diff --git a/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c b/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c index 01e9c5a465..58585d5dbc 100644 --- a/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c +++ b/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c @@ -68,6 +68,18 @@ static bool handle_dropdb(DropdbStmt *dropdb_stmt); static char *get_role_name(RoleSpec *role); char *get_rolespec_name_internal(const RoleSpec *role, bool missing_ok); +static Oid bbf_admin_oid = InvalidOid; + +/* Returns OID of bbf_role_admin server role */ +static Oid +get_bbf_role_admin_oid(void) +{ + if (!OidIsValid(bbf_admin_oid)) + bbf_admin_oid = get_role_oid(BABELFISH_ROLE_ADMIN, false); + return bbf_admin_oid; +} + + /* * GetUTF8CodePoint - extract the next Unicode code point from 1..4 * bytes at 'in' in UTF-8 encoding. @@ -893,19 +905,15 @@ get_rolespec_name_internal(const RoleSpec *role, bool missing_ok) static void check_babelfish_droprole_restrictions(char *role) { - Oid bbf_role_admin_oid = InvalidOid; - if (MyProcPort->is_tds_conn && sql_dialect == SQL_DIALECT_TSQL) return; - bbf_role_admin_oid = get_role_oid(BABELFISH_ROLE_ADMIN, false); - /* * Allow DROP ROLE if current user is bbf_role_admin as we need * to allow remove_babelfish from PG endpoint. It is safe * since only superusers can assume this role. */ - if (bbf_role_admin_oid == GetUserId()) + if (get_bbf_role_admin_oid() == GetUserId()) return; if (is_babelfish_role(role)) @@ -939,17 +947,21 @@ is_babelfish_role(const char *role) Oid bbf_master_guest_oid; Oid bbf_tempdb_guest_oid; Oid bbf_msdb_guest_oid; - Oid securityadmin_oid; + Oid securityadmin; + Oid dbcreator; sysadmin_oid = get_role_oid(BABELFISH_SYSADMIN, true); /* missing OK */ role_oid = get_role_oid(role, true); /* missing OK */ - securityadmin_oid = get_role_oid(BABELFISH_SECURITYADMIN, true); /* missing OK */ + securityadmin = get_role_oid(BABELFISH_SECURITYADMIN, true); /* missing OK */ + dbcreator = get_role_oid(BABELFISH_DBCREATOR, true); /* missing OK */ - if (!OidIsValid(sysadmin_oid) || !OidIsValid(role_oid)) + if (!OidIsValid(sysadmin_oid) || !OidIsValid(role_oid) + || !OidIsValid(securityadmin) || !OidIsValid(dbcreator)) return false; if (is_member_of_role(sysadmin_oid, role_oid) || - is_member_of_role(securityadmin_oid, role_oid) || + is_member_of_role(securityadmin, role_oid) || + is_member_of_role(dbcreator, role_oid) || pg_strcasecmp(role, BABELFISH_ROLE_ADMIN) == 0) /* check if it is bbf_role_admin */ return true; @@ -1206,24 +1218,20 @@ static bool handle_grant_role(GrantRoleStmt *grant_stmt) { ListCell *item; - Oid bbf_role_admin_oid = InvalidOid; - Oid securityadmin_oid = InvalidOid; if (MyProcPort->is_tds_conn && sql_dialect == SQL_DIALECT_TSQL) return true; - bbf_role_admin_oid = get_role_oid(BABELFISH_ROLE_ADMIN, false); - securityadmin_oid = get_role_oid(BABELFISH_SECURITYADMIN, false); /* * Allow GRANT ROLE if current user is bbf_role_admin as we need * to allow initialise_babelfish from PG endpoint. It is safe * since only superusers can assume this role. */ - if (bbf_role_admin_oid == GetUserId()) + if (get_bbf_role_admin_oid() == GetUserId()) return true; - /* Restrict roles to added as a member of bbf_role_admin/securityadmin */ + /* Restrict roles to added as a member of BBF default server roles */ foreach(item, grant_stmt->granted_roles) { AccessPriv *priv = (AccessPriv *) lfirst(item); @@ -1234,18 +1242,19 @@ handle_grant_role(GrantRoleStmt *grant_stmt) continue; roleid = get_role_oid(rolename, false); - if (OidIsValid(roleid) && (roleid == bbf_role_admin_oid || roleid == securityadmin_oid)) + if (OidIsValid(roleid) && IS_DEFAULT_BBF_SERVER_ROLE(rolename)) check_babelfish_alterrole_restictions(false); } - /* Restrict grant to/from bbf_role_admin/securityadmin role */ + /* Restrict grant to/from bbf_role_admin, securityadmin or dbcreator role */ + foreach(item, grant_stmt->grantee_roles) { RoleSpec *rolespec = lfirst_node(RoleSpec, item); Oid roleid; roleid = get_rolespec_oid(rolespec, false); - if (OidIsValid(roleid) && (roleid == bbf_role_admin_oid || roleid == securityadmin_oid)) + if (OidIsValid(roleid) && IS_DEFAULT_BBF_SERVER_ROLE(rolespec->rolename)) check_babelfish_alterrole_restictions(false); } diff --git a/contrib/babelfishpg_tds/src/include/tds_int.h b/contrib/babelfishpg_tds/src/include/tds_int.h index c1048c5c50..4b58fcec9f 100644 --- a/contrib/babelfishpg_tds/src/include/tds_int.h +++ b/contrib/babelfishpg_tds/src/include/tds_int.h @@ -257,6 +257,13 @@ extern ProcessUtility_hook_type next_ProcessUtility; #define BABELFISH_SYSADMIN "sysadmin" #define BABELFISH_ROLE_ADMIN "bbf_role_admin" #define BABELFISH_SECURITYADMIN "securityadmin" +#define BABELFISH_DBCREATOR "dbcreator" + +#define IS_DEFAULT_BBF_SERVER_ROLE(rolename) \ + ((strlen(rolename) == 13 && strncmp(rolename, BABELFISH_SECURITYADMIN, 13) == 0) || \ + (strlen(rolename) == 14 && strncmp(rolename, BABELFISH_ROLE_ADMIN, 14) == 0) || \ + (strlen(rolename) == 9 && strncmp(rolename, BABELFISH_DBCREATOR, 9) == 0) || \ + (strlen(rolename) == 8 && strncmp(rolename, BABELFISH_SYSADMIN, 8) == 0)) /* Functions in backend/tds/tdscomm.c */ extern void TdsSetMessageType(uint8_t msgType); diff --git a/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql b/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql index 9cb78f11f0..c3a4835393 100644 --- a/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql +++ b/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql @@ -2141,7 +2141,7 @@ BEGIN FROM sys.server_principals WHERE pg_catalog.lower(name) = login COLLATE sys.database_default - AND type = 'S')); + AND type IN ('S', 'R'))); IF NOT login_valid THEN RETURN NULL; @@ -2149,8 +2149,10 @@ BEGIN ELSIF role = 'public' COLLATE sys.database_default THEN RETURN 1; - ELSIF role = 'sysadmin' COLLATE sys.database_default OR role = 'securityadmin' COLLATE sys.database_default THEN - has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') OR pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER')); + ELSIF role COLLATE sys.database_default IN ('sysadmin', 'securityadmin', 'dbcreator') THEN + has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') + OR ((login COLLATE sys.database_default NOT IN ('sysadmin', 'securityadmin', 'dbcreator')) + AND pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER'))); IF has_role THEN RETURN 1; ELSE @@ -2161,7 +2163,6 @@ BEGIN 'serveradmin', 'setupadmin', 'processadmin', - 'dbcreator', 'diskadmin', 'bulkadmin') THEN RETURN 0; @@ -2410,8 +2411,8 @@ BEGIN OR pg_catalog.lower(rolname) = pg_catalog.lower(PG_CATALOG.RTRIM(@srvrolename))) AND type = 'R') OR pg_catalog.lower(PG_CATALOG.RTRIM(@srvrolename)) IN ( - 'serveradmin', 'setupadmin', 'securityadmin', 'processadmin', - 'dbcreator', 'diskadmin', 'bulkadmin') + 'serveradmin', 'setupadmin', 'processadmin', + 'diskadmin', 'bulkadmin') BEGIN SELECT CAST(Ext1.rolname AS sys.SYSNAME) AS 'ServerRole', CAST(Ext2.rolname AS sys.SYSNAME) AS 'MemberName', @@ -2529,7 +2530,12 @@ CAST(0 AS INT) AS serveradmin, CAST(0 AS INT) AS setupadmin, CAST(0 AS INT) AS processadmin, CAST(0 AS INT) AS diskadmin, -CAST(0 AS INT) AS dbcreator, +CAST( + CASE + WHEN is_srvrolemember('dbcreator', Base.name) = 1 THEN 1 + ELSE 0 + END +AS INT) AS dbcreator, CAST(0 AS INT) AS bulkadmin FROM sys.server_principals AS Base WHERE Base.type in ('S', 'U'); diff --git a/contrib/babelfishpg_tsql/sql/ownership.sql b/contrib/babelfishpg_tsql/sql/ownership.sql index 078e32d1d4..fe902ff840 100644 --- a/contrib/babelfishpg_tsql/sql/ownership.sql +++ b/contrib/babelfishpg_tsql/sql/ownership.sql @@ -259,7 +259,7 @@ CREATE OR REPLACE PROCEDURE initialize_babelfish ( sa_name VARCHAR(128) ) LANGUAGE plpgsql AS $$ DECLARE - reserved_roles varchar[] := ARRAY['sysadmin', 'securityadmin', + reserved_roles varchar[] := ARRAY['sysadmin', 'securityadmin', 'dbcreator', 'master_dbo', 'master_guest', 'master_db_owner', 'master_db_accessadmin', 'master_db_datareader', 'master_db_datawriter', 'tempdb_dbo', 'tempdb_guest', 'tempdb_db_owner', 'tempdb_db_accessadmin', 'tempdb_db_datareader', 'tempdb_db_datawriter', 'msdb_dbo', 'msdb_guest', 'msdb_db_owner', 'msdb_db_accessadmin', 'msdb_db_datareader', 'msdb_db_datawriter']; @@ -290,12 +290,14 @@ BEGIN END IF; EXECUTE format('CREATE ROLE securityadmin CREATEROLE INHERIT PASSWORD NULL'); + EXECUTE format('CREATE ROLE dbcreator CREATEDB INHERIT PASSWORD NULL'); EXECUTE format('CREATE ROLE bbf_role_admin CREATEDB CREATEROLE INHERIT PASSWORD NULL'); EXECUTE format('GRANT CREATE ON DATABASE %s TO bbf_role_admin WITH GRANT OPTION', CURRENT_DATABASE()); EXECUTE format('GRANT %I to bbf_role_admin WITH ADMIN TRUE;', sa_name); EXECUTE format('CREATE ROLE sysadmin CREATEDB CREATEROLE INHERIT ROLE %I', sa_name); EXECUTE format('GRANT sysadmin TO bbf_role_admin WITH ADMIN TRUE'); EXECUTE format('GRANT securityadmin TO bbf_role_admin WITH ADMIN TRUE'); + EXECUTE format('GRANT dbcreator TO bbf_role_admin WITH ADMIN TRUE'); EXECUTE format('GRANT USAGE, SELECT ON SEQUENCE sys.babelfish_partition_function_seq TO sysadmin WITH GRANT OPTION'); EXECUTE format('GRANT USAGE, SELECT ON SEQUENCE sys.babelfish_partition_scheme_seq TO sysadmin WITH GRANT OPTION'); EXECUTE format('GRANT USAGE, SELECT ON SEQUENCE sys.babelfish_db_seq TO sysadmin WITH GRANT OPTION'); @@ -306,6 +308,7 @@ BEGIN CALL sys.babel_initialize_logins('sysadmin'); CALL sys.babel_initialize_logins('bbf_role_admin'); CALL sys.babel_initialize_logins('securityadmin'); + CALL sys.babel_initialize_logins('dbcreator'); CALL sys.babel_create_builtin_dbs(sa_name); CALL sys.initialize_babel_extras(); -- run analyze for all babelfish catalog @@ -329,6 +332,8 @@ BEGIN DROP ROLE bbf_role_admin; DROP OWNED BY securityadmin; DROP ROLE securityadmin; + DROP OWNED BY dbcreator; + DROP ROLE dbcreator; END $$; diff --git a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.4.0--4.5.0.sql b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.4.0--4.5.0.sql index c01afb0db7..bebf3dca04 