From f5c15e2392415178e1748553535a554a6016b78c Mon Sep 17 00:00:00 2001 From: Shreya Rai Date: Mon, 9 Jun 2025 09:31:11 +0000 Subject: [PATCH 1/3] Added full support for sys.database_permissions view Signed-off-by: Shreya Rai --- src/backend/catalog/aclchk.c | 25 ++++++++++++++++++++++++- src/include/utils/acl.h | 3 +++ 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index a9a626db3c1..e585122871b 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -173,6 +173,7 @@ static void recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid tsql_has_linked_srv_permissions_hook_type tsql_has_linked_srv_permissions_hook = NULL; bbf_execute_grantstmt_as_dbsecadmin_hook_type bbf_execute_grantstmt_as_dbsecadmin_hook = NULL; +update_bbf_schema_permissions_catalog_hook_type update_bbf_schema_permissions_catalog_hook = NULL; pltsql_allow_storing_init_privs_hook_type pltsql_allow_storing_init_privs_hook = NULL; /* * If is_grant is true, adds the given privileges for the list of @@ -2040,7 +2041,7 @@ ExecGrant_Relation(InternalGrant *istmt) { (*bbf_execute_grantstmt_as_dbsecadmin_hook) (objtype, relOid, ownerId, this_privileges, &grantorId, &avail_goptions); } - + /* * Restrict the privileges to what we can actually grant, and emit * the standards-mandated warning and error messages. @@ -2052,6 +2053,16 @@ ExecGrant_Relation(InternalGrant *istmt) NameStr(pg_class_tuple->relname), 0, NULL); + /* Call the hook to add the permission in bbf_schema_permissions catalog + * If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked. + * In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist. + */ + if (update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees, + istmt->col_privs, pg_class_tuple->oid, GetUserNameFromId(grantorId, false), + istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype)) + { + return; + } /* * Generate new ACL. */ @@ -2258,6 +2269,7 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs, (*bbf_execute_grantstmt_as_dbsecadmin_hook) (get_object_type(classid, objectid), objectid, ownerId, istmt->privileges, &grantorId, &avail_goptions); } + nameDatum = SysCacheGetAttrNotNull(cacheid, tuple, get_object_attnum_name(classid)); @@ -2272,6 +2284,17 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs, NameStr(*DatumGetName(nameDatum)), 0, NULL); + /* Call the hook to add the permission in bbf_schema_permissions catalog + * If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked. + * In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist. + */ + if ((istmt->objtype == OBJECT_PROCEDURE || istmt->objtype == OBJECT_FUNCTION) && update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees, + istmt->col_privs, objectid, GetUserNameFromId(grantorId, false), + istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype)) + { + return; + } + /* * Generate new ACL. */ diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h index b672a2f340d..73a5c378b0f 100644 --- a/src/include/utils/acl.h +++ b/src/include/utils/acl.h @@ -312,6 +312,9 @@ extern PGDLLEXPORT pltsql_allow_storing_init_privs_hook_type pltsql_allow_storin typedef bool (*bbf_check_member_has_direct_priv_to_grant_role_hook_type) (Oid, Oid); extern PGDLLEXPORT bbf_check_member_has_direct_priv_to_grant_role_hook_type bbf_check_member_has_direct_priv_to_grant_role_hook; +typedef bool (*update_bbf_schema_permissions_catalog_hook_type) (AclMode , bool, List*, List*, Oid, const char*, bool, const char*, ObjectType); +extern PGDLLEXPORT update_bbf_schema_permissions_catalog_hook_type update_bbf_schema_permissions_catalog_hook; + #define IS_BBF_DB_DDLADMIN(namespaceId) \ (is_bbf_db_ddladmin_operation_hook && \ is_bbf_db_ddladmin_operation_hook(namespaceId)) From f4300bc4c61fda8bdfd170764c4ac72981c8f649 Mon Sep 17 00:00:00 2001 From: Shreya Rai Date: Wed, 18 Jun 2025 17:52:28 +0000 Subject: [PATCH 2/3] Released locks before returning from ExecGrant function Signed-off-by: Shreya Rai --- src/backend/catalog/aclchk.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index e585122871b..4a0d5958857 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -2061,6 +2061,13 @@ ExecGrant_Relation(InternalGrant *istmt) istmt->col_privs, pg_class_tuple->oid, GetUserNameFromId(grantorId, false), istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype)) { + pfree(old_rel_acl); + pfree(col_privileges); + if (!is_enr) + UnlockTuple(relation, &tuple->t_self, InplaceUpdateTupleLock); + ReleaseSysCache(tuple); + table_close(attRelation, RowExclusiveLock); + table_close(relation, RowExclusiveLock); return; } /* @@ -2288,10 +2295,14 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs, * If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked. * In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist. */ - if ((istmt->objtype == OBJECT_PROCEDURE || istmt->objtype == OBJECT_FUNCTION) && update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees, + if (update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees, istmt->col_privs, objectid, GetUserNameFromId(grantorId, false), istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype)) { + if (!is_enr) + UnlockTuple(relation, &tuple->t_self, InplaceUpdateTupleLock); + ReleaseSysCache(tuple); + table_close(relation, RowExclusiveLock); return; } From 8e1ff4cd645c89d4800d5bc5ff96205e52d7506e Mon Sep 17 00:00:00 2001 From: Shreya Rai Date: Fri, 20 Jun 2025 08:36:12 +0000 Subject: [PATCH 3/3] fixed indentation Signed-off-by: Shreya Rai --- src/backend/catalog/aclchk.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index 4a0d5958857..b571457be53 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -2041,7 +2041,7 @@ ExecGrant_Relation(InternalGrant *istmt) { (*bbf_execute_grantstmt_as_dbsecadmin_hook) (objtype, relOid, ownerId, this_privileges, &grantorId, &avail_goptions); } - + /* * Restrict the privileges to what we can actually grant, and emit * the standards-mandated warning and error messages. @@ -2053,10 +2053,11 @@ ExecGrant_Relation(InternalGrant *istmt) NameStr(pg_class_tuple->relname), 0, NULL); - /* Call the hook to add the permission in bbf_schema_permissions catalog - * If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked. - * In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist. - */ + /* + * Call the hook to add the permission in bbf_schema_permissions catalog + * If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked. + * In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist. + */ if (update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees, istmt->col_privs, pg_class_tuple->oid, GetUserNameFromId(grantorId, false), istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype)) @@ -2069,7 +2070,8 @@ ExecGrant_Relation(InternalGrant *istmt) table_close(attRelation, RowExclusiveLock); table_close(relation, RowExclusiveLock); return; - } + } + /* * Generate new ACL. */ @@ -2276,7 +2278,6 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs, (*bbf_execute_grantstmt_as_dbsecadmin_hook) (get_object_type(classid, objectid), objectid, ownerId, istmt->privileges, &grantorId, &avail_goptions); } - nameDatum = SysCacheGetAttrNotNull(cacheid, tuple, get_object_attnum_name(classid)); @@ -2291,10 +2292,11 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs, NameStr(*DatumGetName(nameDatum)), 0, NULL); - /* Call the hook to add the permission in bbf_schema_permissions catalog - * If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked. - * In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist. - */ + /* + * Call the hook to add the permission in bbf_schema_permissions catalog + * If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked. + * In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist. + */ if (update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees, istmt->col_privs, objectid, GetUserNameFromId(grantorId, false), istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype))