Adding Grantor Information in sys.babelfish_schema_permissions catalog#73
Adding Grantor Information in sys.babelfish_schema_permissions catalog#73shreyeah38 wants to merge 22 commits intoamazon-aurora:bbf-database-permission-viewfrom
Conversation
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
shreyeah38
changed the title
shreyeah38
changed the title
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
…updated primary key Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
| function_args TEXT COLLATE "C", | ||
| grantor sys.NVARCHAR(128) COLLATE sys.database_default, | ||
| PRIMARY KEY(dbid, schema_name, object_name, grantee, object_type) | ||
| PRIMARY KEY(dbid, schema_name, object_name, permission, grantee, object_type, grantor) |
There was a problem hiding this comment.
Why is permission a primary key?
There was a problem hiding this comment.
Now we store "grant" permissions and "grant with options" permissions in 2 different rows. If there's no primary key on permission if would lead to an error when all the parameters are same except the permission.
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
| new_record_bbf_schema[Anum_bbf_schema_perms_permission - 1] = Int32GetDatum(current_permission); | ||
| new_record_repl_bbf_schema[Anum_bbf_schema_perms_permission - 1] = true; | ||
|
|
||
| new_tuple = heap_modify_tuple(tuple_bbf_schema, |
There was a problem hiding this comment.
We are not releasing tuple_bbf_schema, Make sure to release this using ReleaseSysCache.
Also in this file, I see multiple such instances where we haven't actually released it.
…e, function or procedure Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Pull Request Test Coverage Report for Build 15847758092Details
💛 - Coveralls |
contrib/babelfishpg_tsql/src/hooks.c
Outdated
| /* | ||
| * Special database roles should throw an error. | ||
| */ | ||
| if(strcmp(grantee, PUBLIC_ROLE_NAME) != 0) | ||
| { | ||
| throw_error_for_fixed_db_role((char *) grantee, dbname); | ||
| } |
contrib/babelfishpg_tsql/src/hooks.c
Outdated
| /* | ||
| * Remove all entries from normal grants | ||
| */ | ||
| update_privileges_of_object(logical_schema, object_name, old_priv_normal_grant, grantee, OBJ_RELATION, false, grantor, false); |
There was a problem hiding this comment.
Blocking: There is high chances of race condition here.
| * The following hook aims to add/remove entries into BBF schema permissions catalog | ||
| */ | ||
| static bool | ||
| update_bbf_schema_permissions_catalog(AclMode privileges, bool is_grant, List *grantees, |
There was a problem hiding this comment.
Nit:
- Please add explanatory description and comments.
- Indentation
The following hook->Function update_bbf_schema_permissions_catalogBBF->Babelfish[Lets not use acronym in description]
There was a problem hiding this comment.
Thanks, will make the changes
| /* | ||
| * If grantor ends with "_bbfobj", remove the suffix as this is an internal BBF role. | ||
| */ |
There was a problem hiding this comment.
How can the grantor be _bbfobj for grant on schema in T-SQL?
There was a problem hiding this comment.
This is the case when the schema_owner is the member of db_owner user role, this sets the grantor to be _bbfobj
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Signed-off-by: Shreya Rai <shreyaxr@amazon.com>
Imran-imtiaz48
left a comment
Imran-imtiaz48
left a comment
There was a problem hiding this comment.
This script demonstrates a well-structured and advanced implementation of database permission mapping using Common Table Expressions (CTEs), bitwise operations, and role-based access logic in a Babelfish-compatible PostgreSQL environment. The use of GRANT, CREATE OR REPLACE VIEW, and JOIN LATERAL shows a solid understanding of both SQL Server-style and PostgreSQL-style syntax. The permission_mapping CTE is thoughtfully constructed to map bit values to permission names and type codes, enhancing readability and maintainability. The main view, sys.database_permissions, effectively combines permissions from multiple object types (database, schema, object) while dynamically resolving principals and ensuring correct filtering through pg_has_role checks. One suggestion for improvement would be to modularize repeated expressions (e.g., pg_has_role(...)) into reusable components or helper functions if the environment allows. Also, ensuring consistent and thorough commenting would help future developers quickly understand the complex logic. Overall, this is a strong and comprehensive implementation of a permissions view with well-handled edge cases and system compatibility.
7 participants
Description
The following PR adds grantor information in
sys.babelfish_schema_permissionscatalog, addressing a current limitation in Babelfish.The functionality is achieved by hook implementation and reversing the flow of GRANT / REVOKE statement in Babelfish. This enhancement enables users to view grantor of various permissions.
Another functionality added is the storage of database-level CONNECT permission granted to users. This PR also provides a distinction between the storage of normal permissions and permissions with grant option in
sys.babelfish_schema_permissionscatalog.Part of Jira - BABEL-5690
Engine PR : amazon-aurora/postgresql_modified_for_babelfish#132
Signed-off-by: Shreya Rai shreyaxr@amazon.com