From ba5670c42dc1d00349da04ff6dd74545a6723af5 Mon Sep 17 00:00:00 2001 From: Harsh Lunagariya Date: Sun, 29 Dec 2024 17:05:06 +0000 Subject: [PATCH 1/3] Allow GRANT/REVOKE on sequence to members of db_securityadmin Signed-off-by: Harsh Lunagariya --- contrib/babelfishpg_tsql/src/hooks.c | 1 + contrib/babelfishpg_tsql/src/rolecmds.c | 17 ++- .../expected/db_securityadmin-vu-cleanup.out | 2 + .../expected/db_securityadmin-vu-prepare.out | 5 + .../expected/db_securityadmin-vu-verify.out | 130 +++++++++++++++++- .../ownership/db_securityadmin-vu-cleanup.mix | 2 + .../ownership/db_securityadmin-vu-prepare.mix | 5 + .../ownership/db_securityadmin-vu-verify.mix | 64 ++++++++- 8 files changed, 216 insertions(+), 10 deletions(-)
diff --git a/contrib/babelfishpg_tsql/src/hooks.c b/contrib/babelfishpg_tsql/src/hooks.c
index 3faacd2a3f..68ed3069bf 100644
--- a/contrib/babelfishpg_tsql/src/hooks.c
+++ b/contrib/babelfishpg_tsql/src/hooks.c
@@ -5723,6 +5723,7 @@ handle_grantstmt_for_dbsecadmin(ObjectType objType, Oid objId, Oid ownerId,
 case OBJECT_TABLE:
 case OBJECT_COLUMN:
 case OBJECT_VIEW:
+ case OBJECT_SEQUENCE:
 classid = RelationRelationId;
 break;
 case OBJECT_FUNCTION:
diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c
index fa32eff09c..52f3ac4c71 100644
--- a/contrib/babelfishpg_tsql/src/rolecmds.c
+++ b/contrib/babelfishpg_tsql/src/rolecmds.c
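Review bot: The new `case OBJECT_SEQUENCE:` label has no comment saying why a sequence takes the same `RelationRelationId` branch as tables, columns and views, which is the one thing a reader of this switch needs since the commit widens what db_securityadmin members may GRANT/REVOKE. I'd add `/* sequences are pg_class entries, so they share the table/view classid */` above the label. handle_grantstmt_for_dbsecadmin starts and ends outside this hunk, so I can't tell whether OBJECT_SEQUENCE previously fell through to a default branch or was rejected earlier; worth confirming the caller doesn't also need the new kind.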
@@ -2050,17 +2050,22 @@ check_alter_role_stmt(GrantRoleStmt *stmt)
 if (has_privs_of_role(GetUserId(), db_owner))
 return;
 
+ /*
+ * Members of db_securityadmin role can ALTER ANY ROLE
+ */
+ if (get_db_principal_kind(granted, db_name) == BBF_ROLE &&
+ has_privs_of_role(GetUserId(), get_db_securityadmin_oid(db_name, false)))
+ {
+ return;
+ }
+
 /*
 * Disallow ALTER ROLE if
 * 1. Current login doesn't have permission on the granted role
 * OR
- * 2. Granted role is not a fixed db role or current user is a member of db_securityadmin
- * OR
- * 3. The current user is trying to add/drop itself from the granted role
+ * 2. The current user is trying to add/drop itself from the granted role
 */
- if ((!has_privs_of_role(GetSessionUserId(), granted) &&
- !(get_db_principal_kind(granted, db_name) == BBF_ROLE &&
- has_privs_of_role(GetUserId(), get_db_securityadmin_oid(get_current_pltsql_db_name(), false)))) ||
+ if (!has_privs_of_role(GetSessionUserId(), granted) ||
 grantee == GetUserId())
 ereport(ERROR,
 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
diff --git a/test/JDBC/expected/db_securityadmin-vu-cleanup.out b/test/JDBC/expected/db_securityadmin-vu-cleanup.out
index 94345389f4..7826938cbf 100644
--- a/test/JDBC/expected/db_securityadmin-vu-cleanup.out
+++ b/test/JDBC/expected/db_securityadmin-vu-cleanup.out
@@ -23,6 +23,8 @@ DROP FUNCTION babel_5135_schema1.babel_5135_f1();
 GO
 DROP FUNCTION babel_5135_schema1.babel_5135_tvf1();
 GO
+DROP SEQUENCE babel_5135_schema1.babel_5135_seq1;
+GO
 DROP PROCEDURE babel_5135_roleop_proc1;
 GO
 DROP PROCEDURE babel_5135_roleop_proc2;
diff --git a/test/JDBC/expected/db_securityadmin-vu-prepare.out b/test/JDBC/expected/db_securityadmin-vu-prepare.out
index d1c19b8dd4..64bc1d71a5 100644
--- a/test/JDBC/expected/db_securityadmin-vu-prepare.out
+++ b/test/JDBC/expected/db_securityadmin-vu-prepare.out
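Review bot: The early return added for db_securityadmin members sits before the `grantee == GetUserId()` test, so it lifts the self-add/self-drop restriction for them that the old combined condition still enforced, and it does so for any BBF_ROLE regardless of what that role is itself a member of. If a user-defined role can ever hold db_owner privileges, a db_securityadmin member could add itself to that role and gain db_owner; the `ALTER ROLE db_owner ADD MEMBER <role>` route is currently rejected per the accompanying tests, but I'd rather this check not depend on that. I'd exclude such roles in the new condition, `if (get_db_principal_kind(granted, db_name) == BBF_ROLE && !has_privs_of_role(granted, db_owner) && has_privs_of_role(GetUserId(), get_db_securityadmin_oid(db_name, false)))`, and widen the comment to `/* Members of db_securityadmin can ALTER any user-defined database role, including adding or dropping themselves */`. check_alter_role_stmt begins before this hunk.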
@@ -38,6 +38,9 @@ GO CREATE FUNCTION babel_5135_schema1.babel_5135_tvf1() RETURNS TABLE AS RETURN (SELECT a, b FROM babel_5135_schema1.babel_5135_t1); GO +CREATE SEQUENCE babel_5135_schema1.babel_5135_seq1 START WITH 1 INCREMENT BY 1 MINVALUE 1 MAXVALUE 999999 CYCLE; +GO + CREATE VIEW babel_5135_show_role_mem AS SELECT roles.name AS RolePrincipalName @@ -63,6 +66,7 @@ GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; END GO CREATE PROCEDURE babel_5135_revokeop_proc1 AS BEGIN @@ -71,6 +75,7 @@ REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +REVOKE UPDATE ON babel_5135_schema1.babel_5135_seq1 FROM babel_5135_u1; END GO diff --git a/test/JDBC/expected/db_securityadmin-vu-verify.out b/test/JDBC/expected/db_securityadmin-vu-verify.out index 94082ef7d4..9b4e133512 100644 --- a/test/JDBC/expected/db_securityadmin-vu-verify.out +++ b/test/JDBC/expected/db_securityadmin-vu-verify.out 
@@ -129,7 +129,9 @@ GO -- tsql -- CASE 3 - Able to manage database roles -- CASE 3.1 - CREATE/ALTER/DROP ROLE - -- CASE 3.2 - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.a - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user + -- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner -- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked -- CASE 3.4 - CREATE/ALTER/DROP USER should not be Allowed -- role created by another user, to test alter/drop on it 
@@ -157,13 +159,49 @@ GO EXEC babel_5135_roleop_proc1; GO --- CASE 3.2 - ADD/DROP the membership of user-defined database roles +-- CASE 3.2.a - ADD/DROP the membership of user-defined database roles ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; GO ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; GO +-- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_dbsecadmin_u1 +~~END~~ + + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +-- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner +ALTER ROLE db_owner ADD MEMBER babel_5135_r1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Adding database roles to db_owner is not currently supported in Babelfish)~~ + + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE db_owner DROP MEMBER babel_5135_r1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Dropping database roles from db_owner is not currently supported in Babelfish)~~ + + -- alter role add member inside procedure -- execution should be succeeded with no error -- Add @@ -189,6 +227,20 @@ GO ~~ERROR (Message: Cannot alter the role 'db_owner', because it does not exist or you do not have permission.)~~ +ALTER ROLE babel_5135_r1 DROP MEMBER dbo; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot use the special principal 'dbo')~~ + + +ALTER ROLE babel_5135_r1 ADD MEMBER dbo; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot use the special principal 'dbo')~~ + + -- CASE 3.4 -- CREATE/ALTER/DROP USER should fail CREATE USER babel_5135_user1 FOR LOGIN babel_5135_l2; GO 
@@ -345,6 +397,13 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_l1 password=12345678 SELECT current_user; GO @@ -392,6 +451,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO @@ -455,6 +523,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- Testing GRANT inside procedure EXEC babel_5135_grantop_proc1; @@ -517,6 +594,14 @@ int#!#int ~~END~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +1 +~~END~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- Testing revokes inside procedure EXEC babel_5135_revokeop_proc1; @@ -569,6 +654,14 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO babel_5135_u1; 
@@ -631,6 +724,15 @@ int#!#int ~~END~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM babel_5135_u1; GO @@ -682,6 +784,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects SELECT current_user; @@ -730,6 +841,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively -- execute GRANT via db_securityadmin member and REVOKE it with object owner @@ -748,6 +868,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO @@ -780,6 +903,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO 
diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix b/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix index 94345389f4..7826938cbf 100644 --- a/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix +++ b/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix @@ -23,6 +23,8 @@ DROP FUNCTION babel_5135_schema1.babel_5135_f1(); GO DROP FUNCTION babel_5135_schema1.babel_5135_tvf1(); GO +DROP SEQUENCE babel_5135_schema1.babel_5135_seq1; +GO DROP PROCEDURE babel_5135_roleop_proc1; GO DROP PROCEDURE babel_5135_roleop_proc2; diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix b/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix index cb22ffdf6a..e07aa1544e 100644 --- a/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix +++ b/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix @@ -38,6 +38,9 @@ GO CREATE FUNCTION babel_5135_schema1.babel_5135_tvf1() RETURNS TABLE AS RETURN (SELECT a, b FROM babel_5135_schema1.babel_5135_t1); GO +CREATE SEQUENCE babel_5135_schema1.babel_5135_seq1 START WITH 1 INCREMENT BY 1 MINVALUE 1 MAXVALUE 999999 CYCLE; +GO + CREATE VIEW babel_5135_show_role_mem AS SELECT roles.name AS RolePrincipalName @@ -63,6 +66,7 @@ GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; END GO CREATE PROCEDURE babel_5135_revokeop_proc1 AS BEGIN 
@@ -71,6 +75,7 @@ REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +REVOKE UPDATE ON babel_5135_schema1.babel_5135_seq1 FROM babel_5135_u1; END GO diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix index 2f2f15acfc..baa59432c8 100644 --- a/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix +++ b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix @@ -92,7 +92,9 @@ GO -- CASE 3 - Able to manage database roles -- CASE 3.1 - CREATE/ALTER/DROP ROLE - -- CASE 3.2 - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.a - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user + -- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner -- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked -- CASE 3.4 - CREATE/ALTER/DROP USER should not be Allowed -- role created by another user, to test alter/drop on it 
@@ -121,13 +123,36 @@ GO EXEC babel_5135_roleop_proc1; GO --- CASE 3.2 - ADD/DROP the membership of user-defined database roles +-- CASE 3.2.a - ADD/DROP the membership of user-defined database roles ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; GO ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; GO +-- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user +SELECT current_user; +GO + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +-- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner +ALTER ROLE db_owner ADD MEMBER babel_5135_r1; +GO + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE db_owner DROP MEMBER babel_5135_r1; +GO + -- alter role add member inside procedure -- execution should be succeeded with no error -- Add @@ -145,6 +170,12 @@ GO ALTER ROLE db_owner ADD MEMBER babel_5135_u1; GO +ALTER ROLE babel_5135_r1 DROP MEMBER dbo; +GO + +ALTER ROLE babel_5135_r1 ADD MEMBER dbo; +GO + -- CASE 3.4 -- CREATE/ALTER/DROP USER should fail CREATE USER babel_5135_user1 FOR LOGIN babel_5135_l2; GO @@ -236,6 +267,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql user=babel_5135_l1 password=12345678 SELECT current_user; GO @@ -258,6 +292,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO 
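Review bot: The CASE 3.2.c header says it checks ALTER on a database role that is a member of db_owner, but the `ALTER ROLE db_owner ADD MEMBER babel_5135_r1` that would set that up is expected to fail (the matching .out records it as not supported), so the ADD/DROP MEMBER statements that follow run against a plain role and repeat CASE 3.2.b. The header overstates what is covered; I'd reword it to `-- CASE 3.2.c - ALTER ROLE db_owner ADD/DROP MEMBER <role> is expected to fail, so membership of a db_owner-member role is not exercised here` so a later reader does not assume that path has been tested.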
@@ -296,6 +333,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- Testing GRANT inside procedure -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 EXEC babel_5135_grantop_proc1; @@ -323,6 +363,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- Testing revokes inside procedure -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 EXEC babel_5135_revokeop_proc1; @@ -350,6 +393,8 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO babel_5135_u1; @@ -377,6 +422,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM babel_5135_u1; GO @@ -403,6 +451,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 SELECT current_user; @@ -426,6 +477,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively -- execute GRANT via db_securityadmin member and REVOKE it with object owner -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 
@@ -444,6 +498,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO @@ -476,6 +533,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO From bea9de4fb6b2106cbf24a5a66a4fe567f959aea1 Mon Sep 17 00:00:00 2001 From: Harsh Lunagariya Date: Thu, 2 Jan 2025 18:39:34 +0000 Subject: [PATCH 2/3] Add is_rolemember tests Signed-off-by: Harsh Lunagariya --- test/JDBC/expected/BABEL-ROLE-MEMBER.out | 70 ++++++++++++++++++++++++ test/JDBC/input/BABEL-ROLE-MEMBER.mix | 25 +++++++++ 2 files changed, 95 insertions(+) diff --git a/test/JDBC/expected/BABEL-ROLE-MEMBER.out b/test/JDBC/expected/BABEL-ROLE-MEMBER.out index 3351cc79f1..d74e180326 100644 --- a/test/JDBC/expected/BABEL-ROLE-MEMBER.out +++ b/test/JDBC/expected/BABEL-ROLE-MEMBER.out 
@@ -1343,6 +1343,76 @@ GO ~~ERROR (Message: The role has members. It must be empty before it can be dropped.)~~ +-- tsql +-- Test system defined database role memberships +-- Following should return 1 +select is_rolemember('db_ddladmin', 'db_ddladmin') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_securityadmin', 'db_securityadmin') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_accessadmin', 'db_accessadmin') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_datareader', 'db_datareader') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_datawriter', 'db_datawriter') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_owner', 'db_owner') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_owner', 'dbo') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('dbo', 'dbo') +GO +~~START~~ +int +1 +~~END~~ + + +-- This should return NULL +select is_rolemember('dbo', 'db_owner') +GO +~~START~~ +int + +~~END~~ + + + -- Clean up DROP USER test_user1 GO diff --git a/test/JDBC/input/BABEL-ROLE-MEMBER.mix b/test/JDBC/input/BABEL-ROLE-MEMBER.mix index c1fdca8b48..7119b070fe 100644 --- a/test/JDBC/input/BABEL-ROLE-MEMBER.mix +++ b/test/JDBC/input/BABEL-ROLE-MEMBER.mix @@ -623,6 +623,31 @@ GO DROP ROLE test_role3 GO +-- Test system defined database role memberships +-- tsql +-- Following should return 1 +select is_rolemember('db_ddladmin', 'db_ddladmin') +GO +select is_rolemember('db_securityadmin', 'db_securityadmin') +GO +select is_rolemember('db_accessadmin', 'db_accessadmin') +GO +select is_rolemember('db_datareader', 'db_datareader') +GO +select is_rolemember('db_datawriter', 'db_datawriter') +GO +select is_rolemember('db_owner', 'db_owner') +GO +select is_rolemember('db_owner', 'dbo') +GO +select is_rolemember('dbo', 'dbo') +GO + +-- This should return NULL +select is_rolemember('dbo', 'db_owner') +GO + + -- Clean up DROP USER test_user1 GO 
From 84720e05b12cc484da8e7185963048c9df2189c5 Mon Sep 17 00:00:00 2001 From: Harsh Lunagariya Date: Fri, 3 Jan 2025 09:38:30 +0000 Subject: [PATCH 3/3] add comment in test Signed-off-by: Harsh Lunagariya --- test/JDBC/expected/db_securityadmin-vu-verify.out | 1 + test/JDBC/input/ownership/db_securityadmin-vu-verify.mix | 1 + 2 files changed, 2 insertions(+) diff --git a/test/JDBC/expected/db_securityadmin-vu-verify.out b/test/JDBC/expected/db_securityadmin-vu-verify.out index 9b4e133512..e8bed8ed3f 100644 --- a/test/JDBC/expected/db_securityadmin-vu-verify.out +++ b/test/JDBC/expected/db_securityadmin-vu-verify.out @@ -182,6 +182,7 @@ ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; GO -- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner +-- Currently it is not supported to add database role to db_owner ALTER ROLE db_owner ADD MEMBER babel_5135_r1; GO ~~ERROR (Code: 33557097)~~ diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix index baa59432c8..57a2cee142 100644 --- a/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix +++ b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix @@ -141,6 +141,7 @@ ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; GO -- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner +-- Currently it is not supported to add database role to db_owner ALTER ROLE db_owner ADD MEMBER babel_5135_r1; GO