Support Same-DB Ownership Chaining for object references inside Procedure/Functions (#616)

HarshLunagariya · pranavJ23 · web-flow · commit 3e22092448b0 · 2025-09-19T10:44:36.000+05:30
This commit implements the ownership chaining support for object references inside function/procedure. The basic idea of Ownership chaining is that when one object references another, and both have the same owner, then permissions are only checked when the top-level object is accessed. Core Functionality: Added support for ownership chaining within the same database for procedures and functions Key Components Modified: Added ownership chain validation in permission checks Walker function to mark relations and functions inside view definitions Implementation: Walker function to mark relations and functions inside view definitions Walks through the query parse tree to: Mark relations and functions as being inside a view context For relations: Set checkAsUser to the view_owner when it matches the relation's owner, enabling permission checking to pass at the executor stage (ownership chaining) For procedures/functions: Store the view_owner in the parentOwnerId field to support procedure/function-specific ownership chaining logic during permission checks at the executor stage Extension PR : babelfish-for-postgresql/babelfish_extensions#4057 Task: BABEL-6030 Signed-off-by: Harsh Lunagariya <lunharsh@amazon.com> Co-authored-by: pranav jain <pranav23iitd@gmail.com>
diff --git a/src/backend/commands/functioncmds.c b/src/backend/commands/functioncmds.c
@@ -2362,7 +2362,7 @@ ExecuteCallStmt(CallStmt *stmt, ParamListInfo params, bool atomic, DestReceiver
 	Assert(IsA(fexpr, FuncExpr));
 
 	if (ExecFuncProc_AclCheck_hook)
-		aclresult = ExecFuncProc_AclCheck_hook(fexpr->funcid);
+		aclresult = ExecFuncProc_AclCheck_hook(fexpr->funcid, (Expr *)fexpr);
 	else
 		aclresult = object_aclcheck(ProcedureRelationId, fexpr->funcid, GetUserId(), ACL_EXECUTE);
 	if (aclresult != ACLCHECK_OK)
diff --git a/src/backend/executor/execExpr.c b/src/backend/executor/execExpr.c
@@ -2639,7 +2639,7 @@ ExecInitFunc(ExprEvalStep *scratch, Expr *node, List *args, Oid funcid,
 
 	/* Check permission to call function */
 	if (ExecFuncProc_AclCheck_hook)
-		aclresult = ExecFuncProc_AclCheck_hook(funcid);
+		aclresult = ExecFuncProc_AclCheck_hook(funcid, node);
 	else
 		aclresult = object_aclcheck(ProcedureRelationId, funcid, GetUserId(), ACL_EXECUTE);
 	if (aclresult != ACLCHECK_OK)
diff --git a/src/backend/executor/execSRF.c b/src/backend/executor/execSRF.c
@@ -703,7 +703,7 @@ init_sexpr(Oid foid, Oid input_collation, Expr *node,
 
 	/* Check permission to call function */
 	if (ExecFuncProc_AclCheck_hook)
-		aclresult = ExecFuncProc_AclCheck_hook(foid);
+		aclresult = ExecFuncProc_AclCheck_hook(foid, node);
 	else
 		aclresult = object_aclcheck(ProcedureRelationId, foid, GetUserId(), ACL_EXECUTE);
 	if (aclresult != ACLCHECK_OK)
diff --git a/src/include/executor/execExpr.h b/src/include/executor/execExpr.h
@@ -46,7 +46,7 @@ typedef bool (*ExecEvalBoolSubroutine) (ExprState *state,
  * Helpful in cases when permissions need to be checked against
  * a different user instead of current user.
  */
-typedef AclResult (*ExecFuncProc_AclCheck_hook_type) (Oid funcid);
+typedef AclResult (*ExecFuncProc_AclCheck_hook_type) (Oid funcid, Expr *fexpr);
 extern PGDLLIMPORT ExecFuncProc_AclCheck_hook_type ExecFuncProc_AclCheck_hook;
 
 /* ExprEvalSteps that cache a composite type's tupdesc need one of these */
