OmniSciDB  72c90bc290
Grantee Class Reference (abstract)

#include <Grantee.h>


Public Member Functions

 Grantee (const std::string &name)
 
virtual ~Grantee ()
 
virtual bool isUser () const =0
 
virtual void grantPrivileges (const DBObject &object)
 
virtual DBObject * revokePrivileges (const DBObject &object)
 
virtual void grantRole (Role *role)
 
virtual void revokeRole (Role *role)
 
virtual bool hasAnyPrivileges (const DBObject &objectRequested, bool only_direct) const
 
virtual bool checkPrivileges (const DBObject &objectRequested) const
 
virtual void updatePrivileges ()
 
virtual void updatePrivileges (Role *role)
 
virtual void revokeAllOnDatabase (int32_t dbId)
 
virtual void renameDbObject (const DBObject &object)
 
void getPrivileges (DBObject &object, bool only_direct)
 
DBObject * findDbObject (const DBObjectKey &objectKey, bool only_direct) const
 
bool hasAnyPrivilegesOnDb (int32_t dbId, bool only_direct) const
 
const std::string & getName () const
 
void setName (const std::string &name)
 
std::vector< std::string > getRoles (bool only_direct=true) const
 
bool hasRole (Role *role, bool only_direct) const
 
const DBObjectMap * getDbObjects (bool only_direct) const
 
void checkCycles (Role *newRole)
 
void reassignObjectOwners (const std::set< int32_t > &old_owner_ids, int32_t new_owner_id, int32_t db_id)
 
void reassignObjectOwner (DBObjectKey &object_key, int32_t new_owner_id)
 

Protected Attributes

std::string name_
 
std::unordered_set< Role * > roles_
 
DBObjectMap effectivePrivileges_
 
DBObjectMap directPrivileges_
 

Private Types

using DBObjectMap = std::map< DBObjectKey, std::unique_ptr< DBObject >>
 

Detailed Description

Definition at line 32 of file Grantee.h.

Member Typedef Documentation

using Grantee::DBObjectMap = std::map<DBObjectKey, std::unique_ptr<DBObject>>
private

Definition at line 33 of file Grantee.h.

Constructor & Destructor Documentation

Grantee::Grantee ( const std::string &  name)

Definition at line 26 of file Grantee.cpp.

// Constructor body as rendered: the member-initializer list sets only name_ from the argument.
26 : name_(name) {}
std::string name_
Definition: Grantee.h:67
string name
Definition: setup.in.py:72
Grantee::~Grantee ( )
virtual

Definition at line 28 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

// Destructor: unregisters this grantee from every role it holds, then empties its own containers.
28  {
29  for (auto role : roles_) {
30  role->removeGrantee(this);  // presumably so the role keeps no pointer to a destroyed grantee
31  }
     // NOTE(review): roles_ stores raw Role* and each one is dereferenced above; this assumes
     // every role is still alive when the destructor runs — confirm the owner's teardown order.
32  effectivePrivileges_.clear();
33  directPrivileges_.clear();
34  roles_.clear();
35 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
std::unordered_set< Role * > roles_
Definition: Grantee.h:68
DBObjectMap directPrivileges_
Definition: Grantee.h:72

Member Function Documentation

void Grantee::checkCycles ( Role * newRole)

Definition at line 310 of file Grantee.cpp.

References CHECK, Role::getGrantees(), and getName().

Referenced by grantRole().

// Rejects a role grant that would make the grantee graph cyclic.
// Starting from this grantee, walks everything reachable through Role::getGrantees()
// with an explicit stack and throws runtime_error if newRole is found among them.
310  {
311  std::stack<Grantee*> grantees;
312  grantees.push(this);
313  while (!grantees.empty()) {
314  auto* grantee = grantees.top();
315  grantees.pop();
316  if (!grantee->isUser()) {  // users are never expanded; only the role branch pushes more work
317  Role* r = dynamic_cast<Role*>(grantee);
318  CHECK(r);  // a grantee that is not a user is expected to be a Role
319  if (r == newRole) {  // pointer identity: newRole already holds this grantee, directly or transitively
320  throw runtime_error("Granting role " + newRole->getName() + " to " + getName() +
321  " creates cycle in grantee graph.");
322  }
323  for (auto g : r->getGrantees()) {
324  grantees.push(g);
325  }
326  }
327  }
     // NOTE(review): there is no visited set, so a grantee reachable by several paths is
     // expanded once per path; termination relies on the existing graph being acyclic.
328 }
Definition: Grantee.h:81
const std::string & getName() const
Definition: Grantee.h:52
std::vector< Grantee * > getGrantees() const
Definition: Grantee.cpp:389
#define CHECK(condition)
Definition: Logger.h:291


bool Grantee::checkPrivileges ( const DBObject & objectRequested) const
virtual

Definition at line 231 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasEnoughPrivs(), and DBObjectKey::objectId.

// Authorization check against the effective privileges (only_direct is always false here).
// Tries up to three keys in order and returns true on the first one for which
// hasEnoughPrivs() accepts the stored entry: the exact key, the key with objectId = -1,
// then the key with dbId = -1 as well. Returns false if none matches.
// NOTE(review): -1 looks like a "covers everything at this level" marker, so a grant stored
// under a -1 key satisfies requests for any more specific object — confirm against DBObjectKey.
231  {
232  DBObjectKey objectKey = objectRequested.getObjectKey();  // local copy; the edits below do not touch the request
     // findDbObject() returns nullptr when there is no entry; hasEnoughPrivs() is not shown
     // on this page, so it is assumed to treat nullptr as "no privileges" — TODO confirm.
233  if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
234  return true;
235  }
236 
237  // if we have an object associated -> ignore it and retry with objectId = -1
238  if (objectKey.objectId != -1) {
239  objectKey.objectId = -1;
240  if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
241  return true;
242  }
243  }
244 
245  // if we have a database associated -> ignore it too (objectId is already -1 at this point)
246  if (objectKey.dbId != -1) {
247  objectKey.dbId = -1;
248  if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
249  return true;
250  }
251  }
252  return false;  // deny by default: no lookup produced a sufficient entry
253 }
DBObjectKey getObjectKey() const
Definition: DBObject.h:221
int32_t objectId
Definition: DBObject.h:55
static bool hasEnoughPrivs(const DBObject *real, const DBObject *requested)
Definition: Grantee.cpp:187
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
int32_t dbId
Definition: DBObject.h:54


DBObject * Grantee::findDbObject ( const DBObjectKey & objectKey,
bool  only_direct 
) const

Definition at line 85 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by checkPrivileges(), Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), getPrivileges(), grantPrivileges(), DBHandler::has_object_privilege(), hasAnyPrivileges(), revokePrivileges(), updatePrivileges(), and Catalog_Namespace::SysCatalog::verifyDBObjectOwnership().

// Looks up objectKey in the direct map (only_direct == true) or the effective map (false).
// Returns a non-owning pointer to the stored DBObject, or nullptr when the key is absent.
// The map keeps ownership through std::unique_ptr, so the pointer is only valid until that
// entry is erased. The method is const but hands back a mutable DBObject*, so callers can
// change the stored privileges through it.
85  {
86  const DBObjectMap& privs = only_direct ? directPrivileges_ : effectivePrivileges_;
87  DBObject* dbObject = nullptr;
88  auto dbObjectIt = privs.find(objectKey);  // exact key match only; no -1 fallback at this level
89  if (dbObjectIt != privs.end()) {
90  dbObject = dbObjectIt->second.get();
91  }
92  return dbObject;
93 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
std::map< DBObjectKey, std::unique_ptr< DBObject >> DBObjectMap
Definition: Grantee.h:33
DBObjectMap directPrivileges_
Definition: Grantee.h:72


const DBObjectMap* Grantee::getDbObjects ( bool  only_direct) const
inline

Definition at line 56 of file Grantee.h.

References directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), and updatePrivileges().

// Returns the address of the direct map (only_direct == true) or the effective map (false).
// The result points at a member of this object and is never null; it is const, but the
// DBObjects held by the map's unique_ptr values are not const through it.
56  {
57  return only_direct ? &directPrivileges_ : &effectivePrivileges_;
58  }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
DBObjectMap directPrivileges_
Definition: Grantee.h:72


const std::string& Grantee::getName ( ) const
inline

Definition at line 52 of file Grantee.h.

References name_.

Referenced by Role::addGrantee(), checkCycles(), getPrivileges(), grantRole(), Role::removeGrantee(), renameDbObject(), and revokePrivileges().

// Accessor: returns a const reference to name_, valid for as long as this grantee exists.
52 { return name_; }
std::string name_
Definition: Grantee.h:67


void Grantee::getPrivileges ( DBObject & object,
bool  only_direct 
)

Definition at line 76 of file Grantee.cpp.

References findDbObject(), and getName().

// Fills `object` with the privileges this grantee holds on object's key, read from the
// direct or effective map according to only_direct.
// Throws runtime_error when the chosen map has no entry for that exact key.
76  {
77  auto dbObject = findDbObject(object.getObjectKey(), only_direct);
78  if (!dbObject) { // not found
79  throw runtime_error("Can not get privileges because " + getName() +
80  " has no privileges to " + object.getName());
81  }
82  object.grantPrivileges(*dbObject);  // applies the stored entry's privileges to the caller's object
83 }
const std::string & getName() const
Definition: Grantee.h:52
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85


std::vector< std::string > Grantee::getRoles ( bool  only_direct = true) const

Definition at line 37 of file Grantee.cpp.

// Returns the names of the roles granted to this grantee, sorted and de-duplicated.
// With only_direct == true just the roles in this grantee's own roles_ are listed;
// otherwise the walk continues through the roles held by those roles.
37  {
38  std::set<std::string> roles; // Sorted for human readers.
39  std::stack<const Grantee*> g;
40  g.push(this);
41  while (!g.empty()) {
42  auto r = g.top();
43  g.pop();
44  for (auto direct_role : r->roles_) {
45  g.push(direct_role);
46  roles.insert(direct_role->getName());
47  }
48  if (only_direct) {  // stop after the first iteration, which handled `this`
49  break;
50  }
51  }
     // NOTE(review): no visited set; a role reachable by several paths is walked again, and
     // the std::set removes the duplicate names. Termination relies on an acyclic role graph.
52  return std::vector(roles.begin(), roles.end());
53 }
void Grantee::grantPrivileges ( const DBObject & object)
virtual

Definition at line 105 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), and updatePrivileges().

Referenced by Catalog_Namespace::SysCatalog::createDBObject().

// Records a grant on `object` in both maps: first the effective privileges, then the direct
// ones. A missing entry is created as a copy of `object`; an existing entry has object's
// privileges added to it.
105  {
106  auto* dbObject = findDbObject(object.getObjectKey(), false);
107  if (!dbObject) { // not found
108  effectivePrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
109  } else { // found
110  dbObject->grantPrivileges(object);
111  }
112  dbObject = findDbObject(object.getObjectKey(), true);
113  if (!dbObject) { // not found
114  directPrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
115  } else { // found
116  dbObject->grantPrivileges(object);
117  }
     // NOTE(review): listing line 118 is missing from this rendering. The References list for
     // this function names updatePrivileges(), so that call presumably belongs here — confirm
     // against Grantee.cpp.
119 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
DBObjectMap directPrivileges_
Definition: Grantee.h:72


void Grantee::grantRole ( Role * role)
virtual

Definition at line 163 of file Grantee.cpp.

