fix bug that system privs create any table, drop any table allowed to access table obj also

jingtaoye35
2023-11-09 13:13:48 +00:00
committed by ob-robot
parent 0c24ef4988
commit a399421cc0
6 changed files with 114 additions and 47 deletions


@ -1590,6 +1590,7 @@ int ObShowResolver::check_desc_priv_if_ness(
OZ (schema_checker_->check_access_to_obj(real_tenant_id,
session_info_->get_priv_user_id(),
table_schema->get_table_id(),
database_name,
stmt::T_SHOW_COLUMNS,
session_info_->get_enable_role_array(),
accessible,


@ -677,17 +677,18 @@ int ObCreateViewResolver::check_privilege_needed(ObCreateTableStmt &stmt,
const TableItem *table_item = select_stmt.get_table_item(i);
CK (OB_NOT_NULL(table_item));
OZ (schema_checker_->check_access_to_obj(session_info_->get_effective_tenant_id(),
session_info_->get_priv_user_id(),
table_item->ref_id_,
stmt::T_CREATE_VIEW,
session_info_->get_enable_role_array(),
accessible),
session_info_->get_priv_user_id(),
table_item->ref_id_,
table_item->database_name_,
stmt::T_CREATE_VIEW,
session_info_->get_enable_role_array(),
accessible),
session_info_->get_effective_tenant_id(), session_info_->get_user_id(),
stmt.get_database_name());
if (!accessible) {
if (OB_SUCC(ret) && !accessible) {
ret = OB_TABLE_NOT_EXIST;
LOG_USER_ERROR(OB_TABLE_NOT_EXIST, to_cstring(stmt.get_database_name()),
to_cstring(table_item->table_name_));
LOG_USER_ERROR(OB_TABLE_NOT_EXIST, to_cstring(table_item->database_name_),
to_cstring(table_item->table_name_));
}
}
if (OB_SUCC(ret)) {
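Review bot: The schema name handed to check_access_to_obj is the referenced table's own (`table_item->database_name_`) rather than the view's schema, and nothing in the hunk records why; a short comment above the OZ call would stop a later edit from "simplifying" it back to `stmt.get_database_name()`, which is the bug the commit title describes. Suggested comment: `// privilege is evaluated against the schema that owns the referenced table, not the schema the view is created in`. The new `OB_SUCC(ret) && !accessible` guard also relies on `accessible` being written by the callee on every successful return; if check_access_to_obj can return OB_SUCCESS without setting it, a stale value from a previous loop iteration would be reused, so resetting it to false at the top of each iteration would be safer. check_privilege_needed begins outside the hunk, so the declaration of `accessible` is not visible here.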


@ -2795,10 +2795,16 @@ int ObSchemaChecker::check_ora_ddl_priv(
}
/**检查用户user_id是否能access到obj_id,会检查系统权限和对象权限*/
/*
*系统权限又分了两类:
* 1. 全局有效:create any table, create any view ....
* 2. user’s shema有效:create table,create view,create synonym, create index, ....
*/
int ObSchemaChecker::check_access_to_obj(
const uint64_t tenant_id,
const uint64_t user_id,
const uint64_t obj_id,
const ObString &database_name,
const sql::stmt::StmtType stmt_type,
const ObIArray<uint64_t> &role_id_array,
bool &accessible,
@ -2827,6 +2833,7 @@ int ObSchemaChecker::check_access_to_obj(
static_cast<uint64_t>
(share::schema::ObObjectType::TABLE),
obj_id,
database_name,
role_id_array,
accessible),
K(tenant_id), K(user_id), K(stmt_type), K(role_id_array));
@ -2842,6 +2849,7 @@ int ObSchemaChecker::check_access_to_obj(
static_cast<uint64_t>
(share::schema::ObObjectType::TABLE),
obj_id,
database_name,
role_id_array,
accessible),
K(tenant_id), K(user_id), K(stmt_type), K(role_id_array));
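Review bot: The new `database_name` argument is missing from the log context at the end of both OZ calls in the second and third hunks, which still print only `K(tenant_id), K(user_id), K(stmt_type), K(role_id_array)`; when an access check is denied or errors out, the object and its schema are what a diagnoser needs, so append `K(obj_id), K(database_name)` to both lists. The header comment in the first hunk describes the two classes of system privilege but says nothing about the new parameter; presumably it names the schema owning `obj_id` so that the schema-scoped class can be evaluated against the right owner, and a line such as `// database_name: schema that owns obj_id, used to evaluate schema-scoped system privileges` would make that explicit. check_access_to_obj's body continues beyond the hunks shown.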


@ -451,6 +451,7 @@ public:
int check_access_to_obj(const uint64_t tenant_id,
const uint64_t user_id,
const uint64_t obj_id,
const common::ObString &database_name,
const sql::stmt::StmtType stmt_type,
const ObIArray<uint64_t> &role_id_array,
bool &accessible,