578 lines
23 KiB
C++
578 lines
23 KiB
C++
/**
|
|
* Copyright (c) 2021 OceanBase
|
|
* OceanBase CE is licensed under Mulan PubL v2.
|
|
* You can use this software according to the terms and conditions of the Mulan PubL v2.
|
|
* You may obtain a copy of Mulan PubL v2 at:
|
|
* http://license.coscl.org.cn/MulanPubL-2.0
|
|
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
|
|
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
|
|
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
|
|
* See the Mulan PubL v2 for more details.
|
|
*/
|
|
|
|
#define USING_LOG_PREFIX SQL_RESV
|
|
|
|
#include "sql/resolver/dcl/ob_alter_user_profile_resolver.h"
|
|
|
|
#include "share/schema/ob_schema_struct.h"
|
|
#include "sql/session/ob_sql_session_info.h"
|
|
#include "sql/resolver/dcl/ob_grant_resolver.h"
|
|
#include "share/ob_rpc_struct.h"
|
|
#include "lib/encrypt/ob_encrypted_helper.h"
|
|
using namespace oceanbase::sql;
|
|
using namespace oceanbase::common;
|
|
using oceanbase::share::schema::ObUserInfo;
|
|
|
|
ObAlterUserProfileResolver::ObAlterUserProfileResolver(ObResolverParams ¶ms)
|
|
: ObDCLResolver(params)
|
|
{
|
|
}
|
|
|
|
ObAlterUserProfileResolver::~ObAlterUserProfileResolver()
|
|
{
|
|
}
|
|
|
|
int ObAlterUserProfileResolver::resolve_set_role(const ParseNode &parse_tree)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
ObAlterUserProfileStmt *stmt = NULL;
|
|
|
|
if (OB_ISNULL(params_.session_info_)) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("not init", K(ret));
|
|
} else if (OB_ISNULL(params_.schema_checker_)) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("not init", K(ret));
|
|
} else if (T_SET_ROLE != parse_tree.type_
|
|
|| 1 != parse_tree.num_child_) {
|
|
ret = OB_INVALID_ARGUMENT;
|
|
LOG_WARN("wrong root", K(ret), K(parse_tree.type_), K(parse_tree.num_child_));
|
|
} else if (OB_ISNULL(stmt = create_stmt<ObAlterUserProfileStmt>())) {
|
|
ret = OB_ALLOCATE_MEMORY_FAILED;
|
|
LOG_WARN("Failed to create ObAlterUserProfileStmt", K(ret));
|
|
} else {
|
|
ObString user_name;
|
|
ObString host_name(OB_DEFAULT_HOST_NAME);
|
|
const ObUserInfo *user_info = NULL;
|
|
if (OB_FAIL(params_.schema_checker_->get_user_info(
|
|
params_.session_info_->get_effective_tenant_id(),
|
|
params_.session_info_->get_user_id(), user_info))) {
|
|
LOG_WARN("get user info failed", K(ret));
|
|
} else if (NULL == user_info) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("current user info is null", K(ret));
|
|
} else {
|
|
|
|
obrpc::ObAlterUserProfileArg &arg = stmt->get_ddl_arg();
|
|
arg.tenant_id_ = params_.session_info_->get_effective_tenant_id();
|
|
stmt->set_set_role_flag(1);
|
|
|
|
/* 1. resolve default role */
|
|
OZ (resolve_default_role_clause(parse_tree.children_[0], arg,
|
|
user_info->get_role_id_array(), false));
|
|
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
int ObAlterUserProfileResolver::resolve_role_list(
|
|
const ParseNode *role_list,
|
|
obrpc::ObAlterUserProfileArg &arg,
|
|
const ObIArray<uint64_t> &role_id_array,
|
|
bool for_default_role_stmt)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
CK (OB_NOT_NULL(role_list));
|
|
CK (OB_NOT_NULL(params_.session_info_));
|
|
CK (OB_NOT_NULL(params_.schema_checker_));
|
|
hash::ObHashMap<uint64_t, ObString> roleid_pwd_map;
|
|
OZ (roleid_pwd_map.create(32, "HashRRLPwdMa"));
|
|
if (OB_SUCC(ret)) {
|
|
for (int i = 0; OB_SUCC(ret) && i < role_list->num_child_; ++i) {
|
|
uint64_t role_id = OB_INVALID_ID;
|
|
ParseNode *role = role_list->children_[i];
|
|
ParseNode *pwd_node = NULL;
|
|
if (NULL == role) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("role opt identified by node is null", K(ret));
|
|
} else if (T_IDENT == role->type_) {
|
|
} else if (T_SET_ROLE_PASSWORD != role->type_) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("role type is error", K(ret), K(role->type_));
|
|
} else if (2 == role->value_ && NULL == role->children_[1]) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("passwd_node is NULL", K(ret));
|
|
} else if (NULL == role->children_[0]) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("role node is null", K(ret));
|
|
} else {
|
|
if (2 == role->value_) {
|
|
pwd_node = role->children_[1];
|
|
}
|
|
role = role->children_[0];
|
|
}
|
|
if (OB_SUCC(ret)) {
|
|
ObString role_name;
|
|
const ObUserInfo *role_info = NULL;
|
|
role_name.assign_ptr(const_cast<char *>(role->str_value_),
|
|
static_cast<int32_t>(role->str_len_));
|
|
ObString host_name(OB_DEFAULT_HOST_NAME);
|
|
if (OB_FAIL(params_.schema_checker_->get_user_info(arg.tenant_id_, role_name,
|
|
host_name, role_info))) {
|
|
if (OB_USER_NOT_EXIST == ret || OB_ISNULL(role_info) || !role_info->is_role()) {
|
|
ret = OB_ROLE_NOT_EXIST;
|
|
LOG_USER_ERROR(OB_ROLE_NOT_EXIST,
|
|
role_name.length(), role_name.ptr());
|
|
LOG_WARN("role not exists", K(ret), K(role_name));
|
|
}
|
|
LOG_WARN("fail to get user id", K(ret), K(role_name), K(host_name));
|
|
} else if (role_info == NULL) {
|
|
if (for_default_role_stmt) {
|
|
ret = OB_ROLE_NOT_EXIST;
|
|
LOG_USER_ERROR(OB_ROLE_NOT_EXIST,
|
|
role_name.length(), role_name.ptr());
|
|
LOG_WARN("role not exists", K(ret), K(role_name));
|
|
} else {
|
|
ret = OB_ERR_ROLE_NOT_GRANTED_OR_DOES_NOT_EXIST;
|
|
LOG_USER_ERROR(OB_ERR_ROLE_NOT_GRANTED_OR_DOES_NOT_EXIST,
|
|
role_name.length(), role_name.ptr());
|
|
LOG_WARN("role not granted or does not exists", K(ret), K(role_name));
|
|
}
|
|
} else {
|
|
role_id = role_info->get_user_id();
|
|
if (is_ora_public_role(role_id)) {
|
|
ret = OB_ERR_MISSING_OR_INVALID_ROLE_NAME;
|
|
} else if (has_exist_in_array(arg.role_id_array_, role_id)) {
|
|
/* if role duplicate in role list, then raise error */
|
|
ret = OB_PRIV_DUP;
|
|
} else if (!has_exist_in_array(role_id_array, role_id)) {
|
|
/* if role not granted to user, then raise error */
|
|
if (for_default_role_stmt) {
|
|
ret = OB_ERR_DEFAULT_ROLE_NOT_GRANTED_TO_USER;
|
|
LOG_USER_ERROR(OB_ERR_DEFAULT_ROLE_NOT_GRANTED_TO_USER,
|
|
role_name.length(), role_name.ptr());
|
|
LOG_WARN("role not granted to user", K(ret), K(role_name));
|
|
} else {
|
|
ret = OB_ERR_ROLE_NOT_GRANTED_OR_DOES_NOT_EXIST;
|
|
LOG_USER_ERROR(OB_ERR_ROLE_NOT_GRANTED_OR_DOES_NOT_EXIST,
|
|
role_name.length(), role_name.ptr());
|
|
LOG_WARN("role not granted or does not exists", K(ret), K(role_name));
|
|
}
|
|
} else {
|
|
OZ (arg.role_id_array_.push_back(role_id));
|
|
ObString pwd = ObString::make_string("");
|
|
if (NULL != pwd_node) {
|
|
pwd.assign_ptr(pwd_node->str_value_, static_cast<int32_t>(pwd_node->str_len_));
|
|
}
|
|
OZ (roleid_pwd_map.set_refactored(role_id, pwd));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
// Check role password for SET ROLE
|
|
if (OB_SUCC(ret)) {
|
|
if (for_default_role_stmt) {
|
|
// do nothing when ALTER USER DEFAULT ROLE
|
|
} else {
|
|
switch (arg.default_role_flag_) {
|
|
case obrpc::OB_DEFAULT_ROLE_ALL: {
|
|
if (OB_FAIL(check_role_password(arg.tenant_id_,
|
|
role_id_array,
|
|
roleid_pwd_map,
|
|
true,
|
|
false))) {
|
|
LOG_WARN("failed to pass check_role_password", K(ret), K(arg));
|
|
}
|
|
break;
|
|
}
|
|
case obrpc::OB_DEFAULT_ROLE_ALL_EXCEPT: {
|
|
if (OB_FAIL(check_role_password(arg.tenant_id_,
|
|
role_id_array,
|
|
roleid_pwd_map,
|
|
true,
|
|
true))) {
|
|
LOG_WARN("failed to pass check_role_password", K(ret), K(arg));
|
|
}
|
|
break;
|
|
}
|
|
case obrpc::OB_DEFAULT_ROLE_LIST: {
|
|
if (OB_FAIL(check_role_password(arg.tenant_id_,
|
|
role_id_array,
|
|
roleid_pwd_map,
|
|
false,
|
|
false))) {
|
|
LOG_WARN("failed to pass check_role_password", K(ret), K(arg));
|
|
}
|
|
break;
|
|
}
|
|
case obrpc::OB_DEFAULT_ROLE_NONE: {
|
|
// No need to check for NONE
|
|
break;
|
|
}
|
|
default: {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("default_role_flag invalid", K(ret), K(arg.default_role_flag_));
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
int ObAlterUserProfileResolver::resolve_default_role_clause(
|
|
const ParseNode *parse_tree,
|
|
obrpc::ObAlterUserProfileArg &arg,
|
|
const ObIArray<uint64_t> &role_id_array,
|
|
bool for_default_role_stmt)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
CK (OB_NOT_NULL(parse_tree));
|
|
if (T_DEFAULT_ROLE != parse_tree->type_ || (1 != parse_tree->num_child_
|
|
&& 2 != parse_tree->num_child_)) {
|
|
ret = OB_INVALID_ARGUMENT;
|
|
LOG_WARN("wrong root", K(ret), K(parse_tree->type_), K(parse_tree->num_child_));
|
|
} else {
|
|
if (1 == parse_tree->num_child_) {
|
|
CK (OB_NOT_NULL(parse_tree->children_[0]));
|
|
if (OB_SUCC(ret)) {
|
|
if (1 == parse_tree->children_[0]->value_) {
|
|
OX (arg.default_role_flag_ = obrpc::OB_DEFAULT_ROLE_ALL);
|
|
// Sinc resolve_role_list will not be called in case OB_DEFAULT_ROLE_ALL,
|
|
// so we manually do this check here. Only for SET ROLE
|
|
if (OB_SUCC(ret)) {
|
|
if (false == for_default_role_stmt) {
|
|
if (OB_FAIL(check_role_password_all(arg.tenant_id_, role_id_array))) {
|
|
LOG_WARN("Password mismatch for set role all", K(ret), K(arg));
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
CK (3 == parse_tree->children_[0]->value_);
|
|
OX (arg.default_role_flag_ = obrpc::OB_DEFAULT_ROLE_NONE);
