hcq/oceanbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix bug that system privs create any table, drop any tableallowed to access table obj also

Browse Source
This commit is contained in:
jingtaoye35
2023-11-09 13:13:48 +00:00
committed by ob-robot
parent 0c24ef4988
commit a399421cc0
6 changed files with 114 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
src/sql/privilege_check/ob_ora_priv_check.cpp
View File

@ -1028,7 +1028,7 @@ int ObOraSysChecker::check_owner_or_p1_or_access(
ret = OB_SUCCESS;
bool accessible = false;
OZ (check_access_to_obj(guard, tenant_id, user_id,
p1, obj_type, obj_id, role_id_array, accessible));
p1, obj_type, obj_id, database_name, role_id_array, accessible));
if (OB_SUCC(ret)) {
if (accessible) {
ret = OB_ERR_NO_PRIVILEGE;
@ -1055,6 +1055,7 @@ int ObOraSysChecker::check_access_to_obj(
const ObRawPriv p1,
const uint64_t obj_type,
const uint64_t obj_id,
const ObString &database_name,
const ObIArray<uint64_t> &role_id_array,
bool &accessible)
{
@ -1062,13 +1063,29 @@ int ObOraSysChecker::check_access_to_obj(
accessible = false;
ObRawPrivArray sys_priv_array;
ObRawObjPrivArray obj_priv_array;
bool is_owner = false;
// 1. 建立和p1相关的权限列表
OZ (build_related_sys_priv_array(p1, sys_priv_array), p1);
// 2. 检查user_id是否具有sys_priv_array中的系统权限一种
if (OB_SUCC(ret)) {
const ObUserInfo *user_info = NULL;
if (database_name.empty()) {
is_owner = true;
} else if (OB_FAIL(guard.get_user_info(tenant_id, user_id, user_info))) {
LOG_WARN("failed to get user info", K(ret), K(tenant_id), K(user_id));
} else if (OB_ISNULL(user_info)) {
ret = OB_USER_NOT_EXIST;
LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
} else {
is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(), database_name);
}
}
if (OB_FAIL(ret)) {
} else if (is_owner) {
accessible = true;
} else {
if (sys_priv_array.count() > 0) {
OZ (check_p1_or_plist(guard, tenant_id, user_id,
p1, NO_OPTION, sys_priv_array, role_id_array));
OZ (check_p1_or_plist(guard, tenant_id, user_id, p1, NO_OPTION, sys_priv_array, role_id_array));
} else {
OZ (check_p1(guard, tenant_id, user_id, p1, role_id_array));
}
@ -1077,7 +1094,6 @@ int ObOraSysChecker::check_access_to_obj(
} else {
ret = OB_SUCCESS;
}
}
if (OB_SUCC(ret) && !accessible) {
// 3. 建立和p1,obj_type相关的对象权限列表
OZ (build_related_obj_priv_array(p1, obj_type, obj_priv_array), p1, obj_type);
@ -1092,6 +1108,7 @@ int ObOraSysChecker::check_access_to_obj(
}
}
}
}
return ret;
}
@ -1102,6 +1119,7 @@ int ObOraSysChecker::check_access_to_obj(
const uint64_t user_id,
const uint64_t obj_type,
const uint64_t obj_id,
const ObString &database_name,
const ObIArray<uint64_t> &role_id_array,
bool &accessible)
{
@ -1109,10 +1127,29 @@ int ObOraSysChecker::check_access_to_obj(
accessible = false;
ObRawPrivArray sys_priv_array;
ObRawObjPrivArray obj_priv_array;
bool is_owner = false;
// 1. 建立相关的sys权限列表
OZ (build_related_sys_priv_array(obj_type, sys_priv_array));
// 2. 检查user_id是否具有 sys_priv 中的任意一个
if (OB_SUCC(ret) && sys_priv_array.count() > 0) {
if (OB_SUCC(ret)) {
const ObUserInfo *user_info = NULL;
if (database_name.empty()) {
is_owner = true;
} else if (OB_FAIL(guard.get_user_info(tenant_id, user_id, user_info))) {
LOG_WARN("failed to get user info", K(ret), K(tenant_id), K(user_id));
} else if (OB_ISNULL(user_info)) {
ret = OB_USER_NOT_EXIST;
LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
} else {
is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(), database_name);
}
}
if (OB_FAIL(ret)) {
} else if (is_owner) {
accessible = true;
/* is_owner = true, means user can access obj */
} else {
if (sys_priv_array.count() > 0) {
OZ (check_plist_or(guard, tenant_id, user_id, sys_priv_array, role_id_array));
if (OB_SUCC(ret)) {
accessible = true;
@ -1138,6 +1175,7 @@ int ObOraSysChecker::check_access_to_obj(
accessible = false;
}
}
}
return ret;
}
@ -1235,6 +1273,8 @@ int ObOraSysChecker::build_related_sys_priv_array(
OZ (sys_priv_array.push_back(PRIV_ID_CREATE_ANY_VIEW));
break;
case static_cast<uint64_t>(PRIV_ID_CREATE_ANY_VIEW):
OZ (sys_priv_array.push_back(PRIV_ID_CREATE_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_DROP_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_ALTER_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_LOCK_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_COMMENT_ANY_TABLE));
@ -1264,6 +1304,8 @@ int ObOraSysChecker::build_related_sys_priv_array(
sys_priv_array.reset();
switch (obj_type) {
case static_cast<uint64_t>(ObObjectType::TABLE): {
OZ (sys_priv_array.push_back(PRIV_ID_CREATE_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_DROP_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_ALTER_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_LOCK_ANY_TABLE));
OZ (sys_priv_array.push_back(PRIV_ID_COMMENT_ANY_TABLE));
@ -1291,6 +1333,7 @@ int ObOraSysChecker::build_related_obj_priv_array(
obj_priv_array.reset();
switch (obj_type) {
case static_cast<uint64_t>(ObObjectType::TABLE): {
OZ (obj_priv_array.push_back(OBJ_PRIV_ID_CREATE));
OZ (obj_priv_array.push_back(OBJ_PRIV_ID_ALTER));
OZ (obj_priv_array.push_back(OBJ_PRIV_ID_DEBUG));
OZ (obj_priv_array.push_back(OBJ_PRIV_ID_DELETE));
@ -1720,6 +1763,12 @@ int ObOraSysChecker::check_ora_obj_priv_for_create_view(
OZ (priv_list.push_back(PRIV_ID_INSERT_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_UPDATE_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_DELETE_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_CREATE_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_DROP_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_ALTER_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_LOCK_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_COMMENT_ANY_TABLE));
OZ (priv_list.push_back(PRIV_ID_FLASHBACK_ANY_TABLE));
} else {
OZ (priv_list.push_back(PRIV_ID_SELECT_ANY_DICTIONARY));
}
@ -1733,7 +1782,12 @@ int ObOraSysChecker::check_ora_obj_priv_for_create_view(
OZ (obj_p_list.push_back(OBJ_PRIV_ID_INSERT));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_UPDATE));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_DELETE));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_CREATE));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_ALTER));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_DEBUG));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_INDEX));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_READ));
OZ (obj_p_list.push_back(OBJ_PRIV_ID_REFERENCES));
OZ (check_obj_plist_or_in_single(guard, tenant_id, user_id, obj_type,
obj_id, col_id, obj_p_list),
tenant_id, user_id, obj_type, obj_id, col_id, obj_p_list);
@ -2571,7 +2625,7 @@ int ObOraSysChecker::check_ora_ddl_ref_priv(
if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) {
ret = OB_SUCCESS;
bool accessible = false;
OZ (check_access_to_obj(guard, tenant_id, user_id, obj_type, obj_id,
OZ (check_access_to_obj(guard, tenant_id, user_id, obj_type, obj_id, database_name,
role_id_array, accessible));
OX (ret = accessible ? OB_ERR_NO_SYS_PRIVILEGE : OB_TABLE_NOT_EXIST);
}

