36 changes: 36 additions & 0 deletions src/backend/catalog/aclchk.c
Expand Up @@ -173,6 +173,7 @@ static void recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid

tsql_has_linked_srv_permissions_hook_type tsql_has_linked_srv_permissions_hook = NULL;
bbf_execute_grantstmt_as_dbsecadmin_hook_type bbf_execute_grantstmt_as_dbsecadmin_hook = NULL;
update_bbf_schema_permissions_catalog_hook_type update_bbf_schema_permissions_catalog_hook = NULL;
pltsql_allow_storing_init_privs_hook_type pltsql_allow_storing_init_privs_hook = NULL;
/*
* If is_grant is true, adds the given privileges for the list of
Expand Down Expand Up @@ -2052,6 +2053,25 @@ ExecGrant_Relation(InternalGrant *istmt)
NameStr(pg_class_tuple->relname),
0, NULL);

/*
* Call the hook to add the permission in bbf_schema_permissions catalog
* If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked.
* In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist.
*/
if (update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees,

we need dialect check?

Author

Yes there is a dialect check inside the hook.

istmt->col_privs, pg_class_tuple->oid, GetUserNameFromId(grantorId, false),
istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype))
{
pfree(old_rel_acl);
pfree(col_privileges);
if (!is_enr)
UnlockTuple(relation, &tuple->t_self, InplaceUpdateTupleLock);
ReleaseSysCache(tuple);
table_close(attRelation, RowExclusiveLock);
table_close(relation, RowExclusiveLock);
return;

we are inside FOR loop here? do we really want to exit early?

}

/*
* Generate new ACL.
*/
Expand Down Expand Up @@ -2272,6 +2292,22 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs,
NameStr(*DatumGetName(nameDatum)),
0, NULL);

/*
* Call the hook to add the permission in bbf_schema_permissions catalog
* If the hook returns false, indicates that object-level and schema-level grants both are present and schema-level grant is revoked.
* In such case we remove schema-level entry from the bbf_schema_permissions catalog but skip the execution of revoke as object-level grants exist.
*/
if (update_bbf_schema_permissions_catalog_hook && !(*update_bbf_schema_permissions_catalog_hook) (this_privileges, istmt->is_grant, istmt->grantees,
istmt->col_privs, objectid, GetUserNameFromId(grantorId, false),
istmt->grant_option, GetUserNameFromId(ownerId, false), istmt->objtype))
{
if (!is_enr)
UnlockTuple(relation, &tuple->t_self, InplaceUpdateTupleLock);
ReleaseSysCache(tuple);
table_close(relation, RowExclusiveLock);
return;
}

/*
* Generate new ACL.
*/
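Review bot: When the hook returns false, both early-return branches (the one in ExecGrant_Relation and the one in ExecGrant_common) leave the object's ACL unchanged and return without emitting any message, so a REVOKE that was deliberately not applied leaves no trace for someone later auditing why a privilege survived it. Consider logging just before the cleanup, for example `elog(DEBUG1, "skipping ACL revoke on object %u: object-level grant still present", objectid);` in ExecGrant_common, and the same with `pg_class_tuple->oid` in ExecGrant_Relation. The block comment above each call would also be more accurate as "add or remove the permission", since the same call runs for REVOKE with `istmt->is_grant` false. Both enclosing functions start and end outside the hunks shown.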
3 changes: 3 additions & 0 deletions src/include/utils/acl.h
Expand Up @@ -312,6 +312,9 @@ extern PGDLLEXPORT pltsql_allow_storing_init_privs_hook_type pltsql_allow_storin
typedef bool (*bbf_check_member_has_direct_priv_to_grant_role_hook_type) (Oid, Oid);
extern PGDLLEXPORT bbf_check_member_has_direct_priv_to_grant_role_hook_type bbf_check_member_has_direct_priv_to_grant_role_hook;

typedef bool (*update_bbf_schema_permissions_catalog_hook_type) (AclMode , bool, List*, List*, Oid, const char*, bool, const char*, ObjectType);
extern PGDLLEXPORT update_bbf_schema_permissions_catalog_hook_type update_bbf_schema_permissions_catalog_hook;

#define IS_BBF_DB_DDLADMIN(namespaceId) \
(is_bbf_db_ddladmin_operation_hook && \
is_bbf_db_ddladmin_operation_hook(namespaceId))
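Review bot: The new `update_bbf_schema_permissions_catalog_hook_type` typedef declares nine unnamed parameters, including two `bool`s and two `const char*`s that are easy to transpose, and nothing at the declaration says that a false return makes the caller skip the ACL change. Because this hook decides whether a REVOKE is actually applied, the contract belongs at the declaration rather than only at the call sites. Going by the arguments passed in aclchk.c, the parameters could be named `(AclMode privileges, bool is_grant, List *grantees, List *col_privs, Oid objid, const char *grantor, bool grant_option, const char *owner, ObjectType objtype)`, preceded by a comment such as `/* Returns false when the caller must skip the ACL update (schema-level revoke while object-level grants remain). */`.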