|
|
}
|
|
}
|
|
} else {
|
|
CK (2 == parse_tree->num_child_);
|
|
if (OB_SUCC(ret)) {
|
|
if (0 == parse_tree->children_[0]->value_) {
|
|
OX (arg.default_role_flag_ = obrpc::OB_DEFAULT_ROLE_LIST);
|
|
} else {
|
|
CK (2 == parse_tree->children_[0]->value_);
|
|
OX (arg.default_role_flag_ = obrpc::OB_DEFAULT_ROLE_ALL_EXCEPT);
|
|
}
|
|
OZ (resolve_role_list(parse_tree->children_[1], arg, role_id_array, for_default_role_stmt));
|
|
}
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int ObAlterUserProfileResolver::resolve_default_role(const ParseNode &parse_tree)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
ObAlterUserProfileStmt *stmt = NULL;
|
|
uint64_t tenant_id = OB_INVALID_ID;
|
|
|
|
if (OB_ISNULL(params_.session_info_)) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("not init", K(ret));
|
|
} else if (OB_ISNULL(params_.schema_checker_)) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("not init", K(ret));
|
|
} else if (T_ALTER_USER_DEFAULT_ROLE != parse_tree.type_
|
|
|| 2 != parse_tree.num_child_) {
|
|
ret = OB_INVALID_ARGUMENT;
|
|
LOG_WARN("wrong root", K(ret), K(parse_tree.type_), K(parse_tree.num_child_));
|
|
} else if (OB_ISNULL(stmt = create_stmt<ObAlterUserProfileStmt>())) {
|
|
ret = OB_ALLOCATE_MEMORY_FAILED;
|
|
LOG_WARN("Failed to create ObAlterUserProfileStmt", K(ret));
|
|
} else {
|
|
ObString user_name;
|
|
ObString host_name;
|
|
const ObUserInfo *user_info = NULL;
|
|
obrpc::ObAlterUserProfileArg &arg = stmt->get_ddl_arg();
|
|
|
|
/* 1. resolve user */
|
|
tenant_id = params_.session_info_->get_effective_tenant_id();
|
|
arg.tenant_id_ = tenant_id;
|
|
ParseNode *user_with_host_name = parse_tree.children_[0];
|
|
// Get user_name and host_name
|
|
if (OB_ISNULL(user_with_host_name)) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("user_with_host_name is NULL");
|
|
} else {
|
|
ParseNode *user_name_node = user_with_host_name->children_[0];
|
|
ParseNode *host_name_node = user_with_host_name->children_[1];
|
|
if (OB_ISNULL(user_name_node)) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("user_name is NULL", K(ret), K(user_name));
|
|
} else {
|
|
user_name = ObString(user_name_node->str_len_, user_name_node->str_value_);
|
|
}
|
|
if (NULL != host_name_node) {
|
|
host_name = ObString(host_name_node->str_len_, host_name_node->str_value_);
|
|
} else {
|
|
host_name = ObString(OB_DEFAULT_HOST_NAME);
|
|
}
|
|
}
|
|
OZ (params_.schema_checker_->get_user_info(tenant_id, user_name, host_name, user_info),
|
|
tenant_id, user_name, host_name);
|
|
if (ret == OB_USER_NOT_EXIST) {
|
|
LOG_USER_ERROR(OB_USER_NOT_EXIST, user_name.length(), user_name.ptr());
|
|
}
|
|
if (OB_SUCC(ret)) {
|
|
if (user_info == NULL) {
|
|
ret = OB_USER_NOT_EXIST;
|
|
LOG_USER_ERROR(OB_USER_NOT_EXIST, user_name.length(), user_name.ptr());
|
|
} else if (OB_FAIL(check_dcl_on_inner_user(parse_tree.type_,
|
|
session_info_->get_priv_user_id(),
|
|
user_info->get_user_id()))) {
|
|
LOG_WARN("failed to check dcl on inner-user or unsupport to modify reserved user", K(ret),