100644 --- a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.4.0--4.5.0.sql +++ b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.4.0--4.5.0.sql @@ -68,17 +68,22 @@ $$; DO LANGUAGE plpgsql $$ -DECLARE securityadmin TEXT; +DECLARE + existing_server_roles TEXT; BEGIN - IF EXISTS ( - SELECT FROM pg_catalog.pg_roles - WHERE rolname = 'securityadmin') - THEN - RAISE EXCEPTION 'Role "securityadmin" already exists.'; + SELECT STRING_AGG(rolname::text, ', ') + INTO existing_server_roles FROM pg_catalog.pg_roles + WHERE rolname IN ('securityadmin', 'dbcreator'); + + IF existing_server_roles IS NOT NULL THEN + RAISE EXCEPTION 'The following role(s) already exist(s): %', existing_server_roles; ELSE EXECUTE format('CREATE ROLE securityadmin CREATEROLE INHERIT PASSWORD NULL'); EXECUTE format('GRANT securityadmin TO bbf_role_admin WITH ADMIN TRUE'); CALL sys.babel_initialize_logins('securityadmin'); + EXECUTE format('CREATE ROLE dbcreator CREATEDB INHERIT PASSWORD NULL'); + EXECUTE format('GRANT dbcreator TO bbf_role_admin WITH ADMIN TRUE'); + CALL sys.babel_initialize_logins('dbcreator'); END IF; END; $$; @@ -433,7 +438,12 @@ CAST(0 AS INT) AS serveradmin, CAST(0 AS INT) AS setupadmin, CAST(0 AS INT) AS processadmin, CAST(0 AS INT) AS diskadmin, -CAST(0 AS INT) AS dbcreator, +CAST( + CASE + WHEN is_srvrolemember('dbcreator', Base.name) = 1 THEN 1 + ELSE 0 + END +AS INT) AS dbcreator, CAST(0 AS INT) AS bulkadmin FROM sys.server_principals AS Base WHERE Base.type in ('S', 'U'); @@ -1553,7 +1563,7 @@ BEGIN FROM sys.server_principals WHERE pg_catalog.lower(name) = login COLLATE sys.database_default - AND type = 'S')); + AND type IN ('S', 'R'))); IF NOT login_valid THEN RETURN NULL; @@ -1561,8 +1571,10 @@ BEGIN ELSIF role = 'public' COLLATE sys.database_default THEN RETURN 1; - ELSIF role = 'sysadmin' COLLATE sys.database_default OR role = 'securityadmin' COLLATE sys.database_default THEN - has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') OR pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER')); + ELSIF role COLLATE sys.database_default IN ('sysadmin', 'securityadmin', 'dbcreator') THEN + has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') + OR ((login COLLATE sys.database_default NOT IN ('sysadmin', 'securityadmin', 'dbcreator')) + AND pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER'))); IF has_role THEN RETURN 1; ELSE @@ -1573,7 +1585,6 @@ BEGIN 'serveradmin', 'setupadmin', 'processadmin', - 'dbcreator', 'diskadmin', 'bulkadmin') THEN RETURN 0; @@ -1708,8 +1719,8 @@ BEGIN OR pg_catalog.lower(rolname) = pg_catalog.lower(PG_CATALOG.RTRIM(@srvrolename))) AND type = 'R') OR pg_catalog.lower(PG_CATALOG.RTRIM(@srvrolename)) IN ( - 'serveradmin', 'setupadmin', 'securityadmin', 'processadmin', - 'dbcreator', 'diskadmin', 'bulkadmin') + 'serveradmin', 'setupadmin', 'processadmin', + 'diskadmin', 'bulkadmin') BEGIN SELECT CAST(Ext1.rolname AS sys.SYSNAME) AS 'ServerRole', CAST(Ext2.rolname AS sys.SYSNAME) AS 'MemberName', diff --git a/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c b/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c index 55e29044ea..fd335593d3 100644 --- a/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c +++ b/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c @@ -2072,7 +2072,7 @@ check_server_role_and_throw_if_unsupported (const char *serverrole, int position errmsg("Fixed server role '%s' is currently not supported in Babelfish", serverrole), parser_errposition(position))); } - else if (!IS_ROLENAME_SYSADMIN(serverrole) && !IS_ROLENAME_SECURITYADMIN(serverrole)) + else if (!IS_BBF_FIXED_SERVER_ROLE(serverrole)) { ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("Only fixed server role is supported in ALTER SERVER ROLE statement"), diff --git a/contrib/babelfishpg_tsql/src/catalog.c b/contrib/babelfishpg_tsql/src/catalog.c index 2a899ce78f..0b8de9972a 100644 --- a/contrib/babelfishpg_tsql/src/catalog.c +++ b/contrib/babelfishpg_tsql/src/catalog.c @@ -4892,6 +4892,17 @@ rename_tsql_db(char *old_db_name, char *new_db_name) (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("Cannot change the name of the system database %s.", old_db_name))); + /* + * Check permission on the given database. + * Dbcreator can only alter the databases in which it has a mapped user. + */ + if (!has_privs_of_role(GetSessionUserId(), get_sysadmin_oid()) && !(get_user_for_database(old_db_name) + && has_privs_of_role(GetSessionUserId(), get_dbcreator_oid()))) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("User does not have permission to rename the database \'%s\', the database does not exist, or the database is not in a state that allows access checks.", + old_db_name))); + Assert (*pltsql_protocol_plugin_ptr); /* 50 tries with 100ms sleep between tries makes 5 sec total wait */ for (tries = 0; tries < 50; tries++) @@ -4912,13 +4923,6 @@ rename_tsql_db(char *old_db_name, char *new_db_name) (errcode(ERRCODE_OBJECT_IN_USE), errmsg("The database could not be exclusively locked to perform the operation."))); - /* Check permission on the given database. */ - if (!has_privs_of_role(GetSessionUserId(), get_role_oid("sysadmin", false))) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("User does not have permission to rename the database \'%s\', the database does not exist, or the database is not in a state that allows access checks.", - old_db_name))); - /* * Get an exclusive lock on the logical database we are trying to rename. */ diff --git a/contrib/babelfishpg_tsql/src/catalog.h b/contrib/babelfishpg_tsql/src/catalog.h index 75bb2ffdb5..5e2ba021b0 100644 --- a/contrib/babelfishpg_tsql/src/catalog.h +++ b/contrib/babelfishpg_tsql/src/catalog.h @@ -317,6 +317,7 @@ typedef FormData_bbf_function_ext *Form_bbf_function_ext; #define PUBLIC_ROLE_NAME "public" #define BABELFISH_SECURITYADMIN "securityadmin" #define BABELFISH_SYSADMIN "sysadmin" +#define BABELFISH_DBCREATOR "dbcreator" #define PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA "ALL" #define ALL_PERMISSIONS_ON_RELATION 47 /* last 6 bits as 101111 represents ALL privileges on a relation. */ #define ALL_PERMISSIONS_ON_FUNCTION 128 /* last 8 bits as 10000000 represents ALL privileges on a procedure/function. */ @@ -336,6 +337,16 @@ typedef FormData_bbf_function_ext *Form_bbf_function_ext; (strlen(rolname) == 13 && \ strncmp(rolname, BABELFISH_SECURITYADMIN, 13) == 0) +/* check if rolename is dbcreator */ +#define IS_ROLENAME_DBCREATOR(rolname) \ + (strlen(rolname) == 9 && \ + strncmp(rolname, BABELFISH_DBCREATOR, 9) == 0) + +#define IS_BBF_FIXED_SERVER_ROLE(rolename) \ + (IS_ROLENAME_SYSADMIN(rolename) || \ + IS_ROLENAME_SECURITYADMIN(rolename) || \ + IS_ROLENAME_DBCREATOR(rolename)) + extern int permissions[]; extern Oid bbf_schema_perms_oid; diff --git a/contrib/babelfishpg_tsql/src/dbcmds.c b/contrib/babelfishpg_tsql/src/dbcmds.c index 8f38ac6383..21f36e96b9 100644 --- a/contrib/babelfishpg_tsql/src/dbcmds.c +++ b/contrib/babelfishpg_tsql/src/dbcmds.c @@ -512,7 +512,6 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co { int16 old_dbid; char *old_dbname; - Oid datdba; Datum *new_record; bool *new_record_nulls; Relation sysdatabase_rel; @@ -529,6 +528,7 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co const char *old_createrole_self_grant; ListCell *option; const char *database_collation_name = NULL; + Oid datdba; /* Check options */ foreach(option, options) @@ -576,7 +576,10 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co PG_TRY(); { SetUserIdAndSecContext(GetSessionUserId(), save_sec_context | SECURITY_LOCAL_USERID_CHANGE); - if (!have_createdb_privilege()) + + /* Session user must be member of sysadmin or dbcreator fixed server role */ + if (!has_privs_of_role(GetSessionUserId(), get_sysadmin_oid()) && + !has_privs_of_role(GetSessionUserId(), get_dbcreator_oid())) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("permission denied to create database"))); @@ -587,10 +590,6 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co } PG_END_TRY(); - /* dbowner is always sysadmin */ - datdba = get_role_oid("sysadmin", false); - check_can_set_role(GetSessionUserId(), datdba); - /* For simplicity, do not allow bbf db name clides with pg dbnames */ /* TODO: add another check in orignal createdb */ if (OidIsValid(get_database_oid(dbname, true))) @@ -633,6 +632,7 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co old_dbname = get_cur_db_name(); set_cur_db(dbid, dbname); /* temporarily set current dbid as the new id */ dbo_role = get_dbo_role_name(dbname); + datdba = get_sysadmin_oid(); PG_TRY(); { @@ -774,7 +774,9 @@ drop_bbf_db(const char *dbname, bool missing_ok, bool force_drop) const char *login = GetUserNameFromId(roleid, false); bool login_is_db_owner = 0 == strncmp(login, get_owner_of_db(dbname), NAMEDATALEN); - if (!(has_privs_of_role(roleid, get_role_oid("sysadmin", false)) || login_is_db_owner)) + /* Check if login has required privilege to drop the database */ + if (!