Change DB owner with ALTER AUTHORIZATION #1954
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
robverschoor
changed the title
shalinilohia50
approved these changes
Oct 26, 2023
Deepesh125
requested changes
Oct 26, 2023
Deepesh125
approved these changes
Oct 26, 2023
Deepesh125
merged commit 1083c88
into
babelfish-for-postgresql:BABEL_3_X_DEV
27 checks passed
1 task
staticlibs
pushed a commit
to wiltondb/babelfish_extensions
that referenced
this pull request
Apr 21, 2024
Implement ALTER AUTHORIZATION to change database ownership. Syntax: ALTER AUTHORIZATION ON DATABASE::<dbname> TO <login-name> It is a common requirement for the DBA to create a database to be owned by a login. Thus far in Babelfish this was possible only by (temporarily) making the target login a member of sysadmin role, which is undesirable. To change the database owner to a different login, all that is required is to update sys.babelfish_sysdatabases.owner to the new owner's login name. There are some restrictions such as that the new owner cannot be a user in the database already (guest user does not count). A non-sysadmin DB owner cannot grant ownership to anyone else, including to a sysadmin login. (however, it is OK to grant ownership to yourself although there seems little point in that). When the current DB owner has an active session in the database with the current DB set to that same database, and at the same time a different session change the database ownership, the now-previous owner retains access rights in the session as long as the database context remains unchanged; as soon as the database context is changed, the access rights from the DB ownership are lost: Babelfish behaves identically to T-SQL here. To implement this feature, statement type PLTSQL_STMT_CHANGE_DBOWNER was introduced rather than something more generic-looking like PLTSQL_STMT_ALTERAUTH: other cases of ALTER AUTHORIZATION may affect the ownership/permissions-related artefacts that are created by Babelfish, or require different catalog modifications; therefore, the DB ownership change is more of a one-off case. BABEL-2121: Babel does not support ALTER AUTHORIZATION syntax to change database owner Signed-off-by: Rob Verschoor <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Implement
ALTER AUTHORIZATIONto change database ownership.Syntax:
ALTER AUTHORIZATION ON DATABASE::<dbname> TO <login-name>It is a common requirement for the DBA to create a database to be owned by a login. Thus far in Babelfish this was possible only by (temporarily) making the target login a member of
sysadminrole, which is undesirable.To change the database owner to a different login, all that is required is to update
sys.babelfish_sysdatabases.ownerto the new owner's login name. There are some restrictions such as that the new owner cannot be a user in the database already (guestuser does not count). a non-sysadminDB owner cannot grant ownership to anyone else, including to asysadminlogin. (however, it is OK to grant ownership to yourself although there seems little point in that).When the current DB owner has an active session in the database with the current DB set to that same database, and at the same time a different session change the database ownership, the now-previous owner retains access rights in the session as long as the database context remains unchanged; as soon as the database context is changed, the access rights from the DB ownership are lost: Babelfish behaves identically to T-SQL here.
To implement this feature, statement type
PLTSQL_STMT_CHANGE_DBOWNERwas introduced rather than something more generic-looking likePLTSQL_STMT_ALTERAUTH: other cases ofALTER AUTHORIZATIONmay affect the ownership/permissions-related artefacts that are created by Babelfish, or require different catalog modifications; therefore, the DB ownership change is more of a one-off case.Signed-off-by: Rob Verschoor [email protected]
Issues Resolved
BABEL-2121: Babel does not support ALTER AUTHORIZATION syntax to change database owner
Test Scenarios Covered
Use case based - Yes
Boundary conditions - Yes
Arbitrary inputs - N/A
Negative test cases - Yes
Minor version upgrade tests - N/A
Major version upgrade tests - N/A
Performance tests - N/A
Tooling impact - N/A
Client tests - N/A
Check List
By submitting this pull request, I confirm that my contribution is under the terms of the Apache 2.0 and PostgreSQL licenses, and grant any person obtaining a copy of the contribution permission to relicense all or a portion of my contribution to the PostgreSQL License solely to contribute all or a portion of my contribution to the PostgreSQL open source project.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.