/Users/deen/code/yugabyte-db/src/yb/yql/cql/ql/ptree/pt_grant_revoke.cc
Line | Count | Source (jump to first uncovered line) |
1 | | //-------------------------------------------------------------------------------------------------- |
2 | | // Copyright (c) YugaByte, Inc. |
3 | | // |
4 | | // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except |
5 | | // in compliance with the License. You may obtain a copy of the License at |
6 | | // |
7 | | // http://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software distributed under the License |
10 | | // is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express |
11 | | // or implied. See the License for the specific language governing permissions and limitations |
12 | | // under the License. |
13 | | // |
14 | | // |
15 | | // Treenode definitions for GRANT statements. |
16 | | //-------------------------------------------------------------------------------------------------- |
17 | | |
18 | | #include "yb/yql/cql/ql/ptree/pt_grant_revoke.h" |
19 | | |
20 | | #include "yb/common/redis_constants_common.h" |
21 | | |
22 | | #include "yb/gutil/strings/substitute.h" |
23 | | |
24 | | #include "yb/yql/cql/ql/ptree/pt_option.h" |
25 | | #include "yb/yql/cql/ql/ptree/sem_context.h" |
26 | | #include "yb/yql/cql/ql/ptree/sem_state.h" |
27 | | #include "yb/yql/cql/ql/ptree/yb_location.h" |
28 | | |
29 | | DECLARE_bool(use_cassandra_authentication); |
30 | | |
31 | | namespace yb { |
32 | | namespace ql { |
33 | | |
34 | | using std::shared_ptr; |
35 | | using std::to_string; |
36 | | using strings::Substitute; |
37 | | |
38 | | //-------------------------------------------------------------------------------------------------- |
39 | | // GRANT Role Statement. |
40 | | |
41 | | PTGrantRevokeRole::PTGrantRevokeRole(MemoryContext* memctx, |
42 | | YBLocation::SharedPtr loc, |
43 | | client::GrantRevokeStatementType statement_type, |
44 | | const MCSharedPtr<MCString>& granted_role_name, |
45 | | const MCSharedPtr<MCString>& recipient_role_name) |
46 | | : TreeNode(memctx, loc), |
47 | | statement_type_(statement_type), |
48 | | granted_role_name_(granted_role_name), |
49 | 98 | recipient_role_name_(recipient_role_name) {} |
50 | | |
51 | 74 | PTGrantRevokeRole::~PTGrantRevokeRole() { |
52 | 74 | } |
53 | | |
54 | 98 | Status PTGrantRevokeRole::Analyze(SemContext* sem_context) { |
55 | 98 | if (FLAGS_use_cassandra_authentication) { |
56 | 98 | RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), PermissionType::AUTHORIZE_PERMISSION, |
57 | 98 | recipient_role_name_->data())); |
58 | 82 | RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), PermissionType::AUTHORIZE_PERMISSION, |
59 | 82 | granted_role_name_->data())); |
60 | 82 | } |
61 | 76 | return Status::OK(); |
62 | 98 | } |
63 | | |
64 | 0 | void PTGrantRevokeRole::PrintSemanticAnalysisResult(SemContext* sem_context) { |
65 | 0 | MCString sem_output("\tGRANT Role ", sem_context->PTempMem()); |
66 | 0 | sem_output = sem_output + granted_role_name().c_str() + " TO " + recipient_role_name().c_str(); |
67 | 0 | VLOG(3) << "SEMANTIC ANALYSIS RESULT (" << *loc_ << "):\n" << sem_output; |
68 | 0 | } |
69 | | |
70 | | |
71 | | //-------------------------------------------------------------------------------------------------- |
72 | | // GRANT Permission Statement. |
73 | | |
74 | | // TODO (Bristy) : Move this into commn/util. |
75 | | const std::map<std::string, PermissionType > PTGrantRevokePermission::kPermissionMap = { |
76 | | {"all", PermissionType::ALL_PERMISSION }, |
77 | | {"alter", PermissionType::ALTER_PERMISSION}, |
78 | | {"create", PermissionType::CREATE_PERMISSION}, |
79 | | {"drop", PermissionType::DROP_PERMISSION }, |
80 | | {"select", PermissionType::SELECT_PERMISSION}, |
81 | | {"modify", PermissionType::MODIFY_PERMISSION}, |
82 | | {"authorize", PermissionType::AUTHORIZE_PERMISSION}, |
83 | | {"describe", PermissionType::DESCRIBE_PERMISSION} |
84 | | }; |
85 | | |
86 | | //-------------------------------------------------------------------------------------------------- |
87 | | |
88 | | PTGrantRevokePermission::PTGrantRevokePermission(MemoryContext* memctx, |
89 | | YBLocation::SharedPtr loc, |
90 | | client::GrantRevokeStatementType statement_type, |
91 | | const MCSharedPtr<MCString>& permission_name, |
92 | | const ResourceType& resource_type, |
93 | | const PTQualifiedName::SharedPtr& resource_name, |
94 | | const PTQualifiedName::SharedPtr& role_name) |
95 | | : TreeNode(memctx, loc), |
96 | | statement_type_(statement_type), |
97 | | permission_name_(permission_name), |
98 | | complete_resource_name_(resource_name), |
99 | | role_name_(role_name), |
100 | 815 | resource_type_(resource_type) { |
101 | 815 | } |
102 | | |
103 | 785 | PTGrantRevokePermission::~PTGrantRevokePermission() { |
104 | 785 | } |
105 | | |
106 | 815 | Status PTGrantRevokePermission::Analyze(SemContext* sem_context) { |
107 | 815 | SemState sem_state(sem_context); |
108 | 815 | RETURN_NOT_AUTH_ENABLED(sem_context); |
109 | | |
110 | | // We check for the existence of the resource in the catalog manager as |
111 | | // this should be a rare occurence. |
112 | | // TODO (Bristy): Should we use a cache for these checks? |
113 | | |
114 | 815 | auto iterator = kPermissionMap.find(string(permission_name_->c_str())); |
115 | 815 | if (iterator == kPermissionMap.end()) { |
116 | 0 | return sem_context->Error(this, Substitute("Unknown Permission '$0'", |
117 | 0 | permission_name_->c_str()).c_str(), |
118 | 0 | ErrorCode::SYNTAX_ERROR); |
119 | 0 | } |
120 | | |
121 | 815 | permission_ = iterator->second; |
122 | | |
123 | | // Check that the permission being granted is supported by the resource. |
124 | | // This check should be done before anything else. |
125 | 815 | if (permission_ != PermissionType::ALL_PERMISSION && |
126 | 747 | !valid_permission_for_resource(permission_, resource_type_)) { |
127 | | // Match apache cassandra's error message. |
128 | 46 | return sem_context->Error(loc(), |
129 | 46 | "Resource type DataResource does not support any of the requested permissions", |
130 | 46 | ErrorCode::SYNTAX_ERROR); |
131 | 46 | } |
132 | | |
133 | | // Processing the role name. |
134 | 769 | RETURN_NOT_OK(role_name_->AnalyzeName(sem_context, ObjectType::ROLE)); |
135 | 769 | switch (resource_type_) { |
136 | 252 | case ResourceType::KEYSPACE: { |
137 | 252 | if (complete_resource_name_->QLName() == common::kRedisKeyspaceName) { |
138 | 0 | return sem_context->Error(loc(), |
139 | 0 | strings::Substitute("$0 is a reserved keyspace name", |
140 | 0 | common::kRedisKeyspaceName).c_str(), |
141 | 0 | ErrorCode::INVALID_ARGUMENTS); |
142 | 0 | } |
143 | 252 | RETURN_NOT_OK(sem_context->CheckHasKeyspacePermission(loc(), |
144 | 252 | PermissionType::AUTHORIZE_PERMISSION, |
145 | 252 | complete_resource_name_->ToTableName().namespace_name())); |
146 | 240 | break; |
147 | 252 | } |
148 | 219 | case ResourceType::TABLE: { |
149 | 219 | RETURN_NOT_OK(complete_resource_name_->AnalyzeName(sem_context, ObjectType::TABLE)); |
150 | 219 | RETURN_NOT_OK(sem_context->CheckHasTablePermission(loc(), AUTHORIZE_PERMISSION, |
151 | 219 | complete_resource_name_->ToTableName())); |
152 | 203 | break; |
153 | 219 | } |
154 | 89 | case ResourceType::ROLE: { |
155 | 89 | RETURN_NOT_OK(complete_resource_name_->AnalyzeName(sem_context, ObjectType::ROLE)); |
156 | 89 | RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), AUTHORIZE_PERMISSION, |
157 | 89 | complete_resource_name_->QLName())); |
158 | 89 | break; |
159 | 89 | } |
160 | 140 | case ResourceType::ALL_KEYSPACES: { |
161 | 140 | RETURN_NOT_OK(sem_context->CheckHasAllKeyspacesPermission(loc(), AUTHORIZE_PERMISSION)); |
162 | 140 | break; |
163 | 140 | } |
164 | 69 | case ResourceType::ALL_ROLES: |
165 | 69 | RETURN_NOT_OK(sem_context->CheckHasAllRolesPermission(loc(), AUTHORIZE_PERMISSION)); |
166 | 69 | break; |
167 | 741 | } |
168 | | |
169 | 741 | PrintSemanticAnalysisResult(sem_context); |
170 | 741 | return Status::OK(); |
171 | 741 | } |
172 | | |
173 | | |
174 | 741 | void PTGrantRevokePermission::PrintSemanticAnalysisResult(SemContext* sem_context) { |
175 | 741 | MCString sem_output("\tGrant Permission ", sem_context->PTempMem()); |
176 | 741 | sem_output = sem_output + " Permission : " + permission_name_->c_str(); |
177 | 741 | sem_output = sem_output + " Resource : " + canonical_resource().c_str(); |
178 | 741 | sem_output = sem_output + " Role : " + role_name()->QLName().c_str(); |
179 | 0 | VLOG(3) << "SEMANTIC ANALYSIS RESULT (" << *loc_ << "):\n" << sem_output; |
180 | 741 | } |
181 | | |
182 | | } // namespace ql |
183 | | } // namespace yb |