142 lines
5.0 KiB
C++
142 lines
5.0 KiB
C++
/**
|
|
* Copyright (c) 2021 OceanBase
|
|
* OceanBase CE is licensed under Mulan PubL v2.
|
|
* You can use this software according to the terms and conditions of the Mulan PubL v2.
|
|
* You may obtain a copy of Mulan PubL v2 at:
|
|
* http://license.coscl.org.cn/MulanPubL-2.0
|
|
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
|
|
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
|
|
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
|
|
* See the Mulan PubL v2 for more details.
|
|
*/
|
|
|
|
#define USING_LOG_PREFIX SQL_ENG
|
|
#include "sql/engine/expr/ob_expr_sys_privilege_check.h"
|
|
|
|
#include "share/object/ob_obj_cast.h"
|
|
#include "share/schema/ob_schema_getter_guard.h"
|
|
#include "sql/session/ob_sql_session_info.h"
|
|
#include "sql/engine/ob_exec_context.h"
|
|
|
|
using namespace oceanbase::common;
|
|
namespace oceanbase
|
|
{
|
|
namespace sql
|
|
{
|
|
|
|
ObExprSysPrivilegeCheck::ObExprSysPrivilegeCheck(ObIAllocator &alloc)
|
|
: ObFuncExprOperator(alloc, T_FUN_SYS_SYS_PRIVILEGE_CHECK, N_SYS_PRIVILEGE_CHECK, 4, NOT_ROW_DIMENSION)
|
|
{
|
|
}
|
|
|
|
ObExprSysPrivilegeCheck::~ObExprSysPrivilegeCheck()
|
|
{
|
|
}
|
|
|
|
int ObExprSysPrivilegeCheck::calc_result_typeN(
|
|
ObExprResType &type,
|
|
ObExprResType *types,
|
|
int64_t param_num,
|
|
ObExprTypeCtx &type_ctx) const
|
|
{
|
|
UNUSED(type_ctx);
|
|
int ret = OB_SUCCESS;
|
|
CK(NULL != types);
|
|
CK(4 == param_num);
|
|
CK(NOT_ROW_DIMENSION == row_dimension_);
|
|
if (OB_SUCC(ret)) {
|
|
type.set_int();
|
|
type.set_scale(ObAccuracy::DDL_DEFAULT_ACCURACY[ObIntType].scale_);
|
|
type.set_precision(ObAccuracy::DDL_DEFAULT_ACCURACY[ObIntType].precision_);
|
|
|
|
types[0].set_type(ObVarcharType);
|
|
types[0].set_calc_collation_type(ObCharset::get_system_collation());
|
|
types[1].set_calc_type(ObIntType);
|
|
types[2].set_type(ObVarcharType);
|
|
types[2].set_calc_collation_type(ObCharset::get_system_collation());
|
|
types[3].set_type(ObVarcharType);
|
|
types[3].set_calc_collation_type(ObCharset::get_system_collation());
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
int ObExprSysPrivilegeCheck::check_show_priv(bool &allow_show,
|
|
ObExecContext &exec_ctx,
|
|
const common::ObString &level_str,
|
|
const uint64_t tenant_id,
|
|
const common::ObString &db_name,
|
|
const common::ObString &table_name)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
share::schema::ObSessionPrivInfo session_priv;
|
|
const share::schema::ObSchemaGetterGuard *schema_guard =
|
|
exec_ctx.get_virtual_table_ctx().schema_guard_;
|
|
if (OB_UNLIKELY(NULL == schema_guard)) {
|
|
ret = OB_SCHEMA_ERROR;
|
|
}
|
|
exec_ctx.get_my_session()->get_session_priv_info(session_priv);
|
|
allow_show = true;
|
|
if (OB_SUCC(ret)) {
|
|
//tenant_id in table is static casted to int64_t,
|
|
//and use statis_cast<uint64_t> for retrieving(same with schema_service)
|
|
// schema拆分后,普通租户schema表的tenant_id为0,此时鉴权取session_priv.tenant_id_
|
|
if (session_priv.tenant_id_ != static_cast<uint64_t>(tenant_id)
|
|
&& OB_INVALID_TENANT_ID != tenant_id) {
|
|
//not current tenant's row
|
|
} else if (0 == level_str.case_compare("db_acc")) {
|
|
if (OB_FAIL(const_cast<share::schema::ObSchemaGetterGuard *>(schema_guard)->check_db_show(
|
|
session_priv, db_name, allow_show))) {
|
|
LOG_WARN("Check db show failed", K(ret));
|
|
}
|
|
} else if (0 == level_str.case_compare("table_acc")) {
|
|
//if (OB_FAIL(priv_mgr.check_table_show(session_priv,
|
|
if (OB_FAIL(const_cast<share::schema::ObSchemaGetterGuard *>(schema_guard)->check_table_show(
|
|
session_priv, db_name, table_name, allow_show))) {
|
|
LOG_WARN("Check table show failed", K(ret));
|
|
}
|
|
} else {
|
|
ret = OB_INVALID_ARGUMENT;
|
|
LOG_WARN("Check priv level error", K(ret));
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
int ObExprSysPrivilegeCheck::cg_expr(ObExprCGCtx &, const ObRawExpr &, ObExpr &expr) const
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
CK(4 == expr.arg_cnt_);
|
|
expr.eval_func_ = eval_sys_privilege_check;
|
|
return ret;
|
|
}
|
|
|
|
int ObExprSysPrivilegeCheck::eval_sys_privilege_check(
|
|
const ObExpr &expr, ObEvalCtx &ctx, ObDatum &expr_datum)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
ObDatum *level = NULL;
|
|
ObDatum *tenant = NULL;
|
|
ObDatum *db = NULL;
|
|
ObDatum *table = NULL;
|
|
bool allow_show = true;
|
|
if (OB_FAIL(expr.eval_param_value(ctx, level, tenant, db, table))) {
|
|
LOG_WARN("evaluate parameters failed", K(ret));
|
|
} else if (tenant->is_null()) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("tenant is null", K(ret));
|
|
} else if (OB_FAIL(check_show_priv(allow_show, ctx.exec_ctx_,
|
|
level->is_null() ? ObString() : level->get_string(),
|
|
tenant->get_int(),
|
|
db->is_null() ? ObString() : db->get_string(),
|
|
table->is_null() ? ObString() : table->get_string()))) {
|
|
LOG_WARN("check show privilege failed", K(ret));
|
|
} else {
|
|
expr_datum.set_int(allow_show ? 0 : -1);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
}// ns sql
|
|
}// ns oceanbase
|