Google Git
Sign in
apache / trafodion / 4528a10009f8f704c8516d1f42a7451ae7deafe6 / . / core / sql / regress / privs2 / TEST143
blob: ece3c389844db03a64e46a6ad4478815d33ffed5 [file] [log] [blame]
-- ============================================================================
-- Test: TEST143
-- @@@ START COPYRIGHT @@@
--
-- Licensed to the Apache Software Foundation (ASF) under one
-- or more contributor license agreements. See the NOTICE file
-- distributed with this work for additional information
-- regarding copyright ownership. The ASF licenses this file
-- to you under the Apache License, Version 2.0 (the
-- "License"); you may not use this file except in compliance
-- with the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing,
-- software distributed under the License is distributed on an
-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-- KIND, either express or implied. See the License for the
-- specific language governing permissions and limitations
-- under the License.
--
-- @@@ END COPYRIGHT @@@
--
-- ============================================================================
-- Functionality: Test view privilege propagation for objects and columns
--
-- Expected files: EXPECTED143
-- ============================================================================
cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
cqd ALLOW_WGO_FOR_ROLES 'OFF';
cqd traf_store_object_desc 'ON';
cqd traf_read_object_desc 'ON';
obey TEST143(clean_up);
log LOG143 clear ;
obey TEST143(set_up);
obey TEST143(test_view_object_priv_propagation);
obey TEST143(test_view_column_priv_propagation);
obey TEST143(test_view_role_priv_propagation);
obey TEST143(test_view_misc_priv_propagation);
log;
obey TEST143(clean_up);
exit;
-- ============================================================================
?section clean_up
-- ============================================================================
-- Cleaning up test environment
drop schema if exists t143_udr cascade;
drop schema if exists t143_user1 cascade;
drop schema if exists t143_user2 cascade;
drop schema if exists t143_user3 cascade;
drop schema if exists t143_user5 cascade;
revoke role user2_role from sql_user2;
revoke role user3_role from sql_user3;
drop role user2_role;
drop role user3_role;
-- ============================================================================
?section set_up
-- ============================================================================
-- Setup the test environment
-- create function to display bitmaps as a bitmap rather than longs
-- use the function from privs2/TEST140
sh rm -f ./etest140.dll;
sh sh $$scriptsdir$$/tools/dll-compile.ksh etest140.cpp
2>&1 | tee LOG140-SECONDARY;
set pattern $$DLL$$ etest140.dll;
set pattern $$QUOTE$$ '''';
create schema t143_udr;
set schema t143_udr;
create library t143_l1 file $$QUOTE$$ $$REGRRUNDIR$$/$$DLL$$ $$QUOTE$$ ;
create function translateBitmap(bitmap largeint) returns (bitmap_string char (20))
language c parameter style sql external name 'translateBitmap'
library t143_l1
deterministic no sql final call allow any parallelism state area size 1024 ;
grant execute on function t143_udr.translateBitmap to "PUBLIC";
-- query to read privs from metadata
prepare get_obj_privs from
select distinct
substring (object_name,11,15) as object_name,
object_type as type,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".object_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3
;
prepare get_col_privs from
select distinct
substring (object_name,11,15) as object_name,
column_number,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".column_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3, 4
;
-- set up role infrastructure
create role user2_role;
create role user3_role;
grant role user2_role to sql_user2;
grant role user3_role to sql_user3;
-- ============================================================================
?section test_view_object_priv_propagation
-- ============================================================================
values (user);
-- remove schemas
drop schema if exists t143_user1 cascade;
drop schema if exists t143_user2 cascade;
-- setup database with private schemas owned by users
create schema t143_user1 authorization sql_user1;
create schema t143_user2 authorization sql_user2;
-- create some tables owned by user1
set schema t143_user1;
create table u1t1 (c1 int not null primary key, c2 int, c3 int);
insert into u1t1 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
create table u1t2 (c1 int not null primary key, c2 int, c3 int);
insert into u1t2 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
-- grant privileges to sql_user2 on tables
grant select, delete on u1t1 to sql_user2;
grant select, delete on u1t2 to sql_user2 with grant option;
execute get_obj_privs;
-- user2 creates some views
sh sqlci -i "TEST143(user2_views)" -u sql_user2;
execute get_obj_privs;
-- user1 grants insert privilege on tables
-- u2v1 should have insert priv
-- u2v2 should have insert priv WGO
grant insert on u1t1 to sql_user2;
grant insert on u1t2 to sql_user2 with grant option;
execute get_obj_privs;
-- remove with grant option for some privileges
-- u2v2 should have insert, delete without WGO
-- u2v2 should have select WGO
revoke grant option for insert, delete on u1t2 from sql_user2;
execute get_obj_privs;
-- Add back the with grant option for delete
-- u2v2 should have select, delete with WGO
grant delete on u1t2 to sql_user2 with grant option;
execute get_obj_privs;
-- Remove insert, and delete entirely
-- u2v2 has select WGO
revoke insert, delete on u1t1 from sql_user2;
revoke insert, delete on u1t2 from sql_user2;
execute get_obj_privs;
-- ============================================================================
?section test_view_column_priv_propagation
-- ============================================================================
-- regression test 129 tests that views can be created based on column privs
-- and that revoke works (or fails) according to specifications.
-- this section tests that privileges are propagated to dependent views when
-- privs are changed on referenced objects
values (user);
-- remove schemas
drop schema if exists t143_user1 cascade;
drop schema if exists t143_user3 cascade;
-- setup database with private schemas owned by users
create schema t143_user1 authorization sql_user1;
create schema t143_user3 authorization sql_user3;
-- create some tables owned by user1
set schema t143_user1;
create table u1t1 (c1 int not null primary key, c2 int, c3 int);
insert into u1t1 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
create table u1t2 (c1 int not null primary key, c2 int, c3 int);
insert into u1t2 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
create table u1t3 (c1 int not null primary key, c2 int, c3 int, c4 int);
insert into u1t3 values (1,1,1,1), (2,2,2,2), (3,3,3,3), (4,4,4,4), (5,5,5,5);
-- grant column level privileges to sql_user3
grant select (c1,c2) on t143_user1.u1t1 to sql_user3;
grant select (c1,c3) on t143_user1.u1t2 to sql_user3 with grant option;
grant select (c2,c3,c1,c4) on t143_user1.u1t3 to sql_user3;
execute get_col_privs;
-- user3 can create all views
sh sqlci -i "TEST143(user3_views)" -u sql_user3;
-- Add column privs to tables that are propagated to views
-- u3v1 can now insert without WGO
-- u3v2 still cannot insert
-- u3v3 can insert without WGO
-- u3v4 can update without WGO
grant insert (c1, c2) on t143_user1.u1t1 to sql_user3;
grant insert (c1) on t143_user1.u1t2 to sql_user3;
grant update on t143_user1.u1t3 to sql_user3;
execute get_obj_privs;
execute get_col_privs;
-- Revoke privileges
-- u3v1 can no longer insert even though one column has insert priv
-- u3v3 can no longer insert
-- u3v4 can not longer update
revoke insert (c1) on t143_user1.u1t1 from sql_user3;
revoke insert (c1) on t143_user1.u1t2 from sql_user3;
revoke update on t143_user1.u1t3 from sql_user3;
execute get_obj_privs;
execute get_col_privs;
-- Test WGO grants
-- grant WGO
grant references (c1, c2, c3) on t143_user1.u1t1 to sql_user3 with grant option;
execute get_obj_privs;
-- revoke WGO
revoke grant option for references (c1) on t143_user1.u1t1 from sql_user3;
execute get_obj_privs;
execute get_col_privs;
-- ============================================================================
?section test_view_role_priv_propagation
-- ============================================================================
values (user);
cqd ALLOW_WGO_FOR_ROLES 'on';
-- remove schemas
drop schema if exists t143_user1 cascade;
drop schema if exists t143_user2 cascade;
drop schema if exists t143_user3 cascade;
-- setup database with private schemas owned by users
create schema t143_user1 authorization sql_user1;
create schema t143_user2 authorization sql_user2;
create schema t143_user3 authorization sql_user3;
-- create some tables owned by user1
set schema t143_user1;
create table u1t1 (c1 int not null primary key, c2 int, c3 int);
insert into u1t1 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
create table u1t2 (c1 int not null primary key, c2 int, c3 int);
insert into u1t2 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
create table u1t3 (c1 int not null primary key, c2 int, c3 int, c4 int);
insert into u1t3 values (1,1,1,1), (2,2,2,2), (3,3,3,3), (4,4,4,4), (5,5,5,5);
-- grant privileges to roles on tables
grant select (c1,c2,c3) on t143_user1.u1t1 to user2_role;
grant select (c1,c2) on t143_user1.u1t1 to user3_role;
grant select (c1,c2,c3) on t143_user1.u1t2 to user2_role with grant option;
grant select (c1,c3) on t143_user1.u1t2 to user3_role with grant option;
grant select (c2,c3,c1,c4) on t143_user1.u1t3 to user3_role;
-- create views
grant role user2_role to sql_user2;
grant role user3_role to sql_user3;
sh sqlci -i "TEST143(user2_views)" -u sql_user2;
sh sqlci -i "TEST143(user3_views)" -u sql_user3;
-- user1 grants insert privilege on tables to roles
-- u2v1 should have insert priv without WGO
-- u2v2 should have insert priv WGO
-- u3v1 should have insert priv without WGO
-- u3v2 should not be granted insert, only one col
-- u3v3 should have insert priv without WGO
-- u3v4 shoud have update without WGO, select with WGO
grant insert on u1t1 to user2_role;
grant insert on u1t2 to user2_role with grant option;
grant insert (c1, c2) on t143_user1.u1t1 to user3_role;
grant insert (c1) on t143_user1.u1t2 to user3_role;
grant update on t143_user1.u1t3 to user3_role;
grant select (c2, c3, c1,c4) on t143_user1.u1t3 to user3_role with grant option;
execute get_obj_privs;
execute get_col_privs;
-- Reset privs
revoke insert on u1t1 from user2_role;
revoke grant option for insert on u1t2 from user2_role;
revoke insert (c1, c2) on t143_user1.u1t1 from user3_role;
revoke insert (c1) on t143_user1.u1t2 from user3_role;
revoke update on t143_user1.u1t3 from user3_role;
revoke grant option for select (c2, c3) on t143_user1.u1t3 from user3_role;
execute get_obj_privs;
prepare get_obj_privs from
select distinct
substring (object_name,11,15) as object_name,
object_type as type,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".object_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3
;
execute get_obj_privs;
execute get_col_privs;
prepare get_col_privs from
select distinct
substring (object_name,11,15) as object_name,
column_number,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".column_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3, 4;
execute get_col_privs;
-- ============================================================================
?section test_view_misc_priv_propagation
-- ============================================================================
--
-- Verifies that multiple views with different owners don't cause issues
--
-- Views:
--
-- u1v1 -> u1t1
-- u5v1 -> u1t1
-- u5v2 -> u1t1
-- u2v1 -> u1v1 -> u1t1
-- u3v1 -> u2v1 -> u1v1 ->u1t1
-- u3v2 -> u3v1 -> u2v1 -> u1v1 -> u1t1
values (user);
cqd ALLOW_WGO_FOR_ROLES 'on';
-- remove schemas
drop schema if exists t143_user1 cascade;
drop schema if exists t143_user2 cascade;
drop schema if exists t143_user3 cascade;
drop schema if exists t143_user5 cascade;
-- setup database with private schemas owned by users
create schema t143_user1 authorization sql_user1;
create schema t143_user2 authorization user2_role;
create schema t143_user3 authorization sql_user3;
create schema t143_user5 authorization sql_user5;
-- create objects owned by sql_user1
set schema t143_user1;
create table u1t1 (c1 int not null primary key, c2 int, c3 int);
insert into u1t1 values (1,1,1), (2,2,2), (3,3,3), (4,4,4), (5,5,5);
grant select (c1) on u1t1 to sql_user5;
grant select (c2, c3) on u1t1 to sql_user5 with grant option;
create view u1v1 (u1v1_c1, u1v1_c2) as select c2, c3 from u1t1;
grant select on u1v1 to user2_role with grant option;
grant select on u1v1 to sql_user5;
-- create objects for role user2_role;
set schema t143_user2;
create view u2v1 (u2v1_c1, u2v1_c2) as
select u1v1_c2, u1v1_c1 from t143_user1.u1v1;
grant select (u2v1_c1, u2v1_c2) on u2v1 to sql_user3;
grant select on u2v1 to sql_user6 with grant option;
grant select (u2v1_c2) on u2v1 to sql_user6;
-- create objects for user sql_user3
set schema t143_user3;
create view u3v1 (u3v1_c1, u3v1_c2) as
select u2v1_c2, u2v1_c1
from t143_user2.u2v1;
-- create objects for user sq1_user5
set schema t143_user5;
create view u5v1(u5v1_c1, u5v1_c2, u5v1_c3) as
select * from t143_user1.u1t1;
create view u5v2 (u5v1_c1) as
select u5v1_c2 from t143_user5.u5v1, t143_user1.u1v1;
-- u1v1 user1 grants: select user2_role WGO, select user5
-- u2v1 user2-role grants: select user6 WGO
execute get_obj_privs;
prepare get_obj_privs from
select distinct
substring (object_name,11,15) as object_name,
object_type as type,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".object_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3
;
execute get_obj_privs;
-- u1t1 user1 grants: c1-select, c2/c3-select WGO user5
-- u2v1 user2_role grants: c1/c2-select user3, select-c2 user6
execute get_col_privs;
prepare get_col_privs from
select distinct
substring (object_name,11,15) as object_name,
column_number,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".column_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3, 4;
execute get_col_privs;
-- Run some different tests:
-- fails with no priv
grant select (u3v1_c1, u3v1_c2) on t143_user3.u3v1 to sql_user4;
-- user2_role grants to user3 WGO
grant select (u2v1_c1, u2v1_c2) on t143_user2.u2v1 to sql_user3 with grant option;
-- now user3's grant works, user4 can create views on u3v1
grant select (u3v1_c1, u3v1_c2) on t143_user3.u3v1 to sql_user4;
-- grant insert on user1's table, doesn't affect any views
grant insert on t143_user1.u1t1 to user2_role with grant option;
-- u1t1 user1 grants: insert user2_role WGO
execute get_obj_privs;
-- u2v1 user2_role grants: + c1/c2 WGO user3
-- u3v1 user3 grants: select-c1/c2 user4
execute get_col_privs;
-- grant insert on user1's view
-- fails because u1v1 is not an insertable view
-- unfortunately, the returned error is not the best
grant insert on t143_user1.u1v1 to user2_role;
-- grant update on user1's view, this works
grant update on t143_user1.u1v1 to user2_role;
-- grant privileges by user5, these fail
grant select on t143_user5.u5v1 to sql_user4;
grant select (u5v1_c1, u5v1_c2, u5v1_c3) on t143_user5.u5v1 to sql_user4;
-- this fails, sql_user5 has WGO for the underlying column (u5v1_c2) but the
-- columns cannot be split
grant select (u5v1_c2) on t143_user5.u5v1 to sql_user4;
-- this succeeds
grant select on t143_user5.u5v2 to sql_user4;
-- u1v1 user1 grants: + update user2_role
-- u5v2 user5 grants: c1-select user4
execute get_obj_privs;
prepare get_obj_privs from
select distinct
substring (object_name,11,15) as object_name,
object_type as type,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".object_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3;
execute get_obj_privs;
execute get_col_privs;
prepare get_col_privs from
select distinct
substring (object_name,11,15) as object_name,
column_number,
substring(authname(grantor_id),1,10) as grantor,
substring(authname(grantee_id),1,10) as grantee,
t143_udr.translateBitmap(privileges_bitmap) as granted_privs,
t143_udr.translateBitmap(grantable_bitmap) as grantable_privs
from "_PRIVMGR_MD_".column_privileges
where object_uid in
(select object_uid
from "_MD_".objects
where object_name like 'U%' and schema_name like 'T143_USER%')
order by 1, 2, 3, 4;
execute get_col_privs;
-- ============================================================================
?section user2_views
-- ============================================================================
-- executed by sql_user2
log LOG143;
cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
cqd traf_store_object_desc 'ON';
cqd traf_read_object_desc 'ON';
values (user);
set schema t143_user2;
create view u2v1 as select * from t143_user1.u1t1;
create view u2v2 as select * from t143_user1.u1t2;
-- ============================================================================
?section user3_views
-- ============================================================================
-- executed by sql_user3
log LOG143;
cqd SHOWDDL_DISPLAY_PRIVILEGE_GRANTS 'ON';
cqd traf_store_object_desc 'ON';
cqd traf_read_object_desc 'ON';
values (user);
set schema t143_user3;
-- following views can be created based on granted privs
create view u3v1 as select c1, c2 from t143_user1.u1t1;
showddl u3v1;
create view u3v2 as select c1, c3 from t143_user1.u1t2;
showddl u3v2;
create view u3v3 as select c1 from t143_user1.u1t2;
showddl u3v3;
create view u3v4 as select c2, c1, c4 from t143_user1.u1t3;
showddl u3v4;
get tables;
get views;
?section show_views
showddl t143_user2.u2v1;
showddl t143_user2.u2v2;
showddl t143_user3.u3v1;
showddl t143_user3.u3v2;
showddl t143_user3.u3v3;
showddl t143_user3.u3v4;