References Role::addGrantee(), checkCycles(), getName(), name_, roles_, and updatePrivileges().

// Grants `role` to this grantee. Throws runtime_error if the role is already held or if
// checkCycles() finds that the grant would create a cycle; both checks run before any
// state is changed, so a rejected grant leaves roles_ untouched.
163  {
164  bool found = false;
165  for (const auto* granted_role : roles_) {  // pointer comparison against each role already held
166  if (role == granted_role) {
167  found = true;
168  break;
169  }
170  }
171  if (found) {
172  throw runtime_error("Role " + role->getName() + " have been granted to " + name_ +
173  " already.");
174  }
175  checkCycles(role);
176  roles_.insert(role);
177  role->addGrantee(this);  // keep the role's grantee list in step with roles_
     // NOTE(review): listing line 178 is missing from this rendering. The References list for
     // this function names updatePrivileges(), so that call presumably belongs here — confirm
     // against Grantee.cpp.
179 }
virtual void updatePrivileges()
Definition: Grantee.cpp:268
virtual void addGrantee(Grantee *grantee)
Definition: Grantee.cpp:371
const std::string & getName() const
Definition: Grantee.h:52
std::unordered_set< Role * > roles_
Definition: Grantee.h:68
void checkCycles(Role *newRole)
Definition: Grantee.cpp:310
std::string name_
Definition: Grantee.h:67


bool Grantee::hasAnyPrivileges ( const DBObject & objectRequested,
bool  only_direct 
) const
virtual

Definition at line 207 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasAnyPrivs(), and DBObjectKey::objectId.

// Returns true if this grantee holds any privilege relevant to objectRequested, looking in
// the direct or effective map according to only_direct. Uses the same three-step key
// fallback as checkPrivileges(): exact key, then objectId = -1, then dbId = -1 as well.
// NOTE(review): hasAnyPrivs() is declared on this page with its second parameter unnamed,
// so objectRequested appears to contribute only its key to the result — confirm.
207  {
208  DBObjectKey objectKey = objectRequested.getObjectKey();  // local copy; the request itself is not modified
209  if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
210  return true;
211  }
212 
213  // if we have an object associated -> ignore it and retry with objectId = -1
214  if (objectKey.objectId != -1) {
215  objectKey.objectId = -1;
216  if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
217  return true;
218  }
219  }
220 
221  // if we have a database associated -> ignore it too (objectId is already -1 at this point)
222  if (objectKey.dbId != -1) {
223  objectKey.dbId = -1;
224  if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
225  return true;
226  }
227  }
228  return false;
229 }
DBObjectKey getObjectKey() const
Definition: DBObject.h:221
int32_t objectId
Definition: DBObject.h:55
static bool hasAnyPrivs(const DBObject *real, const DBObject *)
Definition: Grantee.cpp:199
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
int32_t dbId
Definition: DBObject.h:54


bool Grantee::hasAnyPrivilegesOnDb ( int32_t  dbId,
bool  only_direct 
) const

Definition at line 95 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users().

// Returns true if the chosen map (direct or effective) holds at least one entry whose
// object key carries exactly this dbId. Linear scan over the map.
// Entries stored with dbId == -1 match only when the caller passes -1.
95  {
96  const DBObjectMap& privs = only_direct ? directPrivileges_ : effectivePrivileges_;
97  for (const auto& priv : privs) {
98  if (priv.second->getObjectKey().dbId == dbId) {  // reads the key from the stored object, not from the map key
99  return true;
100  }
101  }
102  return false;
103 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
std::map< DBObjectKey, std::unique_ptr< DBObject >> DBObjectMap
Definition: Grantee.h:33
DBObjectMap directPrivileges_
Definition: Grantee.h:72


bool Grantee::hasRole ( Role * role,
bool  only_direct 
) const

Definition at line 55 of file Grantee.cpp.

References roles_.

Referenced by Catalog_Namespace::SysCatalog::isRoleGrantedToGrantee().