(has_privs_of_role(roleid, get_sysadmin_oid()) + || has_privs_of_role(roleid, get_dbcreator_oid()) || login_is_db_owner)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_DATABASE, dbname); diff --git a/contrib/babelfishpg_tsql/src/pl_handler.c b/contrib/babelfishpg_tsql/src/pl_handler.c index 42e14fcbdc..9556bf33e8 100644 --- a/contrib/babelfishpg_tsql/src/pl_handler.c +++ b/contrib/babelfishpg_tsql/src/pl_handler.c @@ -177,6 +177,8 @@ static void bbf_ExecDropStmt(DropStmt *stmt); static int isolation_to_int(char *isolation_level); static void bbf_set_tran_isolation(char *new_isolation_level_str); +static void gen_command_grant_revoke_priv_to_role(StringInfo query, const char *rolename, + bool is_grant, Oid login_oid); typedef struct { int oid; @@ -3672,7 +3674,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, int role_oid = get_role_oid(role_name, true); if (!OidIsValid(role_oid) || role_oid == get_bbf_role_admin_oid() - || role_oid == securityadmin_oid || role_oid == get_sysadmin_oid()) + || IS_BBF_FIXED_SERVER_ROLE(role_name)) ereport(ERROR, (errcode(ERRCODE_DUPLICATE_OBJECT), errmsg("Cannot drop the login '%s', because it does not exist or you do not have permission.", role_name))); @@ -3928,37 +3930,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, grantee_oid = get_role_oid(spec->rolename, false); initStringInfo(&query); - /* If sysadmin, provide attribute for role and database priv */ - if (IS_ROLENAME_SYSADMIN(rolspec->rolename)) - { - if (grant_role->is_grant) - appendStringInfo(&query, "ALTER ROLE dummy WITH createrole createdb; "); - - /* If grantee role is member of securityadmin then only revoke createdb */ - else if (has_privs_of_role(grantee_oid, get_securityadmin_oid())) - appendStringInfo(&query, "ALTER ROLE dummy WITH nocreatedb; "); - else - appendStringInfo(&query, "ALTER ROLE dummy WITH nocreaterole nocreatedb; "); - } - - /* If securityadmin, provide attribute for role priv */ - else if (IS_ROLENAME_SECURITYADMIN(rolspec->rolename)) - { - if (grant_role->is_grant) - appendStringInfo(&query, "ALTER ROLE dummy WITH createrole; "); - - /* If grantee role is member of sysadmin then don't revoke createrole */ - else if (!has_privs_of_role(grantee_oid, get_sysadmin_oid())) - appendStringInfo(&query, "ALTER ROLE dummy WITH nocreaterole; "); - } - - /* Otherwise, throw error */ - else - { - ereport(ERROR, - (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("\"%s\" is not a supported fixed server role.", rolspec->rolename))); - } + gen_command_grant_revoke_priv_to_role(&query, rolspec->rolename, grant_role->is_grant, grantee_oid); /* * Set to bbf_role_admin to grant the role @@ -6959,3 +6931,71 @@ bbf_set_tran_isolation(char *new_isolation_level_str) } return ; } + +/* + * Generate command to grant/revoke required + * privileges to/from the login on the basis of + * that login's privilege. + */ +static void +gen_command_grant_revoke_priv_to_role(StringInfo query, const char *rolename, + bool is_grant, Oid login_oid) +{ + int createrole = 0, createdb = 0; + int prev_createrole = 0, prev_createdb = 0; + bool grant_createrole, revoke_createrole, grant_createdb, revoke_createdb; + bool is_sysadmin = 0, is_securityadmin = 0, is_dbcreator = 0; + + if (has_privs_of_role(login_oid, get_sysadmin_oid())) + { + createrole++; + createdb++; + is_sysadmin = true; + } + if (has_privs_of_role(login_oid, get_securityadmin_oid())) + { + createrole++; + is_securityadmin = true; + } + if (has_privs_of_role(login_oid, get_dbcreator_oid())) + { + createdb++; + is_dbcreator = true; + } + + /* keep granted attribute count*/ + prev_createrole = createrole; + prev_createdb = createdb; + + /* If sysadmin, provide attribute for role and database priv */ + if (IS_ROLENAME_SYSADMIN(rolename)) + { + createrole += ((is_grant) ? 1 : (is_sysadmin) ? -1 : 0); + createdb += ((is_grant) ? 1 : ((is_sysadmin) ? -1 : 0)); + } + else if (IS_ROLENAME_SECURITYADMIN(rolename)) + { + createrole += ((is_grant) ? 1 : ((is_securityadmin) ? -1 : 0)); + } + else if (IS_ROLENAME_DBCREATOR(rolename)) + { + createdb += ((is_grant) ? 1: ((is_dbcreator) ? -1 : 0)); + } + else + { + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("\"%s\" is not a supported fixed server role.", rolename))); + } + + grant_createrole = (prev_createrole == 0 && createrole == 1); + grant_createdb = (prev_createdb == 0 && createdb == 1); + revoke_createrole = (prev_createrole == 1 && createrole == 0); + revoke_createdb = (prev_createdb == 1 && createdb == 0); + + /* Genarate grante/revoke required attribute to the required role query */ + appendStringInfo(query, "ALTER ROLE dummy WITH %s %s; ", grant_createrole ? "createrole" : + (revoke_createrole ? "nocreaterole" : ""), grant_createdb ? "createdb" : + (revoke_createdb ? "nocreatedb" : "")); + +} \ No newline at end of file diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c index 092ecadb2b..79e147ccea 100644 --- a/contrib/babelfishpg_tsql/src/rolecmds.c +++ b/contrib/babelfishpg_tsql/src/rolecmds.c @@ -78,6 +78,7 @@ static void validateFQDN(char *fqdn); static Oid bbf_admin_oid = InvalidOid; static Oid securityadmin_oid = InvalidOid; +static Oid dbcreator_oid = InvalidOid; void create_bbf_authid_login_ext(CreateRoleStmt *stmt) @@ -143,12 +144,10 @@ create_bbf_authid_login_ext(CreateRoleStmt *stmt) new_record_login_ext[LOGIN_EXT_ROLNAME] = NameGetDatum(&rolname_namedata); new_record_login_ext[LOGIN_EXT_IS_DISABLED] = Int32GetDatum(0); - if (strcmp(stmt->role, "sysadmin") == 0) + if (IS_BBF_FIXED_SERVER_ROLE(stmt->role)) new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("R"); else if (strcmp(stmt->role, "bbf_role_admin") == 0) new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("Z"); - else if (strcmp(stmt->role, BABELFISH_SECURITYADMIN) == 0) - new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("R"); else if (from_windows) new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("U"); else @@ -716,6 +715,15 @@ get_securityadmin_oid(void) return securityadmin_oid; } +/* Returns OID of dbcreator server role */ +Oid +get_dbcreator_oid(void) +{ + if (!OidIsValid(dbcreator_oid)) + dbcreator_oid = get_role_oid(BABELFISH_DBCREATOR, false); + return dbcreator_oid; +} + /* * Returns OID of SA of the current database. * We assume that SA is the DBA of the babelfish DB. @@ -1067,7 +1075,8 @@ drop_all_logins(PG_FUNCTION_ARGS) * Remove SA from authid_login_ext now but do not add it to the list * because we don't want to remove the corresponding PG role. */ - if (role_is_sa(get_role_oid(rolname, false)) || (strcmp(rolname, "sysadmin") == 0) || (strcmp(rolname, "bbf_role_admin") == 0)) + if (role_is_sa(get_role_oid(rolname, false)) || (strcmp(rolname, "bbf_role_admin") == 0) + || IS_BBF_FIXED_SERVER_ROLE(rolname)) CatalogTupleDelete(bbf_authid_login_ext_rel, &tuple->t_self); else rolname_list = lcons(rolname, rolname_list); @@ -1820,7 +1829,7 @@ is_alter_server_stmt(GrantRoleStmt *stmt) RoleSpec *spec = (RoleSpec *) linitial(stmt->granted_roles); /* only supported server roles */ - if (IS_ROLENAME_SYSADMIN(spec->rolename) || IS_ROLENAME_SECURITYADMIN(spec->rolename)) + if (IS_BBF_FIXED_SERVER_ROLE(spec->rolename)) return true; } @@ -1864,10 +1873,12 @@ check_alter_server_stmt(GrantRoleStmt *stmt) /* * check if it has sysadmin privileges or - * if server role is securityadmin and it has privileges of securityadmin + * if server role is securityadmin and it has privileges of securityadmin or + * if server role is dbcreator and it has privileges of dbcreator */ - if (!has_privs_of_role(GetSessionUserId(), sysadmin) && ((strcmp(granted_name, BABELFISH_SECURITYADMIN) != 0) - || !has_privs_of_role(GetSessionUserId(), get_securityadmin_oid()))) + if (!has_privs_of_role(GetSessionUserId(), sysadmin) && (!IS_ROLENAME_SECURITYADMIN(granted_name) + || !has_privs_of_role(GetSessionUserId(), get_securityadmin_oid())) && (!IS_ROLENAME_DBCREATOR(granted_name) + || !has_privs_of_role(GetSessionUserId(), get_dbcreator_oid()))) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("Current login %s does not have permission to alter server role", @@ -1877,7 +1888,7 @@ check_alter_server_stmt(GrantRoleStmt *stmt) * sysadmin role is not granted if grantee login has a user in one of the * databases, as Babelfish only supports one dbo currently */ - if (stmt->is_grant && (strcmp(granted_name, "sysadmin") == 0) && has_user_in_db(grantee_name, &db_name)) + if (stmt->is_grant && IS_ROLENAME_SYSADMIN(granted_name) && has_user_in_db(grantee_name, &db_name)) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("'sysadmin' role cannot be granted to login: a user is already created in database '%s'", db_name))); diff --git a/contrib/babelfishpg_tsql/src/rolecmds.h b/contrib/babelfishpg_tsql/src/rolecmds.h index 599ed97c7a..be06452591 100644 --- a/contrib/babelfishpg_tsql/src/rolecmds.h +++ b/contrib/babelfishpg_tsql/src/rolecmds.h @@ -56,6 +56,7 @@ extern void drop_bbf_roles(ObjectAccessType access, extern bool role_is_sa(Oid roleid); extern Oid get_bbf_role_admin_oid(void); extern Oid get_securityadmin_oid(void); +extern Oid get_dbcreator_oid(void); extern Oid get_sa_role_oid(void); extern bool tsql_has_pgstat_permissions(Oid roleid); extern bool tsql_has_linked_srv_permissions(Oid roleid); diff --git a/test/JDBC/expected/BABEL-2403.out b/test/JDBC/expected/BABEL-2403.out index 18a6f78786..20cd61fe4f 100644 --- a/test/JDBC/expected/BABEL-2403.out +++ b/test/JDBC/expected/BABEL-2403.out @@ -83,6 +83,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} @@ -192,6 +194,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} diff --git a/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out b/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out index 4780d8a897..999d304c1b 100644 --- a/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out +++ b/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out @@ -281,7 +281,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ @@ -292,7 +292,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -304,7 +304,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -6 +7 ~~END~~ @@ -392,7 +392,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -422,7 +422,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ diff --git a/test/JDBC/expected/dbcreator_role-vu-cleanup.out b/test/JDBC/expected/dbcreator_role-vu-cleanup.out new file mode 100644 index 0000000000..c7fec43025 --- /dev/null +++ b/test/JDBC/expected/dbcreator_role-vu-cleanup.out @@ -0,0 +1,66 @@ +-- tsql +drop user dbcreator_user1 +go + +drop user no_dbcreator_user1 +go + +drop login dbcreator_login1 +go + +drop login dbcreator_l2 +go + +use dbcreator_db1 +go + +drop user no_dbcreator_user1 +go + +use master +go + +drop login no_dbcreator_login1 +go + +drop database dbcreator_db1 +go + +drop schema dbcreator_scm1 +go + +drop view dbcreator_show_role_mem +go + +drop TRIGGER dbcreator_tggr1 +go + +DROP TABLE dbc_sp_helpsrvrolemember_tbl +GO + +drop table dbcreator_tb1 +go + +drop view dbcreator_v1 +go + +drop