diff --git a/contrib/babelfishpg_tsql/sql/ownership.sql b/contrib/babelfishpg_tsql/sql/ownership.sql index b7db670ef9d..ead72faff5c 100644 --- a/contrib/babelfishpg_tsql/sql/ownership.sql +++ b/contrib/babelfishpg_tsql/sql/ownership.sql @@ -26,7 +26,7 @@ CREATE TABLE sys.babelfish_schema_permissions ( object_type CHAR(1) NOT NULL COLLATE sys.database_default, function_args TEXT COLLATE "C", grantor sys.NVARCHAR(128) COLLATE sys.database_default, - PRIMARY KEY(dbid, schema_name, object_name, grantee, object_type) + PRIMARY KEY(dbid, schema_name, object_name, permission, grantee, object_type, grantor) ); -- BABELFISH_FUNCTION_EXT diff --git a/contrib/babelfishpg_tsql/sql/sys_views.sql b/contrib/babelfishpg_tsql/sql/sys_views.sql index f4e4548d595..2b91118d699 100644 --- a/contrib/babelfishpg_tsql/sql/sys_views.sql +++ b/contrib/babelfishpg_tsql/sql/sys_views.sql 
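Review bot: `grantor` joins the primary key while its definition a few lines above still omits `NOT NULL`; PostgreSQL enforces the constraint through the key, but the column line should state it explicitly — `grantor sys.NVARCHAR(128) NOT NULL COLLATE sys.database_default,` — so readers of the DDL and the upgrade script (which must backfill the column first) see the requirement where the column is declared. Adding the `permission` bitmask to the key also means one grant subject can now legitimately own several rows that differ only in permission bits, so every reader of this table has to iterate instead of taking the first match; a one-line comment above the key stating that intent would stop a later maintainer from "fixing" it. The `CREATE TABLE` starts before the hunk.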
@@ -3588,22 +3588,121 @@ SELECT WHERE FALSE; GRANT SELECT ON sys.sql_expression_dependencies TO PUBLIC; -CREATE OR REPLACE VIEW sys.database_permissions -AS +CREATE OR REPLACE VIEW sys.database_permissions +AS +WITH current_db AS ( + SELECT sys.db_name() AS dbname, sys.db_id() AS current_db_id +), +permission_mapping AS ( + SELECT * FROM (VALUES + (1, 'INSERT', 'IN'), + (2, 'SELECT', 'SL'), + (4, 'UPDATE', 'UP'), + (8, 'DELETE', 'DL'), + (32, 'REFERENCES', 'RF'), + (128, 'EXECUTE', 'EX'), + (2048, 'CONNECT', 'CO') + ) AS pm(bit, permission_name, type_code) +) +SELECT + CASE bsp.object_type + WHEN 'd' THEN CAST(0 AS sys.tinyint) + WHEN 's' THEN CAST(3 AS sys.tinyint) + ELSE CAST(1 AS sys.tinyint) + END AS class, + + CASE bsp.object_type + WHEN 'd' THEN CAST('DATABASE' AS sys.NVARCHAR(60)) COLLATE sys."bbf_unicode_cp1_ci_as" + WHEN 's' THEN CAST('SCHEMA' AS sys.NVARCHAR(60)) COLLATE sys."bbf_unicode_cp1_ci_as" + ELSE CAST('OBJECT_OR_COLUMN' AS sys.NVARCHAR(60)) COLLATE sys."bbf_unicode_cp1_ci_as" + END AS class_desc, + + CASE bsp.object_type + WHEN 'd' THEN CAST(0 AS sys.int) + WHEN 's' THEN CAST(s.schema_id AS sys.int) + ELSE CAST(o.object_id AS sys.int) + END AS major_id, + + CAST(0 AS sys.int) AS minor_id, + + CAST( + CASE + WHEN bsp.grantee = 'public' THEN sys.USER_ID('public') + ELSE sys.USER_ID(SUBSTRING(bsp.grantee FROM LENGTH(db.dbname) + 2)) + END AS sys.int + ) AS grantee_principal_id, + + CAST( + CASE + WHEN bsp.grantor = 'public' THEN sys.USER_ID('public') + ELSE sys.USER_ID(SUBSTRING(bsp.grantor FROM LENGTH(db.dbname) + 2)) + END AS sys.int + ) AS grantor_principal_id, + + CAST(pm.type_code AS sys.BPCHAR(4)) COLLATE sys."bbf_unicode_cp1_ci_as" AS type, + CAST(pm.permission_name AS sys.NVARCHAR(128)) COLLATE sys."bbf_unicode_cp1_ci_as" AS permission_name, + + CAST( + CASE + WHEN (bsp.permission & 256) != 0 THEN 'W' + ELSE 'G' + END AS sys.BPCHAR(1) + ) COLLATE sys."bbf_unicode_cp1_ci_as" AS state, + + CAST( + CASE + WHEN (bsp.permission & 256) != 0 THEN 
'GRANT_WITH_GRANT_OPTION' + ELSE 'GRANT' + END AS sys.NVARCHAR(60) + ) COLLATE sys."bbf_unicode_cp1_ci_as" AS state_desc + +FROM sys.babelfish_schema_permissions bsp +CROSS JOIN current_db db +LEFT JOIN sys.schemas s + ON bsp.schema_name = s.name AND bsp.object_type = 's' +LEFT JOIN sys.objects o + ON bsp.object_name = o.name AND bsp.object_type NOT IN ('d', 's') +JOIN LATERAL ( + SELECT permission_name, type_code + FROM permission_mapping + WHERE (bsp.permission & bit) != 0 +) pm ON TRUE +WHERE bsp.dbid = db.current_db_id + AND ( + pg_has_role(current_user, db.dbname || '_dbo', 'MEMBER') + OR pg_has_role(current_user, db.dbname || '_db_owner', 'MEMBER') + OR pg_has_role(current_user, db.dbname || '_db_securityadmin', 'MEMBER') + OR pg_has_role(current_user, db.dbname || '_db_accessadmin', 'MEMBER') + OR bsp.grantee COLLATE sys."bbf_unicode_cp1_ci_as" = CURRENT_USER + OR bsp.grantor COLLATE sys."bbf_unicode_cp1_ci_as" = CURRENT_USER + OR bsp.grantee = 'public' + OR bsp.grantor = 'public' + ) + +UNION ALL + SELECT - CAST(0 as sys.tinyint) AS class, - CAST('' as sys.NVARCHAR(60)) AS class_desc, - CAST(0 as sys.int) AS major_id, - CAST(0 as sys.int) AS minor_id, - CAST(0 as sys.int) AS grantee_principal_id, - CAST(0 as sys.int) AS grantor_principal_id, - CAST('a' as sys.BPCHAR(4)) AS type, - CAST('' as sys.NVARCHAR(128)) AS permission_name, - CAST('G' as sys.BPCHAR(1)) AS state, - CAST('' as sys.NVARCHAR(60)) AS state_desc -WHERE FALSE; + CAST(0 AS sys.tinyint) AS class, + CAST('DATABASE' AS sys.NVARCHAR(60)) COLLATE sys."bbf_unicode_cp1_ci_as" AS class_desc, + CAST(0 AS sys.int) AS major_id, + CAST(0 AS sys.int) AS minor_id, + CAST(sys.USER_ID('dbo') AS sys.int) AS grantee_principal_id, + CAST(sys.USER_ID('dbo') AS sys.int) AS grantor_principal_id, + CAST('CO' AS sys.BPCHAR(4)) COLLATE sys."bbf_unicode_cp1_ci_as" AS type, + CAST('CONNECT' AS sys.NVARCHAR(128)) COLLATE sys."bbf_unicode_cp1_ci_as" AS permission_name, + CAST('G' AS sys.BPCHAR(1)) COLLATE 
sys."bbf_unicode_cp1_ci_as" AS state, + CAST('GRANT' AS sys.NVARCHAR(60)) COLLATE sys."bbf_unicode_cp1_ci_as" AS state_desc +WHERE EXISTS ( + SELECT 1 + FROM current_db db + WHERE pg_has_role(current_user, db.dbname || '_dbo', 'MEMBER') + OR pg_has_role(current_user, db.dbname || '_db_owner', 'MEMBER') + OR pg_has_role(current_user, db.dbname || '_db_securityadmin', 'MEMBER') +); + GRANT SELECT ON sys.database_permissions TO PUBLIC; + CREATE OR REPLACE VIEW sys.availability_replicas AS SELECT CAST(NULL as sys.UNIQUEIDENTIFIER) AS replica_id diff --git a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--5.2.0--5.3.0.sql b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--5.2.0--5.3.0.sql index 699db7566fc..c5cb79e15ff 100644 --- a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--5.2.0--5.3.0.sql +++ b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--5.2.0--5.3.0.sql @@ -464,6 +464,19 @@ WHERE sch.nspname = t.typnamespace::regnamespace::name AND t.typtypmod = -1 AND t.typtype = 'd'; +/* + * Update grantor to 'dbo' before altering primary key, to avoid grantor is NULL error + */ +UPDATE sys.babelfish_schema_permissions +SET grantor = 'master_dbo'; + +-- Babelfish catalog tables are marked system tables and postgres does not normally allow modification on +-- system tables so need to temporarily set allow_system_table_mods to update the primary key of babelfish_function_ext. +SET allow_system_table_mods = ON; +ALTER TABLE sys.babelfish_schema_permissions DROP CONSTRAINT babelfish_schema_permissions_pkey; +ALTER TABLE sys.babelfish_schema_permissions ADD CONSTRAINT babelfish_schema_permissions_pkey PRIMARY KEY(dbid, schema_name, object_name, permission, grantee, object_type, grantor); +RESET allow_system_table_mods; + -- Drops the temporary procedure used by the upgrade script. -- Please have this be one of the last statements executed in this upgrade script. DROP PROCEDURE sys.babelfish_drop_deprecated_object(varchar, varchar, varchar); 
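Review bot: `LEFT JOIN sys.objects o ON bsp.object_name = o.name AND bsp.object_type NOT IN ('d', 's')` matches by object name alone, so when two schemas in the database hold a same-named object the permission row is duplicated and `major_id` can carry the other schema's `object_id`; pin the schema as well, e.g. join `sys.schemas os ON os.name = bsp.schema_name` and add `AND o.schema_id = os.schema_id` to the objects join. The `WHERE` role list is the visibility boundary of this view (dbo/db_owner/db_securityadmin/db_accessadmin members plus the grantee and grantor), so a comment above it stating that the list is meant to mirror who may read permissions in T-SQL would make future additions deliberate rather than incidental. `sys.USER_ID(SUBSTRING(bsp.grantee FROM LENGTH(db.dbname) + 2))` presumably assumes every stored grantee is prefixed with `<dbname>_`; if a bare name can ever be stored, the lookup silently yields NULL, which deserves either a comment or a `CASE` guard.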
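Review bot: `UPDATE sys.babelfish_schema_permissions SET grantor = 'master_dbo';` has no `WHERE`, so it overwrites every existing grantor in every database — not just the NULL rows the comment says it is protecting against — and stamps the master database's dbo onto rows whose `dbid` belongs to other databases; restrict it with `WHERE grantor IS NULL` and derive the value from the row's dbid (the `<dbname>_dbo` form the C side builds) instead of a fixed literal. Because `sys.database_permissions` now shows rows to whoever matches `grantor`, a wrongly backfilled grantor also changes who can see those rows. Both comments need correcting too: the block comment says `'dbo'` while the statement writes `'master_dbo'`, and the `allow_system_table_mods` comment refers to `babelfish_function_ext` while the `ALTER TABLE` targets `babelfish_schema_permissions`.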
diff --git a/contrib/babelfishpg_tsql/src/catalog.c b/contrib/babelfishpg_tsql/src/catalog.c index c036f0d73f7..5afb1bb7c51 100644 --- a/contrib/babelfishpg_tsql/src/catalog.c +++ b/contrib/babelfishpg_tsql/src/catalog.c @@ -1708,7 +1708,7 @@ get_bbf_schema_perms_oid() return bbf_schema_perms_oid; } -static Oid +Oid get_bbf_schema_perms_idx_oid() { if (!OidIsValid(bbf_schema_perms_idx_oid)) @@ -1928,6 +1928,7 @@ static Datum get_function_nspname(HeapTuple tuple, TupleDesc dsc); static Datum get_function_name(HeapTuple tuple, TupleDesc dsc); static Datum get_perms_schema_name(HeapTuple tuple, TupleDesc dsc); static Datum get_perms_grantee_name(HeapTuple tuple, TupleDesc dsc); +static Datum get_perms_grantor_name(HeapTuple tuple, TupleDesc dsc); static Datum get_server_name(HeapTuple tuple, TupleDesc dsc); static Datum get_partition_function_dbname(HeapTuple tuple, TupleDesc dsc); static Datum get_partition_scheme_dbname(HeapTuple tuple, TupleDesc dsc); @@ -1941,6 +1942,7 @@ static bool is_singledb_exists_userdb(void); /* Rule validation function declaration */ static bool check_exist(void *arg, HeapTuple tuple); +static bool is_database_level_permission_or_public_grantee(void *arg, HeapTuple tuple); static bool check_rules(Rule rules[], size_t num_rules, HeapTuple tuple, TupleDesc dsc, Tuplestorestate *res_tupstore, TupleDesc res_tupdesc); static bool check_must_match_rules(Rule rules[], size_t num_rules, Oid catalog_oid, @@ -1958,7 +1960,6 @@ static void rename_view_update_bbf_catalog(RenameStmt *stmt); static void rename_procfunc_update_bbf_catalog(RenameStmt *stmt); static void rename_object_update_bbf_schema_permission_catalog(RenameStmt *stmt, int rename_type); -static int get_privilege_of_object(const char *schema_name, const char *object_name, const char *grantee, const char *object_type); /***************************************** * Catalog Extra Info 
@@ -2082,9 +2083,11 @@ Rule must_match_rules_function[] = Rule must_match_rules_schema_permission[] = { {" in babelfish_schema_permissions must also exist in babelfish_namespace_ext", - "babelfish_namespace_ext", "nspname", NULL, get_perms_schema_name, NULL, check_exist, NULL}, + "babelfish_namespace_ext", "nspname", NULL, get_perms_schema_name, NULL, is_database_level_permission_or_public_grantee, NULL}, {" in babelfish_schema_permissions must also exist in pg_authid", - "pg_authid", "rolname", NULL, get_perms_grantee_name, NULL, check_exist, NULL} + "pg_authid", "rolname", NULL, get_perms_grantee_name, NULL, is_database_level_permission_or_public_grantee, NULL}, + {" in babelfish_schema_permissions must also exist in pg_authid", + "pg_authid", "rolname", NULL, get_perms_grantor_name, NULL, is_database_level_permission_or_public_grantee, NULL} }; /* babelfish_server_options */ @@ -2585,6 +2588,17 @@ get_perms_grantee_name(HeapTuple tuple, TupleDesc dsc) return CStringGetDatum(grantee_name); } +static Datum +get_perms_grantor_name(HeapTuple tuple, TupleDesc dsc) +{ + bool isNull; + Datum grantor_datum = heap_getattr(tuple, Anum_bbf_schema_perms_grantor, dsc, &isNull); + char *grantor_name = pstrdup(TextDatumGetCString(grantor_datum)); + truncate_identifier(grantor_name, strlen(grantor_name), false); + + return CStringGetDatum(grantor_name); +} + static Datum get_server_name(HeapTuple tuple, TupleDesc dsc) { 
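Review bot: The new grantor rule reuses the exact description `" in babelfish_schema_permissions must also exist in pg_authid"` of the grantee rule above it, so a consistency report built from this table cannot distinguish a dangling grantor from a dangling grantee; give each its own text, e.g. `" (grantor) in babelfish_schema_permissions must also exist in pg_authid"` and `" (grantee) ..."`. All three entries now route through `is_database_level_permission_or_public_grantee`, which returns true for any `object_type = 'd'` row and for any `public` grantee regardless of which catalog the rule targets; if I read that right, a database-level grant whose grantee or grantor no longer exists in `pg_authid` is never reported, although the `'d'` skip is only justified for the namespace rule and the `public` skip only for the authid rules.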
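Review bot: `get_perms_grantor_name` receives `isNull` from `heap_getattr` and then ignores it, so a row with a NULL grantor (possible on any cluster where the upgrade backfill did not run to completion, since the column itself is not declared `NOT NULL`) dereferences a null Datum inside `TextDatumGetCString` during a consistency check; guard it first with `if (isNull) ereport(ERROR, (errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), errmsg("grantor should not be null in babelfish_schema_permissions catalog")));` before the `pstrdup`. The grantee sibling above appears to follow the same pattern and would benefit from the same guard.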
@@ -2814,6 +2828,43 @@ check_exist(void *arg, HeapTuple tuple) return found; } +/* + * The following function checks whether the permission is database level permission. + * In a database level permission, schema-name is set as ALL. + * To exclude ALL from metadata inconsistency, this function passes true in case of a database level permission. + * Similarly, it checks for "public" grantee, to exclude "public" from metadata inconsistency. + */ +static bool +is_database_level_permission_or_public_grantee(void *arg, HeapTuple tuple) +{ + Rule *rule; + TupleDesc dsc; + bool object_type_is_null; + const char *object_type_str; + Datum object_type; + bool grantee_is_null; + const char *grantee_str; + Datum grantee; + + rule = (Rule *) arg; + dsc = rule->tupdesc; + + object_type = heap_getattr(tuple, Anum_bbf_schema_perms_object_type, dsc, &object_type_is_null); + object_type_str= TextDatumGetCString(object_type); + + grantee = heap_getattr(tuple, Anum_bbf_schema_perms_grantee, dsc, &grantee_is_null); + grantee_str = TextDatumGetCString(grantee); + + if (object_type_is_null) + ereport(ERROR, + (errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), + errmsg("schema name should not be null in babelfish_schema_permissions catalog"))); + + if ((strcmp(object_type_str, "d") == 0 ) || (strcmp(grantee_str, PUBLIC_ROLE_NAME) == 0)) + return true; + return check_exist(arg, tuple); +} + /***************************************** * Helper functions *****************************************/ @@ -2952,6 +3003,7 @@ void alter_user_can_connect(bool is_grant, char *user_name, char *db_name) { Relation bbf_authid_user_ext_rel; + Relation bbf_schema_perm_rel; TupleDesc bbf_authid_user_ext_dsc; ScanKeyData key[2]; HeapTuple usertuple; 
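Review bot: The null checks come too late: `TextDatumGetCString(object_type)` and `TextDatumGetCString(grantee)` run before `object_type_is_null` is tested, and `grantee_is_null` is never tested at all, so a NULL in either column crashes the backend inside the consistency checker instead of producing a report. The error text also names the wrong column (`schema name` for the object-type attribute). Reorder so each conversion follows its own check, as below. The `'d'`-or-public bypass returns true for every rule this function is attached to, so a database-level row with a nonexistent grantee or grantor is never flagged; if that is unintended, the bypass should depend on which catalog `rule` targets.
```c
object_type = heap_getattr(tuple, Anum_bbf_schema_perms_object_type, dsc, &object_type_is_null);
if (object_type_is_null)
	ereport(ERROR,
			(errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED),
			 errmsg("object type should not be null in babelfish_schema_permissions catalog")));
object_type_str = TextDatumGetCString(object_type);

grantee = heap_getattr(tuple, Anum_bbf_schema_perms_grantee, dsc, &grantee_is_null);
if (grantee_is_null)
	ereport(ERROR,
			(errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED),
			 errmsg("grantee should not be null in babelfish_schema_permissions catalog")));
grantee_str = TextDatumGetCString(grantee);

/* … unchanged: 'd' / PUBLIC_ROLE_NAME bypass and check_exist fallthrough … */
```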
@@ -2960,6 +3012,10 @@ alter_user_can_connect(bool is_grant, char *user_name, char *db_name) Datum new_record_user_ext[BBF_AUTHID_USER_EXT_NUM_COLS]; bool new_record_nulls_user_ext[BBF_AUTHID_USER_EXT_NUM_COLS]; bool new_record_repl_user_ext[BBF_AUTHID_USER_EXT_NUM_COLS]; + const char *grantee = psprintf("%s_%s", db_name, user_name); + const char *grantor = psprintf("%s_dbo", db_name); + ScanKeyData scanKey[6]; + // SysScanDesc scan; bbf_authid_user_ext_rel = table_open(get_authid_user_ext_oid(), RowExclusiveLock); 
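Review bot: `// SysScanDesc scan;` is dead code left in the declarations (its partners `// scan = systable_beginscan(...)` and `// systable_endscan(scan);` sit in the next hunk of this function); delete all three rather than shipping commented-out code. The `grantee`/`grantor` strings are built as `<db>_<user>` and `<db>_dbo`, which presumably mirrors the PostgreSQL role names Babelfish creates for database users; a one-line comment saying these must follow that role-name convention, because `sys.database_permissions` compares the stored grantee against `CURRENT_USER`, would tie the two sides together for the next reader. `alter_user_can_connect` continues outside the hunk.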
@@ -2989,14 +3045,77 @@ alter_user_can_connect(bool is_grant, char *user_name, char *db_name) (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("Cannot find the user \"%s\", because it does not exist or you do not have permission.", user_name))); + /* Open the schema permission catalog for connect privilege update */ + bbf_schema_perm_rel = table_open(get_bbf_schema_perms_oid(), RowExclusiveLock); + + ScanKeyInit(&scanKey[0], + Anum_bbf_schema_perms_dbid, + BTEqualStrategyNumber, F_INT2EQ, + Int16GetDatum(get_cur_db_id())); + ScanKeyEntryInitialize(&scanKey[1], 0, + Anum_bbf_schema_perms_schema_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(PERMISSIONS_FOR_DATABASE)); + ScanKeyEntryInitialize(&scanKey[2], 0, + Anum_bbf_schema_perms_object_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA)); + ScanKeyEntryInitialize(&scanKey[3], 0, + Anum_bbf_schema_perms_grantee, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantee)); + ScanKeyEntryInitialize(&scanKey[4], 0, + Anum_bbf_schema_perms_object_type, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(OBJ_DATABASE)); + ScanKeyEntryInitialize(&scanKey[5], 0, + Anum_bbf_schema_perms_grantor, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantor)); + // scan = systable_beginscan(bbf_schema_perm_rel, + // get_bbf_schema_perms_idx_oid(), + // true, NULL, 6, scanKey); + + /* * Update the column user_can_connect to 1 in case of GRANT and to 0 in * case of REVOKE */ if (is_grant) + { new_record_user_ext[USER_EXT_USER_CAN_CONNECT] = Int32GetDatum(1); + /* Add entry 
to bbf_schema_permissions when CONNECT privilege is granted */ + if(!privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, grantee, OBJ_DATABASE, grantor, false)) + { + add_entry_to_bbf_schema_perms(bbf_schema_perm_rel, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, ACL_CONNECT, grantee, OBJ_DATABASE, NULL , grantor, false); + } + } else + { new_record_user_ext[USER_EXT_USER_CAN_CONNECT] = Int32GetDatum(0); + /* Remove entry from bbf_schema_permissions when CONNECT privilege is revoked */ + if(!privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, grantee, OBJ_DATABASE, grantor, false)) + { + remove_entry_from_bbf_schema_perms(bbf_schema_perm_rel, scanKey, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, grantee, OBJ_DATABASE, grantor, false); + } + } + // systable_endscan(scan); + table_close(bbf_schema_perm_rel, RowExclusiveLock); new_record_repl_user_ext[USER_EXT_USER_CAN_CONNECT] = true; 
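Review bot: The REVOKE branch is inverted: `if(!privilege_exists_in_bbf_schema_permissions(...))` removes the catalog entry only when it is absent, so revoking CONNECT leaves the existing row in place — and `sys.database_permissions`, which reads this table, keeps reporting the grant — while `remove_entry_from_bbf_schema_perms` is called for a row that is not there; it should read `if (privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, grantee, OBJ_DATABASE, grantor, false))`. Connection enforcement itself appears to stay with `user_can_connect`, so the visible effect is stale permission metadata rather than a bypass, but the two must not disagree. The commented-out `// scan = systable_beginscan(...)` and `// systable_endscan(scan);` lines should be removed, and since the six keys hard-code `<db>_dbo` as grantor, a CONNECT row recorded under any other grantor would never be found or removed here — worth a comment if that is by design.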
@@ -3641,27 +3760,27 @@ rename_procfunc_update_bbf_catalog(RenameStmt *stmt) * Add an entry to catalog BABELFISH_SCHEMA_PERMISSIONS. */ void -add_entry_to_bbf_schema_perms(const char *schema_name, +add_entry_to_bbf_schema_perms(Relation bbf_schema_rel, + const char *schema_name, const char *object_name, int permission, const char *grantee, const char *object_type, - const char *func_args) + const char *func_args, + const char *grantor, + bool grant_option) { - Relation bbf_schema_rel; TupleDesc bbf_schema_dsc; HeapTuple tuple_bbf_schema; Datum new_record_bbf_schema[BBF_SCHEMA_PERMS_NUM_OF_COLS]; bool new_record_nulls_bbf_schema[BBF_SCHEMA_PERMS_NUM_OF_COLS]; - int16 dbid = get_cur_db_id(); + int16 dbid = get_cur_db_id(); + int new_permission = 0; - /* Immediately return, if grantee is NULL or PUBLIC. */ - if ((grantee == NULL) || (strcmp(grantee, PUBLIC_ROLE_NAME) == 0)) + /* Immediately return, if grantee is NULL or permission is 0 */ + if (grantee == NULL || permission==0) return; - /* Fetch the relation */ - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), - RowExclusiveLock); bbf_schema_dsc = RelationGetDescr(bbf_schema_rel); /* Build a tuple to insert */ 
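Review bot: The early return now guards `grantee == NULL || permission==0` but not `grantor`, while the next hunk does `CStringGetTextDatum(pstrdup(grantor))` unconditionally, so a NULL grantor from any caller crashes in `pstrdup` instead of being rejected (the new primary key would refuse the row anyway); extend the guard to `if (grantee == NULL || grantor == NULL || permission == 0) return;` or raise an error for the NULL-grantor case. Since the relation is now supplied by the caller and no longer opened or closed here, the comment above (`Add an entry to catalog BABELFISH_SCHEMA_PERMISSIONS.`) should state that `bbf_schema_rel` must be open with `RowExclusiveLock` for the duration and that the caller closes it, and should explain that `grant_option` is recorded by OR-ing a flag bit into `permission`. The function continues outside the hunk.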
@@ -3671,14 +3790,21 @@ add_entry_to_bbf_schema_perms(const char *schema_name, new_record_bbf_schema[Anum_bbf_schema_perms_dbid - 1] = Int16GetDatum(dbid); new_record_bbf_schema[Anum_bbf_schema_perms_schema_name - 1] = CStringGetTextDatum(pstrdup(schema_name)); new_record_bbf_schema[Anum_bbf_schema_perms_object_name - 1] = CStringGetTextDatum(pstrdup(object_name)); - new_record_bbf_schema[Anum_bbf_schema_perms_permission - 1] = Int32GetDatum(permission); + if(grant_option) + { + new_permission = permission | ACL_USAGE; + new_record_bbf_schema[Anum_bbf_schema_perms_permission - 1] = Int32GetDatum(new_permission); + } + else{ + new_record_bbf_schema[Anum_bbf_schema_perms_permission - 1] = Int32GetDatum(permission); + } new_record_bbf_schema[Anum_bbf_schema_perms_grantee - 1] = CStringGetTextDatum(pstrdup(grantee)); new_record_bbf_schema[Anum_bbf_schema_perms_object_type - 1] = CStringGetTextDatum(pstrdup(object_type)); if (func_args) new_record_bbf_schema[Anum_bbf_schema_perms_function_args - 1] = CStringGetTextDatum(func_args); else new_record_nulls_bbf_schema[Anum_bbf_schema_perms_function_args - 1] = true; - new_record_nulls_bbf_schema[Anum_bbf_schema_perms_grantor - 1] = true; + new_record_bbf_schema[Anum_bbf_schema_perms_grantor - 1] = CStringGetTextDatum(pstrdup(grantor)); tuple_bbf_schema = heap_form_tuple(bbf_schema_dsc, new_record_bbf_schema, @@ -3687,9 +3813,6 @@ add_entry_to_bbf_schema_perms(const char *schema_name, /* Insert new record in the bbf_authid_user_ext table */ CatalogTupleInsert(bbf_schema_rel, tuple_bbf_schema); - /* Close bbf_authid_user_ext, but keep lock till commit */ - table_close(bbf_schema_rel, RowExclusiveLock); - /* make sure later steps can see the entry added here */ CommandCounterIncrement(); } 
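Review bot: `new_permission = permission | ACL_USAGE;` overloads PostgreSQL's USAGE privilege bit (`1 << 8`, the `256` that `sys.database_permissions` tests with `bsp.permission & 256`) as the WITH GRANT OPTION marker, so any caller that ever stores a genuine USAGE privilege in this column will be displayed and matched as a grant-option row; give the flag its own name, e.g. `#define BBF_PERM_GRANT_OPTION ACL_USAGE` with a comment explaining why that bit is free in this catalog, and reference it from both the C code and the view's literal. Minor style: `if(grant_option)` and `else{` depart from the `if (x)` / `else` on its own line layout used elsewhere in this file, and the whole branch collapses to `Int32GetDatum(grant_option ? (permission | ACL_USAGE) : permission)`.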
@@ -3698,20 +3821,23 @@ add_entry_to_bbf_schema_perms(const char *schema_name, * Updates the permission column for a particular row in BABELFISH_SCHEMA_PERMISSIONS table. */ void -update_privileges_of_object(const char *schema_name, +update_privileges_of_object(Relation bbf_schema_rel, + ScanKeyData *scanKey, + const char *schema_name, const char *object_name, int new_permission, const char *grantee, const char *object_type, - bool is_grant) + bool is_grant, + const char *grantor, + bool grant_option) { - Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; TupleDesc bbf_schema_dsc; HeapTuple new_tuple; - ScanKeyData scanKey[5]; + // ScanKeyData scanKey[6]; SysScanDesc scan; - int16 dbid = get_cur_db_id(); + // int16 dbid = get_cur_db_id(); int old_permission = 0; int current_permission = 0; Datum new_record_bbf_schema[BBF_SCHEMA_PERMS_NUM_OF_COLS]; @@ -3722,12 +3848,12 @@ update_privileges_of_object(const char *schema_name, if (schema_name == NULL || is_shared_schema(schema_name)) return; - /* Immediately return, if grantee is NULL or PUBLIC. */ - if ((grantee == NULL) || (strcmp(grantee, PUBLIC_ROLE_NAME) == 0)) + /* Immediately return, if grantee is NULL. */ + if (grantee == NULL) return; /* Get existing privilege of an object. */ - old_permission = get_privilege_of_object(schema_name, object_name, grantee, object_type); + old_permission = get_privilege_of_object(bbf_schema_rel, scanKey, schema_name, object_name, grantee, object_type, grantor, grant_option); if (is_grant) { 
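Review bot: `update_privileges_of_object` now trusts a caller-built `scanKey` array, but its header comment (`Updates the permission column for a particular row ...`) says nothing about what the six keys must contain; document that `scanKey[0..5]` must be dbid, schema_name, object_name, grantee, object_type and grantor in that order (as `alter_user_can_connect` builds them), that `permission` is deliberately not a key because several rows may share the other columns, and that `bbf_schema_rel` is opened and closed by the caller. The `schema_name`/`object_name`/`grantee`/`object_type`/`grantor` parameters are now only used for the early returns and forwarded to `get_privilege_of_object`, which makes it easy for a caller to pass keys and parameters that disagree — an `Assert` or at least a comment stating the invariant would help. Delete the `// ScanKeyData scanKey[6];` and `// int16 dbid = get_cur_db_id();` leftovers instead of commenting them out; the same applies to the block in the next hunk.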
@@ -3743,74 +3869,91 @@ update_privileges_of_object(const char *schema_name, */ current_permission = old_permission & ~new_permission; } - - if (current_permission == 0) + if ((!grant_option && current_permission == 0) || (grant_option && current_permission == ACL_USAGE)) { - remove_entry_from_bbf_schema_perms(schema_name, object_name, grantee, object_type); + remove_entry_from_bbf_schema_perms(bbf_schema_rel, scanKey, schema_name, object_name, grantee, object_type, grantor, grant_option); return; } - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), - RowExclusiveLock); - - ScanKeyInit(&scanKey[0], - Anum_bbf_schema_perms_dbid, - BTEqualStrategyNumber, F_INT2EQ, - Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, - Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, - Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_name)); - ScanKeyInit(&scanKey[3], - Anum_bbf_schema_perms_permission, - BTEqualStrategyNumber, F_INT4EQ, - Int32GetDatum(old_permission)); - ScanKeyEntryInitialize(&scanKey[4], 0, - Anum_bbf_schema_perms_grantee, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(grantee)); + // ScanKeyInit(&scanKey[0], + // Anum_bbf_schema_perms_dbid, + // BTEqualStrategyNumber, F_INT2EQ, + // Int16GetDatum(dbid)); + // ScanKeyEntryInitialize(&scanKey[1], 0, + // Anum_bbf_schema_perms_schema_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(schema_name)); + // ScanKeyEntryInitialize(&scanKey[2], 0, + // Anum_bbf_schema_perms_object_name, + // BTEqualStrategyNumber, + // 
InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_name)); + // ScanKeyInit(&scanKey[3], + // Anum_bbf_schema_perms_permission, + // BTEqualStrategyNumber, F_INT4EQ, + // Int32GetDatum(old_permission)); + // ScanKeyEntryInitialize(&scanKey[4], 0, + // Anum_bbf_schema_perms_grantee, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantee)); + // ScanKeyEntryInitialize(&scanKey[5], 0, + // Anum_bbf_schema_perms_grantor, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantor)); scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), - false, NULL, 5, scanKey); - + false, NULL, 6, scanKey); tuple_bbf_schema = systable_getnext(scan); - if (HeapTupleIsValid(tuple_bbf_schema)) - { - bbf_schema_dsc = RelationGetDescr(bbf_schema_rel); - /* Build a tuple to insert */ - MemSet(new_record_bbf_schema, 0, sizeof(new_record_bbf_schema)); - MemSet(new_record_nulls_bbf_schema, false, sizeof(new_record_nulls_bbf_schema)); - MemSet(new_record_repl_bbf_schema, false, sizeof(new_record_repl_bbf_schema)); - new_record_bbf_schema[Anum_bbf_schema_perms_permission - 1] = Int32GetDatum(current_permission); - new_record_repl_bbf_schema[Anum_bbf_schema_perms_permission - 1] = true; + while (HeapTupleIsValid(tuple_bbf_schema)) + { + Datum datum; + bool isnull; + int permission_val; - new_tuple = heap_modify_tuple(tuple_bbf_schema, - bbf_schema_dsc, - new_record_bbf_schema, - new_record_nulls_bbf_schema, - new_record_repl_bbf_schema); + datum = heap_getattr(tuple_bbf_schema, Anum_bbf_schema_perms_permission, RelationGetDescr(bbf_schema_rel), &isnull); - CatalogTupleUpdate(bbf_schema_rel, &new_tuple->t_self, new_tuple); - heap_freetuple(new_tuple); + if (isnull) + continue; + permission_val = 
DatumGetInt32(datum); + + if ((grant_option && (permission_val & ACL_USAGE)) || (!grant_option && !(permission_val & ACL_USAGE))) + { + bbf_schema_dsc = RelationGetDescr(bbf_schema_rel); + /* Build a tuple to insert */ + MemSet(new_record_bbf_schema, 0, sizeof(new_record_bbf_schema)); + MemSet(new_record_nulls_bbf_schema, false, sizeof(new_record_nulls_bbf_schema)); + MemSet(new_record_repl_bbf_schema, false, sizeof(new_record_repl_bbf_schema)); + + new_record_bbf_schema[Anum_bbf_schema_perms_permission - 1] = Int32GetDatum(current_permission); + new_record_repl_bbf_schema[Anum_bbf_schema_perms_permission - 1] = true; + + new_tuple = heap_modify_tuple(tuple_bbf_schema, + bbf_schema_dsc, + new_record_bbf_schema, + new_record_nulls_bbf_schema, + new_record_repl_bbf_schema); + + CatalogTupleUpdate(bbf_schema_rel, &new_tuple->t_self, new_tuple); + heap_freetuple(new_tuple); + break; + } + tuple_bbf_schema = systable_getnext(scan); } systable_endscan(scan); - table_close(bbf_schema_rel, RowExclusiveLock); /* make sure later steps can see the entry updated here */ CommandCounterIncrement(); 
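Review bot: `if (isnull) continue;` inside `while (HeapTupleIsValid(tuple_bbf_schema))` never advances the cursor, because `tuple_bbf_schema = systable_getnext(scan)` is only reached at the bottom of the body, so a row with a NULL `permission` spins the backend forever; the same pattern recurs in `privilege_exists_in_bbf_schema_permissions` and `get_privilege_of_object` in the following hunk. Either advance before skipping — `if (isnull) { tuple_bbf_schema = systable_getnext(scan); continue; }` — or write each loop as `for (tuple_bbf_schema = systable_getnext(scan); HeapTupleIsValid(tuple_bbf_schema); tuple_bbf_schema = systable_getnext(scan))`, which also removes the duplicated fetch. The large block of `// ScanKeyInit(...)` lines should be deleted rather than commented out: the key construction moved to the caller, and version control keeps the history.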
@@ -3820,176 +3963,234 @@ update_privileges_of_object(const char *schema_name, * Checks if a particular privilege exists in catalog BABELFISH_SCHEMA_PERMISSIONS. */ bool -privilege_exists_in_bbf_schema_permissions(const char *schema_name, +privilege_exists_in_bbf_schema_permissions(Relation bbf_schema_rel, + ScanKeyData *scanKey, + const char *schema_name, const char *object_name, const char *grantee, - const char *object_type) + const char *object_type, + const char *grantor, + bool grant_option) { - Relation bbf_schema_rel; + // Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; SysScanDesc scan; - bool catalog_entry_exists = false; - int16 dbid = get_cur_db_id(); + bool catalog_entry_exists = false; + // int16 dbid = get_cur_db_id(); /* Immediately return false, if SCHEMA name is NULL or it's a shared schema. */ if (schema_name == NULL || is_shared_schema(schema_name)) return false; - if (grantee != NULL) - { - ScanKeyData scanKey[5]; - /* Immediately return false, if grantee is PUBLIC. 
*/ - if (strcmp(grantee, PUBLIC_ROLE_NAME) == 0) - return false; - - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), - AccessShareLock); - ScanKeyInit(&scanKey[0], - Anum_bbf_schema_perms_dbid, - BTEqualStrategyNumber, F_INT2EQ, - Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, - Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, - Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_name)); - ScanKeyEntryInitialize(&scanKey[3], 0, - Anum_bbf_schema_perms_grantee, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(grantee)); - ScanKeyEntryInitialize(&scanKey[4], 0, - Anum_bbf_schema_perms_object_type, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_type)); + // if (grantee != NULL) + // { + // ScanKeyData scanKey[6]; + + // bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), + // AccessShareLock); + // ScanKeyInit(&scanKey[0], + // Anum_bbf_schema_perms_dbid, + // BTEqualStrategyNumber, F_INT2EQ, + // Int16GetDatum(dbid)); + // ScanKeyEntryInitialize(&scanKey[1], 0, + // Anum_bbf_schema_perms_schema_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(schema_name)); + // ScanKeyEntryInitialize(&scanKey[2], 0, + // Anum_bbf_schema_perms_object_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_name)); + // ScanKeyEntryInitialize(&scanKey[3], 0, + // 
Anum_bbf_schema_perms_grantee, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantee)); + // ScanKeyEntryInitialize(&scanKey[4], 0, + // Anum_bbf_schema_perms_object_type, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_type)); + // ScanKeyEntryInitialize(&scanKey[5], 0, + // Anum_bbf_schema_perms_grantor, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantor)); scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), - true, NULL, 5, scanKey); - } - else + true, NULL, 6, scanKey); + // } + // else + // { + // ScanKeyData scanKey[5]; + // bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), + // AccessShareLock); + // ScanKeyInit(&scanKey[0], + // Anum_bbf_schema_perms_dbid, + // BTEqualStrategyNumber, F_INT2EQ, + // Int16GetDatum(dbid)); + // ScanKeyEntryInitialize(&scanKey[1], 0, + // Anum_bbf_schema_perms_schema_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(schema_name)); + // ScanKeyEntryInitialize(&scanKey[2], 0, + // Anum_bbf_schema_perms_object_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_name)); + // ScanKeyEntryInitialize(&scanKey[3], 0, + // Anum_bbf_schema_perms_object_type, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_type)); + // ScanKeyEntryInitialize(&scanKey[4], 0, + // Anum_bbf_schema_perms_grantor, + // BTEqualStrategyNumber, + // InvalidOid, + // 
tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantor)); + + // scan = systable_beginscan(bbf_schema_rel, + // get_bbf_schema_perms_idx_oid(), + // true, NULL, 5, scanKey); + // } + tuple_bbf_schema = systable_getnext(scan); + + while (HeapTupleIsValid(tuple_bbf_schema)) { - ScanKeyData scanKey[4]; - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), - AccessShareLock); - ScanKeyInit(&scanKey[0], - Anum_bbf_schema_perms_dbid, - BTEqualStrategyNumber, F_INT2EQ, - Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, - Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, - Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_name)); - ScanKeyEntryInitialize(&scanKey[3], 0, - Anum_bbf_schema_perms_object_type, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_type)); + Datum datum; + bool isnull; + int permission_val; - scan = systable_beginscan(bbf_schema_rel, - get_bbf_schema_perms_idx_oid(), - true, NULL, 4, scanKey); - } + datum = heap_getattr(tuple_bbf_schema, + Anum_bbf_schema_perms_permission, + RelationGetDescr(bbf_schema_rel), + &isnull); + if (isnull) + continue; - tuple_bbf_schema = systable_getnext(scan); - if (HeapTupleIsValid(tuple_bbf_schema)) - catalog_entry_exists = true; + permission_val = DatumGetInt32(datum); + + if ((grant_option && (permission_val & ACL_USAGE)) || (!grant_option && !(permission_val & ACL_USAGE))) + { + catalog_entry_exists = true; + break; + } + tuple_bbf_schema = systable_getnext(scan); + } systable_endscan(scan); - table_close(bbf_schema_rel, AccessShareLock); + // 
table_close(bbf_schema_rel, AccessShareLock); return catalog_entry_exists; } /* * Get the value of permission column from BABELFISH_SCHEMA_PERMISSIONS table. */ -static int -get_privilege_of_object(const char *schema_name, +int +get_privilege_of_object(Relation bbf_schema_rel, + ScanKeyData *scanKey, + const char *schema_name, const char *object_name, const char *grantee, - const char *object_type) + const char *object_type, + const char *grantor, + bool grant_option) { - Relation bbf_schema_rel; + // Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; - ScanKeyData scanKey[5]; + // ScanKeyData scanKey[6]; SysScanDesc scan; - int16 dbid = get_cur_db_id(); - int permission = 0; - - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), - AccessShareLock); - ScanKeyInit(&scanKey[0], - Anum_bbf_schema_perms_dbid, - BTEqualStrategyNumber, F_INT2EQ, - Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, - Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, - Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_name)); - ScanKeyEntryInitialize(&scanKey[3], 0, - Anum_bbf_schema_perms_grantee, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(grantee)); - ScanKeyEntryInitialize(&scanKey[4], 0, - Anum_bbf_schema_perms_object_type, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_type)); + // int16 dbid = get_cur_db_id(); + int permission = 0; + + // bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), + // AccessShareLock); + // ScanKeyInit(&scanKey[0], + // Anum_bbf_schema_perms_dbid, + // 
BTEqualStrategyNumber, F_INT2EQ, + // Int16GetDatum(dbid)); + // ScanKeyEntryInitialize(&scanKey[1], 0, + // Anum_bbf_schema_perms_schema_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(schema_name)); + // ScanKeyEntryInitialize(&scanKey[2], 0, + // Anum_bbf_schema_perms_object_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_name)); + // ScanKeyEntryInitialize(&scanKey[3], 0, + // Anum_bbf_schema_perms_grantee, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantee)); + // ScanKeyEntryInitialize(&scanKey[4], 0, + // Anum_bbf_schema_perms_object_type, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_type)); + // ScanKeyEntryInitialize(&scanKey[5], 0, + // Anum_bbf_schema_perms_grantor, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantor)); scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), - true, NULL, 5, scanKey); + true, NULL, 6, scanKey); tuple_bbf_schema = systable_getnext(scan); - if (HeapTupleIsValid(tuple_bbf_schema)) + while (HeapTupleIsValid(tuple_bbf_schema)) { Datum datum; bool isnull; + int current_perm; + datum = heap_getattr(tuple_bbf_schema, Anum_bbf_schema_perms_permission, RelationGetDescr(bbf_schema_rel), &isnull); - permission = DatumGetInt32(datum); + if (isnull) + continue; + + current_perm = DatumGetInt32(datum); + + if ((grant_option && (current_perm & ACL_USAGE)) || (!grant_option && !(current_perm & ACL_USAGE))) + { + permission = current_perm; + break; + } + tuple_bbf_schema = 
systable_getnext(scan); } systable_endscan(scan); - table_close(bbf_schema_rel, AccessShareLock); + // table_close(bbf_schema_rel, AccessShareLock); return permission; } 
@@ -3997,70 +4198,98 @@ get_privilege_of_object(const char *schema_name, * Removes a row from the catalog BABELFISH_SCHEMA_PERMISSIONS. */ void -remove_entry_from_bbf_schema_perms(const char *schema_name, +remove_entry_from_bbf_schema_perms(Relation bbf_schema_rel, + ScanKeyData *scanKey, + const char *schema_name, const char *object_name, const char *grantee, - const char *object_type) + const char *object_type, + const char *grantor, + bool grant_option) { - Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; - ScanKeyData scanKey[5]; + // ScanKeyData scanKey[6]; SysScanDesc scan; - int16 dbid = get_cur_db_id(); + // int16 dbid = get_cur_db_id(); /* Immediately return false, if SCHEMA name is NULL or it's a shared schema. */ if (schema_name == NULL || is_shared_schema(schema_name)) return; - /* Immediately return, if grantee is NULL or PUBLIC. */ - if ((grantee == NULL) || (strcmp(grantee, PUBLIC_ROLE_NAME) == 0)) + /* Immediately return, if grantee is NULL. */ + if ((grantee == NULL)) return; - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), - RowExclusiveLock); - ScanKeyInit(&scanKey[0], - Anum_bbf_schema_perms_dbid, - BTEqualStrategyNumber, F_INT2EQ, - Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, - Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, - Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_name)); - ScanKeyEntryInitialize(&scanKey[3], 0, - Anum_bbf_schema_perms_grantee, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(grantee)); - ScanKeyEntryInitialize(&scanKey[4], 0, - Anum_bbf_schema_perms_object_type, - BTEqualStrategyNumber, - InvalidOid, - 
tsql_get_database_or_server_collation_oid_internal(false), - F_TEXTEQ, - CStringGetTextDatum(object_type)); + // ScanKeyInit(&scanKey[0], + // Anum_bbf_schema_perms_dbid, + // BTEqualStrategyNumber, F_INT2EQ, + // Int16GetDatum(dbid)); + // ScanKeyEntryInitialize(&scanKey[1], 0, + // Anum_bbf_schema_perms_schema_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(schema_name)); + // ScanKeyEntryInitialize(&scanKey[2], 0, + // Anum_bbf_schema_perms_object_name, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_name)); + // ScanKeyEntryInitialize(&scanKey[3], 0, + // Anum_bbf_schema_perms_grantee, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantee)); + // ScanKeyEntryInitialize(&scanKey[4], 0, + // Anum_bbf_schema_perms_object_type, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(object_type)); + // ScanKeyEntryInitialize(&scanKey[5], 0, // New scan key for grantor + // Anum_bbf_schema_perms_grantor, + // BTEqualStrategyNumber, + // InvalidOid, + // tsql_get_database_or_server_collation_oid_internal(false), + // F_TEXTEQ, + // CStringGetTextDatum(grantor)); scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), - true, NULL, 5, scanKey); - + true, NULL, 6, scanKey); tuple_bbf_schema = systable_getnext(scan); - if (HeapTupleIsValid(tuple_bbf_schema)) - CatalogTupleDelete(bbf_schema_rel, &tuple_bbf_schema->t_self); + while (HeapTupleIsValid(tuple_bbf_schema)) + { + bool isnull; + Datum permission_datum = heap_getattr(tuple_bbf_schema, + Anum_bbf_schema_perms_permission, + RelationGetDescr(bbf_schema_rel), + &isnull); + int permission_val = 
DatumGetInt32(permission_datum); + + if (isnull) + continue; + + /* Check the ACL_USAGE bit according to grant_option and delete matching tuple */ + if ((grant_option && (permission_val & ACL_USAGE)) || (!grant_option && !(permission_val & ACL_USAGE))) + { + /* Delete the matching tuple and exit */ + if (HeapTupleIsValid(tuple_bbf_schema)) + { + CatalogTupleDelete(bbf_schema_rel, &tuple_bbf_schema->t_self); + break; + } + } + tuple_bbf_schema = systable_getnext(scan); + } systable_endscan(scan); - table_close(bbf_schema_rel, RowExclusiveLock); } /* @@ -4068,18 +4297,22 @@ remove_entry_from_bbf_schema_perms(const char *schema_name, * If exists, updates the PERMISSION column in the table. */ void -add_or_update_object_in_bbf_schema(const char *schema_name, +add_or_update_object_in_bbf_schema(Relation bbf_schema_rel, + ScanKeyData *scanKey, + const char *schema_name, const char *object_name, int new_permission, const char *grantee, const char *object_type, bool is_grant, - const char *func_args) + const char *func_args, + const char *grantor, + bool grant_option) { - if (!privilege_exists_in_bbf_schema_permissions(schema_name, object_name, grantee, object_type)) - add_entry_to_bbf_schema_perms(schema_name, object_name, new_permission, grantee, object_type, func_args); + if (!privilege_exists_in_bbf_schema_permissions(bbf_schema_rel, scanKey, schema_name, object_name, grantee, object_type, grantor, grant_option)) + add_entry_to_bbf_schema_perms(bbf_schema_rel, schema_name, object_name, new_permission, grantee, object_type, func_args,grantor, grant_option); else - update_privileges_of_object(schema_name, object_name, new_permission, grantee, object_type, is_grant); + update_privileges_of_object(bbf_schema_rel, scanKey, schema_name, object_name, new_permission, grantee, object_type, is_grant, grantor, grant_option); } /* 
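Review bot: `if (isnull) continue;` in the new while loop of remove_entry_from_bbf_schema_perms never advances the cursor, because `tuple_bbf_schema = systable_getnext(scan);` sits at the bottom of the body, so a row with a NULL permission makes the loop spin on the same tuple forever; the same pattern appears in the preceding hunk in privilege_exists_in_bbf_schema_permissions and get_privilege_of_object. Fetch the next tuple before continuing, e.g. `if (isnull) { tuple_bbf_schema = systable_getnext(scan); continue; }`, and move `DatumGetInt32(permission_datum)` after the null check so an unset datum is never converted. The inner `if (HeapTupleIsValid(tuple_bbf_schema))` is redundant under the loop condition and the `//`-commented scan-key blocks should be deleted rather than committed (PostgreSQL sources use `/* */` comments only). Since the function no longer opens or closes the relation, the header comment should state that the caller must hold `bbf_schema_rel` open with a write lock and supply the six scan keys the hard-coded `6` in systable_beginscan expects.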
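Review bot: The header comment of add_or_update_object_in_bbf_schema (partly outside the hunk) does not describe the new `bbf_schema_rel`, `scanKey`, `grantor` and `grant_option` parameters, and the callee contract is now implicit: the relation must already be open and `scanKey` must hold exactly six keys in dbid/schema/object/grantee/type/grantor order. I would add a sentence to the header such as `/* Caller holds bbf_schema_rel open and passes a 6-entry scanKey; grant_option selects the row with or without ACL_USAGE set. */`. Minor style: `func_args,grantor` is missing a space after the comma.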
@@ -4202,13 +4435,14 @@ drop_bbf_schema_permission_entries(int16 dbid) void grant_perms_to_objects_in_schema(const char *schema_name, int permission, - const char *grantee) + const char *grantee, + const char *grantor) { SysScanDesc scan; Relation bbf_schema_rel; TupleDesc dsc; HeapTuple tuple_bbf_schema; - ScanKeyData scanKey[3]; + ScanKeyData scanKey[4]; int16 dbid = get_cur_db_id(); const char *db_name = get_cur_db_name(); @@ -4234,9 +4468,16 @@ grant_perms_to_objects_in_schema(const char *schema_name, tsql_get_database_or_server_collation_oid_internal(false), F_TEXTEQ, CStringGetTextDatum(grantee)); + ScanKeyEntryInitialize(&scanKey[3], 0, + Anum_bbf_schema_perms_grantor, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantor)); scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), - true, NULL, 3, scanKey); + true, NULL, 4, scanKey); tuple_bbf_schema = systable_getnext(scan); while (HeapTupleIsValid(tuple_bbf_schema)) diff --git a/contrib/babelfishpg_tsql/src/catalog.h b/contrib/babelfishpg_tsql/src/catalog.h index 697f0d1a338..5cc69ce036d 100644 --- a/contrib/babelfishpg_tsql/src/catalog.h +++ b/contrib/babelfishpg_tsql/src/catalog.h @@ -6,6 +6,7 @@ #include "catalog/catalog.h" #include "access/attnum.h" +#include "access/genam.h" #include "utils/jsonb.h" /***************************************** 
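Review bot: The new `ScanKeyEntryInitialize(&scanKey[3], ...)` in grant_perms_to_objects_in_schema calls `CStringGetTextDatum(grantor)` with no NULL guard, so any caller passing a NULL grantor will dereference it; either assert non-NULL at function entry or document the precondition in the header comment. Adding grantor to the key also means schema-level rows recorded under a different grantor are no longer matched by this scan, which presumably is intended but deserves a one-line comment, e.g. `/* Only propagate schema grants made by this grantor. */`. The function's start and end are outside the hunk.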
@@ -323,9 +324,11 @@ typedef FormData_bbf_function_ext *Form_bbf_function_ext; #define BABELFISH_SYSADMIN "sysadmin" #define BABELFISH_DBCREATOR "dbcreator" #define PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA "ALL" +#define PERMISSIONS_FOR_DATABASE "ALL" #define ALL_PERMISSIONS_ON_RELATION 47 /* last 6 bits as 101111 represents ALL privileges on a relation. */ #define ALL_PERMISSIONS_ON_FUNCTION 128 /* last 8 bits as 10000000 represents ALL privileges on a procedure/function. */ #define OBJ_SCHEMA "s" +#define OBJ_DATABASE "d" #define OBJ_RELATION "r" #define OBJ_PROCEDURE "p" #define OBJ_FUNCTION "f" @@ -357,6 +360,7 @@ extern Oid bbf_schema_perms_oid; extern Oid bbf_schema_perms_idx_oid; extern Oid get_bbf_schema_perms_oid(void); +extern Oid get_bbf_schema_perms_idx_oid(void); typedef struct FormData_bbf_schema_perms { 
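Review bot: `PERMISSIONS_FOR_DATABASE` and `PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA` both expand to `"ALL"`, so database-level and schema-level rows carry the same object_name and are told apart only by object_type (`OBJ_DATABASE` vs `OBJ_SCHEMA`). A comment next to the new define would keep the next maintainer from treating them as distinct keys, e.g. `/* Same marker as schema-level rows; object_type ('d' vs 's') distinguishes them. */`.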
@@ -371,13 +375,14 @@ typedef struct FormData_bbf_schema_perms typedef FormData_bbf_schema_perms *Form_bbf_schema_perms; -extern void add_entry_to_bbf_schema_perms(const char *schema_name, const char *object_name, int permission, const char *grantee, const char *object_type, const char *func_args); -extern bool privilege_exists_in_bbf_schema_permissions(const char *schema_name, const char *object_name, const char *grantee, const char *object_type); -extern void update_privileges_of_object(const char *schema_name, const char *object_name, int new_permission, const char *grantee, const char *object_type, bool is_grant); -extern void remove_entry_from_bbf_schema_perms(const char *schema_name, const char *object_name, const char *grantee, const char *object_type); -extern void add_or_update_object_in_bbf_schema(const char *schema_name, const char *object_name, int new_permission, const char *grantee, const char *object_type, bool is_grant, const char *func_args); +extern void add_entry_to_bbf_schema_perms(Relation bbf_schema_rel, const char *schema_name, const char *object_name, int permission, const char *grantee, const char *object_type, const char *func_args, const char *grantor, bool grant_option); +extern bool privilege_exists_in_bbf_schema_permissions(Relation bbf_schema_rel, ScanKeyData *scanKey, const char *schema_name, const char *object_name, const char *grantee, const char *object_type, const char *grantor, bool grant_option); +extern void update_privileges_of_object(Relation bbf_schema_rel, ScanKeyData *scanKey, const char *schema_name, const char *object_name, int new_permission, const char *grantee, const char *object_type, bool is_grant, const char *grantor, bool grant_option); +extern void remove_entry_from_bbf_schema_perms(Relation bbf_schema_rel, ScanKeyData *scanKey, const char *schema_name, const char *object_name, const char *grantee, const char *object_type, const char *grantor, bool grant_option); +extern void 
add_or_update_object_in_bbf_schema(Relation bbf_schema_rel, ScanKeyData *scanKey, const char *schema_name, const char *object_name, int new_permission, const char *grantee, const char *object_type, bool is_grant, const char *func_args, const char *grantor, bool grant_option); +extern int get_privilege_of_object(Relation bbf_schema_rel, ScanKeyData *scanKey, const char *schema_name, const char *object_name, const char *grantee, const char *object_type, const char *grantor, bool grant_option); extern void clean_up_bbf_schema_permissions(const char *schema_name, const char *object_name, bool is_schema); -extern void grant_perms_to_objects_in_schema(const char *schema_name, int permission, const char *grantee); +extern void grant_perms_to_objects_in_schema(const char *schema_name, int permission, const char *grantee, const char *grantor); extern void exec_internal_grant_on_function(Oid objectId); /***************************************** diff --git a/contrib/babelfishpg_tsql/src/hooks.c b/contrib/babelfishpg_tsql/src/hooks.c index 2397dd0da28..0ce75267e59 100644 --- a/contrib/babelfishpg_tsql/src/hooks.c +++ b/contrib/babelfishpg_tsql/src/hooks.c @@ -65,6 +65,7 @@ #include "storage/sinvaladt.h" #include "tcop/utility.h" #include "utils/builtins.h" +#include "utils/elog.h" #include "utils/fmgroids.h" #include "utils/lsyscache.h" #include "utils/rel.h" @@ -99,6 +100,7 @@ #define UNPIVOT_SOURCE_ALIAS_INDEX 4 /* Source table alias */ #define UNPIVOT_SOURCE_COLS_INDEX 5 /* List of source columns */ #define UNPIVOT_NODE_INDEX 6 /* Transformed node (JoinExpr) */ +#define ALL_PERMISSIONS_ON_OBJECT 16511 /* All permissions on an object */ extern bool babelfish_dump_restore; extern char *babelfish_dump_restore_min_oid; 
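Review bot: The new prototypes take a bare `ScanKeyData *scanKey` with no count, while the implementations hard-code `6` in systable_beginscan, so the key count and key order are an undocumented contract between catalog.c and its callers in hooks.c and pl_exec-2.c. Either add a `nkeys` parameter, or define a constant such as `#define BBF_SCHEMA_PERMS_NKEYS 6` in this header and document the expected order above the externs. The same applies to `grant_option`, whose meaning (select the row with or without ACL_USAGE set) is only discoverable from the .c file.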
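Review bot: `#define ALL_PERMISSIONS_ON_OBJECT 16511` is a magic number whose meaning is not derivable from the comment; it appears to be a bitmask of AclMode flags, so it should be written in terms of the `ACL_*` flags it is composed of (or compared against `ACL_ALL_RIGHTS_RELATION`) so it follows any change to the engine's AclMode layout. It is later compared with `privileges` for functions and procedures as well as tables, and if those code paths receive a different "all rights" mask the comparison would silently never match; a comment stating which object types the value is valid for would make that explicit.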
@@ -214,6 +216,9 @@ static bool bbf_check_rowcount_hook(int es_processed); extern bool called_from_tsql_insert_exec(); extern bool called_for_tsql_itvf_func(); +static bool update_bbf_schema_permissions_catalog(AclMode privileges, bool is_grant, List *grantees, + List *col_privs, Oid object_oid, const char *grantor, + bool grant_option, const char *obj_owner_name, ObjectType objtype); static void is_function_pg_stat_valid(FunctionCallInfo fcinfo, PgStat_FunctionCallUsage *fcu, char prokind, bool finalize); @@ -334,6 +339,7 @@ static pltsql_is_partitioned_table_reloptions_allowed_hook_type prev_pltsql_is_p static ExecFuncProc_AclCheck_hook_type prev_ExecFuncProc_AclCheck_hook = NULL; static bbf_execute_grantstmt_as_dbsecadmin_hook_type prev_bbf_execute_grantstmt_as_dbsecadmin_hook = NULL; static bbf_check_member_has_direct_priv_to_grant_role_hook_type prev_bbf_check_member_has_direct_priv_to_grant_role_hook = NULL; +static update_bbf_schema_permissions_catalog_hook_type prev_update_bbf_schema_permissions_catalog_hook = NULL; static validateCachedPlanSearchPath_hook_type prev_validateCachedPlanSearchPath_hook = NULL; ExecInitParallelPlan_hook_type prev_ExecInitParallelPlan_hook = NULL; ParallelQueryMain_hook_type prev_ParallelQueryMain_hook = NULL; @@ -567,6 +573,9 @@ InstallExtendedHooks(void) prev_bbf_check_member_has_direct_priv_to_grant_role_hook = bbf_check_member_has_direct_priv_to_grant_role_hook; bbf_check_member_has_direct_priv_to_grant_role_hook = bbf_check_member_has_direct_priv_to_grant_role; + + prev_update_bbf_schema_permissions_catalog_hook = update_bbf_schema_permissions_catalog_hook; + update_bbf_schema_permissions_catalog_hook = update_bbf_schema_permissions_catalog; pltsql_get_object_identity_event_trigger_hook = pltsql_get_object_identity_event_trigger; 
@@ -663,6 +672,7 @@ UninstallExtendedHooks(void) ExecFuncProc_AclCheck_hook = prev_ExecFuncProc_AclCheck_hook; bbf_execute_grantstmt_as_dbsecadmin_hook = prev_bbf_execute_grantstmt_as_dbsecadmin_hook; bbf_check_member_has_direct_priv_to_grant_role_hook = prev_bbf_check_member_has_direct_priv_to_grant_role_hook; + update_bbf_schema_permissions_catalog_hook = prev_update_bbf_schema_permissions_catalog_hook; validateCachedPlanSearchPath_hook = prev_validateCachedPlanSearchPath_hook; bbf_InitializeParallelDSM_hook = NULL; 
@@ -6215,6 +6225,455 @@ handle_grantstmt_for_dbsecadmin(ObjectType objType, Oid objId, Oid ownerId, } +/* + * Function update_bbf_schema_permissions_catalog aims to add/remove entries into sys.babelfish_schema_permissions catalog + */ +static bool +update_bbf_schema_permissions_catalog(AclMode privileges, bool is_grant, List *grantees, + List *col_privs, Oid object_oid, const char *orig_grantor, + bool grant_option, const char *obj_owner_name, ObjectType objtype) +{ + Oid save_userid; + int save_sec_context; + bool only_object_grants = true; + char *dbname = get_cur_db_name(); + char *db_owner_name = get_db_owner_name(dbname); + const char *current_user = GetUserNameFromId(GetUserId(), false); + Oid sch_id = InvalidOid; + const char *logical_schema = NULL; + const char *suffix = "_bbfobj"; + int grantor_len = strlen(orig_grantor); + int suffix_len = strlen(suffix); + const char *grantor = orig_grantor; + const char *grantor_suffix = NULL; + ObjectAddress address; + ListCell *lc; + const char *grantee = NULL; + const char *schema_name = NULL; + const char *object_name = NULL; + const char *func_args = NULL; + const char *object_type = NULL; + Relation bbf_schema_perm_rel = NULL; + + GetUserIdAndSecContext(&save_userid, &save_sec_context); + + /* + * Return if it is an internal grant or column privillege + */ + if (!IS_TDS_CONN() || sql_dialect != SQL_DIALECT_TSQL || save_sec_context == 1 || (list_length(col_privs) != 0)) + return true; + + /* + * Return if the object_type is not table, function or procedure. + */ + if(objtype != OBJECT_TABLE && objtype != OBJECT_FUNCTION && objtype != OBJECT_PROCEDURE) + return true; + + /* + * If grantor ends with "_bbfobj", remove the suffix as this is an internal Babelfish role. + * This is the case when the schema_owner is the member of db_owner user role. + * It sets the grantor as an internal role and adds a suffix "_bbfobj" to the grantor. 
+ */ + if(grantor_len > suffix_len) + { + /* + * Check if the grantor has a "_bbfobj" suffix + */ + grantor_suffix = orig_grantor + grantor_len - suffix_len; + if (strcmp(grantor_suffix, suffix) == 0) + { + const char *temp = pnstrdup(orig_grantor, grantor_len - suffix_len); + Oid temp_oid = get_role_oid(temp, true); + Oid db_owner_oid = get_role_oid(db_owner_name, true); + + /* + * If the grantor has "_bbfobj" suffix, remove it and check that the user is a member of db_owner user role to ensure this was an internal user role. + * Set "_bbfobj" suffix rempved string as the grantor + */ + if (OidIsValid(temp_oid) && OidIsValid(db_owner_oid) && is_member_of_role(temp_oid, db_owner_oid)) + { + grantor = temp; + } + } + } + + address.objectId = object_oid; + address.objectSubId = 0; + + if (objtype == OBJECT_TABLE) + { + object_name = get_rel_name(object_oid); + object_type = OBJ_RELATION; + address.classId = RelationRelationId; + sch_id = get_object_namespace(&address); + schema_name = get_namespace_name(sch_id); + + /* + * Return if the permission is being granted on a temp table. + * This condition checks if it is a temporary namespace i.e. in turn checking if it is a temp table. + */ + if (isTempNamespace(sch_id)) + { + ereport(ERROR, + (errcode(ERRCODE_INVALID_GRANT_OPERATION), + errmsg("Cannot find the object \"%s\", because it does not exist or you do not have permission.", object_name))); + } + + if(schema_name != NULL) + logical_schema = get_logical_schema_name(schema_name, false); + else + logical_schema = get_authid_user_ext_schema_name(dbname, current_user); + + /* + * Handles "grant all" query i.e. 
all the privilleges on an object + */ + if (privileges == ALL_PERMISSIONS_ON_OBJECT) + privileges = ALL_PERMISSIONS_ON_RELATION; + } + else if ((objtype == OBJECT_PROCEDURE) || (objtype == OBJECT_FUNCTION)) + { + object_name = get_func_name(object_oid); + address.classId = ProcedureRelationId; + sch_id = get_object_namespace(&address); + schema_name = get_namespace_name(sch_id); + + if(schema_name != NULL) + logical_schema = get_logical_schema_name(schema_name, false); + else + logical_schema = get_authid_user_ext_schema_name(dbname, current_user); + + if (OidIsValid(object_oid)) + func_args = gen_func_arg_list(object_oid); + + if(objtype == OBJECT_PROCEDURE) + object_type = OBJ_PROCEDURE; + else + object_type = OBJ_FUNCTION; + + /* + * Handles "grant all" query i.e. all the privilleges on an object + */ + if (privileges == ALL_PERMISSIONS_ON_OBJECT) + privileges = ALL_PERMISSIONS_ON_FUNCTION; + } + + /* + * Lock sys.babelfish_schema_permissions catalog with ExclusiveLock + */ + bbf_schema_perm_rel = table_open(get_bbf_schema_perms_oid(), ExclusiveLock); + if (is_grant) + { + foreach(lc, grantees) + { + Oid grantee_oid = lfirst_oid(lc); + int old_priv_normal_grant = 0; + int old_priv_grant_with_option = 0; + ScanKeyData scanKey[6]; + // SysScanDesc scan; + + if (grantee_oid == ACL_ID_PUBLIC) + grantee = PUBLIC_ROLE_NAME; + else + grantee = GetUserNameFromId(grantee_oid, false); + + ScanKeyInit(&scanKey[0], + Anum_bbf_schema_perms_dbid, + BTEqualStrategyNumber, F_INT2EQ, + Int16GetDatum(get_cur_db_id())); + ScanKeyEntryInitialize(&scanKey[1], 0, + Anum_bbf_schema_perms_schema_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(logical_schema)); + ScanKeyEntryInitialize(&scanKey[2], 0, + Anum_bbf_schema_perms_object_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(object_name)); + 
ScanKeyEntryInitialize(&scanKey[3], 0, + Anum_bbf_schema_perms_grantee, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantee)); + ScanKeyEntryInitialize(&scanKey[4], 0, + Anum_bbf_schema_perms_object_type, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(object_type)); + ScanKeyEntryInitialize(&scanKey[5], 0, + Anum_bbf_schema_perms_grantor, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantor)); + // scan = systable_beginscan(bbf_schema_perm_rel, + // get_bbf_schema_perms_idx_oid(), + // true, NULL, 6, scanKey); + + /* + * Extract older permissions existing on the object for corresponding grantor and grantee - false indicates permissions without grant_option + */ + if(privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, false)) + { + old_priv_normal_grant = get_privilege_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, false); + } + + /* + * Extract older permissions existing on the object for corresponding grantor and grantee - true indicates permissions with grant_option + */ + if(privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, true)) + { + old_priv_grant_with_option = get_privilege_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, true); + } + if (grantee && (strcmp(grantee, obj_owner_name) == 0 || strcmp(grantee, grantor) == 0)) + { + ereport(ERROR, + (errcode(ERRCODE_INVALID_GRANT_OPERATION), + errmsg("Cannot GRANT privileges to the entity owner or the grantor themselves"))); + } + + /* + * Special database roles should throw an error. 
+ */ + if(strcmp(grantee, PUBLIC_ROLE_NAME) != 0) + { + throw_error_for_fixed_db_role((char *) grantee, dbname); + } + + /* + * For grant with grant_option, first check if the privilege was already there in normal grants i.e. without options + */ + if(grant_option) + { + int common_permission = old_priv_normal_grant & privileges; + /* + * Indicates all the permissions being granted are already present in normal grants + */ + if(common_permission == old_priv_normal_grant) + { + /* + * Remove all entries from normal grants + */ + update_privileges_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, old_priv_normal_grant, grantee, object_type, false, grantor, false); + } + /* + * Indicates few the permissions being granted are already present in normal grants + */ + else if(common_permission!=0) + { + /* + * Remove common_permission entries from normal grants + */ + update_privileges_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, common_permission, grantee, object_type, false, grantor, false); + } + } + /* + * For normal grant, first check if the privilege was already there in grant with options + */ + else + { + int common_permission = old_priv_grant_with_option & privileges; + if(common_permission != 0) + { + /* + * There are a few common privilleges already there in grant with option privillege. We need to grant the other permissions. 
+ */ + privileges = privileges^common_permission; + + /* + * If privileges to be granted are 0, indicates all the privileges are already present in grant with option, so skip the execution + */ + if(privileges == 0) + return true; + } + } + /* + * The privilleges are filtered now add the remaining privilleges + */ + if(grant_option) + { + add_or_update_object_in_bbf_schema(bbf_schema_perm_rel, scanKey, logical_schema, object_name, privileges, grantee, object_type, true, func_args, grantor, true); + } + else{ + add_or_update_object_in_bbf_schema(bbf_schema_perm_rel, scanKey, logical_schema, object_name, privileges, grantee, object_type, true, func_args, grantor, false); + } + // systable_endscan(scan); + } + } + else + { + /* + * While revoking check if schema-level grant exists, if yes remove entries from bbf_schema_permissions but + * skip engine side execution, hence only_object_grants is set as false. + */ + foreach(lc, grantees) + { + Oid grantee_oid = lfirst_oid(lc); + int old_priv_normal_grant = 0; + int old_priv_grant_with_option = 0; + int priv_from_normal_grant = 0; + int priv_from_grant_option = 0; + ScanKeyData scanKey[6]; + // SysScanDesc scan; + ScanKeyData scanKeySchema[6]; + // SysScanDesc scanSchema; + + if (grantee_oid == ACL_ID_PUBLIC) + grantee = PUBLIC_ROLE_NAME; + else + grantee = GetUserNameFromId(grantee_oid, false); + + ScanKeyInit(&scanKey[0], + Anum_bbf_schema_perms_dbid, + BTEqualStrategyNumber, F_INT2EQ, + Int16GetDatum(get_cur_db_id())); + ScanKeyEntryInitialize(&scanKey[1], 0, + Anum_bbf_schema_perms_schema_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(logical_schema)); + ScanKeyEntryInitialize(&scanKey[2], 0, + Anum_bbf_schema_perms_object_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(object_name)); + ScanKeyEntryInitialize(&scanKey[3], 0, + 
Anum_bbf_schema_perms_grantee, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantee)); + ScanKeyEntryInitialize(&scanKey[4], 0, + Anum_bbf_schema_perms_object_type, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(object_type)); + ScanKeyEntryInitialize(&scanKey[5], 0, + Anum_bbf_schema_perms_grantor, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantor)); + // scan = systable_beginscan(bbf_schema_perm_rel, + // get_bbf_schema_perms_idx_oid(), + // true, NULL, 6, scanKey); + + ScanKeyInit(&scanKeySchema[0], + Anum_bbf_schema_perms_dbid, + BTEqualStrategyNumber, F_INT2EQ, + Int16GetDatum(get_cur_db_id())); + ScanKeyEntryInitialize(&scanKeySchema[1], 0, + Anum_bbf_schema_perms_schema_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(logical_schema)); + ScanKeyEntryInitialize(&scanKeySchema[2], 0, + Anum_bbf_schema_perms_object_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA)); + ScanKeyEntryInitialize(&scanKeySchema[3], 0, + Anum_bbf_schema_perms_grantee, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantee)); + ScanKeyEntryInitialize(&scanKeySchema[4], 0, + Anum_bbf_schema_perms_object_type, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(OBJ_SCHEMA)); + ScanKeyEntryInitialize(&scanKeySchema[5], 0, + Anum_bbf_schema_perms_grantor, + BTEqualStrategyNumber, + InvalidOid, + 
tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantor)); + // scanSchema = systable_beginscan(bbf_schema_perm_rel, + // get_bbf_schema_perms_idx_oid(), + // true, NULL, 6, scanKeySchema); + + if (privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKeySchema, logical_schema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, grantee, OBJ_SCHEMA, grantor, false)) + only_object_grants = false; + + /* + * Extract older permissions existing on the object for corresponding grantor and grantee - false indicates permissions without grant_option + */ + if(privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, false)) + { + old_priv_normal_grant = get_privilege_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, false); + } + /* + * Extract older permissions existing on the object for corresponding grantor and grantee - true indicates permissions with grant_option + */ + if(privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, true)) + { + old_priv_grant_with_option = get_privilege_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, grantee, object_type, grantor, true); + } + if (grantee && (strcmp(grantee, obj_owner_name) == 0 || strcmp(grantee, grantor) == 0)) + { + ereport(ERROR, + (errcode(ERRCODE_INVALID_GRANT_OPERATION), + errmsg("Cannot REVOKE privileges to the entity owner or the grantor themselves"))); + } + + /* + * Special database roles should throw an error. 
+ */ + if(strcmp(grantee, PUBLIC_ROLE_NAME) != 0) + { + throw_error_for_fixed_db_role((char *) grantee, dbname); + } + + /* + * Permissions to be revoked from normal grant and grant with option row + */ + priv_from_normal_grant = old_priv_normal_grant & privileges; + priv_from_grant_option = old_priv_grant_with_option & privileges; + + if(priv_from_normal_grant) + { + update_privileges_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, priv_from_normal_grant, grantee, object_type, false, grantor, false); + } + if(priv_from_grant_option) + { + update_privileges_of_object(bbf_schema_perm_rel, scanKey, logical_schema, object_name, priv_from_grant_option, grantee, object_type, false, grantor, true); + } + // systable_endscan(scan); + // systable_endscan(scanSchema); + } + } + table_close(bbf_schema_perm_rel, ExclusiveLock); + pfree(dbname); + pfree(db_owner_name); + return only_object_grants; +} + /* * Objects are always owned by current user in postgres but in babelfish * schema contained objects should be owned by the schema owner by default diff --git a/contrib/babelfishpg_tsql/src/pl_exec-2.c b/contrib/babelfishpg_tsql/src/pl_exec-2.c index 370f7f9ff75..78639a3ebbd 100644 --- a/contrib/babelfishpg_tsql/src/pl_exec-2.c +++ b/contrib/babelfishpg_tsql/src/pl_exec-2.c @@ -3895,6 +3895,17 @@ exec_stmt_grantschema(PLtsql_execstate *estate, PLtsql_stmt_grantschema *stmt) Oid schemaOid; char *user = GetUserNameFromId(GetUserId(), false); const char *db_owner = get_owner_of_db(dbname); + char *db_owner_name = get_db_owner_name(dbname); + const char *grantor; + HeapTuple tup; + Form_pg_namespace nspForm; + const char *suffix = "_bbfobj"; + int grantor_len; + int suffix_len = strlen(suffix); + const char *grantor_suffix = NULL; + Relation bbf_schema_perm_rel; + ScanKeyData scanKey[6]; + // SysScanDesc scan; login_is_db_owner = 0 == strcmp(login, db_owner); schema_name = get_physical_schema_name(dbname, stmt->schema_name); 
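Review bot: In the grant branch of update_bbf_schema_permissions_catalog, `privileges = privileges^common_permission;` mutates the function parameter inside `foreach(lc, grantees)`, so the privileges already held by the first grantee are silently dropped from the grant for every later grantee; and the following `if(privileges == 0) return true;` leaves `bbf_schema_perm_rel` open after `table_open(..., ExclusiveLock)` (relcache reference leak until transaction end), skips `pfree`, and abandons the remaining grantees. Use a per-grantee copy and `continue` instead of `return`, as sketched below; `&= ~common_permission` also reads more clearly than XOR for clearing a subset. The `grantee == owner/grantor` and fixed-role checks run after two catalog lookups per grantee and could move to the top of the loop body.

```c
foreach(lc, grantees)
{
    Oid grantee_oid = lfirst_oid(lc);
    AclMode grant_privs = privileges;   /* per-grantee copy; never narrow the shared parameter */
    /* … unchanged: scan-key setup, old-privilege lookups, owner/grantor and fixed-role checks … */
    else
    {
        int common_permission = old_priv_grant_with_option & grant_privs;

        if (common_permission != 0)
        {
            grant_privs &= ~common_permission;
            if (grant_privs == 0)
                continue;   /* nothing left for this grantee; the others are still processed */
        }
    }
    /* … unchanged: add_or_update_object_in_bbf_schema calls, passing grant_privs instead of privileges … */
}
```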
@@ -3914,6 +3925,43 @@ exec_stmt_grantschema(PLtsql_execstate *estate, PLtsql_stmt_grantschema *stmt) errmsg("An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as \"\" or [] are not allowed. Change the alias to a valid name."))); } + tup = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(schemaOid)); + if (!HeapTupleIsValid(tup)) + elog(ERROR, "cache lookup failed for namespace %u", schemaOid); + + nspForm = (Form_pg_namespace) GETSTRUCT(tup); + + /* + * Grantor for schema-level grants will be schema owner + */ + grantor = GetUserNameFromId(nspForm->nspowner, false); + + /* + * If the grantor is db_owner, set it as dbo to match TSQL + */ + if (strcmp(schema_name, psprintf("%s_dbo", dbname)) == 0 && strcmp(grantor, psprintf("%s_db_owner", dbname)) == 0) + { + grantor = psprintf("%s_dbo", dbname); + } + + /* + * If grantor ends with "_bbfobj", remove the suffix as this is an internal BBF role. + */ + grantor_len = strlen(grantor); + grantor_suffix = grantor + grantor_len - suffix_len; + if (grantor_len >= suffix_len && strcmp(grantor_suffix, suffix) == 0) + { + const char *temp = pnstrdup(grantor, grantor_len - suffix_len); + Oid temp_oid = get_role_oid(temp, true); + Oid db_owner_oid = get_role_oid(db_owner_name, true); + + if (OidIsValid(temp_oid) && OidIsValid(db_owner_oid) && is_member_of_role(temp_oid, db_owner_oid)) + { + grantor = temp; + } + } + + ReleaseSysCache(tup); foreach(lc, stmt->grantees) { int i; 
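Review bot: `grantor_suffix = grantor + grantor_len - suffix_len;` is evaluated before the `grantor_len >= suffix_len` guard on the next line, so for a role name shorter than "_bbfobj" it forms a pointer before the start of the string, which is undefined behaviour in C even though it is never dereferenced. Fold the arithmetic into the guarded condition, `if (grantor_len >= suffix_len && strcmp(grantor + grantor_len - suffix_len, suffix) == 0)`, and drop `grantor_suffix`. The two `psprintf` calls inside the `strcmp` comparison allocate on every GRANT SCHEMA and are never freed; `db_owner_name` from the previous hunk looks like it already holds the `<db>_db_owner` name (confirm against get_db_owner_name), and the `<db>_dbo` string could be built once and reused for the assignment below. The comment `If the grantor is db_owner, set it as dbo` understates the condition, which also requires the target schema to be `<db>_dbo`. exec_stmt_grantschema starts and ends outside this hunk.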
@@ -3971,28 +4019,76 @@ exec_stmt_grantschema(PLtsql_execstate *estate, PLtsql_stmt_grantschema *stmt) exec_grantschema_subcmds(schema_name, rolname, stmt->is_grant, stmt->with_grant_option, permissions[i]); } + bbf_schema_perm_rel = table_open(get_bbf_schema_perms_oid(), RowExclusiveLock); + + ScanKeyInit(&scanKey[0], + Anum_bbf_schema_perms_dbid, + BTEqualStrategyNumber, F_INT2EQ, + Int16GetDatum(get_cur_db_id())); + ScanKeyEntryInitialize(&scanKey[1], 0, + Anum_bbf_schema_perms_schema_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(stmt->schema_name)); + ScanKeyEntryInitialize(&scanKey[2], 0, + Anum_bbf_schema_perms_object_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA)); + ScanKeyEntryInitialize(&scanKey[3], 0, + Anum_bbf_schema_perms_grantee, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(rolname)); + ScanKeyEntryInitialize(&scanKey[4], 0, + Anum_bbf_schema_perms_object_type, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(OBJ_SCHEMA)); + ScanKeyEntryInitialize(&scanKey[5], 0, + Anum_bbf_schema_perms_grantor, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantor)); + // scan = systable_beginscan(bbf_schema_perm_rel, + // get_bbf_schema_perms_idx_oid(), + // true, NULL, 6, scanKey); + if (stmt->is_grant) { /* For GRANT statement, add or update privileges in the catalog. 
*/ - add_or_update_object_in_bbf_schema(stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, stmt->privileges, rolname, OBJ_SCHEMA, true, NULL); + add_or_update_object_in_bbf_schema(bbf_schema_perm_rel, scanKey, stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, stmt->privileges, rolname, OBJ_SCHEMA, true, NULL, grantor, false); } else { /* For REVOKE statement, update privileges in the catalog. */ - if (privilege_exists_in_bbf_schema_permissions(stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, rolname, OBJ_SCHEMA)) + if (privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, rolname, OBJ_SCHEMA, grantor, false)) { /* If any object in the schema has the OBJECT level permission. Then, internally grant that permission back. */ for (i = 0; i < NUMBER_OF_PERMISSIONS; i++) { if (stmt->privileges & permissions[i]) - grant_perms_to_objects_in_schema(stmt->schema_name, permissions[i], rolname); + grant_perms_to_objects_in_schema(stmt->schema_name, permissions[i], rolname, grantor); } - update_privileges_of_object(stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, stmt->privileges, rolname, OBJ_SCHEMA, false); + update_privileges_of_object(bbf_schema_perm_rel, scanKey, stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, stmt->privileges, rolname, OBJ_SCHEMA, false, grantor, false); } } pfree(rolname); + // systable_endscan(scan); + table_close(bbf_schema_perm_rel, RowExclusiveLock); } pfree(user); + pfree(db_owner_name); pfree(schema_name); pfree(dbname); pfree(login); diff --git a/contrib/babelfishpg_tsql/src/pl_handler.c b/contrib/babelfishpg_tsql/src/pl_handler.c index 50954f43b3d..fcc8eec9b39 100644 --- a/contrib/babelfishpg_tsql/src/pl_handler.c +++ b/contrib/babelfishpg_tsql/src/pl_handler.c 
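Review bot: `stmt->with_grant_option` reaches exec_grantschema_subcmds, but both catalog calls in this hunk pass a literal `false` as their last argument, which the revoke helper earlier in this diff documents as "permissions without grant_option"; a `GRANT ... ON SCHEMA ... WITH GRANT OPTION` would then be recorded as a plain grant while the PostgreSQL ACL carries the grant option, and the REVOKE branch only consults the non-grant-option row. If WITH GRANT OPTION is intentionally not tracked for schema-level grants, a comment on the `add_or_update_object_in_bbf_schema` call saying so would stop the next reader from treating it as a bug; otherwise pass `stmt->with_grant_option` through and look up both rows on REVOKE as the object-level revoke path does. Stylistically, `tsql_get_database_or_server_collation_oid_internal(false)` is called five times per grantee while filling `scanKey`; a single local `Oid collation = ...` before the first ScanKeyEntryInitialize reads better, and the DropRoleStmt hunk in pl_handler.c has the same pattern. exec_stmt_grantschema starts outside this hunk.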
@@ -64,6 +64,7 @@ #include "utils/acl.h" #include "utils/builtins.h" #include "utils/guc_tables.h" +#include "utils/fmgroids.h" #include "utils/inval.h" #include "utils/lsyscache.h" #include "utils/plancache.h" @@ -2968,6 +2969,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, strcmp(queryString, CREATE_FIXED_DB_ROLES) != 0) { CreateRoleStmt *stmt = (CreateRoleStmt *) parsetree; + Relation bbf_schema_perm_rel; List *login_options = NIL; List *user_options = NIL; ListCell *option; @@ -3344,6 +3346,8 @@ bbf_ProcessUtility(PlannedStmt *pstmt, PG_TRY(); { + const char *current_db_name = get_cur_db_name(); + const char *grantor = psprintf("%s_dbo", current_db_name); /* * We have performed all the permissions checks. * Set current user to bbf_role_admin for create permissions. @@ -3383,8 +3387,16 @@ bbf_ProcessUtility(PlannedStmt *pstmt, * our babelfish catalog. These roles are meant to be internal * and not be visible to customer from Babelfish endpoint. */ + bbf_schema_perm_rel = table_open(get_bbf_schema_perms_oid(), RowExclusiveLock); if (strcmp(queryString, INTERNAL_ALTER_ROLE) != 0) + { create_bbf_authid_user_ext(stmt, isuser, isuser, from_windows); + + /* Add connect privillege entry into the bbf_schema_permissions, which is granted by default when a user is created. */ + if(isuser) + add_entry_to_bbf_schema_perms(bbf_schema_perm_rel, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, ACL_CONNECT, stmt->role, OBJ_DATABASE, NULL, grantor, false); + } + table_close(bbf_schema_perm_rel, RowExclusiveLock); } } 
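Review bot: In the -3383 hunk `table_open(get_bbf_schema_perms_oid(), RowExclusiveLock)` runs before the `INTERNAL_ALTER_ROLE` check and regardless of `isuser`, so every CREATE LOGIN and internal ALTER ROLE now takes a RowExclusiveLock on bbf_schema_permissions although only the `if(isuser)` branch writes to it; unless `bbf_schema_perm_rel` is used on a path outside this hunk, move the open/close pair inside that branch. The `current_db_name` and `grantor` locals added in the -3344 hunk are used only by that one call and could be declared next to it. The added comment has a typo: `privillege` should read `privilege`.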
@@ -4022,6 +4034,71 @@ bbf_ProcessUtility(PlannedStmt *pstmt, errmsg("Could not drop login '%s' as the user is currently logged in.", role_name))); } + /* Remove the CONNECT privilege entry from bbf_schema_permissions when a user is dropped. */ + foreach(item, stmt->roles) + { + RoleSpec *rolspec = lfirst(item); + const char *current_db_name = get_cur_db_name(); + const char *grantee = GetUserNameFromId(get_role_oid(rolspec->rolename, false), false); + const char *grantor = psprintf("%s_dbo", current_db_name); + Relation bbf_schema_perm_rel; + ScanKeyData scanKey[6]; + // SysScanDesc scan; + + bbf_schema_perm_rel = table_open(get_bbf_schema_perms_oid(), RowExclusiveLock); + + ScanKeyInit(&scanKey[0], + Anum_bbf_schema_perms_dbid, + BTEqualStrategyNumber, F_INT2EQ, + Int16GetDatum(get_cur_db_id())); + ScanKeyEntryInitialize(&scanKey[1], 0, + Anum_bbf_schema_perms_schema_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(PERMISSIONS_FOR_DATABASE)); + ScanKeyEntryInitialize(&scanKey[2], 0, + Anum_bbf_schema_perms_object_name, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA)); + ScanKeyEntryInitialize(&scanKey[3], 0, + Anum_bbf_schema_perms_grantee, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantee)); + ScanKeyEntryInitialize(&scanKey[4], 0, + Anum_bbf_schema_perms_object_type, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(OBJ_DATABASE)); + ScanKeyEntryInitialize(&scanKey[5], 0, + Anum_bbf_schema_perms_grantor, + BTEqualStrategyNumber, + InvalidOid, + tsql_get_database_or_server_collation_oid_internal(false), + F_TEXTEQ, + CStringGetTextDatum(grantor)); + // scan = 
systable_beginscan(bbf_schema_perm_rel, + // get_bbf_schema_perms_idx_oid(), + // true, NULL, 6, scanKey); + + + if(privilege_exists_in_bbf_schema_permissions(bbf_schema_perm_rel, scanKey, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, grantee, OBJ_DATABASE, grantor, false)) + { + update_privileges_of_object(bbf_schema_perm_rel, scanKey, PERMISSIONS_FOR_DATABASE, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, ACL_CONNECT, grantee, OBJ_DATABASE, false, grantor, false); + } + // systable_endscan(scan); + table_close(bbf_schema_perm_rel, RowExclusiveLock); + } + /* * We have performed all the permissions checks. * Set current user to bbf_role_admin for drop permissions. 
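Review bot: Only the CONNECT row whose grantor is `<db>_dbo` is removed when a user is dropped; rows for the same grantee with another grantor, and its schema- and object-level rows, are not touched in this hunk. If no other part of the drop path deletes them, they remain in bbf_schema_permissions after the role is gone and a user later created with the same name would inherit them, so it is worth confirming where that cleanup happens and referencing it in the comment above the loop. `get_role_oid(rolspec->rolename, false)` errors for a missing role before the normal drop handling; passing `stmt->missing_ok` instead would preserve `DROP USER IF EXISTS` semantics, assuming the T-SQL layer has not already rejected a missing user. `get_cur_db_name()` and the `grantor` psprintf are loop-invariant and can be hoisted above the foreach. bbf_ProcessUtility continues outside this hunk.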
@@ -4647,206 +4724,9 @@ bbf_ProcessUtility(PlannedStmt *pstmt, Assert(list_length(grant->objects) == 1); if (grant->objtype == OBJECT_SCHEMA) break; - else if (grant->objtype == OBJECT_TABLE && strcmp(CREATE_LOGICAL_DATABASE, queryString) != 0 && strcmp(queryString, CREATE_FIXED_DB_ROLES) != 0) + else if ((grant->objtype == OBJECT_TABLE && strcmp(CREATE_LOGICAL_DATABASE, queryString) != 0 && strcmp(queryString, CREATE_FIXED_DB_ROLES) != 0) || (grant->objtype == OBJECT_PROCEDURE) || (grant->objtype == OBJECT_FUNCTION)) { - /* - * Ignore GRANT statements that are executed implicitly as a part of - * CREATE database statements. Refer: create_bbf_db_internal(). - * These GRANT statement are just executed at the end, without checking any - * schema permission or adding catalog entry. - */ - RangeVar *rv = (RangeVar *) linitial(grant->objects); - const char *current_user = GetUserNameFromId(GetUserId(), false); - const char *logical_schema = NULL; - char *obj = rv->relname; - bool exec_pg_command = false; - ListCell *lc; - ListCell *lc1; - if (rv->schemaname != NULL) - logical_schema = get_logical_schema_name(rv->schemaname, false); - else - logical_schema = get_authid_user_ext_schema_name(dbname, current_user); - - /* If ALL PRIVILEGES is granted/revoked. */ - if (list_length(grant->privileges) == 0) - { - if (grant->is_grant) - { - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. */ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - add_or_update_object_in_bbf_schema(logical_schema, obj, ALL_PERMISSIONS_ON_RELATION, rol_spec->rolename, OBJ_RELATION, true, NULL); - } - } - else - { - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. */ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - /* - * 1. If permission on schema exists, don't revoke any permission from the object. - * 2. 
If permission on object exists, update the privilege in the catalog and revoke permission. - */ - update_privileges_of_object(logical_schema, obj, ALL_PERMISSIONS_ON_RELATION, rol_spec->rolename, OBJ_RELATION, false); - if (privilege_exists_in_bbf_schema_permissions(logical_schema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, rol_spec->rolename, OBJ_SCHEMA)) - return; - } - } - exec_pg_command = true; - } - foreach(lc1, grant->privileges) - { - AccessPriv *ap = (AccessPriv *) lfirst(lc1); - AclMode privilege = string_to_privilege(ap->priv_name); - if (grant->is_grant) - { - exec_pg_command = true; - /* Don't add/update an entry, if the permission is granted on column list.*/ - if (ap->cols == NULL) - { - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. */ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - add_or_update_object_in_bbf_schema(logical_schema, obj, privilege, rol_spec->rolename, OBJ_RELATION, true, NULL); - } - } - } - else - { - /* Don't update an entry, if the permission is granted on column list.*/ - if (ap->cols == NULL) - { - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. */ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - /* - * If permission on schema exists, don't revoke any permission from the object. 
- */ - if (!exec_pg_command && !privilege_exists_in_bbf_schema_permissions(logical_schema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, rol_spec->rolename, OBJ_SCHEMA)) - exec_pg_command = true; - - update_privileges_of_object(logical_schema, obj, privilege, rol_spec->rolename, OBJ_RELATION, false); - } - } - } - } - if (exec_pg_command) - call_prev_ProcessUtility(pstmt, queryString, readOnlyTree, context, params, queryEnv, dest, qc); - return; - } - else if ((grant->objtype == OBJECT_PROCEDURE) || (grant->objtype == OBJECT_FUNCTION)) - { - ObjectWithArgs *ob = (ObjectWithArgs *) linitial(grant->objects); - const char *current_user = GetUserNameFromId(GetUserId(), false); - ListCell *lc; - ListCell *lc1; - bool exec_pg_command = false; - const char *logicalschema = NULL; - char *funcname = NULL; - const char *obj_type = NULL; - Oid func_oid = LookupFuncWithArgs(OBJECT_ROUTINE, ob, true); - const char *func_args = NULL; - if (OidIsValid(func_oid)) - func_args = gen_func_arg_list(func_oid); - if (grant->objtype == OBJECT_FUNCTION) - obj_type = OBJ_FUNCTION; - else - obj_type = OBJ_PROCEDURE; - if (list_length(ob->objname) == 1) - { - Node *func = (Node *) linitial(ob->objname); - funcname = strVal(func); - logicalschema = get_authid_user_ext_schema_name(dbname, current_user); - } - else - { - Node *schema = (Node *) linitial(ob->objname); - char *schemaname = strVal(schema); - Node *func = (Node *) lsecond(ob->objname); - logicalschema = get_logical_schema_name(schemaname, true); - funcname = strVal(func); - } - - /* If ALL PRIVILEGES is granted/revoked. */ - if (list_length(grant->privileges) == 0) - { - if (grant->is_grant) - { - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. 
*/ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - add_or_update_object_in_bbf_schema(logicalschema, funcname, ALL_PERMISSIONS_ON_FUNCTION, rol_spec->rolename, obj_type, true, func_args); - } - } - else - { - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. */ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - /* - * 1. If permission on schema exists, don't revoke any permission from the object. - * 2. If permission on object exists, update the privilege in the catalog and revoke permission. - */ - update_privileges_of_object(logicalschema, funcname, ALL_PERMISSIONS_ON_FUNCTION, rol_spec->rolename, obj_type, false); - if (privilege_exists_in_bbf_schema_permissions(logicalschema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, rol_spec->rolename, OBJ_SCHEMA)) - return; - } - } - exec_pg_command = true; - } - foreach(lc1, grant->privileges) - { - AccessPriv *ap = (AccessPriv *) lfirst(lc1); - AclMode privilege = string_to_privilege(ap->priv_name); - if (grant->is_grant) - { - exec_pg_command = true; - if (strcmp(INTERNAL_GRANT_STATEMENT, queryString) != 0) - { - /* - * If it is an implicit GRANT issued by exec_internal_grant_on_function, then we should not add catalog - * entry. Catalog entry is supposed to be added only by explicit GRANTs. - */ - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. */ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - add_or_update_object_in_bbf_schema(logicalschema, funcname, privilege, rol_spec->rolename, obj_type, true, func_args); - } - } - } - else - { - foreach(lc, grant->grantees) - { - RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Special database roles should throw an error. */ - throw_error_for_fixed_db_role(rol_spec->rolename, dbname); - /* - * If permission on schema exists, don't revoke any permission from the object. 
- */ - if (!exec_pg_command && !privilege_exists_in_bbf_schema_permissions(logicalschema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, rol_spec->rolename, OBJ_SCHEMA)) - exec_pg_command = true; - /* Update the privilege in the catalog. */ - update_privileges_of_object(logicalschema, funcname, privilege, rol_spec->rolename, obj_type, false); - } - } - } - if (exec_pg_command) - call_prev_ProcessUtility(pstmt, queryString, readOnlyTree, context, params, queryEnv, dest, qc); + call_prev_ProcessUtility(pstmt, queryString, readOnlyTree, context, params, queryEnv, dest, qc); return; } pfree(db_datareader); diff --git a/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-cleanup.out b/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-cleanup.out new file mode 100644 index 00000000000..573d781ce30 --- /dev/null +++ b/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-cleanup.out 
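Review bot: The new branch forwards every table, procedure and function GRANT/REVOKE straight to `call_prev_ProcessUtility` and returns, so the `throw_error_for_fixed_db_role` checks and the catalog bookkeeping that the deleted code performed for each grantee no longer happen in bbf_ProcessUtility. The revoke helper earlier in this diff does call `throw_error_for_fixed_db_role` and returns `only_object_grants`, which suggests the logic moved to the T-SQL executor, but nothing here says so; a comment such as `/* Object-level GRANT/REVOKE catalog updates and fixed-db-role checks are performed by the T-SQL GRANT executor; only the PG command runs here. */` would document the contract, and it is worth confirming that the GRANT side also rejects fixed database roles before the PG command runs. The deleted comment explaining why the `CREATE_LOGICAL_DATABASE`/`CREATE_FIXED_DB_ROLES` exclusion exists should be kept next to the surviving condition. The deleted code also skipped the PG REVOKE when a schema-level grant still covered the object (`exec_pg_command`); if the helper's `only_object_grants` result now gates that, the unconditional call here is fine, otherwise an object REVOKE could remove access the schema-level grant is meant to keep. bbf_ProcessUtility continues outside this hunk.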
@@ -0,0 +1,106 @@ +-- tsql + +-- Cleanup +drop table babel_4768_t1_new +go + +drop table babel_4768_s1.babel_4768_t1_new +go + +drop view babel_4768_v1_new +go + +drop view babel_4768_s1.babel_4768_v1_new +go + +drop proc babel_4768_p1_new +go + +drop proc babel_4768_s1.babel_4768_p1_new +go + +drop proc babel_4768_p2_new +go + +drop proc babel_4768_s1.babel_4768_p2_new +go + +drop FUNCTION babel_4768_f1_new +go + +drop FUNCTION babel_4768_s1.babel_4768_f1_new +go + +drop FUNCTION babel_4768_f2_new +go + +drop FUNCTION babel_4768_s1.babel_4768_f2_new +go + +drop schema babel_4768_s1; +go + +drop table babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1 +go + +drop schema babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +go + +DROP TABLE babel_4768_s2.t1 +go + +DROP VIEW babel_4768_s2.v1 +go + +DROP PROC babel_4768_s2.p1 +go + +DROP SCHEMA babel_4768_s2 +GO + +DROP TABLE babel_4768ログイαιώνια.t1 +go + + +DROP TABLE "babel_4768 😎$chem@ #123 🌍rder".t1 +go + +DROP TABLE [babel_4768유니코드스키마👻].t1 +go + +DROP SCHEMA babel_4768ログイαιώνια +GO + +DROP SCHEMA [babel_4768 😎$chem@ #123 🌍rder] +GO + +DROP SCHEMA [babel_4768유니코드스키마👻] +GO + + + +drop user babel_4768_u1; +go + +-- psql +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'babel_4768_l1' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +go +~~START~~ +bool +~~END~~ + + +-- Wait to sync with another session +SELECT pg_sleep(1); +go +~~START~~ +void + +~~END~~ + + +-- tsql +drop login babel_4768_l1; +go diff --git a/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-prepare.out b/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-prepare.out new file mode 100644 index 00000000000..830fdc1c87f --- /dev/null +++ b/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-prepare.out 
@@ -0,0 +1,191 @@ +-- tsql +create schema babel_4768_s1 +go + +create login babel_4768_l1 with password = '12345678' +go + +create user babel_4768_u1 for login babel_4768_l1 +go + +create table babel_4768_t1(a int, b int); +go + +create table babel_4768_s1.babel_4768_t1(a int, b int); +go + +create view babel_4768_v1 as select 1; +go + +create view babel_4768_s1.babel_4768_v1 as select 2; +go + +create proc babel_4768_p1 as select 1; +go + +create proc babel_4768_s1.babel_4768_p1 as select 1; +go + +create proc babel_4768_p2 @l datetimeoffset(2) as select 1; +go + +create proc babel_4768_s1.babel_4768_p2 @l datetimeoffset(2) as select 1; +go + +CREATE FUNCTION babel_4768_f1() returns int begin declare @a int; set @a = 1; return @a; end +go + +CREATE FUNCTION babel_4768_s1.babel_4768_f1() returns int begin declare @a int; set @a = 1; return @a; end +go + +CREATE FUNCTION babel_4768_f2(@l int) returns int begin declare @a int; set @a = 1; return @a; end +go + +CREATE FUNCTION babel_4768_s1.babel_4768_f2(@l int) returns int begin declare @a int; set @a = 1; return @a; end +go + +-- tsql +-- GRANT individual object access to babel_4768_u1 +GRANT SELECT ON dbo.babel_4768_t1 TO babel_4768_u1 +go + +GRANT SELECT ON babel_4768_s1.babel_4768_t1 TO babel_4768_u1 +go + +GRANT SELECT ON dbo.babel_4768_v1 TO babel_4768_u1 +go + +GRANT SELECT ON babel_4768_s1.babel_4768_v1 TO babel_4768_u1 +go + +GRANT EXECUTE ON dbo.babel_4768_p1 TO babel_4768_u1 +GO + +GRANT EXECUTE ON babel_4768_s1.babel_4768_p1 TO babel_4768_u1 +GO + +GRANT EXECUTE ON dbo.babel_4768_p2 TO babel_4768_u1 +GO + +GRANT EXECUTE ON babel_4768_s1.babel_4768_p2 TO babel_4768_u1 +GO + +GRANT EXECUTE ON dbo.babel_4768_f1 TO babel_4768_u1 +GO + +GRANT EXECUTE ON babel_4768_s1.babel_4768_f1 TO babel_4768_u1 +GO + +GRANT EXECUTE ON dbo.babel_4768_f2 TO babel_4768_u1 +GO + +GRANT EXECUTE ON babel_4768_s1.babel_4768_f2 TO babel_4768_u1 +GO + +GRANT SELECT, EXECUTE ON SCHEMA::dbo TO babel_4768_u1 +GO + +GRANT SELECT, 
EXECUTE ON SCHEMA::babel_4768_s1 TO babel_4768_u1 +GO + +-- psql +select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" +babel_4768_s1#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!# +babel_4768_s1#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!# +babel_4768_s1#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!# +babel_4768_s1#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!# +babel_4768_s1#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!# +babel_4768_s1#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!# +babel_4768_s1#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!# +~~END~~ + + +select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'dbo' and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" +dbo#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!# +dbo#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!# +dbo#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!# +dbo#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!# +dbo#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!# +dbo#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!# +dbo#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!# +~~END~~ + + +-- tsql +-- to test schema length truncation +CREATE SCHEMA babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +go + +CREATE TABLE babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1 (a int) +go + 
+GRANT SELECT ON babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1 TO babel_4768_u1 +go + +-- to test perms of multiple objects in same schema +CREATE SCHEMA babel_4768_s2 +GO + +CREATE TABLE babel_4768_s2.t1 (a int) +go + +create view babel_4768_s2.v1 as select 1; +go + +create proc babel_4768_s2.p1 as select 1; +go + +GRANT SELECT ON babel_4768_s2.t1 TO babel_4768_u1 +go + +GRANT SELECT ON babel_4768_s2.v1 TO babel_4768_u1 +go + + +GRANT EXECUTE ON babel_4768_s2.p1 TO babel_4768_u1 +go + +-- to test consistency in case of special characters in schema name +CREATE SCHEMA babel_4768ログイαιώνια +GO + +CREATE SCHEMA [babel_4768 😎$chem@ #123 🌍rder] +GO + +CREATE SCHEMA [babel_4768유니코드스키마👻] +GO + +CREATE TABLE babel_4768ログイαιώνια.t1 (a int) +go + +GRANT SELECT ON babel_4768ログイαιώνια.t1 TO babel_4768_u1 +go + +CREATE TABLE "babel_4768 😎$chem@ #123 🌍rder".t1 (a int) +go + +GRANT SELECT ON "babel_4768 😎$chem@ #123 🌍rder".t1 TO babel_4768_u1 +go + +CREATE TABLE [babel_4768유니코드스키마👻].t1 (a int) +go + +GRANT SELECT ON [babel_4768유니코드스키마👻].t1 TO babel_4768_u1 +go + + + +-- check for inconsistent metadata before upgrade +select COUNT(*) FROM sys.babelfish_inconsistent_metadata(); +go +~~START~~ +int +0 +~~END~~ + diff --git a/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-verify.out b/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-verify.out new file mode 100644 index 00000000000..439a193bbc6 --- /dev/null +++ b/test/JDBC/expected/1_GRANT_SCHEMA-before-17_6-vu-verify.out 
@@ -0,0 +1,207 @@ +-- tsql +-- check for inconsistent metadata after upgrade +select COUNT(*) FROM sys.babelfish_inconsistent_metadata(); +go +~~START~~ +int +0 +~~END~~ + + +-- psql +select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" +babel_4768_s1#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!#master_dbo +babel_4768_s1#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!#master_dbo +babel_4768_s1#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!#master_dbo +babel_4768_s1#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!#master_dbo +babel_4768_s1#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!#master_dbo +babel_4768_s1#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo +babel_4768_s1#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo +~~END~~ + + +select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" +dbo#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!#master_dbo +dbo#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!#master_dbo +dbo#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!#master_dbo +dbo#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!#master_dbo +dbo#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!#master_dbo +dbo#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo 
+dbo#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo +~~END~~ + + +-- tsql +-- rename the objects where permissions are already granted +sp_rename 'babel_4768_s1.babel_4768_t1', 'babel_4768_t1_new', 'OBJECT'; +go +sp_rename 'babel_4768_s1.babel_4768_v1', 'babel_4768_v1_new', 'OBJECT'; +go +sp_rename 'babel_4768_s1.babel_4768_p1', 'babel_4768_p1_new', 'OBJECT'; +go +sp_rename 'babel_4768_s1.babel_4768_p2', 'babel_4768_p2_new', 'OBJECT'; +go +sp_rename 'babel_4768_s1.babel_4768_f1', 'babel_4768_f1_new', 'OBJECT'; +go +sp_rename 'babel_4768_s1.babel_4768_f2', 'babel_4768_f2_new', 'OBJECT'; +go + +sp_rename 'babel_4768_t1', 'babel_4768_t1_new', 'OBJECT'; +go +sp_rename 'babel_4768_v1', 'babel_4768_v1_new', 'OBJECT'; +go +sp_rename 'babel_4768_p1', 'babel_4768_p1_new', 'OBJECT'; +go +sp_rename 'babel_4768_p2', 'babel_4768_p2_new', 'OBJECT'; +go +sp_rename 'babel_4768_f1', 'babel_4768_f1_new', 'OBJECT'; +go +sp_rename 'babel_4768_f2', 'babel_4768_f2_new', 'OBJECT'; +go + +-- psql +-- catalog should show new object names +select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text +babel_4768_s1#!#ALL#!#130#!#master_babel_4768_u1#!#s#!# +babel_4768_s1#!#babel_4768_f1_new#!#128#!#master_babel_4768_u1#!#f#!# +babel_4768_s1#!#babel_4768_f2_new#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4 +babel_4768_s1#!#babel_4768_p1_new#!#128#!#master_babel_4768_u1#!#p#!# +babel_4768_s1#!#babel_4768_p2_new#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset +babel_4768_s1#!#babel_4768_t1_new#!#2#!#master_babel_4768_u1#!#r#!# +babel_4768_s1#!#babel_4768_v1_new#!#2#!#master_babel_4768_u1#!#r#!# +~~END~~ + + +select schema_name, object_name, permission, grantee, object_type, 
function_args from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text +dbo#!#ALL#!#130#!#master_babel_4768_u1#!#s#!# +dbo#!#babel_4768_f1_new#!#128#!#master_babel_4768_u1#!#f#!# +dbo#!#babel_4768_f2_new#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4 +dbo#!#babel_4768_p1_new#!#128#!#master_babel_4768_u1#!#p#!# +dbo#!#babel_4768_p2_new#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset +dbo#!#babel_4768_t1_new#!#2#!#master_babel_4768_u1#!#r#!# +dbo#!#babel_4768_v1_new#!#2#!#master_babel_4768_u1#!#r#!# +~~END~~ + + +-- tsql +REVOKE SELECT, EXECUTE ON SCHEMA::dbo FROM babel_4768_u1 +GO + +REVOKE SELECT, EXECUTE ON SCHEMA::babel_4768_s1 FROM babel_4768_u1 +GO + +-- psql +-- catalog entry ALL should be gone now +select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text +babel_4768_s1#!#babel_4768_f1_new#!#128#!#master_babel_4768_u1#!#f#!# +babel_4768_s1#!#babel_4768_f2_new#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4 +babel_4768_s1#!#babel_4768_p1_new#!#128#!#master_babel_4768_u1#!#p#!# +babel_4768_s1#!#babel_4768_p2_new#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset +babel_4768_s1#!#babel_4768_t1_new#!#2#!#master_babel_4768_u1#!#r#!# +babel_4768_s1#!#babel_4768_v1_new#!#2#!#master_babel_4768_u1#!#r#!# +~~END~~ + + +select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate 
sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text +dbo#!#babel_4768_f1_new#!#128#!#master_babel_4768_u1#!#f#!# +dbo#!#babel_4768_f2_new#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4 +dbo#!#babel_4768_p1_new#!#128#!#master_babel_4768_u1#!#p#!# +dbo#!#babel_4768_p2_new#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset +dbo#!#babel_4768_t1_new#!#2#!#master_babel_4768_u1#!#r#!# +dbo#!#babel_4768_v1_new#!#2#!#master_babel_4768_u1#!#r#!# +~~END~~ + + +-- tsql +-- REVOKE individual object access from babel_4768_u1 +REVOKE SELECT ON dbo.babel_4768_t1_new FROM babel_4768_u1 +go + +REVOKE SELECT ON babel_4768_s1.babel_4768_t1_new FROM babel_4768_u1 +go + +REVOKE SELECT ON dbo.babel_4768_v1_new FROM babel_4768_u1 +go + +REVOKE SELECT ON babel_4768_s1.babel_4768_v1_new FROM babel_4768_u1 +go + +REVOKE EXECUTE ON babel_4768_p1_new FROM babel_4768_u1 +GO + +REVOKE EXECUTE ON babel_4768_s1.babel_4768_p1_new FROM babel_4768_u1 +GO + +REVOKE EXECUTE ON babel_4768_p2_new FROM babel_4768_u1 +GO + +REVOKE EXECUTE ON babel_4768_s1.babel_4768_p2_new FROM babel_4768_u1 +GO + +REVOKE EXECUTE ON babel_4768_f1_new FROM babel_4768_u1 +GO + +REVOKE EXECUTE ON babel_4768_s1.babel_4768_f1_new FROM babel_4768_u1 +GO + +REVOKE EXECUTE ON babel_4768_f2_new FROM babel_4768_u1 +GO + +REVOKE EXECUTE ON babel_4768_s1.babel_4768_f2_new FROM babel_4768_u1 +GO + +REVOKE SELECT ON babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1 FROM babel_4768_u1 +go + + +REVOKE SELECT ON babel_4768_s2.t1 FROM babel_4768_u1 +go + +REVOKE SELECT ON babel_4768_s2.v1 FROM babel_4768_u1 +go + +REVOKE EXECUTE ON babel_4768_s2.p1 FROM babel_4768_u1 +go + +REVOKE SELECT ON babel_4768ログイαιώνια.t1 FROM babel_4768_u1 +go + +REVOKE SELECT ON "babel_4768 😎$chem@ #123 🌍rder".t1 FROM babel_4768_u1 +go + +REVOKE SELECT ON [babel_4768유니코드스키마👻].t1 FROM babel_4768_u1 +go + +-- psql +-- catalog should 
be empty now +select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text +~~END~~ + + +select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name; +go +~~START~~ +"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text +~~END~~ + diff --git a/test/JDBC/expected/1_GRANT_SCHEMA-vu-prepare.out b/test/JDBC/expected/1_GRANT_SCHEMA-vu-prepare.out index 830fdc1c87f..052511ffe1f 100644 --- a/test/JDBC/expected/1_GRANT_SCHEMA-vu-prepare.out +++ b/test/JDBC/expected/1_GRANT_SCHEMA-vu-prepare.out 
@@ -93,13 +93,13 @@ select schema_name, object_name, permission, grantee, object_type, function_args go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" -babel_4768_s1#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!# -babel_4768_s1#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!# -babel_4768_s1#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!# -babel_4768_s1#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!# -babel_4768_s1#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!# -babel_4768_s1#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!# -babel_4768_s1#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!# +babel_4768_s1#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!#master_dbo +babel_4768_s1#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!#master_dbo +babel_4768_s1#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!#master_dbo +babel_4768_s1#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!#master_dbo +babel_4768_s1#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!#master_dbo +babel_4768_s1#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo +babel_4768_s1#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo ~~END~~ 
@@ -107,13 +107,13 @@ select schema_name, object_name, permission, grantee, object_type, function_args go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" -dbo#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!# -dbo#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!# -dbo#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!# -dbo#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!# -dbo#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!# -dbo#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!# -dbo#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!# +dbo#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!#master_dbo +dbo#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!#master_dbo +dbo#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!#master_dbo +dbo#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!#master_dbo +dbo#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!#master_dbo +dbo#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo +dbo#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo ~~END~~ diff --git a/test/JDBC/expected/1_GRANT_SCHEMA-vu-verify.out b/test/JDBC/expected/1_GRANT_SCHEMA-vu-verify.out index 7b231e04b21..439a193bbc6 100644 --- a/test/JDBC/expected/1_GRANT_SCHEMA-vu-verify.out +++ b/test/JDBC/expected/1_GRANT_SCHEMA-vu-verify.out 
@@ -13,13 +13,13 @@ select schema_name, object_name, permission, grantee, object_type, function_args go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" -babel_4768_s1#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!# -babel_4768_s1#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!# -babel_4768_s1#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!# -babel_4768_s1#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!# -babel_4768_s1#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!# -babel_4768_s1#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!# -babel_4768_s1#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!# +babel_4768_s1#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!#master_dbo +babel_4768_s1#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!#master_dbo +babel_4768_s1#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!#master_dbo +babel_4768_s1#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!#master_dbo +babel_4768_s1#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!#master_dbo +babel_4768_s1#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo +babel_4768_s1#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo ~~END~~ 
@@ -27,13 +27,13 @@ select schema_name, object_name, permission, grantee, object_type, function_args go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#bpchar#!#text#!#"sys"."varchar" -dbo#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!# -dbo#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!# -dbo#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!# -dbo#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!# -dbo#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!# -dbo#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!# -dbo#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!# +dbo#!#ALL#!#130#!#master_babel_4768_u1#!#s#!##!#master_dbo +dbo#!#babel_4768_f1#!#128#!#master_babel_4768_u1#!#f#!##!#master_dbo +dbo#!#babel_4768_f2#!#128#!#master_babel_4768_u1#!#f#!#pg_catalog.int4#!#master_dbo +dbo#!#babel_4768_p1#!#128#!#master_babel_4768_u1#!#p#!##!#master_dbo +dbo#!#babel_4768_p2#!#128#!#master_babel_4768_u1#!#p#!#sys.datetimeoffset#!#master_dbo +dbo#!#babel_4768_t1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo +dbo#!#babel_4768_v1#!#2#!#master_babel_4768_u1#!#r#!##!#master_dbo ~~END~~ diff --git a/test/JDBC/expected/BABEL-3865.out b/test/JDBC/expected/BABEL-3865.out index ec071432a6f..023f8062f81 100644 --- a/test/JDBC/expected/BABEL-3865.out +++ b/test/JDBC/expected/BABEL-3865.out 
@@ -128,19 +128,27 @@ GO GRANT ALL ON #temp_5 TO role_a GO - -DROP ROLE role_a -GO ~~ERROR (Code: 33557097)~~ -~~ERROR (Message: role "master_role_a" cannot be dropped because some objects depend on it)~~ +~~ERROR (Message: Cannot find the object "#temp_5", because it does not exist or you do not have permission.)~~ +DROP ROLE role_a +GO + REVOKE ALL ON #temp_5 FROM role_a GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User or role "role_a" does not exist)~~ + DROP TABLE #temp_5 GO DROP ROLE role_a GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the role 'role_a', because it does not exist or you do not have permission.)~~ + diff --git a/test/JDBC/expected/GRANT_SCHEMA.out b/test/JDBC/expected/GRANT_SCHEMA.out index 16d4c4b5d08..ff875f213fa 100644 --- a/test/JDBC/expected/GRANT_SCHEMA.out +++ b/test/JDBC/expected/GRANT_SCHEMA.out @@ -540,11 +540,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; -- and obje go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ 
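Review bot: In hunk `@@ -128,19 +128,27 @@` of BABEL-3865.out the `GRANT ALL ON #temp_5 TO role_a` line now expects "Cannot find the object "#temp_5"...", so the case this file existed for — `DROP ROLE role_a` being refused while a grant on the temp table depends on it — is no longer exercised: the drop now succeeds, and the later `REVOKE` and second `DROP ROLE` only report that the role is already gone. If the object-not-found on `#temp_5` is intended, the file should record that with a comment above the GRANT such as `-- GRANT on a temp table is expected to fail here, so DROP ROLE is no longer blocked by a dependent grant` and the now-redundant trailing `DROP ROLE role_a` can be removed; if it is not intended, this expectation locks in a regression in temp-table permission lookup. The statements that create `#temp_5` and `role_a` are outside the hunk, so whether the temp table is still visible to the session issuing the GRANT cannot be checked from here.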
@@ -567,11 +567,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ @@ -763,11 +763,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ 
@@ -792,11 +792,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ @@ -1658,11 +1658,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; -- and obje go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ 
@@ -1685,11 +1685,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ @@ -1881,11 +1881,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ 
@@ -1910,11 +1910,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo +babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!#babel_4344_d1_dbo ~~END~~ @@ -2690,7 +2690,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -2700,12 +2702,8 @@ go update s1.t1 set a = 2 where a = 1; go -~~ROW COUNT: 1~~ - delete from s1.t1 where a = 2; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -2809,7 +2807,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -2819,12 +2819,8 @@ go update s1.t1 set a = 2 where a = 1; go -~~ROW COUNT: 1~~ - delete from s1.t1 where a = 2; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ 
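Review bot: In hunks `@@ -2690`, `@@ -2809`, `@@ -3445`, `@@ -3577`, `@@ -3712`, `@@ -3859`, `@@ -3986`, `@@ -4115` and `@@ -4251` of GRANT_SCHEMA.out the `~~ROW COUNT: 1~~` after `insert successful` is replaced by "Cannot GRANT privileges to the entity owner or the grantor themselves", and in the hunk following each of them (`@@ -2700`, `@@ -2819`, `@@ -3461`, `@@ -3593`, `@@ -3728`, `@@ -3875`, `@@ -4002`, `@@ -4131`, `@@ -4267`) the row counts for `update s1.t1 set a = 2 where a = 1` and the `delete from s1.t1 ...` disappear. The statement that now raises sits before each hunk, so the grantee is not visible, but the vanished row counts presumably mean the update and delete no longer find the row they were written to touch, i.e. the DML assertions in these sections have quietly become no-ops rather than being re-targeted. Either the rejected GRANT should name a grantee that is not the owner/grantor so the DML still affects a row, or the update/delete lines should be removed with a comment saying why, e.g. `-- GRANT above is rejected (grantee is the owner); no row exists for the DML below`.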
@@ -3037,9 +3033,9 @@ u1 select * from s1.t1; go -~~START~~ -int -~~END~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table t1)~~ insert into s1.t1 values (1); go @@ -3233,9 +3229,9 @@ u1 select * from s1.t1; go -~~START~~ -int -~~END~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table t1)~~ insert into s1.t1 values (1); go @@ -3445,7 +3441,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3461,8 +3459,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -3577,7 +3573,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3593,8 +3591,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -3712,7 +3708,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3728,8 +3726,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -3859,7 +3855,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3875,8 +3873,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ 
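Review bot: Hunk `@@ -3037,9 +3033,9 @@` (and `@@ -3233`) in GRANT_SCHEMA.out changes `select * from s1.t1` in the `u1` section from an empty result set to "permission denied for table t1", which alters what the test asserts about u1's access rather than just the output format. Nothing in the hunk states whether u1 is supposed to have lost SELECT on s1.t1; if u1 owns s1 or the table, an owner being denied SELECT would be a regression that this expectation locks in, and if a grant to u1 was dropped by the same change that should be called out. A one-line comment above the statement stating the intended outcome, e.g. `-- u1 has no SELECT on s1.t1 at this point; expect permission denied`, would make the expectation reviewable. The section's setup is outside the hunk.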
@@ -3986,7 +3982,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -4002,8 +4000,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -4115,7 +4111,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -4131,8 +4129,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -4251,7 +4247,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -4267,8 +4265,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -6645,8 +6641,8 @@ where object_name = 'GRANT_SCHEMA_t1' collate sys.database_default; go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -dbo#!#grant_schema_t1#!#128#!#master_guest#!# -dbo#!#grant_schema_t1#!#2#!#master_guest#!# +dbo#!#grant_schema_t1#!#128#!#master_guest#!#master_dbo +dbo#!#grant_schema_t1#!#2#!#master_guest#!#master_dbo ~~END~~ diff --git a/test/JDBC/expected/db_accessadmin-vu-verify.out b/test/JDBC/expected/db_accessadmin-vu-verify.out index fda5e04f780..569b53c77d8 100644 --- a/test/JDBC/expected/db_accessadmin-vu-verify.out +++ b/test/JDBC/expected/db_accessadmin-vu-verify.out 
@@ -101,25 +101,25 @@ GO ~~ERROR (Message: Cannot use the special principal 'db_accessadmin')~~ -- Cannot GRANT/REVOKE on objects TO/FROM db_accessadmin -GRANT ALL on object::t1 to db_accessadmin; -- Error, no grant on special roles +GRANT ALL on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ -REVOKE ALL on object::t1 to db_accessadmin; -- Error, no grant on special roles +REVOKE ALL on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ -GRANT SELECT on object::t1 to db_accessadmin; -- Error, no grant on special roles +GRANT SELECT on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ -REVOKE EXECUTE on object::t1 to db_accessadmin; -- Error, no grant on special roles +REVOKE EXECUTE on object::babel_5136_f1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ diff --git a/test/JDBC/expected/db_owner-before-17_6-vu-cleanup.out b/test/JDBC/expected/db_owner-before-17_6-vu-cleanup.out new file mode 100644 index 00000000000..773ac427df2 --- /dev/null +++ b/test/JDBC/expected/db_owner-before-17_6-vu-cleanup.out @@ -0,0 +1,19 @@ +-- tsql +use dbowner__main_db +go +drop database dbowner__test_db +go +drop user dbowner__u1 +go +drop login dbowner__l1 +go +drop login dbowner__l2 +go +drop login dbowner__temp +go +revoke connect from guest +go +use master +go +drop database dbowner__main_db +go diff --git a/test/JDBC/expected/db_owner-before-17_6-vu-prepare.out b/test/JDBC/expected/db_owner-before-17_6-vu-prepare.out new file mode 100644 index 00000000000..6cc1c0e28c3 --- /dev/null 
+++ b/test/JDBC/expected/db_owner-before-17_6-vu-prepare.out 
@@ -0,0 +1,140 @@
+-- tsql
+create database dbowner__main_db
+go
+use dbowner__main_db
+go
+grant connect to guest
+go
+create login dbowner__l1 with password = '123'
+go
+create user dbowner__u1 for login dbowner__l1
+go
+create login dbowner__l2 with password = '123'
+go
+create login dbowner__temp with password = '123'
+go
+create user dbowner__u2 for login dbowner__l2
+go
+create schema dbowner__s0
+go
+create table dbowner__s0.dbowner__t00 (w float)
+go
+create function dbowner__s0.dbowner__f00() returns int as begin return 987 end
+go
+create type dbowner__s0.dbowner__typ00 from int
+go
+create trigger dbowner__s0.dbowner__trg00
+on dbowner__s0.dbowner__t00
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx00 on dbowner__s0.dbowner__t00 (w)
+go
+create view dbowner__s0.dbowner__v00 as select 1
+go
+create sequence dbowner__s0.dbowner__seq00 as int start with 1 increment by 1;
+go
+create schema dbowner__s1 authorization dbowner__u1
+go
+create schema dbowner__s2 authorization dbowner__u2
+go
+create table dbo.dbowner__t0 (x int)
+go
+create function dbo.dbowner__f0() returns int as begin return 10 end
+go
+create procedure dbo.dbowner__p0 as select 20
+go
+create type dbo.dbowner__typ0 from int
+go
+create trigger dbo.dbowner__trg0
+on dbo.dbowner__t0
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx0 on dbo.dbowner__t0 (x)
+go
+create view dbo.dbowner__v0 as select 1
+go
+create sequence dbo.dbowner__seq0 as int start with 2 increment by 2;
+go
+
+create role dbowner__r1
+go
+create role dbowner__r2
+go
+
+-- tsql user=dbowner__l1 password=123
+use dbowner__main_db
+go
+select is_member('db_owner')
+go
+~~START~~
+int
+0
+~~END~~
+
+create table dbowner__s1.dbowner__t1 (a int)
+go
+create function dbowner__s1.dbowner__f1() returns int as begin return 11 end
+go
+create procedure dbowner__s1.dbowner__p1 as select 21
+go
+create type dbowner__s1.dbowner__typ1 from int
+go
+create trigger dbowner__s1.dbowner__trg1
+on dbowner__s1.dbowner__t1
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx1 on dbowner__s1.dbowner__t1 (a)
+go
+create view dbowner__s1.dbowner__v1 as select 1
+go
+create sequence dbowner__s1.dbowner__seq1 as int start with 3 increment by 3;
+go
+
+-- tsql user=dbowner__l2 password=123
+use dbowner__main_db
+go
+select is_member('db_owner')
+go
+~~START~~
+int
+0
+~~END~~
+
+create table dbowner__s2.dbowner__t2 (a int)
+go
+create function dbowner__s2.dbowner__f2() returns int as begin return 12 end
+go
+create procedure dbowner__s2.dbowner__p2 as select 22
+go
+create type dbowner__s2.dbowner__typ2 from int
+go
+create trigger dbowner__s2.dbowner__trg2
+on dbowner__s2.dbowner__t2
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx2 on dbowner__s2.dbowner__t2 (a)
+go
+create view dbowner__s2.dbowner__v2 as select 1
+go
+create sequence dbowner__s2.dbowner__seq2 as int start with 4 increment by 4;
+go
+
+-- tsql
+alter role db_owner add member dbowner__u1
+go
diff --git a/test/JDBC/expected/db_owner-before-17_6-vu-verify.out b/test/JDBC/expected/db_owner-before-17_6-vu-verify.out
new file mode 100644
index 00000000000..c944c747c09
--- /dev/null
+++ b/test/JDBC/expected/db_owner-before-17_6-vu-verify.out
@@ -0,0 +1,2136 @@ +-- psql +-- Before anything, let's check if internal role linking/delinking worked as expected +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbowner__u1_bbfobj' +ORDER BY r.rolname; +go +~~START~~ +name +~~END~~ + + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbowner__u1' +ORDER BY r.rolname; +go +~~START~~ +name +dbowner__main_db_db_owner +dbowner__main_db_dbo +dbowner__main_db_dbowner__u1_bbfobj +~~END~~ + + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_db_owner' +ORDER BY r.rolname; +go +~~START~~ +name +dbowner__main_db_db_accessadmin +dbowner__main_db_db_datareader +dbowner__main_db_db_datawriter +dbowner__main_db_db_ddladmin +dbowner__main_db_db_securityadmin +dbowner__main_db_dbowner__r1 +dbowner__main_db_dbowner__r2 +dbowner__main_db_dbowner__u1_bbfobj +dbowner__main_db_dbowner__u2 +dbowner__main_db_guest +~~END~~ + + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbo' +ORDER BY r.rolname; +go +~~START~~ +name +dbowner__main_db_db_owner +~~END~~ + + +-- tsql +alter login dbowner__l1 with password = '123' +go +alter login dbowner__l2 with password = '123' +go +alter login dbowner__temp with password = '123' +go + +-- Testing for name clash +create login dbowner__main_db_dbowner__u1_bbfobj with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot create database principal "dbowner__main_db_dbowner__u1_bbfobj" as there already exists a Babelfish internal role with the same name)~~ + +use dbowner__main_db +go 
+create login dbowner__nameclash with password = '123' +go +create user dbowner__u1_bbfobj for login dbowner__nameclash +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot create database principal "dbowner__main_db_dbowner__u1_bbfobj" as there already exists a Babelfish internal role with the same name)~~ + +drop login dbowner__nameclash +go +use master +go + +-- Adding/Dropping non-existent user to db_owner should throw error +alter role db_owner add member a_very_invalid_username +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "master_a_very_invalid_username" does not exist)~~ + +alter role db_owner drop member a_very_invalid_username +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "master_a_very_invalid_username" does not exist)~~ + + +-- tsql user=dbowner__l1 password=123 +-- CASE 0: Should not be able to manipulate server level objects +use dbowner__main_db +go +select is_member('db_owner') +go +~~START~~ +int +1 +~~END~~ + +create database dbowner_try_db_create +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied to create database)~~ + +create login dbowner_try_login_create with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbowner__l1 does not have permission to create new login)~~ + +drop login dbowner__l1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the login 'dbowner__l1', because it does not exist or you do not have permission.)~~ + +drop login dbowner__l2 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the login 'dbowner__l2', because it does not exist or you do not have permission.)~~ + +alter server role sysadmin add member dbowner__temp +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbowner__l1 does not have permission to alter server role)~~ + + +-- CASE 1: Able to access all objects in its own database +select is_member('db_owner') +go +~~START~~ +int +1 +~~END~~ + +insert into dbo.dbowner__t0 values (10), 
(20), (30) +go +~~START~~ +varchar +New row inserted +~~END~~ + +~~ROW COUNT: 3~~ + +select * from dbo.dbowner__t0 +go +~~START~~ +int +10 +20 +30 +~~END~~ + +select * from dbo.dbowner__v0 +go +~~START~~ +int +1 +~~END~~ + +select next value for dbo.dbowner__seq0; +go +~~START~~ +bigint +2 +~~END~~ + +select dbo.dbowner__f0() +go +~~START~~ +int +10 +~~END~~ + +exec dbo.dbowner__p0 +go +~~START~~ +int +20 +~~END~~ + +insert into dbowner__s1.dbowner__t1 values (11), (21), (31) +go +~~START~~ +varchar +New row inserted +~~END~~ + +~~ROW COUNT: 3~~ + +select * from dbowner__s1.dbowner__t1 +go +~~START~~ +int +11 +21 +31 +~~END~~ + +select * from dbowner__s1.dbowner__v1 +go +~~START~~ +int +1 +~~END~~ + +select next value for dbowner__s1.dbowner__seq1; +go +~~START~~ +bigint +3 +~~END~~ + +select dbowner__s1.dbowner__f1() +go +~~START~~ +int +11 +~~END~~ + +exec dbowner__s1.dbowner__p1 +go +~~START~~ +int +21 +~~END~~ + +insert into dbowner__s2.dbowner__t2 values (12), (22), (32) +go +~~START~~ +varchar +New row inserted +~~END~~ + +~~ROW COUNT: 3~~ + +select * from dbowner__s2.dbowner__t2 +go +~~START~~ +int +12 +22 +32 +~~END~~ + +select * from dbowner__s2.dbowner__v2 +go +~~START~~ +int +1 +~~END~~ + +select next value for dbowner__s2.dbowner__seq2; +go +~~START~~ +bigint +4 +~~END~~ + +select dbowner__s2.dbowner__f2() +go +~~START~~ +int +12 +~~END~~ + +exec dbowner__s2.dbowner__p2 +go +~~START~~ +int +22 +~~END~~ + + +-- CASE 2: Able to perform DDL on objects in its own database +create table dbowner__s1.dbowner__t11 (a dbowner__s1.dbowner__typ1) +go +create schema dbowner__s3 authorization dbowner__u1 +go +create schema dbowner__sch_u2 authorization dbowner__u2 +go +create schema dbowner__sch_db_owner authorization db_owner +go +create type dbowner__s3.dbowner__typ3 from int +go +create table dbowner__s3.dbowner__t3 (a dbowner__s3.dbowner__typ3) +go +create function dbowner__s3.dbowner__f3() returns int as begin return 13 end +go +create procedure 
dbowner__s3.dbowner__p3 as select 23
+go
+create view dbowner__s3.dbowner__v3 as select 230
+go
+create sequence dbowner__s3.dbowner__seq3 as int start with 5 increment by 5;
+go
+alter table dbo.dbowner__t0 add b int
+go
+alter function dbo.dbowner__f0() returns int as begin return 134 end
+go
+alter procedure dbo.dbowner__p0 as select 234
+go
+alter table dbo.dbowner__t0 drop column b
+go
+alter function dbo.dbowner__f0() returns int as begin return 10 end
+go
+alter procedure dbo.dbowner__p0 as select 20
+go
+
+-- Member of db_owner role should be allowed to rename objects
+exec sp_rename 'dbo.dbowner__t0.x', 'x_renamed', 'column'
+go
+exec sp_rename 'dbo.dbowner__typ0', 'dbowner__typ0_renamed', 'userdatatype'
+go
+exec sp_rename 'dbo.dbowner__t0', 'dbowner__t0_renamed', 'object'
+go
+exec sp_rename 'dbo.dbowner__p0', 'dbowner__p0_renamed', 'object'
+go
+exec sp_rename 'dbo.dbowner__f0', 'dbowner__f0_renamed', 'object'
+go
+exec sp_rename 'dbo.dbowner__v0', 'dbowner__v0_renamed', 'object'
+go
+exec sp_rename 'dbowner__trg0', 'dbowner__trg0_renamed', 'object'
+go
+exec sp_rename 'dbo.dbowner__seq0', 'dbowner__seq0_renamed', 'object'
+go
+
+-- psql
+-- Procedure/function owners should be dbowner__main_db_dbo
+SELECT proname,
+ proowner::regrole
+FROM pg_proc
+WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbo'
+AND proname LIKE 'dbowner__%'
+ORDER BY proname;
+GO
+~~START~~
+name#!#regrole
+dbowner__f0_renamed#!#dbowner__main_db_dbo
+dbowner__p0_renamed#!#dbowner__main_db_dbo
+dbowner__trg0_renamed#!#dbowner__main_db_dbo
+~~END~~
+
+
+-- Object owners should be dbowner__main_db_dbo
+SELECT
+ n.nspname AS schema,
+ c.relname AS table,
+ CASE c.relkind
+ WHEN 'r' THEN 'table'
+ WHEN 'v' THEN 'view'
+ WHEN 'm' THEN 'materialized view'
+ WHEN 'i' THEN 'index'
+ WHEN 'S' THEN 'sequence'
+ WHEN 's' THEN 'special'
+ WHEN 'f' THEN 'foreign table'
+ END AS type,
+ pg_catalog.pg_get_userbyid(c.relowner) AS owner
+FROM pg_catalog.pg_class c
+LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
+WHERE n.nspname = 'dbowner__main_db_dbo'
+AND c.relname LIKE 'dbowner__%'
+AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f')
+ORDER BY n.nspname, c.relkind, c.relname;
+GO
+~~START~~
+name#!#name#!#text#!#name
+dbowner__main_db_dbo#!#dbowner__seq0_renamed#!#sequence#!#dbowner__main_db_dbo
+dbowner__main_db_dbo#!#dbowner__idx0dbowner__t09cffe6f70730964de614f2e351e0e1bf#!#index#!#dbowner__main_db_dbo
+dbowner__main_db_dbo#!#dbowner__t0_renamed#!#table#!#dbowner__main_db_dbo
+dbowner__main_db_dbo#!#dbowner__v0_renamed#!#view#!#dbowner__main_db_dbo
+~~END~~
+
+
+-- tsql user=dbowner__l1 password=123
+exec sp_rename 'dbo.dbowner__t0_renamed', 'dbowner__t0', 'object'
+go
+exec sp_rename 'dbo.dbowner__t0.x_renamed', 'x', 'column'
+go
+exec sp_rename 'dbo.dbowner__typ0_renamed', 'dbowner__typ0', 'userdatatype'
+go
+exec sp_rename 'dbo.dbowner__p0_renamed', 'dbowner__p0', 'object'
+go
+exec sp_rename 'dbo.dbowner__f0_renamed', 'dbowner__f0', 'object'
+go
+exec sp_rename 'dbo.dbowner__v0_renamed', 'dbowner__v0', 'object'
+go
+exec sp_rename 'dbowner__trg0_renamed', 'dbowner__trg0', 'object'
+go
+exec sp_rename 'dbo.dbowner__seq0_renamed', 'dbowner__seq0', 'object'
+go
+
+exec sp_rename 'dbowner__s1.dbowner__t1.a', 'a_renamed', 'column'
+go
+exec sp_rename 'dbowner__s1.dbowner__typ1', 'dbowner__typ1_renamed', 'userdatatype'
+go
+exec sp_rename 'dbowner__s1.dbowner__t1', 'dbowner__t1_renamed', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__p1', 'dbowner__p1_renamed', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__f1', 'dbowner__f1_renamed', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__v1', 'dbowner__v1_renamed', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__trg1', 'dbowner__trg1_renamed', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__seq1', 'dbowner__seq1_renamed', 'object'
+go
+
+exec sp_rename 'dbowner__s3.dbowner__t3.a', 'a_renamed', 'column'
+go
+exec sp_rename 'dbowner__s3.dbowner__typ3', 'dbowner__typ3_renamed', 'userdatatype'
+go
+exec sp_rename 'dbowner__s3.dbowner__t3', 'dbowner__t3_renamed', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__p3', 'dbowner__p3_renamed', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__f3', 'dbowner__f3_renamed', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__v3', 'dbowner__v3_renamed', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__seq3', 'dbowner__seq3_renamed', 'object'
+go
+
+-- psql
+-- Procedure/function owners should be dbowner__main_db_dbowner__u1_bbfobj
+SELECT proname,
+ proowner::regrole
+FROM pg_proc
+WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s1'
+OR pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s3'
+ORDER BY proname;
+GO
+~~START~~
+name#!#regrole
+dbowner__f1_renamed#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__f3_renamed#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__p1_renamed#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__p3_renamed#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__trg1_renamed#!#dbowner__main_db_dbowner__u1_bbfobj
+~~END~~
+
+
+-- Table owners should be dbowner__main_db_dbowner__u1_bbfobj
+SELECT
+ n.nspname AS schema,
+ c.relname AS table,
+ CASE c.relkind
+ WHEN 'r' THEN 'table'
+ WHEN 'v' THEN 'view'
+ WHEN 'm' THEN 'materialized view'
+ WHEN 'i' THEN 'index'
+ WHEN 'S' THEN 'sequence'
+ WHEN 's' THEN 'special'
+ WHEN 'f' THEN 'foreign table'
+ END AS type,
+ pg_catalog.pg_get_userbyid(c.relowner) AS owner
+FROM pg_catalog.pg_class c
+LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
+WHERE (n.nspname = 'dbowner__main_db_dbowner__s1' OR n.nspname = 'dbowner__main_db_dbowner__s3')
+AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f')
+ORDER BY n.nspname, c.relkind, c.relname;
+GO
+~~START~~
+name#!#name#!#text#!#name
+dbowner__main_db_dbowner__s1#!#dbowner__seq1_renamed#!#sequence#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__idx1dbowner__t1051d92a6c0688536803636483cfc1e78#!#index#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__t11#!#table#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__t1_renamed#!#table#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__v1_renamed#!#view#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s3#!#dbowner__seq3_renamed#!#sequence#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s3#!#dbowner__t3_renamed#!#table#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s3#!#dbowner__v3_renamed#!#view#!#dbowner__main_db_dbowner__u1_bbfobj
+~~END~~
+
+
+-- tsql user=dbowner__l1 password=123
+exec sp_rename 'dbowner__s1.dbowner__t1_renamed', 'dbowner__t1', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__t1.a_renamed', 'a', 'column'
+go
+exec sp_rename 'dbowner__s1.dbowner__typ1_renamed', 'dbowner__typ1', 'userdatatype'
+go
+exec sp_rename 'dbowner__s1.dbowner__p1_renamed', 'dbowner__p1', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__f1_renamed', 'dbowner__f1', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__v1_renamed', 'dbowner__v1', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__trg1_renamed', 'dbowner__trg1', 'object'
+go
+exec sp_rename 'dbowner__s1.dbowner__seq1_renamed', 'dbowner__seq1', 'object'
+go
+
+exec sp_rename 'dbowner__s3.dbowner__t3_renamed', 'dbowner__t3', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__t3.a_renamed', 'a', 'column'
+go
+exec sp_rename 'dbowner__s3.dbowner__typ3_renamed', 'dbowner__typ3', 'userdatatype'
+go
+exec sp_rename 'dbowner__s3.dbowner__p3_renamed', 'dbowner__p3', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__f3_renamed', 'dbowner__f3', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__v3_renamed', 'dbowner__v3', 'object'
+go
+exec sp_rename 'dbowner__s3.dbowner__seq3_renamed', 'dbowner__seq3', 'object'
+go
+
+exec sp_rename 'dbowner__s2.dbowner__t2.a', 'a_renamed', 'column'
+go
+exec sp_rename 'dbowner__s2.dbowner__typ2', 'dbowner__typ2_renamed', 'userdatatype'
+go
+exec sp_rename 'dbowner__s2.dbowner__t2', 'dbowner__t2_renamed', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__p2', 'dbowner__p2_renamed', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__f2', 'dbowner__f2_renamed', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__v2', 'dbowner__v2_renamed', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__seq2', 'dbowner__seq2_renamed', 'object'
+go
+
+-- psql
+-- Procedure/function owners should be dbowner__main_db_dbowner__u2
+SELECT proname,
+ proowner::regrole
+FROM pg_proc
+WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s2'
+ORDER BY proname;
+GO
+~~START~~
+name#!#regrole
+dbowner__f2_renamed#!#dbowner__main_db_dbowner__u2
+dbowner__p2_renamed#!#dbowner__main_db_dbowner__u2
+dbowner__trg2#!#dbowner__main_db_dbowner__u2
+~~END~~
+
+
+-- Table owners should be dbowner__main_db_dbowner__u2
+SELECT
+ n.nspname AS schema,
+ c.relname AS table,
+ CASE c.relkind
+ WHEN 'r' THEN 'table'
+ WHEN 'v' THEN 'view'
+ WHEN 'm' THEN 'materialized view'
+ WHEN 'i' THEN 'index'
+ WHEN 'S' THEN 'sequence'
+ WHEN 's' THEN 'special'
+ WHEN 'f' THEN 'foreign table'
+ END AS type,
+ pg_catalog.pg_get_userbyid(c.relowner) AS owner
+FROM pg_catalog.pg_class c
+LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
+WHERE n.nspname = 'dbowner__main_db_dbowner__s2'
+AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f')
+ORDER BY n.nspname, c.relkind, c.relname;
+GO
+~~START~~
+name#!#name#!#text#!#name
+dbowner__main_db_dbowner__s2#!#dbowner__seq2_renamed#!#sequence#!#dbowner__main_db_dbowner__u2
+dbowner__main_db_dbowner__s2#!#dbowner__idx2dbowner__t29e647ba0aded42e8e308d42ed0d51945#!#index#!#dbowner__main_db_dbowner__u2
+dbowner__main_db_dbowner__s2#!#dbowner__t2_renamed#!#table#!#dbowner__main_db_dbowner__u2
+dbowner__main_db_dbowner__s2#!#dbowner__v2_renamed#!#view#!#dbowner__main_db_dbowner__u2
+~~END~~
+
+
+-- tsql user=dbowner__l1 password=123
+exec sp_rename 'dbowner__s2.dbowner__t2_renamed', 'dbowner__t2', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__t2.a_renamed', 'a', 'column'
+go
+exec sp_rename 'dbowner__s2.dbowner__typ2_renamed', 'dbowner__typ2', 'userdatatype'
+go
+exec sp_rename 'dbowner__s2.dbowner__p2_renamed', 'dbowner__p2', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__f2_renamed', 'dbowner__f2', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__v2_renamed', 'dbowner__v2', 'object'
+go
+exec sp_rename 'dbowner__s2.dbowner__seq2_renamed', 'dbowner__seq2', 'object'
+go
+
+-- CASE 3: Able to GRANT/REVOKE on SCHEMA/OBJECT
+grant select on schema::dbowner__s1 to dbowner__u2
+go
+grant insert on schema::dbowner__s2 to guest
+go
+grant update on schema::dbowner__s3 to dbowner__u2
+go
+grant delete on schema::dbo to dbowner__u2
+go
+grant select on object::dbo.dbowner__t0 to dbowner__u2
+go
+grant insert on object::dbowner__s1.dbowner__t1 to dbowner__u2
+go
+grant update on object::dbowner__s2.dbowner__t2 to dbowner__u1
+go
+grant delete on object::dbowner__s3.dbowner__t3 to dbowner__u2
+go
+grant execute on object::dbowner__s1.dbowner__f1 to dbowner__u1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~
+
+grant execute on object::dbowner__s3.dbowner__p3 to dbowner__u1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~
+
+
+-- psql
+select schema_name, object_name, permission, grantee, grantor from sys.babelfish_schema_permissions
+where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission, grantee, schema_name;
+GO
+~~START~~
+"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar"
+dbowner__s1#!#dbowner__t1#!#1#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1
+dbowner__s2#!#ALL#!#1#!#dbowner__main_db_guest#!#dbowner__main_db_dbowner__u2
+dbo#!#dbowner__t0#!#2#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbo
+dbowner__s1#!#ALL#!#2#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1
+dbowner__s2#!#dbowner__t2#!#4#!#dbowner__main_db_dbowner__u1#!#dbowner__main_db_dbowner__u2
+dbowner__s3#!#ALL#!#4#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1
+dbo#!#ALL#!#8#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbo
+dbowner__s3#!#dbowner__t3#!#8#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1
+~~END~~
+
+
+-- tsql user=dbowner__l1 password=123
+revoke select on schema::dbowner__s1 to dbowner__u2
+go
+revoke insert on schema::dbowner__s2 to guest
+go
+revoke update on schema::dbowner__s3 to dbowner__u2
+go
+revoke delete on schema::dbo to dbowner__u2
+go
+revoke select on object::dbo.dbowner__t0 to dbowner__u2
+go
+revoke insert on object::dbowner__s1.dbowner__t1 to dbowner__u2
+go
+revoke update on object::dbowner__s2.dbowner__t2 to dbowner__u1
+go
+revoke delete on object::dbowner__s3.dbowner__t3 to dbowner__u2
+go
+revoke execute on object::dbowner__s1.dbowner__f1 to dbowner__u1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot REVOKE privileges to the entity owner or the grantor themselves)~~
+
+revoke execute on object::dbowner__s3.dbowner__p3 to dbowner__u1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot REVOKE privileges to the entity owner or the grantor themselves)~~
+
+
+-- tsql
+-- Adding a member to db_owner role should not affect other user's privileges
+use dbowner__main_db
+go
+alter role db_owner drop member dbowner__u1
+go
+alter role db_owner drop member dbowner__u1 -- adding again should not throw error
+go
+grant select on schema::dbowner__s0 to dbowner__u2
+go
+alter role db_owner add member dbowner__u1
+go
+alter role db_owner add member dbowner__u1 -- dropping again should not throw error
+go
+grant execute on schema::dbowner__s0 to dbowner__u2
+go
+
+-- Check sp_helpuser
+CREATE TABLE #db_owner_roles(userName sys.SYSNAME, roleName sys.SYSNAME, loginName sys.SYSNAME NULL, defdb sys.SYSNAME NULL, defschema sys.SYSNAME, userid INT, sid sys.VARBINARY(85));
+go
+INSERT INTO #db_owner_roles EXEC sp_helpuser 'dbowner__u1';
+go
+~~ROW COUNT: 1~~
+
+SELECT userName, roleName FROM #db_owner_roles;
+go
+~~START~~
+varchar#!#varchar
+dbowner__u1#!#db_owner
+~~END~~
+
+DROP TABLE #db_owner_roles;
+go
+
+-- tsql user=dbowner__l2 password=123
+-- GRANT on dbowner__u2 should allow it to still access objects in schema
+use dbowner__main_db
+go
+select * from dbowner__s0.dbowner__t00
+go
+~~START~~
+float
+~~END~~
+
+select * from dbowner__s0.dbowner__v00
+go
+~~START~~
+int
+1
+~~END~~
+
+select dbowner__s0.dbowner__f00()
+go
+~~START~~
+int
+987
+~~END~~
+
+
+-- tsql
+revoke select on schema::dbowner__s0 to dbowner__u2
+go
+revoke execute on schema::dbowner__s0 to dbowner__u2
+go
+
+-- psql
+select schema_name, object_name, permission, grantee, grantor from sys.babelfish_schema_permissions
+where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission;
+GO
+~~START~~
+"sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar"
+~~END~~
+
+
+-- tsql user=dbowner__l1 password=123
+-- CASE 4: Able to ALTER ANY USER
+select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname
+go
+~~START~~
+varchar#!#varchar#!#nvarchar#!#nvarchar
+dbowner__main_db_dbowner__u1#!#dbowner__l1#!#dbo#!#English
+~~END~~
+
+alter user dbowner__u1 with default_schema = dbowner__s1
+go
+alter user dbowner__u2 with default_schema = dbo
+go
+alter user dbowner__u2 with login = dbowner__temp
+go
+alter user dbowner__u2 with name = new_dbowner__u2
+go
+select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname
+go
+~~START~~
+varchar#!#varchar#!#nvarchar#!#nvarchar
+dbowner__main_db_dbowner__u1#!#dbowner__l1#!#dbowner__s1#!#English
+dbowner__main_db_new_dbowner__u2#!#dbowner__temp#!#dbo#!#English
+~~END~~
+
+select sys.user_name(), sys.suser_name(), is_member('db_owner')
+go
+~~START~~
+nvarchar#!#nvarchar#!#int
+dbowner__u1#!#dbowner__l1#!#1
+~~END~~
+
+alter user new_dbowner__u2 with default_schema = dbo
+go
+alter user new_dbowner__u2 with login = dbowner__l2
+go
+alter user new_dbowner__u2 with name = dbowner__u2
+go
+alter user dbowner__u1 with login = dbowner__temp
+go
+select sys.user_name(), sys.suser_name(), is_member('db_owner')
+go
+~~START~~
+nvarchar#!#nvarchar#!#int
+guest#!#dbowner__l1#!#0
+~~END~~
+
+select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname
+go
+~~START~~
+varchar#!#varchar#!#nvarchar#!#nvarchar
+dbowner__main_db_dbowner__u1#!#dbowner__temp#!#dbowner__s1#!#English
+~~END~~
+
+alter user dbowner__u1 with login = dbowner__l1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Current user does not have privileges to change login)~~
+
+select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname
+go
+~~START~~
+varchar#!#varchar#!#nvarchar#!#nvarchar
+dbowner__main_db_dbowner__u1#!#dbowner__temp#!#dbowner__s1#!#English
+~~END~~
+
+select name from sys.database_principals order by name
+go
+~~START~~
+varchar
+db_accessadmin
+db_datareader
+db_datawriter
+db_ddladmin
+db_owner
+db_securityadmin
+dbo
+guest
+INFORMATION_SCHEMA
+public
+sys
+~~END~~
+
+
+-- tsql
+use dbowner__main_db
+go
+exec sp_droprolemember 'db_owner', 'dbowner__u1'
+go
+exec sp_droprolemember 'db_owner', 'dbowner__u1' -- dropping again should not throw error
+go
+
+-- Check name clash scenario
+create role dbowner__u1_bbfobj
+go
+exec sp_addrolemember 'db_owner', 'dbowner__u1'
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Internal role "dbowner__main_db_dbowner__u1_bbfobj" could not be created because a role already exists with the same name)~~
+
+drop role dbowner__u1_bbfobj
+go
+
+exec sp_addrolemember 'db_owner', 'dbowner__u1' -- adding again should not throw error
+go
+exec sp_addrolemember 'db_owner', 'dbowner__u1' -- adding again should not throw error
+go
+alter user dbowner__u1 with login = dbowner__l1
+go
+
+-- terminate-tsql-conn user=dbowner__l1 password=123
+
+-- tsql user=dbowner__l1 password=123
+use dbowner__main_db
+go
+select sys.user_name(), is_member('db_owner')
+go
+~~START~~
+nvarchar#!#int
+dbowner__u1#!#1
+~~END~~
+
+select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname
+go
+~~START~~
+varchar#!#varchar#!#nvarchar#!#nvarchar
+dbowner__main_db_dbowner__u1#!#dbowner__l1#!#dbowner__s1#!#English
+~~END~~
+
+select name from sys.database_principals order by name
+go
+~~START~~
+varchar
+db_accessadmin
+db_datareader
+db_datawriter
+db_ddladmin
+db_owner
+db_securityadmin
+dbo
+dbowner__r1
+dbowner__r2
+dbowner__u1
+dbowner__u2
+guest
+INFORMATION_SCHEMA
+public
+sys
+~~END~~
+
+
+-- tsql user=dbowner__l2 password=123
+use dbowner__main_db
+go
+select is_member('db_owner')
+go
+~~START~~
+int
+0
+~~END~~
+
+select * from dbo.dbowner__t0
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table dbowner__t0)~~
+
+select * from dbo.dbowner__v0
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for view dbowner__v0)~~
+
+select next value for dbo.dbowner__seq0;
+go
+~~START~~
+bigint
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for sequence dbowner__seq0)~~
+
+select dbo.dbowner__f0()
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for function dbowner__f0)~~
+
+exec dbo.dbowner__p0
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for procedure dbowner__p0)~~
+
+select * from dbowner__s1.dbowner__t1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table dbowner__t1)~~
+
+select * from dbowner__s1.dbowner__v1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for view dbowner__v1)~~
+
+select next value for dbowner__s1.dbowner__seq1;
+go
+~~START~~
+bigint
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for sequence dbowner__seq1)~~
+
+select dbowner__s1.dbowner__f1()
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for function dbowner__f1)~~
+
+exec dbowner__s1.dbowner__p1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for procedure dbowner__p1)~~
+
+select * from dbowner__s2.dbowner__t2
+go
+~~START~~
+int
+12
+22
+32
+~~END~~
+
+select * from dbowner__s2.dbowner__v2
+go
+~~START~~
+int
+1
+~~END~~
+
+select next value for dbowner__s2.dbowner__seq2;
+go
+~~START~~
+bigint
+8
+~~END~~
+
+select dbowner__s2.dbowner__f2()
+go
+~~START~~
+int
+12
+~~END~~
+
+exec dbowner__s2.dbowner__p2
+go
+~~START~~
+int
+22
+~~END~~
+
+select * from dbowner__s1.dbowner__t11
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table dbowner__t11)~~
+
+select * from dbowner__s3.dbowner__t3
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table dbowner__t3)~~
+
+select * from dbowner__s3.dbowner__v3
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for view dbowner__v3)~~
+
+select next value for dbowner__s3.dbowner__seq3;
+go
+~~START~~
+bigint
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for sequence dbowner__seq3)~~
+
+select dbowner__s3.dbowner__f3()
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for function dbowner__f3)~~
+
+exec dbowner__s3.dbowner__p3
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for procedure dbowner__p3)~~
+
+
+select name from sys.database_principals order by name
+go
+~~START~~
+varchar
+db_accessadmin
+db_datareader
+db_datawriter
+db_ddladmin
+db_owner
+db_securityadmin
+dbo
+dbowner__u2
+guest
+INFORMATION_SCHEMA
+public
+sys
+~~END~~
+
+
+-- psql
+-- Procedure/function owners should be dbowner__main_db_dbowner__u1_bbfobj
+SELECT proname,
+ proowner::regrole
+FROM pg_proc
+WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s1'
+OR pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s3'
+ORDER BY proname;
+GO
+~~START~~
+name#!#regrole
+dbowner__f1#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__f3#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__p1#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__p3#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__trg1#!#dbowner__main_db_dbowner__u1_bbfobj
+~~END~~
+
+
+-- Table owners should be dbowner__main_db_dbowner__u1_bbfobj
+SELECT
+ n.nspname AS schema,
+ c.relname AS table,
+ CASE c.relkind
+ WHEN 'r' THEN 'table'
+ WHEN 'v' THEN 'view'
+ WHEN 'm' THEN 'materialized view'
+ WHEN 'i' THEN 'index'
+ WHEN 'S' THEN 'sequence'
+ WHEN 's' THEN 'special'
+ WHEN 'f' THEN 'foreign table'
+ END AS type,
+ pg_catalog.pg_get_userbyid(c.relowner) AS owner
+FROM pg_catalog.pg_class c
+LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
+WHERE (n.nspname = 'dbowner__main_db_dbowner__s1' OR n.nspname = 'dbowner__main_db_dbowner__s3')
+AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f')
+ORDER BY n.nspname, c.relkind, c.relname;
+GO
+~~START~~
+name#!#name#!#text#!#name
+dbowner__main_db_dbowner__s1#!#dbowner__seq1#!#sequence#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__idx1dbowner__t1051d92a6c0688536803636483cfc1e78#!#index#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__t1#!#table#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__t11#!#table#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s1#!#dbowner__v1#!#view#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s3#!#dbowner__seq3#!#sequence#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s3#!#dbowner__t3#!#table#!#dbowner__main_db_dbowner__u1_bbfobj
+dbowner__main_db_dbowner__s3#!#dbowner__v3#!#view#!#dbowner__main_db_dbowner__u1_bbfobj
+~~END~~
+
+
+-- Schemas owner should be dbowner__main_db_dbowner__u1_bbfobj except for dbowner__main_db_dbowner__sch_u2 and dbowner__main_db_dbowner__sch_db_owner
+SELECT
+ r.rolname AS schema_owner,
+ ns.nspname
+FROM
+ pg_namespace ns
+JOIN
+ pg_roles r
+ON
+ ns.nspowner = r.oid
+WHERE
+ ns.nspname IN ('dbowner__main_db_dbowner__s1', 'dbowner__main_db_dbowner__s3', 'dbowner__main_db_dbowner__sch_u2', 'dbowner__main_db_dbowner__sch_db_owner')
+ORDER BY ns.nspname;
+GO
+~~START~~
+name#!#name
+dbowner__main_db_dbowner__u1_bbfobj#!#dbowner__main_db_dbowner__s1
+dbowner__main_db_dbowner__u1_bbfobj#!#dbowner__main_db_dbowner__s3
+dbowner__main_db_db_owner#!#dbowner__main_db_dbowner__sch_db_owner
+dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__sch_u2
+~~END~~
+
+
+-- tsql
+select * from dbo.dbowner__t0
+go
+~~START~~
+int
+10
+20
+30
+~~END~~
+
+select * from dbo.dbowner__v0
+go
+~~START~~
+int
+1
+~~END~~
+
+select next value for dbo.dbowner__seq0;
+go
+~~START~~
+bigint
+4
+~~END~~
+
+select dbo.dbowner__f0()
+go
+~~START~~
+int
+10
+~~END~~
+
+exec dbo.dbowner__p0
+go
+~~START~~
+int
+20
+~~END~~
+
+select * from dbowner__s1.dbowner__t1
+go
+~~START~~
+int
+11
+21
+31
+~~END~~
+
+select * from dbowner__s1.dbowner__v1
+go
+~~START~~
+int
+1
+~~END~~
+
+select next value for dbowner__s1.dbowner__seq1;
+go
+~~START~~
+bigint
+6
+~~END~~
+
+select dbowner__s1.dbowner__f1()
+go
+~~START~~
+int
+11
+~~END~~
+
+exec dbowner__s1.dbowner__p1
+go
+~~START~~
+int
+21
+~~END~~
+
+select * from dbowner__s2.dbowner__t2
+go
+~~START~~
+int
+12
+22
+32
+~~END~~
+
+select * from dbowner__s2.dbowner__v2
+go
+~~START~~
+int
+1
+~~END~~
+
+select next value for dbowner__s2.dbowner__seq2;
+go
+~~START~~
+bigint
+12
+~~END~~
+
+select dbowner__s2.dbowner__f2()
+go
+~~START~~
+int
+12
+~~END~~
+
+exec dbowner__s2.dbowner__p2
+go
+~~START~~
+int
+22
+~~END~~
+
+select * from dbowner__s1.dbowner__t11
+go
+~~START~~
+int
+~~END~~
+
+select * from dbowner__s3.dbowner__t3
+go
+~~START~~
+int
+~~END~~
+
+select * from dbowner__s3.dbowner__v3
+go
+~~START~~
+int
+230
+~~END~~
+
+select next value for dbowner__s3.dbowner__seq3;
+go
+~~START~~
+bigint
+5
+~~END~~
+
+select dbowner__s3.dbowner__f3()
+go
+~~START~~
+int
+13
+~~END~~
+
+exec dbowner__s3.dbowner__p3
+go
+~~START~~
+int
+23
+~~END~~
+
+create schema dbowner__sch_u1 authorization dbowner__u1
+go
+
+-- Schema owners should be dbowner__main_db_dbowner__u1_bbfobj
+SELECT
+ r.rolname AS schema_owner,
+ ns.nspname
+FROM
+ pg_namespace ns
+JOIN
+ pg_roles r
+ON
+ ns.nspowner = r.oid
+WHERE
+ ns.nspname = 'dbowner__main_db_dbowner__sch_u1'
+ORDER BY ns.nspname;
+GO
+~~START~~
+varchar#!#varchar
+dbowner__main_db_dbowner__u1_bbfobj#!#dbowner__main_db_dbowner__sch_u1
+~~END~~
+
+
+select name from sys.database_principals order by name
+go
+~~START~~
+varchar
+db_accessadmin
+db_datareader
+db_datawriter
+db_ddladmin
+db_owner
+db_securityadmin
+dbo
+dbowner__r1
+dbowner__r2
+dbowner__u1
+dbowner__u2
+guest
+INFORMATION_SCHEMA
+public
+sys
+~~END~~
+
+
+-- CASE 5: If removed from db_owner, user should lose access to objects in schemas except the ones it owns
+alter role db_owner drop member dbowner__u1
+go
+
+-- psql
+-- Before anything, let's check if internal role linking/delinking got reverted as expected
+SELECT rolname FROM pg_roles WHERE rolname = 'dbowner__main_db_dbowner__u1_bbfobj'; -- "_bbfobj" role should not exist
+go
+~~START~~
+name
+~~END~~
+
+
+
+SELECT r.rolname AS parent_role
+FROM pg_auth_members m
+JOIN pg_roles r ON (m.roleid = r.oid)
+JOIN pg_roles mr ON (m.member = mr.oid)
+WHERE mr.rolname = 'dbowner__main_db_dbowner__u1'
+ORDER BY r.rolname;
+go
+~~START~~
+name
+~~END~~
+
+
+SELECT r.rolname AS parent_role
+FROM pg_auth_members m
+JOIN pg_roles r ON (m.roleid = r.oid)
+JOIN pg_roles mr ON (m.member = mr.oid)
+WHERE mr.rolname = 'dbowner__main_db_db_owner'
+ORDER BY r.rolname;
+go
+~~START~~
+name
+dbowner__main_db_db_accessadmin
+dbowner__main_db_db_datareader
+dbowner__main_db_db_datawriter
+dbowner__main_db_db_ddladmin
+dbowner__main_db_db_securityadmin
+dbowner__main_db_dbowner__r1
+dbowner__main_db_dbowner__r2
+dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__u2
+dbowner__main_db_guest
+~~END~~
+
+
+SELECT r.rolname AS parent_role
+FROM pg_auth_members m
+JOIN pg_roles r ON (m.roleid = r.oid)
+JOIN pg_roles mr ON (m.member = mr.oid)
+WHERE mr.rolname = 'dbowner__main_db_dbo'
+ORDER BY r.rolname;
+go
+~~START~~
+name
+dbowner__main_db_db_owner
+~~END~~
+
+
+-- tsql user=dbowner__l1 password=123
+select is_member('db_owner')
+go
+~~START~~
+int
+0
+~~END~~
+
+select * from dbo.dbowner__t0
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table dbowner__t0)~~
+
+select * from dbo.dbowner__v0
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for view dbowner__v0)~~
+
+select next value for dbo.dbowner__seq0;
+go
+~~START~~
+bigint
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for sequence dbowner__seq0)~~
+
+select dbo.dbowner__f0()
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for function dbowner__f0)~~
+
+exec dbo.dbowner__p0
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for procedure dbowner__p0)~~
+
+select * from dbowner__s1.dbowner__t1
+go
+~~START~~
+int
+11
+21
+31
+~~END~~
+
+select * from dbowner__s1.dbowner__v1
+go
+~~START~~
+int
+1
+~~END~~
+
+select next value for dbowner__s1.dbowner__seq1;
+go
+~~START~~
+bigint
+9
+~~END~~
+
+select dbowner__s1.dbowner__f1()
+go
+~~START~~
+int
+11
+~~END~~
+
+exec dbowner__s1.dbowner__p1
+go
+~~START~~
+int
+21
+~~END~~
+
+select * from dbowner__s2.dbowner__t2
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table dbowner__t2)~~
+
+select * from dbowner__s2.dbowner__v2
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for view dbowner__v2)~~
+
+select next value for dbowner__s2.dbowner__seq2;
+go
+~~START~~
+bigint
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for sequence dbowner__seq2)~~
+
+select dbowner__s2.dbowner__f2()
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for function dbowner__f2)~~
+
+exec dbowner__s2.dbowner__p2
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for procedure dbowner__p2)~~
+
+select * from dbowner__s1.dbowner__t11
+go
+~~START~~
+int
+~~END~~
+
+select * from dbowner__s3.dbowner__t3
+go
+~~START~~
+int
+~~END~~
+
+select * from dbowner__s3.dbowner__v3
+go
+~~START~~
+int
+230
+~~END~~
+
+select next value for dbowner__s3.dbowner__seq3;
+go
+~~START~~
+bigint
+10
+~~END~~
+
+select dbowner__s3.dbowner__f3()
+go
+~~START~~
+int
+13
+~~END~~
+
+exec dbowner__s3.dbowner__p3
+go
+~~START~~
+int
+23
+~~END~~
+
+
+-- CASE 6: If removed from db_owner, user should lose access to create objects in schemas except the ones it owns
+alter table dbo.dbowner__t0 add c int
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: must be owner of table dbowner__t0)~~
+
+alter function dbo.dbowner__f0() returns int as begin return 1345 end
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for schema dbowner__main_db_dbo)~~
+
+alter procedure dbo.dbowner__p0 as select 2345
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for schema dbowner__main_db_dbo)~~
+
+create role dbowner__r3
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: User does not have permission to perform this action.)~~
+
+create role dbowner__r4
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: User does not have permission to perform this action.)~~
+
+create user dbowner__temp for login dbowner__temp
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: User does not have permission to perform this action.)~~
+
+alter role dbowner__r1 add member dbowner__u2
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Current login dbowner__l1 does not have permission to alter role dbowner__main_db_dbowner__r1)~~
+
+drop user dbowner__u2
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot drop the user 'dbowner__u2', because it does not exist or you do not have permission.)~~
+
+drop role dbowner__r1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot drop the role 'dbowner__r1', because it does not exist or you do not have permission.)~~
+
+drop role dbowner__r2
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot drop the role 'dbowner__r2', because it does not exist or you do not have permission.)~~
+
+
+-- psql
+-- Procedure/function owners should be dbowner__main_db_dbowner__u1
+SELECT proname,
+ proowner::regrole
+FROM pg_proc
+WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s1'
+OR pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s3'
+ORDER BY proname;
+GO
+~~START~~
+name#!#regrole
+dbowner__f1#!#dbowner__main_db_dbowner__u1
+dbowner__f3#!#dbowner__main_db_dbowner__u1
+dbowner__p1#!#dbowner__main_db_dbowner__u1
+dbowner__p3#!#dbowner__main_db_dbowner__u1
+dbowner__trg1#!#dbowner__main_db_dbowner__u1
+~~END~~
+
+
+-- Table owners should be dbowner__main_db_dbowner__u1
+SELECT
+ n.nspname AS schema,
+ c.relname AS table,
+ CASE c.relkind
+ WHEN 'r' THEN 'table'
+ WHEN 'v' THEN 'view'
+ WHEN 'm' THEN 'materialized view'
+ WHEN 'i' THEN 'index'
+ WHEN 'S' THEN 'sequence'
+ WHEN 's' THEN 'special'
+ WHEN 'f' THEN 'foreign table'
+ END AS type,
+ pg_catalog.pg_get_userbyid(c.relowner) AS owner
+FROM pg_catalog.pg_class c
+LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
+WHERE (n.nspname = 'dbowner__main_db_dbowner__s1' OR n.nspname = 'dbowner__main_db_dbowner__s3')
+AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f')
+ORDER BY n.nspname, c.relkind, c.relname;
+GO
+~~START~~
+name#!#name#!#text#!#name
+dbowner__main_db_dbowner__s1#!#dbowner__seq1#!#sequence#!#dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__s1#!#dbowner__idx1dbowner__t1051d92a6c0688536803636483cfc1e78#!#index#!#dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__s1#!#dbowner__t1#!#table#!#dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__s1#!#dbowner__t11#!#table#!#dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__s1#!#dbowner__v1#!#view#!#dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__s3#!#dbowner__seq3#!#sequence#!#dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__s3#!#dbowner__t3#!#table#!#dbowner__main_db_dbowner__u1
+dbowner__main_db_dbowner__s3#!#dbowner__v3#!#view#!#dbowner__main_db_dbowner__u1
+~~END~~
+
+
+-- Schema owners should be dbowner__main_db_dbowner__u1
+SELECT
+ r.rolname AS schema_owner,
+ ns.nspname
+FROM
+ pg_namespace ns
+JOIN
+ pg_roles r
+ON
+ ns.nspowner = r.oid
+WHERE
+ ns.nspname IN ('dbowner__main_db_dbowner__s1', 'dbowner__main_db_dbowner__s3', 'dbowner__main_db_dbowner__sch_u1', 'dbowner__main_db_dbowner__sch_u2', 'dbowner__main_db_dbowner__sch_db_owner')
+ORDER BY ns.nspname;
+GO
+~~START~~
+name#!#name
+dbowner__main_db_dbowner__u1#!#dbowner__main_db_dbowner__s1
+dbowner__main_db_dbowner__u1#!#dbowner__main_db_dbowner__s3
+dbowner__main_db_db_owner#!#dbowner__main_db_dbowner__sch_db_owner
+dbowner__main_db_dbowner__u1#!#dbowner__main_db_dbowner__sch_u1
+dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__sch_u2
+~~END~~
+
+
+-- tsql
+alter role db_owner add member dbowner__u1
+go
+
+-- psql
+-- Need to terminate active session before cleaning up the login
+SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL)
+WHERE sys.suser_name(usesysid) = 'dbowner__l2' AND backend_type = 'client backend' AND usesysid IS NOT NULL;
+GO
+~~START~~
+bool
+t
+~~END~~
+
+-- Wait to sync with another session
+SELECT pg_sleep(1);
+GO
+~~START~~
+void
+
+~~END~~
+
+
+-- tsql user=dbowner__l1 password=123
+select is_member('db_owner')
+go
+~~START~~
+int
+1
+~~END~~
+
+
+-- CASE 6: User member of db_owner should be able to drop all objects in its database
+create role dbowner__r3
+go
+create role dbowner__r4
+go
+create user dbowner__temp for login dbowner__temp
+go
+alter role dbowner__r1 add member dbowner__temp
+go
+alter role dbowner__r3 add member dbowner__temp
+go
+alter role dbowner__r3 add member dbowner__r1
+go
+alter role dbowner__r4 add member dbowner__r2
+go
+drop user dbowner__temp
+go
+drop role dbowner__r1
+go
+drop role dbowner__r2
+go
+drop role dbowner__r3
+go
+drop role dbowner__r4
+go
+
+drop index dbowner__idx0 on dbo.dbowner__t0
+go
+drop table dbo.dbowner__t0
+go
+drop function dbo.dbowner__f0
+go
+drop procedure dbo.dbowner__p0
+go
+drop type dbo.dbowner__typ0
+go
+drop view dbo.dbowner__v0
+go
+drop sequence dbo.dbowner__seq0
+go
+drop index dbowner__idx1 on dbowner__s1.dbowner__t1
+go
+drop table dbowner__s1.dbowner__t1
+go
+drop function dbowner__s1.dbowner__f1
+go
+drop procedure dbowner__s1.dbowner__p1
+go
+drop table dbowner__s1.dbowner__t11
+go
+drop type dbowner__s1.dbowner__typ1
+go
+drop view dbowner__s1.dbowner__v1
+go
+drop sequence dbowner__s1.dbowner__seq1
+go
+drop index dbowner__idx2 on dbowner__s2.dbowner__t2
+go
+drop table dbowner__s2.dbowner__t2
+go
+drop function dbowner__s2.dbowner__f2
+go
+drop procedure dbowner__s2.dbowner__p2
+go
+drop type dbowner__s2.dbowner__typ2
+go
+drop view dbowner__s2.dbowner__v2
+go
+drop sequence dbowner__s2.dbowner__seq2
+go
+drop table dbowner__s3.dbowner__t3
+go
+drop function dbowner__s3.dbowner__f3
+go
+drop procedure dbowner__s3.dbowner__p3
+go
+drop type dbowner__s3.dbowner__typ3
+go
+drop view dbowner__s3.dbowner__v3
+go
+drop sequence dbowner__s3.dbowner__seq3
+go
+drop index dbowner__idx00 on dbowner__s0.dbowner__t00
+go
+drop table dbowner__s0.dbowner__t00
+go
+drop function dbowner__s0.dbowner__f00
+go
+drop type dbowner__s0.dbowner__typ00
+go
+drop view dbowner__s0.dbowner__v00
+go
+drop sequence dbowner__s0.dbowner__seq00
+go
+drop schema dbowner__s0
+go
+drop schema dbowner__s1
+go
+drop schema dbowner__s2
+go
+drop schema dbowner__s3
+go
+drop schema dbowner__sch_u1
+go
+drop schema dbowner__sch_u2
+go
+drop schema dbowner__sch_db_owner
+go
+drop user dbowner__u2
+go
+
+-- tsql
+alter role db_owner drop member dbowner__u1
+go
+
+-- tsql user=dbowner__l1 password=123
+select is_member('db_owner')
+go
+~~START~~
+int
+0
+~~END~~
+
+
+-- tsql
+-- CASE 7: Check if db_owner can drop the database
+create database dbowner__test_db
+go
+use dbowner__test_db
+go
+create user dbowner__test_db_dbowner__u1 for login dbowner__l1
+go
+alter role db_owner add member dbowner__test_db_dbowner__u1
+go
+use dbowner__main_db
+go
+
+-- tsql user=dbowner__l1 password=123
+select sys.user_name()
+go
+~~START~~
+nvarchar
+dbowner__u1
+~~END~~
+
+select is_member('db_owner')
+go
+~~START~~
+int
+0
+~~END~~
+
+drop database dbowner__test_db
+go
+
+-- tsql
+-- CASE 8: Check if there can be multiple db_owners
+create database dbowner__test_db
+go
+use dbowner__test_db
+go
+create user dbowner__test_db_dbowner__u1 for login dbowner__l1
+go
+alter role db_owner add member dbowner__test_db_dbowner__u1
+go
+
+-- tsql user=dbowner__l1 password=123
+-- CASE 9: Should be able to add other users to db_owner role as a member of db_owner
+use dbowner__test_db
+go
+select is_member('db_owner')
+go
+~~START~~
+int
+1
+~~END~~
+
+create user dbowner__test_db_dbowner__u2 for login dbowner__l2
+go
+alter role db_owner add member dbowner__test_db_dbowner__u2
+go
+select is_rolemember('db_owner', 'dbowner__test_db_dbowner__u1'), is_rolemember('db_owner', 'dbowner__test_db_dbowner__u2')
+go
+~~START~~
+int#!#int
+1#!#1
+~~END~~
+
+
+-- CASE 10: Should be able to drop other users from db_owner role as a member of db_owner, including itself
+alter role db_owner drop member dbowner__test_db_dbowner__u2
+go
+alter role db_owner drop member dbowner__test_db_dbowner__u1
+go
+
+-- tsql
+alter role db_owner add member dbowner__test_db_dbowner__u1
+go
+alter role db_owner add member dbowner__test_db_dbowner__u2
+go
+
+-- psql
+-- Need to terminate active session before cleaning up the login
+SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL)
+WHERE sys.suser_name(usesysid) = 'dbowner__l1' AND backend_type = 'client backend' AND usesysid IS NOT NULL;
+GO
+~~START~~
+bool
+t
+~~END~~
+
+-- Wait to sync with another session
+SELECT pg_sleep(1);
+GO
+~~START~~
+void
+
+~~END~~
+
+
+
+-- psql
+-- Check if dropping user, also drops the linked "_bbfobj" role
+select rolname from pg_authid where rolname like 'dbowner__test_db_%' order by rolname;
+go
+~~START~~
+name
+dbowner__test_db_db_accessadmin
+dbowner__test_db_db_datareader
+dbowner__test_db_db_datawriter
+dbowner__test_db_db_ddladmin
+dbowner__test_db_db_owner
+dbowner__test_db_db_securityadmin
+dbowner__test_db_dbo
+dbowner__test_db_dbowner__test_db_dbowner__u1
+dbowner__test_db_dbowner__test_db_dbowner__u1_bbfobj
+dbowner__test_db_dbowner__test_db_dbowner__u2
+dbowner__test_db_dbowner__test_db_dbowner__u2_bbfobj
+dbowner__test_db_guest
+~~END~~
+
+
+-- tsql
+use dbowner__test_db
+go
+drop user dbowner__test_db_dbowner__u1
+go
+drop user dbowner__test_db_dbowner__u2
+go
+use dbowner__main_db
+go
+
+-- psql
+select rolname from pg_authid where rolname like 
'dbowner__test_db_%' order by rolname; +go +~~START~~ +name +dbowner__test_db_db_accessadmin +dbowner__test_db_db_datareader +dbowner__test_db_db_datawriter +dbowner__test_db_db_ddladmin +dbowner__test_db_db_owner +dbowner__test_db_db_securityadmin +dbowner__test_db_dbo +dbowner__test_db_guest +~~END~~ + + +-- tsql +-- CASE 11: Check if long database names and long user names work with db_owner role +create database dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename -- 70 characters +go +use dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename +go +create user dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername for login dbowner__temp -- 66 characters +go +alter role db_owner add member dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername +go + +-- tsql user=dbowner__temp password=123 +use dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename +go +select is_member('db_owner') +go +~~START~~ +int +1 +~~END~~ + +create schema db_owner_temp_schema +go +create table dbo.temp_tab (a int) +go +create table db_owner_temp_schema.temp_tab (a int) +go +insert into dbo.temp_tab values (1), (2), (34567) +go +~~ROW COUNT: 3~~ + +insert into db_owner_temp_schema.temp_tab values (1), (2), (34567) +go +~~ROW COUNT: 3~~ + +select * from dbo.temp_tab +go +~~START~~ +int +1 +2 +34567 +~~END~~ + +select * from db_owner_temp_schema.temp_tab +go +~~START~~ +int +1 +2 +34567 +~~END~~ + +drop table db_owner_temp_schema.temp_tab +go +drop table dbo.temp_tab +go +drop schema db_owner_temp_schema +go +alter role db_owner drop member dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername +go +select is_member('db_owner') +go +~~START~~ +int +0 +~~END~~ + +use master +go + +-- tsql +drop user dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername +go +use master +go +drop database dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename +go + +-- Check for windows login +exec 
sys.babelfish_add_domain_mapping_entry 'dbownerdomain', 'dbownerdomain.babel'; +go +create login [dbownerdomain\abc] from windows +go +create user [dbownerdomain\abc] +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +~~START~~ +int +0 +~~END~~ + +alter role db_owner add member [dbownerdomain\abc] +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +~~START~~ +int +1 +~~END~~ + +alter role db_owner drop member [dbownerdomain\abc] +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +~~START~~ +int +0 +~~END~~ + +exec sp_addrolemember 'db_owner', 'dbownerdomain\abc' +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +~~START~~ +int +1 +~~END~~ + +exec sp_droprolemember 'db_owner', 'dbownerdomain\abc' +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +~~START~~ +int +0 +~~END~~ + +drop user [dbownerdomain\abc] +go +drop login [dbownerdomain\abc] +go +exec sys.babelfish_remove_domain_mapping_entry 'dbownerdomain' +go diff --git a/test/JDBC/expected/db_owner-vu-verify.out b/test/JDBC/expected/db_owner-vu-verify.out index 2be22068414..006117569f7 100644 --- a/test/JDBC/expected/db_owner-vu-verify.out +++ b/test/JDBC/expected/db_owner-vu-verify.out 
@@ -624,25 +624,34 @@ grant delete on object::dbowner__s3.dbowner__t3 to dbowner__u2 go grant execute on object::dbowner__s1.dbowner__f1 to dbowner__u1 go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ + grant execute on object::dbowner__s3.dbowner__p3 to dbowner__u1 go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ + -- psql select schema_name, object_name, permission, grantee, grantor from sys.babelfish_schema_permissions -where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission; +where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission, grantee, schema_name; GO ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -dbowner__s1#!#dbowner__t1#!#1#!#dbowner__main_db_dbowner__u2#!# -dbowner__s2#!#ALL#!#1#!#dbowner__main_db_guest#!# -dbowner__s1#!#ALL#!#2#!#dbowner__main_db_dbowner__u2#!# -dbo#!#dbowner__t0#!#2#!#dbowner__main_db_dbowner__u2#!# -dbowner__s3#!#ALL#!#4#!#dbowner__main_db_dbowner__u2#!# -dbowner__s2#!#dbowner__t2#!#4#!#dbowner__main_db_dbowner__u1#!# -dbowner__s3#!#dbowner__t3#!#8#!#dbowner__main_db_dbowner__u2#!# -dbo#!#ALL#!#8#!#dbowner__main_db_dbowner__u2#!# -dbowner__s3#!#dbowner__p3#!#128#!#dbowner__main_db_dbowner__u1#!# -dbowner__s1#!#dbowner__f1#!#128#!#dbowner__main_db_dbowner__u1#!# +dbowner__s1#!#dbowner__t1#!#1#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1 +dbowner__s2#!#ALL#!#1#!#dbowner__main_db_guest#!#dbowner__main_db_dbowner__u2 +dbo#!#dbowner__t0#!#2#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbo +dbowner__s1#!#ALL#!#2#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1 +dbowner__s2#!#dbowner__t2#!#4#!#dbowner__main_db_dbowner__u1#!#dbowner__main_db_dbowner__u2 
+dbowner__s3#!#ALL#!#4#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1 +dbo#!#ALL#!#8#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbo +dbowner__s3#!#dbowner__t3#!#8#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbowner__u1 +ALL#!#ALL#!#2048#!#dbowner__main_db_dbowner__u1#!#dbowner__main_db_dbo +ALL#!#ALL#!#2048#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbo +ALL#!#ALL#!#2048#!#dbowner__main_db_guest#!#dbowner__main_db_dbo ~~END~~ @@ -665,8 +674,16 @@ revoke delete on object::dbowner__s3.dbowner__t3 to dbowner__u2 go revoke execute on object::dbowner__s1.dbowner__f1 to dbowner__u1 go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot REVOKE privileges to the entity owner or the grantor themselves)~~ + revoke execute on object::dbowner__s3.dbowner__p3 to dbowner__u1 go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot REVOKE privileges to the entity owner or the grantor themselves)~~ + -- tsql -- Adding a member to db_owner role should not affect other user's privileges @@ -739,6 +756,9 @@ where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbo GO ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" +ALL#!#ALL#!#2048#!#dbowner__main_db_guest#!#dbowner__main_db_dbo +ALL#!#ALL#!#2048#!#dbowner__main_db_dbowner__u1#!#dbowner__main_db_dbo +ALL#!#ALL#!#2048#!#dbowner__main_db_dbowner__u2#!#dbowner__main_db_dbo ~~END~~ diff --git a/test/JDBC/expected/single_db/GRANT_SCHEMA.out b/test/JDBC/expected/single_db/GRANT_SCHEMA.out index 16d4c4b5d08..6c491fd0f53 100644 --- a/test/JDBC/expected/single_db/GRANT_SCHEMA.out +++ b/test/JDBC/expected/single_db/GRANT_SCHEMA.out 
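Review bot: The two EXECUTE grants kept as context in this hunk, `grant execute on object::dbowner__s1.dbowner__f1 to dbowner__u1` and `grant execute on object::dbowner__s3.dbowner__p3 to dbowner__u1`, now fail with the new owner/grantor check (the object listing earlier in this diff shows u1 as owner of s1, s3 and their objects), and with them the two `128` rows drop out of the expected catalog dump, so this file no longer exercises an EXECUTE grant on a function or procedure at all; the matching revokes in the next hunk fail the same way. Rather than pinning the error, grant to the non-owner, e.g. `grant execute on object::dbowner__s1.dbowner__f1 to dbowner__u2` (and likewise for p3), so the `128` rows return — presumably with grantor `dbowner__main_db_dbowner__u1`, as the other s1 rows here show — and the revoke path stays covered. The new `order by permission, grantee, schema_name` is also not a total order, since rows in the same schema with the same permission and grantee but different objects can come back in either order; `order by permission, grantee, schema_name, object_name` would make the expectation stable.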
@@ -540,11 +540,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; -- and obje go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ @@ -567,11 +567,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ 
@@ -763,11 +763,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ @@ -792,11 +792,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ 
@@ -1658,11 +1658,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; -- and obje go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ @@ -1685,11 +1685,11 @@ where schema_name = 'babel_4344_s1' collate "C" order by permission; go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ 
@@ -1881,11 +1881,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_v1#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ @@ -1910,11 +1910,11 @@ select schema_name, object_name, permission, grantee, grantor from sys.babelfish go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!# -babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!# +babel_4344_s1#!#ALL#!#131#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_f1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_p1_new#!#128#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_t1_new#!#47#!#babel_4344_d1_babel_4344_u1#!#dbo +babel_4344_s1#!#babel_4344_v1_new#!#2#!#babel_4344_d1_babel_4344_u1#!#dbo ~~END~~ 
@@ -2690,7 +2690,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -2700,12 +2702,8 @@ go update s1.t1 set a = 2 where a = 1; go -~~ROW COUNT: 1~~ - delete from s1.t1 where a = 2; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -2809,7 +2807,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -2819,12 +2819,8 @@ go update s1.t1 set a = 2 where a = 1; go -~~ROW COUNT: 1~~ - delete from s1.t1 where a = 2; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -3037,9 +3033,9 @@ u1 select * from s1.t1; go -~~START~~ -int -~~END~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table t1)~~ insert into s1.t1 values (1); go @@ -3233,9 +3229,9 @@ u1 select * from s1.t1; go -~~START~~ -int -~~END~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table t1)~~ insert into s1.t1 values (1); go @@ -3445,7 +3441,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3461,8 +3459,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -3577,7 +3573,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3593,8 +3591,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ 
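Review bot: The statement after `insert successful` in this hunk now yields `Cannot GRANT privileges to the entity owner or the grantor themselves` where it used to yield `ROW COUNT: 1`, and the `ROW COUNT: 1` lines for the following `update s1.t1 set a = 2 where a = 1` and `delete from s1.t1 where a = 2` were simply deleted (presumably they now affect no rows), so the grant-then-DML scenario this block was written for is no longer verified; the same cascade repeats in the later hunks of this file, and at -3037/-3233 `select * from s1.t1` flips from an empty result set to `permission denied for table t1`. The batch that issues the grant starts outside this hunk, so I am inferring from the error text that the grantee is the object owner or the grantor itself; if so the input should grant to a different principal (or issue the grant as dbo) so the later insert/update/delete keep reporting `ROW COUNT: 1` and the select keeps succeeding. Separately, `permission denied for table t1` is PostgreSQL's native wording while the other errors pinned in this file are Babelfish-specific messages; worth confirming that passing it through unchanged is intended before freezing it in the expectation.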
@@ -3712,7 +3708,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3728,8 +3726,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -3859,7 +3855,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -3875,8 +3873,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -3986,7 +3982,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -4002,8 +4000,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -4115,7 +4111,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -4131,8 +4129,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ @@ -4251,7 +4247,9 @@ varchar insert successful ~~END~~ -~~ROW COUNT: 1~~ +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot GRANT privileges to the entity owner or the grantor themselves)~~ insert into s1.t1 (a) values (next value for s1.sq1); go @@ -4267,8 +4265,6 @@ go delete from s1.t1 where a = 1; go -~~ROW COUNT: 1~~ - select * from s1.v1; go ~~START~~ 
@@ -6645,8 +6641,8 @@ where object_name = 'GRANT_SCHEMA_t1' collate sys.database_default; go ~~START~~ "sys"."varchar"#!#"sys"."varchar"#!#int4#!#"sys"."varchar"#!#"sys"."varchar" -dbo#!#grant_schema_t1#!#128#!#master_guest#!# -dbo#!#grant_schema_t1#!#2#!#master_guest#!# +dbo#!#grant_schema_t1#!#128#!#master_guest#!#master_dbo +dbo#!#grant_schema_t1#!#2#!#master_guest#!#master_dbo ~~END~~ diff --git a/test/JDBC/expected/single_db/db_accessadmin-vu-verify.out b/test/JDBC/expected/single_db/db_accessadmin-vu-verify.out index 1d6984ce2c3..4a2a31c5626 100644 --- a/test/JDBC/expected/single_db/db_accessadmin-vu-verify.out +++ b/test/JDBC/expected/single_db/db_accessadmin-vu-verify.out @@ -101,25 +101,25 @@ GO ~~ERROR (Message: Cannot use the special principal 'db_accessadmin')~~ -- Cannot GRANT/REVOKE on objects TO/FROM db_accessadmin -GRANT ALL on object::t1 to db_accessadmin; -- Error, no grant on special roles +GRANT ALL on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ -REVOKE ALL on object::t1 to db_accessadmin; -- Error, no grant on special roles +REVOKE ALL on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ -GRANT SELECT on object::t1 to db_accessadmin; -- Error, no grant on special roles +GRANT SELECT on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ -REVOKE EXECUTE on object::t1 to db_accessadmin; -- Error, no grant on special roles +REVOKE EXECUTE on object::babel_5136_f1 to db_accessadmin; -- Error, no grant on special roles go ~~ERROR (Code: 33557097)~~ 
diff --git a/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-cleanup.mix b/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-cleanup.mix
new file mode 100644
index 00000000000..b94f2444ead
--- /dev/null
+++ b/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-cleanup.mix
@@ -0,0 +1,97 @@
+-- tsql
+-- Cleanup
+
+drop table babel_4768_t1_new
+go
+
+drop table babel_4768_s1.babel_4768_t1_new
+go
+
+drop view babel_4768_v1_new
+go
+
+drop view babel_4768_s1.babel_4768_v1_new
+go
+
+drop proc babel_4768_p1_new
+go
+
+drop proc babel_4768_s1.babel_4768_p1_new
+go
+
+drop proc babel_4768_p2_new
+go
+
+drop proc babel_4768_s1.babel_4768_p2_new
+go
+
+drop FUNCTION babel_4768_f1_new
+go
+
+drop FUNCTION babel_4768_s1.babel_4768_f1_new
+go
+
+drop FUNCTION babel_4768_f2_new
+go
+
+drop FUNCTION babel_4768_s1.babel_4768_f2_new
+go
+
+drop schema babel_4768_s1;
+go
+
+drop table babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1
+go
+
+drop schema babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+go
+
+DROP TABLE babel_4768_s2.t1
+go
+
+DROP VIEW babel_4768_s2.v1
+go
+
+DROP PROC babel_4768_s2.p1
+go
+
+DROP SCHEMA babel_4768_s2
+GO
+
+DROP TABLE babel_4768ログイαιώνια.t1
+go
+
+
+DROP TABLE "babel_4768 😎$chem@ #123 🌍rder".t1
+go
+
+DROP TABLE [babel_4768유니코드스키마👻].t1
+go
+
+DROP SCHEMA babel_4768ログイαιώνια
+GO
+
+DROP SCHEMA [babel_4768 😎$chem@ #123 🌍rder]
+GO
+
+DROP SCHEMA [babel_4768유니코드스키마👻]
+GO
+
+
+
+drop user babel_4768_u1;
+go
+
+-- psql
+-- Need to terminate active session before cleaning up the login
+SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL)
+WHERE sys.suser_name(usesysid) = 'babel_4768_l1' AND backend_type = 'client backend' AND usesysid IS NOT NULL;
+go
+
+-- Wait to sync with another session
+SELECT pg_sleep(1);
+go
+
+-- tsql
+drop login babel_4768_l1;
+go
diff --git a/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-prepare.mix b/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-prepare.mix
new file mode 100644
index 00000000000..0208ca95f9a
--- /dev/null
+++ b/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-prepare.mix
@@ -0,0 +1,164 @@
+-- tsql
+create schema babel_4768_s1
+go
+
+create login babel_4768_l1 with password = '12345678'
+go
+
+create user babel_4768_u1 for login babel_4768_l1
+go
+
+create table babel_4768_t1(a int, b int);
+go
+
+create table babel_4768_s1.babel_4768_t1(a int, b int);
+go
+
+create view babel_4768_v1 as select 1;
+go
+
+create view babel_4768_s1.babel_4768_v1 as select 2;
+go
+
+create proc babel_4768_p1 as select 1;
+go
+
+create proc babel_4768_s1.babel_4768_p1 as select 1;
+go
+
+create proc babel_4768_p2 @l datetimeoffset(2) as select 1;
+go
+
+create proc babel_4768_s1.babel_4768_p2 @l datetimeoffset(2) as select 1;
+go
+
+CREATE FUNCTION babel_4768_f1() returns int begin declare @a int; set @a = 1; return @a; end
+go
+
+CREATE FUNCTION babel_4768_s1.babel_4768_f1() returns int begin declare @a int; set @a = 1; return @a; end
+go
+
+CREATE FUNCTION babel_4768_f2(@l int) returns int begin declare @a int; set @a = 1; return @a; end
+go
+
+CREATE FUNCTION babel_4768_s1.babel_4768_f2(@l int) returns int begin declare @a int; set @a = 1; return @a; end
+go
+
+-- tsql
+-- GRANT individual object access to babel_4768_u1
+GRANT SELECT ON dbo.babel_4768_t1 TO babel_4768_u1
+go
+
+GRANT SELECT ON babel_4768_s1.babel_4768_t1 TO babel_4768_u1
+go
+
+GRANT SELECT ON dbo.babel_4768_v1 TO babel_4768_u1
+go
+
+GRANT SELECT ON babel_4768_s1.babel_4768_v1 TO babel_4768_u1
+go
+
+GRANT EXECUTE ON dbo.babel_4768_p1 TO babel_4768_u1
+GO
+
+GRANT EXECUTE ON babel_4768_s1.babel_4768_p1 TO babel_4768_u1
+GO
+
+GRANT EXECUTE ON dbo.babel_4768_p2 TO babel_4768_u1
+GO
+
+GRANT EXECUTE ON babel_4768_s1.babel_4768_p2 TO babel_4768_u1
+GO
+
+GRANT EXECUTE ON dbo.babel_4768_f1 TO babel_4768_u1
+GO
+
+GRANT EXECUTE ON babel_4768_s1.babel_4768_f1 TO babel_4768_u1
+GO
+
+GRANT EXECUTE ON dbo.babel_4768_f2 TO babel_4768_u1
+GO
+
+GRANT EXECUTE ON babel_4768_s1.babel_4768_f2 TO babel_4768_u1
+GO
+
+GRANT SELECT, EXECUTE ON SCHEMA::dbo TO babel_4768_u1
+GO
+
+GRANT SELECT, 
EXECUTE ON SCHEMA::babel_4768_s1 TO babel_4768_u1
+GO
+
+-- psql
+select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default order by object_name;
+go
+
+select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'dbo' and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+-- tsql
+-- to test schema length truncation
+CREATE SCHEMA babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+go
+
+CREATE TABLE babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1 (a int)
+go
+
+GRANT SELECT ON babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1 TO babel_4768_u1
+go
+
+-- to test perms of multiple objects in same schema
+CREATE SCHEMA babel_4768_s2
+GO
+
+CREATE TABLE babel_4768_s2.t1 (a int)
+go
+
+create view babel_4768_s2.v1 as select 1;
+go
+
+create proc babel_4768_s2.p1 as select 1;
+go
+
+GRANT SELECT ON babel_4768_s2.t1 TO babel_4768_u1
+go
+
+GRANT SELECT ON babel_4768_s2.v1 TO babel_4768_u1
+go
+
+
+GRANT EXECUTE ON babel_4768_s2.p1 TO babel_4768_u1
+go
+
+-- to test consistency in case of special characters in schema name
+CREATE SCHEMA babel_4768ログイαιώνια
+GO
+
+CREATE SCHEMA [babel_4768 😎$chem@ #123 🌍rder]
+GO
+
+CREATE SCHEMA [babel_4768유니코드스키마👻]
+GO
+
+CREATE TABLE babel_4768ログイαιώνια.t1 (a int)
+go
+
+GRANT SELECT ON babel_4768ログイαιώνια.t1 TO babel_4768_u1
+go
+
+CREATE TABLE "babel_4768 😎$chem@ #123 🌍rder".t1 (a int)
+go
+
+GRANT SELECT ON "babel_4768 😎$chem@ #123 🌍rder".t1 TO babel_4768_u1
+go
+
+CREATE TABLE [babel_4768유니코드스키마👻].t1 (a int)
+go
+
+GRANT SELECT ON [babel_4768유니코드스키마👻].t1 TO babel_4768_u1
+go
+
+
+
+-- check for inconsistent metadata before upgrade
+select 
COUNT(*) FROM sys.babelfish_inconsistent_metadata();
+go
diff --git a/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-verify.mix b/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-verify.mix
new file mode 100644
index 00000000000..eaf8db08c34
--- /dev/null
+++ b/test/JDBC/input/1_GRANT_SCHEMA-before-17_6-vu-verify.mix
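Review bot: The pre-upgrade catalog snapshots in this prepare file are not the same queries as the post-upgrade ones in the verify file that follows: the `babel_4768_s1` query has no `grantee like '%babel_4768_u1'` filter, and the `dbo` query applies `collate sys.database_default` only to the LIKE pattern, whereas the verify file filters both snapshots by grantee and collates both predicates. Using identical queries before and after lets the two expected outputs be diffed directly for what the upgrade changed (notably the `grantor` column, which the pre-change rows elsewhere in this diff leave empty), e.g. `where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name`. A secondary sort key is also worth adding, since `order by object_name` alone is not a total order if an object ever carries more than one row.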
@@ -0,0 +1,130 @@
+-- tsql
+-- check for inconsistent metadata after upgrade
+select COUNT(*) FROM sys.babelfish_inconsistent_metadata();
+go
+
+-- psql
+select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+-- tsql
+-- rename the objects where permissions are already granted
+sp_rename 'babel_4768_s1.babel_4768_t1', 'babel_4768_t1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_s1.babel_4768_v1', 'babel_4768_v1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_s1.babel_4768_p1', 'babel_4768_p1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_s1.babel_4768_p2', 'babel_4768_p2_new', 'OBJECT';
+go
+sp_rename 'babel_4768_s1.babel_4768_f1', 'babel_4768_f1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_s1.babel_4768_f2', 'babel_4768_f2_new', 'OBJECT';
+go
+
+sp_rename 'babel_4768_t1', 'babel_4768_t1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_v1', 'babel_4768_v1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_p1', 'babel_4768_p1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_p2', 'babel_4768_p2_new', 'OBJECT';
+go
+sp_rename 'babel_4768_f1', 'babel_4768_f1_new', 'OBJECT';
+go
+sp_rename 'babel_4768_f2', 'babel_4768_f2_new', 'OBJECT';
+go
+
+-- psql
+-- catalog should show new object names
+select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+-- tsql
+REVOKE SELECT, EXECUTE ON SCHEMA::dbo FROM babel_4768_u1
+GO
+
+REVOKE SELECT, EXECUTE ON SCHEMA::babel_4768_s1 FROM babel_4768_u1
+GO
+
+-- psql
+-- catalog entry ALL should be gone now
+select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+-- tsql
+-- REVOKE individual object access from babel_4768_u1
+REVOKE SELECT ON dbo.babel_4768_t1_new FROM babel_4768_u1
+go
+
+REVOKE SELECT ON babel_4768_s1.babel_4768_t1_new FROM babel_4768_u1
+go
+
+REVOKE SELECT ON dbo.babel_4768_v1_new FROM babel_4768_u1
+go
+
+REVOKE SELECT ON babel_4768_s1.babel_4768_v1_new FROM babel_4768_u1
+go
+
+REVOKE EXECUTE ON babel_4768_p1_new FROM babel_4768_u1
+GO
+
+REVOKE EXECUTE ON babel_4768_s1.babel_4768_p1_new FROM babel_4768_u1
+GO
+
+REVOKE EXECUTE ON babel_4768_p2_new FROM babel_4768_u1
+GO
+
+REVOKE EXECUTE ON babel_4768_s1.babel_4768_p2_new FROM babel_4768_u1
+GO
+
+REVOKE EXECUTE ON babel_4768_f1_new FROM babel_4768_u1
+GO
+
+REVOKE EXECUTE ON babel_4768_s1.babel_4768_f1_new FROM babel_4768_u1
+GO
+
+REVOKE EXECUTE ON babel_4768_f2_new FROM babel_4768_u1
+GO
+
+REVOKE EXECUTE ON babel_4768_s1.babel_4768_f2_new FROM babel_4768_u1
+GO
+
+REVOKE SELECT ON babel_4768_schema_longer_than_64_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t1 FROM babel_4768_u1
+go
+
+REVOKE SELECT ON babel_4768_s2.t1 FROM babel_4768_u1
+go
+
+REVOKE SELECT ON babel_4768_s2.v1 FROM babel_4768_u1
+go
+
+REVOKE EXECUTE ON babel_4768_s2.p1 FROM babel_4768_u1
+go
+
+REVOKE SELECT ON babel_4768ログイαιώνια.t1 FROM babel_4768_u1
+go
+
+REVOKE SELECT ON "babel_4768 😎$chem@ #123 🌍rder".t1 FROM babel_4768_u1
+go
+
+REVOKE SELECT ON [babel_4768유니코드스키마👻].t1 FROM babel_4768_u1
+go
+
+-- psql
+-- catalog should be empty now
+select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
+
+select schema_name, object_name, permission, grantee, object_type, function_args from sys.babelfish_schema_permissions where schema_name = 'dbo' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;
+go
diff --git a/test/JDBC/input/db_accessadmin-vu-verify.mix b/test/JDBC/input/db_accessadmin-vu-verify.mix
index c9fadfc3b07..b6497dccacb 100644
--- a/test/JDBC/input/db_accessadmin-vu-verify.mix
+++ b/test/JDBC/input/db_accessadmin-vu-verify.mix
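Review bot: The two catalog checks at the top of this file select `grantor`, but the six checks that follow the renames, the schema-level REVOKEs and the object-level REVOKEs drop it from the select list, so a rename or revoke path that loses or rewrites the grantor entry would pass unnoticed in this upgrade verification. The column is already the last one in the first two queries, so the fix is to extend the later ones the same way: `select schema_name, object_name, permission, grantee, object_type, function_args, grantor from sys.babelfish_schema_permissions where schema_name = 'babel_4768_s1' collate sys.database_default and grantee like '%babel_4768_u1' collate sys.database_default order by object_name;` (and the matching `'dbo'` variant). With `grantor` included, the "catalog should be empty now" checks also confirm that no grantor-only residue remains after the final REVOKEs.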
@@ -56,13 +56,13 @@ GO ALTER ROLE db_accessadmin DROP MEMBER db_accessadmin GO -- Cannot GRANT/REVOKE on objects TO/FROM db_accessadmin -GRANT ALL on object::t1 to db_accessadmin; -- Error, no grant on special roles +GRANT ALL on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go -REVOKE ALL on object::t1 to db_accessadmin; -- Error, no grant on special roles +REVOKE ALL on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go -GRANT SELECT on object::t1 to db_accessadmin; -- Error, no grant on special roles +GRANT SELECT on object::babel_5136_t1 to db_accessadmin; -- Error, no grant on special roles go -REVOKE EXECUTE on object::t1 to db_accessadmin; -- Error, no grant on special roles +REVOKE EXECUTE on object::babel_5136_f1 to db_accessadmin; -- Error, no grant on special roles go -- MEMBERS OF db_accessadmin WILL ALWAYS HAVE CONNECT PRIVILEGES diff --git a/test/JDBC/input/db_owner-before-17_6-vu-cleanup.mix b/test/JDBC/input/db_owner-before-17_6-vu-cleanup.mix new file mode 100644 index 00000000000..773ac427df2 --- /dev/null +++ b/test/JDBC/input/db_owner-before-17_6-vu-cleanup.mix @@ -0,0 +1,19 @@ +-- tsql +use dbowner__main_db +go +drop database dbowner__test_db +go +drop user dbowner__u1 +go +drop login dbowner__l1 +go +drop login dbowner__l2 +go +drop login dbowner__temp +go +revoke connect from guest +go +use master +go +drop database dbowner__main_db +go diff --git a/test/JDBC/input/db_owner-before-17_6-vu-prepare.mix b/test/JDBC/input/db_owner-before-17_6-vu-prepare.mix new file mode 100644 index 00000000000..4fe4f4551d7 --- /dev/null +++ b/test/JDBC/input/db_owner-before-17_6-vu-prepare.mix 
@@ -0,0 +1,130 @@
+-- tsql
+create database dbowner__main_db
+go
+use dbowner__main_db
+go
+grant connect to guest
+go
+create login dbowner__l1 with password = '123'
+go
+create user dbowner__u1 for login dbowner__l1
+go
+create login dbowner__l2 with password = '123'
+go
+create login dbowner__temp with password = '123'
+go
+create user dbowner__u2 for login dbowner__l2
+go
+create schema dbowner__s0
+go
+create table dbowner__s0.dbowner__t00 (w float)
+go
+create function dbowner__s0.dbowner__f00() returns int as begin return 987 end
+go
+create type dbowner__s0.dbowner__typ00 from int
+go
+create trigger dbowner__s0.dbowner__trg00
+on dbowner__s0.dbowner__t00
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx00 on dbowner__s0.dbowner__t00 (w)
+go
+create view dbowner__s0.dbowner__v00 as select 1
+go
+create sequence dbowner__s0.dbowner__seq00 as int start with 1 increment by 1;
+go
+create schema dbowner__s1 authorization dbowner__u1
+go
+create schema dbowner__s2 authorization dbowner__u2
+go
+create table dbo.dbowner__t0 (x int)
+go
+create function dbo.dbowner__f0() returns int as begin return 10 end
+go
+create procedure dbo.dbowner__p0 as select 20
+go
+create type dbo.dbowner__typ0 from int
+go
+create trigger dbo.dbowner__trg0
+on dbo.dbowner__t0
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx0 on dbo.dbowner__t0 (x)
+go
+create view dbo.dbowner__v0 as select 1
+go
+create sequence dbo.dbowner__seq0 as int start with 2 increment by 2;
+go
+
+create role dbowner__r1
+go
+create role dbowner__r2
+go
+
+-- tsql user=dbowner__l1 password=123
+use dbowner__main_db
+go
+select is_member('db_owner')
+go
+create table dbowner__s1.dbowner__t1 (a int)
+go
+create function dbowner__s1.dbowner__f1() returns int as begin return 11 end
+go
+create procedure dbowner__s1.dbowner__p1 as select 21
+go
+create type dbowner__s1.dbowner__typ1 from int
+go
+create trigger dbowner__s1.dbowner__trg1
+on dbowner__s1.dbowner__t1
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx1 on dbowner__s1.dbowner__t1 (a)
+go
+create view dbowner__s1.dbowner__v1 as select 1
+go
+create sequence dbowner__s1.dbowner__seq1 as int start with 3 increment by 3;
+go
+
+-- tsql user=dbowner__l2 password=123
+use dbowner__main_db
+go
+select is_member('db_owner')
+go
+create table dbowner__s2.dbowner__t2 (a int)
+go
+create function dbowner__s2.dbowner__f2() returns int as begin return 12 end
+go
+create procedure dbowner__s2.dbowner__p2 as select 22
+go
+create type dbowner__s2.dbowner__typ2 from int
+go
+create trigger dbowner__s2.dbowner__trg2
+on dbowner__s2.dbowner__t2
+after insert
+as
+begin
+ select 'New row inserted'
+end
+go
+create index dbowner__idx2 on dbowner__s2.dbowner__t2 (a)
+go
+create view dbowner__s2.dbowner__v2 as select 1
+go
+create sequence dbowner__s2.dbowner__seq2 as int start with 4 increment by 4;
+go
+
+-- tsql
+alter role db_owner add member dbowner__u1
+go
diff --git a/test/JDBC/input/db_owner-before-17_6-vu-verify.mix b/test/JDBC/input/db_owner-before-17_6-vu-verify.mix
new file mode 100644
index 00000000000..962aad369e6
--- /dev/null
+++ b/test/JDBC/input/db_owner-before-17_6-vu-verify.mix
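Review bot: This prepare file has no header stating what fixture state it builds or why the final `alter role db_owner add member dbowner__u1` is deliberately the last step, which a reader of the matching verify file needs to know; the sibling 1_GRANT_SCHEMA verify file at least opens with a one-line purpose comment. A header such as `-- Fixtures for the db_owner upgrade test: objects in dbo/dbowner__s0 owned by dbo, schemas dbowner__s1/s2 owned by dbowner__u1/u2 with their own objects, and dbowner__u1 added to db_owner as the last step before upgrade` would make the intent explicit. As a point of style, the four `create sequence ... ;` statements are the only ones in the file terminated with a semicolon; dropping them keeps the batch style uniform, e.g. `create sequence dbowner__s0.dbowner__seq00 as int start with 1 increment by 1`.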
@@ -0,0 +1,1159 @@ +-- psql +-- Before anything, let's check if internal role linking/delinking worked as expected +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbowner__u1_bbfobj' +ORDER BY r.rolname; +go + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbowner__u1' +ORDER BY r.rolname; +go + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_db_owner' +ORDER BY r.rolname; +go + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbo' +ORDER BY r.rolname; +go + +-- tsql +alter login dbowner__l1 with password = '123' +go +alter login dbowner__l2 with password = '123' +go +alter login dbowner__temp with password = '123' +go + +-- Testing for name clash +create login dbowner__main_db_dbowner__u1_bbfobj with password = '123' +go +use dbowner__main_db +go +create login dbowner__nameclash with password = '123' +go +create user dbowner__u1_bbfobj for login dbowner__nameclash +go +drop login dbowner__nameclash +go +use master +go + +-- Adding/Dropping non-existent user to db_owner should throw error +alter role db_owner add member a_very_invalid_username +go +alter role db_owner drop member a_very_invalid_username +go + +-- CASE 0: Should not be able to manipulate server level objects +-- tsql user=dbowner__l1 password=123 +use dbowner__main_db +go +select is_member('db_owner') +go +create database dbowner_try_db_create +go +create login dbowner_try_login_create with password = '123' +go +drop login dbowner__l1 +go +drop login dbowner__l2 +go +alter server role sysadmin add 
member dbowner__temp +go + +-- CASE 1: Able to access all objects in its own database +select is_member('db_owner') +go +insert into dbo.dbowner__t0 values (10), (20), (30) +go +select * from dbo.dbowner__t0 +go +select * from dbo.dbowner__v0 +go +select next value for dbo.dbowner__seq0; +go +select dbo.dbowner__f0() +go +exec dbo.dbowner__p0 +go +insert into dbowner__s1.dbowner__t1 values (11), (21), (31) +go +select * from dbowner__s1.dbowner__t1 +go +select * from dbowner__s1.dbowner__v1 +go +select next value for dbowner__s1.dbowner__seq1; +go +select dbowner__s1.dbowner__f1() +go +exec dbowner__s1.dbowner__p1 +go +insert into dbowner__s2.dbowner__t2 values (12), (22), (32) +go +select * from dbowner__s2.dbowner__t2 +go +select * from dbowner__s2.dbowner__v2 +go +select next value for dbowner__s2.dbowner__seq2; +go +select dbowner__s2.dbowner__f2() +go +exec dbowner__s2.dbowner__p2 +go + +-- CASE 2: Able to perform DDL on objects in its own database +create table dbowner__s1.dbowner__t11 (a dbowner__s1.dbowner__typ1) +go +create schema dbowner__s3 authorization dbowner__u1 +go +create schema dbowner__sch_u2 authorization dbowner__u2 +go +create schema dbowner__sch_db_owner authorization db_owner +go +create type dbowner__s3.dbowner__typ3 from int +go +create table dbowner__s3.dbowner__t3 (a dbowner__s3.dbowner__typ3) +go +create function dbowner__s3.dbowner__f3() returns int as begin return 13 end +go +create procedure dbowner__s3.dbowner__p3 as select 23 +go +create view dbowner__s3.dbowner__v3 as select 230 +go +create sequence dbowner__s3.dbowner__seq3 as int start with 5 increment by 5; +go +alter table dbo.dbowner__t0 add b int +go +alter function dbo.dbowner__f0() returns int as begin return 134 end +go +alter procedure dbo.dbowner__p0 as select 234 +go +alter table dbo.dbowner__t0 drop column b +go +alter function dbo.dbowner__f0() returns int as begin return 10 end +go +alter procedure dbo.dbowner__p0 as select 20 +go + +-- Member of db_owner role 
should be allowed to rename objects +exec sp_rename 'dbo.dbowner__t0.x', 'x_renamed', 'column' +go +exec sp_rename 'dbo.dbowner__typ0', 'dbowner__typ0_renamed', 'userdatatype' +go +exec sp_rename 'dbo.dbowner__t0', 'dbowner__t0_renamed', 'object' +go +exec sp_rename 'dbo.dbowner__p0', 'dbowner__p0_renamed', 'object' +go +exec sp_rename 'dbo.dbowner__f0', 'dbowner__f0_renamed', 'object' +go +exec sp_rename 'dbo.dbowner__v0', 'dbowner__v0_renamed', 'object' +go +exec sp_rename 'dbowner__trg0', 'dbowner__trg0_renamed', 'object' +go +exec sp_rename 'dbo.dbowner__seq0', 'dbowner__seq0_renamed', 'object' +go + +-- psql +-- Procedure/function owners should be dbowner__main_db_dbo +SELECT proname, + proowner::regrole +FROM pg_proc +WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbo' +AND proname LIKE 'dbowner__%' +ORDER BY proname; +GO + +-- Object owners should be dbowner__main_db_dbo +SELECT + n.nspname AS schema, + c.relname AS table, + CASE c.relkind + WHEN 'r' THEN 'table' + WHEN 'v' THEN 'view' + WHEN 'm' THEN 'materialized view' + WHEN 'i' THEN 'index' + WHEN 'S' THEN 'sequence' + WHEN 's' THEN 'special' + WHEN 'f' THEN 'foreign table' + END AS type, + pg_catalog.pg_get_userbyid(c.relowner) AS owner +FROM pg_catalog.pg_class c +LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace +WHERE n.nspname = 'dbowner__main_db_dbo' +AND c.relname LIKE 'dbowner__%' +AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f') +ORDER BY n.nspname, c.relkind, c.relname; +GO + +-- tsql user=dbowner__l1 password=123 +exec sp_rename 'dbo.dbowner__t0_renamed', 'dbowner__t0', 'object' +go +exec sp_rename 'dbo.dbowner__t0.x_renamed', 'x', 'column' +go +exec sp_rename 'dbo.dbowner__typ0_renamed', 'dbowner__typ0', 'userdatatype' +go +exec sp_rename 'dbo.dbowner__p0_renamed', 'dbowner__p0', 'object' +go +exec sp_rename 'dbo.dbowner__f0_renamed', 'dbowner__f0', 'object' +go +exec sp_rename 'dbo.dbowner__v0_renamed', 'dbowner__v0', 'object' +go +exec sp_rename 
'dbowner__trg0_renamed', 'dbowner__trg0', 'object' +go +exec sp_rename 'dbo.dbowner__seq0_renamed', 'dbowner__seq0', 'object' +go + +exec sp_rename 'dbowner__s1.dbowner__t1.a', 'a_renamed', 'column' +go +exec sp_rename 'dbowner__s1.dbowner__typ1', 'dbowner__typ1_renamed', 'userdatatype' +go +exec sp_rename 'dbowner__s1.dbowner__t1', 'dbowner__t1_renamed', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__p1', 'dbowner__p1_renamed', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__f1', 'dbowner__f1_renamed', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__v1', 'dbowner__v1_renamed', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__trg1', 'dbowner__trg1_renamed', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__seq1', 'dbowner__seq1_renamed', 'object' +go + +exec sp_rename 'dbowner__s3.dbowner__t3.a', 'a_renamed', 'column' +go +exec sp_rename 'dbowner__s3.dbowner__typ3', 'dbowner__typ3_renamed', 'userdatatype' +go +exec sp_rename 'dbowner__s3.dbowner__t3', 'dbowner__t3_renamed', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__p3', 'dbowner__p3_renamed', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__f3', 'dbowner__f3_renamed', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__v3', 'dbowner__v3_renamed', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__seq3', 'dbowner__seq3_renamed', 'object' +go + +-- psql +-- Procedure/function owners should be dbowner__main_db_dbowner__u1_bbfobj +SELECT proname, + proowner::regrole +FROM pg_proc +WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s1' +OR pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s3' +ORDER BY proname; +GO + +-- Table owners should be dbowner__main_db_dbowner__u1_bbfobj +SELECT + n.nspname AS schema, + c.relname AS table, + CASE c.relkind + WHEN 'r' THEN 'table' + WHEN 'v' THEN 'view' + WHEN 'm' THEN 'materialized view' + WHEN 'i' THEN 'index' + WHEN 'S' THEN 'sequence' + WHEN 's' THEN 'special' + WHEN 'f' THEN 'foreign table' + END AS type, + 
pg_catalog.pg_get_userbyid(c.relowner) AS owner +FROM pg_catalog.pg_class c +LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace +WHERE (n.nspname = 'dbowner__main_db_dbowner__s1' OR n.nspname = 'dbowner__main_db_dbowner__s3') +AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f') +ORDER BY n.nspname, c.relkind, c.relname; +GO + +-- tsql user=dbowner__l1 password=123 +exec sp_rename 'dbowner__s1.dbowner__t1_renamed', 'dbowner__t1', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__t1.a_renamed', 'a', 'column' +go +exec sp_rename 'dbowner__s1.dbowner__typ1_renamed', 'dbowner__typ1', 'userdatatype' +go +exec sp_rename 'dbowner__s1.dbowner__p1_renamed', 'dbowner__p1', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__f1_renamed', 'dbowner__f1', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__v1_renamed', 'dbowner__v1', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__trg1_renamed', 'dbowner__trg1', 'object' +go +exec sp_rename 'dbowner__s1.dbowner__seq1_renamed', 'dbowner__seq1', 'object' +go + +exec sp_rename 'dbowner__s3.dbowner__t3_renamed', 'dbowner__t3', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__t3.a_renamed', 'a', 'column' +go +exec sp_rename 'dbowner__s3.dbowner__typ3_renamed', 'dbowner__typ3', 'userdatatype' +go +exec sp_rename 'dbowner__s3.dbowner__p3_renamed', 'dbowner__p3', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__f3_renamed', 'dbowner__f3', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__v3_renamed', 'dbowner__v3', 'object' +go +exec sp_rename 'dbowner__s3.dbowner__seq3_renamed', 'dbowner__seq3', 'object' +go + +exec sp_rename 'dbowner__s2.dbowner__t2.a', 'a_renamed', 'column' +go +exec sp_rename 'dbowner__s2.dbowner__typ2', 'dbowner__typ2_renamed', 'userdatatype' +go +exec sp_rename 'dbowner__s2.dbowner__t2', 'dbowner__t2_renamed', 'object' +go +exec sp_rename 'dbowner__s2.dbowner__p2', 'dbowner__p2_renamed', 'object' +go +exec sp_rename 'dbowner__s2.dbowner__f2', 'dbowner__f2_renamed', 'object' +go +exec sp_rename 
'dbowner__s2.dbowner__v2', 'dbowner__v2_renamed', 'object' +go +exec sp_rename 'dbowner__s2.dbowner__seq2', 'dbowner__seq2_renamed', 'object' +go + +-- psql +-- Procedure/function owners should be dbowner__main_db_dbowner__u2 +SELECT proname, + proowner::regrole +FROM pg_proc +WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s2' +ORDER BY proname; +GO + +-- Table owners should be dbowner__main_db_dbowner__u2 +SELECT + n.nspname AS schema, + c.relname AS table, + CASE c.relkind + WHEN 'r' THEN 'table' + WHEN 'v' THEN 'view' + WHEN 'm' THEN 'materialized view' + WHEN 'i' THEN 'index' + WHEN 'S' THEN 'sequence' + WHEN 's' THEN 'special' + WHEN 'f' THEN 'foreign table' + END AS type, + pg_catalog.pg_get_userbyid(c.relowner) AS owner +FROM pg_catalog.pg_class c +LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace +WHERE n.nspname = 'dbowner__main_db_dbowner__s2' +AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f') +ORDER BY n.nspname, c.relkind, c.relname; +GO + +-- tsql user=dbowner__l1 password=123 +exec sp_rename 'dbowner__s2.dbowner__t2_renamed', 'dbowner__t2', 'object' +go +exec sp_rename 'dbowner__s2.dbowner__t2.a_renamed', 'a', 'column' +go +exec sp_rename 'dbowner__s2.dbowner__typ2_renamed', 'dbowner__typ2', 'userdatatype' +go +exec sp_rename 'dbowner__s2.dbowner__p2_renamed', 'dbowner__p2', 'object' +go +exec sp_rename 'dbowner__s2.dbowner__f2_renamed', 'dbowner__f2', 'object' +go +exec sp_rename 'dbowner__s2.dbowner__v2_renamed', 'dbowner__v2', 'object' +go +exec sp_rename 'dbowner__s2.dbowner__seq2_renamed', 'dbowner__seq2', 'object' +go + +-- CASE 3: Able to GRANT/REVOKE on SCHEMA/OBJECT +grant select on schema::dbowner__s1 to dbowner__u2 +go +grant insert on schema::dbowner__s2 to guest +go +grant update on schema::dbowner__s3 to dbowner__u2 +go +grant delete on schema::dbo to dbowner__u2 +go +grant select on object::dbo.dbowner__t0 to dbowner__u2 +go +grant insert on object::dbowner__s1.dbowner__t1 to dbowner__u2 +go +grant 
update on object::dbowner__s2.dbowner__t2 to dbowner__u1 +go +grant delete on object::dbowner__s3.dbowner__t3 to dbowner__u2 +go +grant execute on object::dbowner__s1.dbowner__f1 to dbowner__u1 +go +grant execute on object::dbowner__s3.dbowner__p3 to dbowner__u1 +go + +-- psql +select schema_name, object_name, permission, grantee, grantor from sys.babelfish_schema_permissions +where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission, grantee, schema_name; +GO + +-- tsql user=dbowner__l1 password=123 +revoke select on schema::dbowner__s1 to dbowner__u2 +go +revoke insert on schema::dbowner__s2 to guest +go +revoke update on schema::dbowner__s3 to dbowner__u2 +go +revoke delete on schema::dbo to dbowner__u2 +go +revoke select on object::dbo.dbowner__t0 to dbowner__u2 +go +revoke insert on object::dbowner__s1.dbowner__t1 to dbowner__u2 +go +revoke update on object::dbowner__s2.dbowner__t2 to dbowner__u1 +go +revoke delete on object::dbowner__s3.dbowner__t3 to dbowner__u2 +go +revoke execute on object::dbowner__s1.dbowner__f1 to dbowner__u1 +go +revoke execute on object::dbowner__s3.dbowner__p3 to dbowner__u1 +go + +-- Adding a member to db_owner role should not affect other user's privileges +-- tsql +use dbowner__main_db +go +alter role db_owner drop member dbowner__u1 +go +alter role db_owner drop member dbowner__u1 -- adding again should not throw error +go +grant select on schema::dbowner__s0 to dbowner__u2 +go +alter role db_owner add member dbowner__u1 +go +alter role db_owner add member dbowner__u1 -- dropping again should not throw error +go +grant execute on schema::dbowner__s0 to dbowner__u2 +go + +-- Check sp_helpuser +CREATE TABLE #db_owner_roles(userName sys.SYSNAME, roleName sys.SYSNAME, loginName sys.SYSNAME NULL, defdb sys.SYSNAME NULL, defschema sys.SYSNAME, userid INT, sid sys.VARBINARY(85)); +go +INSERT INTO #db_owner_roles EXEC sp_helpuser 'dbowner__u1'; +go +SELECT userName, 
roleName FROM #db_owner_roles; +go +DROP TABLE #db_owner_roles; +go + +-- GRANT on dbowner__u2 should allow it to still access objects in schema +-- tsql user=dbowner__l2 password=123 +use dbowner__main_db +go +select * from dbowner__s0.dbowner__t00 +go +select * from dbowner__s0.dbowner__v00 +go +select dbowner__s0.dbowner__f00() +go + +-- tsql +revoke select on schema::dbowner__s0 to dbowner__u2 +go +revoke execute on schema::dbowner__s0 to dbowner__u2 +go + +-- psql +select schema_name, object_name, permission, grantee, grantor from sys.babelfish_schema_permissions +where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission; +GO + +-- CASE 4: Able to ALTER ANY USER +-- tsql user=dbowner__l1 password=123 +select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname +go +alter user dbowner__u1 with default_schema = dbowner__s1 +go +alter user dbowner__u2 with default_schema = dbo +go +alter user dbowner__u2 with login = dbowner__temp +go +alter user dbowner__u2 with name = new_dbowner__u2 +go +select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname +go +select sys.user_name(), sys.suser_name(), is_member('db_owner') +go +alter user new_dbowner__u2 with default_schema = dbo +go +alter user new_dbowner__u2 with login = dbowner__l2 +go +alter user new_dbowner__u2 with name = dbowner__u2 +go +alter user dbowner__u1 with login = dbowner__temp +go +select sys.user_name(), sys.suser_name(), is_member('db_owner') +go +select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by 
rolname +go +alter user dbowner__u1 with login = dbowner__l1 +go +select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname +go +select name from sys.database_principals order by name +go + +-- tsql +use dbowner__main_db +go +exec sp_droprolemember 'db_owner', 'dbowner__u1' +go +exec sp_droprolemember 'db_owner', 'dbowner__u1' -- dropping again should not throw error +go + +-- Check name clash scenario +create role dbowner__u1_bbfobj +go +exec sp_addrolemember 'db_owner', 'dbowner__u1' +go +drop role dbowner__u1_bbfobj +go + +exec sp_addrolemember 'db_owner', 'dbowner__u1' -- adding again should not throw error +go +exec sp_addrolemember 'db_owner', 'dbowner__u1' -- adding again should not throw error +go +alter user dbowner__u1 with login = dbowner__l1 +go + +-- terminate-tsql-conn user=dbowner__l1 password=123 + +-- tsql user=dbowner__l1 password=123 +use dbowner__main_db +go +select sys.user_name(), is_member('db_owner') +go +select rolname, login_name, default_schema_name, default_language_name from babelfish_authid_user_ext where rolname in ('dbowner__main_db_dbowner__u1', 'dbowner__main_db_new_dbowner__u2') order by rolname +go +select name from sys.database_principals order by name +go + +-- tsql user=dbowner__l2 password=123 +use dbowner__main_db +go +select is_member('db_owner') +go +select * from dbo.dbowner__t0 +go +select * from dbo.dbowner__v0 +go +select next value for dbo.dbowner__seq0; +go +select dbo.dbowner__f0() +go +exec dbo.dbowner__p0 +go +select * from dbowner__s1.dbowner__t1 +go +select * from dbowner__s1.dbowner__v1 +go +select next value for dbowner__s1.dbowner__seq1; +go +select dbowner__s1.dbowner__f1() +go +exec dbowner__s1.dbowner__p1 +go +select * from dbowner__s2.dbowner__t2 +go +select * from dbowner__s2.dbowner__v2 +go +select next value for dbowner__s2.dbowner__seq2; +go +select 
dbowner__s2.dbowner__f2() +go +exec dbowner__s2.dbowner__p2 +go +select * from dbowner__s1.dbowner__t11 +go +select * from dbowner__s3.dbowner__t3 +go +select * from dbowner__s3.dbowner__v3 +go +select next value for dbowner__s3.dbowner__seq3; +go +select dbowner__s3.dbowner__f3() +go +exec dbowner__s3.dbowner__p3 +go + +select name from sys.database_principals order by name +go + +-- psql +-- Procedure/function owners should be dbowner__main_db_dbowner__u1_bbfobj +SELECT proname, + proowner::regrole +FROM pg_proc +WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s1' +OR pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s3' +ORDER BY proname; +GO + +-- Table owners should be dbowner__main_db_dbowner__u1_bbfobj +SELECT + n.nspname AS schema, + c.relname AS table, + CASE c.relkind + WHEN 'r' THEN 'table' + WHEN 'v' THEN 'view' + WHEN 'm' THEN 'materialized view' + WHEN 'i' THEN 'index' + WHEN 'S' THEN 'sequence' + WHEN 's' THEN 'special' + WHEN 'f' THEN 'foreign table' + END AS type, + pg_catalog.pg_get_userbyid(c.relowner) AS owner +FROM pg_catalog.pg_class c +LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace +WHERE (n.nspname = 'dbowner__main_db_dbowner__s1' OR n.nspname = 'dbowner__main_db_dbowner__s3') +AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f') +ORDER BY n.nspname, c.relkind, c.relname; +GO + +-- Schemas owner should be dbowner__main_db_dbowner__u1_bbfobj except for dbowner__main_db_dbowner__sch_u2 and dbowner__main_db_dbowner__sch_db_owner +SELECT + r.rolname AS schema_owner, + ns.nspname +FROM + pg_namespace ns +JOIN + pg_roles r +ON + ns.nspowner = r.oid +WHERE + ns.nspname IN ('dbowner__main_db_dbowner__s1', 'dbowner__main_db_dbowner__s3', 'dbowner__main_db_dbowner__sch_u2', 'dbowner__main_db_dbowner__sch_db_owner') +ORDER BY ns.nspname; +GO + +-- tsql +select * from dbo.dbowner__t0 +go +select * from dbo.dbowner__v0 +go +select next value for dbo.dbowner__seq0; +go +select dbo.dbowner__f0() +go +exec 
dbo.dbowner__p0 +go +select * from dbowner__s1.dbowner__t1 +go +select * from dbowner__s1.dbowner__v1 +go +select next value for dbowner__s1.dbowner__seq1; +go +select dbowner__s1.dbowner__f1() +go +exec dbowner__s1.dbowner__p1 +go +select * from dbowner__s2.dbowner__t2 +go +select * from dbowner__s2.dbowner__v2 +go +select next value for dbowner__s2.dbowner__seq2; +go +select dbowner__s2.dbowner__f2() +go +exec dbowner__s2.dbowner__p2 +go +select * from dbowner__s1.dbowner__t11 +go +select * from dbowner__s3.dbowner__t3 +go +select * from dbowner__s3.dbowner__v3 +go +select next value for dbowner__s3.dbowner__seq3; +go +select dbowner__s3.dbowner__f3() +go +exec dbowner__s3.dbowner__p3 +go +create schema dbowner__sch_u1 authorization dbowner__u1 +go + +-- Schema owners should be dbowner__main_db_dbowner__u1_bbfobj +SELECT + r.rolname AS schema_owner, + ns.nspname +FROM + pg_namespace ns +JOIN + pg_roles r +ON + ns.nspowner = r.oid +WHERE + ns.nspname = 'dbowner__main_db_dbowner__sch_u1' +ORDER BY ns.nspname; +GO + +select name from sys.database_principals order by name +go + +-- CASE 5: If removed from db_owner, user should lose access to objects in schemas except the ones it owns +alter role db_owner drop member dbowner__u1 +go + +-- psql +-- Before anything, let's check if internal role linking/delinking got reverted as expected +SELECT rolname FROM pg_roles WHERE rolname = 'dbowner__main_db_dbowner__u1_bbfobj'; -- "_bbfobj" role should not exist +go + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbowner__u1' +ORDER BY r.rolname; + +go + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_db_owner' +ORDER BY r.rolname; +go + +SELECT r.rolname AS parent_role +FROM pg_auth_members m +JOIN pg_roles r ON (m.roleid = 
r.oid) +JOIN pg_roles mr ON (m.member = mr.oid) +WHERE mr.rolname = 'dbowner__main_db_dbo' +ORDER BY r.rolname; +go + +-- tsql user=dbowner__l1 password=123 +select is_member('db_owner') +go +select * from dbo.dbowner__t0 +go +select * from dbo.dbowner__v0 +go +select next value for dbo.dbowner__seq0; +go +select dbo.dbowner__f0() +go +exec dbo.dbowner__p0 +go +select * from dbowner__s1.dbowner__t1 +go +select * from dbowner__s1.dbowner__v1 +go +select next value for dbowner__s1.dbowner__seq1; +go +select dbowner__s1.dbowner__f1() +go +exec dbowner__s1.dbowner__p1 +go +select * from dbowner__s2.dbowner__t2 +go +select * from dbowner__s2.dbowner__v2 +go +select next value for dbowner__s2.dbowner__seq2; +go +select dbowner__s2.dbowner__f2() +go +exec dbowner__s2.dbowner__p2 +go +select * from dbowner__s1.dbowner__t11 +go +select * from dbowner__s3.dbowner__t3 +go +select * from dbowner__s3.dbowner__v3 +go +select next value for dbowner__s3.dbowner__seq3; +go +select dbowner__s3.dbowner__f3() +go +exec dbowner__s3.dbowner__p3 +go + +-- CASE 6: If removed from db_owner, user should lose access to create objects in schemas except the ones it owns +alter table dbo.dbowner__t0 add c int +go +alter function dbo.dbowner__f0() returns int as begin return 1345 end +go +alter procedure dbo.dbowner__p0 as select 2345 +go +create role dbowner__r3 +go +create role dbowner__r4 +go +create user dbowner__temp for login dbowner__temp +go +alter role dbowner__r1 add member dbowner__u2 +go +drop user dbowner__u2 +go +drop role dbowner__r1 +go +drop role dbowner__r2 +go + +-- psql +-- Procedure/function owners should be dbowner__main_db_dbowner__u1 +SELECT proname, + proowner::regrole +FROM pg_proc +WHERE pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s1' +OR pronamespace::regnamespace::text = 'dbowner__main_db_dbowner__s3' +ORDER BY proname; +GO + +-- Table owners should be dbowner__main_db_dbowner__u1 +SELECT + n.nspname AS schema, + c.relname AS table, + CASE c.relkind 
+ WHEN 'r' THEN 'table' + WHEN 'v' THEN 'view' + WHEN 'm' THEN 'materialized view' + WHEN 'i' THEN 'index' + WHEN 'S' THEN 'sequence' + WHEN 's' THEN 'special' + WHEN 'f' THEN 'foreign table' + END AS type, + pg_catalog.pg_get_userbyid(c.relowner) AS owner +FROM pg_catalog.pg_class c +LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace +WHERE (n.nspname = 'dbowner__main_db_dbowner__s1' OR n.nspname = 'dbowner__main_db_dbowner__s3') +AND c.relkind IN ('r', 'v', 'm', 'i', 'S', 's', 'f') +ORDER BY n.nspname, c.relkind, c.relname; +GO + +-- Schema owners should be dbowner__main_db_dbowner__u1 +SELECT + r.rolname AS schema_owner, + ns.nspname +FROM + pg_namespace ns +JOIN + pg_roles r +ON + ns.nspowner = r.oid +WHERE + ns.nspname IN ('dbowner__main_db_dbowner__s1', 'dbowner__main_db_dbowner__s3', 'dbowner__main_db_dbowner__sch_u1', 'dbowner__main_db_dbowner__sch_u2', 'dbowner__main_db_dbowner__sch_db_owner') +ORDER BY ns.nspname; +GO + +-- tsql +alter role db_owner add member dbowner__u1 +go + +-- psql +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'dbowner__l2' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +GO +-- Wait to sync with another session +SELECT pg_sleep(1); +GO + +-- tsql user=dbowner__l1 password=123 +select is_member('db_owner') +go + +-- CASE 6: User member of db_owner should be able to drop all objects in its database +create role dbowner__r3 +go +create role dbowner__r4 +go +create user dbowner__temp for login dbowner__temp +go +alter role dbowner__r1 add member dbowner__temp +go +alter role dbowner__r3 add member dbowner__temp +go +alter role dbowner__r3 add member dbowner__r1 +go +alter role dbowner__r4 add member dbowner__r2 +go +drop user dbowner__temp +go +drop role dbowner__r1 +go +drop role dbowner__r2 +go +drop role dbowner__r3 +go +drop role dbowner__r4 +go + +drop index dbowner__idx0 on 
dbo.dbowner__t0 +go +drop table dbo.dbowner__t0 +go +drop function dbo.dbowner__f0 +go +drop procedure dbo.dbowner__p0 +go +drop type dbo.dbowner__typ0 +go +drop view dbo.dbowner__v0 +go +drop sequence dbo.dbowner__seq0 +go +drop index dbowner__idx1 on dbowner__s1.dbowner__t1 +go +drop table dbowner__s1.dbowner__t1 +go +drop function dbowner__s1.dbowner__f1 +go +drop procedure dbowner__s1.dbowner__p1 +go +drop table dbowner__s1.dbowner__t11 +go +drop type dbowner__s1.dbowner__typ1 +go +drop view dbowner__s1.dbowner__v1 +go +drop sequence dbowner__s1.dbowner__seq1 +go +drop index dbowner__idx2 on dbowner__s2.dbowner__t2 +go +drop table dbowner__s2.dbowner__t2 +go +drop function dbowner__s2.dbowner__f2 +go +drop procedure dbowner__s2.dbowner__p2 +go +drop type dbowner__s2.dbowner__typ2 +go +drop view dbowner__s2.dbowner__v2 +go +drop sequence dbowner__s2.dbowner__seq2 +go +drop table dbowner__s3.dbowner__t3 +go +drop function dbowner__s3.dbowner__f3 +go +drop procedure dbowner__s3.dbowner__p3 +go +drop type dbowner__s3.dbowner__typ3 +go +drop view dbowner__s3.dbowner__v3 +go +drop sequence dbowner__s3.dbowner__seq3 +go +drop index dbowner__idx00 on dbowner__s0.dbowner__t00 +go +drop table dbowner__s0.dbowner__t00 +go +drop function dbowner__s0.dbowner__f00 +go +drop type dbowner__s0.dbowner__typ00 +go +drop view dbowner__s0.dbowner__v00 +go +drop sequence dbowner__s0.dbowner__seq00 +go +drop schema dbowner__s0 +go +drop schema dbowner__s1 +go +drop schema dbowner__s2 +go +drop schema dbowner__s3 +go +drop schema dbowner__sch_u1 +go +drop schema dbowner__sch_u2 +go +drop schema dbowner__sch_db_owner +go +drop user dbowner__u2 +go + +-- tsql +alter role db_owner drop member dbowner__u1 +go + +-- tsql user=dbowner__l1 password=123 +select is_member('db_owner') +go + +-- CASE 7: Check if db_owner can drop the database +-- tsql +create database dbowner__test_db +go +use dbowner__test_db +go +create user dbowner__test_db_dbowner__u1 for login dbowner__l1 +go +alter role 
db_owner add member dbowner__test_db_dbowner__u1 +go +use dbowner__main_db +go + +-- tsql user=dbowner__l1 password=123 +select sys.user_name() +go +select is_member('db_owner') +go +drop database dbowner__test_db +go + +-- CASE 8: Check if there can be multiple db_owners +-- tsql +create database dbowner__test_db +go +use dbowner__test_db +go +create user dbowner__test_db_dbowner__u1 for login dbowner__l1 +go +alter role db_owner add member dbowner__test_db_dbowner__u1 +go + +-- CASE 9: Should be able to add other users to db_owner role as a member of db_owner +-- tsql user=dbowner__l1 password=123 +use dbowner__test_db +go +select is_member('db_owner') +go +create user dbowner__test_db_dbowner__u2 for login dbowner__l2 +go +alter role db_owner add member dbowner__test_db_dbowner__u2 +go +select is_rolemember('db_owner', 'dbowner__test_db_dbowner__u1'), is_rolemember('db_owner', 'dbowner__test_db_dbowner__u2') +go + +-- CASE 10: Should be able to drop other users from db_owner role as a member of db_owner, including itself +alter role db_owner drop member dbowner__test_db_dbowner__u2 +go +alter role db_owner drop member dbowner__test_db_dbowner__u1 +go + +-- tsql +alter role db_owner add member dbowner__test_db_dbowner__u1 +go +alter role db_owner add member dbowner__test_db_dbowner__u2 +go + +-- psql +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'dbowner__l1' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +GO +-- Wait to sync with another session +SELECT pg_sleep(1); +GO + + +-- Check if dropping user, also drops the linked "_bbfobj" role +-- psql +select rolname from pg_authid where rolname like 'dbowner__test_db_%' order by rolname; +go + +-- tsql +use dbowner__test_db +go +drop user dbowner__test_db_dbowner__u1 +go +drop user dbowner__test_db_dbowner__u2 +go +use dbowner__main_db +go + +-- psql +select rolname from pg_authid 
where rolname like 'dbowner__test_db_%' order by rolname; +go + +-- tsql +-- CASE 11: Check if long database names and long user names work with db_owner role +create database dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename -- 70 characters +go +use dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename +go +create user dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername for login dbowner__temp -- 66 characters +go +alter role db_owner add member dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername +go + +-- tsql user=dbowner__temp password=123 +use dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename +go +select is_member('db_owner') +go +create schema db_owner_temp_schema +go +create table dbo.temp_tab (a int) +go +create table db_owner_temp_schema.temp_tab (a int) +go +insert into dbo.temp_tab values (1), (2), (34567) +go +insert into db_owner_temp_schema.temp_tab values (1), (2), (34567) +go +select * from dbo.temp_tab +go +select * from db_owner_temp_schema.temp_tab +go +drop table db_owner_temp_schema.temp_tab +go +drop table dbo.temp_tab +go +drop schema db_owner_temp_schema +go +alter role db_owner drop member dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername +go +select is_member('db_owner') +go +use master +go + +-- tsql +drop user dbowner_averyveryveryveryveryveryveryveryveryveryverylongusername +go +use master +go +drop database dbowner_averyveryveryveryveryveryveryveryveryveryverylongdatabasename +go + +-- Check for windows login +exec sys.babelfish_add_domain_mapping_entry 'dbownerdomain', 'dbownerdomain.babel'; +go +create login [dbownerdomain\abc] from windows +go +create user [dbownerdomain\abc] +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +alter role db_owner add member [dbownerdomain\abc] +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +alter role db_owner drop member [dbownerdomain\abc] +go +select 
is_rolemember('db_owner', 'dbownerdomain\abc') +go +exec sp_addrolemember 'db_owner', 'dbownerdomain\abc' +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +exec sp_droprolemember 'db_owner', 'dbownerdomain\abc' +go +select is_rolemember('db_owner', 'dbownerdomain\abc') +go +drop user [dbownerdomain\abc] +go +drop login [dbownerdomain\abc] +go +exec sys.babelfish_remove_domain_mapping_entry 'dbownerdomain' +go diff --git a/test/JDBC/input/db_owner-vu-verify.mix b/test/JDBC/input/db_owner-vu-verify.mix index 41474842562..962aad369e6 100644 --- a/test/JDBC/input/db_owner-vu-verify.mix +++ b/test/JDBC/input/db_owner-vu-verify.mix @@ -400,7 +400,7 @@ go -- psql select schema_name, object_name, permission, grantee, grantor from sys.babelfish_schema_permissions -where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission; +where grantee IN ('dbowner__main_db_guest', 'dbowner__main_db_dbowner__u1', 'dbowner__main_db_dbowner__u2') order by permission, grantee, schema_name; GO -- tsql user=dbowner__l1 password=123 diff --git a/test/JDBC/input/views/sys_database_permissions-vu-cleanup.mix b/test/JDBC/input/views/sys_database_permissions-vu-cleanup.mix new file mode 100644 index 00000000000..06b5d232f34 --- /dev/null +++ b/test/JDBC/input/views/sys_database_permissions-vu-cleanup.mix @@ -0,0 +1,49 @@ +-- tsql +use babel_5690_db_1 +go + +select current_user; +go + +drop function babel_5690_function_1 +go + +drop procedure babel_5690_procedure_1 +go + +drop view babel_5690_view_1 +go + +drop table babel_5690_table_1 +go + +drop table sch1.t1; +go + +drop table sch2.t2; +go + +drop schema sch1; +go + +drop schema sch2; +go + +drop user babel_5690_user_3 +go + +drop user babel_5690_user_2 +go + +drop user babel_5690_user_1 +go + +drop login babel_5690_login_3 +go + +drop login babel_5690_login_2 +go + +drop login babel_5690_login_1 +go + 
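Review bot: The cleanup file drops the objects inside babel_5690_db_1 but never drops that database, nor babel_5690_db_2 and the server-level logins babel_5690_login_4, babel_5690_login_5 and babel_5690_login_6 that sys_database_permissions-vu-prepare.mix creates, so each run leaves two databases and three fixed-password logins behind for later tests to trip over. Because the script is still in `use babel_5690_db_1` when it reaches the drop statements, the current database cannot be dropped in place; switching to master first and then dropping both databases and the remaining logins completes the teardown. The db_owner test in this same change terminates active sessions before dropping logins, and the same may be needed here if a verify session is still attached — worth confirming against the harness.
```sql
-- … unchanged: existing drops of objects, users and logins 1-3 …
use master
go

drop database babel_5690_db_1
go

drop database babel_5690_db_2
go

drop login babel_5690_login_4
go

drop login babel_5690_login_5
go

drop login babel_5690_login_6
go
```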
diff --git a/test/JDBC/input/views/sys_database_permissions-vu-prepare.mix b/test/JDBC/input/views/sys_database_permissions-vu-prepare.mix
new file mode 100644
index 00000000000..7940aeebe4b
--- /dev/null
+++ b/test/JDBC/input/views/sys_database_permissions-vu-prepare.mix
@@ -0,0 +1,106 @@ +-- tsql +create login babel_5690_login_1 with password = '123'; +go + +create login babel_5690_login_2 with password = '123'; +go + +create login babel_5690_login_3 with password = '123'; +go + +create database babel_5690_db_1; +go + +use babel_5690_db_1; +go + +create user babel_5690_user_1 for login babel_5690_login_1; +go + +create user babel_5690_user_2 for login babel_5690_login_2; +go + +create user babel_5690_user_3 for login babel_5690_login_3; +go + +CREATE VIEW babel_5690_db_permissions_view AS +SELECT + dp.class_desc, + dp.major_id, + sys.USER_NAME(dp.grantee_principal_id) AS grantee_name, + sys.USER_NAME(dp.grantor_principal_id) AS grantor_name, + dp.permission_name, + dp.state_desc +FROM + sys.database_permissions dp; +GO +GRANT SELECT ON dbo.babel_5690_db_permissions_view TO PUBLIC; +GO + +create schema sch1; +go + +create schema sch2 authorization babel_5690_user_1; +go + +create table sch1.t1(c int); +go + +create table sch2.t2(c int); +go + +create table babel_5690_table_1(column_1 int); +go + +create view babel_5690_view_1 as select * from babel_5690_table_1; +go + +create procedure babel_5690_procedure_1 as begin select * from babel_5690_table_1 end; +go + +create function babel_5690_function_1() returns int as begin return 0; end; +go + +create login babel_5690_login_4 with password = '123'; +go + +create login babel_5690_login_5 with password = '123'; +go + +create login babel_5690_login_6 with password = '123'; +go + +create database babel_5690_db_2; +go + +use babel_5690_db_2; +go + +create user babel_5690_user_4 for login babel_5690_login_4; +go + +create user babel_5690_user_5 for login babel_5690_login_5; +go + +create user babel_5690_user_6 for login babel_5690_login_6; +go + +create table babel_5690_table_2(column_1 int); +go + +create function babel_5690_function_2() returns int as begin return 0; end; +go + +CREATE VIEW babel_5690_db_permissions_view AS +SELECT + dp.class_desc, + dp.major_id, + 
sys.USER_NAME(dp.grantee_principal_id) AS grantee_name, + sys.USER_NAME(dp.grantor_principal_id) AS grantor_name, + dp.permission_name, + dp.state_desc +FROM + sys.database_permissions dp; +GO +GRANT SELECT ON dbo.babel_5690_db_permissions_view TO PUBLIC; +GO \ No newline at end of file diff --git a/test/JDBC/input/views/sys_database_permissions-vu-verify.mix b/test/JDBC/input/views/sys_database_permissions-vu-verify.mix new file mode 100644 index 00000000000..cad7ddfc116 --- /dev/null +++ b/test/JDBC/input/views/sys_database_permissions-vu-verify.mix 
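Review bot: `babel_5690_db_permissions_view` projects only class_desc, major_id, the resolved grantee/grantor names, permission_name and state_desc, and the verify file reads sys.database_permissions solely through this wrapper, so the underlying view's `class`, `minor_id`, `type` and `state` columns are never covered by the expected output; adding `dp.type,` and `dp.state,` to the select list, or a comment stating that the narrower projection is deliberate, would close that gap. The identical view definition is repeated for babel_5690_db_2 without saying why a second copy exists, although the verify file's last section relies on it to show per-database scoping; a one-line `-- same wrapper as in babel_5690_db_1, used to confirm the view only exposes the current database` above the second CREATE VIEW would make that intent visible.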
@@ -0,0 +1,849 @@ +-- tsql +-- reset the login password +ALTER LOGIN babel_5690_login_1 WITH PASSWORD = '123'; +GO + +-- reset the login password +ALTER LOGIN babel_5690_login_2 WITH PASSWORD = '123'; +GO + +-- reset the login password +ALTER LOGIN babel_5690_login_3 WITH PASSWORD = '123'; +GO + +use babel_5690_db_1; +go + +-- By default there will be connect permission for all users and there will be select permission on the view whose grantee = public +select * from dbo.babel_5690_db_permissions_view; +go + +-- Perform GRANT/REVOKE CONNECT permission by dbo +revoke connect from babel_5690_user_1; +go + +-- Connect permission is revoked from babel_5690_user_1 +select * from dbo.babel_5690_db_permissions_view; +go + +grant connect to babel_5690_user_1; +go + +-- Connect permission is granted to babel_5690_user_1 by dbo, grantor = dbo +select * from dbo.babel_5690_db_permissions_view; +go + +-- Perform GRANT/REVOKE CONNECT permission by securityadmin +alter role securityadmin add member babel_5690_login_1; +go + +-- tsql user=babel_5690_login_1 password='123' +use babel_5690_db_1; +go + +revoke connect from babel_5690_user_2; +go + +-- tsql +use babel_5690_db_1; +go + +-- Connect permission is revoked from babel_5690_user_2 +select * from dbo.babel_5690_db_permissions_view; +go + +-- tsql user=babel_5690_login_1 password='123' +use babel_5690_db_1; +go + +grant connect to babel_5690_user_2; +go + +alter role securityadmin drop member babel_5690_login_1; +go + +-- tsql +use babel_5690_db_1; +go + +-- Connect permission is granted to babel_5690_user_1 by securityadmin login, grantor = dbo +select * from dbo.babel_5690_db_permissions_view; +go + +-- Grant permission on a schema when schema owner is not set by dbo, Grantor = dbo +grant execute on schema::sch1 to babel_5690_user_2; +go + +-- Grant permission on a schema when schema owner is set by dbo, Grantor = schema owner (user1) +grant execute on schema::sch2 to babel_5690_user_2; +go + +-- schema1 grantor - dbo, 
schema2 grantor = schema owner (user1) +select * from dbo.babel_5690_db_permissions_view; +go + +-- Revoke back the permissions +revoke execute on schema::sch1 to babel_5690_user_2; +revoke execute on schema::sch2 to babel_5690_user_2; +go + +alter role db_owner add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_owner, Grantor = dbo +grant execute on schema::sch1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_owner, Grantor = schema owner (user1) +grant execute on schema::sch2 to babel_5690_user_3; +go + +-- schema1 grantor - dbo, schema2 grantor = schema owner (user1) +select * from dbo.babel_5690_db_permissions_view; +go + +-- Revoke back the permissions +revoke execute on schema::sch1 to babel_5690_user_3; +revoke execute on schema::sch2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_owner drop member babel_5690_user_2; +go + +alter role db_securityadmin add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_securityadmin, Grantor = dbo +grant execute on schema::sch1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_securityadmin, Grantor = schema owner (user1) +grant execute on schema::sch2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +-- schema1 grantor - dbo, schema2 grantor = schema owner (user1) +select * from dbo.babel_5690_db_permissions_view; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Revoke back the permissions +revoke execute on schema::sch1 to babel_5690_user_3; +revoke execute on schema::sch2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_securityadmin drop member babel_5690_user_2; +go + 
+alter role db_ddladmin add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_ddladmin, negative test - permission denied +grant execute on schema::sch1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_ddladmin, negative test - permission denied +grant execute on schema::sch2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_ddladmin drop member babel_5690_user_2; +go + +alter role db_accessadmin add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_accessadmin, negative test - permission denied +grant execute on schema::sch1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_accessadmin, negative test - permission denied +grant execute on schema::sch2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_accessadmin drop member babel_5690_user_2; +go + +alter role db_datawriter add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_datawriter, negative test - permission denied +grant execute on schema::sch1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_datawriter, negative test - permission denied +grant execute on schema::sch2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_datawriter drop member babel_5690_user_2; +go + +alter role db_datareader add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_datareader, negative test - permission denied +grant 
execute on schema::sch1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_datareader, negative test - permission denied +grant execute on schema::sch2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_datareader drop member babel_5690_user_2; +go + +-- Negative Test i.e. Grant with option on schema is not supported in Babelfish yet +grant select on schema::sch1 to babel_5690_user_3 with grant option; +go + +grant select on schema::sch2 to babel_5690_user_3 with grant option; +go + +-- Grant permission on a schema objects when schema owner is not set by dbo, Grantor = dbo +grant select on sch1.t1 to babel_5690_user_2; +go + +-- Grant permission on a schema objects when schema owner is set by dbo, Grantor = dbo +grant select on sch2.t2 to babel_5690_user_2; +go + +-- schema1 grantor - dbo, schema2 grantor = schema owner +select * from dbo.babel_5690_db_permissions_view; +go + +-- Revoke back the permissions +revoke select on sch1.t1 to babel_5690_user_2; +revoke select on sch2.t2 to babel_5690_user_2; +go + +alter role db_owner add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_owner, Grantor = dbo +grant select on sch1.t1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_owner, Grantor = schema owner (user1) +grant select on sch2.t2 to babel_5690_user_3; +go + +-- schema1 grantor - dbo, schema2 grantor = schema owner (user1) +select * from dbo.babel_5690_db_permissions_view; +go + +-- Revoke back the permissions +revoke select on sch1.t1 to babel_5690_user_3; +revoke select on sch2.t2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_owner drop member babel_5690_user_2; +go + +alter role db_securityadmin add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use 
babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_securityadmin, Grantor = dbo +grant select on sch1.t1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_securityadmin, Grantor = schema owner (user1) +grant select on sch2.t2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +-- schema1 grantor - dbo, schema2 grantor = schema owner (user1) +select * from dbo.babel_5690_db_permissions_view; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Revoke back the permissions +revoke select on sch1.t1 to babel_5690_user_3; +revoke select on sch2.t2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_securityadmin drop member babel_5690_user_2; +go + +alter role db_accessadmin add member babel_5690_user_2; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Grant permission on a schema when schema owner is not set by db_accessadmin, Grantor = dbo +grant select on sch1.t1 to babel_5690_user_3; +go + +-- Grant permission on a schema when schema owner is set by db_accessadmin, Grantor = schema owner (user1) +grant select on sch2.t2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_accessadmin drop member babel_5690_user_2; +go + +grant delete on sch1.t1 to babel_5690_user_2 with grant option; +go + +grant delete on sch2.t2 to babel_5690_user_2 with grant option; +go + +-- schema1 grantor - dbo, schema2 grantor = schema owner (user1) +select * from dbo.babel_5690_db_permissions_view; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +grant delete on sch1.t1 to babel_5690_user_3; +go + +grant delete on sch2.t2 to babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +select * from dbo.babel_5690_db_permissions_view; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +-- Revoke the 
permissions +revoke delete on sch1.t1 from babel_5690_user_3; +revoke delete on sch2.t2 from babel_5690_user_3; +go + +-- tsql +use babel_5690_db_1; +go + +revoke delete on sch1.t1 to babel_5690_user_2; +go + +revoke delete on sch2.t2 to babel_5690_user_2; +go + +-- Grant permissions to objects via dbo +grant select on babel_5690_table_1 to babel_5690_user_2; +go + +grant select on babel_5690_view_1 to babel_5690_user_2; +go + +grant execute on babel_5690_procedure_1 to babel_5690_user_2; +go + +grant execute on babel_5690_function_1 to babel_5690_user_2; +go + +-- Grantor = dbo +select * from dbo.babel_5690_db_permissions_view; +go + +-- Revoke the permissions +revoke select on babel_5690_table_1 to babel_5690_user_2; +revoke select on babel_5690_view_1 to babel_5690_user_2; +revoke execute on babel_5690_procedure_1 to babel_5690_user_2; +revoke execute on babel_5690_function_1 to babel_5690_user_2; +go + +alter role db_owner add member babel_5690_user_1; +go + +-- tsql user=babel_5690_login_1 password='123' +use babel_5690_db_1; +go + +-- Grant permissions to objects via db_owner +grant select on babel_5690_table_1 to babel_5690_user_2; +go + +grant select on babel_5690_view_1 to babel_5690_user_2; +go + +grant execute on babel_5690_procedure_1 to babel_5690_user_2; +go + +grant execute on babel_5690_function_1 to babel_5690_user_2; +go + +-- Grantor = dbo +select * from dbo.babel_5690_db_permissions_view; +go + +-- Revoke the permissions +revoke select on babel_5690_table_1 to babel_5690_user_2; +revoke select on babel_5690_view_1 to babel_5690_user_2; +revoke execute on babel_5690_procedure_1 to babel_5690_user_2; +revoke execute on babel_5690_function_1 to babel_5690_user_2; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_owner drop member babel_5690_user_1; +go + +alter role db_securityadmin add member babel_5690_user_1; +go + +-- tsql user=babel_5690_login_1 password='123' +use babel_5690_db_1; +go + +-- Grant permissions to objects via 
db_securityadmin +grant select on babel_5690_table_1 to babel_5690_user_2; +go + +grant select on babel_5690_view_1 to babel_5690_user_2; +go + +grant execute on babel_5690_procedure_1 to babel_5690_user_2; +go + +grant execute on babel_5690_function_1 to babel_5690_user_2; +go + +-- tsql +use babel_5690_db_1; +go + +-- Grantor = dbo +select * from dbo.babel_5690_db_permissions_view; +go + +-- tsql user=babel_5690_login_1 password='123' +use babel_5690_db_1; +go + +-- Revoke the permissions +revoke select on babel_5690_table_1 to babel_5690_user_2; +revoke select on babel_5690_view_1 to babel_5690_user_2; +revoke execute on babel_5690_procedure_1 to babel_5690_user_2; +revoke execute on babel_5690_function_1 to babel_5690_user_2; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_securityadmin drop member babel_5690_user_1; +go + +alter role db_accessadmin add member babel_5690_user_1; +go + +-- tsql user=babel_5690_login_1 password='123' +use babel_5690_db_1; +go + +-- Grant permissions to objects via db_accessadmin +grant select on babel_5690_table_1 to babel_5690_user_2; +go + +grant select on babel_5690_view_1 to babel_5690_user_2; +go + +grant execute on babel_5690_procedure_1 to babel_5690_user_2; +go + +grant execute on babel_5690_function_1 to babel_5690_user_2; +go + +-- tsql +use babel_5690_db_1; +go + +alter role db_accessadmin drop member babel_5690_user_1; +go + +-- Grant permission with grant option +grant select on babel_5690_table_1 to babel_5690_user_2 with grant option; +go + +grant select on babel_5690_view_1 to babel_5690_user_2 with grant option; +go + +grant execute on babel_5690_procedure_1 to babel_5690_user_2 with grant option; +go + +grant execute on babel_5690_function_1 to babel_5690_user_2 with grant option; +go + +-- Grantor = dbo +select * from dbo.babel_5690_db_permissions_view; +go + +-- tsql user=babel_5690_login_2 password='123' +use babel_5690_db_1; +go + +grant select on babel_5690_table_1 to babel_5690_user_3 with grant 
option;
+go
+
+grant select on babel_5690_view_1 to babel_5690_user_3;
+go
+
+grant execute on babel_5690_procedure_1 to babel_5690_user_3;
+go
+
+grant execute on babel_5690_function_1 to babel_5690_user_3;
+go
+
+-- Grantor = user2
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- Revoke the permissions
+revoke select on babel_5690_table_1 to babel_5690_user_3;
+revoke select on babel_5690_view_1 to babel_5690_user_3;
+revoke execute on babel_5690_procedure_1 to babel_5690_user_3;
+revoke execute on babel_5690_function_1 to babel_5690_user_3;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+-- Revoke the permissions
+revoke select on babel_5690_table_1 to babel_5690_user_2;
+revoke select on babel_5690_view_1 to babel_5690_user_2;
+revoke execute on babel_5690_procedure_1 to babel_5690_user_2;
+revoke execute on babel_5690_function_1 to babel_5690_user_2;
+go
+
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- Grant a few permissions
+grant select on babel_5690_table_1 to babel_5690_user_1 with grant option;
+go
+
+grant select on babel_5690_view_1 to babel_5690_user_2 with grant option;
+go
+
+grant execute on babel_5690_procedure_1 to babel_5690_user_3 with grant option;
+go
+
+grant execute on babel_5690_function_1 to babel_5690_user_2 with grant option;
+go
+
+grant select on sch1.t1 to babel_5690_user_2;
+go
+
+grant select on sch2.t2 to babel_5690_user_3;
+go
+
+grant execute on schema::sch1 to babel_5690_user_2;
+go
+
+grant execute on schema::sch2 to babel_5690_user_2;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+grant execute on babel_5690_function_1 to babel_5690_user_3;
+go
+
+-- tsql user=babel_5690_login_3 password='123'
+use babel_5690_db_1;
+go
+
+grant execute on babel_5690_procedure_1 to babel_5690_user_2;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+-- All permissions are visible
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- Permissions where user2 is grantor/grantee are only visible
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+alter role db_owner add member babel_5690_user_2;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- All permissions are visible to db_owner
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+alter role db_owner drop member babel_5690_user_2;
+go
+
+alter role db_ddladmin add member babel_5690_user_2;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- Permissions where user2 is grantor/grantee are only visible when user 2 is db_ddladmin
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+alter role db_ddladmin drop member babel_5690_user_2;
+go
+
+alter role db_securityadmin add member babel_5690_user_2;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- All permissions are visible to db_securityadmin
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+alter role db_securityadmin drop member babel_5690_user_2;
+go
+
+alter role db_datawriter add member babel_5690_user_2;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- Permissions where user2 is grantor/grantee are only visible when user 2 is db_datawriter
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+alter role db_datawriter drop member babel_5690_user_2;
+go
+
+alter role db_accessadmin add member babel_5690_user_2;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- All permissions are visible to db_accessadmin
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+alter role db_accessadmin drop member babel_5690_user_2;
+go
+
+alter role db_datareader add member babel_5690_user_2;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- Permissions where user2 is grantor/grantee are only visible when user 2 is db_datareader
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+alter role db_datareader drop member babel_5690_user_2;
+go
+
+-- Revoke the permissions
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+revoke execute on babel_5690_function_1 from babel_5690_user_3;
+go
+
+-- tsql user=babel_5690_login_3 password='123'
+use babel_5690_db_1;
+go
+
+revoke execute on babel_5690_procedure_1 from babel_5690_user_2;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+revoke select on babel_5690_table_1 from babel_5690_user_1;
+revoke select on babel_5690_view_1 from babel_5690_user_2;
+revoke execute on babel_5690_procedure_1 from babel_5690_user_3;
+revoke execute on babel_5690_function_1 from babel_5690_user_2;
+revoke select on sch1.t1 from babel_5690_user_2;
+revoke select on sch2.t2 from babel_5690_user_3;
+revoke execute on schema::sch1 from babel_5690_user_2;
+revoke execute on schema::sch2 from babel_5690_user_2;
+
+-- Grant Permissions to public
+grant select on babel_5690_table_1 to public;
+grant execute on babel_5690_procedure_1 to public;
+go
+
+-- Grant Permissions to guest
+grant select on babel_5690_table_1 to guest;
+grant execute on babel_5690_procedure_1 to guest;
+go
+
+-- tsql user=babel_5690_login_2 password='123'
+use babel_5690_db_1;
+go
+
+-- Permissions granted to public are visible to all the users, while permissions granted to guest are not
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_1;
+go
+
+-- Revoke Permissions
+revoke select on babel_5690_table_1 to public;
+revoke execute on babel_5690_procedure_1 to public;
+revoke select on babel_5690_table_1 to guest;
+revoke execute on babel_5690_procedure_1 to guest;
+go
+
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- tsql
+use babel_5690_db_2;
+go
+
+-- Grant a few permissions
+grant select on babel_5690_table_2 to babel_5690_user_4;
+grant execute on babel_5690_function_2 to babel_5690_user_4;
+go
+
+-- Switching over to a new database, we can only view the permissions existing in that database
+select * from dbo.babel_5690_db_permissions_view;
+go
+
+-- Revoke the permissions
+revoke select on babel_5690_table_2 from babel_5690_user_4;
+revoke execute on babel_5690_function_2 from babel_5690_user_4;
+go
+
+select * from dbo.babel_5690_db_permissions_view;
+go
\ No newline at end of file
diff --git a/test/JDBC/jdbc_schedule b/test/JDBC/jdbc_schedule
index c672f778632..bd113292e06 100644
--- a/test/JDBC/jdbc_schedule
+++ b/test/JDBC/jdbc_schedule
@@ -595,3 +595,9 @@ ignore#!#money_aggregate-before-17_5-or-16_9-vu-cleanup
 ignore#!#money_aggregate-before-17_6-or-16_10-vu-prepare
 ignore#!#money_aggregate-before-17_6-or-16_10-vu-verify
 ignore#!#money_aggregate-before-17_6-or-16_10-vu-cleanup
+ignore#!#1_GRANT_SCHEMA-before-17_6-vu-prepare
+ignore#!#1_GRANT_SCHEMA-before-17_6-vu-verify
+ignore#!#1_GRANT_SCHEMA-before-17_6-vu-cleanup
+ignore#!#db_owner-before-17_6-vu-prepare
+ignore#!#db_owner-before-17_6-vu-verify
+ignore#!#db_owner-before-17_6-vu-cleanup
diff --git a/test/JDBC/upgrade/15_7/schedule b/test/JDBC/upgrade/15_7/schedule
index 80aaf874e39..240a0c5617f 100644
--- a/test/JDBC/upgrade/15_7/schedule
+++ b/test/JDBC/upgrade/15_7/schedule
@@ -515,7 +515,7 @@ babel-4475_before_16_5
 babel-4517
 alter-procedure-before-15_8-or-16_4
 babel_table_type
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 trim-before-15_8-or-16_4
diff --git a/test/JDBC/upgrade/16_10/schedule b/test/JDBC/upgrade/16_10/schedule
index 401e413257d..4e53e4325f0 100644
--- a/test/JDBC/upgrade/16_10/schedule
+++ b/test/JDBC/upgrade/16_10/schedule
@@ -534,7 +534,7 @@ babel-4517
 babel_table_type
 alter-procedure
 alter-function
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 upper_lower
@@ -599,7 +599,7 @@ test_conv_string_to_datetime2-before-17_4
 test_conv_string_to_datetimeoffset-before-17_4
 test_conv_string_to_smalldatetime
 test_conv_string_to_time-before-17_4
-db_owner
+db_owner-before-17_6
 BABEL-5031
 test_conv_money_to_varchar
 fixeddecimal_modulo
diff --git a/test/JDBC/upgrade/16_3/schedule b/test/JDBC/upgrade/16_3/schedule
index 1480bfc8a6c..78449b097f1 100644
--- a/test/JDBC/upgrade/16_3/schedule
+++ b/test/JDBC/upgrade/16_3/schedule
@@ -522,7 +522,7 @@ babel-3254
 babel-4517
 babel_table_type
 alter-procedure-before-15_8-or-16_4
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 BABEL-4641-before-16_5-or-15_9
diff --git a/test/JDBC/upgrade/16_4/schedule b/test/JDBC/upgrade/16_4/schedule
index bc60e4a9e93..102b4001ccd 100644
--- a/test/JDBC/upgrade/16_4/schedule
+++ b/test/JDBC/upgrade/16_4/schedule
@@ -528,7 +528,7 @@ babel-3254
 babel-4517
 babel_table_type
 alter-procedure-15_8-or-16_4
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 upper_lower
diff --git a/test/JDBC/upgrade/16_8/schedule b/test/JDBC/upgrade/16_8/schedule
index 98de9572d77..411922561a4 100644
--- a/test/JDBC/upgrade/16_8/schedule
+++ b/test/JDBC/upgrade/16_8/schedule
@@ -533,7 +533,7 @@ babel-4517
 babel_table_type
 alter-procedure
 alter-function
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 upper_lower
@@ -598,7 +598,7 @@ test_conv_string_to_datetime2-before-17_4
 test_conv_string_to_datetimeoffset-before-17_4
 test_conv_string_to_smalldatetime
 test_conv_string_to_time-before-17_4
-db_owner
+db_owner-before-17_6
 BABEL-5031
 test_conv_money_to_varchar
 fixeddecimal_modulo
diff --git a/test/JDBC/upgrade/16_9/schedule b/test/JDBC/upgrade/16_9/schedule
index 648ed276d36..99143b7f46b 100644
--- a/test/JDBC/upgrade/16_9/schedule
+++ b/test/JDBC/upgrade/16_9/schedule
@@ -534,7 +534,7 @@ babel-4517
 babel_table_type
 alter-procedure
 alter-function
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 upper_lower
@@ -599,7 +599,7 @@ test_conv_string_to_datetime2-before-17_4
 test_conv_string_to_datetimeoffset-before-17_4
 test_conv_string_to_smalldatetime
 test_conv_string_to_time-before-17_4
-db_owner
+db_owner-before-17_6
 BABEL-5031
 test_conv_money_to_varchar
 fixeddecimal_modulo
diff --git a/test/JDBC/upgrade/17_4/schedule b/test/JDBC/upgrade/17_4/schedule
index f30426908a2..7ce112adb9f 100644
--- a/test/JDBC/upgrade/17_4/schedule
+++ b/test/JDBC/upgrade/17_4/schedule
@@ -529,7 +529,7 @@ babel-4517
 babel_table_type
 alter-procedure
 alter-function
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 upper_lower
@@ -593,7 +593,7 @@ BABEL-5186
 BABEL-2736
 cast_nvarchar_test
 datareader_datawriter
-db_owner
+db_owner-before-17_6
 smalldatetime_date_cmp
 BABEL-2961
 BABEL-5031
diff --git a/test/JDBC/upgrade/17_5/schedule b/test/JDBC/upgrade/17_5/schedule
index c140f499074..f4696edfe91 100644
--- a/test/JDBC/upgrade/17_5/schedule
+++ b/test/JDBC/upgrade/17_5/schedule
@@ -533,7 +533,7 @@ babel-4517
 babel_table_type
 alter-procedure
 alter-function
-1_GRANT_SCHEMA
+1_GRANT_SCHEMA-before-17_6
 BABEL-4707
 BABEL_4817
 upper_lower
@@ -597,7 +597,7 @@ BABEL-5186
 BABEL-2736
 cast_nvarchar_test
 datareader_datawriter
-db_owner
+db_owner-before-17_6
 smalldatetime_date_cmp
 BABEL-2961
 BABEL-5031