OmniSciDB  d2f719934e
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Groups Pages
Grantee Class Referenceabstract

#include <Grantee.h>

+ Inheritance diagram for Grantee:
+ Collaboration diagram for Grantee:

Public Member Functions

 Grantee (const std::string &name)
 
virtual ~Grantee ()
 
virtual bool isUser () const =0
 
virtual void grantPrivileges (const DBObject &object)
 
virtual DBObjectrevokePrivileges (const DBObject &object)
 
virtual void grantRole (Role *role)
 
virtual void revokeRole (Role *role)
 
virtual bool hasAnyPrivileges (const DBObject &objectRequested, bool only_direct) const
 
virtual bool checkPrivileges (const DBObject &objectRequested) const
 
virtual void updatePrivileges ()
 
virtual void updatePrivileges (Role *role)
 
virtual void revokeAllOnDatabase (int32_t dbId)
 
virtual void renameDbObject (const DBObject &object)
 
void getPrivileges (DBObject &object, bool only_direct)
 
DBObjectfindDbObject (const DBObjectKey &objectKey, bool only_direct) const
 
bool hasAnyPrivilegesOnDb (int32_t dbId, bool only_direct) const
 
const std::string & getName () const
 
void setName (const std::string &name)
 
std::vector< std::string > getRoles (bool only_direct=true) const
 
bool hasRole (Role *role, bool only_direct) const
 
const DBObjectMapgetDbObjects (bool only_direct) const
 
void checkCycles (Role *newRole)
 
void reassignObjectOwners (const std::set< int32_t > &old_owner_ids, int32_t new_owner_id, int32_t db_id)
 
void reassignObjectOwner (DBObjectKey &object_key, int32_t new_owner_id)
 

Protected Attributes

std::string name_
 
std::unordered_set< Role * > roles_
 
DBObjectMap effectivePrivileges_
 
DBObjectMap directPrivileges_
 

Private Types

using DBObjectMap = std::map< DBObjectKey, std::unique_ptr< DBObject >>
 

Detailed Description

Definition at line 32 of file Grantee.h.

Member Typedef Documentation

using Grantee::DBObjectMap = std::map<DBObjectKey, std::unique_ptr<DBObject>>
private

Definition at line 33 of file Grantee.h.

Constructor & Destructor Documentation

Grantee::Grantee ( const std::string &  name)

Definition at line 26 of file Grantee.cpp.

26 : name_(name) {}
string name
Definition: setup.in.py:72
std::string name_
Definition: Grantee.h:67
Grantee::~Grantee ( )
virtual

Definition at line 28 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

28  {
29  for (auto role : roles_) {
30  role->removeGrantee(this);
31  }
32  effectivePrivileges_.clear();
33  directPrivileges_.clear();
34  roles_.clear();
35 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
std::unordered_set< Role * > roles_
Definition: Grantee.h:68
DBObjectMap directPrivileges_
Definition: Grantee.h:72

Member Function Documentation

void Grantee::checkCycles ( Role newRole)

Definition at line 306 of file Grantee.cpp.

References CHECK, Role::getGrantees(), and getName().

Referenced by grantRole().

306  {
307  std::stack<Grantee*> grantees;
308  grantees.push(this);
309  while (!grantees.empty()) {
310  auto* grantee = grantees.top();
311  grantees.pop();
312  if (!grantee->isUser()) {
313  Role* r = dynamic_cast<Role*>(grantee);
314  CHECK(r);
315  if (r == newRole) {
316  throw runtime_error("Granting role " + newRole->getName() + " to " + getName() +
317  " creates cycle in grantee graph.");
318  }
319  for (auto g : r->getGrantees()) {
320  grantees.push(g);
321  }
322  }
323  }
324 }
Definition: Grantee.h:81
const std::string & getName() const
Definition: Grantee.h:52
std::vector< Grantee * > getGrantees() const
Definition: Grantee.cpp:385
#define CHECK(condition)
Definition: Logger.h:211

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

bool Grantee::checkPrivileges ( const DBObject objectRequested) const
virtual

Definition at line 231 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasEnoughPrivs(), and DBObjectKey::objectId.

231  {
232  DBObjectKey objectKey = objectRequested.getObjectKey();
233  if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
234  return true;
235  }
236 
237  // if we have an object associated -> ignore it
238  if (objectKey.objectId != -1) {
239  objectKey.objectId = -1;
240  if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
241  return true;
242  }
243  }
244 
245  // if we have an
246  if (objectKey.dbId != -1) {
247  objectKey.dbId = -1;
248  if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
249  return true;
250  }
251  }
252  return false;
253 }
DBObjectKey getObjectKey() const
Definition: DBObject.h:223
int32_t objectId
Definition: DBObject.h:57
static bool hasEnoughPrivs(const DBObject *real, const DBObject *requested)
Definition: Grantee.cpp:187
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
int32_t dbId
Definition: DBObject.h:56

+ Here is the call graph for this function:

DBObject * Grantee::findDbObject ( const DBObjectKey objectKey,
bool  only_direct 
) const

Definition at line 85 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by checkPrivileges(), Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), getPrivileges(), grantPrivileges(), DBHandler::has_object_privilege(), hasAnyPrivileges(), revokePrivileges(), updatePrivileges(), and Catalog_Namespace::SysCatalog::verifyDBObjectOwnership().

85  {
86  const DBObjectMap& privs = only_direct ? directPrivileges_ : effectivePrivileges_;
87  DBObject* dbObject = nullptr;
88  auto dbObjectIt = privs.find(objectKey);
89  if (dbObjectIt != privs.end()) {
90  dbObject = dbObjectIt->second.get();
91  }
92  return dbObject;
93 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
std::map< DBObjectKey, std::unique_ptr< DBObject >> DBObjectMap
Definition: Grantee.h:33
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the caller graph for this function:

const DBObjectMap* Grantee::getDbObjects ( bool  only_direct) const
inline

Definition at line 56 of file Grantee.h.

References directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), and updatePrivileges().

56  {
57  return only_direct ? &directPrivileges_ : &effectivePrivileges_;
58  }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the caller graph for this function:

const std::string& Grantee::getName ( ) const
inline

Definition at line 52 of file Grantee.h.

References name_.

Referenced by Role::addGrantee(), checkCycles(), getPrivileges(), grantRole(), Role::removeGrantee(), renameDbObject(), and revokePrivileges().

52 { return name_; }
std::string name_
Definition: Grantee.h:67

+ Here is the caller graph for this function:

void Grantee::getPrivileges ( DBObject object,
bool  only_direct 
)

Definition at line 76 of file Grantee.cpp.

References findDbObject(), and getName().

76  {
77  auto dbObject = findDbObject(object.getObjectKey(), only_direct);
78  if (!dbObject) { // not found
79  throw runtime_error("Can not get privileges because " + getName() +
80  " has no privileges to " + object.getName());
81  }
82  object.grantPrivileges(*dbObject);
83 }
const std::string & getName() const
Definition: Grantee.h:52
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85

+ Here is the call graph for this function:

std::vector< std::string > Grantee::getRoles ( bool  only_direct = true) const

Definition at line 37 of file Grantee.cpp.

37  {
38  std::set<std::string> roles; // Sorted for human readers.
39  std::stack<const Grantee*> g;
40  g.push(this);
41  while (!g.empty()) {
42  auto r = g.top();
43  g.pop();
44  for (auto direct_role : r->roles_) {
45  g.push(direct_role);
46  roles.insert(direct_role->getName());
47  }
48  if (only_direct) {
49  break;
50  }
51  }
52  return std::vector(roles.begin(), roles.end());
53 }
void Grantee::grantPrivileges ( const DBObject object)
virtual

Definition at line 105 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), and updatePrivileges().

Referenced by Catalog_Namespace::SysCatalog::createDBObject().

