From: Chris Sosnin <k.sosnin@tarantool.org> To: tarantool-patches@dev.tarantool.org Subject: [Tarantool-patches] [PATCH] sql: remove grants associated with the table Date: Fri, 6 Dec 2019 15:53:08 +0300 [thread overview] Message-ID: <20191206125308.79432-1-k.sosnin@tarantool.org> (raw) Dropping table with sql removes everything associated with it but grants, which is inconsistent. Generating code for it fixes this bug. Closes #4546 --- branch: https://github.com/tarantool/tarantool/tree/ksosnin/gh-4546-sql-drop-grants issue: https://github.com/tarantool/tarantool/issues/4546 src/box/sql/build.c | 43 +++++++++++++++++++++++ src/box/user.cc | 7 ++++ src/box/user.h | 4 +++ test/sql/gh-4546-sql-drop-grants.result | 34 ++++++++++++++++++ test/sql/gh-4546-sql-drop-grants.test.lua | 15 ++++++++ 5 files changed, 103 insertions(+) create mode 100644 test/sql/gh-4546-sql-drop-grants.result create mode 100644 test/sql/gh-4546-sql-drop-grants.test.lua diff --git a/src/box/sql/build.c b/src/box/sql/build.c index 51cd7ce63..d700ec5e2 100644 --- a/src/box/sql/build.c +++ b/src/box/sql/build.c @@ -56,6 +56,7 @@ #include "box/schema.h" #include "box/tuple_format.h" #include "box/coll_id_cache.h" +#include "box/user.h" void sql_finish_coding(struct Parse *parse_context) 
@@ -1523,6 +1524,43 @@ vdbe_emit_ck_constraint_drop(struct Parse *parser, const char *ck_name, sqlReleaseTempRange(parser, key_reg, 3); } +/** + * Generate VDBE program to remove table grants. + * + * @param parser Parsing context. + * @param space Space whose grants will be deleted. + */ +static void +vdbe_emit_drop_grants(struct Parse *parser, struct space *space) +{ + struct Vdbe *v = sqlGetVdbe(parser); + if (v == NULL) + return; + /* + * Get uid of users through space->access + * and generate code to delete corresponding + * entries from _priv + */ + int key_reg = sqlGetTempRange(parser, 4); + for (uint8_t token = 0; token < BOX_USER_MAX; ++token) { + if (space->access[token].granted) { + struct user *user = user_find_by_token(token); + sqlVdbeAddOp2(v, OP_Integer, user->def->uid, + key_reg); + sqlVdbeAddOp4(v, OP_String8, 0, key_reg + 1, 0, + "space", P4_STATIC); + sqlVdbeAddOp2(v, OP_Integer, space->def->id, + key_reg + 2); + sqlVdbeAddOp3(v, OP_MakeRecord, key_reg, 3, + key_reg + 3); + sqlVdbeAddOp2(v, OP_SDelete, BOX_PRIV_ID, + key_reg + 3); + } + } + VdbeComment((v, "Remove table grants")); + sqlReleaseTempRange(parser, key_reg, 3); +} + /** * Generate code to drop a table. * This routine includes dropping triggers, sequences, @@ -1538,6 +1576,11 @@ sql_code_drop_table(struct Parse *parse_context, struct space *space, { struct Vdbe *v = sqlGetVdbe(parse_context); assert(v != NULL); + /* + * Remove all grants associated with + * with the table being dropped. + */ + vdbe_emit_drop_grants(parse_context, space); /* * Drop all triggers associated with the table being * dropped. Code is generated to remove entries from diff --git a/src/box/user.cc b/src/box/user.cc index a012cb196..fe0555886 100644 --- a/src/box/user.cc +++ b/src/box/user.cc 
@@ -517,6 +517,13 @@ user_find(uint32_t uid) return user; } +/* Find a user by authentication token. */ +struct user * +user_find_by_token(uint8_t auth_token) +{ + return &users[auth_token]; +} + /** Find user by name. */ struct user * user_find_by_name(const char *name, uint32_t len) diff --git a/src/box/user.h b/src/box/user.h index 545401d5c..ccfc59346 100644 --- a/src/box/user.h +++ b/src/box/user.h @@ -112,6 +112,10 @@ user_find_by_name(const char *name, uint32_t len); struct user * user_find(uint32_t uid); +/* Find a user by authentication token. */ +struct user * +user_find_by_token(uint8_t auth_token); + /** Create a cache of user's privileges in @a cr. */ void credentials_create(struct credentials *cr, struct user *user); diff --git a/test/sql/gh-4546-sql-drop-grants.result b/test/sql/gh-4546-sql-drop-grants.result new file mode 100644 index 000000000..915a265bd --- /dev/null +++ b/test/sql/gh-4546-sql-drop-grants.result @@ -0,0 +1,34 @@ +test_run = require('test_run').new() +--- +... +engine = test_run:get_cfg('engine') +--- +... +box.execute('pragma sql_default_engine=\''..engine..'\'') +--- +- row_count: 0 +... +-- If we drop the table with sql, all associated +-- grants must be deleted so we don't recieve an error +box.cfg{} +--- +... +box.schema.user.create('test_user1') +--- +... +box.schema.user.create('test_user2') +--- +... +test_space = box.schema.create_space('T') +--- +... +box.schema.user.grant('test_user1', 'read', 'space', 'T') +--- +... +box.schema.user.grant('test_user2', 'write', 'space', 'T') +--- +... +box.execute([[DROP TABLE T;]]) +--- +- row_count: 1 +... diff --git a/test/sql/gh-4546-sql-drop-grants.test.lua b/test/sql/gh-4546-sql-drop-grants.test.lua new file mode 100644 index 000000000..6aeca4ce0 --- /dev/null +++ b/test/sql/gh-4546-sql-drop-grants.test.lua 
@@ -0,0 +1,15 @@ +test_run = require('test_run').new() +engine = test_run:get_cfg('engine') +box.execute('pragma sql_default_engine=\''..engine..'\'') + +-- If we drop the table with sql, all associated +-- grants must be deleted so we don't recieve an error + +box.cfg{} + +box.schema.user.create('test_user1') +box.schema.user.create('test_user2') +test_space = box.schema.create_space('T') +box.schema.user.grant('test_user1', 'read', 'space', 'T') +box.schema.user.grant('test_user2', 'write', 'space', 'T') +box.execute([[DROP TABLE T;]]) -- 2.21.0 (Apple Git-122.2)
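Review bot: in vdbe_emit_drop_grants() (src/box/sql/build.c) the temporary range is taken with sqlGetTempRange(parser, 4) but given back with sqlReleaseTempRange(parser, key_reg, 3), so the record register at key_reg + 3 is never released; pass 4 to the release call. The loop also reads space->access[] while the program is being generated, so the set of OP_SDelete instructions is fixed at compile time; a short comment saying that grants added after code generation are not covered would help the next reader.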
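Review bot: the comment added to sql_code_drop_table() repeats a word across its line break ("Remove all grants associated with" followed by "with the table being dropped."); drop the second "with".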
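Review bot: user_find_by_token() in src/box/user.cc returns &users[auth_token] with no check that the slot holds a live user, and its only caller in build.c dereferences user->def->uid immediately. Either assert here that the slot is in use, or state in the comment that the caller must pass only tokens it already knows are assigned (as the space->access[token].granted test is meant to guarantee).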
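Review bot: the declaration comment for user_find_by_token() in src/box/user.h opens with /* while the neighbouring declarations use /** (for example "/** Create a cache of user's privileges in @a cr. */"), and it does not say what is returned for a token that has no user. Switch to /** and document the precondition on auth_token.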
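Review bot: test/sql/gh-4546-sql-drop-grants.test.lua ends at box.execute([[DROP TABLE T;]]) and the .result file records only row_count: 1, so nothing asserts that the grant entries were actually removed; add a check of _priv for test_user1 and test_user2 after the drop. The test also leaves both users behind, calls box.execute() before box.cfg{}, and has "recieve" for "receive" in its comment.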