New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CBRD-25268] Refactor authenticate module #5073
base: develop
Are you sure you want to change the base?
Conversation
…egalArgumentException when rows value is zero
…related functions to authenticate_grant
…ons, some refactoring
… about backward compat
…ted to authenticate, change not to expose the link array
…lling authenticate_cache related function as follow 'Au_cache.func()'
…sn't have to exposed to public
…expose au_check_owner to public
@@ -1049,7 +1049,8 @@ csql_do_session_cmd (char *line_read, CSQL_ARGUMENT * csql_arg) | |||
{ | |||
if (csql_arg->sysadm && au_is_dba_group_member (Au_user)) | |||
{ | |||
au_disable (); | |||
int dummy; | |||
AU_DISABLE (dummy); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AU_DISABLE (dummy); | |
Au_disable = true; |
dummy is not used after this line and can be removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To hide Au_disable, I prefer to call AU_DISABLE (value)
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!!
…(), getter function. here null checking is done too
http://jira.cubrid.org/browse/CBRD-25268
This PR refactors
authenticate.c
file into serveral files according to the following code analysis.Background
Terms (Authenticate, Authorization)
CUBRID's Authenticate module handles authentication and authorization processing for users and database objects. Two key concepts related to this are:
Specifically, CUBRID is responsible for the following functionalities:
System Catalogs
In CUBRID, information related to user management and database object privileges is managed through system catalog tables.
The database objects that can be assigned privileges, their system catalog names, and a brief description are as follows:
The followings are the system catalogs that manage user and password information, as well as granting information.
For more details of schema information for each system catalog, refer to the CUBRID manual.
💡 As of version 11.3, _db_auth and db_authorization manage granting information for tables and views (_db_class) only. Other database objects are only supported for owner changes. In version 11.4, privilege assignment will be expanded to other objects beyond tables and views.Overview
createdb
builds system catalogs related to user and granting information in cub_server.unloaddb
exports user and granting information.cubridcs
andcubridsa
handle authentication and authorization for database resources (objects).Architecture
unloaddb
,createdb
,cubridcs
, andcubridsa
use different entry point APIs of the authenticate module.createdb
: Callsau_install()
to build the related system catalogs.createdb
is a SA_ONLY utility that performs database creation through the client-side logic of the SA library.unloaddb
: Reads user and granting information and writes it as text (CUBRID's unloaddb form) for migration.cubridcs
,cubridsa
: Use key features like login, authentication, and authorization by connecting tocub_server
through utilities likecsql
,cub_cas
, andCS
utility.authenticate_context
: Handles user login and holds environment information for authentication/authorization of the currently connected user.authenticate_cache
: Memory cache to prevent meaningless repetitive catalog information access/changes in runtime. Also used for memory representation of relevant information.authenticate_owner
: Collection of routines to handle owner changes for database objects (user-based authorization).authenticate_grant
: Processes grant/revoke statements. Provides the following two APIs to either retrieve complex join relationships in memory representation (authenticate_cache
) or apply changes in the cache to the system catalog.get_grants()
apply_grants()
authenticate_access_XXX
: CRUD processing for each catalog schema.authenticate_migration
: Routine processing for migrating user and grant information usingunloaddb
.Structures and APIs
The following is an introduction to the key data structures and APIs of the authenticate module.
cubridcs
, which includes the authenticate module, is a single-threaded structure, meaning most of the called APIs are not thread-safe.Key Variables (OID)
System Catalog Class OIDs
Au_authorizations_class
: Class OID ofdb_root
Au_authorization_class
: Class OID ofdb_authorization
Au_user_class
: Class OID ofdb_user
Au_password_class
: Class OID ofdb_password
OIDs of Records in System Catalogs
Au_root
: Unique instance (row) OID ofdb_root
(∈db_root
)Au_dba_user
: OID of the DBA user (∈db_user
)Au_public_user
: OID of the PUBLIC user (∈db_user
)Au_user
: OID of the currently logged-in user (∈db_user
)Operational Variables
Au_disable
: Authorization check flag; if true (1), authorization checks are bypassed.Au_user_name
: Name of the currently logged-in user.Au_user_password...
: Encrypted password information of the currently logged-in user.authenticate_cache
Au_cache
: Memory cache of privilege information obtained by accessing the system catalog.Key Functions
Lifecycle Functions
au_init (void)
: Initializes key variables in memory. Does not fetch actual values from the DB server.au_install (void)
: Called by thecreatedb
utility and creates the privilege-related system catalogs on the DB server as described above.au_start (void)
: Called by utilities likecubridcs
orcubridsa
, which include CAS, CSQL, and CS libraries. Fetches privilege-related information from the DB server into memory structures and performs login.au_final (void)
: Removes key variable information from memory.Authenticate Context Functions
The authenticate context holds comprehensive information managed by login and user status change APIs during runtime.
set_user (user)
set_password (user, password, ...)
login (name, password, ignore_dba_priv)
disable_password (void)
Getters:
get_public_user()
,get_dba_user()
,get_current_user_name()
,get_public_user_name()
,get_user_class_name()
Authorization Functions
au_grant ()
au_revoke ()
Owner Access/Change Functions
au_change_owner (DB_RESOURCE_TYPE, )
: Changes the owner without considering inheritance or partitions.au_change_class_owner ()
: Changes the owner considering inheritance and partitions.au_change_serial_owner ()
au_change_trigger_owner ()
au_change_sp_owner ()
au_get_class_owner ()
Migration Functions for
unloaddb
au_export_users ()
au_export_grants ()
Debugging Functions
au_dump (void)
au_dump_to_file (FILE)
au_dump_user (user, FILE)
au_dump_auth (FILE)