|
|
K(session_info_->get_user_name()), K(user_name));
|
|
} else {
|
|
arg.user_id_ = user_info->get_user_id();
|
|
}
|
|
}
|
|
|
|
/* 2. resolve default role */
|
|
OZ (resolve_default_role_clause(parse_tree.children_[1], arg,
|
|
user_info->get_role_id_array(), true));
|
|
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
int ObAlterUserProfileResolver::resolve(const ParseNode &parse_tree)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
ParseNode *user_with_host_name = NULL;
|
|
ParseNode *user_name = NULL;
|
|
ParseNode *host_name = NULL;
|
|
ParseNode *user_profile = NULL;
|
|
ParseNode *profile_name = NULL;
|
|
ObAlterUserProfileStmt *lock_alter_user_profile_stmt = NULL;
|
|
|
|
if (OB_ISNULL(params_.session_info_)) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("not init", K(ret));
|
|
} else if (T_SET_ROLE == parse_tree.type_) {
|
|
OZ (resolve_set_role(parse_tree));
|
|
} else if (T_ALTER_USER_DEFAULT_ROLE == parse_tree.type_) {
|
|
OZ (resolve_default_role(parse_tree));
|
|
} else if (T_ALTER_USER_PROFILE != parse_tree.type_
|
|
|| 2 != parse_tree.num_child_) {
|
|
ret = OB_INVALID_ARGUMENT;
|
|
LOG_WARN("wrong root", K(ret), K(parse_tree.type_), K(parse_tree.num_child_));
|
|
} else if (OB_ISNULL(user_with_host_name = parse_tree.children_[0])
|
|
|| OB_ISNULL(user_profile = parse_tree.children_[1])) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("child is null", K(parse_tree.children_[0]), K(parse_tree.children_[1]), K(ret));
|
|
} else if (T_USER_WITH_HOST_NAME != user_with_host_name->type_
|
|
|| user_with_host_name->num_child_ != 2) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("1st child type error",
|
|
"type", user_with_host_name->type_,
|
|
"child_num", user_with_host_name->num_child_,
|
|
K(ret));
|
|
} else if (T_USER_PROFILE != user_profile->type_
|
|
|| user_profile->num_child_ != 1) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("2nd child type error",
|
|
"type", user_profile->type_,
|
|
"child_num", user_profile->num_child_,
|
|
K(ret));
|
|
} else if (OB_ISNULL(user_name = user_with_host_name->children_[0])) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("child is null", K(ret));
|
|
} else if (OB_ISNULL(profile_name = user_profile->children_[0])) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("child is null", K(ret));
|
|
} else if (OB_ISNULL(lock_alter_user_profile_stmt = create_stmt<ObAlterUserProfileStmt>())) {
|
|
ret = OB_ALLOCATE_MEMORY_FAILED;
|
|
LOG_WARN("Failed to create ObAlterUserProfileStmt", K(ret));
|
|
} else {
|
|
host_name = user_with_host_name->children_[1];
|
|
obrpc::ObAlterUserProfileArg &arg = lock_alter_user_profile_stmt->get_ddl_arg();
|
|
arg.default_role_flag_ = OB_INVALID_ID;
|
|
arg.user_name_ = ObString(user_name->str_len_, user_name->str_value_);
|
|
if (NULL != host_name) {
|
|
arg.host_name_ = ObString(host_name->str_len_, host_name->str_value_);
|
|
} else {
|
|
arg.host_name_ = ObString(OB_DEFAULT_HOST_NAME);
|
|
}
|
|
if (profile_name->type_ != T_DEFAULT) {
|
|