// Tests role membership by pointer identity.
// only_direct == true: true only if `role` is in this grantee's own roles_.
// only_direct == false: walks the roles held by this grantee and, transitively, by those roles.
55  {
56  if (only_direct) {
57  return roles_.find(role) != roles_.end();
58  } else {
59  std::stack<const Grantee*> roles;
60  roles.push(this);  // the walk starts at this grantee, so `this == role` also yields true
61  while (!roles.empty()) {
62  auto r = roles.top();
63  roles.pop();
64  if (r == role) {
65  return true;
66  } else {
67  for (auto granted_role : r->roles_) {
68  roles.push(granted_role);
69  }
70  }
71  }
     // NOTE(review): no visited set; termination relies on the role graph being acyclic.
72  return false;
73  }
74 }
std::unordered_set< Role * > roles_
Definition: Grantee.h:68


virtual bool Grantee::isUser ( ) const
pure virtual

Implemented in Role, and User.

void Grantee::reassignObjectOwner ( DBObjectKey & object_key,
int32_t  new_owner_id 
)

Definition at line 348 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

// Sets the owner to new_owner_id on every stored DBObject whose key equals object_key,
// in both the effective and the direct map. Does nothing if neither map has the key.
// Each map is scanned linearly and compared with ==; no map lookup is used.
348  {
349  for (const auto& [grantee_object_key, object] : effectivePrivileges_) {
350  if (grantee_object_key == object_key) {
351  object->setOwner(new_owner_id);  // `object` is a const unique_ptr reference; the DBObject it owns is still mutable
352  }
353  }
354 
355  for (const auto& [grantee_object_key, object] : directPrivileges_) {
356  if (grantee_object_key == object_key) {
357  object->setOwner(new_owner_id);
358  }
359  }
360 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
DBObjectMap directPrivileges_
Definition: Grantee.h:72
void Grantee::reassignObjectOwners ( const std::set< int32_t > &  old_owner_ids,
int32_t  new_owner_id,
int32_t  db_id 
)

Definition at line 330 of file Grantee.cpp.

References shared::contains(), directPrivileges_, and effectivePrivileges_.

// Bulk ownership transfer inside one database: in both maps, every entry with a concrete
// objectId (not -1), dbId == db_id and a current owner listed in old_owner_ids gets
// new_owner_id as its owner. Entries keyed with objectId == -1 are left alone.
332  {
333  for (const auto& [object_key, object] : effectivePrivileges_) {
334  if (object_key.objectId != -1 && object_key.dbId == db_id &&
335  shared::contains(old_owner_ids, object->getOwner())) {
336  object->setOwner(new_owner_id);
337  }
338  }
339 
340  for (const auto& [object_key, object] : directPrivileges_) {
341  if (object_key.objectId != -1 && object_key.dbId == db_id &&
342  shared::contains(old_owner_ids, object->getOwner())) {
343  object->setOwner(new_owner_id);
344  }
345  }
346 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
bool contains(const T &container, const U &element)
Definition: misc.h:195
DBObjectMap directPrivileges_
Definition: Grantee.h:72


void Grantee::renameDbObject ( const DBObject & object)
virtual

Reimplemented in Role.

Definition at line 121 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and getName().

Referenced by Role::renameDbObject(), Catalog_Namespace::SysCatalog::renameDBObject(), Catalog_Namespace::Catalog::renameTable(), and Catalog_Namespace::Catalog::renameTables().

// Copies object's name onto the stored entries with the same key, in the direct map and
// in the effective map. A map without that key is left unchanged; nothing is inserted.
121  {
122  // rename direct and effective objects
123  auto directIt = directPrivileges_.find(object.getObjectKey());
124  if (directIt != directPrivileges_.end()) {
125  directIt->second->setName(object.getName());
126  }
127 
128  auto effectiveIt = effectivePrivileges_.find(object.getObjectKey());
129  if (effectiveIt != effectivePrivileges_.end()) {
130  effectiveIt->second->setName(object.getName());
131  }
132 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
const std::string & getName() const
Definition: Grantee.h:52
DBObjectMap directPrivileges_
Definition: Grantee.h:72


void Grantee::revokeAllOnDatabase ( int32_t  dbId)
virtual

Reimplemented in Role.

