From 53e8c63c541b55115e6051a6a906e9305868ee39 Mon Sep 17 00:00:00 2001
From: ANJU BHARTI
Date: Fri, 20 Dec 2024 03:56:36 +0000
Subject: [PATCH 1/4] Performance Improvement of create login in BBF
Signed-off-by: ANJU BHARTI
---
 src/backend/utils/adt/acl.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 2cbb2ba5b2e..4c01cf1dc84 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -5076,7 +5076,18 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 */
 if (otherid == admin_of && form->admin_option && OidIsValid(admin_of) && !OidIsValid(*admin_role))
- *admin_role = memberid;
+ {
+ *admin_role = memberid;
+
+ /*
+ * Need not to iterate through all the members
+ * if admin_role is found.
+ */
+ if (sql_dialect == SQL_DIALECT_TSQL)
+ {
+ return NULL;
+ }
+ }
 /* If we're supposed to ignore non-heritable grants, do so. */
 if (type == ROLERECURSE_PRIVS && !form->inherit_option)
From 891e2d1ba20193e05b41b45cb0bbaaa18ae26a2e Mon Sep 17 00:00:00 2001
From: ANJU BHARTI
Date: Mon, 23 Dec 2024 08:48:42 +0000
Subject: [PATCH 2/4] Add check for bbf_role_admin
Signed-off-by: ANJU BHARTI
---
 src/backend/utils/adt/acl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 4c01cf1dc84..6938ea07970 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -5081,9 +5081,10 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 /*
 * Need not to iterate through all the members
- * if admin_role is found.
+ * if roleid is bbf_role_admin and admin_role is found.
 */
- if (sql_dialect == SQL_DIALECT_TSQL)
+ if (sql_dialect == SQL_DIALECT_TSQL &&
+ get_bbf_admin_oid_hook && roleid == (*get_bbf_admin_oid_hook)())
 {
 return NULL;
 }
From 9fcbae29764abeb90427a5a091e23f1b11e47298 Mon Sep 17 00:00:00 2001
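Review bot: The `return NULL;` that PATCH 1/4 adds under `*admin_role = memberid;` exits roles_is_member_of from the middle of its scan, so in TSQL dialect the caller gets NULL as the function's result instead of whatever the scan would have built, and any cleanup or caching after that point is skipped. The loop and the function's exit path lie outside the hunk, so this should be confirmed against the full body; if the shortcut is wanted, set a flag and `break;` so the normal exit path still runs. PATCH 2/4 narrows the condition to `roleid == (*get_bbf_admin_oid_hook)()` but keeps the same `return NULL;`, so the point applies there too. Any caller that uses the return value for a membership or privilege test would silently see no memberships on this path.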
From: ANJU BHARTI
Date: Tue, 31 Dec 2024 14:58:05 +0000
Subject: [PATCH 3/4] Add hook in is_admin_of_role
Signed-off-by: ANJU BHARTI
---
 src/backend/utils/adt/acl.c | 28 +++++++++++++++-------------
 src/include/utils/acl.h | 3 +++
 2 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 6938ea07970..341c56bbdcc 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -134,6 +134,7 @@ bbf_get_sysadmin_oid_hook_type bbf_get_sysadmin_oid_hook = NULL;
 get_bbf_admin_oid_hook_type get_bbf_admin_oid_hook = NULL;
 pltsql_get_object_owner_hook_type pltsql_get_object_owner_hook = NULL;
 is_bbf_db_ddladmin_operation_hook_type is_bbf_db_ddladmin_operation_hook = NULL;
+has_bbf_role_direct_membership_with_admin_true_hook_type has_bbf_role_direct_membership_with_admin_true_hook = NULL;
 /*
@@ -5076,19 +5077,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 */
 if (otherid == admin_of && form->admin_option && OidIsValid(admin_of) && !OidIsValid(*admin_role))
- {
- *admin_role = memberid;
-
- /*
- * Need not to iterate through all the members
- * if roleid is bbf_role_admin and admin_role is found.
- */
- if (sql_dialect == SQL_DIALECT_TSQL &&
- get_bbf_admin_oid_hook && roleid == (*get_bbf_admin_oid_hook)())
- {
- return NULL;
- }
- }
+ *admin_role = memberid;
 /* If we're supposed to ignore non-heritable grants, do so. */
 if (type == ROLERECURSE_PRIVS && !form->inherit_option)
@@ -5290,6 +5279,19 @@ is_admin_of_role(Oid member, Oid role)
 if (member == role)
 return false;
+ /*
+ * Check if the given member is bbf_role_admin.
+ * If the member has the privilege to grant a given role through direct membership,
+ * returns the member with admin option set to true.
+ */
+ if (sql_dialect == SQL_DIALECT_TSQL
+ && get_bbf_admin_oid_hook && member == (*get_bbf_admin_oid_hook)()
+ && (has_bbf_role_direct_membership_with_admin_true_hook)
+ && (*has_bbf_role_direct_membership_with_admin_true_hook)(role))
+ {
+ return member;
+ }
+
 (void) roles_is_member_of(member, ROLERECURSE_MEMBERS, role, &admin_role);
 return OidIsValid(admin_role);
 }
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 1df439f3692..74e48a7af57 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -309,6 +309,9 @@ extern PGDLLEXPORT is_bbf_db_ddladmin_operation_hook_type is_bbf_db_ddladmin_ope
 typedef bool (*pltsql_allow_storing_init_privs_hook_type) (Oid objoid, Oid classoid, int objsubid);
 extern PGDLLEXPORT pltsql_allow_storing_init_privs_hook_type pltsql_allow_storing_init_privs_hook;
+typedef bool (*has_bbf_role_direct_membership_with_admin_true_hook_type) (Oid);
+extern PGDLLEXPORT has_bbf_role_direct_membership_with_admin_true_hook_type has_bbf_role_direct_membership_with_admin_true_hook;
+
 #define IS_BBF_DB_DDLADMIN(namespaceId) \
 (is_bbf_db_ddladmin_operation_hook && \
 is_bbf_db_ddladmin_operation_hook(namespaceId))
From 3919861e249bc9332ea58208bfdc583ad9c237ae Mon Sep 17 00:00:00 2001
From: ANJU BHARTI
Date: Wed, 1 Jan 2025 09:28:45 +0000
Subject: [PATCH 4/4] Add conditions inside hook
Signed-off-by: ANJU BHARTI
---
 src/backend/utils/adt/acl.c | 15 ++++-----------
 src/include/utils/acl.h | 4 ++--
 2 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 341c56bbdcc..141310b14ca 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
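Review bot: The hook typedef that PATCH 3/4 adds to acl.h declares its parameter as a bare `(Oid)`, while the neighbouring `pltsql_allow_storing_init_privs_hook_type` names each parameter, and PATCH 4/4 widens it to `(Oid, Oid)`. With two arguments of the same type the compiler cannot catch a swapped member/role pair, and in a hook that decides whether a role may be granted that is a silent authorization error. Name them in the typedef, `typedef bool (*bbf_check_member_has_direct_priv_to_grant_role_hook_type) (Oid member, Oid role);`, and add a one-line comment above it saying that the first argument is the would-be grantor and the second the role being granted.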
@@ -134,7 +134,7 @@ bbf_get_sysadmin_oid_hook_type bbf_get_sysadmin_oid_hook = NULL;
 get_bbf_admin_oid_hook_type get_bbf_admin_oid_hook = NULL;
 pltsql_get_object_owner_hook_type pltsql_get_object_owner_hook = NULL;
 is_bbf_db_ddladmin_operation_hook_type is_bbf_db_ddladmin_operation_hook = NULL;
-has_bbf_role_direct_membership_with_admin_true_hook_type has_bbf_role_direct_membership_with_admin_true_hook = NULL;
+bbf_check_member_has_direct_priv_to_grant_role_hook_type bbf_check_member_has_direct_priv_to_grant_role_hook = NULL;
 /*
@@ -5279,17 +5279,10 @@ is_admin_of_role(Oid member, Oid role)
 if (member == role)
 return false;
- /*
- * Check if the given member is bbf_role_admin.
- * If the member has the privilege to grant a given role through direct membership,
- * returns the member with admin option set to true.
- */
- if (sql_dialect == SQL_DIALECT_TSQL
- && get_bbf_admin_oid_hook && member == (*get_bbf_admin_oid_hook)()
- && (has_bbf_role_direct_membership_with_admin_true_hook)
- && (*has_bbf_role_direct_membership_with_admin_true_hook)(role))
+ if ((bbf_check_member_has_direct_priv_to_grant_role_hook)
+ && (*bbf_check_member_has_direct_priv_to_grant_role_hook)(member, role))
 {
- return member;
+ return true;
 }
 (void) roles_is_member_of(member, ROLERECURSE_MEMBERS, role, &admin_role);
 return OidIsValid(admin_role);
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 74e48a7af57..b672a2f340d 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
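Review bot: The shortcut in is_admin_of_role (PATCH 4/4, second acl.c hunk) now has neither a comment nor any in-core guard: the `sql_dialect == SQL_DIALECT_TSQL` and `member == (*get_bbf_admin_oid_hook)()` tests were moved into the hook, so core returns `true` for any (member, role) pair on the hook's word alone, before roles_is_member_of is called. Because the pointer is declared `extern PGDLLEXPORT` in acl.h, whichever loaded module assigns it takes over the ADMIN OPTION decision for every session, not only TSQL ones. State the contract where the hook is called, for example `/* Hook must return true only when member holds a direct grant on role WITH ADMIN OPTION; it is responsible for its own dialect and member checks. */`, and consider keeping the cheap `sql_dialect == SQL_DIALECT_TSQL &&` test in core so the hook is never consulted outside the dialect it was written for. The opening lines of the function are outside the hunk.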
@@ -309,8 +309,8 @@ extern PGDLLEXPORT is_bbf_db_ddladmin_operation_hook_type is_bbf_db_ddladmin_ope
 typedef bool (*pltsql_allow_storing_init_privs_hook_type) (Oid objoid, Oid classoid, int objsubid);
 extern PGDLLEXPORT pltsql_allow_storing_init_privs_hook_type pltsql_allow_storing_init_privs_hook;
-typedef bool (*has_bbf_role_direct_membership_with_admin_true_hook_type) (Oid);
-extern PGDLLEXPORT has_bbf_role_direct_membership_with_admin_true_hook_type has_bbf_role_direct_membership_with_admin_true_hook;
+typedef bool (*bbf_check_member_has_direct_priv_to_grant_role_hook_type) (Oid, Oid);
+extern PGDLLEXPORT bbf_check_member_has_direct_priv_to_grant_role_hook_type bbf_check_member_has_direct_priv_to_grant_role_hook;
 #define IS_BBF_DB_DDLADMIN(namespaceId) \
 (is_bbf_db_ddladmin_operation_hook && \