function dbcreator_func1() +go + +drop procedure dbcreator_proc1 +go + +drop procedure dbcreator_create_database_p1 +go + +drop procedure dbcreator_drop_database_p1 +go + +drop procedure dbcreator_add_mem_p1 +go + +drop procedure dbcreator_drop_mem_p1 +go + +drop role dbcreator_rol +go diff --git a/test/JDBC/expected/dbcreator_role-vu-prepare.out b/test/JDBC/expected/dbcreator_role-vu-prepare.out new file mode 100644 index 0000000000..50462af18a --- /dev/null +++ b/test/JDBC/expected/dbcreator_role-vu-prepare.out @@ -0,0 +1,92 @@ +-- tsql +create login dbcreator_login1 with password = '123' +go + +create login no_dbcreator_login1 with password = '123' +go + +create login dbcreator_l2 with password = '123' +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- tsql +create role dbcreator_rol +go + +create database dbcreator_db1 +go + +create schema dbcreator_scm1 +go + +CREATE VIEW dbcreator_show_role_mem AS +SELECT +roles.name AS RolePrincipalName +, members.name AS MemberPrincipalName +FROM sys.server_role_members AS server_role_members +INNER JOIN sys.server_principals AS roles + ON server_role_members.role_principal_id = roles.principal_id +INNER JOIN sys.server_principals AS members + ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; +GO + +CREATE TABLE dbc_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + +create table dbcreator_tb1(a int) +go + +create view dbcreator_v1 as select 1; +go + +create function dbcreator_func1() returns int as begin return 1 end; +go + +create procedure dbcreator_proc1 as begin select 1; end +go + +CREATE TRIGGER dbcreator_tggr1 on dbcreator_tb1 AFTER INSERT AS BEGIN END; +go + +create procedure dbcreator_create_database_p1 as begin create database dbcreator_db_new; end +go + +Grant execute on dbcreator_create_database_p1 to PUBLIC; +go + +create procedure dbcreator_drop_database_p1 as begin drop database dbcreator_db_new; end +go + +Grant execute on dbcreator_drop_database_p1 to PUBLIC; +go + +create procedure dbcreator_add_mem_p1 as begin Alter server role dbcreator add member no_dbcreator_login1; end +go + +Grant execute on dbcreator_add_mem_p1 to PUBLIC; +go + +create procedure dbcreator_drop_mem_p1 as begin Alter server role dbcreator drop member no_dbcreator_login1; end +go + +Grant execute on dbcreator_drop_mem_p1 to PUBLIC; +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +use master +go diff --git a/test/JDBC/expected/dbcreator_role-vu-verify.out b/test/JDBC/expected/dbcreator_role-vu-verify.out new file mode 100644 index 0000000000..51ed2f2e6e --- /dev/null +++ b/test/JDBC/expected/dbcreator_role-vu-verify.out @@ -0,0 +1,1338 @@ +-- tsql +-- should be 0 +select is_srvrolemember('sysadmin', 'dbcreator') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('securityadmin', 'dbcreator') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('dbcreator', 'sysadmin') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('dbcreator', 'securityadmin') +go +~~START~~ +int +0 +~~END~~ + + +alter login dbcreator_login1 with password='123' +go + +alter login no_dbcreator_login1 with password='123' +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO +~~START~~ +varchar#!#varchar#!#int +~~END~~ + + +-- make login member of dbcreator +Alter server role dbcreator add member dbcreator_login1 +go + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go +~~START~~ +varchar#!#varchar +dbcreator#!#dbcreator_login1 +sysadmin#!#jdbc_user +~~END~~ + + +-- should error out +create login dbcreator with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The Server principal 'dbcreator' already exists)~~ + + +-- terminate-tsql-conn + + +-- tsql user=dbcreator_login1 password=123 + +-- Case 1 - positives +-- dbcreator's login privileges +-- alter server role dbcreator should be allowed +Alter server role dbcreator add member no_dbcreator_login1 +go + +Alter server role dbcreator drop member no_dbcreator_login1 +go + +-- create/drop database should be allowed +drop database dbcreator_db1 +go + +create database dbcreator_db; +go + +-- owner should be dbcreator_login1 +SELECT owner AS database_owner FROM sys.babelfish_sysdatabases WHERE name = 'dbcreator_db'; +go +~~START~~ +varchar +dbcreator_login1 +~~END~~ + + +use dbcreator_db +go + +select current_user +go +~~START~~ +varchar +dbo +~~END~~ + + +create table dbc_t1(a int) +go + +drop table dbc_t1 +go + +use master +go + +-- alter database should be allowed +alter database dbcreator_db modify name=dbcreator_db_1 +go + +-- sp_renamedb should be allowed +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- transfer ownership to different login +alter authorization on database::dbcreator_db to no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should not be allowed +use dbcreator_db +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The server principal "dbcreator_login1" is not able to access the database "dbcreator_db" under the current security context)~~ + + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to rename the database 'dbcreator_db', the database does not exist, or the database is not in a state that allows access checks.)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db +go + +create user u1 for login dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +use dbcreator_db +go + +-- should not be dbo +select current_user +go +~~START~~ +varchar +u1 +~~END~~ + + +use master +go + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO + +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql + +use dbcreator_db +go + +drop user u1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- drop database should be allowed +-- password based login +drop database dbcreator_db +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- tsql user=no_dbcreator_login1 password=123 +-- connection should get refused +use dbcreator_db1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The server principal "no_dbcreator_login1" is not able to access the database "dbcreator_db1" under the current security context)~~ + + +-- should give permission denied +Alter server role dbcreator add member no_dbcreator_login1 +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login no_dbcreator_login1 does not have permission to alter server role)~~ + + +Alter server role dbcreator drop member no_dbcreator_login1 +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login no_dbcreator_login1 does not have permission to alter server role)~~ + + +-- terminate-tsql-conn user=no_dbcreator_login1 password=123 + +-- tsql user=dbcreator_login1 password=123 +-- System objects +select name, sysadmin, dbcreator from syslogins where name like '%dbcreator%' order by name +go +~~START~~ +varchar#!#int#!#int +dbcreator_login1#!#0#!#1 +~~END~~ + + +-- should give permission denied +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to rename the database 'dbcreator_db1', the database does not exist, or the database is not in a state that allows access checks.)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db1 +go + +grant connect to guest +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO + +-- should return 0 +select is_srvrolemember ('sysadmin') +go +~~START~~ +int +0 +~~END~~ + + +-- should return 1 +select is_srvrolemember ('dbcreator') +go +~~START~~ +int +1 +~~END~~ + + +select is_srvrolemember ('dbcreator', 'dbcreator_login1') +GO +~~START~~ +int +1 +~~END~~ + + +-- it should be allowed +drop database dbcreator_db2 +go + +-- inside procedure +exec dbcreator_create_database_p1 +go + +exec dbcreator_add_mem_p1 +go + +exec dbcreator_drop_mem_p1 +go + +exec dbcreator_drop_database_p1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- login is member of both dbcreator as well as sysadmin +drop user dbcreator_user1 +go + +Alter server role sysadmin add member dbcreator_login1 +go + +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- it should be able to connect to the database +use dbcreator_db1 +go + +-- it should be dbo +select current_user +go +~~START~~ +varchar +dbo +~~END~~ + + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go +~~START~~ +varchar#!#bit#!#bit +dbcreator_login1#!#1#!#1 +~~END~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- only member of dbcreator +alter server role sysadmin drop member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO +~~ROW COUNT: 1~~ + + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO +~~START~~ +varchar#!#varchar#!#int +dbcreator#!#dbcreator_login1#!#1 +~~END~~ + + +-- only rolcreatedb attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go +~~START~~ +varchar#!#bit#!#bit +dbcreator_login1#!#0#!#1 +~~END~~ + + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be able to create/drop database +drop database dbcreator_db1 +go + +create database dbcreator_db3 +go + +drop database dbcreator_db3 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- only member of sysadmin +create database dbcreator_db1 +go + +drop user dbcreator_user1 +go + +alter server role sysadmin add member dbcreator_login1 +go + +alter server role dbcreator drop member dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be 1 +select is_srvrolemember('sysadmin') +go +~~START~~ +int +1 +~~END~~ + + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go +~~START~~ +varchar#!#bit#!#bit +dbcreator_login1#!#1#!