Definition at line 296 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and updatePrivileges().

Referenced by Role::revokeAllOnDatabase(), and Catalog_Namespace::SysCatalog::revokeAllOnDatabase_unsafe().

// Removes every entry whose key has this dbId from both the effective and the direct map.
// Only an exact dbId match is erased; entries keyed with a different dbId (including -1)
// stay in place.
296  {
297  std::vector<DBObjectMap*> sources = {&effectivePrivileges_, &directPrivileges_};
298  for (auto privs : sources) {
299  for (auto iter = privs->begin(); iter != privs->end();) {
300  if (iter->first.dbId == dbId) {
301  iter = privs->erase(iter);  // erase returns the next valid iterator, so the loop does not advance here
302  } else {
303  ++iter;
304  }
305  }
306  }
     // NOTE(review): listing line 307 is missing from this rendering. The References list for
     // this function names updatePrivileges(), so that call presumably belongs here — confirm
     // against Grantee.cpp.
308 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
DBObjectMap directPrivileges_
Definition: Grantee.h:72


DBObject * Grantee::revokePrivileges ( const DBObject & object)
virtual

Definition at line 136 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), getName(), and updatePrivileges().

// Revokes object's privileges from this grantee's direct entry and from the effective entry.
// Throws runtime_error if there is no direct entry for the key or it holds no privileges.
// Returns the direct entry if privileges remain on it, or nullptr if the entry was erased.
136  {
137  auto dbObject = findDbObject(object.getObjectKey(), true);
138  if (!dbObject ||
139  !dbObject->getPrivileges().hasAny()) { // not found or has none of privileges set
140  throw runtime_error("Can not revoke privileges because " + getName() +
141  " has no privileges to " + object.getName());
142  }
143  bool object_removed = false;
144  dbObject->revokePrivileges(object);
145  if (!dbObject->getPrivileges().hasAny()) {
146  directPrivileges_.erase(object.getObjectKey());  // destroys the DBObject; dbObject dangles from here on
147  object_removed = true;
148  }
149 
150  auto* cachedDbObject = findDbObject(object.getObjectKey(), false);
151  if (cachedDbObject && cachedDbObject->getPrivileges().hasAny()) {
152  cachedDbObject->revokePrivileges(object);
153  if (!cachedDbObject->getPrivileges().hasAny()) {
154  effectivePrivileges_.erase(object.getObjectKey());
155  }
156  }
157 
     // NOTE(review): listing line 158 is missing from this rendering. The References list for
     // this function names updatePrivileges(), so that call presumably belongs here — confirm
     // against Grantee.cpp.
159 
160  return object_removed ? nullptr : dbObject;  // never hand back the pointer erased above
161 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
const std::string & getName() const
Definition: Grantee.h:52
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
DBObjectMap directPrivileges_
Definition: Grantee.h:72


void Grantee::revokeRole ( Role * role)
virtual

Definition at line 181 of file Grantee.cpp.

References Role::removeGrantee(), roles_, and updatePrivileges().

// Removes `role` from this grantee's role set and removes this grantee from the role.
// There is no check that the role was actually held: erase() is a no-op for an absent
// element and removeGrantee() is called either way.
181  {
182  roles_.erase(role);
183  role->removeGrantee(this);
     // NOTE(review): listing line 184 is missing from this rendering. The References list for
     // this function names updatePrivileges(), so that call presumably belongs here — confirm
     // against Grantee.cpp.
185 }
virtual void updatePrivileges()
Definition: Grantee.cpp:268
virtual void removeGrantee(Grantee *grantee)
Definition: Grantee.cpp:380
std::unordered_set< Role * > roles_
Definition: Grantee.h:68


void Grantee::setName ( const std::string &  name)
inline

Definition at line 53 of file Grantee.h.

References setup::name, and name_.

// Mutator: overwrites name_ with the given name; nothing else is updated here.
53 { name_ = name; }
std::string name_
Definition: Grantee.h:67
string name
Definition: setup.in.py:72
void Grantee::updatePrivileges ( )
virtual

Reimplemented in Role.

Definition at line 268 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

Referenced by grantPrivileges(), grantRole(), revokeAllOnDatabase(), revokePrivileges(), revokeRole(), and Role::updatePrivileges().

// Recomputes effectivePrivileges_ from scratch: reset every entry, re-apply the direct
// privileges, merge in each granted role's effective privileges, then erase the entries
// that ended up with no privileges.
268  {
269  // Zero out the effective privileges. DBObjects may still exist, but will be empty.
270  for (auto& dbObject : effectivePrivileges_) {
271  dbObject.second->resetPrivileges();
272  }
273  // Load this Grantee's direct privileges into its effective privileges.
274  for (auto it = directPrivileges_.begin(); it != directPrivileges_.end(); ++it) {
     // NOTE(review): a direct entry with no matching effective entry is skipped here, not
     // inserted. grantPrivileges() writes both maps, so the two are presumably always in
     // step — confirm, since a skipped entry would drop a direct grant from the effective set.
275  if (effectivePrivileges_.find(it->first) != effectivePrivileges_.end()) {
276  effectivePrivileges_[it->first]->updatePrivileges(*it->second);
277  }
278  }
279  // Load any other roles that we've been granted into the effective privileges.
280  for (auto role : roles_) {
281  if (role->getDbObjects(false)->size() > 0) {  // only roles whose effective map is non-empty
282  updatePrivileges(role);
283  }
284  }
285  // Free any DBObjects that are still empty in the effective privileges.
286  for (auto dbObjectIt = effectivePrivileges_.begin();
287  dbObjectIt != effectivePrivileges_.end();) {
288  if (!dbObjectIt->second->getPrivileges().hasAny()) {
289  dbObjectIt = effectivePrivileges_.erase(dbObjectIt);  // pointers from findDbObject() to this entry become invalid
290  } else {
291  ++dbObjectIt;
292  }
293  }
294 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
std::unordered_set< Role * > roles_
Definition: Grantee.h:68
DBObjectMap directPrivileges_
Definition: Grantee.h:72


void Grantee::updatePrivileges ( Role * role)
virtual

Definition at line 255 of file Grantee.cpp.

References effectivePrivileges_, findDbObject(), and getDbObjects().

// Merges one role's effective privileges into this grantee's effective privileges.
// Existing entries are updated in place; keys this grantee does not have yet are added
// as copies of the role's DBObject, so the two grantees never share an object.
255  {
256  for (auto& roleDbObject : *role->getDbObjects(false)) {  // false selects the role's effective map
257  auto dbObject = findDbObject(roleDbObject.first, false);
258  if (dbObject) { // found
259  dbObject->updatePrivileges(*roleDbObject.second);
260  } else { // not found
261  effectivePrivileges_[roleDbObject.first] =
262  boost::make_unique<DBObject>(*roleDbObject.second.get());
263  }
264  }
265 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
const DBObjectMap * getDbObjects(bool only_direct) const
Definition: Grantee.h:56


Member Data Documentation

std::string Grantee::name_
protected

Definition at line 67 of file Grantee.h.

Referenced by getName(), grantRole(), and setName().

std::unordered_set<Role*> Grantee::roles_
protected

Definition at line 68 of file Grantee.h.

Referenced by grantRole(), hasRole(), revokeRole(), updatePrivileges(), and ~Grantee().


The documentation for this class was generated from the following files: