entry : objectDescriptorMap_) {
2580  auto object_role = entry.second.get();
2581  if (object_role->dbId != 0 && !isDashboardSystemRole(object_role->roleName)) {
2582  objects.emplace_back(*object_role);
2583  }
2584  }
2585  return objects;
2586 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
bool isDashboardSystemRole(const std::string &roleName) const
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForDB ( const std::string &  name,
DBMetadata db 
)

Definition at line 1822 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, sqliteConnector_, and to_upper().

Referenced by alterUser(), changeDatabaseOwner(), createDatabase(), createUser(), getCatalog(), getDB(), getMetadataWithDefaultDB(), initializeInformationSchemaDb(), migrateDBAccessPrivileges(), renameDatabase(), and Catalog_Namespace::UserAlterations::wouldChange().

1822  {
1823  sys_read_lock read_lock(this);
1824  sys_sqlite_lock sqlite_lock(this);
1825  sqliteConnector_->query_with_text_param(
1826  "SELECT dbid, name, owner FROM mapd_databases WHERE UPPER(name) = ?",
1827  to_upper(name));
1828  int numRows = sqliteConnector_->getNumRows();
1829  if (numRows == 0) {
1830  return false;
1831  }
1832  db.dbId = sqliteConnector_->getData<int>(0, 0);
1833  db.dbName = sqliteConnector_->getData<string>(0, 1);
1834  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1835  return true;
1836 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
std::string name() const
Definition: SysCatalog.h:358
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::string to_upper(const std::string &str)
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForDBById ( const int32_t  idIn,
DBMetadata db 
)

Definition at line 1838 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, sqliteConnector_, and to_string().

Referenced by getDB(), and getMetadataWithDefaultDB().

1838  {
1839  sys_sqlite_lock sqlite_lock(this);
1840  sqliteConnector_->query_with_text_param(
1841  "SELECT dbid, name, owner FROM mapd_databases WHERE dbid = ?",
1842  std::to_string(idIn));
1843  int numRows = sqliteConnector_->getNumRows();
1844  if (numRows == 0) {
1845  return false;
1846  }
1847  db.dbId = sqliteConnector_->getData<int>(0, 0);
1848  db.dbName = sqliteConnector_->getData<string>(0, 1);
1849  db.dbOwner = sqliteConnector_->getData<int>(0, 2);
1850  return true;
1851 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::vector< ObjectRoleDescriptor * > Catalog_Namespace::SysCatalog::getMetadataForObject ( int32_t  dbId,
int32_t  dbType,
int32_t  objectId 
) const

Definition at line 2563 of file SysCatalog.cpp.

References objectDescriptorMap_, and to_string().

Referenced by renameDBObject().

2563  {
2564  sys_read_lock read_lock(this);
2565  std::vector<ObjectRoleDescriptor*> objectsList;
2566 
2567  auto range = objectDescriptorMap_.equal_range(std::to_string(dbId) + ":" +
2568  std::to_string(dbType) + ":" +
2569  std::to_string(objectId));
2570  for (auto d = range.first; d != range.second; ++d) {
2571  objectsList.push_back(d->second.get());
2572  }
2573  return objectsList; // return pointers to objects
2574 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
std::string to_string(char const *&&v)
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForUser ( const std::string &  name,
UserMetadata user 
)

Definition at line 1682 of file SysCatalog.cpp.

References Catalog_Namespace::parseUserMetadataFromSQLite(), sqliteConnector_, and temporary_users_by_name_.

Referenced by alterUser(), changeDatabaseOwner(), checkPasswordForUserImpl(), checkPrivileges(), createUser(), dropUser(), getDBObjectPrivileges(), getMetadataWithDefaultDB(), getRoles(), getUser(), grantDBObjectPrivileges_unsafe(), grantRoleBatch_unsafe(), login(), renameUser(), revokeDBObjectPrivileges_unsafe(), and revokeRoleBatch_unsafe().

1682  {
1683  sys_read_lock read_lock(this);
1684  sys_sqlite_lock sqlite_lock(this);
1685  sqliteConnector_->query_with_text_param(
1686  "SELECT userid, name, passwd_hash, issuper, default_db, can_login FROM mapd_users "
1687  "WHERE name = ?",
1688  name);
1689  int numRows = sqliteConnector_->getNumRows();
1690  if (numRows == 0) {
1691  auto userit = temporary_users_by_name_.find(name);
1692  if (userit != temporary_users_by_name_.end()) {
1693  user = *userit->second;
1694  return true;
1695  } else {
1696  return false;
1697  }
1698  }
1700 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
static bool parseUserMetadataFromSQLite(const std::unique_ptr< SqliteConnector > &conn, UserMetadata &user, int row)
std::string name() const
Definition: SysCatalog.h:358
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unordered_map< std::string, std::shared_ptr< UserMetadata > > temporary_users_by_name_
Definition: SysCatalog.h:542
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::getMetadataForUserById ( const int32_t  idIn,
UserMetadata user 
)

Definition at line 1702 of file SysCatalog.cpp.

References Catalog_Namespace::parseUserMetadataFromSQLite(), sqliteConnector_, temporary_users_by_id_, and to_string().

Referenced by changeDatabaseOwner(), createDatabase(), getUser(), populateRoleDbObjects(), and reassignObjectOwners().

1702  {
1703  sys_sqlite_lock sqlite_lock(this);
1704  sqliteConnector_->query_with_text_param(
1705  "SELECT userid, name, passwd_hash, issuper, default_db, can_login FROM mapd_users "
1706  "WHERE userid = ?",
1707  std::to_string(idIn));
1708  int numRows = sqliteConnector_->getNumRows();
1709  if (numRows == 0) {
1710  auto userit = temporary_users_by_id_.find(idIn);
1711  if (userit != temporary_users_by_id_.end()) {
1712  user = *userit->second;
1713  return true;
1714  } else {
1715  return false;
1716  }
1717  }
1719 }
static bool parseUserMetadataFromSQLite(const std::unique_ptr< SqliteConnector > &conn, UserMetadata &user, int row)
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::unordered_map< int32_t, std::shared_ptr< UserMetadata > > temporary_users_by_id_
Definition: SysCatalog.h:543

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::getMetadataWithDefaultDB ( std::string &  dbname,
const std::string &  username,
Catalog_Namespace::DBMetadata db_meta,
UserMetadata user_meta 
)
private

Definition at line 1786 of file SysCatalog.cpp.

References Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::UserMetadata::defaultDbId, Catalog_Namespace::g_log_user_id, getMetadataForDB(), getMetadataForDBById(), getMetadataForUser(), shared::kDefaultDbName, to_string(), Catalog_Namespace::UserMetadata::userId, and Catalog_Namespace::UserMetadata::userName.

Referenced by login(), and switchDatabase().

1789  {
1790  sys_read_lock read_lock(this);
1791  if (!getMetadataForUser(username, user_meta)) {
1792  throw std::runtime_error("Invalid credentials.");
1793  }
1794 
1795  if (!dbname.empty()) {
1796  if (!getMetadataForDB(dbname, db_meta)) {
1797  throw std::runtime_error("Database name " + dbname + " does not exist.");
1798  }
1799  // loaded the requested database
1800  } else {
1801  if (user_meta.defaultDbId != -1) {
1802  if (!getMetadataForDBById(user_meta.defaultDbId, db_meta)) {
1803  std::string loggable = g_log_user_id ? std::string("") : ' ' + user_meta.userName;
1804  throw std::runtime_error(
1805  "Server error: User #" + std::to_string(user_meta.userId) + loggable +
1806  " has invalid default_db #" + std::to_string(user_meta.defaultDbId) +
1807  " which does not exist.");
1808  }
1809  dbname = db_meta.dbName;
1810  // loaded the user's default database
1811  } else {
1812  if (!getMetadataForDB(shared::kDefaultDbName, db_meta)) {
1813  throw std::runtime_error(std::string("Database ") + shared::kDefaultDbName +
1814  " does not exist.");
1815  }
1816  dbname = shared::kDefaultDbName;
1817  // loaded the mapd database by default
1818  }
1819  }
1820 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
bool getMetadataForUser(const std::string &name, UserMetadata &user)
std::string to_string(char const *&&v)
const std::string kDefaultDbName
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120
bool getMetadataForDBById(const int32_t idIn, DBMetadata &db)
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Role * Catalog_Namespace::SysCatalog::getRoleGrantee ( const std::string &  name) const

Definition at line 2554 of file SysCatalog.cpp.

References getGrantee().

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles(), grantRole_unsafe(), isRoleGrantedToGrantee(), revokeRole_unsafe(), and syncUserWithRemoteProvider().

2554  {
2555  return dynamic_cast<Role*>(getGrantee(name));
2556 }
std::string name() const
Definition: SysCatalog.h:358
Grantee * getGrantee(const std::string &name) const
Definition: Grantee.h:81

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::vector< std::string > Catalog_Namespace::SysCatalog::getRoles ( const std::string &  user_name,
bool  effective = true 
)

Definition at line 2614 of file SysCatalog.cpp.