#1 +~~END~~ + + +-- should be able to create/drop login +create login test_dbcreator_l1 with password ='123' +go + +drop login test_dbcreator_l1 +go + +-- should return 1 +select is_srvrolemember ('sysadmin') +go +~~START~~ +int +1 +~~END~~ + + +-- should return 1 +select is_srvrolemember ('dbcreator') +go +~~START~~ +int +1 +~~END~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- make it member of dbcreator only +alter server role sysadmin drop member dbcreator_login1 +go + +alter server role dbcreator add member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- Case 2 - negatives +-- alter server role sysadmin should give permission denied +Alter server role sysadmin add member no_dbcreator_login1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to alter server role)~~ + + +-- alter server role dbcreator add member db roles should error out +Alter server role dbcreator add member guest +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "guest" does not exist)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create role dummy_role +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should error out +Alter server role dbcreator add member dummy_role +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "dummy_role" does not exist)~~ + + +-- create login permission denied +-- windows login +create login [babel\dbcreator_l1] from windows; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to create new login)~~ + + +-- password based login +create login dbcreator_l2 with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to create new login)~~ + + +-- alter authorization on database permission denied +alter authorization on database::dbcreator_db1 to no_dbcreator_login1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot find the principal 'no_dbcreator_login1', because it does not exist or you do not have permission.)~~ + + +-- alter login should give permission denied +-- password based login +alter login dbcreator_l2 with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +ALTER LOGIN dbcreator_l2 disable; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +ALTER LOGIN dbcreator_l2 enable; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +ALTER LOGIN no_dbcreator_login1 with default_database=dbcreator_db1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'no_dbcreator_login1', because it does not exist or you do not have permission.)~~ + + +-- drop login permission denied +drop login no_dbcreator_login1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the login 'no_dbcreator_login1', because it does not exist or you do not have permission.)~~ + + +-- grant database permissions (only connect is supported) +-- should give permission denied +REVOKE CONNECT FROM no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Grantor does not have GRANT permission.)~~ + + +GRANT CONNECT TO no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Grantor does not have GRANT permission.)~~ + + +-- dbcreator login's mapped user should not have any priv +select current_user, db_name() +go +~~START~~ +varchar#!#nvarchar +dbcreator_user1#!#master +~~END~~ + + +select suser_name() +go +~~START~~ +nvarchar +dbcreator_login1 +~~END~~ + + +-- create objects/user permission denied +create user dbcreator_l2 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to perform this action.)~~ + + +create role dbcreator_role1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to perform this action.)~~ + + +create schema perm_denied_scm +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for database jdbc_testdb)~~ + + +create view perm_denied_v1 as select 1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create table perm_denied_tb1 (a int); +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +select 1 into perm_denied_tb2; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create function perm_denied_func1() returns int as begin return 1 end; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create procedure perm_denied_proc1 as begin select 1; end +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create type perm_denied_typ1 from int; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create index perm_denied_index1 on dbcreator_tb1(a); +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +CREATE FUNCTION perm_denied_func1() RETURNS TABLE AS RETURN ( SELECT 1 AS Value); +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +-- DMLS on object permission denied +Alter user no_dbcreator_user1 with DEFAULT_SCHEMA=dbcreator_scm1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current user does not have privileges to change schema)~~ + + +Alter role dbcreator_rol add member no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to alter role master_dbcreator_rol)~~ + + +Alter role dbcreator_rol drop member no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to alter role master_dbcreator_rol)~~ + + +Alter table dbcreator_tb1 add b int +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +Insert into dbcreator_tb1 values (1) +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +UPDATE dbcreator_tb1 SET a = 2 where a = 1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +DELETE FROM dbcreator_tb1 WHERE a = 1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +TRUNCATE TABLE dbcreator_tb1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +select * from dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +select * from dbcreator_v1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for view dbcreator_v1)~~ + + +select dbcreator_func1() +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_func1)~~ + + +exec dbcreator_proc1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for procedure dbcreator_proc1)~~ + + +Enable trigger dbcreator_tggr1 on dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +Disable trigger dbcreator_tggr1 on dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +-- grant on objects permission denied +Grant select on dbcreator_tb1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Grant exec on dbcreator_func1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_func1)~~ + + +Grant exec on dbcreator_proc1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- Revoke on objects permission denied +Revoke select on dbcreator_tb1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Revoke exec on dbcreator_func1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_func1)~~ + + +Revoke exec on dbcreator_proc1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- grant on schema +-- permission denied +grant select on dbcreator_v1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +grant select on dbo.dbcreator_v1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +grant execute on dbcreator_proc1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + +grant execute on dbo.dbcreator_proc1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- revoke on schema +-- permission denied +revoke select on dbcreator_v1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +revoke select on dbo.dbcreator_v1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +revoke execute on dbcreator_proc1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + +revoke execute on dbo.dbcreator_proc1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- drop object permission denied +drop user dbcreator_l2 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the user 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +drop role dbcreator_rol +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the role 'dbcreator_rol', because it does not exist or you do not have permission.)~~ + + +drop schema dbcreator_scm1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of schema master_dbcreator_scm1)~~ + + +drop view dbcreator_show_role_mem +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of view dbcreator_show_role_mem)~~ + + +drop TRIGGER dbcreator_tggr1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of relation dbcreator_tb1)~~ + + +drop table dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +drop view dbcreator_v1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of view dbcreator_v1)~~ + + +drop function dbcreator_func1() +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of function dbcreator_func1)~~ + + +drop procedure dbcreator_proc1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of procedure dbcreator_proc1)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + + +-- tsql database=dbcreator_db1 +-- dbcreator login should not get mapped to dbo if no user exist, it should disconnect +drop user dbcreator_user1 +go + +-- terminate-tsql-conn database=dbcreator_db1 + +-- tsql user=dbcreator_login1 password=123 +-- it should disconnect +use dbcreator_db1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The server principal "dbcreator_login1" is not able to access the database "dbcreator_db1" under the current security context)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- Case 3 - check unintended/unauthorized use of dbcreator +drop role dummy_role +go + +CREATE LOGIN dbcreator_restrict_new_login WITH password = '12345678'; +go + +ALTER SERVER ROLE sysadmin ADD MEMBER dbcreator_restrict_new_login; +GO + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go +~~START~~ +varchar#!#varchar +dbcreator#!#dbcreator_login1 +sysadmin#!#dbcreator_restrict_new_login +sysadmin#!#jdbc_user +~~END~~ + + +-- terminate-tsql-conn + +-- tsql user=dbcreator_restrict_new_login password=12345678 +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go +~~START~~ +varchar#!#varchar +dbcreator#!#dbcreator_login1 +sysadmin#!#dbcreator_restrict_new_login +sysadmin#!#jdbc_user +~~END~~ + + +select current_user, db_name() +go +~~START~~ +varchar#!#nvarchar +dbo#!#master +~~END~~ + + +CREATE ROLE dbcreator_restrictions_role; +GO + +-- a tsql login should not be able to drop dbcreator explicitly from tsql port +-- should be denied +ALTER ROLE dbcreator_restrictions_role ADD MEMBER dbcreator; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "master_dbcreator" does not exist)~~ + + +DROP LOGIN dbcreator; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the login 'dbcreator', because it does not exist or you do not have permission.)~~ + + +DROP ROLE dbcreator_restrictions_role; +GO + +-- terminate-tsql-conn user=dbcreator_restrict_new_login password=12345678 + +-- psql user=dbcreator_restrict_new_login password=12345678 +-- a tsql login should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT sysadmin TO dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator TO dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE dbcreator FROM master_dbo; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE master_dbo FROM dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +DROP ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be dropped or altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +SET SESSION AUTHORIZATION dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set session authorization + Server SQLState: 42501)~~ + + +SET ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set role "dbcreator" + Server SQLState: 42501)~~ + + +-- psql +-- normal PG user +CREATE USER dbcreator_restrictions_pg_user WITH LOGIN CREATEROLE PASSWORD '12345678' inherit; +go + +-- psql user=dbcreator_restrictions_pg_user password=12345678 +-- a normal psql user should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +-- Altering a role by an underprivileged login should be restricted +alter user dbcreator_restrict_new_login with password '123' +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to alter role + Detail: To change another role's password, the current user must have the CREATEROLE attribute and the ADMIN option on the role. + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE dbcreator FROM master_dbo; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE sysadmin FROM dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE dbcreator FROM dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE master_dbo FROM dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +DROP ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be dropped or altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +SET SESSION AUTHORIZATION dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set session authorization + Server SQLState: 42501)~~ + + +SET ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set role "dbcreator" + Server SQLState: 42501)~~ + + +-- psql +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'dbcreator_restrict_new_login' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +go +~~START~~ +bool +t +~~END~~ + + +DROP USER dbcreator_restrictions_pg_user; +GO + +-- Wait to sync with another session +SELECT pg_sleep(1); +GO +~~START~~ +void + +~~END~~ + + +-- tsql + +ALTER SERVER ROLE sysadmin drop MEMBER dbcreator_restrict_new_login; +GO + +DROP LOGIN dbcreator_restrict_new_login +GO diff --git a/test/JDBC/expected/is_srvrolemember-vu-verify.out b/test/JDBC/expected/is_srvrolemember-vu-verify.out index 4955dd3fbc..8075a28c90 100644 --- a/test/JDBC/expected/is_srvrolemember-vu-verify.out +++ b/test/JDBC/expected/is_srvrolemember-vu-verify.out @@ -138,7 +138,7 @@ SELECT is_srvrolemember('dbcreator') GO ~~START~~ int -0 +1 ~~END~~ diff --git a/test/JDBC/expected/is_srvrolemember.out b/test/JDBC/expected/is_srvrolemember.out index 4955dd3fbc..8075a28c90 100644 --- a/test/JDBC/expected/is_srvrolemember.out +++ b/test/JDBC/expected/is_srvrolemember.out @@ -138,7 +138,7 @@ SELECT is_srvrolemember('dbcreator') GO ~~START~~ int -0 +1 ~~END~~ diff --git a/test/JDBC/expected/permission_restrictions_from_pg.out b/test/JDBC/expected/permission_restrictions_from_pg.out index c166441a23..4167613ebb 100644 --- a/test/JDBC/expected/permission_restrictions_from_pg.out +++ b/test/JDBC/expected/permission_restrictions_from_pg.out @@ -12,8 +12,7 @@ grant sysadmin to permission_restrictions_tsql_login; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ @@ -32,8 +31,7 @@ grant sysadmin to permission_restrictions_psql_user; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ @@ -63,8 +61,7 @@ grant sysadmin to permission_restrictions_tsql_login; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ @@ -83,8 +80,7 @@ grant sysadmin to permission_restrictions_psql_user; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ diff --git a/test/JDBC/expected/securityadmin_role-vu-cleanup.out b/test/JDBC/expected/securityadmin_role-vu-cleanup.out index fb82964f8d..7eaf398df8 100644 --- a/test/JDBC/expected/securityadmin_role-vu-cleanup.out +++ b/test/JDBC/expected/securityadmin_role-vu-cleanup.out @@ -32,6 +32,9 @@ go drop TRIGGER securityadmin_tggr1 go +DROP TABLE sadm_sp_helpsrvrolemember_tbl +GO + drop table securityadmin_tb1 go diff --git a/test/JDBC/expected/securityadmin_role-vu-prepare.out b/test/JDBC/expected/securityadmin_role-vu-prepare.out index 1f96ebe37e..925c01678f 100644 --- a/test/JDBC/expected/securityadmin_role-vu-prepare.out +++ b/test/JDBC/expected/securityadmin_role-vu-prepare.out @@ -32,6 +32,11 @@ INNER JOIN sys.server_principals AS members ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; GO +CREATE TABLE sadm_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + create table securityadmin_tb1(a int) go diff --git a/test/JDBC/expected/securityadmin_role-vu-verify.out b/test/JDBC/expected/securityadmin_role-vu-verify.out index f3b35d0386..5fcde2d413 100644 --- a/test/JDBC/expected/securityadmin_role-vu-verify.out +++ b/test/JDBC/expected/securityadmin_role-vu-verify.out @@ -1,10 +1,40 @@ -- tsql +select is_srvrolemember('sysadmin', 'securityadmin') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('securityadmin', 'sysadmin') +go +~~START~~ +int +0 +~~END~~ + + alter login securityadmin_login1 with password='123' go alter login no_securityadmin_login1 with password='123' go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO +~~START~~ +varchar#!#varchar#!#int +~~END~~ + + -- make login member of securityadmin Alter server role securityadmin add member securityadmin_login1 go @@ -262,6 +292,7 @@ FROM sys.server_principals ORDER BY name GO ~~START~~ varchar#!#char#!#nvarchar#!#varchar#!#varchar#!#int#!#int#!#bit +dbcreator#!#R#!#SERVER_ROLE#!##!#English#!##!#1#!#1 jdbc_user#!#S#!#SQL_LOGIN#!#master#!#English#!#-1#!#-1#!#0 no_securityadmin_login1#!#S#!#SQL_LOGIN#!#master#!#English#!#-1#!#-1#!#0 public#!#R#!#SERVER_ROLE#!##!##!##!#1#!#0 @@ -553,6 +584,23 @@ go create user securityadmin_user1 for login securityadmin_login1 go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO +~~ROW COUNT: 1~~ + + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO +~~START~~ +varchar#!#varchar#!#int +securityadmin#!#securityadmin_login1#!#1 +~~END~~ + + -- terminate-tsql-conn -- tsql user=securityadmin_login1 password=123 diff --git a/test/JDBC/expected/single_db/BABEL-2403.out b/test/JDBC/expected/single_db/BABEL-2403.out index 916f4cdf66..2f20395b10 100644 --- a/test/JDBC/expected/single_db/BABEL-2403.out +++ b/test/JDBC/expected/single_db/BABEL-2403.out @@ -71,6 +71,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} @@ -168,6 +170,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} diff --git a/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out b/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out index 9b37746703..651c14ea95 100644 --- a/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out +++ b/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out @@ -281,7 +281,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ @@ -292,7 +292,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -304,7 +304,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -6 +7 ~~END~~ @@ -392,7 +392,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -422,7 +422,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ diff --git a/test/JDBC/expected/sys-server_principals-vu-verify.out b/test/JDBC/expected/sys-server_principals-vu-verify.out index aef130e734..65f2f5628e 100644 --- a/test/JDBC/expected/sys-server_principals-vu-verify.out +++ b/test/JDBC/expected/sys-server_principals-vu-verify.out @@ -61,6 +61,7 @@ FROM sys.server_principals ORDER BY name GO ~~START~~ varchar#!#char#!#nvarchar#!#varchar#!#varchar#!#int#!#int#!#bit +dbcreator#!#R#!#SERVER_ROLE#!##!#English#!##!#1#!#1 jdbc_user#!#S#!#SQL_LOGIN#!#master#!#English#!#-1#!#-1#!#0 public#!#R#!#SERVER_ROLE#!##!##!##!#1#!#0 securityadmin#!#R#!#SERVER_ROLE#!##!#English#!##!#1#!#1 diff --git a/test/JDBC/expected/test_windows_login-vu-prepare.out b/test/JDBC/expected/test_windows_login-vu-prepare.out index aedb3e8755..6cb5a741ec 100644 --- a/test/JDBC/expected/test_windows_login-vu-prepare.out +++ b/test/JDBC/expected/test_windows_login-vu-prepare.out @@ -7,6 +7,7 @@ $$ begin end if; end $$; GO +-- terminate-psql-conn -- tsql CREATE DATABASE ad_db; diff --git a/test/JDBC/input/dbcreator_role-vu-cleanup.mix b/test/JDBC/input/dbcreator_role-vu-cleanup.mix new file mode 100644 index 0000000000..b96c379ad1 --- /dev/null +++ b/test/JDBC/input/dbcreator_role-vu-cleanup.mix @@ -0,0 +1,66 @@ +-- tsql +drop user dbcreator_user1 +go + +drop user no_dbcreator_user1 +go + +drop login dbcreator_login1 +go + +drop login dbcreator_l2 +go + +use dbcreator_db1 +go + +drop user no_dbcreator_user1 +go + +use master +go + +drop login no_dbcreator_login1 +go + +drop database dbcreator_db1 +go + +drop schema dbcreator_scm1 +go + +drop view dbcreator_show_role_mem +go + +drop TRIGGER dbcreator_tggr1 +go + +DROP TABLE dbc_sp_helpsrvrolemember_tbl +GO + +drop table dbcreator_tb1 +go + +drop view dbcreator_v1 +go + +drop function dbcreator_func1() +go + +drop procedure dbcreator_proc1 +go + +drop procedure dbcreator_create_database_p1 +go + +drop procedure dbcreator_drop_database_p1 +go + +drop procedure dbcreator_add_mem_p1 +go + +drop procedure dbcreator_drop_mem_p1 +go + +drop role dbcreator_rol +go \ No newline at end of file diff --git a/test/JDBC/input/dbcreator_role-vu-prepare.mix b/test/JDBC/input/dbcreator_role-vu-prepare.mix new file mode 100644 index 0000000000..55d39ada67 --- /dev/null +++ b/test/JDBC/input/dbcreator_role-vu-prepare.mix @@ -0,0 +1,92 @@ +-- tsql +create login dbcreator_login1 with password = '123' +go + +create login no_dbcreator_login1 with password = '123' +go + +create login dbcreator_l2 with password = '123' +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- tsql +create role dbcreator_rol +go + +create database dbcreator_db1 +go + +create schema dbcreator_scm1 +go + +CREATE VIEW dbcreator_show_role_mem AS +SELECT +roles.name AS RolePrincipalName +, members.name AS MemberPrincipalName +FROM sys.server_role_members AS server_role_members +INNER JOIN sys.server_principals AS roles + ON server_role_members.role_principal_id = roles.principal_id +INNER JOIN sys.server_principals AS members + ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; +GO + +CREATE TABLE dbc_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + +create table dbcreator_tb1(a int) +go + +create view dbcreator_v1 as select 1; +go + +create function dbcreator_func1() returns int as begin return 1 end; +go + +create procedure dbcreator_proc1 as begin select 1; end +go + +CREATE TRIGGER dbcreator_tggr1 on dbcreator_tb1 AFTER INSERT AS BEGIN END; +go + +create procedure dbcreator_create_database_p1 as begin create database dbcreator_db_new; end +go + +Grant execute on dbcreator_create_database_p1 to PUBLIC; +go + +create procedure dbcreator_drop_database_p1 as begin drop database dbcreator_db_new; end +go + +Grant execute on dbcreator_drop_database_p1 to PUBLIC; +go + +create procedure dbcreator_add_mem_p1 as begin Alter server role dbcreator add member no_dbcreator_login1; end +go + +Grant execute on dbcreator_add_mem_p1 to PUBLIC; +go + +create procedure dbcreator_drop_mem_p1 as begin Alter server role dbcreator drop member no_dbcreator_login1; end +go + +Grant execute on dbcreator_drop_mem_p1 to PUBLIC; +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +use master +go \ No newline at end of file diff --git a/test/JDBC/input/dbcreator_role-vu-verify.mix b/test/JDBC/input/dbcreator_role-vu-verify.mix new file mode 100644 index 0000000000..4bf340787a --- /dev/null +++ b/test/JDBC/input/dbcreator_role-vu-verify.mix @@ -0,0 +1,756 @@ +-- tsql +-- should be 0 +select is_srvrolemember('sysadmin', 'dbcreator') +go + +select is_srvrolemember('securityadmin', 'dbcreator') +go + +select is_srvrolemember('dbcreator', 'sysadmin') +go + +select is_srvrolemember('dbcreator', 'securityadmin') +go + +alter login dbcreator_login1 with password='123' +go + +alter login no_dbcreator_login1 with password='123' +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO + +-- make login member of dbcreator +Alter server role dbcreator add member dbcreator_login1 +go + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go + +-- should error out +create login dbcreator with password = '123' +go + +-- terminate-tsql-conn + +-- Case 1 - positives +-- dbcreator's login privileges + +-- tsql user=dbcreator_login1 password=123 +-- alter server role dbcreator should be allowed + +Alter server role dbcreator add member no_dbcreator_login1 +go + +Alter server role dbcreator drop member no_dbcreator_login1 +go + +-- create/drop database should be allowed +drop database dbcreator_db1 +go + +create database dbcreator_db; +go + +-- owner should be dbcreator_login1 +SELECT owner AS database_owner FROM sys.babelfish_sysdatabases WHERE name = 'dbcreator_db'; +go + +use dbcreator_db +go + +select current_user +go + +create table dbc_t1(a int) +go + +drop table dbc_t1 +go + +use master +go + +-- alter database should be allowed +alter database dbcreator_db modify name=dbcreator_db_1 +go + +-- sp_renamedb should be allowed +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- transfer ownership to different login +alter authorization on database::dbcreator_db to no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should not be allowed +use dbcreator_db +go + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db +go + +create user u1 for login dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +use dbcreator_db +go + +-- should not be dbo +select current_user +go + +use master +go + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO + +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql + +use dbcreator_db +go + +drop user u1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- drop database should be allowed +-- password based login +drop database dbcreator_db +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- tsql user=no_dbcreator_login1 password=123 +-- connection should get refused +use dbcreator_db1 +go + +-- should give permission denied +Alter server role dbcreator add member no_dbcreator_login1 +GO + +Alter server role dbcreator drop member no_dbcreator_login1 +GO + +-- terminate-tsql-conn user=no_dbcreator_login1 password=123 + +-- tsql user=dbcreator_login1 password=123 +-- System objects +select name, sysadmin, dbcreator from syslogins where name like '%dbcreator%' order by name +go + +-- should give permission denied +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db1 +go + +grant connect to guest +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO + +-- should return 0 +select is_srvrolemember ('sysadmin') +go + +-- should return 1 +select is_srvrolemember ('dbcreator') +go + +select is_srvrolemember ('dbcreator', 'dbcreator_login1') +GO + +-- it should be allowed +drop database dbcreator_db2 +go + +-- inside procedure +exec dbcreator_create_database_p1 +go + +exec dbcreator_add_mem_p1 +go + +exec dbcreator_drop_mem_p1 +go + +exec dbcreator_drop_database_p1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- login is member of both dbcreator as well as sysadmin +-- tsql +drop user dbcreator_user1 +go + +Alter server role sysadmin add member dbcreator_login1 +go + +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- it should be able to connect to the database +-- tsql user=dbcreator_login1 password=123 +use dbcreator_db1 +go + +-- it should be dbo +select current_user +go + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- only member of dbcreator +-- tsql +alter server role sysadmin drop member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO + +-- only rolcreatedb attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be able to create/drop database +drop database dbcreator_db1 +go + +create database dbcreator_db3 +go + +drop database dbcreator_db3 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- only member of sysadmin +create database dbcreator_db1 +go + +drop user dbcreator_user1 +go + +alter server role sysadmin add member dbcreator_login1 +go + +alter server role dbcreator drop member dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be 1 +select is_srvrolemember('sysadmin') +go + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go + +-- should be able to create/drop login +create login test_dbcreator_l1 with password ='123' +go + +drop login test_dbcreator_l1 +go + +-- should return 1 +select is_srvrolemember ('sysadmin') +go + +-- should return 1 +select is_srvrolemember ('dbcreator') +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- make it member of dbcreator only +alter server role sysadmin drop member dbcreator_login1 +go + +alter server role dbcreator add member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- Case 2 - negatives +-- alter server role sysadmin should give permission denied +Alter server role sysadmin add member no_dbcreator_login1 +go + +-- alter server role dbcreator add member db roles should error out +Alter server role dbcreator add member guest +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create role dummy_role +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should error out +Alter server role dbcreator add member dummy_role +go + +-- create login permission denied +-- windows login +create login [babel\dbcreator_l1] from windows; +go + +-- password based login +create login dbcreator_l2 with password = '123' +go + +-- alter authorization on database permission denied +alter authorization on database::dbcreator_db1 to no_dbcreator_login1 +go + +-- alter login should give permission denied +-- password based login +alter login dbcreator_l2 with password = '123' +go + +ALTER LOGIN dbcreator_l2 disable; +go + +ALTER LOGIN dbcreator_l2 enable; +go + +ALTER LOGIN no_dbcreator_login1 with default_database=dbcreator_db1; +go + +-- drop login permission denied +drop login no_dbcreator_login1 +go + +-- grant database permissions (only connect is supported) +-- should give permission denied +REVOKE CONNECT FROM no_dbcreator_user1 +go + +GRANT CONNECT TO no_dbcreator_user1 +go + +-- dbcreator login's mapped user should not have any priv +select current_user, db_name() +go + +select suser_name() +go + +-- create objects/user permission denied +create user dbcreator_l2 +go + +create role dbcreator_role1 +go + +create schema perm_denied_scm +go + +create view perm_denied_v1 as select 1; +go + +create table perm_denied_tb1 (a int); +go + +select 1 into perm_denied_tb2; +go + +create function perm_denied_func1() returns int as begin return 1 end; +go + +create procedure perm_denied_proc1 as begin select 1; end +go + +create type perm_denied_typ1 from int; +go + +create index perm_denied_index1 on dbcreator_tb1(a); +go + +CREATE FUNCTION perm_denied_func1() RETURNS TABLE AS RETURN ( SELECT 1 AS Value); +go + +-- DMLS on object permission denied +Alter user no_dbcreator_user1 with DEFAULT_SCHEMA=dbcreator_scm1 +go + +Alter role dbcreator_rol add member no_dbcreator_user1 +go + +Alter role dbcreator_rol drop member no_dbcreator_user1 +go + +Alter table dbcreator_tb1 add b int +go + +Insert into dbcreator_tb1 values (1) +go + +UPDATE dbcreator_tb1 SET a = 2 where a = 1; +go + +DELETE FROM dbcreator_tb1 WHERE a = 1; +go + +TRUNCATE TABLE dbcreator_tb1; +go + +select * from dbcreator_tb1 +go + +select * from dbcreator_v1 +go + +select dbcreator_func1() +go + +exec dbcreator_proc1 +go + +Enable trigger dbcreator_tggr1 on dbcreator_tb1 +go + +Disable trigger dbcreator_tggr1 on dbcreator_tb1 +go + +-- grant on objects permission denied +Grant select on dbcreator_tb1 to no_dbcreator_user1 +go + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go + +Grant exec on dbcreator_func1 to no_dbcreator_user1 +go + +Grant exec on dbcreator_proc1 to no_dbcreator_user1 +go + +-- Revoke on objects permission denied +Revoke select on dbcreator_tb1 from no_dbcreator_user1 +go + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go + +Revoke exec on dbcreator_func1 from no_dbcreator_user1 +go + +Revoke exec on dbcreator_proc1 from no_dbcreator_user1 +go + +-- grant on schema +-- permission denied +grant select on dbcreator_v1 to no_dbcreator_user1; +go +grant select on dbo.dbcreator_v1 to no_dbcreator_user1; +go +grant execute on dbcreator_proc1 to no_dbcreator_user1; +go +grant execute on dbo.dbcreator_proc1 to no_dbcreator_user1; +go + +-- revoke on schema +-- permission denied +revoke select on dbcreator_v1 from no_dbcreator_user1; +go +revoke select on dbo.dbcreator_v1 from no_dbcreator_user1; +go +revoke execute on dbcreator_proc1 from no_dbcreator_user1; +go +revoke execute on dbo.dbcreator_proc1 from no_dbcreator_user1; +go + +-- drop object permission denied +drop user dbcreator_l2 +go + +drop role dbcreator_rol +go + +drop schema dbcreator_scm1 +go + +drop view dbcreator_show_role_mem +go + +drop TRIGGER dbcreator_tggr1 +go + +drop table dbcreator_tb1 +go + +drop view dbcreator_v1 +go + +drop function dbcreator_func1() +go + +drop procedure dbcreator_proc1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- dbcreator login should not get mapped to dbo if no user exist, it should disconnect + +-- tsql database=dbcreator_db1 +drop user dbcreator_user1 +go + +-- terminate-tsql-conn database=dbcreator_db1 + +-- it should disconnect +-- tsql user=dbcreator_login1 password=123 +use dbcreator_db1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- Case 3 - check unintended/unauthorized use of dbcreator +-- tsql +drop role dummy_role +go + +CREATE LOGIN dbcreator_restrict_new_login WITH password = '12345678'; +go + +ALTER SERVER ROLE sysadmin ADD MEMBER dbcreator_restrict_new_login; +GO + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_restrict_new_login password=12345678 +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go + +select current_user, db_name() +go + +CREATE ROLE dbcreator_restrictions_role; +GO + +-- a tsql login should not be able to drop dbcreator explicitly from tsql port +-- should be denied +ALTER ROLE dbcreator_restrictions_role ADD MEMBER dbcreator; +GO + +DROP LOGIN dbcreator; +GO + +DROP ROLE dbcreator_restrictions_role; +GO + +-- terminate-tsql-conn user=dbcreator_restrict_new_login password=12345678 + +-- psql user=dbcreator_restrict_new_login password=12345678 +-- a tsql login should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO + +GRANT sysadmin TO dbcreator +go + +GRANT dbcreator TO dbcreator +go + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO + +REVOKE dbcreator FROM master_dbo; +GO + +REVOKE master_dbo FROM dbcreator; +GO + +DROP ROLE dbcreator; +GO + +SET SESSION AUTHORIZATION dbcreator; +GO + +SET ROLE dbcreator; +GO + +-- psql +-- normal PG user +CREATE USER dbcreator_restrictions_pg_user WITH LOGIN CREATEROLE PASSWORD '12345678' inherit; +go + +-- psql user=dbcreator_restrictions_pg_user password=12345678 +-- a normal psql user should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO + +-- Altering a role by an underprivileged login should be restricted +alter user dbcreator_restrict_new_login with password '123' +go + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO + +REVOKE dbcreator FROM master_dbo; +GO + +REVOKE sysadmin FROM dbcreator +go + +REVOKE dbcreator FROM dbcreator +go + +REVOKE master_dbo FROM dbcreator; +GO + +DROP ROLE dbcreator; +GO + +SET SESSION AUTHORIZATION dbcreator; +GO + +SET ROLE dbcreator; +GO + +-- psql +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'dbcreator_restrict_new_login' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +go + +DROP USER dbcreator_restrictions_pg_user; +GO + +-- Wait to sync with another session +SELECT pg_sleep(1); +GO + +-- tsql + +ALTER SERVER ROLE sysadmin drop MEMBER dbcreator_restrict_new_login; +GO + +DROP LOGIN dbcreator_restrict_new_login +GO \ No newline at end of file diff --git a/test/JDBC/input/securityadmin_role-vu-cleanup.mix b/test/JDBC/input/securityadmin_role-vu-cleanup.mix index 5523e86385..ffba6c7425 100644 --- a/test/JDBC/input/securityadmin_role-vu-cleanup.mix +++ b/test/JDBC/input/securityadmin_role-vu-cleanup.mix @@ -32,6 +32,9 @@ go drop TRIGGER securityadmin_tggr1 go +DROP TABLE sadm_sp_helpsrvrolemember_tbl +GO + drop table securityadmin_tb1 go diff --git a/test/JDBC/input/securityadmin_role-vu-prepare.mix b/test/JDBC/input/securityadmin_role-vu-prepare.mix index 6c901dbafa..01b88bc0ab 100644 --- a/test/JDBC/input/securityadmin_role-vu-prepare.mix +++ b/test/JDBC/input/securityadmin_role-vu-prepare.mix @@ -32,6 +32,11 @@ INNER JOIN sys.server_principals AS members ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; GO +CREATE TABLE sadm_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + create table securityadmin_tb1(a int) go diff --git a/test/JDBC/input/securityadmin_role-vu-verify.mix b/test/JDBC/input/securityadmin_role-vu-verify.mix index f121db6062..695a65ab8a 100644 --- a/test/JDBC/input/securityadmin_role-vu-verify.mix +++ b/test/JDBC/input/securityadmin_role-vu-verify.mix @@ -1,10 +1,26 @@ -- tsql +select is_srvrolemember('sysadmin', 'securityadmin') +go + +select is_srvrolemember('securityadmin', 'sysadmin') +go + alter login securityadmin_login1 with password='123' go alter login no_securityadmin_login1 with password='123' go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO + -- make login member of securityadmin Alter server role securityadmin add member securityadmin_login1 go @@ -375,6 +391,16 @@ go create user securityadmin_user1 for login securityadmin_login1 go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO + -- terminate-tsql-conn -- tsql user=securityadmin_login1 password=123 diff --git a/test/JDBC/input/test_windows_login-vu-prepare.mix b/test/JDBC/input/test_windows_login-vu-prepare.mix index cfc5d8c6d9..94fcf8e5fd 100644 --- a/test/JDBC/input/test_windows_login-vu-prepare.mix +++ b/test/JDBC/input/test_windows_login-vu-prepare.mix @@ -1,4 +1,4 @@ --- sla 70000 +-- sla 80000 -- TODO: BABEL-5349 -- psql do @@ -8,6 +8,7 @@ $$ begin end if; end $$; GO +-- terminate-psql-conn -- tsql CREATE DATABASE ad_db; diff --git a/test/JDBC/upgrade/15_11/schedule b/test/JDBC/upgrade/15_11/schedule index 1d3ce48c32..45d0080885 100644 --- a/test/JDBC/upgrade/15_11/schedule +++ b/test/JDBC/upgrade/15_11/schedule @@ -547,6 +547,7 @@ securityadmin_role cast-varchar-to-time xml_exist-before-16_5 BABEL-5119_before_16_5 +dbcreator_role db_accessadmin BABEL-CASE_EXPR datareader_datawriter diff --git a/test/JDBC/upgrade/15_5/schedule b/test/JDBC/upgrade/15_5/schedule index 33e3acebce..cf134b2bef 100644 --- a/test/JDBC/upgrade/15_5/schedule +++ b/test/JDBC/upgrade/15_5/schedule @@ -535,6 +535,7 @@ cast-varchar-to-time db_accessadmin xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 smalldatetime_date_cmp diff --git a/test/JDBC/upgrade/15_6/schedule b/test/JDBC/upgrade/15_6/schedule index 48ef235a98..553bd720a1 100644 --- a/test/JDBC/upgrade/15_6/schedule +++ b/test/JDBC/upgrade/15_6/schedule @@ -550,6 +550,7 @@ cast-varchar-to-time db_accessadmin xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 smalldatetime_date_cmp diff --git a/test/JDBC/upgrade/15_7/schedule b/test/JDBC/upgrade/15_7/schedule index 7881523e76..28ab56f2fc 100644 --- a/test/JDBC/upgrade/15_7/schedule +++ b/test/JDBC/upgrade/15_7/schedule @@ -558,6 +558,7 @@ db_accessadmin xml_exist-before-16_5 GRANT_SCHEMA-before-15_9-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 smalldatetime_date_cmp diff --git a/test/JDBC/upgrade/15_8/schedule b/test/JDBC/upgrade/15_8/schedule index a3cd2d0dcf..0a0870ceb8 100644 --- a/test/JDBC/upgrade/15_8/schedule +++ b/test/JDBC/upgrade/15_8/schedule @@ -549,6 +549,7 @@ db_accessadmin xml_exist-before-16_5 GRANT_SCHEMA-before-15_9-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 smalldatetime_date_cmp diff --git a/test/JDBC/upgrade/16_1/schedule b/test/JDBC/upgrade/16_1/schedule index 1a424da7d1..7cf473a34e 100644 --- a/test/JDBC/upgrade/16_1/schedule +++ b/test/JDBC/upgrade/16_1/schedule @@ -543,6 +543,7 @@ BABEL-5059_before_16_5 cast-varchar-to-time db_accessadmin securityadmin_role +dbcreator_role xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 datareader_datawriter diff --git a/test/JDBC/upgrade/16_2/schedule b/test/JDBC/upgrade/16_2/schedule index 17b8fbbf36..95dbf578b9 100644 --- a/test/JDBC/upgrade/16_2/schedule +++ b/test/JDBC/upgrade/16_2/schedule @@ -555,6 +555,7 @@ replace-before-15_8-or-16_4 binary-datatype-operators BABEL-5059_before_16_5 cast-varchar-to-time +dbcreator_role db_accessadmin xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 diff --git a/test/JDBC/upgrade/16_3/schedule b/test/JDBC/upgrade/16_3/schedule index 56cf1517e6..da37dc3d48 100644 --- a/test/JDBC/upgrade/16_3/schedule +++ b/test/JDBC/upgrade/16_3/schedule @@ -565,6 +565,7 @@ BABEL-CASE_EXPR-before-16_5-or-15_9 BABEL-5186 BABEL-2736-before-16_5 smalldatetime_date_cmp +dbcreator_role securityadmin_role datareader_datawriter BABEL-5186 diff --git a/test/JDBC/upgrade/16_4/schedule b/test/JDBC/upgrade/16_4/schedule index d60a9b6659..22bcc3db36 100644 --- a/test/JDBC/upgrade/16_4/schedule +++ b/test/JDBC/upgrade/16_4/schedule @@ -575,6 +575,7 @@ db_accessadmin GRANT_SCHEMA-before-15_9-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 charindex_replace_patindex +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 smalldatetime_date_cmp diff --git a/test/JDBC/upgrade/16_6/schedule b/test/JDBC/upgrade/16_6/schedule index f04a1ba0e9..b311f0b97f 100644 --- a/test/JDBC/upgrade/16_6/schedule +++ b/test/JDBC/upgrade/16_6/schedule @@ -585,4 +585,5 @@ smalldatetime_date_cmp securityadmin_role db_accessadmin datareader_datawriter +dbcreator_role diff --git a/test/JDBC/upgrade/latest/schedule b/test/JDBC/upgrade/latest/schedule index aef6d05ccc..5a70ed86b0 100644 --- a/test/JDBC/upgrade/latest/schedule +++ b/test/JDBC/upgrade/latest/schedule @@ -581,6 +581,7 @@ cast-varchar-to-time xml_exist test_db_collation BABEL-5119 +dbcreator_role BABEL-5129 db_accessadmin BABEL-CASE_EXPR