diff --git a/src/pl/ob_pl.cpp b/src/pl/ob_pl.cpp
index 5459ce75d9..98472e3adc 100644
--- a/src/pl/ob_pl.cpp
+++ b/src/pl/ob_pl.cpp
@@ -3716,18 +3716,18 @@ int ObPLExecState::check_pl_execute_priv(ObSchemaGetterGuard &guard,
 user_info));
 CK (user_info != NULL);
 OX (obj_owner_id = user_info->get_user_id());
+ OZ (ObOraSysChecker::check_ora_obj_priv(guard,
+ obj_tenant_id,
+ user_id,
+ database_name,
+ obj_id,
+ OBJ_LEVEL_FOR_TAB_PRIV,
+ static_cast(object_type),
+ OBJ_PRIV_ID_EXECUTE,
+ CHECK_FLAG_NORMAL,
+ obj_owner_id,
+ role_id_array));
 }
- OZ (ObOraSysChecker::check_ora_obj_priv(guard,
- obj_tenant_id,
- user_id,
- database_name,
- obj_id,
- OBJ_LEVEL_FOR_TAB_PRIV,
- static_cast(object_type),
- OBJ_PRIV_ID_EXECUTE,
- CHECK_FLAG_NORMAL,
- obj_owner_id,
- role_id_array));
 if (ROUTINE_SCHEMA == schema_type && ret == OB_TABLE_NOT_EXIST) {
 ret = OB_WRONG_COLUMN_NAME;
 }
diff --git a/src/sql/privilege_check/ob_ora_priv_check.cpp b/src/sql/privilege_check/ob_ora_priv_check.cpp
index 5124702e03..737c6b694d 100644
--- a/src/sql/privilege_check/ob_ora_priv_check.cpp
+++ b/src/sql/privilege_check/ob_ora_priv_check.cpp
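Review bot: In check_pl_execute_priv the `OBJ_PRIV_ID_EXECUTE` check now sits inside the block that closes at the `}` context line, so any path that does not enter that block returns without `check_ora_obj_priv` being called. The block's opening condition lies outside the hunk; if it is the Oracle-mode branch, the move matches the compat-mode guards removed from ObOraSysChecker in the same commit, but that should be confirmed rather than assumed, along with what enforces EXECUTE on the other path. A comment at the call would record the dependency, e.g. `// Must stay inside this branch: ObOraSysChecker no longer checks the tenant compat mode itself.`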
@@ -171,17 +171,11 @@ int ObOraSysChecker::check_plist_and(
 const uint64_t option)
 {
 int ret = OB_SUCCESS;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZX1 (check_plist_and_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
- if (ret == OB_ERR_NO_PRIVILEGE) {
- ret = OB_SUCCESS;
- OZX1 (check_plist_and_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
- OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
- }
+ OZX1 (check_plist_and_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
+ if (ret == OB_ERR_NO_PRIVILEGE) {
+ ret = OB_SUCCESS;
+ OZX1 (check_plist_and_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
+ OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
 }
 return ret;
 }
@@ -198,17 +192,11 @@ int ObOraSysChecker::check_plist_or(
 const uint64_t option)
 {
 int ret = OB_SUCCESS;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZX1 (check_plist_or_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
- if (ret == OB_ERR_NO_PRIVILEGE) {
- ret = OB_SUCCESS;
- OZX1 (check_plist_or_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
- OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
- }
+ OZX1 (check_plist_or_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
+ if (ret == OB_ERR_NO_PRIVILEGE) {
+ ret = OB_SUCCESS;
+ OZX1 (check_plist_or_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
+ OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
 }
 return ret;
 }
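Review bot: With the `get_tenant_compat_mode` guard removed from check_plist_and, a call made for a non-Oracle tenant no longer returns OB_SUCCESS without testing anything; it now runs the sys-priv lookup and, judging by the `sys_priv == NULL` branch in the `_in_single` helpers, most likely ends in OB_ERR_NO_PRIVILEGE. That direction is fail-closed, but the precondition has become implicit, and the same holds for every other ObOraSysChecker hunk in this commit (check_plist_or, check_p1, the `_in_single` and `_in_roles` helpers, check_obj_plist_or, check_obj_p1, check_p1_or_plist, check_p1_with_plist_info, check_p1_or_owner_and_p2, check_owner_or_p1_or_objp2, check_owner_or_p1_or_access, check_owner_or_p1). State it on each public entry point, e.g. `// Precondition: tenant_id is an Oracle-mode tenant; the caller checks the compat mode.`, and confirm that each call site really does gate on the mode. The function signatures start outside the hunks.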
@@ -224,17 +212,11 @@ int ObOraSysChecker::check_p1(
 const ObIArray &role_id_array)
 {
 int ret = OB_SUCCESS;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZX1 (check_p1_in_single(guard, tenant_id, user_id, p1), OB_ERR_NO_PRIVILEGE);
- if (ret == OB_ERR_NO_PRIVILEGE) {
- ret = OB_SUCCESS;
- OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array),
- OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
- }
+ OZX1 (check_p1_in_single(guard, tenant_id, user_id, p1), OB_ERR_NO_PRIVILEGE);
+ if (ret == OB_ERR_NO_PRIVILEGE) {
+ ret = OB_SUCCESS;
+ OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array),
+ OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
 }
 return ret;
 }
@@ -250,24 +232,18 @@ int ObOraSysChecker::check_plist_or_in_roles(
 {
 int ret = OB_SUCCESS;
 bool exists;
- lib::Worker::CompatMode compat_mode;
+ ObPackedPrivArray sys_packed_array;
+ OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array,
+ true, role_id_array),
+ tenant_id, user_id);
 
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- ObPackedPrivArray sys_packed_array;
- OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array,
- true, role_id_array),
- tenant_id, user_id);
-
- ObPackedPrivArray packed_privs;
- OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
- OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
- sys_packed_array,
- exists));
- if (OB_SUCC(ret) && !exists) {
- ret = OB_ERR_NO_PRIVILEGE;
- }
+ ObPackedPrivArray packed_privs;
+ OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
+ OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
+ sys_packed_array,
+ exists));
+ if (OB_SUCC(ret) && !exists) {
+ ret = OB_ERR_NO_PRIVILEGE;
 }
 return ret;
 }
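Review bot: `bool exists;` in check_plist_or_in_roles is what `!exists` reads to choose between success and OB_ERR_NO_PRIVILEGE, yet it is never initialised, so the denial depends on `packed_sys_priv_list_or_exists` always writing its out-parameter whenever it returns success. Initialise it to the denying value, `bool exists = false;`, as check_p1_or_cond_p2_in_single already does. The same declaration appears in the hunks for check_plist_and_in_roles, check_plist_and_in_single and check_plist_or_in_single, and `bool is_owner;` in check_p1_or_owner_and_p2 has the same shape and should become `bool is_owner = false;`, matching check_owner_or_p1. The function signature starts outside the hunk.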
@@ -283,24 +259,18 @@ int ObOraSysChecker::check_plist_and_in_roles(
 {
 int ret = OB_SUCCESS;
 bool exists;
- lib::Worker::CompatMode compat_mode;
+ ObPackedPrivArray sys_packed_array;
+ OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array,
+ true, role_id_array),
+ tenant_id, user_id);
 
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- ObPackedPrivArray sys_packed_array;
- OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array,
- true, role_id_array),
- tenant_id, user_id);
-
- ObPackedPrivArray packed_privs;
- OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
- OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
- sys_packed_array,
- exists));
- if (OB_SUCC(ret) && !exists) {
- ret = OB_ERR_NO_PRIVILEGE;
- }
+ ObPackedPrivArray packed_privs;
+ OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
+ OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
+ sys_packed_array,
+ exists));
+ if (OB_SUCC(ret) && !exists) {
+ ret = OB_ERR_NO_PRIVILEGE;
 }
 return ret;
 }
@@ -315,25 +285,19 @@ int ObOraSysChecker::check_plist_and_in_single(
 {
 int ret = OB_SUCCESS;
 bool exists;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- ObSysPriv *sys_priv = NULL;
- OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
- if (OB_SUCC(ret)) {
- if (sys_priv == NULL) {
+ ObSysPriv *sys_priv = NULL;
+ OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
+ if (OB_SUCC(ret)) {
+ if (sys_priv == NULL) {
+ ret = OB_ERR_NO_PRIVILEGE;
+ } else {
+ ObPackedPrivArray packed_privs;
+ OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
+ OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
+ sys_priv->get_priv_array(),
+ exists));
+ if (OB_SUCC(ret) && !exists) {
 ret = OB_ERR_NO_PRIVILEGE;
- } else {
- ObPackedPrivArray packed_privs;
- OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
- OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
- sys_priv->get_priv_array(),
- exists));
- if (OB_SUCC(ret) && !exists) {
- ret = OB_ERR_NO_PRIVILEGE;
- }
 }
 }
 }
@@ -350,25 +314,19 @@ int ObOraSysChecker::check_plist_or_in_single(
 {
 int ret = OB_SUCCESS;
 bool exists;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- ObSysPriv *sys_priv = NULL;
- OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
- if (OB_SUCC(ret)) {
- if (sys_priv == NULL) {
+ ObSysPriv *sys_priv = NULL;
+ OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
+ if (OB_SUCC(ret)) {
+ if (sys_priv == NULL) {
+ ret = OB_ERR_NO_PRIVILEGE;
+ } else {
+ ObPackedPrivArray packed_privs;
+ OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
+ OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
+ sys_priv->get_priv_array(),
+ exists));
+ if (OB_SUCC(ret) && !exists) {
 ret = OB_ERR_NO_PRIVILEGE;
- } else {
- ObPackedPrivArray packed_privs;
- OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
- OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
- sys_priv->get_priv_array(),
- exists));
- if (OB_SUCC(ret) && !exists) {
- ret = OB_ERR_NO_PRIVILEGE;
- }
 }
 }
 }
@@ -490,26 +448,20 @@ int ObOraSysChecker::check_obj_plist_or(
 const ObIArray &role_id_array)
 {
 int ret = OB_SUCCESS;
- lib::Worker::CompatMode compat_mode;
 int ret1;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZX2 (check_obj_plist_or_in_single(guard, tenant_id, user_id, obj_type,
- obj_id, col_id, plist),
- OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY,
- tenant_id, user_id, obj_type, obj_id, col_id, plist);
- if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) {
- ret1 = ret;
- ret = OB_SUCCESS;
- OZ (check_obj_plist_or_in_roles(guard, tenant_id, user_id, obj_type,
- obj_id, col_id, plist, role_id_array),
- tenant_id, user_id, obj_type, obj_id, col_id, plist);
- /* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
- if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
- ret = OB_ERR_NO_PRIVILEGE;
- }
+ OZX2 (check_obj_plist_or_in_single(guard, tenant_id, user_id, obj_type,
+ obj_id, col_id, plist),
+ OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY,
+ tenant_id, user_id, obj_type, obj_id, col_id, plist);
+ if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) {
+ ret1 = ret;
+ ret = OB_SUCCESS;
+ OZ (check_obj_plist_or_in_roles(guard, tenant_id, user_id, obj_type,
+ obj_id, col_id, plist, role_id_array),
+ tenant_id, user_id, obj_type, obj_id, col_id, plist);
+ /* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
+ if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
+ ret = OB_ERR_NO_PRIVILEGE;
 }
 }
 return ret;
@@ -530,29 +482,19 @@ int ObOraSysChecker::check_obj_p1(
 const ObIArray &role_id_array)
 {
 int ret = OB_SUCCESS;
- // unused
- // bool exists;
- lib::Worker::CompatMode compat_mode;
- // unused
- // ObObjPriv *obj_priv = NULL;
 int ret1;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZX2 (check_obj_p1_in_single(guard, tenant_id, user_id, obj_type, obj_id, col_id, p1, option),
- OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY,
- tenant_id, user_id, obj_type, obj_id, col_id, p1, option);
- if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) {
- ret1 = ret;
- ret = OB_SUCCESS;
- OZX1 (check_obj_p1_in_roles(guard, tenant_id, user_id, obj_type,
- obj_id, col_id, p1, option, role_id_array), OB_ERR_EMPTY_QUERY,
- tenant_id, user_id, obj_type, obj_id, col_id, p1, option);
- /* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
- if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
- ret = OB_ERR_NO_PRIVILEGE;
- }
+ OZX2 (check_obj_p1_in_single(guard, tenant_id, user_id, obj_type, obj_id, col_id, p1, option),
+ OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY,
+ tenant_id, user_id, obj_type, obj_id, col_id, p1, option);
+ if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) {
+ ret1 = ret;
+ ret = OB_SUCCESS;
+ OZX1 (check_obj_p1_in_roles(guard, tenant_id, user_id, obj_type,
+ obj_id, col_id, p1, option, role_id_array), OB_ERR_EMPTY_QUERY,
+ tenant_id, user_id, obj_type, obj_id, col_id, p1, option);
+ /* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
+ if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
+ ret = OB_ERR_NO_PRIVILEGE;
 }
 }
 return ret;
@@ -568,19 +510,13 @@ int ObOraSysChecker::check_p1_or_plist_in_single(
 {
 int ret = OB_SUCCESS;
 ObSysPriv *sys_priv = NULL;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
- if (OB_SUCC(ret)) {
- if (sys_priv == NULL) {
- ret = OB_ERR_NO_PRIVILEGE;
- } else {
- OZX1 (check_p1_or_plist_using_privs(sys_priv->get_priv_array(), p1, option, plist),
- OB_ERR_NO_PRIVILEGE);
- }
+ OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
+ if (OB_SUCC(ret)) {
+ if (sys_priv == NULL) {
+ ret = OB_ERR_NO_PRIVILEGE;
+ } else {
+ OZX1 (check_p1_or_plist_using_privs(sys_priv->get_priv_array(), p1, option, plist),
+ OB_ERR_NO_PRIVILEGE);
 }
 }
 return ret;
@@ -627,25 +563,17 @@ int ObOraSysChecker::check_p1_with_plist_info(
 const ObIArray &role_id_array)
 {
 int ret = OB_SUCCESS;
- // unused
- // ObSysPriv *sys_priv = NULL;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZX1 (check_p1_with_plist_info_in_single(
- guard, tenant_id, user_id, p1, option, plist, has_other_priv),
- OB_ERR_NO_PRIVILEGE);
- if (ret == OB_ERR_NO_PRIVILEGE) {
- ret = OB_SUCCESS;
- if (has_other_priv) {
- OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array), OB_ERR_NO_PRIVILEGE);
- } else {
- OZX1 (check_p1_with_plist_info_in_roles(
- guard, tenant_id, user_id, p1, option, plist,
- has_other_priv, role_id_array), OB_ERR_NO_PRIVILEGE);
- }
+ OZX1 (check_p1_with_plist_info_in_single(
+ guard, tenant_id, user_id, p1, option, plist, has_other_priv),
+ OB_ERR_NO_PRIVILEGE);
+ if (ret == OB_ERR_NO_PRIVILEGE) {
+ ret = OB_SUCCESS;
+ if (has_other_priv) {
+ OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array), OB_ERR_NO_PRIVILEGE);
+ } else {
+ OZX1 (check_p1_with_plist_info_in_roles(
+ guard, tenant_id, user_id, p1, option, plist,
+ has_other_priv, role_id_array), OB_ERR_NO_PRIVILEGE);
 }
 }
 return ret;
@@ -716,20 +644,15 @@ int ObOraSysChecker::check_p1_with_plist_info_in_single(
 {
 int ret = OB_SUCCESS;
 ObSysPriv *sys_priv = NULL;
- lib::Worker::CompatMode compat_mode;
 has_other_priv = false;
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
- if (OB_SUCC(ret)) {
- if (sys_priv == NULL) {
- ret = OB_ERR_NO_PRIVILEGE;
- } else {
- OZX1 (check_p1_with_plist_info_using_privs(
- sys_priv->get_priv_array(), p1, option, plist, has_other_priv),
- OB_ERR_NO_PRIVILEGE);
- }
+ OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
+ if (OB_SUCC(ret)) {
+ if (sys_priv == NULL) {
+ ret = OB_ERR_NO_PRIVILEGE;
+ } else {
+ OZX1 (check_p1_with_plist_info_using_privs(
+ sys_priv->get_priv_array(), p1, option, plist, has_other_priv),
+ OB_ERR_NO_PRIVILEGE);
 }
 }
 return ret;
@@ -749,20 +672,12 @@ int ObOraSysChecker::check_p1_or_plist(
 const ObIArray &role_id_array)
 {
 int ret = OB_SUCCESS;
- // unused
- // ObSysPriv *sys_priv = NULL;
- lib::Worker::CompatMode compat_mode;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZX1 (check_p1_or_plist_in_single(guard, tenant_id, user_id, p1, option, plist),
- OB_ERR_NO_PRIVILEGE);
- if (ret == OB_ERR_NO_PRIVILEGE) {
- ret = OB_SUCCESS;
- OZ (check_p1_or_plist_in_roles(guard, tenant_id, user_id, p1,
- option, plist, role_id_array));
- }
+ OZX1 (check_p1_or_plist_in_single(guard, tenant_id, user_id, p1, option, plist),
+ OB_ERR_NO_PRIVILEGE);
+ if (ret == OB_ERR_NO_PRIVILEGE) {
+ ret = OB_SUCCESS;
+ OZ (check_p1_or_plist_in_roles(guard, tenant_id, user_id, p1,
+ option, plist, role_id_array));
 }
 return ret;
 }
@@ -820,25 +735,19 @@ int ObOraSysChecker::check_p1_or_cond_p2_in_single(
 {
 int ret = OB_SUCCESS;
 ObSysPriv *sys_priv = NULL;
- lib::Worker::CompatMode compat_mode;
 bool exists = false;
-
- OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode));
- /* 仅在oracle模式下执行 */
- if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
- OZ (guard.get_sys_priv_with_grantee_id(tenant_id, ur_id, sys_priv));
- if (OB_SUCC(ret)) {
- if (sys_priv == NULL) {
+ OZ (guard.get_sys_priv_with_grantee_id(tenant_id, ur_id, sys_priv));
+ if (OB_SUCC(ret)) {
+ if (sys_priv == NULL) {
+ ret = OB_ERR_NO_PRIVILEGE;
+ } else {
+ OZ (ObOraPrivCheck::p1_or_cond_p2_exists(p1,
+ is_owner,
+ p2,
+ sys_priv->get_priv_array(),
+ exists));
+ if (OB_SUCC(ret) && !exists) {
 ret = OB_ERR_NO_PRIVILEGE;
- } else {
- OZ (ObOraPrivCheck::p1_or_cond_p2_exists(p1,
- is_owner,
- p2,
- sys_priv->get_priv_array(),
- exists));
- if (OB_SUCC(ret) && !exists) {
- ret = OB_ERR_NO_PRIVILEGE;
- }
 }
 }
 }
@@ -888,31 +797,25 @@ int ObOraSysChecker::check_p1_or_owner_and_p2(
 {
 int ret = OB_SUCCESS;
 bool is_owner;
- lib::Worker::CompatMode compat_mode;
-
- if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) {
- LOG_WARN("get_tenant_compat_mode failed", K(ret));
- } else if (compat_mode == lib::Worker::CompatMode::ORACLE) {
- if (database_name.empty()) {
- is_owner = true;
- } else {
- const ObUserInfo *user_info = NULL;
- OZ (guard.get_user_info(tenant_id, user_id, user_info));
- if (OB_SUCC(ret) && NULL == user_info) {
- ret = OB_USER_NOT_EXIST;
- LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
- }
- OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
- database_name));
+ if (database_name.empty()) {
+ is_owner = true;
+ } else {
+ const ObUserInfo *user_info = NULL;
+ OZ (guard.get_user_info(tenant_id, user_id, user_info));
+ if (OB_SUCC(ret) && NULL == user_info) {
+ ret = OB_USER_NOT_EXIST;
+ LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
 }
- OZX1 (check_p1_or_cond_p2_in_single(guard, tenant_id, user_id, p1, is_owner, p2),
- OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1, is_owner, p2);
- if (ret == OB_ERR_NO_PRIVILEGE) {
- ret = OB_SUCCESS;
- OZ (check_p1_or_cond_p2_in_roles(guard, tenant_id, user_id, p1,
- is_owner, p2, role_id_array));
+ OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
+ database_name));
+ }
+ OZX1 (check_p1_or_cond_p2_in_single(guard, tenant_id, user_id, p1, is_owner, p2),
+ OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1, is_owner, p2);
+ if (ret == OB_ERR_NO_PRIVILEGE) {
+ ret = OB_SUCCESS;
+ OZ (check_p1_or_cond_p2_in_roles(guard, tenant_id, user_id, p1,
+ is_owner, p2, role_id_array));
 
- }
 }
 return ret;
 }
@@ -938,42 +841,36 @@ int ObOraSysChecker::check_owner_or_p1_or_objp2(
 int ret = OB_SUCCESS;
 bool is_owner = false;
 uint64_t obj_owner_id = OB_INVALID_ID;
- lib::Worker::CompatMode compat_mode;
-
- if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) {
- LOG_WARN("get_tenant_compat_mode failed", K(ret));
- } else if (compat_mode == lib::Worker::CompatMode::ORACLE) {
- if (database_name.empty()) {
- is_owner = true;
- obj_owner_id = user_id;
- } else {
- const ObUserInfo *user_info = NULL;
- OZ (guard.get_user_info(tenant_id, user_id, user_info));
- if (OB_SUCC(ret) && NULL == user_info) {
- ret = OB_USER_NOT_EXIST;
- LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
- }
- OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
- database_name));
- OZ (guard.get_user_id(tenant_id, database_name,
- ObString(OB_DEFAULT_HOST_NAME), obj_owner_id));
- if (OB_SUCC(ret) && obj_owner_id == OB_INVALID_ID) {
- ret = OB_USER_NOT_EXIST;
- LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
- }
+ if (database_name.empty()) {
+ is_owner = true;
+ obj_owner_id = user_id;
+ } else {
+ const ObUserInfo *user_info = NULL;
+ OZ (guard.get_user_info(tenant_id, user_id, user_info));
+ if (OB_SUCC(ret) && NULL == user_info) {
+ ret = OB_USER_NOT_EXIST;
+ LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
 }
- if (!is_owner) {
- OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array),
- OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
- if (ret == OB_ERR_NO_PRIVILEGE) {
- ret = OB_SUCCESS;
- OZ (check_ora_obj_priv(guard, tenant_id, user_id, database_name, obj_id,
- OBJ_LEVEL_FOR_TAB_PRIV, obj_type, obj_p2, CHECK_FLAG_NORMAL,
- obj_owner_id, role_id_array));
- /*OZ (check_obj_p1(guard, tenant_id, user_id, obj_type,
- obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2, NO_OPTION, role_id_array),
- tenant_id, user_id, obj_type, obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2);*/
- }
+ OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
+ database_name));
+ OZ (guard.get_user_id(tenant_id, database_name,
+ ObString(OB_DEFAULT_HOST_NAME), obj_owner_id));
+ if (OB_SUCC(ret) && obj_owner_id == OB_INVALID_ID) {
+ ret = OB_USER_NOT_EXIST;
+ LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
+ }
+ }
+ if (!is_owner) {
+ OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array),
+ OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
+ if (ret == OB_ERR_NO_PRIVILEGE) {
+ ret = OB_SUCCESS;
+ OZ (check_ora_obj_priv(guard, tenant_id, user_id, database_name, obj_id,
+ OBJ_LEVEL_FOR_TAB_PRIV, obj_type, obj_p2, CHECK_FLAG_NORMAL,
+ obj_owner_id, role_id_array));
+ /*OZ (check_obj_p1(guard, tenant_id, user_id, obj_type,
+ obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2, NO_OPTION, role_id_array),
+ tenant_id, user_id, obj_type, obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2);*/
 }
 }
 return ret;
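Review bot: The rewritten `if (!is_owner)` branch of check_owner_or_p1_or_objp2 re-adds the commented-out `/*OZ (check_obj_p1(...` call right after the live `check_ora_obj_priv` call. Dead code inside an authorization path makes it harder to see which check is actually enforced. Drop the three commented lines, or replace them with one sentence saying why `check_ora_obj_priv` is used instead of `check_obj_p1`.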
@@ -999,42 +896,37 @@ int ObOraSysChecker::check_owner_or_p1_or_access(
 {
 int ret = OB_SUCCESS;
 bool is_owner = false;
- lib::Worker::CompatMode compat_mode;
- if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) {
- LOG_WARN("get_tenant_compat_mode failed", K(ret));
- } else if (compat_mode == lib::Worker::CompatMode::ORACLE) {
- if (database_name.empty()) {
- is_owner = true;
- } else {
- const ObUserInfo *user_info = NULL;
- OZ (guard.get_user_info(tenant_id, user_id, user_info));
- if (OB_SUCC(ret)) {
- if (OB_ISNULL(user_info)) {
- ret = OB_USER_NOT_EXIST;
- LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
- }
- }
- // 1. Check if is owner
- OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
- database_name));
- }
+ if (database_name.empty()) {
+ is_owner = true;
+ } else {
+ const ObUserInfo *user_info = NULL;
+ OZ (guard.get_user_info(tenant_id, user_id, user_info));
 if (OB_SUCC(ret)) {
- if (!is_owner) {
- // 2. Check sys priv
- OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array),
- OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
- // 3. Check related priv
- if (OB_ERR_NO_PRIVILEGE == ret) {
- ret = OB_SUCCESS;
- bool accessible = false;
- OZ (check_access_to_obj(guard, tenant_id, user_id,
- p1, obj_type, obj_id, database_name, role_id_array, accessible));
- if (OB_SUCC(ret)) {
- if (accessible) {
- ret = OB_ERR_NO_PRIVILEGE;
- } else {
- ret = OB_TABLE_NOT_EXIST;
- }
+ if (OB_ISNULL(user_info)) {
+ ret = OB_USER_NOT_EXIST;
+ LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
+ }
+ }
+ // 1. Check if is owner
+ OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
+ database_name));
+ }
+ if (OB_SUCC(ret)) {
+ if (!is_owner) {
+ // 2. Check sys priv
+ OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array),
+ OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
+ // 3. Check related priv
+ if (OB_ERR_NO_PRIVILEGE == ret) {
+ ret = OB_SUCCESS;
+ bool accessible = false;
+ OZ (check_access_to_obj(guard, tenant_id, user_id,
+ p1, obj_type, obj_id, database_name, role_id_array, accessible));
+ if (OB_SUCC(ret)) {
+ if (accessible) {
+ ret = OB_ERR_NO_PRIVILEGE;
+ } else {
+ ret = OB_TABLE_NOT_EXIST;
 }
 }
 }
@@ -1404,31 +1296,21 @@ int ObOraSysChecker::check_owner_or_p1(
 const ObIArray &role_id_array)
 {
 int ret = OB_SUCCESS;
- // unused
- // ObSysPriv *sys_priv = NULL;
 bool is_owner = false;
- lib::Worker::CompatMode compat_mode;
- // unused
- // bool exists = false;
-
- if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) {
- LOG_WARN("get_tenant_compat_mode failed", K(ret));
- } else if (compat_mode == lib::Worker::CompatMode::ORACLE) {
- if (database_name.empty()) {
- is_owner = true;
- } else {
- const ObUserInfo *user_info = NULL;
- OZ (guard.get_user_info(tenant_id, user_id, user_info));
- if (OB_SUCC(ret) && NULL == user_info) {
- ret = OB_USER_NOT_EXIST;
- LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
- }
- OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
- database_name));
- }
- if (!is_owner) {
- OZ (check_p1(guard, tenant_id, user_id, p1, role_id_array), tenant_id, user_id, p1);
+ if (database_name.empty()) {
+ is_owner = true;
+ } else {
+ const ObUserInfo *user_info = NULL;
+ OZ (guard.get_user_info(tenant_id, user_id, user_info));
+ if (OB_SUCC(ret) && NULL == user_info) {
+ ret = OB_USER_NOT_EXIST;
+ LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
 }
+ OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
+ database_name));
+ }
+ if (!is_owner) {
+ OZ (check_p1(guard, tenant_id, user_id, p1, role_id_array), tenant_id, user_id, p1);
 }
 return ret;
 }
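Review bot: In check_owner_or_p1_or_access the step 3 mapping, where `accessible` yields OB_ERR_NO_PRIVILEGE and the `else` yields OB_TABLE_NOT_EXIST, carries no comment and reads like an inverted condition. It looks like deliberate existence hiding, where a caller with no access to the object is told it does not exist; that is worth stating so the branch is not "corrected" later. A comment above the `else` would do, e.g. `// No access at all: answer "not exist" so the error does not confirm the object exists.` The function's signature and closing lines are outside the hunk.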