References getGrantee().

2615  {
2616  sys_read_lock read_lock(this);
2617  auto* grantee = getGrantee(user_name);
2618  if (!grantee) {
2619  throw std::runtime_error("user or role not found");
2620  }
2621  return grantee->getRoles(/*only_direct=*/!effective);
2622 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
Grantee * getGrantee(const std::string &name) const
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

std::vector< std::string > Catalog_Namespace::SysCatalog::getRoles ( bool  include_user_private_role,
bool  is_super,
const std::string &  user_name,
bool  ignore_deleted_user = false 
)

Definition at line 2645 of file SysCatalog.cpp.

References getMetadataForUser(), granteeMap_, isDashboardSystemRole(), and isRoleGrantedToGrantee().

2648  {
2649  sys_read_lock read_lock(this);
2650  if (ignore_deleted_user) {
2651  // In certain cases, it is possible to concurrently call this method while the user is
2652  // being dropped. In such a case, return an empty result.
2653  UserMetadata user;
2654  if (!getMetadataForUser(user_name, user)) {
2655  return {};
2656  }
2657  }
2658  std::vector<std::string> roles;
2659  for (auto& grantee : granteeMap_) {
2660  if (!include_user_private_role && grantee.second->isUser()) {
2661  continue;
2662  }
2663  if (!is_super &&
2664  !isRoleGrantedToGrantee(user_name, grantee.second->getName(), false)) {
2665  continue;
2666  }
2667  if (isDashboardSystemRole(grantee.second->getName())) {
2668  continue;
2669  }
2670  roles.push_back(grantee.second->getName());
2671  }
2672  return roles;
2673 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
bool getMetadataForUser(const std::string &name, UserMetadata &user)
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const
bool isDashboardSystemRole(const std::string &roleName) const
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

std::vector< std::string > Catalog_Namespace::SysCatalog::getRoles ( const std::string &  userName,
const int32_t  dbId 
)

Definition at line 2624 of file SysCatalog.cpp.

References isDashboardSystemRole(), isRoleGrantedToGrantee(), sqliteConnector_, and to_string().

2625  {
2626  sys_sqlite_lock sqlite_lock(this);
2627  std::string sql =
2628  "SELECT DISTINCT roleName FROM mapd_object_permissions WHERE "
2629  "objectPermissions<>0 "
2630  "AND roleType=0 AND dbId=" +
2631  std::to_string(dbId);
2632  sqliteConnector_->query(sql);
2633  int numRows = sqliteConnector_->getNumRows();
2634  std::vector<std::string> roles(0);
2635  for (int r = 0; r < numRows; ++r) {
2636  auto roleName = sqliteConnector_->getData<string>(r, 0);
2637  if (isRoleGrantedToGrantee(userName, roleName, false) &&
2638  !isDashboardSystemRole(roleName)) {
2639  roles.push_back(roleName);
2640  }
2641  }
2642  return roles;
2643 }
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
bool isRoleGrantedToGrantee(const std::string &granteeName, const std::string &roleName, bool only_direct) const
bool isDashboardSystemRole(const std::string &roleName) const

+ Here is the call graph for this function:

SqliteConnector* Catalog_Namespace::SysCatalog::getSqliteConnector ( )
inline

Definition at line 237 of file SysCatalog.h.

References sqliteConnector_.

237 { return sqliteConnector_.get(); }
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::optional<UserMetadata> Catalog_Namespace::SysCatalog::getUser ( std::string const &  uname)
inline

Definition at line 203 of file SysCatalog.h.

References getMetadataForUser().

Referenced by alterUser(), createUser(), and syncUserWithRemoteProvider().

203  {
204  if (UserMetadata user; getMetadataForUser(uname, user)) {
205  return user;
206  }
207  return {};
208  }
bool getMetadataForUser(const std::string &name, UserMetadata &user)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::optional<UserMetadata> Catalog_Namespace::SysCatalog::getUser ( int32_t const  uid)
inline

Definition at line 209 of file SysCatalog.h.

References getMetadataForUserById().

209  {
210  if (UserMetadata user; getMetadataForUserById(uid, user)) {
211  return user;
212  }
213  return {};
214  }
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)

+ Here is the call graph for this function:

User * Catalog_Namespace::SysCatalog::getUserGrantee ( const std::string &  name) const

Definition at line 2558 of file SysCatalog.cpp.

References getGrantee().

Referenced by checkPrivileges(), createDBObject(), Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users(), hasAnyPrivileges(), isRoleGrantedToGrantee(), populateRoleDbObjects(), syncUserWithRemoteProvider(), and verifyDBObjectOwnership().

2558  {
2559  return dynamic_cast<User*>(getGrantee(name));
2560 }
std::string name() const
Definition: SysCatalog.h:358
Definition: Grantee.h:75
Grantee * getGrantee(const std::string &name) const

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantAllOnDatabase_unsafe ( const std::string &  roleName,
DBObject object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 2003 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, AccessPrivileges::ALL_DASHBOARD, AccessPrivileges::ALL_SERVER, AccessPrivileges::ALL_TABLE, AccessPrivileges::ALL_VIEW, DashboardDBObjectType, DatabaseDBObjectType, g_enable_fsi, grantDBObjectPrivileges_unsafe(), ServerDBObjectType, DBObject::setPermissionType(), DBObject::setPrivileges(), TableDBObjectType, AccessPrivileges::VIEW_SQL_EDITOR, and ViewDBObjectType.

Referenced by createDatabase(), and grantDBObjectPrivileges_unsafe().

2005  {
2006  // It's a separate use case because it's easier for implementation to convert ALL ON
2007  // DATABASE into ALL ON DASHBOARDS, ALL ON VIEWS and ALL ON TABLES
2008  // Add DB Access privileges
2009  DBObject tmp_object = object;
2012  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2015  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2018  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2020  tmp_object.setPermissionType(ViewDBObjectType);
2021  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2022 
2023  if (g_enable_fsi) {
2026  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2027  }
2028 
2031  grantDBObjectPrivileges_unsafe(roleName, tmp_object, catalog);
2032  return;
2033 }
static const AccessPrivileges VIEW_SQL_EDITOR
Definition: DBObject.h:152
void setPrivileges(const AccessPrivileges &privs)
Definition: DBObject.h:227
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
static const AccessPrivileges ALL_VIEW
Definition: DBObject.h:177
void setPermissionType(const DBObjectType &permissionType)
Definition: DBObject.cpp:160
static const AccessPrivileges ALL_SERVER
Definition: DBObject.h:187
static const AccessPrivileges ALL_DASHBOARD
Definition: DBObject.h:169
static const AccessPrivileges ACCESS
Definition: DBObject.h:153
static const AccessPrivileges ALL_TABLE
Definition: DBObject.h:157
bool g_enable_fsi
Definition: Catalog.cpp:96

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivileges ( const std::string &  grantee,
const DBObject object,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2873 of file SysCatalog.cpp.

References execInTransaction(), and grantDBObjectPrivileges_unsafe().

2875  {
2877  &SysCatalog::grantDBObjectPrivileges_unsafe, grantee, object, catalog);
2878 }
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivileges_unsafe ( const std::string &  granteeName,
const DBObject  object,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1961 of file SysCatalog.cpp.

References DatabasePrivileges::ALL, CHECK, DatabaseDBObjectType, getGrantee(), getMetadataForUser(), grantAllOnDatabase_unsafe(), Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::insertOrUpdateObjectPrivileges(), instance(), Catalog_Namespace::UserMetadata::is_temporary, Catalog_Namespace::UserMetadata::isSuper, sqliteConnector_, and updateObjectDescriptorMap().

Referenced by createDBObject(), grantAllOnDatabase_unsafe(), grantDBObjectPrivileges(), grantDBObjectPrivilegesBatch_unsafe(), and runUpdateQueriesAndChangeOwnership().

1964  {
1965  object.loadKey(catalog);
1966  CHECK(object.valid());
1967  if (object.getPrivileges().hasPermission(DatabasePrivileges::ALL) &&
1968  object.getObjectKey().permissionType == DatabaseDBObjectType) {
1969  return grantAllOnDatabase_unsafe(granteeName, object, catalog);
1970  }
1971 
1972  sys_write_lock write_lock(this);
1973 
1974  UserMetadata user_meta;
1975  bool is_temporary_user{false};
1976  if (instance().getMetadataForUser(granteeName, user_meta)) {
1977  if (user_meta.isSuper) {
1978  // super doesn't have explicit privileges so nothing to do
1979  return;
1980  }
1981  is_temporary_user = user_meta.is_temporary;
1982  }
1983  auto* grantee = instance().getGrantee(granteeName);
1984  if (!grantee) {
1985  throw runtime_error("Request to grant privileges to " + granteeName +
1986  " failed because role or user with this name does not exist.");
1987  }
1988  grantee->grantPrivileges(object);
1989 
1990  /* apply grant privileges statement to sqlite DB */
1991  std::vector<std::string> objectKey = object.toString();
1992  object.resetPrivileges();
1993  grantee->getPrivileges(object, true);
1994 
1995  if (!is_temporary_user) {
1996  sys_sqlite_lock sqlite_lock(this);
1998  sqliteConnector_, granteeName, grantee->isUser(), object);
1999  }
2000  updateObjectDescriptorMap(granteeName, object, grantee->isUser(), catalog);
2001 }
static const int32_t ALL
Definition: DBObject.h:77
bool getMetadataForUser(const std::string &name, UserMetadata &user)
Grantee * getGrantee(const std::string &name) const
heavyai::unique_lock< heavyai::shared_mutex > write_lock
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, const DBObject &object)
Definition: SysCatalog.cpp:514
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
static SysCatalog & instance()
Definition: SysCatalog.h:343
void grantAllOnDatabase_unsafe(const std::string &roleName, DBObject &object, const Catalog_Namespace::Catalog &catalog)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
void updateObjectDescriptorMap(const std::string &roleName, DBObject &object, bool roleType, const Catalog_Namespace::Catalog &cat)
#define CHECK(condition)
Definition: Logger.h:291

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivilegesBatch ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)

Definition at line 2880 of file SysCatalog.cpp.

References execInTransaction(), and grantDBObjectPrivilegesBatch_unsafe().

2882  {
2884  &SysCatalog::grantDBObjectPrivilegesBatch_unsafe, grantees, objects, catalog);
2885 }
void grantDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::grantDBObjectPrivilegesBatch_unsafe ( const std::vector< std::string > &  grantees,
const std::vector< DBObject > &  objects,
const Catalog_Namespace::Catalog catalog 
)
private

Definition at line 1949 of file SysCatalog.cpp.

References grantDBObjectPrivileges_unsafe().

Referenced by grantDBObjectPrivilegesBatch(), and reassignObjectOwners().

1952  {
1953  for (const auto& grantee : grantees) {
1954  for (const auto& object : objects) {
1955  grantDBObjectPrivileges_unsafe(grantee, object, catalog);
1956  }
1957  }
1958 }
void grantDBObjectPrivileges_unsafe(const std::string &granteeName, const DBObject object, const Catalog_Namespace::Catalog &catalog)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantDefaultPrivilegesToRole_unsafe ( const std::string &  name,
bool  issuper 
)
private
void Catalog_Namespace::SysCatalog::grantRole ( const std::string &  role,
const std::string &  grantee,
const bool  is_temporary = false 
)

Definition at line 2856 of file SysCatalog.cpp.

References execInTransaction(), and grantRole_unsafe().

Referenced by syncUserWithRemoteProvider().

2858  {
2859  execInTransaction(&SysCatalog::grantRole_unsafe, role, grantee, is_temporary);
2860 }
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName, const bool is_temporary)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantRole_unsafe ( const std::string &  roleName,
const std::string &  granteeName,
const bool  is_temporary 
)
private

Definition at line 2333 of file SysCatalog.cpp.

References getGrantee(), getRoleGrantee(), and sqliteConnector_.

Referenced by grantRole(), and grantRoleBatch_unsafe().

2335  {
2336  auto* rl = getRoleGrantee(roleName);
2337  if (!rl) {
2338  throw runtime_error("Request to grant role " + roleName +
2339  " failed because role with this name does not exist.");
2340  }
2341  auto* grantee = getGrantee(granteeName);
2342  if (!grantee) {
2343  throw runtime_error("Request to grant role " + roleName + " failed because grantee " +
2344  granteeName + " does not exist.");
2345  }
2346  sys_write_lock write_lock(this);
2347  if (!grantee->hasRole(rl, true)) {
2348  grantee->grantRole(rl);
2349  if (!is_temporary) {
2350  sys_sqlite_lock sqlite_lock(this);
2351  sqliteConnector_->query_with_text_params(
2352  "INSERT INTO mapd_roles(roleName, userName) VALUES (?, ?)",
2353  std::vector<std::string>{rl->getName(), grantee->getName()});
2354  }
2355  }
2356 }
Grantee * getGrantee(const std::string &name) const
heavyai::unique_lock< heavyai::shared_mutex > write_lock
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
Role * getRoleGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantRoleBatch ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)

Definition at line 2851 of file SysCatalog.cpp.

References execInTransaction(), and grantRoleBatch_unsafe().

Referenced by Catalog_Namespace::Catalog::createDashboardSystemRoles().

2852  {
2854 }
void grantRoleBatch_unsafe(const std::vector< std::string > &roles, const std::vector< std::string > &grantees)
void execInTransaction(F &&f, Args &&...args)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::grantRoleBatch_unsafe ( const std::vector< std::string > &  roles,
const std::vector< std::string > &  grantees 
)
private

Definition at line 2318 of file SysCatalog.cpp.

References getMetadataForUser(), grantRole_unsafe(), and Catalog_Namespace::UserMetadata::is_temporary.

Referenced by grantRoleBatch().

2319  {
2320  for (const auto& role : roles) {
2321  for (const auto& grantee : grantees) {
2322  bool is_temporary_user{false};
2323  UserMetadata user;
2324  if (getMetadataForUser(grantee, user)) {
2325  is_temporary_user = user.is_temporary;
2326  }
2327  grantRole_unsafe(role, grantee, is_temporary_user);
2328  }
2329  }
2330 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
void grantRole_unsafe(const std::string &roleName, const std::string &granteeName, const bool is_temporary)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::hasAnyPrivileges ( const UserMetadata user,
std::vector< DBObject > &  privObjects 
)

Definition at line 2493 of file SysCatalog.cpp.

References getUserGrantee(), instance(), Catalog_Namespace::UserMetadata::isSuper, Catalog_Namespace::UserMetadata::userLoggable(), and Catalog_Namespace::UserMetadata::userName.

2494  {
2495  sys_read_lock read_lock(this);
2496  if (user.isSuper) {
2497  return true;
2498  }
2499  auto* user_rl = instance().getUserGrantee(user.userName);
2500  if (!user_rl) {
2501  throw runtime_error("Cannot check privileges. User " + user.userLoggable() +
2502  " does not exist.");
2503  }
2504  for (std::vector<DBObject>::iterator objectIt = privObjects.begin();
2505  objectIt != privObjects.end();
2506  ++objectIt) {
2507  if (!user_rl->hasAnyPrivileges(*objectIt, false)) {
2508  return false;
2509  }
2510  }
2511  return true;
2512 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
static SysCatalog & instance()
Definition: SysCatalog.h:343
User * getUserGrantee(const std::string &name) const
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

bool Catalog_Namespace::SysCatalog::hasExecutedMigration ( const std::string &  migration_name) const

Definition at line 3145 of file SysCatalog.cpp.

References hasVersionHistoryTable(), and sqliteConnector_.

Referenced by checkDuplicateCaseInsensitiveDbNames(), and initializeInformationSchemaDb().

3145  {
3146  if (hasVersionHistoryTable()) {
3147  sys_sqlite_lock sqlite_lock(this);
3148  sqliteConnector_->query_with_text_params(
3149  "SELECT migration_history FROM mapd_version_history WHERE migration_history = ?",
3150  std::vector<std::string>{migration_name});
3151  return (sqliteConnector_->getNumRows() > 0);
3152  }
3153  return false;
3154 }
bool hasVersionHistoryTable() const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::hasVersionHistoryTable ( ) const
private

Definition at line 3166 of file SysCatalog.cpp.

References sqliteConnector_.

Referenced by hasExecutedMigration(), and recordExecutedMigration().

3166  {
3167  sys_sqlite_lock sqlite_lock(this);
3168  sqliteConnector_->query(
3169  "select name from sqlite_master WHERE type='table' AND "
3170  "name='mapd_version_history'");
3171  return (sqliteConnector_->getNumRows() > 0);
3172 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::importDataFromOldMapdDB ( )
private

Definition at line 396 of file SysCatalog.cpp.

References basePath_, logger::ERROR, logger::INFO, shared::kCatalogDirectoryName, shared::kSystemCatalogName, LOG, and sqliteConnector_.

396  {
397  sys_sqlite_lock sqlite_lock(this);
398  std::string mapd_db_path = basePath_ + "/" + shared::kCatalogDirectoryName + "/mapd";
399  sqliteConnector_->query("ATTACH DATABASE `" + mapd_db_path + "` as old_cat");
400  sqliteConnector_->query("BEGIN TRANSACTION");
401  LOG(INFO) << "Moving global metadata into a separate catalog";
402  try {
403  auto moveTableIfExists = [conn = sqliteConnector_.get()](const std::string& tableName,
404  bool deleteOld = true) {
405  conn->query("SELECT sql FROM old_cat.sqlite_master WHERE type='table' AND name='" +
406  tableName + "'");
407  if (conn->getNumRows() != 0) {
408  conn->query(conn->getData<string>(0, 0));
409  conn->query("INSERT INTO " + tableName + " SELECT * FROM old_cat." + tableName);
410  if (deleteOld) {
411  conn->query("DROP TABLE old_cat." + tableName);
412  }
413  }
414  };
415  moveTableIfExists("mapd_users");
416  moveTableIfExists("mapd_databases");
417  moveTableIfExists("mapd_roles");
418  moveTableIfExists("mapd_object_permissions");
419  moveTableIfExists("mapd_privileges");
420  moveTableIfExists("mapd_version_history", false);
421  } catch (const std::exception& e) {
422  LOG(ERROR) << "Failed to move global metadata into a separate catalog: " << e.what();
423  sqliteConnector_->query("ROLLBACK TRANSACTION");
424  try {
425  sqliteConnector_->query("DETACH DATABASE old_cat");
426  } catch (const std::exception&) {
427  // nothing to do here
428  }
429  throw;
430  }
431  sqliteConnector_->query("END TRANSACTION");
432  const std::string sys_catalog_path =
433  basePath_ + "/" + shared::kCatalogDirectoryName + "/" + shared::kSystemCatalogName;
434  LOG(INFO) << "Global metadata has been successfully moved into a separate catalog: "
435  << sys_catalog_path
436  << ". Using this database with an older version of heavydb "
437  "is now impossible.";
438  try {
439  sqliteConnector_->query("DETACH DATABASE old_cat");
440  } catch (const std::exception&) {
441  // nothing to do here
442  }
443 }
#define LOG(tag)
Definition: Logger.h:285
const std::string kSystemCatalogName
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
const std::string kCatalogDirectoryName
void Catalog_Namespace::SysCatalog::init ( const std::string &  basePath,
std::shared_ptr< Data_Namespace::DataMgr dataMgr,
const AuthMetadata authMetadata,
std::shared_ptr< Calcite calcite,
bool  is_new_db,
bool  aggregator,
const std::vector< LeafHostInfo > &  string_dict_hosts 
)

Definition at line 191 of file SysCatalog.cpp.

References anonymous_namespace{SysCatalog.cpp}::copy_catalog_if_read_only(), Catalog_Namespace::dsqliteMutex_(), g_multi_instance, shared::kCatalogDirectoryName, shared::kLockfilesDirectoryName, shared::kSystemCatalogName, migrations::MigrationMgr::migrationEnabled(), migrations::MigrationMgr::relaxMigrationLock(), and migrations::MigrationMgr::takeMigrationLock().

197  {
198  basePath_ = !g_multi_instance ? copy_catalog_if_read_only(basePath).string() : basePath;
201  dcatalogMutex_ = std::make_unique<heavyai::DistributedSharedMutex>(
202  std::filesystem::path(basePath_) / shared::kLockfilesDirectoryName /
204  [this](size_t) {
206  *dsqliteMutex_);
208  });
209  dsqliteMutex_ = std::make_unique<heavyai::DistributedSharedMutex>(
210  std::filesystem::path(basePath_) / shared::kLockfilesDirectoryName /
213  sys_sqlite_lock sqlite_lock(this);
214  dataMgr_ = dataMgr;
215  authMetadata_ = &authMetadata;
216  pki_server_.reset(new PkiServer(*authMetadata_));
217  calciteMgr_ = calcite;
218  string_dict_hosts_ = string_dict_hosts;
219  aggregator_ = aggregator;
221  if (is_new_db) {
222  initDB();
223  } else {
224  bool db_exists =
225  boost::filesystem::exists(basePath_ + "/" + shared::kCatalogDirectoryName + "/" +
227  if (!db_exists) {
229  }
233  }
234  }
235  buildMaps(is_new_db);
236  is_initialized_ = true;
237 }
void buildMaps(bool is_new_db=false)
Definition: SysCatalog.cpp:243
bool g_multi_instance
Definition: heavyai_locks.h:21
static void relaxMigrationLock()
const std::string kSystemCatalogName
heavyai::unique_lock< heavyai::shared_mutex > write_lock
std::unique_ptr< PkiServer > pki_server_
Definition: SysCatalog.h:511
const AuthMetadata * authMetadata_
Definition: SysCatalog.h:512
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
static bool migrationEnabled()
Definition: MigrationMgr.h:43
std::shared_ptr< Data_Namespace::DataMgr > dataMgr_
Definition: SysCatalog.h:510
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_lock< T > unique_lock
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::unique_ptr< heavyai::DistributedSharedMutex > dsqliteMutex_
Definition: SysCatalog.h:534
static void takeMigrationLock(const std::string &base_path)
void buildMapsUnlocked(bool is_new_db=false)
Definition: SysCatalog.cpp:250
const std::string kCatalogDirectoryName
std::vector< LeafHostInfo > string_dict_hosts_
Definition: SysCatalog.h:514
std::unique_ptr< heavyai::DistributedSharedMutex > dcatalogMutex_
Definition: SysCatalog.h:533
std::shared_ptr< Calcite > calciteMgr_
Definition: SysCatalog.h:513
const std::string kLockfilesDirectoryName
std::filesystem::path copy_catalog_if_read_only(std::filesystem::path base_data_path)
Definition: SysCatalog.cpp:79

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::initDB ( )
private

Definition at line 315 of file SysCatalog.cpp.

References createDatabase(), createRole_unsafe(), g_read_only, anonymous_namespace{SysCatalog.cpp}::hash_with_bcrypt(), shared::kDefaultDbName, shared::kDefaultRootPasswd, shared::kRootUserId, shared::kRootUserIdStr, shared::kRootUsername, and sqliteConnector_.

315  {
316  if (g_read_only) {
317  throw std::runtime_error("can't init a new database in read-only mode");
318  }
319  sys_sqlite_lock sqlite_lock(this);
320  sqliteConnector_->query("BEGIN TRANSACTION");
321  try {
322  sqliteConnector_->query(
323  "CREATE TABLE mapd_users (userid integer primary key, name text unique, "
324  "passwd_hash text, issuper boolean, default_db integer references "
325  "mapd_databases, can_login boolean)");
326  sqliteConnector_->query_with_text_params(
327  "INSERT INTO mapd_users VALUES (?, ?, ?, 1, NULL, 1)",
328  std::vector<std::string>{shared::kRootUserIdStr,
331  sqliteConnector_->query(
332  "CREATE TABLE mapd_databases (dbid integer primary key, name text unique, owner "
333  "integer references mapd_users)");
334  sqliteConnector_->query(
335  "CREATE TABLE mapd_roles(roleName text, userName text, UNIQUE(roleName, "
336  "userName))");
337  sqliteConnector_->query(
338  "CREATE TABLE mapd_object_permissions ("
339  "roleName text, "
340  "roleType bool, "
341  "dbId integer references mapd_databases, "
342  "objectName text, "
343  "objectId integer, "
344  "objectPermissionsType integer, "
345  "objectPermissions integer, "
346  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
347  "objectId))");
348  } catch (const std::exception&) {
349  sqliteConnector_->query("ROLLBACK TRANSACTION");
350  throw;
351  }
352  sqliteConnector_->query("END TRANSACTION");
355  shared::kRootUsername, /*userPrivateRole=*/true, /*is_temporary=*/false);
356 }
const int kRootUserId
void createRole_unsafe(const std::string &roleName, const bool userPrivateRole, const bool is_temporary)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
const std::string kDefaultDbName
std::string hash_with_bcrypt(const std::string &pwd)
Definition: SysCatalog.cpp:71
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
const std::string kRootUsername
bool g_read_only
Definition: File.cpp:40
const std::string kDefaultRootPasswd
const std::string kRootUserIdStr
void createDatabase(const std::string &dbname, int owner)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::initializeInformationSchemaDb ( )
private

Definition at line 3124 of file SysCatalog.cpp.

References createDatabase(), dropDatabase(), g_enable_system_tables, getMetadataForDB(), hasExecutedMigration(), shared::kInfoSchemaDbName, shared::kInfoSchemaMigrationName, shared::kRootUserId, LOG, recordExecutedMigration(), and logger::WARNING.

3124  {
3126  sys_write_lock write_lock(this);
3127  DBMetadata db_metadata;
3128  if (getMetadataForDB(shared::kInfoSchemaDbName, db_metadata)) {
3129  LOG(WARNING) << "A database with name \"" << shared::kInfoSchemaDbName
3130  << "\" already exists. System table creation will be skipped. Rename "
3131  "this database in order to use system tables.";
3132  } else {
3134  try {
3136  } catch (...) {
3138  dropDatabase(db_metadata);
3139  throw;
3140  }
3141  }
3142  }
3143 }
void recordExecutedMigration(const std::string &migration_name) const
const int kRootUserId
#define LOG(tag)
Definition: Logger.h:285
void dropDatabase(const DBMetadata &db)
heavyai::unique_lock< heavyai::shared_mutex > write_lock
const std::string kInfoSchemaDbName
bool g_enable_system_tables
Definition: SysCatalog.cpp:64
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
bool hasExecutedMigration(const std::string &migration_name) const
void createDatabase(const std::string &dbname, int owner)
const std::string kInfoSchemaMigrationName
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

static SysCatalog& Catalog_Namespace::SysCatalog::instance ( )
inlinestatic

Definition at line 343 of file SysCatalog.h.

References instance_, instance_mutex_, and SysCatalog().

Referenced by foreign_storage::anonymous_namespace{LogFileBufferParser.cpp}::add_nonce_values(), Executor::addDeletedColumn(), QueryFragmentDescriptor::buildFragmentPerKernelMap(), foreign_storage::cache_blocks(), AlterForeignServerCommand::changeForeignServerOwner(), AlterDatabaseCommand::changeOwner(), anonymous_namespace{Calcite.cpp}::check_db_access(), anonymous_namespace{DBHandler.cpp}::check_in_memory_system_table_query(), Catalog_Namespace::SessionInfo::checkDBAccessPrivileges(), DBHandler::checkInMemorySystemTableQuery(), anonymous_namespace{Calcite.cpp}::checkPermissionForTables(), checkPrivileges(), QueryRunner::QueryRunner::clearCpuMemory(), QueryRunner::QueryRunner::clearGpuMemory(), Executor::clearMemory(), Executor::computeStringDictionaryGenerations(), Parser::create_stmt_for_query(), anonymous_namespace{ExternalExecutor.cpp}::create_table_schema(), Catalog_Namespace::Catalog::createDashboardSystemRoles(), createDBObject(), foreign_storage::ForeignDataWrapperFactory::createForeignTableProxy(), foreign_storage::ParquetDataWrapper::createRenderGroupAnalyzers(), foreign_storage::AbstractTextFileDataWrapper::createRenderGroupAnalyzers(), QueryRunner::QueryRunner::createStatement(), DictionaryValueConverter< TARGET_TYPE >::DictionaryValueConverter(), CreateForeignServerCommand::execute(), DropForeignServerCommand::execute(), CreateForeignTableCommand::execute(), ShowCreateTableCommand::execute(), ShowDatabasesCommand::execute(), ShowUserDetailsCommand::execute(), ShowRolesCommand::execute(), RefreshForeignTablesCommand::execute(), AlterDatabaseCommand::execute(), foreign_storage::ParquetDataWrapper::fetchChunkMetadata(), foreign_storage::ForeignTableSchema::ForeignTableSchema(), anonymous_namespace{SerializeToSql.cpp}::from_to_string(), foreign_storage::anonymous_namespace{InternalCatalogDataWrapper.cpp}::get_all_dashboards(), foreign_storage::anonymous_namespace{InternalCatalogDataWrapper.cpp}::get_all_role_assignments(), foreign_storage::anonymous_namespace{InternalCatalogDataWrapper.cpp}::get_all_tables(), foreign_storage::anonymous_namespace{InternalMemoryStatsDataWrapper.cpp}::get_column_name(), foreign_storage::get_db_name(), foreign_storage::get_foreign_table_for_key(), Catalog_Namespace::get_metadata_for_column(), Catalog_Namespace::get_metadata_for_table(), anonymous_namespace{RelAlgExecutor.cpp}::get_physical_inputs_with_spi_col_id(), foreign_storage::anonymous_namespace{InternalCatalogDataWrapper.cpp}::get_table_ddl(), foreign_storage::get_table_name(), Catalog_Namespace::anonymous_namespace{Catalog.cpp}::get_user_id_to_user_name_map(), foreign_storage::anonymous_namespace{InternalCatalogDataWrapper.cpp}::get_user_name(), QueryRunner::QueryRunner::getBufferPoolStats(), QueryRunner::QueryRunner::getCalcitePlan(), foreign_storage::ParseBufferRequest::getCatalog(), anonymous_namespace{RelAlgDag.cpp}::getCatalogAndTableFromScanNode(), foreign_storage::ParquetImportBatchResult::getChunksAndDictionaries(), lockmgr::TableLockMgrImpl< TableDataLockMgr >::getClusterTableMutex(), foreign_storage::ParquetDataWrapper::getColumnsToInitialize(), getDBObjectPrivileges(), QueryRunner::QueryRunner::getExecutor(), Executor::getExecutor(), RelAlgTranslator::getInIntegerSetExpr(), QueryRunner::QueryRunner::getMemoryInfo(), Catalog_Namespace::Catalog::getObjForLock(), RowSetMemoryOwner::getOrAddStringDictProxy(), Parser::LocalQueryConnector::getOuterFragmentCount(), QueryRunner::QueryRunner::getParsedGlobalQueryHints(), QueryRunner::QueryRunner::getParsedQueryHint(), QueryRunner::QueryRunner::getParsedQueryHints(), QueryRunner::QueryRunner::getQueryInfoForDataRecyclerTest(), QueryRunner::QueryRunner::getRaExecutionSequence(), QueryRunner::QueryRunner::getRelAlgDag(), QueryRunner::QueryRunner::getRelAlgTranslator(), QueryRunner::QueryRunner::getRootNodeFromParsedQuery(), InputTableInfoCache::getTableInfo(), grantDBObjectPrivileges_unsafe(), hasAnyPrivileges(), EmbeddedDatabase::DBEngineImpl::importArrowTable(), foreign_storage::init_chunk_for_column(), foreign_storage::Csv::init_chunk_for_column(), foreign_storage::InternalCatalogDataWrapper::initializeObjectsForTable(), foreign_storage::InternalMemoryStatsDataWrapper::initializeObjectsForTable(), foreign_storage::InternalStorageStatsDataWrapper::initializeObjectsForTable(), PersistentStorageMgr::isForeignStorage(), Executor::isFragmentFullyDeleted(), isRoleGrantedToGrantee(), foreign_storage::AbstractTextFileDataWrapper::iterativeFileScan(), boost::serialization::load_construct_data(), foreign_storage::ParquetDataWrapper::loadBuffersUsingLazyParquetChunkLoader(), DBObject::loadKey(), main(), foreign_storage::populate_string_dictionary(), foreign_storage::InternalSystemDataWrapper::populateChunkBuffers(), foreign_storage::AbstractTextFileDataWrapper::populateChunkBuffers(), foreign_storage::InternalSystemDataWrapper::populateChunkMetadata(), foreign_storage::AbstractTextFileDataWrapper::populateChunkMetadata(), anonymous_namespace{RelAlgExecutor.cpp}::prepare_for_system_table_execution(), anonymous_namespace{RelAlgExecutor.cpp}::prepare_string_dictionaries(), DBHandler::processCalciteRequest(), QueryRunner::QueryRunner::QueryRunner(), ResultSet::radixSortOnGpu(), Catalog_Namespace::Catalog::recordOwnershipOfObjectsInObjectPermissions(), AlterDatabaseCommand::rename(), AlterForeignServerCommand::renameForeignServer(), revokeDBObjectPrivileges_unsafe(), QueryRewriter::rewriteColumnarUpdate(), QueryRunner::QueryRunner::runDDLStatement(), QueryRunner::QueryRunner::runSelectQuery(), QueryRunner::QueryRunner::runSQL(), QueryRunner::QueryRunner::runSQLWithAllowingInterrupt(), anonymous_namespace{RelAlgExecutor.cpp}::set_parallelism_hints(), EmbeddedDatabase::DBEngineImpl::setDatabase(), foreign_storage::ForeignTableRefreshScheduler::start(), StringValueConverter::StringValueConverter(), foreign_storage::AbstractTextFileDataWrapper::updateMetadata(), verifyDBObjectOwnership(), ScalarExprToSql::visitColumnVar(), and Catalog_Namespace::UserAlterations::wouldChange().

343  {
345  if (!instance_) {
346  instance_.reset(new SysCatalog());
347  }
348  return *instance_;
349  }
static std::unique_ptr< SysCatalog > instance_
Definition: SysCatalog.h:525
static std::mutex instance_mutex_
Definition: SysCatalog.h:524
std::unique_lock< T > unique_lock

+ Here is the call graph for this function:

bool Catalog_Namespace::SysCatalog::isAggregator ( ) const
inline

Definition at line 342 of file SysCatalog.h.

References aggregator_.

Referenced by Parser::create_stmt_for_query(), ShowCreateTableCommand::execute(), Parser::LocalQueryConnector::getOuterFragmentCount(), and DBHandler::processCalciteRequest().

342 { return aggregator_; }

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::isDashboardSystemRole ( const std::string &  roleName) const
private

Definition at line 2610 of file SysCatalog.cpp.

References SYSTEM_ROLE_TAG().

Referenced by getCreatedRoles(), getMetadataForAllObjects(), and getRoles().

2610  {
2611  return boost::algorithm::ends_with(roleName, SYSTEM_ROLE_TAG);
2612 }
static const std::string SYSTEM_ROLE_TAG("#dash_system_role")
specifies the content in-memory of a row in the dashboard

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Catalog_Namespace::SysCatalog::isInitialized ( ) const

Definition at line 239 of file SysCatalog.cpp.

239  {
240  return is_initialized_;
241 };
bool Catalog_Namespace::SysCatalog::isRoleGrantedToGrantee ( const std::string &  granteeName,
const std::string &  roleName,
bool  only_direct 
) const

Definition at line 2588 of file SysCatalog.cpp.

