/Users/deen/code/yugabyte-db/src/yb/yql/cql/ql/ptree/pt_grant_revoke.cc

Source (jump to first uncovered line)
//--------------------------------------------------------------------------------------------------
// Copyright (c) YugaByte, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
// in compliance with the License.  You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software distributed under the License
// is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
// or implied.  See the License for the specific language governing permissions and limitations
// under the License.
//
//
// Treenode definitions for GRANT statements.
//--------------------------------------------------------------------------------------------------

#include "yb/yql/cql/ql/ptree/pt_grant_revoke.h"

#include "yb/common/redis_constants_common.h"

#include "yb/gutil/strings/substitute.h"

#include "yb/yql/cql/ql/ptree/pt_option.h"
#include "yb/yql/cql/ql/ptree/sem_context.h"
#include "yb/yql/cql/ql/ptree/sem_state.h"
#include "yb/yql/cql/ql/ptree/yb_location.h"

DECLARE_bool(use_cassandra_authentication);

namespace yb {
namespace ql {

using std::shared_ptr;
using std::to_string;
using strings::Substitute;

//--------------------------------------------------------------------------------------------------
// GRANT Role Statement.

PTGrantRevokeRole::PTGrantRevokeRole(MemoryContext* memctx,
                                     YBLocation::SharedPtr loc,
                                     client::GrantRevokeStatementType statement_type,
                                     const MCSharedPtr<MCString>& granted_role_name,
                                     const MCSharedPtr<MCString>& recipient_role_name)
    : TreeNode(memctx, loc),
      statement_type_(statement_type),
      granted_role_name_(granted_role_name),
      recipient_role_name_(recipient_role_name) {}

PTGrantRevokeRole::~PTGrantRevokeRole() {
}

Status PTGrantRevokeRole::Analyze(SemContext* sem_context) {
  if (FLAGS_use_cassandra_authentication) {
    RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), PermissionType::AUTHORIZE_PERMISSION,
        recipient_role_name_->data()));
    RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), PermissionType::AUTHORIZE_PERMISSION,
        granted_role_name_->data()));
  }
  return Status::OK();
}

void PTGrantRevokeRole::PrintSemanticAnalysisResult(SemContext* sem_context) {
  MCString sem_output("\tGRANT Role ", sem_context->PTempMem());
  sem_output = sem_output + granted_role_name().c_str() +  " TO  " + recipient_role_name().c_str();
  VLOG(3) << "SEMANTIC ANALYSIS RESULT (" << *loc_ << "):\n" << sem_output;
}


//--------------------------------------------------------------------------------------------------
// GRANT Permission Statement.

// TODO (Bristy) : Move this into commn/util.
const std::map<std::string, PermissionType >  PTGrantRevokePermission::kPermissionMap = {
    {"all", PermissionType::ALL_PERMISSION },
    {"alter", PermissionType::ALTER_PERMISSION},
    {"create", PermissionType::CREATE_PERMISSION},
    {"drop", PermissionType::DROP_PERMISSION },
    {"select", PermissionType::SELECT_PERMISSION},
    {"modify", PermissionType::MODIFY_PERMISSION},
    {"authorize", PermissionType::AUTHORIZE_PERMISSION},
    {"describe", PermissionType::DESCRIBE_PERMISSION}
};

//--------------------------------------------------------------------------------------------------

PTGrantRevokePermission::PTGrantRevokePermission(MemoryContext* memctx,
                                                 YBLocation::SharedPtr loc,
                                                 client::GrantRevokeStatementType statement_type,
                                                 const MCSharedPtr<MCString>& permission_name,
                                                 const ResourceType& resource_type,
                                                 const PTQualifiedName::SharedPtr& resource_name,
                                                 const PTQualifiedName::SharedPtr& role_name)
    : TreeNode(memctx, loc),
      statement_type_(statement_type),
      permission_name_(permission_name),
      complete_resource_name_(resource_name),
      role_name_(role_name),
      resource_type_(resource_type) {
}

PTGrantRevokePermission::~PTGrantRevokePermission() {
}

Status PTGrantRevokePermission::Analyze(SemContext* sem_context) {
  SemState sem_state(sem_context);
  RETURN_NOT_AUTH_ENABLED(sem_context);

  // We check for the existence of the resource in the catalog manager as
  // this should be a rare occurence.
  // TODO (Bristy): Should we use a cache for these checks?

  auto iterator = kPermissionMap.find(string(permission_name_->c_str()));
  if (iterator == kPermissionMap.end()) {
    return sem_context->Error(this, Substitute("Unknown Permission '$0'",
                                               permission_name_->c_str()).c_str(),
                              ErrorCode::SYNTAX_ERROR);
  }

  permission_ = iterator->second;

  // Check that the permission being granted is supported by the resource.
  // This check should be done before anything else.
  if (permission_ != PermissionType::ALL_PERMISSION &&
      !valid_permission_for_resource(permission_, resource_type_)747) {
    // Match apache cassandra's error message.
    return sem_context->Error(loc(),
        "Resource type DataResource does not support any of the requested permissions",
        ErrorCode::SYNTAX_ERROR);
  }

  // Processing the role name.
  RETURN_NOT_OK(role_name_->AnalyzeName(sem_context, ObjectType::ROLE));
  switch (resource_type_) {
    case ResourceType::KEYSPACE: {
      if (complete_resource_name_->QLName() == common::kRedisKeyspaceName) {
        return sem_context->Error(loc(),
                                  strings::Substitute("$0 is a reserved keyspace name",
                                                      common::kRedisKeyspaceName).c_str(),
                                  ErrorCode::INVALID_ARGUMENTS);
      }
      RETURN_NOT_OK(sem_context->CheckHasKeyspacePermission(loc(),
          PermissionType::AUTHORIZE_PERMISSION,
          complete_resource_name_->ToTableName().namespace_name()));
      break;
    }
    case ResourceType::TABLE: {
      RETURN_NOT_OK(complete_resource_name_->AnalyzeName(sem_context, ObjectType::TABLE));
      RETURN_NOT_OK(sem_context->CheckHasTablePermission(loc(), AUTHORIZE_PERMISSION,
          complete_resource_name_->ToTableName()));
      break;
    }
    case ResourceType::ROLE: {
      RETURN_NOT_OK(complete_resource_name_->AnalyzeName(sem_context, ObjectType::ROLE));
      RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), AUTHORIZE_PERMISSION,
          complete_resource_name_->QLName()));
      break;
    }
    case ResourceType::ALL_KEYSPACES: {
      RETURN_NOT_OK(sem_context->CheckHasAllKeyspacesPermission(loc(), AUTHORIZE_PERMISSION));
      break;
    }
    case ResourceType::ALL_ROLES:
      RETURN_NOT_OK(sem_context->CheckHasAllRolesPermission(loc(), AUTHORIZE_PERMISSION));
      break;
  }

  PrintSemanticAnalysisResult(sem_context);
  return Status::OK();
}


void PTGrantRevokePermission::PrintSemanticAnalysisResult(SemContext* sem_context) {
  MCString sem_output("\tGrant Permission ", sem_context->PTempMem());
  sem_output =  sem_output + " Permission : " + permission_name_->c_str();
  sem_output =  sem_output + " Resource : " + canonical_resource().c_str();
  sem_output =  sem_output + " Role : " + role_name()->QLName().c_str();
  VLOG(3) << "SEMANTIC ANALYSIS RESULT (" << *loc_ << "):\n" << sem_output0;
}

}  // namespace ql
}  // namespace yb

Line	Count	Source (jump to first uncovered line)
1		//--------------------------------------------------------------------------------------------------
2		// Copyright (c) YugaByte, Inc.
3		//
4		// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
5		// in compliance with the License. You may obtain a copy of the License at
6		//
7		// http://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software distributed under the License
10		// is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
11		// or implied. See the License for the specific language governing permissions and limitations
12		// under the License.
13		//
14		//
15		// Treenode definitions for GRANT statements.
16		//--------------------------------------------------------------------------------------------------
17
18		#include "yb/yql/cql/ql/ptree/pt_grant_revoke.h"
19
20		#include "yb/common/redis_constants_common.h"
21
22		#include "yb/gutil/strings/substitute.h"
23
24		#include "yb/yql/cql/ql/ptree/pt_option.h"
25		#include "yb/yql/cql/ql/ptree/sem_context.h"
26		#include "yb/yql/cql/ql/ptree/sem_state.h"
27		#include "yb/yql/cql/ql/ptree/yb_location.h"
28
29		DECLARE_bool(use_cassandra_authentication);
30
31		namespace yb {
32		namespace ql {
33
34		using std::shared_ptr;
35		using std::to_string;
36		using strings::Substitute;
37
38		//--------------------------------------------------------------------------------------------------
39		// GRANT Role Statement.
40
41		PTGrantRevokeRole::PTGrantRevokeRole(MemoryContext* memctx,
42		YBLocation::SharedPtr loc,
43		client::GrantRevokeStatementType statement_type,
44		const MCSharedPtr<MCString>& granted_role_name,
45		const MCSharedPtr<MCString>& recipient_role_name)
46		: TreeNode(memctx, loc),
47		statement_type_(statement_type),
48		granted_role_name_(granted_role_name),
49	98	recipient_role_name_(recipient_role_name) {}
50
51	74	PTGrantRevokeRole::~PTGrantRevokeRole() {
52	74	}
53
54	98	Status PTGrantRevokeRole::Analyze(SemContext* sem_context) {
55	98	if (FLAGS_use_cassandra_authentication) {
56	98	RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), PermissionType::AUTHORIZE_PERMISSION,
57	98	recipient_role_name_->data()));
58	82	RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), PermissionType::AUTHORIZE_PERMISSION,
59	82	granted_role_name_->data()));
60	82	}
61	76	return Status::OK();
62	98	}
63
64	0	void PTGrantRevokeRole::PrintSemanticAnalysisResult(SemContext* sem_context) {
65	0	MCString sem_output("\tGRANT Role ", sem_context->PTempMem());
66	0	sem_output = sem_output + granted_role_name().c_str() + " TO " + recipient_role_name().c_str();
67	0	VLOG(3) << "SEMANTIC ANALYSIS RESULT (" << *loc_ << "):\n" << sem_output;
68	0	}
69
70
71		//--------------------------------------------------------------------------------------------------
72		// GRANT Permission Statement.
73
74		// TODO (Bristy) : Move this into commn/util.
75		const std::map<std::string, PermissionType > PTGrantRevokePermission::kPermissionMap = {
76		{"all", PermissionType::ALL_PERMISSION },
77		{"alter", PermissionType::ALTER_PERMISSION},
78		{"create", PermissionType::CREATE_PERMISSION},
79		{"drop", PermissionType::DROP_PERMISSION },
80		{"select", PermissionType::SELECT_PERMISSION},
81		{"modify", PermissionType::MODIFY_PERMISSION},
82		{"authorize", PermissionType::AUTHORIZE_PERMISSION},
83		{"describe", PermissionType::DESCRIBE_PERMISSION}
84		};
85
86		//--------------------------------------------------------------------------------------------------
87
88		PTGrantRevokePermission::PTGrantRevokePermission(MemoryContext* memctx,
89		YBLocation::SharedPtr loc,
90		client::GrantRevokeStatementType statement_type,
91		const MCSharedPtr<MCString>& permission_name,
92		const ResourceType& resource_type,
93		const PTQualifiedName::SharedPtr& resource_name,
94		const PTQualifiedName::SharedPtr& role_name)
95		: TreeNode(memctx, loc),
96		statement_type_(statement_type),
97		permission_name_(permission_name),
98		complete_resource_name_(resource_name),
99		role_name_(role_name),
100	815	resource_type_(resource_type) {
101	815	}
102
103	785	PTGrantRevokePermission::~PTGrantRevokePermission() {
104	785	}
105
106	815	Status PTGrantRevokePermission::Analyze(SemContext* sem_context) {
107	815	SemState sem_state(sem_context);
108	815	RETURN_NOT_AUTH_ENABLED(sem_context);
109
110		// We check for the existence of the resource in the catalog manager as
111		// this should be a rare occurence.
112		// TODO (Bristy): Should we use a cache for these checks?
113
114	815	auto iterator = kPermissionMap.find(string(permission_name_->c_str()));
115	815	if (iterator == kPermissionMap.end()) {
116	0	return sem_context->Error(this, Substitute("Unknown Permission '$0'",
117	0	permission_name_->c_str()).c_str(),
118	0	ErrorCode::SYNTAX_ERROR);
119	0	}
120
121	815	permission_ = iterator->second;
122
123		// Check that the permission being granted is supported by the resource.
124		// This check should be done before anything else.
125	815	if (permission_ != PermissionType::ALL_PERMISSION &&
126	815	!valid_permission_for_resource(permission_, resource_type_)747 ) {
127		// Match apache cassandra's error message.
128	46	return sem_context->Error(loc(),
129	46	"Resource type DataResource does not support any of the requested permissions",
130	46	ErrorCode::SYNTAX_ERROR);
131	46	}
132
133		// Processing the role name.
134	769	RETURN_NOT_OK(role_name_->AnalyzeName(sem_context, ObjectType::ROLE));
135	769	switch (resource_type_) {
136	252	case ResourceType::KEYSPACE: {
137	252	if (complete_resource_name_->QLName() == common::kRedisKeyspaceName) {
138	0	return sem_context->Error(loc(),
139	0	strings::Substitute("$0 is a reserved keyspace name",
140	0	common::kRedisKeyspaceName).c_str(),
141	0	ErrorCode::INVALID_ARGUMENTS);
142	0	}
143	252	RETURN_NOT_OK(sem_context->CheckHasKeyspacePermission(loc(),
144	252	PermissionType::AUTHORIZE_PERMISSION,
145	252	complete_resource_name_->ToTableName().namespace_name()));
146	240	break;
147	252	}
148	240	case ResourceType::TABLE: {
149	219	RETURN_NOT_OK(complete_resource_name_->AnalyzeName(sem_context, ObjectType::TABLE));
150	219	RETURN_NOT_OK(sem_context->CheckHasTablePermission(loc(), AUTHORIZE_PERMISSION,
151	219	complete_resource_name_->ToTableName()));
152	203	break;
153	219	}
154	203	case ResourceType::ROLE: {
155	89	RETURN_NOT_OK(complete_resource_name_->AnalyzeName(sem_context, ObjectType::ROLE));
156	89	RETURN_NOT_OK(sem_context->CheckHasRolePermission(loc(), AUTHORIZE_PERMISSION,
157	89	complete_resource_name_->QLName()));
158	89	break;
159	89	}
160	140	case ResourceType::ALL_KEYSPACES: {
161	140	RETURN_NOT_OK(sem_context->CheckHasAllKeyspacesPermission(loc(), AUTHORIZE_PERMISSION));
162	140	break;
163	140	}
164	140	case ResourceType::ALL_ROLES:
165	69	RETURN_NOT_OK(sem_context->CheckHasAllRolesPermission(loc(), AUTHORIZE_PERMISSION));
166	69	break;
167	769	}
168
169	741	PrintSemanticAnalysisResult(sem_context);
170	741	return Status::OK();
171	769	}
172
173
174	741	void PTGrantRevokePermission::PrintSemanticAnalysisResult(SemContext* sem_context) {
175	741	MCString sem_output("\tGrant Permission ", sem_context->PTempMem());
176	741	sem_output = sem_output + " Permission : " + permission_name_->c_str();
177	741	sem_output = sem_output + " Resource : " + canonical_resource().c_str();
178	741	sem_output = sem_output + " Role : " + role_name()->QLName().c_str();
179	741	VLOG (3) << "SEMANTIC ANALYSIS RESULT (" << *loc_ << "):\n" << sem_output0 ;
180	741	}
181
182		} // namespace ql
183		} // namespace yb

YugabyteDB (2.13.1.0-b60, 21121d69985fbf76aa6958d8f04a9bfa936293b5)

Coverage Report

Created: 2022-03-22 16:43