From dbe2d0230af6856f8145fea9d9218ff87dc7cc16 Mon Sep 17 00:00:00 2001 From: shalinilohia50 <46928246+shalinilohia50@users.noreply.github.com> Date: Wed, 22 Nov 2023 10:27:15 +0530 Subject: [PATCH] Revert "Fix bugs for GRANT/REVOKE on SCHEMA (#2031)" (#2051) This reverts commit dd23da9b3ada6d662a0246bcbb48e2b3dcaaae37. Co-authored-by: Shalini Lohia --- contrib/babelfishpg_tsql/sql/ownership.sql | 10 +- .../babelfishpg_tsql--3.3.0--3.4.0.sql | 10 +- contrib/babelfishpg_tsql/src/catalog.c | 193 +++++--------- contrib/babelfishpg_tsql/src/catalog.h | 2 - contrib/babelfishpg_tsql/src/pl_exec-2.c | 48 ++-- contrib/babelfishpg_tsql/src/pl_handler.c | 82 +++--- contrib/babelfishpg_tsql/src/pltsql_utils.c | 5 +- contrib/babelfishpg_tsql/src/tsqlIface.cpp | 20 -- .../src/tsqlUnsupportedFeatureHandler.cpp | 8 +- test/JDBC/expected/BABEL-GRANT.out | 34 +-- test/JDBC/expected/GRANT_SCHEMA.out | 236 +----------------- test/JDBC/input/BABEL-GRANT.sql | 18 +- test/JDBC/input/GRANT_SCHEMA.mix | 157 +----------- .../expected_create.out | 1 + 14 files changed, 143 insertions(+), 681 deletions(-) diff --git a/contrib/babelfishpg_tsql/sql/ownership.sql b/contrib/babelfishpg_tsql/sql/ownership.sql index 43aa25e5758..e8b1961f515 100644 --- a/contrib/babelfishpg_tsql/sql/ownership.sql +++ b/contrib/babelfishpg_tsql/sql/ownership.sql @@ -17,11 +17,11 @@ GRANT SELECT on sys.babelfish_sysdatabases TO PUBLIC; -- BABELFISH_SCHEMA_PERMISSIONS CREATE TABLE sys.babelfish_schema_permissions ( dbid smallint NOT NULL, - schema_name NAME NOT NULL COLLATE sys.database_default, - object_name NAME NOT NULL COLLATE sys.database_default, - permission NAME NOT NULL COLLATE sys.database_default, - grantee NAME NOT NULL COLLATE sys.database_default, - object_type NAME COLLATE sys.database_default, + schema_name NAME NOT NULL, + object_name NAME NOT NULL, + permission NAME NOT NULL, + grantee NAME NOT NULL, + object_type NAME, PRIMARY KEY(dbid, schema_name, object_name, permission, grantee) ); 
diff --git a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--3.3.0--3.4.0.sql b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--3.3.0--3.4.0.sql index 448610a5d18..ec4eb5354fa 100644 --- a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--3.3.0--3.4.0.sql +++ b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--3.3.0--3.4.0.sql @@ -891,11 +891,11 @@ LANGUAGE plpgsql STABLE; -- BABELFISH_SCHEMA_PERMISSIONS CREATE TABLE IF NOT EXISTS sys.babelfish_schema_permissions ( dbid smallint NOT NULL, - schema_name NAME NOT NULL COLLATE sys.database_default, - object_name NAME NOT NULL COLLATE sys.database_default, - permission NAME NOT NULL COLLATE sys.database_default, - grantee NAME NOT NULL COLLATE sys.database_default, - object_type NAME COLLATE sys.database_default, + schema_name NAME NOT NULL, + object_name NAME NOT NULL, + permission NAME NOT NULL, + grantee NAME NOT NULL, + object_type NAME, PRIMARY KEY(dbid, schema_name, object_name, permission, grantee) ); diff --git a/contrib/babelfishpg_tsql/src/catalog.c b/contrib/babelfishpg_tsql/src/catalog.c index 11ae5bf1bcc..3229fdecd81 100644 --- a/contrib/babelfishpg_tsql/src/catalog.c +++ b/contrib/babelfishpg_tsql/src/catalog.c @@ -2817,10 +2817,6 @@ add_entry_to_bbf_schema(const char *schema_name, bool new_record_nulls_bbf_schema[BBF_SCHEMA_PERMS_NUM_OF_COLS]; int16 dbid = get_cur_db_id(); - /* Immediately return, if grantee is NULL or PUBLIC. */ - if ((grantee == NULL) || (strcmp(grantee, "public") == 0)) - return; - /* Fetch the relation */ bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), RowExclusiveLock); 
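Review bot: Because this upgrade script uses `CREATE TABLE IF NOT EXISTS`, a database that already created sys.babelfish_schema_permissions with the `COLLATE sys.database_default` columns from the reverted change keeps those columns, while a fresh install gets the uncollated ones. If the reverted definition reached any build, the two populations would compare schema, object and grantee names under different rules in the same permission catalog. Consider stating in a comment which definition is authoritative, or adding an explicit `ALTER TABLE` step for tables that already exist.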
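Review bot: With the NULL/"public" guard removed, add_entry_to_bbf_schema depends on every caller to pass a non-NULL grantee. The same guard is dropped from check_bbf_schema_for_entry and del_from_bbf_schema in the later hunks, where grantee goes straight into `CStringGetDatum(grantee)` as a scan key. The pl_handler.c call sites add `rol_spec->rolename != NULL`, but the exec_stmt_grantschema call sites pass rolname without a NULL test. State the precondition at the top of each function, e.g. `Assert(grantee != NULL); /* callers must filter PUBLIC and unnamed grantees */`. The body of add_entry_to_bbf_schema continues outside this hunk.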
@@ -2863,65 +2859,45 @@ check_bbf_schema_for_entry(const char *schema_name, { Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; - ScanKeyData scanKey[5]; - SysScanDesc scan; + ScanKeyData key[5]; + TableScanDesc scan; bool catalog_entry_exists = false; int16 dbid = get_cur_db_id(); - /* Immediately return false, if grantee is NULL or PUBLIC. */ - if ((grantee == NULL) || (strcmp(grantee, "public") == 0)) - return false; - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), AccessShareLock); - ScanKeyInit(&scanKey[0], + ScanKeyInit(&key[0], Anum_bbf_schema_perms_dbid, BTEqualStrategyNumber, F_INT2EQ, Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, + ScanKeyInit(&key[1], Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, + ScanKeyInit(&key[2], Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(object_name)); - ScanKeyEntryInitialize(&scanKey[3], 0, + ScanKeyInit(&key[3], Anum_bbf_schema_perms_permission, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(permission)); - ScanKeyEntryInitialize(&scanKey[4], 0, + ScanKeyInit(&key[4], Anum_bbf_schema_perms_grantee, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(grantee)); - scan = systable_beginscan(bbf_schema_rel, - get_bbf_schema_perms_idx_oid(), - true, NULL, 5, scanKey); - tuple_bbf_schema = systable_getnext(scan); + scan = table_beginscan_catalog(bbf_schema_rel, 5, key); + + tuple_bbf_schema = heap_getnext(scan, ForwardScanDirection); if (HeapTupleIsValid(tuple_bbf_schema)) 
catalog_entry_exists = true; - systable_endscan(scan); + table_endscan(scan); table_close(bbf_schema_rel, AccessShareLock); return catalog_entry_exists; } -/* - * Checks if a particular schema has any SCHEMA level permission granted to any user. - */ bool check_bbf_schema_for_schema(const char *schema_name, const char *object_name, @@ -2930,7 +2906,7 @@ check_bbf_schema_for_schema(const char *schema_name, Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; ScanKeyData key[4]; - SysScanDesc scan; + TableScanDesc scan; bool catalog_entry_exists = false; int16 dbid = get_cur_db_id(); @@ -2940,37 +2916,26 @@ check_bbf_schema_for_schema(const char *schema_name, Anum_bbf_schema_perms_dbid, BTEqualStrategyNumber, F_INT2EQ, Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&key[1], 0, + ScanKeyInit(&key[1], Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(schema_name)); - ScanKeyEntryInitialize(&key[2], 0, + ScanKeyInit(&key[2], Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(object_name)); - ScanKeyEntryInitialize(&key[3], 0, + ScanKeyInit(&key[3], Anum_bbf_schema_perms_permission, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(permission)); - scan = systable_beginscan(bbf_schema_rel, - get_bbf_schema_perms_idx_oid(), - true, NULL, 4, key); + scan = table_beginscan_catalog(bbf_schema_rel, 4, key); - tuple_bbf_schema = systable_getnext(scan); + tuple_bbf_schema = heap_getnext(scan, ForwardScanDirection); if (HeapTupleIsValid(tuple_bbf_schema)) catalog_entry_exists = true; - systable_endscan(scan); + table_endscan(scan); table_close(bbf_schema_rel, AccessShareLock); return catalog_entry_exists; } 
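Review bot: The lookup in check_bbf_schema_for_entry now matches schema, object, permission and grantee names with plain `ScanKeyInit(..., F_NAMEEQ, ...)`, which compares byte-for-byte, so a name supplied in a different case from the stored row is treated as absent. On the REVOKE paths the callers delete the catalog row only when this function returns true, so a case mismatch would leave a stale permission entry behind; whether every caller normalises case is not visible here. The scan also moves from the primary-key index to `table_beginscan_catalog`, a sequential heap scan on every GRANT/REVOKE. The same applies to check_bbf_schema_for_schema, del_from_bbf_schema and grant_perms_to_objects_in_schema. At minimum document it: `/* Names are matched byte-for-byte; callers must pass identifiers exactly as stored. */`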
@@ -2983,59 +2948,44 @@ del_from_bbf_schema(const char *schema_name, { Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; - ScanKeyData scanKey[5]; - SysScanDesc scan; + ScanKeyData key[5]; + TableScanDesc scan; int16 dbid = get_cur_db_id(); - /* Immediately return, if grantee is NULL or PUBLIC. */ - if ((grantee == NULL) || (strcmp(grantee, "public") == 0)) - return; - bbf_schema_rel = table_open(get_bbf_schema_perms_oid(), RowExclusiveLock); - ScanKeyInit(&scanKey[0], + ScanKeyInit(&key[0], Anum_bbf_schema_perms_dbid, BTEqualStrategyNumber, F_INT2EQ, Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, + ScanKeyInit(&key[1], Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, + ScanKeyInit(&key[2], Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(object_name)); - ScanKeyEntryInitialize(&scanKey[3], 0, + ScanKeyInit(&key[3], Anum_bbf_schema_perms_permission, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(permission)); - ScanKeyEntryInitialize(&scanKey[4], 0, + ScanKeyInit(&key[4], Anum_bbf_schema_perms_grantee, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(grantee)); - scan = systable_beginscan(bbf_schema_rel, - get_bbf_schema_perms_idx_oid(), - true, NULL, 5, scanKey); - tuple_bbf_schema = systable_getnext(scan); + scan = table_beginscan_catalog(bbf_schema_rel, 5, key); + + tuple_bbf_schema = heap_getnext(scan, ForwardScanDirection); if (HeapTupleIsValid(tuple_bbf_schema)) CatalogTupleDelete(bbf_schema_rel, 
&tuple_bbf_schema->t_self); - systable_endscan(scan); + table_endscan(scan); table_close(bbf_schema_rel, RowExclusiveLock); + + CommandCounterIncrement(); } void @@ -3059,12 +3009,9 @@ clean_up_bbf_schema(const char *schema_name, Anum_bbf_schema_perms_dbid, BTEqualStrategyNumber, F_INT2EQ, Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, + ScanKeyInit(&scanKey[1], Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(schema_name)); scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), @@ -3077,19 +3024,13 @@ clean_up_bbf_schema(const char *schema_name, Anum_bbf_schema_perms_dbid, BTEqualStrategyNumber, F_INT2EQ, Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, + ScanKeyInit(&scanKey[1], Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, + ScanKeyInit(&scanKey[2], Anum_bbf_schema_perms_object_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(object_name)); scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), @@ -3107,18 +3048,12 @@ clean_up_bbf_schema(const char *schema_name, table_close(bbf_schema_rel, RowExclusiveLock); } -/* - * For all objects belonging to a schema which has OBJECT level permission, - * It grants the permission explicitly when REVOKE has been executed on that - * specific schema. - */ - void grant_perms_to_objects_in_schema(const char *schema_name, const char *permission, const char *grantee) { - SysScanDesc scan; + TableScanDesc scan; Relation bbf_schema_rel; HeapTuple tuple_bbf_schema; const char *object_name; 
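Review bot: grant_perms_to_objects_in_schema is left without a header comment although it re-issues GRANTs, a side effect a maintainer needs to see stated. Going by its call site in exec_stmt_grantschema, it runs when a schema-level permission is revoked and grants back permissions recorded for individual objects. A comment above the function such as `/* On REVOKE ... ON SCHEMA, re-grant each permission that is also recorded at object level for this grantee. */` would capture that. The function body continues in the next hunk.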
@@ -3134,31 +3069,21 @@ grant_perms_to_objects_in_schema(const char *schema_name, Anum_bbf_schema_perms_dbid, BTEqualStrategyNumber, F_INT2EQ, Int16GetDatum(dbid)); - ScanKeyEntryInitialize(&scanKey[1], 0, + ScanKeyInit(&scanKey[1], Anum_bbf_schema_perms_schema_name, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(schema_name)); - ScanKeyEntryInitialize(&scanKey[2], 0, + ScanKeyInit(&scanKey[2], Anum_bbf_schema_perms_permission, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(permission)); - ScanKeyEntryInitialize(&scanKey[3], 0, + ScanKeyInit(&scanKey[3], Anum_bbf_schema_perms_grantee, - BTEqualStrategyNumber, - InvalidOid, - tsql_get_server_collation_oid_internal(false), - F_NAMEEQ, + BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(grantee)); - scan = systable_beginscan(bbf_schema_rel, get_bbf_schema_perms_idx_oid(), - true, NULL, 4, scanKey); - tuple_bbf_schema = systable_getnext(scan); + scan = table_beginscan_catalog(bbf_schema_rel, 4, scanKey); + tuple_bbf_schema = heap_getnext(scan, ForwardScanDirection); while (HeapTupleIsValid(tuple_bbf_schema)) { @@ -3211,9 +3136,9 @@ grant_perms_to_objects_in_schema(const char *schema_name, /* make sure later steps can see the object created here */ CommandCounterIncrement(); } - tuple_bbf_schema = systable_getnext(scan); + tuple_bbf_schema = heap_getnext(scan, ForwardScanDirection); } - systable_endscan(scan); + table_endscan(scan); table_close(bbf_schema_rel, AccessShareLock); } diff --git a/contrib/babelfishpg_tsql/src/catalog.h b/contrib/babelfishpg_tsql/src/catalog.h index c3a7de00859..7b8ad195c27 100644 --- a/contrib/babelfishpg_tsql/src/catalog.h +++ b/contrib/babelfishpg_tsql/src/catalog.h 
@@ -299,8 +299,6 @@ typedef FormData_bbf_function_ext *Form_bbf_function_ext; #define Anum_bbf_schema_perms_grantee 5 #define Anum_bbf_schema_perms_object_type 6 -#define PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA "ALL" - extern Oid bbf_schema_perms_oid; extern Oid bbf_schema_perms_idx_oid; diff --git a/contrib/babelfishpg_tsql/src/pl_exec-2.c b/contrib/babelfishpg_tsql/src/pl_exec-2.c index e57c57a2e67..3b9b3a0859b 100644 --- a/contrib/babelfishpg_tsql/src/pl_exec-2.c +++ b/contrib/babelfishpg_tsql/src/pl_exec-2.c 
@@ -3683,36 +3683,32 @@ exec_stmt_grantschema(PLtsql_execstate *estate, PLtsql_stmt_grantschema *stmt) char *dbname = get_cur_db_name(); char *login = GetUserNameFromId(GetSessionUserId(), false); bool login_is_db_owner; + Oid datdba; char *rolname; char *schema_name; ListCell *lc; ListCell *lc1; Oid schemaOid; - char *user = GetUserNameFromId(GetUserId(), false); /* * If the login is not the db owner or the login is not the member of * sysadmin or login is not the schema owner, then it doesn't have the permission to GRANT/REVOKE. */ login_is_db_owner = 0 == strncmp(login, get_owner_of_db(dbname), NAMEDATALEN); + datdba = get_role_oid("sysadmin", false); schema_name = get_physical_schema_name(dbname, stmt->schema_name); - - if(schema_name) - { - schemaOid = LookupExplicitNamespace(schema_name, true); - } - else - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_SCHEMA), - errmsg("An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as \"\" or [] are not allowed. Change the alias to a valid name."))); - } + schemaOid = LookupExplicitNamespace(schema_name, true); if (!OidIsValid(schemaOid)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_SCHEMA), errmsg("schema \"%s\" does not exist", schema_name))); + + if (!is_member_of_role(GetSessionUserId(), datdba) && !login_is_db_owner && !pg_namespace_ownercheck(schemaOid, GetUserId())) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("Cannot find the schema \"%s\", because it does not exist or you do not have permission.", stmt->schema_name))); foreach(lc1, stmt->privileges) { 
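Review bot: schema_name is passed to `LookupExplicitNamespace(schema_name, true)` without a NULL test, so if get_physical_schema_name() can return NULL for a missing or empty name (the removed branch handled that case) this becomes a NULL dereference instead of an error. Put a guard before the lookup: `if (schema_name == NULL) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_SCHEMA), errmsg("schema name is missing or empty")));`. Separately, the "schema does not exist" error is raised before the privilege check, so a caller without rights sees a different message for existing and non-existing schemas. Reporting the not-found case with the same combined "does not exist or you do not have permission" text would avoid that.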
@@ -3722,27 +3718,20 @@ exec_stmt_grantschema(PLtsql_execstate *estate, PLtsql_stmt_grantschema *stmt) char *grantee_name = (char *) lfirst(lc); Oid role_oid; bool grantee_is_db_owner; - if (strcmp(grantee_name, "public") != 0) - rolname = get_physical_user_name(dbname, grantee_name); - else - rolname = pstrdup("public"); + rolname = get_physical_user_name(dbname, grantee_name); role_oid = get_role_oid(rolname, true); grantee_is_db_owner = 0 == strncmp(grantee_name, get_owner_of_db(dbname), NAMEDATALEN); - if (strcmp(grantee_name, "public") != 0 && role_oid == InvalidOid) + + if (role_oid == InvalidOid) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("Cannot find the principal '%s', because it does not exist or you do not have permission.", grantee_name))); - if ((strcmp(rolname, user) == 0) || pg_namespace_ownercheck(schemaOid, role_oid) || is_member_of_role(role_oid, get_sysadmin_oid()) || grantee_is_db_owner) + if (pg_namespace_ownercheck(schemaOid, role_oid) || is_member_of_role(role_oid, datdba) || grantee_is_db_owner) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself."))); - if (!is_member_of_role(GetSessionUserId(), get_sysadmin_oid()) && !login_is_db_owner && !pg_namespace_ownercheck(schemaOid, GetUserId())) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("Cannot find the schema \"%s\", because it does not exist or you do not have permission.", stmt->schema_name))); - parsetree_list = gen_grantschema_subcmds(schema_name, rolname, stmt->is_grant, stmt->with_grant_option, priv_name); /* Run all subcommands */ foreach(parsetree_item, parsetree_list) 
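Review bot: The error text still lists "yourself", but with `strcmp(rolname, user) == 0` gone the condition no longer compares the grantee with the current user; it rejects only schema owners, sysadmin members and the database owner. A caller who passes the earlier privilege check as schema owner is still covered through `pg_namespace_ownercheck(schemaOid, role_oid)`, but the other cases are not obviously covered. Either keep an explicit comparison (`role_oid == GetUserId()`) or drop "yourself" from the message so the check and the text agree. rolname is also no longer freed per iteration, which is harmless only if the surrounding memory context is short-lived.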
@@ -3772,22 +3761,17 @@ exec_stmt_grantschema(PLtsql_execstate *estate, PLtsql_stmt_grantschema *stmt) CommandCounterIncrement(); } /* Add entry for each grant statement. */ - if (stmt->is_grant && !check_bbf_schema_for_entry(stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, priv_name, rolname)) - add_entry_to_bbf_schema(stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, priv_name, rolname, NULL); + if (stmt->is_grant && !check_bbf_schema_for_entry(stmt->schema_name, "ALL", priv_name, rolname)) + add_entry_to_bbf_schema(stmt->schema_name, "ALL", priv_name, rolname, NULL); /* Remove entry for each revoke statement. */ - if (!stmt->is_grant && check_bbf_schema_for_entry(stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, priv_name, rolname)) + if (!stmt->is_grant && check_bbf_schema_for_entry(stmt->schema_name, "ALL", priv_name, rolname)) { /* If any object in the schema has the OBJECT level permission. Then, internally grant that permission back. */ grant_perms_to_objects_in_schema(stmt->schema_name, priv_name, rolname); - del_from_bbf_schema(stmt->schema_name, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, priv_name, rolname); + del_from_bbf_schema(stmt->schema_name, "ALL", priv_name, rolname); } - pfree(rolname); } } - pfree(user); - pfree(schema_name); - pfree(dbname); - pfree(login); return PLTSQL_RC_OK; } diff --git a/contrib/babelfishpg_tsql/src/pl_handler.c b/contrib/babelfishpg_tsql/src/pl_handler.c index e5bd330a9d3..7169c30dbef 100644 --- a/contrib/babelfishpg_tsql/src/pl_handler.c +++ b/contrib/babelfishpg_tsql/src/pl_handler.c 
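Review bot: The schema-level sentinel is now the bare literal `"ALL"`, repeated at each check/add/delete call here and in bbf_ProcessUtility. Because the catalog lookups in catalog.c match names byte-for-byte, a single mistyped or differently cased copy would silently miss the schema-level row and change what a REVOKE does. One named constant declared in catalog.h (the removed PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA served this purpose) keeps the copies in sync.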
@@ -3563,10 +3563,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, char *permissions[] = {"select", "insert", "update", "references", "delete"}; for(i = 0; i < 5; i++) { - /* - * If object permission doesn't exist already, add an entry to the catalog. - */ - if (!check_bbf_schema_for_entry(logical_schema, obj, permissions[i], rol_spec->rolename)) + if ((rol_spec->rolename != NULL) && !check_bbf_schema_for_entry(logical_schema, obj, permissions[i], rol_spec->rolename)) add_entry_to_bbf_schema(logical_schema, obj, permissions[i], rol_spec->rolename, obj_type); } } @@ -3582,15 +3579,10 @@ bbf_ProcessUtility(PlannedStmt *pstmt, char *permissions[] = {"select", "insert", "update", "references", "delete"}; for(i = 0; i < 5; i++) { - /* - * 1. If only schema permission exists, don't revoke any permission. - * 2. If only object permission exists, delete entry from the catalog and revoke permission. - * 3. If both schema and object permission exist, don't revoke any permission but delete object - * entry from the catalog. - */ - if (check_bbf_schema_for_entry(logical_schema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, permissions[i], rol_spec->rolename) && !has_schema_perms) + if ((rol_spec->rolename != NULL) && check_bbf_schema_for_entry(logical_schema, "ALL", permissions[i], rol_spec->rolename) && !has_schema_perms) has_schema_perms = true; - del_from_bbf_schema(logical_schema, obj, permissions[i], rol_spec->rolename); + if ((rol_spec->rolename != NULL) && check_bbf_schema_for_entry(logical_schema, obj, permissions[i], rol_spec->rolename)) + del_from_bbf_schema(logical_schema, obj, permissions[i], rol_spec->rolename); } if (has_schema_perms) return; 
@@ -3617,12 +3609,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, foreach(lc, grant->grantees) { RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* - * Don't add an entry, if the permission is granted on column list. - */ - if (ap->cols != NULL) - break; - if (!check_bbf_schema_for_entry(logical_schema, obj, ap->priv_name, rol_spec->rolename)) + if ((ap->cols == NULL) && (rol_spec->rolename != NULL) && !check_bbf_schema_for_entry(logical_schema, obj, ap->priv_name, rol_spec->rolename)) add_entry_to_bbf_schema(logical_schema, obj, ap->priv_name, rol_spec->rolename, obj_type); } } @@ -3635,7 +3622,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, * 1. If GRANT on schema does not exist, execute REVOKE statement and remove the catalog entry if exists. * 2. If GRANT on schema exist, only remove the entry from the catalog if exists. */ - if ((logical_schema != NULL) && !check_bbf_schema_for_entry(logical_schema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, ap->priv_name, rol_spec->rolename)) + if ((logical_schema != NULL) && (rol_spec->rolename != NULL) && !check_bbf_schema_for_entry(logical_schema, "ALL", ap->priv_name, rol_spec->rolename)) { if (prev_ProcessUtility) prev_ProcessUtility(pstmt, queryString, readOnlyTree, context, params, @@ -3644,12 +3631,8 @@ bbf_ProcessUtility(PlannedStmt *pstmt, standard_ProcessUtility(pstmt, queryString, readOnlyTree, context, params, queryEnv, dest, qc); } - /* - * Don't remove an entry, if the permission is revoked on column list. - */ - if (ap->cols != NULL) - break; - del_from_bbf_schema(logical_schema, obj, ap->priv_name, rol_spec->rolename); + if ((ap->cols == NULL) && (rol_spec->rolename != NULL) && check_bbf_schema_for_entry(logical_schema, obj, ap->priv_name, rol_spec->rolename)) + del_from_bbf_schema(logical_schema, obj, ap->priv_name, rol_spec->rolename); } } } 
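Review bot: In the REVOKE branch the added `rol_spec->rolename != NULL` test gates the call to prev_ProcessUtility/standard_ProcessUtility as well as the catalog lookup, so for a grantee without a role name (PUBLIC is normally such a RoleSpec) the REVOKE is not executed inside this block. Unless the statement is run again after the loop, which these hunks do not show, the privilege would stay in place while the command appears to succeed. Let the NULL test guard only the lookup: `if ((logical_schema != NULL) && ((rol_spec->rolename == NULL) || !check_bbf_schema_for_entry(logical_schema, "ALL", ap->priv_name, rol_spec->rolename)))`. The function branch further down (hunk at -3749) has the same condition.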
@@ -3682,28 +3665,28 @@ bbf_ProcessUtility(PlannedStmt *pstmt, logicalschema = get_logical_schema_name(schemaname, true); funcname = strVal(func); } - + /* + * Case: When ALL PRIVILEGES is revoked internally during create function. + * Check if schema entry exists in the catalog, do not revoke any permission if exists. + */ + if (pstmt->stmt_len == 0 && list_length(grant->privileges) == 0) + { + if(check_bbf_schema_for_schema(logicalschema, "ALL", "execute")) + return; + break; + } /* If ALL PRIVILEGES is granted/revoked. */ if (list_length(grant->privileges) == 0) { - /* - * Case: When ALL PRIVILEGES is revoked internally during create function. - * Check if schema entry exists in the catalog, do not revoke any permission if exists. - */ - if (pstmt->stmt_len == 0) - { - if(check_bbf_schema_for_schema(logicalschema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, "execute")) - return; - } - if (grant->is_grant) { foreach(lc, grant->grantees) { RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - if (!check_bbf_schema_for_entry(logicalschema, funcname, "execute", rol_spec->rolename)) + if ((rol_spec->rolename != NULL) && !check_bbf_schema_for_entry(logicalschema, funcname, "execute", rol_spec->rolename)) add_entry_to_bbf_schema(logicalschema, funcname, "execute", rol_spec->rolename, obj_type); } + break; } else { 
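Review bot: The early-exit block treats `pstmt->stmt_len == 0` with an empty privilege list as "ALL PRIVILEGES is revoked internally during create function", but it does not test `grant->is_grant`. In PostgreSQL a stmt_len of 0 means only "rest of the query string", not "internally generated". A GRANT ALL, or a user-issued statement that happens to carry stmt_len 0, could take the same path and be dropped by the `return` whenever a schema-level execute entry exists. Tighten the condition to `if (pstmt->stmt_len == 0 && !grant->is_grant && list_length(grant->privileges) == 0)` and say in the comment why stmt_len identifies the internal case. The enclosing function starts and ends outside the hunk.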
@@ -3711,14 +3694,15 @@ bbf_ProcessUtility(PlannedStmt *pstmt, { RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); bool has_schema_perms = false; - if (check_bbf_schema_for_entry(logicalschema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, "execute", rol_spec->rolename) && !has_schema_perms) + if ((rol_spec->rolename != NULL) && check_bbf_schema_for_entry(logicalschema, "ALL", "execute", rol_spec->rolename) && !has_schema_perms) has_schema_perms = true; - del_from_bbf_schema(logicalschema, funcname, "execute", rol_spec->rolename); + if ((rol_spec->rolename != NULL) && check_bbf_schema_for_entry(logicalschema, funcname, "execute", rol_spec->rolename)) + del_from_bbf_schema(logicalschema, funcname, "execute", rol_spec->rolename); if (has_schema_perms) return; } + break; } - break; } foreach(lc1, grant->privileges) { @@ -3736,11 +3720,9 @@ bbf_ProcessUtility(PlannedStmt *pstmt, foreach(lc, grant->grantees) { RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); - /* Add an entry to the catalog, if an entry doesn't exist already. */ - if (!check_bbf_schema_for_entry(logicalschema, funcname, ap->priv_name, rol_spec->rolename)) - { + /* Don't store a row in catalog, if permission is granted for column */ + if ((rol_spec->rolename != NULL) && !check_bbf_schema_for_entry(logicalschema, funcname, ap->priv_name, rol_spec->rolename)) add_entry_to_bbf_schema(logicalschema, funcname, ap->priv_name, rol_spec->rolename, obj_type); - } } } else 
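Review bot: `if (has_schema_perms) return;` sits inside the per-grantee loop (its header appears to be just above the hunk), so the first grantee that holds a schema-level execute entry ends bbf_ProcessUtility for the whole statement. For a REVOKE naming several grantees that would leave the later grantees' catalog rows untouched. If the REVOKE itself runs only after the `break`, it would also leave their privileges in place. Consider recording the result per grantee and deciding after the loop, and state the intended multi-grantee behaviour in a comment. The table branch in the earlier hunk at -3582 uses the same early return.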
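Review bot: The new comment `/* Don't store a row in catalog, if permission is granted for column */` does not match the condition below it, which tests only `rol_spec->rolename != NULL` and the existing-entry lookup; there is no column check in this function branch. Replace it with what the line does, e.g. `/* Record the grant unless the grantee is unnamed or the row already exists. */`.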
@@ -3749,10 +3731,10 @@ bbf_ProcessUtility(PlannedStmt *pstmt, { RoleSpec *rol_spec = (RoleSpec *) lfirst(lc); /* - * 1. If GRANT on schema does not exist, execute REVOKE statement and remove the catalog entry if exists. - * 2. If GRANT on schema exist, only remove the entry from the catalog if exists. - */ - if (!check_bbf_schema_for_entry(logicalschema, PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA, ap->priv_name, rol_spec->rolename)) + * 1. If GRANT on schema does not exist, execute REVOKE statement and remove the catalog entry if exists. + * 2. If GRANT on schema exist, only remove the entry from the catalog if exists. + */ + if ((rol_spec->rolename != NULL) && !check_bbf_schema_for_entry(logicalschema, "ALL", ap->priv_name, rol_spec->rolename)) { /* Execute REVOKE statement. */ if (prev_ProcessUtility) @@ -3762,8 +3744,8 @@ bbf_ProcessUtility(PlannedStmt *pstmt, standard_ProcessUtility(pstmt, queryString, readOnlyTree, context, params, queryEnv, dest, qc); } - /* Remove an entry from the catalog, if it exists. */ - del_from_bbf_schema(logicalschema, funcname, ap->priv_name, rol_spec->rolename); + if ((rol_spec->rolename != NULL) && check_bbf_schema_for_entry(logicalschema, funcname, ap->priv_name, rol_spec->rolename)) + del_from_bbf_schema(logicalschema, funcname, ap->priv_name, rol_spec->rolename); } } } diff --git a/contrib/babelfishpg_tsql/src/pltsql_utils.c b/contrib/babelfishpg_tsql/src/pltsql_utils.c index 457915329cb..d6fed4fec88 100644 --- a/contrib/babelfishpg_tsql/src/pltsql_utils.c +++ b/contrib/babelfishpg_tsql/src/pltsql_utils.c @@ -1036,10 +1036,7 @@ update_GrantStmt(Node *n, const char *object, const char *obj_schema, const char if (grantee && stmt->grantees) { RoleSpec *tmp = (RoleSpec *) llast(stmt->grantees); - if (strcmp(grantee, "public") == 0) - { - tmp->roletype = ROLESPEC_PUBLIC; - } + tmp->rolename = pstrdup(grantee); } } 
diff --git a/contrib/babelfishpg_tsql/src/tsqlIface.cpp b/contrib/babelfishpg_tsql/src/tsqlIface.cpp index 87e7b89d364..a366b9f7342 100644 --- a/contrib/babelfishpg_tsql/src/tsqlIface.cpp +++ b/contrib/babelfishpg_tsql/src/tsqlIface.cpp @@ -5481,11 +5481,6 @@ makeGrantdbStatement(TSqlParser::Security_statementContext *ctx) char *grantee_name = pstrdup(downcase_truncate_identifier(id_str.c_str(), id_str.length(), true)); grantee_list = lappend(grantee_list, grantee_name); } - if (prin->PUBLIC()) - { - char *grantee_name = pstrdup("public"); - grantee_list = lappend(grantee_list, grantee_name); - } } result->grantees = grantee_list; return (PLtsql_stmt *) result; @@ -5514,11 +5509,6 @@ makeGrantdbStatement(TSqlParser::Security_statementContext *ctx) char *grantee_name = pstrdup(downcase_truncate_identifier(id_str.c_str(), id_str.length(), true)); grantee_list = lappend(grantee_list, grantee_name); } - if (prin->PUBLIC()) - { - char *grantee_name = pstrdup("public"); - grantee_list = lappend(grantee_list, grantee_name); - } } result->grantees = grantee_list; return (PLtsql_stmt *) result; @@ -5549,11 +5539,6 @@ makeGrantdbStatement(TSqlParser::Security_statementContext *ctx) char *grantee_name = pstrdup(downcase_truncate_identifier(id_str.c_str(), id_str.length(), true)); grantee_list = lappend(grantee_list, grantee_name); } - if (prin->PUBLIC()) - { - char *grantee_name = pstrdup("public"); - grantee_list = lappend(grantee_list, grantee_name); - } } List *privilege_list = NIL; for (auto perm: ctx->grant_statement()->permissions()->permission()) 
@@ -5606,11 +5591,6 @@ makeGrantdbStatement(TSqlParser::Security_statementContext *ctx) char *grantee_name = pstrdup(downcase_truncate_identifier(id_str.c_str(), id_str.length(), true)); grantee_list = lappend(grantee_list, grantee_name); } - if (prin->PUBLIC()) - { - char *grantee_name = pstrdup("public"); - grantee_list = lappend(grantee_list, grantee_name); - } } List *privilege_list = NIL; for (auto perm: ctx->revoke_statement()->permissions()->permission()) diff --git a/contrib/babelfishpg_tsql/src/tsqlUnsupportedFeatureHandler.cpp b/contrib/babelfishpg_tsql/src/tsqlUnsupportedFeatureHandler.cpp index 77cb9c1b3cd..ee3cf57a8b0 100644 --- a/contrib/babelfishpg_tsql/src/tsqlUnsupportedFeatureHandler.cpp +++ b/contrib/babelfishpg_tsql/src/tsqlUnsupportedFeatureHandler.cpp @@ -1704,8 +1704,7 @@ void TsqlUnsupportedFeatureHandlerImpl::checkSupportedGrantStmt(TSqlParser::Gran continue; else { - unsupported_feature = "GRANT PERMISSION " + ::getFullText(single_perm); - std::transform(unsupported_feature.begin(), unsupported_feature.end(), unsupported_feature.begin(), ::toupper); + unsupported_feature = "GRANT PERMISSION " + perm->getText(); handle(INSTR_UNSUPPORTED_TSQL_REVOKE_STMT, unsupported_feature.c_str(), getLineAndPos(perm)); } @@ -1719,7 +1718,6 @@ void TsqlUnsupportedFeatureHandlerImpl::checkSupportedGrantStmt(TSqlParser::Gran if (obj_type && !obj_type->OBJECT()) { unsupported_feature = "GRANT ON " + obj_type->getText(); - std::transform(unsupported_feature.begin(), unsupported_feature.end(), unsupported_feature.begin(), ::toupper); handle(INSTR_UNSUPPORTED_TSQL_REVOKE_STMT, unsupported_feature.c_str(), getLineAndPos(obj_type)); } } 
@@ -1799,8 +1797,7 @@ void TsqlUnsupportedFeatureHandlerImpl::checkSupportedRevokeStmt(TSqlParser::Rev continue; else { - unsupported_feature = "REVOKE PERMISSION " + ::getFullText(single_perm); - std::transform(unsupported_feature.begin(), unsupported_feature.end(), unsupported_feature.begin(), ::toupper); + unsupported_feature = "REVOKE PERMISSION " + perm->getText(); handle(INSTR_UNSUPPORTED_TSQL_REVOKE_STMT, unsupported_feature.c_str(), getLineAndPos(perm)); } @@ -1814,7 +1811,6 @@ void TsqlUnsupportedFeatureHandlerImpl::checkSupportedRevokeStmt(TSqlParser::Rev if (obj_type && !obj_type->OBJECT()) { unsupported_feature = "REVOKE ON " + obj_type->getText(); - std::transform(unsupported_feature.begin(), unsupported_feature.end(), unsupported_feature.begin(), ::toupper); handle(INSTR_UNSUPPORTED_TSQL_REVOKE_STMT, unsupported_feature.c_str(), getLineAndPos(obj_type)); } } diff --git a/test/JDBC/expected/BABEL-GRANT.out b/test/JDBC/expected/BABEL-GRANT.out index d2d340992f0..c66ded47bc2 100644 --- a/test/JDBC/expected/BABEL-GRANT.out +++ b/test/JDBC/expected/BABEL-GRANT.out @@ -158,7 +158,7 @@ GO REVOKE SELECT ON SCHEMA::scm FROM guest; GO -GRANT showplan ON OBJECT::t1 TO guest; -- unsupported permission +GRANT SHOWPLAN ON OBJECT::t1 TO guest; -- unsupported permission GO ~~ERROR (Code: 33557097)~~ 
@@ -172,48 +172,20 @@ GO ~~ERROR (Message: 'REVOKE PERMISSION SHOWPLAN' is not currently supported in Babelfish)~~ -GRANT ALL ON SCHEMA::scm TO guest; +GRANT ALL ON SCHEMA::scm TO guest; -- unsupported class GO ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: 'GRANT ON SCHEMA' is not currently supported in Babelfish)~~ -REVOKE ALL ON SCHEMA::scm TO guest; +REVOKE ALL ON SCHEMA::scm TO guest; -- unsupported class GO ~~ERROR (Code: 33557097)~~ ~~ERROR (Message: 'REVOKE ON SCHEMA' is not currently supported in Babelfish)~~ -GRANT create table ON OBJECT::t1 TO guest; -- unsupported permission -GO -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: 'GRANT PERMISSION CREATE TABLE' is not currently supported in Babelfish)~~ - - -REVOKE create table ON OBJECT::t2 FROM alogin; -- unsupported permission -GO -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: 'REVOKE PERMISSION CREATE TABLE' is not currently supported in Babelfish)~~ - - -GRANT SELECT ON table::t1 TO guest; -- unsupported object -GO -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: 'GRANT ON TABLE' is not currently supported in Babelfish)~~ - - -REVOKE SELECT ON table::t1 FROM guest; -- unsupported object -GO -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: 'REVOKE ON TABLE' is not currently supported in Babelfish)~~ - - GRANT ALL ON OBJECT::t1 TO guest WITH GRANT OPTION AS superuser; GO ~~ERROR (Code: 33557097)~~ diff --git a/test/JDBC/expected/GRANT_SCHEMA.out b/test/JDBC/expected/GRANT_SCHEMA.out index 935acbe2f53..1891d685978 100644 --- a/test/JDBC/expected/GRANT_SCHEMA.out +++ b/test/JDBC/expected/GRANT_SCHEMA.out @@ -12,18 +12,9 @@ go create user babel_4344_u1 for login babel_4344_l1; go -create login αιώνια with password = '12345678' -go - -create user αιώνια for login αιώνια; -go - create schema babel_4344_s1; go -create schema αγάπη; -go - create schema babel_4344_s2 authorization babel_4344_u1; go 
@@ -36,9 +27,6 @@ go create table babel_4344_s2.babel_4344_t1(a int); go -create table αγάπη.abc(a int); -go - create table babel_4344_t3(a int, b int); go @@ -57,69 +45,12 @@ go create proc babel_4344_s1.babel_4344_p1 as select 2; go -create proc babel_4344_s1.babel_4344_p3 as select 3; -go - CREATE FUNCTION babel_4344_f1() RETURNS INT AS BEGIN RETURN (SELECT COUNT(*) FROM sys.tables) END go CREATE FUNCTION babel_4344_s1.babel_4344_f1() RETURNS INT AS BEGIN RETURN (SELECT COUNT(*) FROM sys.objects) END go -grant SELECT on schema::babel_4344_S1 to public, αιώνια; -go - -grant select on schema::αγάπη to αιώνια; -go - --- tsql user=αιώνια password=12345678 -use babel_4344_d1; -go - -select * from αγάπη.abc; -go -~~START~~ -int -~~END~~ - - -select * from babel_4344_S1.babel_4344_t1; -go -~~START~~ -int -~~END~~ - - -use master; -go - --- tsql user=babel_4344_l1 password=12345678 -use babel_4344_d1; -go - --- User has select privileges, tables and views be accessible -select * from babel_4344_s1.babel_4344_t1 -go -~~START~~ -int -~~END~~ - -select * from babel_4344_s1.babel_4344_v1; -go -~~START~~ -int -2 -~~END~~ - -use master; -go - --- tsql -use babel_4344_d1; -go -revoke select on schema::babel_4344_s1 from public, αιώνια; -go - -- tsql user=babel_4344_l1 password=12345678 use babel_4344_d1; go @@ -186,9 +117,9 @@ go -- GRANT OBJECT privilege use babel_4344_d1; go -grant SELECT on babel_4344_t1 to BABEL_4344_U1; +grant select on babel_4344_t1 to babel_4344_u1; go -grant SELECT on babel_4344_s1.babel_4344_t1 to babel_4344_u1; +grant select on babel_4344_s1.babel_4344_t1 to babel_4344_u1; go grant all on babel_4344_s1.babel_4344_t1 to babel_4344_u1; go 
@@ -204,14 +135,7 @@ grant execute on babel_4344_p1 to babel_4344_u1; go grant execute on babel_4344_s1.babel_4344_p1 to babel_4344_u1; go --- inside a transaction, permission will not be granted since it is rolled back -begin transaction; -exec sp_executesql N'grant execute on babel_4344_s1.babel_4344_p3 to babel_4344_u1;'; -rollback transaction; -go - --- Mixed case -grant Execute on Babel_4344_F1 to babel_4344_u1; +grant execute on babel_4344_f1 to babel_4344_u1; go grant execute on babel_4344_s1.babel_4344_f1 to babel_4344_u1; go 
@@ -228,36 +152,8 @@ go ~~ERROR (Message: Cannot find the principal 'jdbc_user', because it does not exist or you do not have permission.)~~ -grant SELECT on schema::babel_4344_s2 to guest; -- should pass -go -grant select on schema::"" to guest; -- should fail -go -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.)~~ - -grant select on schema::non_existing_schema to guest; -- should fail -go -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: schema "non_existing_schema" does not exist)~~ - --- grant statement via a procedure -create procedure grant_perm_proc as begin exec('grant select on schema::[] to guest') end; -go -exec grant_perm_proc; -- should fail -go -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.)~~ - --- non-existing role -grant SELECT on schema::dbo to guest, babel_4344_u3; -- should fail +grant select on schema::babel_4344_s2 to guest; -- should pass go -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: Cannot find the principal 'babel_4344_u3', because it does not exist or you do not have permission.)~~ - -- tsql user=babel_4344_l1 password=12345678 -- User has OBJECT privileges, should be accessible. @@ -319,12 +215,6 @@ int 2 ~~END~~ -exec babel_4344_s1.babel_4344_p3; -- should fail, grant statement was rolled back -go -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: permission denied for procedure babel_4344_p3)~~ - select * from babel_4344_f1(); go ~~START~~ 
@@ -352,7 +242,7 @@ grant select on schema::babel_4344_s1 to babel_4344_u1; -- should fail go ~~ERROR (Code: 33557097)~~ -~~ERROR (Message: Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.)~~ +~~ERROR (Message: Cannot find the schema "babel_4344_s1", because it does not exist or you do not have permission.)~~ use master; go @@ -366,19 +256,6 @@ go use master; go --- psql --- GRANT statement add an entry to the catalog -select schema_name, object_name, permission, grantee from sys.babelfish_schema_permissions -where schema_name = 'babel_4344_s1' collate "C" and object_name = 'ALL' collate "C" order by permission; -go -~~START~~ -name#!#name#!#name#!#name -babel_4344_s1#!#ALL#!#execute#!#babel_4344_d1_babel_4344_u1 -babel_4344_s1#!#ALL#!#insert#!#babel_4344_d1_babel_4344_u1 -babel_4344_s1#!#ALL#!#select#!#babel_4344_d1_babel_4344_u1 -~~END~~ - - -- tsql user=babel_4344_l1 password=12345678 -- User has OBJECT and SCHEMA privileges, should be accessible. use babel_4344_d1; @@ -418,7 +295,7 @@ select * from babel_4344_s1.babel_4344_f1(); go ~~START~~ int -11 +10 ~~END~~ use master; @@ -462,14 +339,14 @@ int 2 ~~END~~ -exec babel_4344_s1.babel_4344_p1; +exec babel_4344_s1.babel_4344_p1; -- TODO: should be accessible go ~~START~~ int 2 ~~END~~ -select * from babel_4344_s1.babel_4344_f1(); +select * from babel_4344_s1.babel_4344_f1(); -- TODO: should be accessible go ~~START~~ int @@ -535,7 +412,7 @@ select * from babel_4344_s1.babel_4344_f2(); go ~~START~~ int -15 +14 ~~END~~ use master; @@ -600,7 +477,7 @@ select * from babel_4344_s1.babel_4344_f1(); go ~~START~~ int -15 +14 ~~END~~ select * from babel_4344_s2.babel_4344_t1; 
@@ -621,15 +498,6 @@ go use master; go --- psql --- REVOKE on schema removes the entry from the catalog -select * from sys.babelfish_schema_permissions where schema_name = 'babel_4344_s1' collate sys.database_default; -go -~~START~~ -int2#!#name#!#name#!#name#!#name#!#name -~~END~~ - - -- tsql user=babel_4344_l1 password=12345678 -- User has no privileges, shouldn't be accessible. use babel_4344_d1; @@ -673,54 +541,6 @@ go use master; go --- psql --- grant object permission -grant select on babel_4344_s1.babel_4344_t1 to babel_4344_d1_babel_4344_u1; -go - --- tsql --- grant schema permission -use babel_4344_d1; -go -grant select on schema::babel_4344_s1 to babel_4344_u1; -go -use master -go - --- tsql user=babel_4344_l1 password=12345678 -use babel_4344_d1; -go -select * from babel_4344_s1.babel_4344_t1; -- accessible -go -~~START~~ -int -2 -3 -3 -4 -5 -~~END~~ - -use master -go - --- psql --- revoke schema permission -revoke select on all tables in schema babel_4344_s1 from babel_4344_d1_babel_4344_u1; -go - --- tsql user=babel_4344_l1 password=12345678 -use babel_4344_d1; -go -select * from babel_4344_s1.babel_4344_t1; -- not accessible -go -~~ERROR (Code: 33557097)~~ - -~~ERROR (Message: permission denied for table babel_4344_t1)~~ - -use master -go - -- tsql -- Drop objects use babel_4344_d1; @@ -759,9 +579,6 @@ go drop proc babel_4344_s1.babel_4344_p2; go -drop proc babel_4344_s1.babel_4344_p3; -go - drop function babel_4344_f1; go @@ -780,18 +597,9 @@ go drop schema babel_4344_s2; go -drop table αγάπη.abc; -go - -drop schema αγάπη; -go - drop user babel_4344_u1; go -drop user αιώνια; -go - use master; go 
@@ -821,27 +629,3 @@ void -- tsql drop login babel_4344_l1; go - --- psql --- Need to terminate active session before cleaning up the login -SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) -WHERE sys.suser_name(usesysid) = 'αιώνια' AND backend_type = 'client backend' AND usesysid IS NOT NULL; -go -~~START~~ -bool -t -~~END~~ - - --- Wait to sync with another session -SELECT pg_sleep(1); -go -~~START~~ -void - -~~END~~ - - --- tsql -drop login αιώνια; -go diff --git a/test/JDBC/input/BABEL-GRANT.sql b/test/JDBC/input/BABEL-GRANT.sql index 5728ae1ff47..5777c9ecc86 100644 --- a/test/JDBC/input/BABEL-GRANT.sql +++ b/test/JDBC/input/BABEL-GRANT.sql @@ -148,28 +148,16 @@ GO REVOKE SELECT ON SCHEMA::scm FROM guest; GO -GRANT showplan ON OBJECT::t1 TO guest; -- unsupported permission +GRANT SHOWPLAN ON OBJECT::t1 TO guest; -- unsupported permission GO REVOKE SHOWPLAN ON OBJECT::t2 TO alogin; -- unsupported permission GO -GRANT ALL ON SCHEMA::scm TO guest; +GRANT ALL ON SCHEMA::scm TO guest; -- unsupported class GO -REVOKE ALL ON SCHEMA::scm TO guest; -GO - -GRANT create table ON OBJECT::t1 TO guest; -- unsupported permission -GO - -REVOKE create table ON OBJECT::t2 FROM alogin; -- unsupported permission -GO - -GRANT SELECT ON table::t1 TO guest; -- unsupported object -GO - -REVOKE SELECT ON table::t1 FROM guest; -- unsupported object +REVOKE ALL ON SCHEMA::scm TO guest; -- unsupported class GO GRANT ALL ON OBJECT::t1 TO guest WITH GRANT OPTION AS superuser; diff --git a/test/JDBC/input/GRANT_SCHEMA.mix b/test/JDBC/input/GRANT_SCHEMA.mix index f4af9f7af76..1572bea803b 100644 --- a/test/JDBC/input/GRANT_SCHEMA.mix +++ b/test/JDBC/input/GRANT_SCHEMA.mix @@ -12,18 +12,9 @@ go create user babel_4344_u1 for login babel_4344_l1; go -create login αιώνια with password = '12345678' -go - -create user αιώνια for login αιώνια; -go - create schema babel_4344_s1; go -create schema αγάπη; -go - create schema babel_4344_s2 authorization babel_4344_u1; go 
@@ -36,9 +27,6 @@ go create table babel_4344_s2.babel_4344_t1(a int); go -create table αγάπη.abc(a int); -go - create table babel_4344_t3(a int, b int); go @@ -57,52 +45,12 @@ go create proc babel_4344_s1.babel_4344_p1 as select 2; go -create proc babel_4344_s1.babel_4344_p3 as select 3; -go - CREATE FUNCTION babel_4344_f1() RETURNS INT AS BEGIN RETURN (SELECT COUNT(*) FROM sys.tables) END go CREATE FUNCTION babel_4344_s1.babel_4344_f1() RETURNS INT AS BEGIN RETURN (SELECT COUNT(*) FROM sys.objects) END go -grant SELECT on schema::babel_4344_S1 to public, αιώνια; -go - -grant select on schema::αγάπη to αιώνια; -go - --- tsql user=αιώνια password=12345678 -use babel_4344_d1; -go - -select * from αγάπη.abc; -go - -select * from babel_4344_S1.babel_4344_t1; -go - -use master; -go - --- tsql user=babel_4344_l1 password=12345678 -use babel_4344_d1; -go - --- User has select privileges, tables and views be accessible -select * from babel_4344_s1.babel_4344_t1 -go -select * from babel_4344_s1.babel_4344_v1; -go -use master; -go - --- tsql -use babel_4344_d1; -go -revoke select on schema::babel_4344_s1 from public, αιώνια; -go - -- tsql user=babel_4344_l1 password=12345678 use babel_4344_d1; go @@ -133,9 +81,9 @@ go -- GRANT OBJECT privilege use babel_4344_d1; go -grant SELECT on babel_4344_t1 to BABEL_4344_U1; +grant select on babel_4344_t1 to babel_4344_u1; go -grant SELECT on babel_4344_s1.babel_4344_t1 to babel_4344_u1; +grant select on babel_4344_s1.babel_4344_t1 to babel_4344_u1; go grant all on babel_4344_s1.babel_4344_t1 to babel_4344_u1; go 
@@ -151,14 +99,7 @@ grant execute on babel_4344_p1 to babel_4344_u1; go grant execute on babel_4344_s1.babel_4344_p1 to babel_4344_u1; go --- inside a transaction, permission will not be granted since it is rolled back -begin transaction; -exec sp_executesql N'grant execute on babel_4344_s1.babel_4344_p3 to babel_4344_u1;'; -rollback transaction; -go - --- Mixed case -grant Execute on Babel_4344_F1 to babel_4344_u1; +grant execute on babel_4344_f1 to babel_4344_u1; go grant execute on babel_4344_s1.babel_4344_f1 to babel_4344_u1; go @@ -167,19 +108,7 @@ grant select on schema::babel_4344_s2 to babel_4344_u1; -- should fail go grant select on schema::babel_4344_s2 to jdbc_user; -- should fail go -grant SELECT on schema::babel_4344_s2 to guest; -- should pass -go -grant select on schema::"" to guest; -- should fail -go -grant select on schema::non_existing_schema to guest; -- should fail -go --- grant statement via a procedure -create procedure grant_perm_proc as begin exec('grant select on schema::[] to guest') end; -go -exec grant_perm_proc; -- should fail -go --- non-existing role -grant SELECT on schema::dbo to guest, babel_4344_u3; -- should fail +grant select on schema::babel_4344_s2 to guest; -- should pass go -- tsql user=babel_4344_l1 password=12345678 @@ -204,8 +133,6 @@ exec babel_4344_p1; go exec babel_4344_s1.babel_4344_p1; go -exec babel_4344_s1.babel_4344_p3; -- should fail, grant statement was rolled back -go select * from babel_4344_f1(); go select * from babel_4344_s1.babel_4344_f1(); @@ -229,12 +156,6 @@ go use master; go --- psql --- GRANT statement add an entry to the catalog -select schema_name, object_name, permission, grantee from sys.babelfish_schema_permissions -where schema_name = 'babel_4344_s1' collate "C" and object_name = 'ALL' collate "C" order by permission; -go - -- tsql user=babel_4344_l1 password=12345678 -- User has OBJECT and SCHEMA privileges, should be accessible. use babel_4344_d1; 
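Review bot: This hunk removes the case that checked a GRANT issued inside a rolled-back transaction leaves no privilege behind (`begin transaction; exec sp_executesql N'grant execute ...'; rollback transaction;`). The next hunk removes the cases that checked invalid targets are rejected (`schema::""`, `schema::non_existing_schema`, the unknown principal `babel_4344_u3`). The file still issues `grant select on schema::babel_4344_s2 to guest; -- should pass`, so GRANT ON SCHEMA remains exercised only on the success path. I would leave a marker where the cases were, for example `-- TODO: restore the rolled-back GRANT and invalid schema/principal cases when the #2031 fix is re-landed`, so the gap in authorization coverage stays visible. Whether those cases pass on the reverted code cannot be told from this diff.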
@@ -275,9 +196,9 @@ select * from babel_4344_s1.babel_4344_t3 -- not accessible go select * from babel_4344_s1.babel_4344_v1; go -exec babel_4344_s1.babel_4344_p1; +exec babel_4344_s1.babel_4344_p1; -- TODO: should be accessible go -select * from babel_4344_s1.babel_4344_f1(); +select * from babel_4344_s1.babel_4344_f1(); -- TODO: should be accessible go select * from babel_4344_s2.babel_4344_t1; go @@ -366,11 +287,6 @@ go use master; go --- psql --- REVOKE on schema removes the entry from the catalog -select * from sys.babelfish_schema_permissions where schema_name = 'babel_4344_s1' collate sys.database_default; -go - -- tsql user=babel_4344_l1 password=12345678 -- User has no privileges, shouldn't be accessible. use babel_4344_d1; @@ -390,41 +306,6 @@ go use master; go --- psql --- grant object permission -grant select on babel_4344_s1.babel_4344_t1 to babel_4344_d1_babel_4344_u1; -go - --- tsql --- grant schema permission -use babel_4344_d1; -go -grant select on schema::babel_4344_s1 to babel_4344_u1; -go -use master -go - --- tsql user=babel_4344_l1 password=12345678 -use babel_4344_d1; -go -select * from babel_4344_s1.babel_4344_t1; -- accessible -go -use master -go - --- psql --- revoke schema permission -revoke select on all tables in schema babel_4344_s1 from babel_4344_d1_babel_4344_u1; -go - --- tsql user=babel_4344_l1 password=12345678 -use babel_4344_d1; -go -select * from babel_4344_s1.babel_4344_t1; -- not accessible -go -use master -go - -- tsql -- Drop objects use babel_4344_d1; @@ -463,9 +344,6 @@ go drop proc babel_4344_s1.babel_4344_p2; go -drop proc babel_4344_s1.babel_4344_p3; -go - drop function babel_4344_f1; go @@ -484,18 +362,9 @@ go drop schema babel_4344_s2; go -drop table αγάπη.abc; -go - -drop schema αγάπη; -go - drop user babel_4344_u1; go -drop user αιώνια; -go - use master; go 
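Review bot: The two `-- TODO: should be accessible` comments added to `exec babel_4344_s1.babel_4344_p1;` and `select * from babel_4344_s1.babel_4344_f1();` do not say what is outstanding. The matching hunk in GRANT_SCHEMA.out records a result set (`int`, `2`) for the `exec`, so the call appears to succeed already. If the intent is that these calls work only through a remaining object-level grant rather than the schema grant, say so, e.g. `exec babel_4344_s1.babel_4344_p1; -- accessible; TODO: confirm which grant allows this`. Otherwise drop the TODO so the comment agrees with the expected output.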
@@ -515,17 +384,3 @@ go -- tsql drop login babel_4344_l1; go - --- psql --- Need to terminate active session before cleaning up the login -SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) -WHERE sys.suser_name(usesysid) = 'αιώνια' AND backend_type = 'client backend' AND usesysid IS NOT NULL; -go - --- Wait to sync with another session -SELECT pg_sleep(1); -go - --- tsql -drop login αιώνια; -go diff --git a/test/python/expected/sql_validation_framework/expected_create.out b/test/python/expected/sql_validation_framework/expected_create.out index 6e84326140f..9afdefed16b 100644 --- a/test/python/expected/sql_validation_framework/expected_create.out +++ b/test/python/expected/sql_validation_framework/expected_create.out @@ -72,6 +72,7 @@ Could not find tests for procedure sys.printarg Could not find tests for procedure sys.sp_cursor_list Could not find tests for procedure sys.sp_describe_cursor Could not find tests for table sys.babelfish_helpcollation +Could not find tests for table sys.babelfish_schema_permissions Could not find tests for table sys.babelfish_syslanguages Could not find tests for table sys.service_settings Could not find tests for table sys.spt_datatype_info_table