Grantee Class Reference

#include <Grantee.h>

Inheritance diagram for Grantee:

Collaboration diagram for Grantee:

Public Member Functions
	Grantee (const std::string &name)
virtual	~Grantee ()
virtual bool	isUser () const =0
virtual void	grantPrivileges (const DBObject &object)
virtual DBObject *	revokePrivileges (const DBObject &object)
virtual void	grantRole (Role *role)
virtual void	revokeRole (Role *role)
virtual bool	hasAnyPrivileges (const DBObject &objectRequested, bool only_direct) const
virtual bool	checkPrivileges (const DBObject &objectRequested) const
virtual void	updatePrivileges ()
virtual void	updatePrivileges (Role *role)
virtual void	revokeAllOnDatabase (int32_t dbId)
virtual void	renameDbObject (const DBObject &object)
void	getPrivileges (DBObject &object, bool only_direct)
DBObject *	findDbObject (const DBObjectKey &objectKey, bool only_direct) const
bool	hasAnyPrivilegesOnDb (int32_t dbId, bool only_direct) const
const std::string &	getName () const
void	setName (const std::string &name)
std::vector< std::string >	getRoles (bool only_direct=true) const
bool	hasRole (Role *role, bool only_direct) const
const DBObjectMap *	getDbObjects (bool only_direct) const
void	checkCycles (Role *newRole)
void	reassignObjectOwners (const std::set< int32_t > &old_owner_ids, int32_t new_owner_id, int32_t db_id)
void	reassignObjectOwner (DBObjectKey &object_key, int32_t new_owner_id)

Protected Attributes
std::string	name_
std::unordered_set< Role * >	roles_
DBObjectMap	effectivePrivileges_
DBObjectMap	directPrivileges_

Private Types
using	DBObjectMap = std::map< DBObjectKey, std::unique_ptr< DBObject >>

Detailed Description

Definition at line 32 of file Grantee.h.

Member Typedef Documentation

using Grantee::DBObjectMap = std::map<DBObjectKey, std::unique_ptr<DBObject>>

private

Definition at line 33 of file Grantee.h.

Constructor & Destructor Documentation

Grantee::Grantee

(

const std::string &

name

)

Definition at line 26 of file Grantee.cpp.

: name_(name) {}

Grantee::~Grantee ( )

virtual

Definition at line 28 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

                  {
  for (auto role : roles_) {
    role->removeGrantee(this);
  }
  effectivePrivileges_.clear();
  directPrivileges_.clear();
  roles_.clear();
}

Member Function Documentation

void Grantee::checkCycles

(

Role *

newRole

)

Definition at line 310 of file Grantee.cpp.

References CHECK, Role::getGrantees(), and getName().

Referenced by grantRole().

                                       {
  std::stack<Grantee*> grantees;
  grantees.push(this);
  while (!grantees.empty()) {
    auto* grantee = grantees.top();
    grantees.pop();
    if (!grantee->isUser()) {
      Role* r = dynamic_cast<Role*>(grantee);
      CHECK(r);
      if (r == newRole) {
        throw runtime_error("Granting role " + newRole->getName() + " to " + getName() +
                            " creates cycle in grantee graph.");
      }
      for (auto g : r->getGrantees()) {
        grantees.push(g);
      }
    }
  }
}

Here is the call graph for this function:

Here is the caller graph for this function:

bool Grantee::checkPrivileges ( const DBObject &  objectRequested ) const

virtual

Definition at line 231 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasEnoughPrivs(), and DBObjectKey::objectId.

                                                                   {
  DBObjectKey objectKey = objectRequested.getObjectKey();
  if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
    return true;
  }

  // if we have an object associated -> ignore it
  if (objectKey.objectId != -1) {
    objectKey.objectId = -1;
    if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
      return true;
    }
  }

  // if we have an
  if (objectKey.dbId != -1) {
    objectKey.dbId = -1;
    if (hasEnoughPrivs(findDbObject(objectKey, false), &objectRequested)) {
      return true;
    }
  }
  return false;
}

Here is the call graph for this function:

DBObject * Grantee::findDbObject	(	const DBObjectKey &	objectKey,
		bool	only_direct
	)		const

Definition at line 85 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by checkPrivileges(), Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), getPrivileges(), grantPrivileges(), DBHandler::has_object_privilege(), hasAnyPrivileges(), revokePrivileges(), updatePrivileges(), and Catalog_Namespace::SysCatalog::verifyDBObjectOwnership().