arg.profile_name_ = ObString(profile_name->str_len_, profile_name->str_value_);
|
|
}
|
|
arg.tenant_id_ = params_.session_info_->get_effective_tenant_id();
|
|
if (OB_FAIL(check_dcl_on_inner_user(parse_tree.type_,
|
|
session_info_->get_priv_user_id(),
|
|
arg.user_name_,
|
|
arg.host_name_))) {
|
|
LOG_WARN("failed to check dcl on inner-user or unsupport to modify reserved user", K(ret),
|
|
K(params_.session_info_->get_user_name()), K(arg.user_name_));
|
|
}
|
|
}
|
|
if (OB_SUCC(ret) && T_SET_ROLE != parse_tree.type_
|
|
&& ObSchemaChecker::is_ora_priv_check()) {
|
|
OZ (schema_checker_->check_ora_ddl_priv(
|
|
session_info_->get_effective_tenant_id(),
|
|
session_info_->get_priv_user_id(),
|
|
ObString(""),
|
|
stmt::T_ALTER_USER_PROFILE,
|
|
session_info_->get_enable_role_array()),
|
|
session_info_->get_effective_tenant_id(), session_info_->get_user_id());
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* check_role_password_all
|
|
* A wrapper function to check password when default_role_flag_ == OB_DEFAULT_ROLE_ALL
|
|
* @param {const ObIArray<uint64_t> &} role_id_array : rold ids being checked
|
|
* @return {int} : OB_SUCCESS,
|
|
* OB_ERR_MISSING_OR_INVALID_PASSWORD_FOR_ROLE,
|
|
* Other error.
|
|
*/
|
|
int ObAlterUserProfileResolver::check_role_password_all(
|
|
const uint64_t tenant_id,
|
|
const ObIArray<uint64_t> &role_id_array)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
hash::ObHashMap<uint64_t, ObString> roleid_pwd_map;
|
|
if (OB_FAIL(roleid_pwd_map.create(2, "HasTmpCKPwdMa"))) {
|
|
LOG_WARN("failed to create ObHaspMap", K(ret));
|
|
} else if (OB_FAIL(check_role_password(tenant_id, role_id_array,
|
|
roleid_pwd_map,
|
|
true,
|
|
false))) {
|
|
LOG_WARN("failed to check password for SET ROLE ALL", K(ret), K(tenant_id));
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* check_role_password
|
|
* Check whether there is any password mismatch for SET ROLE
|
|
* @param {const ObIArray<uint64_t> &} role_id_array : role ids being checked
|
|
* @param {const hash::ObHashMap<uint64_t, ObString>} roleid_pwd_map : role_id and its passwd read
|
|
* from user input
|
|
* @param {bool} has_all : Whether ALL is in user's input
|
|
* @param {bool} has_except : Whether except is in user's input
|
|
* @return {int} : OB_SUCCESS,
|
|
* OB_ERR_MISSING_OR_INVALID_PASSWORD_FOR_ROLE,
|
|
* Other error.
|
|
*/
|
|
int ObAlterUserProfileResolver::check_role_password(
|
|
const uint64_t tenant_id,
|
|
const ObIArray<uint64_t> &role_id_array,
|
|
const hash::ObHashMap<uint64_t, ObString> &roleid_pwd_map,
|
|
bool has_all,
|
|
bool has_except)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
ObArray<uint64_t> checked_roleid_array;
|
|
// Find out which role shall be checked
|
|
if (has_all) {
|
|
if (has_except) {
|
|
ObString pwd;
|
|
for (int i = 0; OB_SUCC(ret) && i < role_id_array.count(); ++i) {
|
|
uint64_t role_id = role_id_array.at(i);
|
|
if (OB_FAIL(roleid_pwd_map.get_refactored(role_id, pwd))) {
|
|
if (OB_HASH_NOT_EXIST == ret) {
|
|
ret = OB_SUCCESS;
|
|
OZ (checked_roleid_array.push_back(role_id));
|
|
} else {
|
|
LOG_WARN("failed to read from roleid_pwd_map", K(ret), K(role_id));
|
|
}
|
|
} else {
|
|
// role_id is in except list, do not append it to checked_roleid_array
|
|
}
|
|
}
|
|
} else { // false == has_except
|
|
// check all of the role ids
|
|
OZ (checked_roleid_array.assign(role_id_array));
|
|
}
|
|
} else { //false == has_all
|
|
for (hash::ObHashMap<uint64_t, ObString>::const_iterator iter = roleid_pwd_map.begin();
|
|
OB_SUCC(ret) && iter != roleid_pwd_map.end(); ++iter) {
|
|
OZ (checked_roleid_array.push_back(iter->first));
|
|
}
|
|
}
|
|
// Check every role for its password
|
|
if (OB_SUCC(ret)) {
|
|
const ObUserInfo *role_info = NULL;
|
|
for (int i = 0; OB_SUCC(ret) && i < checked_roleid_array.count(); ++i) {
|
|
role_info = NULL;
|
|
uint64_t role_id = checked_roleid_array.at(i);
|
|
if (OB_FAIL(params_.schema_checker_->get_user_info(tenant_id, role_id, role_info))) {
|
|
LOG_WARN("get role info failed", K(ret), K(tenant_id));
|
|
} else if (NULL == role_info) {
|
|
ret = OB_ERR_UNEXPECTED;
|
|
LOG_WARN("Current role info is NULL", K(ret));
|
|
} else {
|
|
const ObString &saved_pwd = role_info->get_passwd_str();
|
|
ObString pwd;
|
|
// Read password from map
|
|
if (OB_FAIL(roleid_pwd_map.get_refactored(role_id, pwd))) {
|
|
if (OB_HASH_NOT_EXIST == ret) {
|
|
pwd = ObString::make_string("");
|
|
ret = OB_SUCCESS;
|
|
} else {
|
|
LOG_WARN("failed to read from roleid_pwd_map", K(ret), K(role_id));
|
|
}
|
|
}
|
|
// Check if password match
|
|
if (OB_SUCC(ret)) {
|
|
if (OB_FAIL(check_passwd(pwd, saved_pwd))) {
|
|
LOG_WARN("password mismatch", K(ret));
|
|
LOG_USER_ERROR(OB_ERR_MISSING_OR_INVALID_PASSWORD_FOR_ROLE,
|
|
role_info->get_user_name_str().length(),
|
|
role_info->get_user_name_str().ptr());
|
|
} else {
|
|
// Password match, do nothing
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* check_passwd
|
|
* Function to check whether password mismatch
|
|
* @param {const ObString &} pwd : unencrypted password from user input
|
|
* @param {const ObString &} saved_pwd : encrypted password stored in __all_user
|
|
* @return {int} : OB_SUCCESS,
|
|
* OB_ERR_MISSING_OR_INVALID_PASSWORD_FOR_ROLE,
|
|
* Other error.
|
|
*/
|
|
int ObAlterUserProfileResolver::check_passwd(const ObString &pwd, const ObString &saved_pwd)
|
|
{
|
|
int ret = OB_SUCCESS;
|
|
if (saved_pwd.empty()) {
|
|
// if saved_pwd is empty, this function return OB_SUCCESS
|
|
} else {
|
|
if (pwd.empty()) {
|
|
ret = OB_ERR_MISSING_OR_INVALID_PASSWORD_FOR_ROLE;
|
|
LOG_WARN("Password empty", K(ret));
|
|
} else {
|
|
ObString pwd_enc;
|
|
char enc_buf[ENC_BUF_LEN] = {0};
|
|
pwd_enc.assign_ptr(enc_buf, ENC_STRING_BUF_LEN);
|
|
if (OB_FAIL(ObEncryptedHelper::encrypt_passwd_to_stage2(pwd, pwd_enc))) {
|
|
LOG_WARN("Encrypt password failed", K(ret));
|
|
} else if (!ObCharset::case_sensitive_equal(pwd_enc, saved_pwd)) {
|
|
ret = OB_ERR_MISSING_OR_INVALID_PASSWORD_FOR_ROLE;
|
|
LOG_WARN("Password for role mismatch", K(ret));
|
|
}
|
|
}
|
|
}
|
|
return ret;
|
|
}
|