Avoid storing initial privileges for Babelfish objects created during…

… initialization (#3136) In Babelfish, Currently There are two patterns followed for initial privileges for system created objects: 1. Initial privileges are stored for the objects that are created during CREATE EXTENSION like system object, catalogs. 2. But for the objects that are created during `initialize_babelfish()` (which gets executed after creating extension) like dbo user, schema for system generated TSQL databases like master, msdb, tempdb, Initial privileges are not being recorded. When there are any GRANT/REVOKE on objects which are created during `initialize_babelfish()` in any upgrade script, they are falsely being considered as internal/system-generated object and initial_privileges are being stored for them which can cause inconsistency between initial privileges of a newly spawned database server and upgraded database server. To avoid this situation, we should not store initial privileges for GRANT/REVOKE execution during upgrade. For achieving this, * Extension Changes: This commit implements `pltsql_allow_storing_init_privs_hook` hook for checking whether to store initial privileges for given object or not. There are 3 category of handling storage of initial privileges: 1. SAVE_INIT_PRIVS : Check if it is objects created during CREATE extension and store initial privs for them. system, information_schema_tsql objects and pltsql language are the examples of it. 2. DISCARD_INIT_PRIVS : If it is schema contained object within system created TSQL schema like master, msdb or tempdb OR user created schema, Do not store initial privileges for them. 3. ERROR_INIT_PRIVS : The default case when above 2 conditions doesn't match then error out. To avoid error please classify it between above 2 conditions. * Engine Changes: Reverts the temporary fix [3f20518](babelfish-for-postgresql/postgresql_modified_for_babelfish@3f20518) and [f9e9557](babelfish-for-postgresql/postgresql_modified_for_babelfish@f9e9557). Added `pltsql_check_store_init_privs_flag_hook` hook for checking whether to store initial privileges or not. Engine PR : babelfish-for-postgresql/postgresql_modified_for_babelfish#480 Task: BABEL-5410 Signed-off-by: Harsh Lunagariya <[email protected]>
babelfish-for-postgresql · Dec 17, 2024 · 0b085d3 · 0b085d3
1 parent 7c332d8
commit 0b085d3
Show file tree

Hide file tree

Showing 30 changed files with 173 additions and 0 deletions.
diff --git a/contrib/babelfishpg_tsql/src/hooks.c b/contrib/babelfishpg_tsql/src/hooks.c
@@ -28,6 +28,8 @@
 #include "commands/copy.h"
 #include "commands/dbcommands.h"
 #include "commands/explain.h"
+#include "commands/extension.h"
+#include "commands/proclang.h"
 #include "commands/tablecmds.h"
 #include "commands/trigger.h"
 #include "commands/view.h"
@@ -90,6 +92,13 @@ extern char *babelfish_dump_restore_min_oid;
 extern bool pltsql_quoted_identifier;
 extern bool pltsql_ansi_nulls;
 
+typedef enum PltsqlInitPrivsOptions
+{
+	SAVE_INIT_PRIVS,
+	DISCARD_INIT_PRIVS,
+	ERROR_INIT_PRIVS
+} PltsqlInitPrivsOptions;
+
 /*****************************************
  * 			Catalog Hooks
  *****************************************/
@@ -186,6 +195,7 @@ static void is_function_pg_stat_valid(FunctionCallInfo fcinfo,
 									  PgStat_FunctionCallUsage *fcu,
 									  char prokind, bool finalize);
 static AclResult pltsql_ExecFuncProc_AclCheck(Oid funcid);
+static bool allow_storing_init_privs(Oid objoid, Oid classoid, int objsubid);
 
 /*****************************************
  * 			Replication Hooks
@@ -513,6 +523,8 @@ InstallExtendedHooks(void)
 	pltsql_get_object_owner_hook = pltsql_get_object_owner;
 
 	is_bbf_db_ddladmin_operation_hook = is_bbf_db_ddladmin_operation;
+
+	pltsql_allow_storing_init_privs_hook = allow_storing_init_privs;
 }
 
 void
@@ -588,6 +600,7 @@ UninstallExtendedHooks(void)
 	handle_param_collation_hook = NULL;
 	handle_default_collation_hook = NULL;
 	pltsql_get_object_identity_event_trigger_hook = NULL;
+	pltsql_allow_storing_init_privs_hook = NULL;
 }
 
 /*****************************************
@@ -5851,3 +5864,111 @@ is_bbf_db_ddladmin_operation(Oid namespaceId)
 
 	return false;
 }
+
+static bool
+allow_storing_init_privs(Oid objoid, Oid classoid, int objsubid)
+{
+	ObjectAddress			address;
+	Oid						nspoid = InvalidOid;
+	ObjectType				objtype;
+	PltsqlInitPrivsOptions	init_privs_opt = ERROR_INIT_PRIVS;
+
+	/*
+	 * Check if it is create/upgrade script of babelfishpg_tsql extension
+	 * Otherwise return true -- Allow storing.
+	 */
+	if (!(creating_extension &&
+		OidIsValid(CurrentExtensionObject) &&
+		CurrentExtensionObject == get_extension_oid("babelfishpg_tsql", true)))
+		return true;
+
+	/* 
+	 * There are 3 category of handling
+	 * 1. SAVE_INIT_PRIVS    : Check if it is objects created during CREATE extension and
+	 *                         store initial privs for them. system, information_schema_tsql
+	 *                         objects and pltsql language are the examples of it.
+	 * 
+	 * 2. DISCARD_INIT_PRIVS : If it is schema contained object within system created
+	 *                         TSQL schema like master, msdb or tempdb OR user created schema,
+	 *                         Do not store initial privileges for them.
+	 * 
+	 * 3. ERROR_INIT_PRIVS   : The default case when above 2 conditions doesn't match then error
+	 *                         out. To avoid error please classify it between above 2 condtions. 
+	 */
+	ObjectAddressSet(address, classoid, objoid);
+	objtype = get_object_type(classoid, objoid);
+	if (objtype == OBJECT_SCHEMA)
+	{
+		nspoid = objoid;
+	}
+	else
+	{
+		nspoid = get_object_namespace(&address);
+	}
+	if (OidIsValid(nspoid)) /* Schema contained objects */
+	{
+		char *nspname = get_namespace_name(nspoid);
+		if (nspname && is_shared_schema(nspname))
+		{
+			init_privs_opt = SAVE_INIT_PRIVS;
+		}
+		else if (nspname && get_logical_schema_name(nspname, true))
+		{
+			init_privs_opt = DISCARD_INIT_PRIVS;
+		}
+	}
+	else /* Non-schema contained object */
+	{
+		switch (objtype)
+		{
+			case OBJECT_LANGUAGE:
+				if (OidIsValid(objoid) &&
+					objoid == get_language_oid("pltsql", true))
+				{
+					init_privs_opt = SAVE_INIT_PRIVS;
+					break;
+				}
+				else
+				{
+					break;
+				}
+			case OBJECT_DATABASE:
+				if (OidIsValid(objoid) &&
+					objoid == MyDatabaseId)
+				{
+					init_privs_opt = DISCARD_INIT_PRIVS;
+					break;
+				}
+				else
+				{
+					break;
+				}
+			default:
+				break;
+		}
+	}
+
+	switch (init_privs_opt)
+	{
+		case SAVE_INIT_PRIVS:
+			return true;
+			break;
+		case DISCARD_INIT_PRIVS:
+			return false;
+			break;
+		case ERROR_INIT_PRIVS:
+			/*
+			 * NOTE: Following error message mentions that upgrade script shouldn't
+			 * be storing initial privileges BUT it is not the rigid ristriction.
+			 * If it is required to add initial privileges for some objects like objects created
+			 * during CREATE extension then please add an exception for them in above logic.
+			 */
+			ereport(ERROR,
+					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+					 errmsg("Initial privileges for given object %s can not be "
+							"added during Babelfish upgrade.",
+							getObjectDescription(&address, true))));
+			return true;
+	}
+	return true;
+}
diff --git a/test/JDBC/upgrade/13_6/schedule b/test/JDBC/upgrade/13_6/schedule
@@ -119,6 +119,7 @@ BABEL-PG-SYSTEM-FUNCTIONS
 BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/13_7/schedule b/test/JDBC/upgrade/13_7/schedule
@@ -117,6 +117,7 @@ BABEL-PG-SYSTEM-FUNCTIONS
 BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/13_8/schedule b/test/JDBC/upgrade/13_8/schedule
@@ -117,6 +117,7 @@ BABEL-PG-SYSTEM-FUNCTIONS
 BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/13_9/schedule b/test/JDBC/upgrade/13_9/schedule
@@ -116,6 +116,7 @@ BABEL-PG-SYSTEM-FUNCTIONS
 BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/14_10/schedule b/test/JDBC/upgrade/14_10/schedule
@@ -132,6 +132,7 @@ BABEL-2845
 BABEL-2884
 BABEL-2944
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3249
 BABEL-3486
@@ -386,6 +387,7 @@ case_insensitive_collation-before-16_5-or-15_9
 sys-has_perms_by_name
 sys-has_perms_by_name-dep
 BABEL_OBJECT_ID-before-16_5-or-15_9
+BABEL_SCHEMATA
 isc-schemata-dep
 AVG-Aggregate-common
 AVG-Aggregate-Dep

diff --git a/test/JDBC/upgrade/14_11/schedule b/test/JDBC/upgrade/14_11/schedule
@@ -133,6 +133,7 @@ BABEL-2845
 BABEL-2884
 BABEL-2944
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3249
 BABEL-3486
@@ -387,6 +388,7 @@ case_insensitive_collation-before-16_5-or-15_9
 sys-has_perms_by_name
 sys-has_perms_by_name-dep
 BABEL_OBJECT_ID-before-16_5-or-15_9
+BABEL_SCHEMATA
 isc-schemata-dep
 AVG-Aggregate-common
 AVG-Aggregate-Dep

diff --git a/test/JDBC/upgrade/14_12/schedule b/test/JDBC/upgrade/14_12/schedule
@@ -132,6 +132,7 @@ BABEL-2845
 BABEL-2884
 BABEL-2944
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3249
 BABEL-3486
@@ -385,6 +386,7 @@ case_insensitive_collation-before-16_5-or-15_9
 sys-has_perms_by_name
 sys-has_perms_by_name-dep
 BABEL_OBJECT_ID-before-16_5-or-15_9
+BABEL_SCHEMATA
 isc-schemata-dep
 AVG-Aggregate-common
 AVG-Aggregate-Dep

diff --git a/test/JDBC/upgrade/14_13/schedule b/test/JDBC/upgrade/14_13/schedule
@@ -132,6 +132,7 @@ BABEL-2845
 BABEL-2884
 BABEL-2944
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3249
 BABEL-3486
@@ -385,6 +386,7 @@ case_insensitive_collation-before-16_5-or-15_9
 sys-has_perms_by_name
 sys-has_perms_by_name-dep
 BABEL_OBJECT_ID-before-16_5-or-15_9
+BABEL_SCHEMATA
 isc-schemata-dep
 AVG-Aggregate-common
 AVG-Aggregate-Dep

diff --git a/test/JDBC/upgrade/14_15/schedule b/test/JDBC/upgrade/14_15/schedule
@@ -132,6 +132,7 @@ BABEL-2845
 BABEL-2884
 BABEL-2944
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3249
 BABEL-3486
@@ -385,6 +386,7 @@ case_insensitive_collation-before-16_5-or-15_9
 sys-has_perms_by_name
 sys-has_perms_by_name-dep
 BABEL_OBJECT_ID-before-16_5-or-15_9
+BABEL_SCHEMATA
 isc-schemata-dep
 AVG-Aggregate-common
 AVG-Aggregate-Dep

diff --git a/test/JDBC/upgrade/14_3/schedule b/test/JDBC/upgrade/14_3/schedule
@@ -123,6 +123,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/14_5/schedule b/test/JDBC/upgrade/14_5/schedule
@@ -122,6 +122,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SP_COLUMNS_MANAGED-dep
 BABEL-SP_FKEYS
 BABEL-SP_FKEYS-dep

diff --git a/test/JDBC/upgrade/14_6/schedule b/test/JDBC/upgrade/14_6/schedule
@@ -58,6 +58,7 @@ BABEL-3000
 BABEL-3000-dep
 BABEL-3010-before-15_6
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3121
 BABEL-3144
@@ -136,6 +137,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/14_7/schedule b/test/JDBC/upgrade/14_7/schedule
@@ -60,6 +60,7 @@ BABEL-3000
 BABEL-3000-dep
 BABEL-3010-before-15_6
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3121
 BABEL-3144
@@ -149,6 +150,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/14_8/schedule b/test/JDBC/upgrade/14_8/schedule
@@ -60,6 +60,7 @@ BABEL-3000
 BABEL-3000-dep
 BABEL-3010-before-15_6
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3121
 BABEL-3144
@@ -147,6 +148,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/14_9/schedule b/test/JDBC/upgrade/14_9/schedule
@@ -132,6 +132,7 @@ BABEL-2845
 BABEL-2884
 BABEL-2944
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3249
 BABEL-3486
@@ -386,6 +387,7 @@ case_insensitive_collation-before-16_5-or-15_9
 sys-has_perms_by_name
 sys-has_perms_by_name-dep
 BABEL_OBJECT_ID-before-16_5-or-15_9
+BABEL_SCHEMATA
 isc-schemata-dep
 AVG-Aggregate-common
 AVG-Aggregate-Dep

diff --git a/test/JDBC/upgrade/15_1/schedule b/test/JDBC/upgrade/15_1/schedule
@@ -58,6 +58,7 @@ BABEL-3000
 BABEL-3000-dep
 BABEL-3010-before-15_6
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3121
 BABEL-3144
@@ -135,6 +136,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/15_10/schedule b/test/JDBC/upgrade/15_10/schedule
@@ -63,6 +63,7 @@ BABEL-3000
 BABEL-3000-dep
 BABEL-3010
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3121
 BABEL-3144
@@ -167,6 +168,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep

diff --git a/test/JDBC/upgrade/15_2/schedule b/test/JDBC/upgrade/15_2/schedule
@@ -60,6 +60,7 @@ BABEL-3000
 BABEL-3000-dep
 BABEL-3010-before-15_6
 BABEL-3116
+BABEL-3117
 BABEL-3118
 BABEL-3121
 BABEL-3144
@@ -148,6 +149,7 @@ BABEL-PROCID
 BABEL-RAND
 BABEL-ROLE
 BABEL-ROLE-MEMBER
+BABEL_SCHEMATA
 BABEL-SPCOLUMNS
 BABEL-SPCOLUMNS-dep
 BABEL-SP_COLUMNS_MANAGED-dep