                                                                                    {
  const DBObjectMap& privs = only_direct ? directPrivileges_ : effectivePrivileges_;
  DBObject* dbObject = nullptr;
  auto dbObjectIt = privs.find(objectKey);
  if (dbObjectIt != privs.end()) {
    dbObject = dbObjectIt->second.get();
  }
  return dbObject;
}

Here is the caller graph for this function:

const DBObjectMap* Grantee::getDbObjects ( bool  only_direct ) const

inline

Definition at line 56 of file Grantee.h.

References directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::Catalog::createOrUpdateDashboardSystemRole(), and updatePrivileges().

                                                          {
    return only_direct ? &directPrivileges_ : &effectivePrivileges_;
  }

Here is the caller graph for this function:

const std::string& Grantee::getName ( ) const

inline

Definition at line 52 of file Grantee.h.

References name_.

Referenced by Role::addGrantee(), checkCycles(), getPrivileges(), grantRole(), Role::removeGrantee(), renameDbObject(), and revokePrivileges().

{ return name_; }

Here is the caller graph for this function:

void Grantee::getPrivileges	(	DBObject &	object,
		bool	only_direct
	)

Definition at line 76 of file Grantee.cpp.

References findDbObject(), and getName().

                                                              {
  auto dbObject = findDbObject(object.getObjectKey(), only_direct);
  if (!dbObject) {  // not found
    throw runtime_error("Can not get privileges because " + getName() +
                        " has no privileges to " + object.getName());
  }
  object.grantPrivileges(*dbObject);
}

Here is the call graph for this function:

std::vector< std::string > Grantee::getRoles

(

bool

only_direct = true

)

const

Definition at line 37 of file Grantee.cpp.

                                                             {
  std::set<std::string> roles;  // Sorted for human readers.
  std::stack<const Grantee*> g;
  g.push(this);
  while (!g.empty()) {
    auto r = g.top();
    g.pop();
    for (auto direct_role : r->roles_) {
      g.push(direct_role);
      roles.insert(direct_role->getName());
    }
    if (only_direct) {
      break;
    }
  }
  return std::vector(roles.begin(), roles.end());
}

void Grantee::grantPrivileges ( const DBObject &  object )

virtual

Definition at line 105 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), and updatePrivileges().

Referenced by Catalog_Namespace::SysCatalog::createDBObject().

                                                    {
  auto* dbObject = findDbObject(object.getObjectKey(), false);
  if (!dbObject) {  // not found
    effectivePrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
  } else {  // found
    dbObject->grantPrivileges(object);
  }
  dbObject = findDbObject(object.getObjectKey(), true);
  if (!dbObject) {  // not found
    directPrivileges_[object.getObjectKey()] = boost::make_unique<DBObject>(object);
  } else {  // found
    dbObject->grantPrivileges(object);
  }
  updatePrivileges();
}

Here is the call graph for this function:

Here is the caller graph for this function:

void Grantee::grantRole ( Role *  role )

virtual

Definition at line 163 of file Grantee.cpp.

References Role::addGrantee(), checkCycles(), getName(), name_, roles_, and updatePrivileges().

                                  {
  bool found = false;
  for (const auto* granted_role : roles_) {
    if (role == granted_role) {
      found = true;
      break;
    }
  }
  if (found) {
    throw runtime_error("Role " + role->getName() + " have been granted to " + name_ +
                        " already.");
  }
  checkCycles(role);
  roles_.insert(role);
  role->addGrantee(this);
  updatePrivileges();
}

Here is the call graph for this function:

bool Grantee::hasAnyPrivileges ( const DBObject &  objectRequested, bool  only_direct  ) const

virtual

Definition at line 207 of file Grantee.cpp.

References DBObjectKey::dbId, findDbObject(), DBObject::getObjectKey(), hasAnyPrivs(), and DBObjectKey::objectId.

                                                                                      {
  DBObjectKey objectKey = objectRequested.getObjectKey();
  if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
    return true;
  }

  // if we have an object associated -> ignore it
  if (objectKey.objectId != -1) {
    objectKey.objectId = -1;
    if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
      return true;
    }
  }

  // if we have an
  if (objectKey.dbId != -1) {
    objectKey.dbId = -1;
    if (hasAnyPrivs(findDbObject(objectKey, only_direct), &objectRequested)) {
      return true;
    }
  }
  return false;
}

Here is the call graph for this function:

bool Grantee::hasAnyPrivilegesOnDb	(	int32_t	dbId,
		bool	only_direct
	)		const

Definition at line 95 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

Referenced by Catalog_Namespace::anonymous_namespace{SysCatalog.cpp}::get_users().

