Exclude grant/revoke dbo to master user while creating database/alter…

… authorization on database (babelfish-for-postgresql#2963) Earlier with the fix for BABEL-5119, BABEL-5218, we were granting dbo to the login while creating the database and granting/revoking dbo to/from login while alter authorization on database but it is not required to grant/revoke dbo to/from master user since it will always be member of sysadmin. With this commit, we have excluded granting/revoking dbo to/from master user while creating database or doing alter authorization on database. Issues Resolved Regression of BABEL-5119, BABEL-5218 Signed-off-by: ANJU BHARTI <[email protected]>
amazon-aurora · Sep 25, 2024 · 38259e3 · 38259e3
1 parent 3997e2e
commit 38259e3
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 8 deletions.
diff --git a/contrib/babelfishpg_tsql/src/dbcmds.c b/contrib/babelfishpg_tsql/src/dbcmds.c
@@ -88,12 +88,16 @@ gen_createdb_subcmds(const char *dbname, const char *owner)
 	const char     *db_owner;
 	const char     *guest;
 	const char     *guest_schema;
+	Oid       	owner_oid;
+	bool     	owner_is_sa;
 
 	schema = get_dbo_schema_name(dbname);
 	dbo = get_dbo_role_name(dbname);
 	db_owner = get_db_owner_name(dbname);
 	guest = get_guest_role_name(dbname);
 	guest_schema = get_guest_schema_name(dbname);
+	owner_oid = get_role_oid(owner, true);
+	owner_is_sa = role_is_sa(owner_oid);
 
 	/*
 	 * To avoid SQL injection, we generate statement parsetree with dummy
@@ -104,7 +108,10 @@ gen_createdb_subcmds(const char *dbname, const char *owner)
 	appendStringInfo(&query, "CREATE ROLE dummy CREATEROLE INHERIT; ");
 	appendStringInfo(&query, "CREATE ROLE dummy INHERIT CREATEROLE ROLE sysadmin IN ROLE dummy; ");
 	appendStringInfo(&query, "GRANT CREATE, CONNECT, TEMPORARY ON DATABASE dummy TO dummy; ");
-	appendStringInfo(&query, "GRANT dummy TO dummy; ");
+
+	/* Only grant dbo to owner if owner is not master user  */
+	if (!owner_is_sa)
+		appendStringInfo(&query, "GRANT dummy TO dummy; ");
 
 	if (guest)
 	{
@@ -125,9 +132,19 @@ gen_createdb_subcmds(const char *dbname, const char *owner)
 	res = raw_parser(query.data, RAW_PARSE_DEFAULT);
 
 	if (guest)
-		expected_stmt_num = list_length(logins) > 0 ? 10 : 9;
+	{
+		if (!owner_is_sa)
+			expected_stmt_num = list_length(logins) > 0 ? 10 : 9;	
+		else
+			expected_stmt_num = list_length(logins) > 0 ? 9 : 8;
+	}
 	else
-		expected_stmt_num = 7;
+	{
+		expected_stmt_num = 6;
+
+		if (!owner_is_sa)
+			expected_stmt_num++;
+	}
 
 	if (list_length(res) != expected_stmt_num)
 		ereport(ERROR,
@@ -145,11 +162,13 @@ gen_createdb_subcmds(const char *dbname, const char *owner)
 	stmt = parsetree_nth_stmt(res, i++);
 	update_GrantStmt(stmt, get_database_name(MyDatabaseId), NULL, dbo, NULL);
 
-	/* Grant dbo role to owner */
-	stmt = parsetree_nth_stmt(res, i++);
-
-	update_GrantRoleStmt(stmt, list_make1(make_accesspriv_node(dbo)),
-						 list_make1(make_rolespec_node(owner)));
+	if (!owner_is_sa)
+	{
+		/* Grant dbo role to owner */
+		stmt = parsetree_nth_stmt(res, i++);
+		update_GrantRoleStmt(stmt, list_make1(make_accesspriv_node(dbo)),
+							list_make1(make_rolespec_node(owner)));
+	}
 
 	if (guest)
 	{

diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c
@@ -588,6 +588,14 @@ grant_revoke_dbo_to_login(const char* login, const char* db_name, bool is_grant)
 	PlannedStmt *wrapper;
 
 	const char *dbo_role_name = get_dbo_role_name(db_name);
+
+	/*
+	 * If login i.e old_owner/new_owner is master user 
+	 * then skip grant/revoke dbo to login
+	 * since it will always be the member of sysadmin.
+	 */
+	if (role_is_sa(get_role_oid(login, true)))
+		return;
 
 	initStringInfo(&query);