References CHECK, getRoleGrantee(), getUserGrantee(), Grantee::hasRole(), and instance().

Referenced by getRoles().

2590  {
2591  sys_read_lock read_lock(this);
2592  if (roleName == granteeName) {
2593  return true;
2594  }
2595  bool is_role_granted = false;
2596  auto* target_role = instance().getRoleGrantee(roleName);
2597  auto has_role = [&](auto grantee_rl) {
2598  is_role_granted = target_role && grantee_rl->hasRole(target_role, only_direct);
2599  };
2600  if (auto* user_role = instance().getUserGrantee(granteeName); user_role) {
2601  has_role(user_role);
2602  } else if (auto* role = instance().getRoleGrantee(granteeName); role) {
2603  has_role(role);
2604  } else {
2605  CHECK(false);
2606  }
2607  return is_role_granted;
2608 }
heavyai::shared_lock< heavyai::shared_mutex > read_lock
static SysCatalog & instance()
Definition: SysCatalog.h:343
Role * getRoleGrantee(const std::string &name) const
User * getUserGrantee(const std::string &name) const
bool hasRole(Role *role, bool only_direct) const
Definition: Grantee.cpp:55
#define CHECK(condition)
Definition: Logger.h:291
read_lock< SysCatalog > sys_read_lock
Definition: Catalog.cpp:120

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::shared_ptr< Catalog > Catalog_Namespace::SysCatalog::login ( std::string &  db,
std::string &  username,
const std::string &  password,
UserMetadata user_meta,
bool  check_password = true 
)

logins (connects) a user against a database.

throws a std::exception in all error cases! (including wrong password)

Definition at line 923 of file SysCatalog.cpp.

References Catalog_Namespace::UserMetadata::can_login, getCatalog(), getMetadataForUser(), getMetadataWithDefaultDB(), and loginImpl().

927  {
928  // NOTE(sy): The dbname isn't const because getMetadataWithDefaultDB()
929  // can reset it. The username isn't const because SamlServer's
930  // login()/authenticate_user() can reset it.
931 
932  if (check_password) {
933  loginImpl(username, password, user_meta);
934  } else { // not checking for password so user must exist
935  if (!getMetadataForUser(username, user_meta)) {
936  throw std::runtime_error("Invalid credentials.");
937  }
938  }
939  // we should have a user and user_meta by now
940  if (!user_meta.can_login) {
941  throw std::runtime_error("Unauthorized Access: User " + username + " is deactivated");
942  }
944  getMetadataWithDefaultDB(dbname, username, db_meta, user_meta);
945  return getCatalog(db_meta, false);
946 }
bool getMetadataForUser(const std::string &name, UserMetadata &user)
void loginImpl(std::string &username, const std::string &password, UserMetadata &user_meta)
Definition: SysCatalog.cpp:949
void getMetadataWithDefaultDB(std::string &dbname, const std::string &username, Catalog_Namespace::DBMetadata &db_meta, UserMetadata &user_meta)
std::shared_ptr< Catalog > getCatalog(const std::string &dbName)

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::loginImpl ( std::string &  username,
const std::string &  password,
UserMetadata user_meta 
)
private

Definition at line 949 of file SysCatalog.cpp.

References checkPasswordForUser().

Referenced by login().

951  {
952  if (!checkPasswordForUser(password, username, user_meta)) {
953  throw std::runtime_error("Authentication failure");
954  }
955 }
bool checkPasswordForUser(const std::string &passwd, std::string &name, UserMetadata &user)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::migrateDBAccessPrivileges ( )
private

Definition at line 805 of file SysCatalog.cpp.

References AccessPrivileges::ACCESS, CHECK, DatabaseDBObjectType, DBObjectKey::dbId, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::DBMetadata::dbName, Catalog_Namespace::DBMetadata::dbOwner, logger::ERROR, getMetadataForDB(), logger::INFO, Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::insertOrUpdateObjectPrivileges(), shared::kRootUserId, LOG, MAPD_VERSION, DBObjectKey::permissionType, DBObject::setName(), DBObject::setObjectType(), sqliteConnector_, to_string(), DBObject::updatePrivileges(), and AccessPrivileges::VIEW_SQL_EDITOR.

Referenced by checkAndExecuteMigrations().

805  {
806  sys_sqlite_lock sqlite_lock(this);
807  sqliteConnector_->query("BEGIN TRANSACTION");
808  try {
809  sqliteConnector_->query(
810  "select name from sqlite_master WHERE type='table' AND "
811  "name='mapd_version_history'");
812  if (sqliteConnector_->getNumRows() == 0) {
813  sqliteConnector_->query(
814  "CREATE TABLE mapd_version_history(version integer, migration_history text "
815  "unique)");
816  } else {
817  sqliteConnector_->query(
818  "select * from mapd_version_history where migration_history = "
819  "'db_access_privileges'");
820  if (sqliteConnector_->getNumRows() != 0) {
821  // both privileges migrated
822  // no need for further execution
823  sqliteConnector_->query("END TRANSACTION");
824  return;
825  }
826  }
827  // Insert check for migration
828  sqliteConnector_->query_with_text_params(
829  "INSERT INTO mapd_version_history(version, migration_history) values(?,?)",
830  std::vector<std::string>{std::to_string(MAPD_VERSION), "db_access_privileges"});
831 
832  sqliteConnector_->query("select dbid, name from mapd_databases");
833  std::unordered_map<int, string> databases;
834  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
835  databases[sqliteConnector_->getData<int>(i, 0)] =
836  sqliteConnector_->getData<string>(i, 1);
837  }
838 
839  sqliteConnector_->query("select userid, name from mapd_users");
840  std::unordered_map<int, string> users;
841  for (size_t i = 0; i < sqliteConnector_->getNumRows(); ++i) {
842  users[sqliteConnector_->getData<int>(i, 0)] =
843  sqliteConnector_->getData<string>(i, 1);
844  }
845 
846  // All existing users by default will be granted DB Access permissions
847  // and view sql editor privileges
848  DBMetadata dbmeta;
849  for (auto db_ : databases) {
850  CHECK(getMetadataForDB(db_.second, dbmeta));
851  for (auto user : users) {
852  if (user.first != shared::kRootUserId) {
853  {
854  DBObjectKey key;
856  key.dbId = dbmeta.dbId;
857 
858  // access permission;
859  DBObject object_access(key, AccessPrivileges::ACCESS, dbmeta.dbOwner);
860  object_access.setObjectType(DBObjectType::DatabaseDBObjectType);
861  object_access.setName(dbmeta.dbName);
862  // sql_editor permission
863  DBObject object_editor(
864  key, AccessPrivileges::VIEW_SQL_EDITOR, dbmeta.dbOwner);
865  object_editor.setObjectType(DBObjectType::DatabaseDBObjectType);
866  object_editor.setName(dbmeta.dbName);
867  object_editor.updatePrivileges(object_access);
869  sqliteConnector_, user.second, true, object_editor);
870  }
871  }
872  }
873  }
874  } catch (const std::exception& e) {
875  LOG(ERROR) << "Failed to migrate db access privileges: " << e.what();
876  sqliteConnector_->query("ROLLBACK TRANSACTION");
877  throw;
878  }
879  sqliteConnector_->query("END TRANSACTION");
880  LOG(INFO) << "Successfully migrated db access privileges";
881 }
static const AccessPrivileges VIEW_SQL_EDITOR
Definition: DBObject.h:152
const int kRootUserId
#define LOG(tag)
Definition: Logger.h:285
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, const DBObject &object)
Definition: SysCatalog.cpp:514
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
static const int32_t MAPD_VERSION
Definition: release.h:32
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
int32_t dbId
Definition: DBObject.h:54
static const AccessPrivileges ACCESS
Definition: DBObject.h:153
#define CHECK(condition)
Definition: Logger.h:291
int32_t permissionType
Definition: DBObject.h:53
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::migratePrivileged_old ( )
private

Definition at line 883 of file SysCatalog.cpp.

References sqliteConnector_.

Referenced by checkAndExecuteMigrations().

883  {
884  sys_sqlite_lock sqlite_lock(this);
885 
886  sqliteConnector_->query("BEGIN TRANSACTION");
887  try {
888  sqliteConnector_->query(
889  "CREATE TABLE IF NOT EXISTS mapd_privileges (userid integer references "
890  "mapd_users, dbid integer references "
891  "mapd_databases, select_priv boolean, insert_priv boolean, UNIQUE(userid, "
892  "dbid))");
893  } catch (const std::exception& e) {
894  sqliteConnector_->query("ROLLBACK TRANSACTION");
895  throw;
896  }
897  sqliteConnector_->query("END TRANSACTION");
898 }
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::migratePrivileges ( )
private

Definition at line 547 of file SysCatalog.cpp.

References AccessPrivileges::ALL_DASHBOARD_MIGRATE, AccessPrivileges::ALL_TABLE_MIGRATE, AccessPrivileges::ALL_VIEW_MIGRATE, DashboardDBObjectType, DatabaseDBObjectType, Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::insertOrUpdateObjectPrivileges(), shared::kRootUserId, AccessPrivileges::NONE, sqliteConnector_, TableDBObjectType, run_benchmark_import::type, and ViewDBObjectType.

Referenced by checkAndExecuteMigrations().

547  {
548  sys_sqlite_lock sqlite_lock(this);
549  sqliteConnector_->query("BEGIN TRANSACTION");
550  try {
551  sqliteConnector_->query(
552  "SELECT name FROM sqlite_master WHERE type='table' AND "
553  "name='mapd_object_permissions'");
554  if (sqliteConnector_->getNumRows() != 0) {
555  // already done
556  sqliteConnector_->query("END TRANSACTION");
557  return;
558  }
559 
560  sqliteConnector_->query(
561  "CREATE TABLE IF NOT EXISTS mapd_object_permissions ("
562  "roleName text, "
563  "roleType bool, "
564  "dbId integer references mapd_databases, "
565  "objectName text, "
566  "objectId integer, "
567  "objectPermissionsType integer, "
568  "objectPermissions integer, "
569  "objectOwnerId integer, UNIQUE(roleName, objectPermissionsType, dbId, "
570  "objectId))");
571 
572  // get the list of databases and their grantees
573  sqliteConnector_->query(
574  "SELECT userid, dbid FROM mapd_privileges WHERE select_priv = 1 and insert_priv "
575  "= 1");
576  size_t numRows = sqliteConnector_->getNumRows();
577  vector<pair<int, int>> db_grantees(numRows);
578  for (size_t i = 0; i < numRows; ++i) {
579  db_grantees[i].first = sqliteConnector_->getData<int>(i, 0);
580  db_grantees[i].second = sqliteConnector_->getData<int>(i, 1);
581  }
582  // map user names to user ids
583  sqliteConnector_->query("select userid, name from mapd_users");
584  numRows = sqliteConnector_->getNumRows();
585  std::unordered_map<int, string> users_by_id;
586  std::unordered_map<int, bool> user_has_privs;
587  for (size_t i = 0; i < numRows; ++i) {
588  users_by_id[sqliteConnector_->getData<int>(i, 0)] =
589  sqliteConnector_->getData<string>(i, 1);
590  user_has_privs[sqliteConnector_->getData<int>(i, 0)] = false;
591  }
592  // map db names to db ids
593  sqliteConnector_->query("select dbid, name from mapd_databases");
594  numRows = sqliteConnector_->getNumRows();
595  std::unordered_map<int, string> dbs_by_id;
596  for (size_t i = 0; i < numRows; ++i) {
597  dbs_by_id[sqliteConnector_->getData<int>(i, 0)] =
598  sqliteConnector_->getData<string>(i, 1);
599  }
600  // migrate old privileges to new privileges: if user had insert access to database, he
601  // was a grantee
602  for (const auto& grantee : db_grantees) {
603  user_has_privs[grantee.first] = true;
604  auto dbName = dbs_by_id[grantee.second];
605  {
606  // table level permissions
608  DBObjectKey key{type, grantee.second};
609  DBObject object(
612  sqliteConnector_, users_by_id[grantee.first], true, object);
613  }
614 
615  {
616  // dashboard level permissions
618  DBObjectKey key{type, grantee.second};
619  DBObject object(dbName,
620  type,
621  key,
625  sqliteConnector_, users_by_id[grantee.first], true, object);
626  }
627 
628  {
629  // view level permissions
631  DBObjectKey key{type, grantee.second};
632  DBObject object(
635  sqliteConnector_, users_by_id[grantee.first], true, object);
636  }
637  }
638  for (auto user : user_has_privs) {
639  auto dbName = dbs_by_id[0];
640  if (user.second == false && user.first != shared::kRootUserId) {
641  {
643  DBObjectKey key{type, 0};
646  sqliteConnector_, users_by_id[user.first], true, object);
647  }
648  }
649  }
650  } catch (const std::exception&) {
651  sqliteConnector_->query("ROLLBACK TRANSACTION");
652  throw;
653  }
654  sqliteConnector_->query("END TRANSACTION");
655 }
const int kRootUserId
static const AccessPrivileges ALL_TABLE_MIGRATE
Definition: DBObject.h:156
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, const DBObject &object)
Definition: SysCatalog.cpp:514
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
static const AccessPrivileges ALL_DASHBOARD_MIGRATE
Definition: DBObject.h:168
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
static const AccessPrivileges NONE
Definition: DBObject.h:148
static const AccessPrivileges ALL_VIEW_MIGRATE
Definition: DBObject.h:176

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

std::string Catalog_Namespace::SysCatalog::name ( ) const
inline

Definition at line 358 of file SysCatalog.h.

References shared::kSystemCatalogName.

Referenced by alterUser(), buildRoleMapUnlocked(), createUser(), and Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users().

358 { return shared::kSystemCatalogName; }
const std::string kSystemCatalogName

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::populateRoleDbObjects ( const std::vector< DBObject > &  objects)

Definition at line 2734 of file SysCatalog.cpp.

References CHECK, getMetadataForUserById(), getUserGrantee(), Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::insertOrUpdateObjectPrivileges(), sqliteConnector_, and Catalog_Namespace::UserMetadata::userName.

Referenced by Catalog_Namespace::Catalog::recordOwnershipOfObjectsInObjectPermissions().

2734  {
2735  sys_write_lock write_lock(this);
2736  sys_sqlite_lock sqlite_lock(this);
2737  sqliteConnector_->query("BEGIN TRANSACTION");
2738  try {
2739  for (auto dbobject : objects) {
2740  UserMetadata user;
2741  CHECK(getMetadataForUserById(dbobject.getOwner(), user));
2742  auto* grantee = getUserGrantee(user.userName);
2743  if (grantee) {
2745  sqliteConnector_, grantee->getName(), true, dbobject);
2746  grantee->grantPrivileges(dbobject);
2747  }
2748  }
2749 
2750  } catch (const std::exception& e) {
2751  sqliteConnector_->query("ROLLBACK TRANSACTION");
2752  throw;
2753  }
2754  sqliteConnector_->query("END TRANSACTION");
2755 }
heavyai::unique_lock< heavyai::shared_mutex > write_lock
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
void insertOrUpdateObjectPrivileges(std::unique_ptr< SqliteConnector > &sqliteConnector, std::string roleName, bool userRole, const DBObject &object)
Definition: SysCatalog.cpp:514
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
User * getUserGrantee(const std::string &name) const
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
#define CHECK(condition)
Definition: Logger.h:291

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::reassignObjectOwners ( const std::map< int32_t, std::vector< DBObject >> &  old_owner_db_objects,
int32_t  new_owner_id,
const Catalog_Namespace::Catalog catalog 
)

Reassigns database object ownership from a set of users (old owners) to another user (new owner).

Parameters
old_owner_db_objects- map of user ids and database objects whose ownership will be reassigned
new_owner_id- id of user who will own reassigned database objects
catalog- catalog for database where ownership reassignment occurred

Definition at line 3069 of file SysCatalog.cpp.

References CHECK, shared::contains(), Catalog_Namespace::Catalog::getDatabaseId(), getMetadataForUserById(), grantDBObjectPrivilegesBatch_unsafe(), granteeMap_, Catalog_Namespace::UserMetadata::isSuper, objectDescriptorMap_, rebuildObjectMapsUnlocked(), revokeDBObjectPrivilegesBatch_unsafe(), sqliteConnector_, to_string(), and Catalog_Namespace::UserMetadata::userName.

3072  {
3073  sys_write_lock write_lock(this);
3074  sys_sqlite_lock sqlite_lock(this);
3075 
3076  sqliteConnector_->query("BEGIN TRANSACTION");
3077  try {
3078  UserMetadata new_owner;
3079  CHECK(getMetadataForUserById(new_owner_id, new_owner));
3080  for (const auto& [old_owner_id, db_objects] : old_owner_db_objects) {
3081  UserMetadata old_owner;
3082  CHECK(getMetadataForUserById(old_owner_id, old_owner));
3083  if (!old_owner.isSuper) {
3084  revokeDBObjectPrivilegesBatch_unsafe({old_owner.userName}, db_objects, catalog);
3085  }
3086  if (!new_owner.isSuper) {
3087  grantDBObjectPrivilegesBatch_unsafe({new_owner.userName}, db_objects, catalog);
3088  }
3089  }
3090 
3091  std::set<int32_t> old_owner_ids;
3092  for (const auto& [old_owner_id, db_objects] : old_owner_db_objects) {
3093  old_owner_ids.emplace(old_owner_id);
3094  }
3095 
3096  auto db_id = catalog.getDatabaseId();
3097  for (const auto old_user_id : old_owner_ids) {
3098  sqliteConnector_->query_with_text_params(
3099  "UPDATE mapd_object_permissions SET objectOwnerId = ? WHERE objectOwnerId = ? "
3100  "AND dbId = ? AND objectId != -1",
3101  std::vector<std::string>{std::to_string(new_owner_id),
3102  std::to_string(old_user_id),
3103  std::to_string(db_id)});
3104  }
3105 
3106  for (const auto& [user_or_role, grantee] : granteeMap_) {
3107  grantee->reassignObjectOwners(old_owner_ids, new_owner_id, db_id);
3108  }
3109 
3110  for (const auto& [object_key, object_descriptor] : objectDescriptorMap_) {
3111  if (object_descriptor->objectId != -1 && object_descriptor->dbId == db_id &&
3112  shared::contains(old_owner_ids, object_descriptor->objectOwnerId)) {
3113  object_descriptor->objectOwnerId = new_owner_id;
3114  }
3115  }
3116  } catch (std::exception& e) {
3117  sqliteConnector_->query("ROLLBACK TRANSACTION");
3119  throw;
3120  }
3121  sqliteConnector_->query("END TRANSACTION");
3122 }
bool contains(const T &container, const U &element)
Definition: misc.h:195
void revokeDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507
heavyai::unique_lock< heavyai::shared_mutex > write_lock
bool getMetadataForUserById(const int32_t idIn, UserMetadata &user)
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
int getDatabaseId() const
Definition: Catalog.h:304
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
void grantDBObjectPrivilegesBatch_unsafe(const std::vector< std::string > &grantees, const std::vector< DBObject > &objects, const Catalog_Namespace::Catalog &catalog)
#define CHECK(condition)
Definition: Logger.h:291

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::rebuildObjectMapsUnlocked ( )
private

Definition at line 3181 of file SysCatalog.cpp.

References buildObjectDescriptorMapUnlocked(), buildRoleMapUnlocked(), granteeMap_, and objectDescriptorMap_.

Referenced by reassignObjectOwners(), and runUpdateQueriesAndChangeOwnership().

3181  {
3182  // Rebuild updated maps from storage
3183  granteeMap_.clear();
3185  objectDescriptorMap_.clear();
3187 }
ObjectRoleDescriptorMap objectDescriptorMap_
Definition: SysCatalog.h:507

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::recordExecutedMigration ( const std::string &  migration_name) const
private

Definition at line 3156 of file SysCatalog.cpp.

References createVersionHistoryTable(), hasVersionHistoryTable(), MAPD_VERSION, sqliteConnector_, and to_string().

Referenced by checkDuplicateCaseInsensitiveDbNames(), and initializeInformationSchemaDb().

3156  {
3157  if (!hasVersionHistoryTable()) {
3159  }
3160  sys_sqlite_lock sqlite_lock(this);
3161  sqliteConnector_->query_with_text_params(
3162  "INSERT INTO mapd_version_history(version, migration_history) values(?, ?)",
3163  std::vector<std::string>{std::to_string(MAPD_VERSION), migration_name});
3164 }
std::string to_string(char const *&&v)
bool hasVersionHistoryTable() const
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
static const int32_t MAPD_VERSION
Definition: release.h:32
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
void createVersionHistoryTable() const

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::removeCatalog ( const std::string &  dbName)

Definition at line 3065 of file SysCatalog.cpp.

References cat_map_, and to_upper().

Referenced by createDatabase(), dropDatabase(), and renameDatabase().

3065  {
3066  cat_map_.erase(to_upper(dbName));
3067 }
std::string to_upper(const std::string &str)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::renameDatabase ( std::string const &  old_name,
std::string const &  new_name 
)

Definition at line 1422 of file SysCatalog.cpp.

References DatabaseDBObjectType, Catalog_Namespace::CommonFileOperations::duplicateAndRenameCatalog(), getMetadataForDB(), shared::kSystemCatalogName, removeCatalog(), Catalog_Namespace::CommonFileOperations::removeCatalogByFullPath(), sqliteConnector_, to_string(), to_upper(), and yieldTransactionStreamer().

Referenced by AlterDatabaseCommand::rename().

1423  {
1424  using namespace std::string_literals;
1425  sys_write_lock write_lock(this);
1426  sys_sqlite_lock sqlite_lock(this);
1427 
1428  DBMetadata new_db;
1429  if (getMetadataForDB(new_name, new_db)) {
1430  throw std::runtime_error("Database " + new_name + " already exists.");
1431  }
1432  if (to_upper(new_name) == to_upper(shared::kSystemCatalogName)) {
1433  throw std::runtime_error("Database name " + new_name + "is reserved.");
1434  }
1435 
1436  DBMetadata old_db;
1437  if (!getMetadataForDB(old_name, old_db)) {
1438  throw std::runtime_error("Database " + old_name + " does not exists.");
1439  }
1440 
1441  removeCatalog(old_db.dbName);
1442 
1443  std::string old_catalog_path, new_catalog_path;
1444  std::tie(old_catalog_path, new_catalog_path) =
1445  duplicateAndRenameCatalog(old_db.dbName, new_name);
1446 
1447  auto transaction_streamer = yieldTransactionStreamer();
1448  auto failure_handler = [this, new_catalog_path] {
1449  removeCatalogByFullPath(new_catalog_path);
1450  };
1451  auto success_handler = [this, old_catalog_path] {
1452  removeCatalogByFullPath(old_catalog_path);
1453  };
1454 
1455  auto q1 = {
1456  "UPDATE mapd_databases SET name=?1 WHERE name=?2;"s, new_name, old_db.dbName};
1457  auto q2 = {
1458  "UPDATE mapd_object_permissions SET objectName=?1 WHERE objectNAME=?2 and (objectPermissionsType=?3 or objectId = -1) and dbId=?4;"s,
1459  new_name,
1460  old_db.dbName,
1462  std::to_string(old_db.dbId)};
1463 
1464  transaction_streamer(sqliteConnector_, success_handler, failure_handler, q1, q2);
1465 }
auto duplicateAndRenameCatalog(std::string const &current_name, std::string const &new_name)
Definition: SysCatalog.cpp:174
void removeCatalog(const std::string &dbName)
const std::string kSystemCatalogName
heavyai::unique_lock< heavyai::shared_mutex > write_lock
std::string to_string(char const *&&v)
sqlite_lock< SysCatalog > sys_sqlite_lock
Definition: SysCatalog.cpp:154
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
std::unique_ptr< SqliteConnector > sqliteConnector_
Definition: SysCatalog.h:508
std::string to_upper(const std::string &str)
void removeCatalogByFullPath(std::string const &full_path)
Definition: SysCatalog.cpp:166
bool getMetadataForDB(const std::string &name, DBMetadata &db)

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Catalog_Namespace::SysCatalog::renameDBObject ( const std::string &  objectName,
const std::string &  newName,
DBObjectType  type,
int32_t  objectId,
const Catalog_Namespace::Catalog catalog 
)

Renames an DBObject

Parameters
objectName- original DBObject name
newName- new name of DBObject
type- type of DBObject
objectId- original DBObject ID
catalog- Catalog instance object exists in

Definition at line 1926 of file SysCatalog.cpp.

References DBObjectKey::dbId, Catalog_Namespace::DBMetadata::dbId, Catalog_Namespace::Catalog::getCurrentDB(), getGrantee(), getMetadataForObject(), DBObjectKey::objectId, DBObjectKey::permissionType, Grantee::renameDbObject(), renameObjectsInDescriptorMap(), DBObject::setObjectKey(), and run_benchmark_import::type.

1930  {
1931  sys_write_lock write_lock(this);
1932  DBObject new_object(newName, type);
1933  DBObjectKey key;
1934  key.dbId = catalog.getCurrentDB().dbId;
1935  key.objectId = objectId;
1936  key.permissionType = type;
1937  new_object.setObjectKey(key);
1938  auto objdescs =
1939  getMetadataForObject(key.dbId, static_cast<int32_t>(type), key.objectId);
1940  for (auto obj : objdescs) {
1941  Grantee* grnt = getGrantee(obj->roleName);
1942  if (grnt) {
1943  grnt->renameDbObject(new_object);
1944  }
1945  }
1946  renameObjectsInDescriptorMap(new_object, catalog);
1947 }
Grantee * getGrantee(const std::string &name) const
int32_t objectId
Definition: DBObject.h:55
heavyai::unique_lock< heavyai::shared_mutex > write_lock
const DBMetadata & getCurrentDB() const
Definition: Catalog.h:248
void renameObjectsInDescriptorMap(DBObject &object, const Catalog_Namespace::Catalog &cat)
write_lock< SysCatalog > sys_write_lock
Definition: SysCatalog.cpp:153
int32_t dbId
Definition: DBObject.h:54
int32_t permissionType
Definition: DBObject.h:53
std::vector< ObjectRoleDescriptor * > getMetadataForObject(int32_t dbId, int32_t dbType, int32_t objectId) const
virtual void renameDbObject(const DBObject &object)
Definition: Grantee.cpp:121

+ Here is the call graph for this function:

void Catalog_Namespace::SysCatalog::renameObjectsInDescriptorMap ( DBObject object,
const Catalog_Namespace::Catalog cat 
)