2
src/sql/privilege_check/ob_ora_priv_check.h
View File

@ -496,6 +496,7 @@ public:
const share::ObRawPriv p1,
const uint64_t obj_type,
const uint64_t obj_id,
const common::ObString &database_name,
const ObIArray<uint64_t> &role_id_array,
bool &exists);
@ -505,6 +506,7 @@ public:
const uint64_t user_id,
const uint64_t obj_type,
const uint64_t obj_id,
const common::ObString &database_name,
const ObIArray<uint64_t> &role_id_array,
bool &accessible);

1
src/sql/resolver/cmd/ob_show_resolver.cpp
View File

@ -1590,6 +1590,7 @@ int ObShowResolver::check_desc_priv_if_ness(
OZ (schema_checker_->check_access_to_obj(real_tenant_id,
session_info_->get_priv_user_id(),
table_schema->get_table_id(),
database_name,
stmt::T_SHOW_COLUMNS,
session_info_->get_enable_role_array(),
accessible,

5
src/sql/resolver/ddl/ob_create_view_resolver.cpp
View File

@ -679,14 +679,15 @@ int ObCreateViewResolver::check_privilege_needed(ObCreateTableStmt &stmt,
OZ (schema_checker_->check_access_to_obj(session_info_->get_effective_tenant_id(),
session_info_->get_priv_user_id(),
table_item->ref_id_,
table_item->database_name_,
stmt::T_CREATE_VIEW,
session_info_->get_enable_role_array(),
accessible),
session_info_->get_effective_tenant_id(), session_info_->get_user_id(),
stmt.get_database_name());
if (!accessible) {
if (OB_SUCC(ret) && !accessible) {
ret = OB_TABLE_NOT_EXIST;
LOG_USER_ERROR(OB_TABLE_NOT_EXIST, to_cstring(stmt.get_database_name()),
LOG_USER_ERROR(OB_TABLE_NOT_EXIST, to_cstring(table_item->database_name_),
to_cstring(table_item->table_name_));
}
}

8
src/sql/resolver/ob_schema_checker.cpp
View File

@ -2795,10 +2795,16 @@ int ObSchemaChecker::check_ora_ddl_priv(
}
/**检查用户user_id是否能access到obj_id,会检查系统权限和对象权限*/
/*
*系统权限又分了两类:
* 1. 全局有效:create any table, create any view ....
* 2. user’s shema有效:create table,create view,create synonym, create index, ....
*/
int ObSchemaChecker::check_access_to_obj(
const uint64_t tenant_id,
const uint64_t user_id,
const uint64_t obj_id,
const ObString &database_name,
const sql::stmt::StmtType stmt_type,
const ObIArray<uint64_t> &role_id_array,
bool &accessible,
@ -2827,6 +2833,7 @@ int ObSchemaChecker::check_access_to_obj(
static_cast<uint64_t>
(share::schema::ObObjectType::TABLE),
obj_id,
database_name,
role_id_array,
accessible),
K(tenant_id), K(user_id), K(stmt_type), K(role_id_array));
@ -2842,6 +2849,7 @@ int ObSchemaChecker::check_access_to_obj(
static_cast<uint64_t>
(share::schema::ObObjectType::TABLE),
obj_id,
database_name,
role_id_array,
accessible),
K(tenant_id), K(user_id), K(stmt_type), K(role_id_array));

1
src/sql/resolver/ob_schema_checker.h
View File

@ -451,6 +451,7 @@ public:
int check_access_to_obj(const uint64_t tenant_id,
const uint64_t user_id,
const uint64_t obj_id,
const common::ObString &database_name,
const sql::stmt::StmtType stmt_type,
const ObIArray<uint64_t> &role_id_array,
bool &accessible,