remove the compat mode check in oracle priv check

yinyj17
2023-12-20 02:13:15 +00:00
committed by ob-robot
parent d6512565b6
commit ef362efaf5
2 changed files with 231 additions and 349 deletions


@ -3716,18 +3716,18 @@ int ObPLExecState::check_pl_execute_priv(ObSchemaGetterGuard &guard,
user_info)); user_info));
CK (user_info != NULL); CK (user_info != NULL);
OX (obj_owner_id = user_info->get_user_id()); OX (obj_owner_id = user_info->get_user_id());
OZ (ObOraSysChecker::check_ora_obj_priv(guard,
obj_tenant_id,
user_id,
database_name,
obj_id,
OBJ_LEVEL_FOR_TAB_PRIV,
static_cast<uint64_t>(object_type),
OBJ_PRIV_ID_EXECUTE,
CHECK_FLAG_NORMAL,
obj_owner_id,
role_id_array));
} }
OZ (ObOraSysChecker::check_ora_obj_priv(guard,
obj_tenant_id,
user_id,
database_name,
obj_id,
OBJ_LEVEL_FOR_TAB_PRIV,
static_cast<uint64_t>(object_type),
OBJ_PRIV_ID_EXECUTE,
CHECK_FLAG_NORMAL,
obj_owner_id,
role_id_array));
if (ROUTINE_SCHEMA == schema_type && ret == OB_TABLE_NOT_EXIST) { if (ROUTINE_SCHEMA == schema_type && ret == OB_TABLE_NOT_EXIST) {
ret = OB_WRONG_COLUMN_NAME; ret = OB_WRONG_COLUMN_NAME;
} }
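Review bot: The call to `ObOraSysChecker::check_ora_obj_priv` in `check_pl_execute_priv` carries no comment saying it must only run for Oracle-mode tenants, and after this commit the checker no longer tests the tenant compat mode itself. The rendered hunk shows the call once on each side of the closing `}`, so it moves across that brace, but the page does not preserve which position is the new one, and the block's condition starts outside the hunk. Either way, the call site is now the only place the mode gate can live. I would add `// ObOraSysChecker does not check tenant compat mode: reach this only for Oracle-mode tenants` above the call and confirm that the enclosing condition enforces it.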


@ -171,17 +171,11 @@ int ObOraSysChecker::check_plist_and(
const uint64_t option) const uint64_t option)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
lib::Worker::CompatMode compat_mode; OZX1 (check_plist_and_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); ret = OB_SUCCESS;
/* 仅在oracle模式下执行 */ OZX1 (check_plist_and_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
OZX1 (check_plist_and_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
ret = OB_SUCCESS;
OZX1 (check_plist_and_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
}
} }
return ret; return ret;
} }
@ -198,17 +192,11 @@ int ObOraSysChecker::check_plist_or(
const uint64_t option) const uint64_t option)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
lib::Worker::CompatMode compat_mode; OZX1 (check_plist_or_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); ret = OB_SUCCESS;
/* 仅在oracle模式下执行 */ OZX1 (check_plist_or_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
OZX1 (check_plist_or_in_single(guard, tenant_id, user_id, plist, option), OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
ret = OB_SUCCESS;
OZX1 (check_plist_or_in_roles(guard, tenant_id, user_id, plist, role_id_array, option),
OB_ERR_NO_PRIVILEGE, tenant_id, user_id, plist);
}
} }
return ret; return ret;
} }
@ -224,17 +212,11 @@ int ObOraSysChecker::check_p1(
const ObIArray<uint64_t> &role_id_array) const ObIArray<uint64_t> &role_id_array)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
lib::Worker::CompatMode compat_mode; OZX1 (check_p1_in_single(guard, tenant_id, user_id, p1), OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); ret = OB_SUCCESS;
/* 仅在oracle模式下执行 */ OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array),
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
OZX1 (check_p1_in_single(guard, tenant_id, user_id, p1), OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
ret = OB_SUCCESS;
OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array),
OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
}
} }
return ret; return ret;
} }
@ -250,24 +232,18 @@ int ObOraSysChecker::check_plist_or_in_roles(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
bool exists; bool exists;
lib::Worker::CompatMode compat_mode; ObPackedPrivArray sys_packed_array;
OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array,
true, role_id_array),
tenant_id, user_id);
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); ObPackedPrivArray packed_privs;
/* 仅在oracle模式下执行 */ OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
ObPackedPrivArray sys_packed_array; sys_packed_array,
OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array, exists));
true, role_id_array), if (OB_SUCC(ret) && !exists) {
tenant_id, user_id); ret = OB_ERR_NO_PRIVILEGE;
ObPackedPrivArray packed_privs;
OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
sys_packed_array,
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE;
}
} }
return ret; return ret;
} }
@ -283,24 +259,18 @@ int ObOraSysChecker::check_plist_and_in_roles(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
bool exists; bool exists;
lib::Worker::CompatMode compat_mode; ObPackedPrivArray sys_packed_array;
OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array,
true, role_id_array),
tenant_id, user_id);
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); ObPackedPrivArray packed_privs;
/* 仅在oracle模式下执行 */ OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
ObPackedPrivArray sys_packed_array; sys_packed_array,
OZ (get_user_sys_priv_in_roles(guard, tenant_id, user_id, sys_packed_array, exists));
true, role_id_array), if (OB_SUCC(ret) && !exists) {
tenant_id, user_id); ret = OB_ERR_NO_PRIVILEGE;
ObPackedPrivArray packed_privs;
OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
sys_packed_array,
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE;
}
} }
return ret; return ret;
} }
@ -315,25 +285,19 @@ int ObOraSysChecker::check_plist_and_in_single(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
bool exists; bool exists;
lib::Worker::CompatMode compat_mode; ObSysPriv *sys_priv = NULL;
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); if (OB_SUCC(ret)) {
/* 仅在oracle模式下执行 */ if (sys_priv == NULL) {
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { ret = OB_ERR_NO_PRIVILEGE;
ObSysPriv *sys_priv = NULL; } else {
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv)); ObPackedPrivArray packed_privs;
if (OB_SUCC(ret)) { OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
if (sys_priv == NULL) { OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
sys_priv->get_priv_array(),
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE; ret = OB_ERR_NO_PRIVILEGE;
} else {
ObPackedPrivArray packed_privs;
OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
OZ (ObOraPrivCheck::packed_sys_priv_list_and_exists(packed_privs,
sys_priv->get_priv_array(),
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE;
}
} }
} }
} }
@ -350,25 +314,19 @@ int ObOraSysChecker::check_plist_or_in_single(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
bool exists; bool exists;
lib::Worker::CompatMode compat_mode; ObSysPriv *sys_priv = NULL;
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); if (OB_SUCC(ret)) {
/* 仅在oracle模式下执行 */ if (sys_priv == NULL) {
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { ret = OB_ERR_NO_PRIVILEGE;
ObSysPriv *sys_priv = NULL; } else {
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv)); ObPackedPrivArray packed_privs;
if (OB_SUCC(ret)) { OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
if (sys_priv == NULL) { OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
sys_priv->get_priv_array(),
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE; ret = OB_ERR_NO_PRIVILEGE;
} else {
ObPackedPrivArray packed_privs;
OZ (ObPrivPacker::pack_raw_priv_list(option, plist, packed_privs));
OZ (ObOraPrivCheck::packed_sys_priv_list_or_exists(packed_privs,
sys_priv->get_priv_array(),
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE;
}
} }
} }
} }
@ -490,26 +448,20 @@ int ObOraSysChecker::check_obj_plist_or(
const ObIArray<uint64_t> &role_id_array) const ObIArray<uint64_t> &role_id_array)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
lib::Worker::CompatMode compat_mode;
int ret1; int ret1;
OZX2 (check_obj_plist_or_in_single(guard, tenant_id, user_id, obj_type,
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); obj_id, col_id, plist),
/* 仅在oracle模式下执行 */ OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY,
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { tenant_id, user_id, obj_type, obj_id, col_id, plist);
OZX2 (check_obj_plist_or_in_single(guard, tenant_id, user_id, obj_type, if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) {
obj_id, col_id, plist), ret1 = ret;
OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY, ret = OB_SUCCESS;
tenant_id, user_id, obj_type, obj_id, col_id, plist); OZ (check_obj_plist_or_in_roles(guard, tenant_id, user_id, obj_type,
if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) { obj_id, col_id, plist, role_id_array),
ret1 = ret; tenant_id, user_id, obj_type, obj_id, col_id, plist);
ret = OB_SUCCESS; /* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
OZ (check_obj_plist_or_in_roles(guard, tenant_id, user_id, obj_type, if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
obj_id, col_id, plist, role_id_array), ret = OB_ERR_NO_PRIVILEGE;
tenant_id, user_id, obj_type, obj_id, col_id, plist);
/* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
ret = OB_ERR_NO_PRIVILEGE;
}
} }
} }
return ret; return ret;
@ -530,29 +482,19 @@ int ObOraSysChecker::check_obj_p1(
const ObIArray<uint64_t> &role_id_array) const ObIArray<uint64_t> &role_id_array)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
// unused
// bool exists;
lib::Worker::CompatMode compat_mode;
// unused
// ObObjPriv *obj_priv = NULL;
int ret1; int ret1;
OZX2 (check_obj_p1_in_single(guard, tenant_id, user_id, obj_type, obj_id, col_id, p1, option),
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY,
/* 仅在oracle模式下执行 */ tenant_id, user_id, obj_type, obj_id, col_id, p1, option);
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) {
OZX2 (check_obj_p1_in_single(guard, tenant_id, user_id, obj_type, obj_id, col_id, p1, option), ret1 = ret;
OB_ERR_NO_PRIVILEGE, OB_ERR_EMPTY_QUERY, ret = OB_SUCCESS;
tenant_id, user_id, obj_type, obj_id, col_id, p1, option); OZX1 (check_obj_p1_in_roles(guard, tenant_id, user_id, obj_type,
if (ret == OB_ERR_NO_PRIVILEGE || ret == OB_ERR_EMPTY_QUERY) { obj_id, col_id, p1, option, role_id_array), OB_ERR_EMPTY_QUERY,
ret1 = ret; tenant_id, user_id, obj_type, obj_id, col_id, p1, option);
ret = OB_SUCCESS; /* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
OZX1 (check_obj_p1_in_roles(guard, tenant_id, user_id, obj_type, if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
obj_id, col_id, p1, option, role_id_array), OB_ERR_EMPTY_QUERY, ret = OB_ERR_NO_PRIVILEGE;
tenant_id, user_id, obj_type, obj_id, col_id, p1, option);
/* 无任何间接权限,但有直接权限,需要更改错误码为 no privilege */
if (ret == OB_ERR_EMPTY_QUERY && ret1 != OB_ERR_EMPTY_QUERY) {
ret = OB_ERR_NO_PRIVILEGE;
}
} }
} }
return ret; return ret;
@ -568,19 +510,13 @@ int ObOraSysChecker::check_p1_or_plist_in_single(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
ObSysPriv *sys_priv = NULL; ObSysPriv *sys_priv = NULL;
lib::Worker::CompatMode compat_mode; OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
if (OB_SUCC(ret)) {
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); if (sys_priv == NULL) {
/* 仅在oracle模式下执行 */ ret = OB_ERR_NO_PRIVILEGE;
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { } else {
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv)); OZX1 (check_p1_or_plist_using_privs(sys_priv->get_priv_array(), p1, option, plist),
if (OB_SUCC(ret)) { OB_ERR_NO_PRIVILEGE);
if (sys_priv == NULL) {
ret = OB_ERR_NO_PRIVILEGE;
} else {
OZX1 (check_p1_or_plist_using_privs(sys_priv->get_priv_array(), p1, option, plist),
OB_ERR_NO_PRIVILEGE);
}
} }
} }
return ret; return ret;
@ -627,25 +563,17 @@ int ObOraSysChecker::check_p1_with_plist_info(
const ObIArray<uint64_t> &role_id_array) const ObIArray<uint64_t> &role_id_array)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
// unused OZX1 (check_p1_with_plist_info_in_single(
// ObSysPriv *sys_priv = NULL; guard, tenant_id, user_id, p1, option, plist, has_other_priv),
lib::Worker::CompatMode compat_mode; OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); ret = OB_SUCCESS;
/* 仅在oracle模式下执行 */ if (has_other_priv) {
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array), OB_ERR_NO_PRIVILEGE);
OZX1 (check_p1_with_plist_info_in_single( } else {
guard, tenant_id, user_id, p1, option, plist, has_other_priv), OZX1 (check_p1_with_plist_info_in_roles(
OB_ERR_NO_PRIVILEGE); guard, tenant_id, user_id, p1, option, plist,
if (ret == OB_ERR_NO_PRIVILEGE) { has_other_priv, role_id_array), OB_ERR_NO_PRIVILEGE);
ret = OB_SUCCESS;
if (has_other_priv) {
OZX1 (check_p1_in_roles(guard, tenant_id, user_id, p1, role_id_array), OB_ERR_NO_PRIVILEGE);
} else {
OZX1 (check_p1_with_plist_info_in_roles(
guard, tenant_id, user_id, p1, option, plist,
has_other_priv, role_id_array), OB_ERR_NO_PRIVILEGE);
}
} }
} }
return ret; return ret;
@ -716,20 +644,15 @@ int ObOraSysChecker::check_p1_with_plist_info_in_single(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
ObSysPriv *sys_priv = NULL; ObSysPriv *sys_priv = NULL;
lib::Worker::CompatMode compat_mode;
has_other_priv = false; has_other_priv = false;
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv));
/* 仅在oracle模式下执行 */ if (OB_SUCC(ret)) {
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { if (sys_priv == NULL) {
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, user_id, sys_priv)); ret = OB_ERR_NO_PRIVILEGE;
if (OB_SUCC(ret)) { } else {
if (sys_priv == NULL) { OZX1 (check_p1_with_plist_info_using_privs(
ret = OB_ERR_NO_PRIVILEGE; sys_priv->get_priv_array(), p1, option, plist, has_other_priv),
} else { OB_ERR_NO_PRIVILEGE);
OZX1 (check_p1_with_plist_info_using_privs(
sys_priv->get_priv_array(), p1, option, plist, has_other_priv),
OB_ERR_NO_PRIVILEGE);
}
} }
} }
return ret; return ret;
@ -749,20 +672,12 @@ int ObOraSysChecker::check_p1_or_plist(
const ObIArray<uint64_t> &role_id_array) const ObIArray<uint64_t> &role_id_array)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
// unused OZX1 (check_p1_or_plist_in_single(guard, tenant_id, user_id, p1, option, plist),
// ObSysPriv *sys_priv = NULL; OB_ERR_NO_PRIVILEGE);
lib::Worker::CompatMode compat_mode; if (ret == OB_ERR_NO_PRIVILEGE) {
ret = OB_SUCCESS;
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); OZ (check_p1_or_plist_in_roles(guard, tenant_id, user_id, p1,
/* 仅在oracle模式下执行 */ option, plist, role_id_array));
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) {
OZX1 (check_p1_or_plist_in_single(guard, tenant_id, user_id, p1, option, plist),
OB_ERR_NO_PRIVILEGE);
if (ret == OB_ERR_NO_PRIVILEGE) {
ret = OB_SUCCESS;
OZ (check_p1_or_plist_in_roles(guard, tenant_id, user_id, p1,
option, plist, role_id_array));
}
} }
return ret; return ret;
} }
@ -820,25 +735,19 @@ int ObOraSysChecker::check_p1_or_cond_p2_in_single(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
ObSysPriv *sys_priv = NULL; ObSysPriv *sys_priv = NULL;
lib::Worker::CompatMode compat_mode;
bool exists = false; bool exists = false;
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, ur_id, sys_priv));
OZ (guard.get_tenant_compat_mode(tenant_id, compat_mode)); if (OB_SUCC(ret)) {
/* 仅在oracle模式下执行 */ if (sys_priv == NULL) {
if (OB_SUCC(ret) && compat_mode == lib::Worker::CompatMode::ORACLE) { ret = OB_ERR_NO_PRIVILEGE;
OZ (guard.get_sys_priv_with_grantee_id(tenant_id, ur_id, sys_priv)); } else {
if (OB_SUCC(ret)) { OZ (ObOraPrivCheck::p1_or_cond_p2_exists(p1,
if (sys_priv == NULL) { is_owner,
p2,
sys_priv->get_priv_array(),
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE; ret = OB_ERR_NO_PRIVILEGE;
} else {
OZ (ObOraPrivCheck::p1_or_cond_p2_exists(p1,
is_owner,
p2,
sys_priv->get_priv_array(),
exists));
if (OB_SUCC(ret) && !exists) {
ret = OB_ERR_NO_PRIVILEGE;
}
} }
} }
} }
@ -888,31 +797,25 @@ int ObOraSysChecker::check_p1_or_owner_and_p2(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
bool is_owner; bool is_owner;
lib::Worker::CompatMode compat_mode; if (database_name.empty()) {
is_owner = true;
if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) { } else {
LOG_WARN("get_tenant_compat_mode failed", K(ret)); const ObUserInfo *user_info = NULL;
} else if (compat_mode == lib::Worker::CompatMode::ORACLE) { OZ (guard.get_user_info(tenant_id, user_id, user_info));
if (database_name.empty()) { if (OB_SUCC(ret) && NULL == user_info) {
is_owner = true; ret = OB_USER_NOT_EXIST;
} else { LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
const ObUserInfo *user_info = NULL;
OZ (guard.get_user_info(tenant_id, user_id, user_info));
if (OB_SUCC(ret) && NULL == user_info) {
ret = OB_USER_NOT_EXIST;
LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
}
OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
database_name));
} }
OZX1 (check_p1_or_cond_p2_in_single(guard, tenant_id, user_id, p1, is_owner, p2), OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1, is_owner, p2); database_name));
if (ret == OB_ERR_NO_PRIVILEGE) { }
ret = OB_SUCCESS; OZX1 (check_p1_or_cond_p2_in_single(guard, tenant_id, user_id, p1, is_owner, p2),
OZ (check_p1_or_cond_p2_in_roles(guard, tenant_id, user_id, p1, OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1, is_owner, p2);
is_owner, p2, role_id_array)); if (ret == OB_ERR_NO_PRIVILEGE) {
ret = OB_SUCCESS;
OZ (check_p1_or_cond_p2_in_roles(guard, tenant_id, user_id, p1,
is_owner, p2, role_id_array));
}
} }
return ret; return ret;
} }
@ -938,42 +841,36 @@ int ObOraSysChecker::check_owner_or_p1_or_objp2(
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
bool is_owner = false; bool is_owner = false;
uint64_t obj_owner_id = OB_INVALID_ID; uint64_t obj_owner_id = OB_INVALID_ID;
lib::Worker::CompatMode compat_mode; if (database_name.empty()) {
is_owner = true;
if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) { obj_owner_id = user_id;
LOG_WARN("get_tenant_compat_mode failed", K(ret)); } else {
} else if (compat_mode == lib::Worker::CompatMode::ORACLE) { const ObUserInfo *user_info = NULL;
if (database_name.empty()) { OZ (guard.get_user_info(tenant_id, user_id, user_info));
is_owner = true; if (OB_SUCC(ret) && NULL == user_info) {
obj_owner_id = user_id; ret = OB_USER_NOT_EXIST;
} else { LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
const ObUserInfo *user_info = NULL;
OZ (guard.get_user_info(tenant_id, user_id, user_info));
if (OB_SUCC(ret) && NULL == user_info) {
ret = OB_USER_NOT_EXIST;
LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
}
OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
database_name));
OZ (guard.get_user_id(tenant_id, database_name,
ObString(OB_DEFAULT_HOST_NAME), obj_owner_id));
if (OB_SUCC(ret) && obj_owner_id == OB_INVALID_ID) {
ret = OB_USER_NOT_EXIST;
LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
}
} }
if (!is_owner) { OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array), database_name));
OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1); OZ (guard.get_user_id(tenant_id, database_name,
if (ret == OB_ERR_NO_PRIVILEGE) { ObString(OB_DEFAULT_HOST_NAME), obj_owner_id));
ret = OB_SUCCESS; if (OB_SUCC(ret) && obj_owner_id == OB_INVALID_ID) {
OZ (check_ora_obj_priv(guard, tenant_id, user_id, database_name, obj_id, ret = OB_USER_NOT_EXIST;
OBJ_LEVEL_FOR_TAB_PRIV, obj_type, obj_p2, CHECK_FLAG_NORMAL, LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
obj_owner_id, role_id_array)); }
/*OZ (check_obj_p1(guard, tenant_id, user_id, obj_type, }
obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2, NO_OPTION, role_id_array), if (!is_owner) {
tenant_id, user_id, obj_type, obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2);*/ OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array),
} OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
if (ret == OB_ERR_NO_PRIVILEGE) {
ret = OB_SUCCESS;
OZ (check_ora_obj_priv(guard, tenant_id, user_id, database_name, obj_id,
OBJ_LEVEL_FOR_TAB_PRIV, obj_type, obj_p2, CHECK_FLAG_NORMAL,
obj_owner_id, role_id_array));
/*OZ (check_obj_p1(guard, tenant_id, user_id, obj_type,
obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2, NO_OPTION, role_id_array),
tenant_id, user_id, obj_type, obj_id, OBJ_LEVEL_FOR_TAB_PRIV, obj_p2);*/
} }
} }
return ret; return ret;
@ -999,42 +896,37 @@ int ObOraSysChecker::check_owner_or_p1_or_access(
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
bool is_owner = false; bool is_owner = false;
lib::Worker::CompatMode compat_mode; if (database_name.empty()) {
if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) { is_owner = true;
LOG_WARN("get_tenant_compat_mode failed", K(ret)); } else {
} else if (compat_mode == lib::Worker::CompatMode::ORACLE) { const ObUserInfo *user_info = NULL;
if (database_name.empty()) { OZ (guard.get_user_info(tenant_id, user_id, user_info));
is_owner = true;
} else {
const ObUserInfo *user_info = NULL;
OZ (guard.get_user_info(tenant_id, user_id, user_info));
if (OB_SUCC(ret)) {
if (OB_ISNULL(user_info)) {
ret = OB_USER_NOT_EXIST;
LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
}
}
// 1. Check if is owner
OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
database_name));
}
if (OB_SUCC(ret)) { if (OB_SUCC(ret)) {
if (!is_owner) { if (OB_ISNULL(user_info)) {
// 2. Check sys priv ret = OB_USER_NOT_EXIST;
OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array), LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1); }
// 3. Check related priv }
if (OB_ERR_NO_PRIVILEGE == ret) { // 1. Check if is owner
ret = OB_SUCCESS; OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
bool accessible = false; database_name));
OZ (check_access_to_obj(guard, tenant_id, user_id, }
p1, obj_type, obj_id, database_name, role_id_array, accessible)); if (OB_SUCC(ret)) {
if (OB_SUCC(ret)) { if (!is_owner) {
if (accessible) { // 2. Check sys priv
ret = OB_ERR_NO_PRIVILEGE; OZX1 (check_p1(guard, tenant_id, user_id, p1, role_id_array),
} else { OB_ERR_NO_PRIVILEGE, tenant_id, user_id, p1);
ret = OB_TABLE_NOT_EXIST; // 3. Check related priv
} if (OB_ERR_NO_PRIVILEGE == ret) {
ret = OB_SUCCESS;
bool accessible = false;
OZ (check_access_to_obj(guard, tenant_id, user_id,
p1, obj_type, obj_id, database_name, role_id_array, accessible));
if (OB_SUCC(ret)) {
if (accessible) {
ret = OB_ERR_NO_PRIVILEGE;
} else {
ret = OB_TABLE_NOT_EXIST;
} }
} }
} }
@ -1404,31 +1296,21 @@ int ObOraSysChecker::check_owner_or_p1(
const ObIArray<uint64_t> &role_id_array) const ObIArray<uint64_t> &role_id_array)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
// unused
// ObSysPriv *sys_priv = NULL;
bool is_owner = false; bool is_owner = false;
lib::Worker::CompatMode compat_mode; if (database_name.empty()) {
// unused is_owner = true;
// bool exists = false; } else {
const ObUserInfo *user_info = NULL;
if (OB_FAIL(guard.get_tenant_compat_mode(tenant_id, compat_mode))) { OZ (guard.get_user_info(tenant_id, user_id, user_info));
LOG_WARN("get_tenant_compat_mode failed", K(ret)); if (OB_SUCC(ret) && NULL == user_info) {
} else if (compat_mode == lib::Worker::CompatMode::ORACLE) { ret = OB_USER_NOT_EXIST;
if (database_name.empty()) { LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
is_owner = true;
} else {
const ObUserInfo *user_info = NULL;
OZ (guard.get_user_info(tenant_id, user_id, user_info));
if (OB_SUCC(ret) && NULL == user_info) {
ret = OB_USER_NOT_EXIST;
LOG_USER_ERROR(OB_USER_NOT_EXIST, database_name.length(), database_name.ptr());
}
OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
database_name));
}
if (!is_owner) {
OZ (check_p1(guard, tenant_id, user_id, p1, role_id_array), tenant_id, user_id, p1);
} }
OX (is_owner = ObOraPrivCheck::user_is_owner(user_info->get_user_name(),
database_name));
}
if (!is_owner) {
OZ (check_p1(guard, tenant_id, user_id, p1, role_id_array), tenant_id, user_id, p1);
} }
return ret; return ret;
} }
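Review bot: Nothing in these functions documents that they now assume an Oracle-mode tenant, although removing the `get_tenant_compat_mode` guards changes the result for any other tenant from `OB_SUCCESS` (checks skipped) to a real privilege evaluation, for example `OB_ERR_NO_PRIVILEGE` in `check_plist_and_in_single` when `get_sys_priv_with_grantee_id` leaves `sys_priv` NULL. Failing closed is the safer default for an authorization check, but every caller that relied on the old pass-through now has to be gated, and those callers are not visible on this page. I would state the precondition once on the public entry points (`check_plist_and`, `check_plist_or`, `check_p1`, `check_obj_plist_or`, `check_obj_p1`, `check_owner_or_p1` and the other `check_*` wrappers), e.g. `// Precondition: tenant is in Oracle compat mode; the caller checks this, no mode check is done here.` The Chinese comments kept on the error-code remapping in `check_obj_plist_or` and `check_obj_p1` could be translated at the same time, e.g. `/* no privilege via roles but a direct grant exists: report no privilege */`.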