105  {
106  auto* dbObject = findDbObject(object.getObjectKey(), false);
107  if (!dbObject) { // not found
108  effectivePrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
109  } else { // found
110  dbObject->grantPrivileges(object);
111  }
112  dbObject = findDbObject(object.getObjectKey(), true);
113  if (!dbObject) { // not found
114  directPrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
115  } else { // found
116  dbObject->grantPrivileges(object);
117  }
119 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Grantee::grantRole ( Role role)
virtual

Definition at line 163 of file Grantee.cpp.

References Role::addGrantee(), checkCycles(), getName(), name_, roles_, and updatePrivileges().

163  {
164  bool found = false;
165  for (const auto* granted_role : roles_) {
166  if (role == granted_role) {
167  found = true;
168  break;
169  }
170  }
171  if (found) {
172  throw runtime_error("Role " + role->getName() + " have been granted to " + name_ +
173  " already.");
174  }
175  checkCycles(role);
176  roles_.insert(role);
177  role->addGrantee(this);
179 }
virtual void updatePrivileges()
Definition: Grantee.cpp:268
virtual void addGrantee(Grantee *grantee)
Definition: Grantee.cpp:367
const std::string & getName() const
Definition: Grantee.h:52
std::unordered_set< Role * > roles_
Definition: Grantee.h:68
void checkCycles(Role *newRole)
Definition: Grantee.cpp:306
std::string name_
Definition: Grantee.h:67

+ Here is the call graph for this function:

bool Grantee::hasAnyPrivileges ( const DBObject objectRequested,
bool  only_direct 
) const
virtual

Definition at line 207 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasAnyPrivs(), and DBObjectKey::objectId.

207  {
208  DBObjectKey objectKey = objectRequested.getObjectKey();
209  if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
210  return true;
211  }
212 
213  // if we have an object associated -> ignore it
214  if (objectKey.objectId != -1) {
215  objectKey.objectId = -1;
216  if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
217  return true;
218  }
219  }
220 
221  // if we have an
222  if (objectKey.dbId != -1) {
223  objectKey.dbId = -1;
224  if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
225  return true;
226  }
227  }
228  return false;
229 }
DBObjectKey getObjectKey() const
Definition: DBObject.h:223
int32_t objectId
Definition: DBObject.h:57
static bool hasAnyPrivs(const DBObject *real, const DBObject *)
Definition: Grantee.cpp:199
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
int32_t dbId
Definition: DBObject.h:56

+ Here is the call graph for this function:

bool Grantee::hasAnyPrivilegesOnDb ( int32_t  dbId,
bool  only_direct 
) const

Definition at line 95 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users().

95  {
96  const DBObjectMap& privs = only_direct ? directPrivileges_ : effectivePrivileges_;
97  for (const auto& priv : privs) {
98  if (priv.second->getObjectKey().dbId == dbId) {
99  return true;
100  }
101  }
102  return false;
103 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
std::map< DBObjectKey, std::unique_ptr< DBObject >> DBObjectMap
Definition: Grantee.h:33
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the caller graph for this function:

bool Grantee::hasRole ( Role role,
bool  only_direct 
) const

Definition at line 55 of file Grantee.cpp.

References roles_.

Referenced by Catalog_Namespace::SysCatalog::isRoleGrantedToGrantee().

55  {
56  if (only_direct) {
57  return roles_.find(role) != roles_.end();
58  } else {
59  std::stack<const Grantee*> roles;
60  roles.push(this);
61  while (!roles.empty()) {
62  auto r = roles.top();
63  roles.pop();
64  if (r == role) {
65  return true;
66  } else {
67  for (auto granted_role : r->roles_) {
68  roles.push(granted_role);
69  }
70  }
71  }
72  return false;
73  }
74 }
std::unordered_set< Role * > roles_
Definition: Grantee.h:68

+ Here is the caller graph for this function:

virtual bool Grantee::isUser ( ) const
pure virtual

Implemented in Role, and User.