                                                                       {
  const DBObjectMap& privs = only_direct ? directPrivileges_ : effectivePrivileges_;
  for (const auto& priv : privs) {
    if (priv.second->getObjectKey().dbId == dbId) {
      return true;
    }
  }
  return false;
}

Here is the caller graph for this function:

bool Grantee::hasRole	(	Role *	role,
		bool	only_direct
	)		const

Definition at line 55 of file Grantee.cpp.

References roles_.

Referenced by Catalog_Namespace::SysCatalog::isRoleGrantedToGrantee().

                                                        {
  if (only_direct) {
    return roles_.find(role) != roles_.end();
  } else {
    std::stack<const Grantee*> roles;
    roles.push(this);
    while (!roles.empty()) {
      auto r = roles.top();
      roles.pop();
      if (r == role) {
        return true;
      } else {
        for (auto granted_role : r->roles_) {
          roles.push(granted_role);
        }
      }
    }
    return false;
  }
}

Here is the caller graph for this function:

virtual bool Grantee::isUser ( ) const

pure virtual

Implemented in Role, and User.

void Grantee::reassignObjectOwner	(	DBObjectKey &	object_key,
		int32_t	new_owner_id
	)

Definition at line 348 of file Grantee.cpp.

References directPrivileges_, and effectivePrivileges_.

                                                                               {
  for (const auto& [grantee_object_key, object] : effectivePrivileges_) {
    if (grantee_object_key == object_key) {
      object->setOwner(new_owner_id);
    }
  }

  for (const auto& [grantee_object_key, object] : directPrivileges_) {
    if (grantee_object_key == object_key) {
      object->setOwner(new_owner_id);
    }
  }
}

void Grantee::reassignObjectOwners	(	const std::set< int32_t > &	old_owner_ids,
		int32_t	new_owner_id,
		int32_t	db_id
	)

Definition at line 330 of file Grantee.cpp.

References shared::contains(), directPrivileges_, and effectivePrivileges_.

                                                  {
  for (const auto& [object_key, object] : effectivePrivileges_) {
    if (object_key.objectId != -1 && object_key.dbId == db_id &&
        shared::contains(old_owner_ids, object->getOwner())) {
      object->setOwner(new_owner_id);
    }
  }

  for (const auto& [object_key, object] : directPrivileges_) {
    if (object_key.objectId != -1 && object_key.dbId == db_id &&
        shared::contains(old_owner_ids, object->getOwner())) {
      object->setOwner(new_owner_id);
    }
  }
}

Here is the call graph for this function:

void Grantee::renameDbObject ( const DBObject &  object )

virtual

Reimplemented in Role.

Definition at line 121 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and getName().

Referenced by Role::renameDbObject(), Catalog_Namespace::SysCatalog::renameDBObject(), Catalog_Namespace::Catalog::renameTable(), and Catalog_Namespace::Catalog::renameTables().

                                                   {
  // rename direct and effective objects
  auto directIt = directPrivileges_.find(object.getObjectKey());
  if (directIt != directPrivileges_.end()) {
    directIt->second->setName(object.getName());
  }

  auto effectiveIt = effectivePrivileges_.find(object.getObjectKey());
  if (effectiveIt != effectivePrivileges_.end()) {
    effectiveIt->second->setName(object.getName());
  }
}

Here is the call graph for this function:

Here is the caller graph for this function:

void Grantee::revokeAllOnDatabase ( int32_t  dbId )

virtual

Reimplemented in Role.

Definition at line 296 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and updatePrivileges().

Referenced by Role::revokeAllOnDatabase(), and Catalog_Namespace::SysCatalog::revokeAllOnDatabase_unsafe().

                                              {
  std::vector<DBObjectMap*> sources = {&effectivePrivileges_, &directPrivileges_};
  for (auto privs : sources) {
    for (auto iter = privs->begin(); iter != privs->end();) {
      if (iter->first.dbId == dbId) {
        iter = privs->erase(iter);
      } else {
        ++iter;
      }
    }
  }
  updatePrivileges();
}

Here is the call graph for this function:

Here is the caller graph for this function:

DBObject * Grantee::revokePrivileges ( const DBObject &  object )

virtual

Definition at line 136 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, findDbObject(), getName(), and updatePrivileges().

                                                          {
  auto dbObject = findDbObject(object.getObjectKey(), true);
  if (!dbObject ||
      !dbObject->getPrivileges().hasAny()) {  // not found or has none of privileges set
    throw runtime_error("Can not revoke privileges because " + getName() +
                        " has no privileges to " + object.getName());
  }
  bool object_removed = false;
  dbObject->revokePrivileges(object);
  if (!dbObject->getPrivileges().hasAny()) {
    directPrivileges_.erase(object.getObjectKey());
    object_removed = true;
  }

  auto* cachedDbObject = findDbObject(object.getObjectKey(), false);
  if (cachedDbObject && cachedDbObject->getPrivileges().hasAny()) {
    cachedDbObject->revokePrivileges(object);
    if (!cachedDbObject->getPrivileges().hasAny()) {
      effectivePrivileges_.erase(object.getObjectKey());
    }
  }

  updatePrivileges();

  return object_removed ? nullptr : dbObject;
}

Here is the call graph for this function:

void Grantee::revokeRole ( Role *  role )

virtual

Definition at line 181 of file Grantee.cpp.

References Role::removeGrantee(), roles_, and updatePrivileges().

                                   {
  roles_.erase(role);
  role->removeGrantee(this);
  updatePrivileges();
}

Here is the call graph for this function:

void Grantee::setName ( const std::string &  name )

inline

Definition at line 53 of file Grantee.h.

References setup::name, and name_.

{ name_ = name; }

void Grantee::updatePrivileges ( )

virtual

Reimplemented in Role.

Definition at line 268 of file Grantee.cpp.

References directPrivileges_, effectivePrivileges_, and roles_.

Referenced by grantPrivileges(), grantRole(), revokeAllOnDatabase(), revokePrivileges(), revokeRole(), and Role::updatePrivileges().

                               {
  // Zero out the effective privileges. DBObjects may still exist, but will be empty.
  for (auto& dbObject : effectivePrivileges_) {
    dbObject.second->resetPrivileges();
  }
  // Load this Grantee's direct privileges into its effective privileges.
  for (auto it = directPrivileges_.begin(); it != directPrivileges_.end(); ++it) {
    if (effectivePrivileges_.find(it->first) != effectivePrivileges_.end()) {
      effectivePrivileges_[it->first]->updatePrivileges(*it->second);
    }
  }
  // Load any other roles that we've been granted into the effective privileges.
  for (auto role : roles_) {
    if (role->getDbObjects(false)->size() > 0) {
      updatePrivileges(role);
    }
  }
  // Free any DBObjects that are still empty in the effective privileges.
  for (auto dbObjectIt = effectivePrivileges_.begin();
       dbObjectIt != effectivePrivileges_.end();) {
    if (!dbObjectIt->second->getPrivileges().hasAny()) {
      dbObjectIt = effectivePrivileges_.erase(dbObjectIt);
    } else {
      ++dbObjectIt;
    }
  }
}

Here is the caller graph for this function:

void Grantee::updatePrivileges ( Role *  role )

virtual

Definition at line 255 of file Grantee.cpp.

References effectivePrivileges_, findDbObject(), and getDbObjects().

                                         {
  for (auto& roleDbObject : *role->getDbObjects(false)) {
    auto dbObject = findDbObject(roleDbObject.first, false);
    if (dbObject) {  // found
      dbObject->updatePrivileges(*roleDbObject.second);
    } else {  // not found
      effectivePrivileges_[roleDbObject.first] =
          boost::make_unique<DBObject>(*roleDbObject.second.get());
    }
  }
}

Here is the call graph for this function:

Member Data Documentation

DBObjectMap Grantee::directPrivileges_

protected

Definition at line 72 of file Grantee.h.

Referenced by findDbObject(), getDbObjects(), grantPrivileges(), hasAnyPrivilegesOnDb(), reassignObjectOwner(), reassignObjectOwners(), renameDbObject(), revokeAllOnDatabase(), revokePrivileges(), updatePrivileges(), and ~Grantee().

DBObjectMap Grantee::effectivePrivileges_

protected

Definition at line 70 of file Grantee.h.

Referenced by findDbObject(), getDbObjects(), grantPrivileges(), hasAnyPrivilegesOnDb(), reassignObjectOwner(), reassignObjectOwners(), renameDbObject(), revokeAllOnDatabase(), revokePrivileges(), updatePrivileges(), and ~Grantee().

std::string Grantee::name_

protected

Definition at line 67 of file Grantee.h.

Referenced by getName(), grantRole(), and setName().

std::unordered_set<Role*> Grantee::roles_

protected

Definition at line 68 of file Grantee.h.

Referenced by grantRole(), hasRole(), revokeRole(), updatePrivileges(), and ~Grantee().

---

The documentation for this class was generated from the following files:

• /home/jenkins-slave/workspace/core-os-doxygen/Catalog/Grantee.h
• /home/jenkins-slave/workspace/core-os-doxygen/Catalog/Grantee.cpp