Support GRANT .. ON SCHEMA .. in Babelfish (#2326)
Support GRANT/REVOKE .. ON SCHEMA .. in Babelfish

PLEASE NOTE: This change is with the assumption that we are going to restrict function overloading. Based on any other decision made otherwise, the catalog implementation would be extended to store the arguments in another PR.

Supported syntax GRANT <permission> ON SCHEMA::<schema_name> TO <user_name>
Supported syntax REVOKE <permission> ON SCHEMA::<schema_name> FROM <user_name>
Added one SQL statement PLTSQL_STMT_GRANTSCHEMA to store relevant information to execute GRANT/REVOKE .. ON SCHEMA .. statements.
Created one catalog table sys.babelfish_schema_permissions to hold the details for each GRANT/REVOKE statement.
GRANT on schema/objects adds a row in the catalog table if it does not already exist.
REVOKE on schema/objects removes the corresponding row in the catalog table if it exists already.
REVOKE on schema internally grants permission to all the objects if there are explicit permissions granted to the objects belonging to the same schema.
GRANT ALL on objects works as it is and adds rows in the catalog for each relevant permission depending on the object type.
REVOKE ALL on object should do nothing, if the relevant schema permission exists in the catalog. But, it should remove the rows from the catalog if the object level permission is granted.
Drop statement for OBJECT/SCHEMA removes all the relevant object entries from the catalog.

Issues Resolved
Task: BABEL-4344, BABEL-4485

Signed-off-by: Shalini Lohia [email protected]
shalinilohia50 authored Feb 1, 2024
1 parent 3c9732a commit 41df701
Showing 43 changed files with 4,345 additions and 67 deletions.
13 changes: 13 additions & 0 deletions contrib/babelfishpg_tsql/sql/ownership.sql
Expand Up @@ -14,6 +14,19 @@ CREATE TABLE sys.babelfish_sysdatabases (

GRANT SELECT on sys.babelfish_sysdatabases TO PUBLIC;

-- BABELFISH_SCHEMA_PERMISSIONS
-- This catalog is implemented specially to support GRANT/REVOKE .. ON SCHEMA ..
-- Please avoid using this catalog anywhere else.
CREATE TABLE sys.babelfish_schema_permissions (
dbid smallint NOT NULL,
schema_name sys.NVARCHAR(128) NOT NULL COLLATE sys.database_default,
object_name sys.NVARCHAR(128) NOT NULL COLLATE sys.database_default,
permission INT NOT NULL,
grantee sys.NVARCHAR(128) NOT NULL COLLATE sys.database_default,
object_type CHAR(1) NOT NULL COLLATE sys.database_default,
PRIMARY KEY(dbid, schema_name, object_name, grantee, object_type)
);

-- BABELFISH_FUNCTION_EXT
CREATE TABLE sys.babelfish_function_ext (
nspname NAME NOT NULL,
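
Review bot: The PRIMARY KEY on sys.babelfish_schema_permissions omits the permission column, so a grantee can have only one row per (dbid, schema_name, object_name, object_type), while the commit message says GRANT ALL adds rows for each relevant permission. If permission is a bitmask, the comment above CREATE TABLE should say so and list the bit values; if it is one permission per row, permission belongs in the key. The comment should also state what object_name and object_type contain for a schema-level grant, since both are NOT NULL, and whether this catalog is meant to be readable by PUBLIC the way sys.babelfish_sysdatabases is just above, because no GRANT for it appears in this hunk.
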
Expand Up @@ -2863,6 +2863,17 @@ END;
$$ LANGUAGE pltsql;
GRANT EXECUTE ON PROCEDURE sys.sp_procedure_params_100_managed TO PUBLIC;

-- BABELFISH_SCHEMA_PERMISSIONS
CREATE TABLE IF NOT EXISTS sys.babelfish_schema_permissions (
dbid smallint NOT NULL,
schema_name sys.NVARCHAR(128) NOT NULL COLLATE sys.database_default,
object_name sys.NVARCHAR(128) NOT NULL COLLATE sys.database_default,
permission INT NOT NULL,
grantee sys.NVARCHAR(128) NOT NULL COLLATE sys.database_default,
object_type CHAR(1) NOT NULL COLLATE sys.database_default,
PRIMARY KEY(dbid, schema_name, object_name, grantee, object_type)
);

CALL sys.babelfish_drop_deprecated_object('view', 'sys', 'sysforeignkeys_deprecated_4_1_0');
CALL sys.babelfish_drop_deprecated_object('view', 'sys', 'system_objects_deprecated_4_1_0');
CALL sys.babelfish_drop_deprecated_object('view', 'sys', 'syscolumns_deprecated_4_1_0');
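
Review bot: CREATE TABLE IF NOT EXISTS in this second copy keeps any table already present under the name sys.babelfish_schema_permissions without checking its columns or primary key, which is a weak guarantee for a catalog that drives GRANT/REVOKE decisions. Consider failing the upgrade, or verifying the existing definition, when the table is already there. This copy also drops the "Please avoid using this catalog anywhere else" comment from the ownership.sql definition, and the two definitions now have to be kept identical by hand, so a comment pointing from each to the other would help.
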