void Grantee::reassignObjectOwner ( DBObjectKey object_key,
int32_t  new_owner_id 
)

Definition at line 344 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

344  {
345  for (const auto& [grantee_object_key, object] : effectivePrivileges_) {
346  if (grantee_object_key == object_key) {
347  object->setOwner(new_owner_id);
348  }
349  }
350 
351  for (const auto& [grantee_object_key, object] : directPrivileges_) {
352  if (grantee_object_key == object_key) {
353  object->setOwner(new_owner_id);
354  }
355  }
356 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
DBObjectMap directPrivileges_
Definition: Grantee.h:72
void Grantee::reassignObjectOwners ( const std::set< int32_t > &  old_owner_ids,
int32_t  new_owner_id,
int32_t  db_id 
)

Definition at line 326 of file Grantee.cpp.

References shared::contains(), directPrivileges_, and effectivePrivileges_.

328  {
329  for (const auto& [object_key, object] : effectivePrivileges_) {
330  if (object_key.objectId != -1 && object_key.dbId == db_id &&
331  shared::contains(old_owner_ids, object->getOwner())) {
332  object->setOwner(new_owner_id);
333  }
334  }
335 
336  for (const auto& [object_key, object] : directPrivileges_) {
337  if (object_key.objectId != -1 && object_key.dbId == db_id &&
338  shared::contains(old_owner_ids, object->getOwner())) {
339  object->setOwner(new_owner_id);
340  }
341  }
342 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
bool contains(const T &container, const U &element)
Definition: misc.h:187
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the call graph for this function:

void Grantee::renameDbObject ( const DBObject object)
virtual

Reimplemented in Role.

Definition at line 121 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and getName().

Referenced by Role::renameDbObject(), Catalog_Namespace::SysCatalog::renameDBObject(), and Catalog_Namespace::Catalog::renameTable().

121  {
122  // rename direct and effective objects
123  auto directIt = directPrivileges_.find(object.getObjectKey());
124  if (directIt != directPrivileges_.end()) {
125  directIt->second->setName(object.getName());
126  }
127 
128  auto effectiveIt = effectivePrivileges_.find(object.getObjectKey());
129  if (effectiveIt != effectivePrivileges_.end()) {
130  effectiveIt->second->setName(object.getName());
131  }
132 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
const std::string & getName() const
Definition: Grantee.h:52
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

void Grantee::revokeAllOnDatabase ( int32_t  dbId)
virtual

Reimplemented in Role.

Definition at line 292 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and updatePrivileges().

Referenced by Role::revokeAllOnDatabase(), and Catalog_Namespace::SysCatalog::revokeAllOnDatabase_unsafe().

292  {
293  std::vector<DBObjectMap*> sources = {&effectivePrivileges_, &directPrivileges_};
294  for (auto privs : sources) {
295  for (auto iter = privs->begin(); iter != privs->end();) {
296  if (iter->first.dbId == dbId) {
297  iter = privs->erase(iter);
298  } else {
299  ++iter;
300  }
301  }
302  }
304 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

DBObject * Grantee::revokePrivileges ( const DBObject object)
virtual

Definition at line 136 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), getName(), and updatePrivileges().

136  {
137  auto dbObject = findDbObject(object.getObjectKey(), true);
138  if (!dbObject ||
139  !dbObject->getPrivileges().hasAny()) { // not found or has none of privileges set
140  throw runtime_error("Can not revoke privileges because " + getName() +
141  " has no privileges to " + object.getName());
142  }
143  bool object_removed = false;
144  dbObject->revokePrivileges(object);
145  if (!dbObject->getPrivileges().hasAny()) {
146  directPrivileges_.erase(object.getObjectKey());
147  object_removed = true;
148  }
149 
150  auto* cachedDbObject = findDbObject(object.getObjectKey(), false);
151  if (cachedDbObject && cachedDbObject->getPrivileges().hasAny()) {
152  cachedDbObject->revokePrivileges(object);
153  if (!cachedDbObject->getPrivileges().hasAny()) {
154  effectivePrivileges_.erase(object.getObjectKey());
155  }
156  }
157 
159 
160  return object_removed ? nullptr : dbObject;
161 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
const std::string & getName() const
Definition: Grantee.h:52
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the call graph for this function:

void Grantee::revokeRole ( Role role)
virtual

Definition at line 181 of file Grantee.cpp.

References Role::removeGrantee(), roles_, and updatePrivileges().

181  {
182  roles_.erase(role);
183  role->removeGrantee(this);
185 }
virtual void updatePrivileges()
Definition: Grantee.cpp:268
virtual void removeGrantee(Grantee *grantee)
Definition: Grantee.cpp:376
std::unordered_set< Role * > roles_
Definition: Grantee.h:68

+ Here is the call graph for this function:

void Grantee::setName ( const std::string &  name)
inline

Definition at line 53 of file Grantee.h.

References setup::name, and name_.

53 { name_ = name; }
string name
Definition: setup.in.py:72
std::string name_
Definition: Grantee.h:67
void Grantee::updatePrivileges ( )
virtual

Reimplemented in Role.

Definition at line 268 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

Referenced by grantPrivileges(), grantRole(), revokeAllOnDatabase(), revokePrivileges(), revokeRole(), and Role::updatePrivileges().

268  {
269  for (auto& dbObject : effectivePrivileges_) {
270  dbObject.second->resetPrivileges();
271  }
272  for (auto it = directPrivileges_.begin(); it != directPrivileges_.end(); ++it) {
273  if (effectivePrivileges_.find(it->first) != effectivePrivileges_.end()) {
274  effectivePrivileges_[it->first]->updatePrivileges(*it->second);
275  }
276  }
277  for (auto role : roles_) {
278  if (role->getDbObjects(false)->size() > 0) {
279  updatePrivileges(role);
280  }
281  }
282  for (auto dbObjectIt = effectivePrivileges_.begin();
283  dbObjectIt != effectivePrivileges_.end();) {
284  if (!dbObjectIt->second->getPrivileges().hasAny()) {
285  dbObjectIt = effectivePrivileges_.erase(dbObjectIt);
286  } else {
287  ++dbObjectIt;
288  }
289  }
290 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
virtual void updatePrivileges()
Definition: Grantee.cpp:268
std::unordered_set< Role * > roles_
Definition: Grantee.h:68
DBObjectMap directPrivileges_
Definition: Grantee.h:72

+ Here is the caller graph for this function:

void Grantee::updatePrivileges ( Role role)
virtual

Definition at line 255 of file Grantee.cpp.

References effectivePrivileges_, findDbObject(), and getDbObjects().

255  {
256  for (auto& roleDbObject : *role->getDbObjects(false)) {
257  auto dbObject = findDbObject(roleDbObject.first, false);
258  if (dbObject) { // found
259  dbObject->updatePrivileges(*roleDbObject.second);
260  } else { // not found
261  effectivePrivileges_[roleDbObject.first] =
262  boost::make_unique<DBObject>(*roleDbObject.second.get());
263  }
264  }
265 }
DBObjectMap effectivePrivileges_
Definition: Grantee.h:70
DBObject * findDbObject(const DBObjectKey &objectKey, bool only_direct) const
Definition: Grantee.cpp:85
const DBObjectMap * getDbObjects(bool only_direct) const
Definition: Grantee.h:56

+ Here is the call graph for this function:

Member Data Documentation

std::string Grantee::name_
protected

Definition at line 67 of file Grantee.h.

Referenced by getName(), grantRole(), and setName().

std::unordered_set<Role*> Grantee::roles_
protected

Definition at line 68 of file Grantee.h.

Referenced by grantRole(), hasRole(), revokeRole(), updatePrivileges(), and ~Grantee().


The documentation for this class was generated from the following files: