diff --git a/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql b/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql index 3a99c06d2d1..6df4e5691a1 100644 --- a/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql +++ b/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql @@ -2122,7 +2122,7 @@ BEGIN LEFT OUTER JOIN pg_catalog.pg_roles AS Base4 ON Base4.rolname = Bsdb.owner WHERE Ext1.database_name = DB_NAME() AND (Ext1.type != 'R' OR Ext1.type != 'A') - AND Ext1.orig_username NOT IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter') ORDER BY UserName, RoleName; END -- If the security account is the db fixed role - db_owner @@ -2154,7 +2154,7 @@ BEGIN WHERE Ext1.database_name = DB_NAME() AND Ext2.database_name = DB_NAME() AND Ext1.type = 'R' - AND Ext2.orig_username NOT IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + AND Ext2.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter') AND (Ext1.orig_username = @name_in_db OR pg_catalog.lower(Ext1.orig_username) = pg_catalog.lower(@name_in_db)) ORDER BY Role_name, Users_in_role; END @@ -2192,7 +2192,7 @@ BEGIN LEFT OUTER JOIN pg_catalog.pg_roles AS Base4 ON Base4.rolname = Bsdb.owner WHERE Ext1.database_name = DB_NAME() AND (Ext1.type != 'R' OR Ext1.type != 'A') - AND Ext1.orig_username NOT IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter') AND (Ext1.orig_username = @name_in_db OR pg_catalog.lower(Ext1.orig_username) = pg_catalog.lower(@name_in_db)) ORDER BY UserName, RoleName; END 
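Review bot: The context predicate `(Ext1.type != 'R' OR Ext1.type != 'A')` directly above the edited `NOT IN` list is true for every non-NULL `type`, so it filters nothing and leaves the hard-coded fixed-role name list to do the excluding in this WHERE clause. If the intent is to exclude both kinds, it should read `AND Ext1.type NOT IN ('R', 'A')`. The same predicate appears in the third hunk of this file (`@@ -2192,7`) and in the matching hunks of the 4.3.0--4.4.0 upgrade script. The enclosing procedure starts and ends outside these hunks, so confirm what the two type codes are meant to exclude before changing it.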
@@ -2352,18 +2352,19 @@ CREATE OR REPLACE PROCEDURE sys.sp_helpdbfixedrole("@rolename" sys.SYSNAME = NUL $$ BEGIN -- Returns a list of the fixed database roles. - IF LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + IF LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) IN ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_datareader', 'db_datawriter') BEGIN SELECT CAST(DbFixedRole as sys.SYSNAME) AS DbFixedRole, CAST(Description AS sys.nvarchar(70)) AS Description FROM ( VALUES ('db_owner', 'DB Owners'), ('db_accessadmin', 'DB Access Administrators'), + ('db_securityadmin', 'DB Security Administrators'), ('db_datareader', 'DB Data Reader'), ('db_datawriter', 'DB Data Writer')) x(DbFixedRole, Description) WHERE LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) = DbFixedRole; END ELSE IF LOWER(RTRIM(@rolename)) IN ( - 'db_securityadmin','db_ddladmin', 'db_backupoperator', - 'db_datareader', 'db_datawriter', 'db_denydatareader', 'db_denydatawriter') + 'db_ddladmin', 'db_backupoperator', + 'db_denydatareader', 'db_denydatawriter') BEGIN -- Return an empty result set instead of raising an error SELECT CAST(NULL AS sys.SYSNAME) AS DbFixedRole, CAST(NULL AS sys.nvarchar(70)) AS Description diff --git a/contrib/babelfishpg_tsql/sql/ownership.sql b/contrib/babelfishpg_tsql/sql/ownership.sql index fe902ff840f..7e9e62a338e 100644 --- a/contrib/babelfishpg_tsql/sql/ownership.sql +++ b/contrib/babelfishpg_tsql/sql/ownership.sql 
@@ -260,10 +260,15 @@ LANGUAGE plpgsql AS $$ DECLARE reserved_roles varchar[] := ARRAY['sysadmin', 'securityadmin', 'dbcreator', - 'master_dbo', 'master_guest', 'master_db_owner', 'master_db_accessadmin', 'master_db_datareader', 'master_db_datawriter', - 'tempdb_dbo', 'tempdb_guest', 'tempdb_db_owner', 'tempdb_db_accessadmin', 'tempdb_db_datareader', 'tempdb_db_datawriter', - 'msdb_dbo', 'msdb_guest', 'msdb_db_owner', 'msdb_db_accessadmin', 'msdb_db_datareader', 'msdb_db_datawriter']; - + 'master_dbo', 'master_guest', 'master_db_owner', + 'master_db_accessadmin', 'master_db_securityadmin', + 'master_db_datareader', 'master_db_datawriter', + 'tempdb_dbo', 'tempdb_guest', 'tempdb_db_owner', + 'tempdb_db_accessadmin', 'tempdb_db_securityadmin', + 'tempdb_db_datareader', 'tempdb_db_datawriter', + 'msdb_dbo', 'msdb_guest', 'msdb_db_owner', + 'msdb_db_accessadmin', 'msdb_db_securityadmin', + 'msdb_db_datareader', 'msdb_db_datawriter']; user_id oid := -1; db_name name := NULL; role_name varchar; @@ -465,7 +470,7 @@ ON Base.rolname = Ext.rolname LEFT OUTER JOIN pg_catalog.pg_roles Base2 ON Ext.login_name = Base2.rolname WHERE Ext.database_name = DB_NAME() - AND (Ext.orig_username IN ('dbo', 'db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'guest') -- system users should always be visible + AND (Ext.orig_username IN ('dbo', 'db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'guest') -- system users should always be visible OR pg_has_role(Ext.rolname, 'MEMBER')) -- Current user should be able to see users it has permission of UNION ALL SELECT diff --git a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql index 506b04e802e..c73359ec6f4 100644 --- a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql +++ b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql 
@@ -4464,7 +4464,7 @@ ON Base.rolname = Ext.rolname LEFT OUTER JOIN pg_catalog.pg_roles Base2 ON Ext.login_name = Base2.rolname WHERE Ext.database_name = DB_NAME() - AND (Ext.orig_username IN ('dbo', 'db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'guest') -- system users should always be visible + AND (Ext.orig_username IN ('dbo', 'db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'guest') -- system users should always be visible OR pg_has_role(Ext.rolname, 'MEMBER')) -- Current user should be able to see users it has permission of UNION ALL SELECT @@ -4497,18 +4497,19 @@ CREATE OR REPLACE PROCEDURE sys.sp_helpdbfixedrole("@rolename" sys.SYSNAME = NUL $$ BEGIN -- Returns a list of the fixed database roles. - IF LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + IF LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) IN ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_datareader', 'db_datawriter') BEGIN SELECT CAST(DbFixedRole as sys.SYSNAME) AS DbFixedRole, CAST(Description AS sys.nvarchar(70)) AS Description FROM ( VALUES ('db_owner', 'DB Owners'), ('db_accessadmin', 'DB Access Administrators'), + ('db_securityadmin', 'DB Security Administrators'), ('db_datareader', 'DB Data Reader'), ('db_datawriter', 'DB Data Writer')) x(DbFixedRole, Description) WHERE LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) = DbFixedRole; END ELSE IF LOWER(RTRIM(@rolename)) IN ( - 'db_securityadmin','db_ddladmin', 'db_backupoperator', - 'db_datareader', 'db_datawriter', 'db_denydatareader', 'db_denydatawriter') + 'db_ddladmin', 'db_backupoperator', + 'db_denydatareader', 'db_denydatawriter') BEGIN -- Return an empty result set instead of raising an error SELECT CAST(NULL AS sys.SYSNAME) AS DbFixedRole, CAST(NULL AS sys.nvarchar(70)) AS Description 
@@ -4553,8 +4554,7 @@ BEGIN LEFT OUTER JOIN pg_catalog.pg_roles AS Base4 ON Base4.rolname = Bsdb.owner WHERE Ext1.database_name = DB_NAME() AND (Ext1.type != 'R' OR Ext1.type != 'A') - AND Ext1.orig_username != 'db_owner' - AND Ext1.orig_username NOT IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter') ORDER BY UserName, RoleName; END -- If the security account is the db fixed role - db_owner @@ -4586,8 +4586,7 @@ BEGIN WHERE Ext1.database_name = DB_NAME() AND Ext2.database_name = DB_NAME() AND Ext1.type = 'R' - AND Ext2.orig_username != 'db_owner' - AND Ext2.orig_username NOT IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + AND Ext2.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter') AND (Ext1.orig_username = @name_in_db OR pg_catalog.lower(Ext1.orig_username) = pg_catalog.lower(@name_in_db)) ORDER BY Role_name, Users_in_role; END @@ -4625,8 +4624,7 @@ BEGIN LEFT OUTER JOIN pg_catalog.pg_roles AS Base4 ON Base4.rolname = Bsdb.owner WHERE Ext1.database_name = DB_NAME() AND (Ext1.type != 'R' OR Ext1.type != 'A') - AND Ext1.orig_username != 'db_owner' - AND Ext1.orig_username NOT IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter') + AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter') AND (Ext1.orig_username = @name_in_db OR pg_catalog.lower(Ext1.orig_username) = pg_catalog.lower(@name_in_db)) ORDER BY UserName, RoleName; END diff --git a/contrib/babelfishpg_tsql/src/dbcmds.c b/contrib/babelfishpg_tsql/src/dbcmds.c index 69a2d7fe9ee..e435e55d746 100644 --- a/contrib/babelfishpg_tsql/src/dbcmds.c +++ b/contrib/babelfishpg_tsql/src/dbcmds.c 
@@ -87,6 +87,7 @@ gen_createdb_subcmds(const char *dbname, const char *owner) const char *dbo; const char *db_owner; const char *db_accessadmin; + const char *db_securityadmin; const char *guest; const char *guest_schema; Oid owner_oid; @@ -98,6 +99,7 @@ gen_createdb_subcmds(const char *dbname, const char *owner) dbo = get_dbo_role_name(dbname); db_owner = get_db_owner_name(dbname); db_accessadmin = get_db_accessadmin_role_name(dbname); + db_securityadmin = get_db_securityadmin_role_name(dbname); guest = get_guest_role_name(dbname); guest_schema = get_guest_schema_name(dbname); owner_oid = get_role_oid(owner, true); @@ -119,9 +121,14 @@ gen_createdb_subcmds(const char *dbname, const char *owner) if (!owner_is_sa) appendStringInfo(&query, "GRANT dummy TO dummy; "); - /* create db_accessadmin for database */ appendStringInfo(&query, "CREATE ROLE dummy ROLE dummy; "); appendStringInfo(&query, "CREATE ROLE dummy ROLE dummy; "); + + /* create db_accessadmin for database */ + appendStringInfo(&query, "CREATE ROLE dummy ROLE dummy; "); + appendStringInfo(&query, "GRANT CREATE ON DATABASE dummy TO dummy; "); + + /* create db_securityadmin */ appendStringInfo(&query, "CREATE ROLE dummy ROLE dummy; "); appendStringInfo(&query, "GRANT CREATE ON DATABASE dummy TO dummy; "); @@ -146,13 +153,13 @@ gen_createdb_subcmds(const char *dbname, const char *owner) if (guest) { if (!owner_is_sa) - expected_stmt_num = list_length(logins) > 0 ? 14 : 13; + expected_stmt_num = list_length(logins) > 0 ? 16 : 15; else - expected_stmt_num = list_length(logins) > 0 ? 13 : 12; + expected_stmt_num = list_length(logins) > 0 ? 15 : 14; } else { - expected_stmt_num = 10; + expected_stmt_num = 12; if (!owner_is_sa) expected_stmt_num++; 
@@ -194,6 +201,12 @@ gen_createdb_subcmds(const char *dbname, const char *owner) stmt = parsetree_nth_stmt(res, i++); update_GrantStmt(stmt, get_database_name(MyDatabaseId), NULL, db_accessadmin, NULL); + stmt = parsetree_nth_stmt(res, i++); + update_CreateRoleStmt(stmt, db_securityadmin, db_owner, NULL); + + stmt = parsetree_nth_stmt(res, i++); + update_GrantStmt(stmt, get_database_name(MyDatabaseId), NULL, db_securityadmin, NULL); + if (guest) { stmt = parsetree_nth_stmt(res, i++); @@ -221,6 +234,14 @@ gen_createdb_subcmds(const char *dbname, const char *owner) update_CreateSchemaStmt(stmt, guest_schema, guest); } + pfree((char *) schema); + pfree((char *) dbo); + pfree((char *) db_owner); + pfree((char *) db_accessadmin); + pfree((char *) db_securityadmin); + pfree((char *) guest); + pfree((char *) guest_schema); + return res; } @@ -230,6 +251,7 @@ add_fixed_user_roles_to_bbf_authid_user_ext(const char *dbname) const char *dbo; const char *db_owner; const char *db_accessadmin; + const char *db_securityadmin; const char *db_datareader; const char *db_datawriter; const char *guest; @@ -237,6 +259,7 @@ add_fixed_user_roles_to_bbf_authid_user_ext(const char *dbname) dbo = get_dbo_role_name(dbname); db_owner = get_db_owner_name(dbname); db_accessadmin = get_db_accessadmin_role_name(dbname); + db_securityadmin = get_db_securityadmin_role_name(dbname); guest = get_guest_role_name(dbname); db_datareader = get_db_datareader_name(dbname); db_datawriter = get_db_datawriter_name(dbname); 
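Review bot: The cleanup block added before `return res` in gen_createdb_subcmds calls `pfree((char *) guest)` unconditionally, although the function guards its earlier uses with `if (guest)`; pfree() does not accept NULL, so if get_guest_role_name() can return NULL, as that guard implies, this crashes. Guard it as `if (guest) pfree((char *) guest);`. Freeing the names before returning the parse tree is also only safe if update_CreateRoleStmt, update_GrantStmt and update_CreateSchemaStmt copy their string arguments rather than storing the pointers; the explicit `pstrdup()` calls passed to update_DropOwnedStmt in gen_dropdb_subcmds suggest this is not guaranteed, so please confirm. The cleanup blocks added to add_fixed_user_roles_to_bbf_authid_user_ext and gen_dropdb_subcmds depend on the same assumption and leave db_datareader and db_datawriter unfreed.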
@@ -244,8 +267,9 @@ add_fixed_user_roles_to_bbf_authid_user_ext(const char *dbname) add_to_bbf_authid_user_ext(dbo, DBO, dbname, DBO, NULL, false, true, false); add_to_bbf_authid_user_ext(db_owner, DB_OWNER, dbname, NULL, NULL, true, true, false); add_to_bbf_authid_user_ext(db_accessadmin, DB_ACCESSADMIN, dbname, NULL, NULL, true, true, false); - add_to_bbf_authid_user_ext(db_datareader, DB_DATAREADER, dbname, NULL, NULL, true, true, false); - add_to_bbf_authid_user_ext(db_datawriter, DB_DATAWRITER, dbname, NULL, NULL, true, true, false); + add_to_bbf_authid_user_ext(db_securityadmin, DB_SECURITYADMIN, dbname, NULL, NULL, true, false, false); + add_to_bbf_authid_user_ext(db_datareader, DB_DATAREADER, dbname, NULL, NULL, true, false, false); + add_to_bbf_authid_user_ext(db_datawriter, DB_DATAWRITER, dbname, NULL, NULL, true, false, false); /* * For master, tempdb and msdb databases, the guest user will be @@ -255,6 +279,12 @@ add_fixed_user_roles_to_bbf_authid_user_ext(const char *dbname) add_to_bbf_authid_user_ext(guest, "guest", dbname, "guest", NULL, false, true, false); else add_to_bbf_authid_user_ext(guest, "guest", dbname, "guest", NULL, false, false, false); + + pfree((char *) dbo); + pfree((char *) db_owner); + pfree((char *) db_accessadmin); + pfree((char *) db_securityadmin); + pfree((char *) guest); } /* @@ -267,11 +297,12 @@ gen_dropdb_subcmds(const char *dbname, List *db_users) List *stmt_list; ListCell *elem; Node *stmt; - int expected_stmts = 10; + int expected_stmts = 12; int i = 0; const char *dbo; const char *db_owner; const char *db_accessadmin; + const char *db_securityadmin; const char *schema; const char *guest_schema; const char *db_datareader; 
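Review bot: The seventh argument of add_to_bbf_authid_user_ext() changes from `true` to `false` for the existing db_datareader and db_datawriter entries here, which is a behaviour change unrelated to adding db_securityadmin and is not explained anywhere in the hunk. The same flip is made in create_db_roles_in_database further down. If that argument is the database-access flag (the signature is outside this diff), databases created before this commit keep the old value while new ones get the new one, unless the upgrade script rewrites the catalog rows, which the visible upgrade hunks do not do. Either move it to its own commit, or add a one-line comment above the three calls stating why these roles are registered with `false` while db_owner and db_accessadmin keep `true`.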
@@ -280,6 +311,7 @@ gen_dropdb_subcmds(const char *dbname, List *db_users) dbo = get_dbo_role_name(dbname); db_owner = get_db_owner_name(dbname); db_accessadmin = get_db_accessadmin_role_name(dbname); + db_securityadmin = get_db_securityadmin_role_name(dbname); schema = get_dbo_schema_name(dbname); guest_schema = get_guest_schema_name(dbname); db_datareader = get_db_datareader_name(dbname); @@ -294,8 +326,11 @@ gen_dropdb_subcmds(const char *dbname, List *db_users) { char *user_name = (char *) lfirst(elem); - if (strcmp(user_name, db_owner) != 0 && strcmp(user_name, dbo) != 0 && - strcmp(user_name, db_accessadmin) != 0 && strcmp(user_name, db_datareader) != 0 && + if (strcmp(user_name, db_owner) != 0 && + strcmp(user_name, dbo) != 0 && + strcmp(user_name, db_accessadmin) != 0 && + strcmp(user_name, db_securityadmin) != 0 && + strcmp(user_name, db_datareader) != 0 && strcmp(user_name, db_datawriter) != 0) { appendStringInfo(&query, "DROP OWNED BY dummy CASCADE; "); @@ -303,12 +338,16 @@ gen_dropdb_subcmds(const char *dbname, List *db_users) expected_stmts += 2; } } - appendStringInfo(&query, "DROP OWNED BY dummy, dummy, dummy CASCADE; "); + appendStringInfo(&query, "DROP OWNED BY dummy, dummy, dummy, dummy CASCADE; "); - /* Then drop db_accessadmin, db_owner and dbo in that order */ + /* + * Then drop db_datareader, db_datawriter, db_securityadmin, db_accessadmin, + * db_owner and dbo in that order + */ appendStringInfo(&query, "DROP ROLE dummy; "); appendStringInfo(&query, "DROP ROLE dummy; "); - + appendStringInfo(&query, "REVOKE CREATE ON DATABASE dummy FROM dummy; "); + appendStringInfo(&query, "DROP ROLE dummy; "); appendStringInfo(&query, "REVOKE CREATE ON DATABASE dummy FROM dummy; "); appendStringInfo(&query, "DROP ROLE dummy; "); appendStringInfo(&query, "REVOKE CREATE, CONNECT, TEMPORARY ON DATABASE dummy FROM dummy; "); 
@@ -333,8 +372,11 @@ gen_dropdb_subcmds(const char *dbname, List *db_users) { char *user_name = (char *) lfirst(elem); - if (strcmp(user_name, db_owner) != 0 && strcmp(user_name, dbo) != 0 && - strcmp(user_name, db_accessadmin) != 0 && strcmp(user_name, db_datareader) != 0 && + if (strcmp(user_name, db_owner) != 0 && + strcmp(user_name, dbo) != 0 && + strcmp(user_name, db_accessadmin) != 0 && + strcmp(user_name, db_securityadmin) != 0 && + strcmp(user_name, db_datareader) != 0 && strcmp(user_name, db_datawriter) != 0) { stmt = parsetree_nth_stmt(stmt_list, i++); @@ -346,13 +388,18 @@ gen_dropdb_subcmds(const char *dbname, List *db_users) } stmt = parsetree_nth_stmt(stmt_list, i++); - update_DropOwnedStmt(stmt, list_make3(pstrdup(db_accessadmin), pstrdup(db_owner), pstrdup(dbo))); + update_DropOwnedStmt(stmt, list_make4(pstrdup(db_securityadmin), pstrdup(db_accessadmin), pstrdup(db_owner), pstrdup(dbo))); stmt = parsetree_nth_stmt(stmt_list, i++); update_DropRoleStmt(stmt, db_datareader); stmt = parsetree_nth_stmt(stmt_list, i++); update_DropRoleStmt(stmt, db_datawriter); + stmt = parsetree_nth_stmt(stmt_list, i++); + update_GrantStmt(stmt, get_database_name(MyDatabaseId), NULL, db_securityadmin, NULL); + stmt = parsetree_nth_stmt(stmt_list, i++); + update_DropRoleStmt(stmt, db_securityadmin); + stmt = parsetree_nth_stmt(stmt_list, i++); update_GrantStmt(stmt, get_database_name(MyDatabaseId), NULL, db_accessadmin, NULL); stmt = parsetree_nth_stmt(stmt_list, i++); @@ -366,6 +413,13 @@ gen_dropdb_subcmds(const char *dbname, List *db_users) stmt = parsetree_nth_stmt(stmt_list, i++); update_DropRoleStmt(stmt, dbo); + pfree((char *) dbo); + pfree((char *) db_owner); + pfree((char *) db_accessadmin); + pfree((char *) db_securityadmin); + pfree((char *) schema); + pfree((char *) guest_schema); + return stmt_list; } 
@@ -1417,12 +1471,14 @@ create_db_roles_in_database(const char *dbname, List *parsetree_list) int i = 0; char *db_owner; char *db_accessadmin; + char *db_securityadmin; char *db_datareader; char *db_datawriter; int16 dbid = get_db_id(dbname); db_owner = get_db_owner_name(dbname); db_accessadmin = get_db_accessadmin_role_name(dbname); + db_securityadmin = get_db_securityadmin_role_name(dbname); db_datareader = get_db_datareader_name(dbname); db_datawriter = get_db_datawriter_name(dbname); @@ -1437,12 +1493,23 @@ create_db_roles_in_database(const char *dbname, List *parsetree_list) stmt = parsetree_nth_stmt(parsetree_list, i++); update_CreateRoleStmt(stmt, db_datawriter, db_owner, NULL); + if (OidIsValid(get_role_oid(db_securityadmin, true))) + ereport(ERROR, + (errcode(ERRCODE_DUPLICATE_OBJECT), + errmsg("role \"%s\" already exists. Please drop the role and restart upgrade.", db_securityadmin))); + stmt = parsetree_nth_stmt(parsetree_list, i++); update_CreateRoleStmt(stmt, db_accessadmin, db_owner, NULL); stmt = parsetree_nth_stmt(parsetree_list, i++); update_GrantStmt(stmt, get_database_name(MyDatabaseId), NULL, db_accessadmin, NULL); + stmt = parsetree_nth_stmt(parsetree_list, i++); + update_CreateRoleStmt(stmt, db_securityadmin, db_owner, NULL); + + stmt = parsetree_nth_stmt(parsetree_list, i++); + update_GrantStmt(stmt, get_database_name(MyDatabaseId), NULL, db_securityadmin, NULL); + GetUserIdAndSecContext(&save_userid, &save_sec_context); PG_TRY(); 
@@ -1451,8 +1518,9 @@ create_db_roles_in_database(const char *dbname, List *parsetree_list) SetConfigOption("createrole_self_grant", "inherit", PGC_USERSET, PGC_S_OVERRIDE); add_to_bbf_authid_user_ext(db_accessadmin, DB_ACCESSADMIN, dbname, NULL, NULL, true, true, false); - add_to_bbf_authid_user_ext(db_datareader, DB_DATAREADER, dbname, NULL, NULL, true, true, false); - add_to_bbf_authid_user_ext(db_datawriter, DB_DATAWRITER, dbname, NULL, NULL, true, true, false); + add_to_bbf_authid_user_ext(db_securityadmin, DB_SECURITYADMIN, dbname, NULL, NULL, true, false, false); + add_to_bbf_authid_user_ext(db_datareader, DB_DATAREADER, dbname, NULL, NULL, true, false, false); + add_to_bbf_authid_user_ext(db_datawriter, DB_DATAWRITER, dbname, NULL, NULL, true, false, false); foreach(parsetree_item, parsetree_list) { @@ -1492,6 +1560,7 @@ create_db_roles_in_database(const char *dbname, List *parsetree_list) SetUserIdAndSecContext(save_userid, save_sec_context); pfree(db_owner); pfree(db_accessadmin); + pfree(db_securityadmin); pfree(db_datareader); pfree(db_datawriter); } @@ -1540,6 +1609,9 @@ create_db_roles_during_upgrade(PG_FUNCTION_ARGS) appendStringInfo(&query, "CREATE ROLE dummy ROLE dummy; "); appendStringInfo(&query, "GRANT CREATE ON DATABASE dummy TO dummy; "); + appendStringInfo(&query, "CREATE ROLE dummy ROLE dummy; "); + appendStringInfo(&query, "GRANT CREATE ON DATABASE dummy TO dummy; "); + parsetree_list = raw_parser(query.data, RAW_PARSE_DEFAULT); sysdatabase_rel = table_open(sysdatabases_oid, RowExclusiveLock); diff --git a/contrib/babelfishpg_tsql/src/hooks.c b/contrib/babelfishpg_tsql/src/hooks.c index 0df96f624c4..eb76fc240d0 100644 --- a/contrib/babelfishpg_tsql/src/hooks.c +++ b/contrib/babelfishpg_tsql/src/hooks.c @@ -34,6 +34,7 @@ #include "common/logging.h" #include "executor/execExpr.h" #include "funcapi.h" +#include "libpq/libpq.h" #include "miscadmin.h" #include "nodes/makefuncs.h" #include "nodes/nodeFuncs.h" 
@@ -176,6 +177,7 @@ static bool pltsql_bbfCustomProcessUtility(ParseState *pstate, ParamListInfo params, QueryCompletion *qc); extern void pltsql_bbfSelectIntoUtility(ParseState *pstate, PlannedStmt *pstmt, const char *queryString, QueryEnvironment *queryEnv, ParamListInfo params, QueryCompletion *qc, ObjectAddress *address); +static void handle_grantstmt_for_dbsecadmin(ObjectType objType, Oid objId, Oid ownerId, AclMode privileges, Oid *grantorId, AclMode *grantOptions); /***************************************** * Executor Hooks @@ -283,6 +285,7 @@ static pltsql_strpos_non_determinstic_hook_type prev_pltsql_strpos_non_determins static pltsql_replace_non_determinstic_hook_type prev_pltsql_replace_non_determinstic_hook = NULL; static pltsql_is_partitioned_table_reloptions_allowed_hook_type prev_pltsql_is_partitioned_table_reloptions_allowed_hook = NULL; static ExecFuncProc_AclCheck_hook_type prev_ExecFuncProc_AclCheck_hook = NULL; +static bbf_execute_grantstmt_as_dbsecadmin_hook_type prev_bbf_execute_grantstmt_as_dbsecadmin_hook = NULL; /***************************************** * Install / Uninstall @@ -495,6 +498,9 @@ InstallExtendedHooks(void) prev_ExecFuncProc_AclCheck_hook = ExecFuncProc_AclCheck_hook; ExecFuncProc_AclCheck_hook = pltsql_ExecFuncProc_AclCheck; + + prev_bbf_execute_grantstmt_as_dbsecadmin_hook = bbf_execute_grantstmt_as_dbsecadmin_hook; + bbf_execute_grantstmt_as_dbsecadmin_hook = handle_grantstmt_for_dbsecadmin; pltsql_get_object_identity_event_trigger_hook = pltsql_get_object_identity_event_trigger; } 
@@ -565,6 +571,7 @@ UninstallExtendedHooks(void) pltsql_replace_non_determinstic_hook = prev_pltsql_replace_non_determinstic_hook; pltsql_is_partitioned_table_reloptions_allowed_hook = prev_pltsql_is_partitioned_table_reloptions_allowed_hook; ExecFuncProc_AclCheck_hook = prev_ExecFuncProc_AclCheck_hook; + bbf_execute_grantstmt_as_dbsecadmin_hook = prev_bbf_execute_grantstmt_as_dbsecadmin_hook; bbf_InitializeParallelDSM_hook = NULL; bbf_ParallelWorkerMain_hook = NULL; 
@@ -5533,3 +5540,89 @@ pltsql_get_object_identity_event_trigger(ObjectAddress* address) } return identity; } + +/* + * Allows execution of GRANT/REVOKE statement if current_user is member of db_securityadmin + * given that GRANT/REVOKE is being executed on current database's object. It is being + * ensured that schema of given object(in GRANT/REVOKE statement) belongs to current database. + */ +static void +handle_grantstmt_for_dbsecadmin(ObjectType objType, Oid objId, Oid ownerId, + AclMode privileges, Oid *grantorId, AclMode *grantOptions) +{ + ObjectAddress address; + Oid classid = InvalidOid; + Oid schema_oid = InvalidOid; + + /* + * Return if any of following condition is true + * 1. Not a TDS client + * 2. Not a TSQL dialect + * 3. Grantor is same as owner OR Grantor already has all the required privileges. + * This means already the best grantor has been selected using select_best_grantor(). + */ + if (!MyProcPort->is_tds_conn || + sql_dialect != SQL_DIALECT_TSQL || + *grantorId == ownerId || + *grantOptions == ACL_GRANT_OPTION_FOR(privileges)) + return; + + switch(objType) + { + case OBJECT_TABLE: + case OBJECT_COLUMN: + case OBJECT_VIEW: + classid = RelationRelationId; + break; + case OBJECT_FUNCTION: + case OBJECT_PROCEDURE: + classid = ProcedureRelationId; + break; + case OBJECT_SCHEMA: + classid = NamespaceRelationId; + break; + default: + break; + } + + if (!OidIsValid(classid)) + return; + + if (classid == NamespaceRelationId) + { + schema_oid = objId; + } + else + { + ObjectAddressSet(address, classid, objId); + schema_oid = get_object_namespace(&address); + } + + if (OidIsValid(schema_oid)) + { + /* + * Don't allow if object's schema is not from current database OR + * it is a shared schema. + */ + if (!is_schema_from_db(schema_oid, get_cur_db_id())) + { + return; + } + else + { + /* + * Check if current user is member of db_securityadmin role. + * If so, then grant/revoke the requested privileges by overriding + * grantId with ownerId. 
+ */ + if (is_member_of_role(GetUserId(), + get_db_securityadmin_oid(get_current_pltsql_db_name(), false))) + { + *grantorId = ownerId; + *grantOptions = ACL_GRANT_OPTION_FOR(privileges); + return; + } + } + } + return; +} diff --git a/contrib/babelfishpg_tsql/src/multidb.c b/contrib/babelfishpg_tsql/src/multidb.c index b2e230c20c4..de313c67c07 100644 --- a/contrib/babelfishpg_tsql/src/multidb.c +++ b/contrib/babelfishpg_tsql/src/multidb.c @@ -1494,10 +1494,35 @@ get_db_accessadmin_oid(const char *dbname, bool missing_ok) char *db_accessadmin_name = get_db_accessadmin_role_name(dbname); Oid db_accessadmin_oid = get_role_oid(db_accessadmin_name, missing_ok); pfree(db_accessadmin_name); - + return db_accessadmin_oid; } +char * +get_db_securityadmin_role_name(const char *dbname) +{ + char *name = palloc0(MAX_BBF_NAMEDATALEND); + + if (get_migration_mode() == SINGLE_DB && strcmp(dbname, "master") != 0 + && strcmp(dbname, "tempdb") != 0 && strcmp(dbname, "msdb") != 0) + snprintf(name, MAX_BBF_NAMEDATALEND, "%s", DB_SECURITYADMIN); + else + snprintf(name, MAX_BBF_NAMEDATALEND, "%s_%s", dbname, DB_SECURITYADMIN); + + truncate_identifier(name, strlen(name), false); + return name; +} + +Oid +get_db_securityadmin_oid(const char *dbname, bool missing_ok) +{ + char *db_securityadmin_name = get_db_securityadmin_role_name(dbname); + Oid db_securityadmin_oid = get_role_oid(db_securityadmin_name, missing_ok); + pfree(db_securityadmin_name); + + return db_securityadmin_oid; +} + char * get_guest_schema_name(const char *dbname) { diff --git a/contrib/babelfishpg_tsql/src/multidb.h b/contrib/babelfishpg_tsql/src/multidb.h index f42f51e9fc6..8058d8ed4ec 100644 --- a/contrib/babelfishpg_tsql/src/multidb.h +++ b/contrib/babelfishpg_tsql/src/multidb.h 
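Review bot: The first test in handle_grantstmt_for_dbsecadmin dereferences `MyProcPort` without a NULL check, and MyProcPort is NULL in backends that have no client connection (background workers, single-user mode), so a GRANT/REVOKE executed there would crash once the hook is installed; start the condition with `MyProcPort == NULL || !MyProcPort->is_tds_conn ||`. The membership test uses `is_member_of_role()` while every other db_securityadmin check in this commit uses `has_privs_of_role()`; because a match here replaces the grantor with the object owner and hands over full grant options, it should use the privilege-aware form so that non-inherited membership does not qualify. `get_db_securityadmin_oid(..., false)` also raises an error when the role is missing, which turns an ordinary permission failure into a role-lookup error on a database whose fixed roles have not been created yet; passing `true` and testing `OidIsValid()` keeps the hook a no-op in that case.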
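Review bot: get_db_securityadmin_role_name and get_db_securityadmin_oid are added without header comments, and the ownership rule matters because this commit adds matching `pfree()` calls in several callers. I would add above the first `/* Returns a palloc'd name of the db_securityadmin role for dbname; the caller must pfree it. */` and note that the unprefixed name is used only in single-db mode for databases other than master, tempdb and msdb. `dbname` is passed straight to `strcmp()`, so a NULL database name would crash; an `Assert(dbname != NULL)` at the top would document that precondition.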
@@ -25,6 +25,8 @@ extern char *get_dbo_role_name(const char *dbname); extern char *get_dbo_role_name_by_mode(const char *dbname, MigrationMode mode); extern char *get_db_owner_name(const char *dbname); extern char *get_db_owner_name_by_mode(const char *dbname, MigrationMode mode); +extern char *get_db_securityadmin_role_name(const char *dbname); +extern Oid get_db_securityadmin_oid(const char *dbname, bool missing_ok); extern Oid get_db_owner_oid(const char *dbname, bool missing_ok); extern char *get_db_accessadmin_role_name(const char *dbname); extern Oid get_db_accessadmin_oid(const char *dbname, bool missing_ok); diff --git a/contrib/babelfishpg_tsql/src/pl_exec-2.c b/contrib/babelfishpg_tsql/src/pl_exec-2.c index 5b57247a470..607e9f9dbec 100644 --- a/contrib/babelfishpg_tsql/src/pl_exec-2.c +++ b/contrib/babelfishpg_tsql/src/pl_exec-2.c @@ -3795,9 +3795,14 @@ exec_stmt_grantschema(PLtsql_execstate *estate, PLtsql_stmt_grantschema *stmt) /* * If the login is not the db owner or the login is not the member of - * sysadmin or login is not the schema owner, then it doesn't have the permission to GRANT/REVOKE. + * sysadmin or login is not the schema owner, + * or current_user is not member of db_securityadmin fixed role + * then it doesn't have the permission to GRANT/REVOKE. */ - if (!is_member_of_role(GetSessionUserId(), get_sysadmin_oid()) && !login_is_db_owner && !object_ownercheck(NamespaceRelationId, schemaOid, GetUserId())) + if (!is_member_of_role(GetSessionUserId(), get_sysadmin_oid()) && + !login_is_db_owner && + !object_ownercheck(NamespaceRelationId, schemaOid, GetUserId()) && + !has_privs_of_role(GetUserId(), get_db_securityadmin_oid(dbname, false))) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("Cannot find the schema \"%s\", because it does not exist or you do not have permission.", stmt->schema_name))); 
diff --git a/contrib/babelfishpg_tsql/src/pl_handler.c b/contrib/babelfishpg_tsql/src/pl_handler.c index 82047225bd6..60fe23fabc9 100644 --- a/contrib/babelfishpg_tsql/src/pl_handler.c +++ b/contrib/babelfishpg_tsql/src/pl_handler.c @@ -3007,11 +3007,13 @@ bbf_ProcessUtility(PlannedStmt *pstmt, char *current_db_name = get_cur_db_name(); if (has_privs_of_role(GetUserId(), get_db_owner_oid(current_db_name, false)) || - (isuser && has_privs_of_role(GetUserId(), get_db_accessadmin_oid(current_db_name, false)))) + (isuser && has_privs_of_role(GetUserId(), get_db_accessadmin_oid(current_db_name, false))) || + (isrole && has_privs_of_role(GetUserId(), get_db_securityadmin_oid(current_db_name, false)))) { /* * members of db_owner can create roles and users * members of db_accessadmin can only create users + * members of db_securityadmin can only create db roles */ } else @@ -3308,13 +3310,13 @@ bbf_ProcessUtility(PlannedStmt *pstmt, char *db_name = get_cur_db_name(); bool is_member_of_db_owner = false; bool is_member_of_db_accessadmin = false; + bool is_member_of_db_securityadmin = false; int save_sec_context; Oid save_userid; Oid db_owner = get_db_owner_oid(db_name, false); Oid db_accessadmin = get_db_accessadmin_oid(db_name, false); + Oid db_securityadmin = get_db_securityadmin_oid(db_name, false); Oid user_oid = get_role_oid(stmt->role->rolename, false); - - /* db principal being altered should be a user or role in the current active logical database */ if ((isuser && get_db_principal_kind(user_oid, db_name) != BBF_USER) || (isrole && get_db_principal_kind(user_oid, db_name) != BBF_ROLE)) ereport(ERROR, @@ -3326,6 +3328,9 @@ bbf_ProcessUtility(PlannedStmt *pstmt, if (!is_member_of_db_owner && isuser) is_member_of_db_accessadmin = has_privs_of_role(GetUserId(), db_accessadmin); + if (!is_member_of_db_owner && isrole) + is_member_of_db_securityadmin = has_privs_of_role(GetUserId(), db_securityadmin); + /* * Check if the current user has privileges. */ 
@@ -3353,11 +3358,13 @@ bbf_ProcessUtility(PlannedStmt *pstmt, else if (strcmp(defel->defname, "rename") == 0) { if (is_member_of_db_owner || (isuser && is_member_of_db_accessadmin && - !has_privs_of_role(user_oid, db_owner))) + !has_privs_of_role(user_oid, db_owner)) || + (isrole && is_member_of_db_securityadmin && !has_privs_of_role(user_oid, db_owner))) { /* * members of db_owner can rename any role or user * members of db_accessadmin can rename users who are not members of db_owner + * member of db_securityadmin can rename users who are not members of db_owner */ } else @@ -3471,6 +3478,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, { Oid db_owner = get_db_owner_oid(db_name, false); Oid db_accessadmin = get_db_accessadmin_oid(db_name, false); + Oid db_securityadmin = get_db_securityadmin_oid(db_name, false); foreach(item, stmt->roles) { @@ -3500,11 +3508,13 @@ bbf_ProcessUtility(PlannedStmt *pstmt, (errcode(ERRCODE_CHECK_VIOLATION), errmsg("Cannot drop the %s '%s'.", db_principal_type, rolspec->rolename))); - if (has_privs_of_role(GetUserId(), db_owner) || (drop_user && has_privs_of_role(GetUserId(), db_accessadmin))) + if (has_privs_of_role(GetUserId(), db_owner) || (drop_user && has_privs_of_role(GetUserId(), db_accessadmin)) || + (drop_role && has_privs_of_role(GetUserId(), db_securityadmin))) { /* * db_owner can drop any user or role in database * db_accessadmin can drop users in a database + * db_securityadmin can drop roles in a database */ } else @@ -3719,6 +3729,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, { const char *db_name = get_current_pltsql_db_name(); Oid db_accessadmin = get_db_accessadmin_oid(db_name, false); + Oid db_securityadmin = get_db_securityadmin_oid(db_name, false); owner_oid = get_rolespec_oid(rolspec, true); /* 
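Review bot: The comment line added in the rename branch, `member of db_securityadmin can rename users who are not members of db_owner`, contradicts the condition above it, which admits db_securityadmin only when `isrole` is set. It should read `members of db_securityadmin can rename roles that are not members of db_owner`. The enclosing bbf_ProcessUtility branch begins outside the hunk, so whether the fixed roles themselves are rejected before this point is not visible here and is worth confirming now that a second role can reach the rename path.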
@@ -3727,8 +3738,9 @@ bbf_ProcessUtility(PlannedStmt *pstmt, * to current user and later alter schema owner using bbf_role_admin */ if (!member_can_set_role(GetUserId(), owner_oid) && - has_privs_of_role(GetUserId(), db_accessadmin) && - (get_db_principal_kind(owner_oid, db_name))) + (has_privs_of_role(GetUserId(), db_accessadmin) || + has_privs_of_role(GetUserId(), db_securityadmin)) && + get_db_principal_kind(owner_oid, db_name)) { create_schema->authrole = NULL; alter_owner = true; @@ -4213,6 +4225,12 @@ bbf_ProcessUtility(PlannedStmt *pstmt, char *db_datawriter = get_db_datawriter_name(dbname); char *db_accessadmin = get_db_accessadmin_role_name(dbname); + /* + * NOTE: GRANT/REVOKE on OBJECT(schema-contained)/SCHEMA are allowed + * if current_user is member of db_securityadmin via engine hooks. + * Please refer handle_grantstmt_for_dbsecadmin() function for more details. + */ + /* Ignore when GRANT statement has no specific named object. */ if (sql_dialect != SQL_DIALECT_TSQL || grant->targtype != ACL_TARGET_OBJECT) break; diff --git a/contrib/babelfishpg_tsql/src/pltsql.h b/contrib/babelfishpg_tsql/src/pltsql.h index 7c71adb5ff6..a8dc527bece 100644 --- a/contrib/babelfishpg_tsql/src/pltsql.h +++ b/contrib/babelfishpg_tsql/src/pltsql.h @@ -1993,6 +1993,7 @@ extern bool insert_bulk_check_constraints; #define DBO "dbo" #define DB_OWNER "db_owner" #define DB_ACCESSADMIN "db_accessadmin" +#define DB_SECURITYADMIN "db_securityadmin" #define DB_DATAREADER "db_datareader" #define DB_DATAWRITER "db_datawriter" 
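Review bot: The widened condition in the `@@ -3727` hunk lets a member of either db_accessadmin or db_securityadmin take the deferred-ownership path for any `owner_oid` where `get_db_principal_kind(owner_oid, db_name)` is non-zero. The CREATE, ALTER and DROP hunks of this commit instead tie db_accessadmin to users and db_securityadmin to roles. If that split is meant to hold for the schema owner too, the result of `get_db_principal_kind` should be compared against `BBF_USER` for the db_accessadmin arm and `BBF_ROLE` for the db_securityadmin arm rather than tested for truth. If any principal kind is intended, a comment saying so would help, because the owner is then changed using bbf_role_admin rather than the caller's own rights. The block starts and ends outside the hunk, so the later owner change is not visible here.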
@@ -2002,9 +2003,10 @@ extern bool insert_bulk_check_constraints; strncmp(dbname, "msdb", 4) == 0) #define IS_FIXED_DB_PRINCIPAL(rolname) \ - (strncmp(rolname, DBO, 3) == 0 || \ - strncmp(rolname, DB_OWNER, 8) == 0 || \ - strncmp(rolname, DB_ACCESSADMIN, 14) == 0 || \ + (strncmp(rolname, DBO, 3) == 0 || \ + strncmp(rolname, DB_OWNER, 8) == 0 || \ + strncmp(rolname, DB_ACCESSADMIN, 14) == 0 || \ + strncmp(rolname, DB_SECURITYADMIN, 16) == 0 || \ strncmp(rolname, DB_DATAREADER, 13) == 0 || \ strncmp(rolname, DB_DATAWRITER, 13) == 0) diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c index 5253171557f..e7330fb04ce 100644 --- a/contrib/babelfishpg_tsql/src/rolecmds.c +++ b/contrib/babelfishpg_tsql/src/rolecmds.c @@ -1846,11 +1846,16 @@ check_alter_role_stmt(GrantRoleStmt *stmt) errmsg("Cannot alter the role '%s', because it does not exist or you do not have permission.", original_user_name))); /* - * Disallow ALTER ROLE if 1. Current login doesn't have permission on the - * granted role, or 2. The current user is trying to add/drop itself from - * the granted role + * Disallow ALTER ROLE if + * 1. Current login doesn't have permission on the granted role + * OR + * 2. Granted role is not a fixed db role or current user is a member of db_securityadmin + * OR + * 3. The current user is trying to add/drop itself from the granted role */ - if (!has_privs_of_role(GetSessionUserId(), granted) || + if ((!has_privs_of_role(GetSessionUserId(), granted) && + !(get_db_principal_kind(granted, db_name) == BBF_ROLE && + has_privs_of_role(GetUserId(), get_db_securityadmin_oid(get_current_pltsql_db_name(), false)))) || grantee == GetUserId()) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), diff --git a/test/JDBC/expected/BABEL-2403.out b/test/JDBC/expected/BABEL-2403.out index 20cd61fe4f1..6ee9a44d8bb 100644 --- a/test/JDBC/expected/BABEL-2403.out +++ b/test/JDBC/expected/BABEL-2403.out 
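Review bot: `strncmp(rolname, DB_SECURITYADMIN, 16) == 0` compares only the 16 characters of the literal, so any name that merely begins with `db_securityadmin` (constructed example: `db_securityadmin_audit`) is classified as a fixed principal. An exact match needs the terminator compared as well, for instance `strcmp(rolname, DB_SECURITYADMIN) == 0`. The neighbouring entries use the same length-of-literal pattern, and the macro's callers are outside this hunk, so it is worth confirming whether anything relies on prefix matching before changing the new line alone.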
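Review bot: The new exemption in check_alter_role_stmt lets a db_securityadmin member change membership of any `granted` role for which `get_db_principal_kind(granted, db_name) == BBF_ROLE`, and nothing in the hunk excludes fixed database roles even though the rewritten comment mentions "not a fixed db role". Whether `BBF_ROLE` covers db_owner and the other fixed roles is not visible here; if it does, membership of db_owner could be granted through this path, so an explicit fixed-role test on the granted role belongs in the condition. The comment also lists the allowed case as item 2 under "Disallow"; clearer would be `* 1. Current login lacks privileges on the granted role, unless that role is a non-fixed db role and the current user is a member of db_securityadmin`. The condition mixes `GetSessionUserId()` with `GetUserId()` and `db_name` with `get_current_pltsql_db_name()`, which deserves a one-line why-comment if intentional.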
@@ -121,6 +121,12 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext m text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} name#!#pg_catalog#!#proname#!#{"Rule": " in babelfish_function_ext must also exist in pg_proc"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} 
@@ -232,6 +238,12 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext m text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} name#!#pg_catalog#!#proname#!#{"Rule": " in babelfish_function_ext must also exist in pg_proc"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} diff --git a/test/JDBC/expected/BABEL-5119-vu-verify.out b/test/JDBC/expected/BABEL-5119-vu-verify.out index f3d4bf26193..5c91ca38ba9 100644 --- a/test/JDBC/expected/BABEL-5119-vu-verify.out +++ b/test/JDBC/expected/BABEL-5119-vu-verify.out @@ -759,6 +759,7 @@ GO ~~START~~ nvarchar#!#varchar db_accessadmin#!#=C +db_securityadmin#!#=C dbo#!#=CTc ~~END~~ diff --git a/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out b/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out index 999d304c1bc..52de3e860b3 100644 --- a/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out +++ b/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out 
@@ -698,24 +698,28 @@ db1_db_accessadmin#!#db_accessadmin#!##!#db1#!# db1_db_datareader#!#db_datareader#!##!#db1#!# db1_db_datawriter#!#db_datawriter#!##!#db1#!# db1_db_owner#!#db_owner#!##!#db1#!# +db1_db_securityadmin#!#db_securityadmin#!##!#db1#!# db1_dbo#!#dbo#!##!#db1#!#dbo db1_guest#!#guest#!##!#db1#!#guest master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ 
@@ -883,18 +887,21 @@ master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ 
@@ -943,30 +950,35 @@ db1_db_accessadmin#!##!#db_accessadmin#!#db1#!# db1_db_datareader#!##!#db_datareader#!#db1#!# db1_db_datawriter#!##!#db_datawriter#!#db1#!# db1_db_owner#!##!#db_owner#!#db1#!# +db1_db_securityadmin#!##!#db_securityadmin#!#db1#!# db1_dbo#!##!#dbo#!#db1#!#dbo db1_guest#!##!#guest#!#db1#!#guest db2_db_accessadmin#!##!#db_accessadmin#!#db2#!# db2_db_datareader#!##!#db_datareader#!#db2#!# db2_db_datawriter#!##!#db_datawriter#!#db2#!# db2_db_owner#!##!#db_owner#!#db2#!# +db2_db_securityadmin#!##!#db_securityadmin#!#db2#!# db2_dbo#!##!#dbo#!#db2#!#dbo db2_guest#!##!#guest#!#db2#!#guest master_db_accessadmin#!##!#db_accessadmin#!#master#!# master_db_datareader#!##!#db_datareader#!#master#!# master_db_datawriter#!##!#db_datawriter#!#master#!# master_db_owner#!##!#db_owner#!#master#!# +master_db_securityadmin#!##!#db_securityadmin#!#master#!# master_dbo#!##!#dbo#!#master#!#dbo master_guest#!##!#guest#!#master#!#guest msdb_db_accessadmin#!##!#db_accessadmin#!#msdb#!# msdb_db_datareader#!##!#db_datareader#!#msdb#!# msdb_db_datawriter#!##!#db_datawriter#!#msdb#!# msdb_db_owner#!##!#db_owner#!#msdb#!# +msdb_db_securityadmin#!##!#db_securityadmin#!#msdb#!# msdb_dbo#!##!#dbo#!#msdb#!#dbo msdb_guest#!##!#guest#!#msdb#!#guest tempdb_db_accessadmin#!##!#db_accessadmin#!#tempdb#!# tempdb_db_datareader#!##!#db_datareader#!#tempdb#!# tempdb_db_datawriter#!##!#db_datawriter#!#tempdb#!# tempdb_db_owner#!##!#db_owner#!#tempdb#!# +tempdb_db_securityadmin#!##!#db_securityadmin#!#tempdb#!# tempdb_dbo#!##!#dbo#!#tempdb#!#dbo tempdb_guest#!##!#guest#!#tempdb#!#guest ~~END~~ @@ -984,6 +996,7 @@ db_accessadmin#!# db_datareader#!# db_datawriter#!# db_owner#!# +db_securityadmin#!# INFORMATION_SCHEMA#!# public#!# sys#!# @@ -1019,6 +1032,7 @@ db_accessadmin#!# db_datareader#!# db_datawriter#!# db_owner#!# +db_securityadmin#!# INFORMATION_SCHEMA#!# public#!# sys#!# 
@@ -1156,24 +1170,28 @@ db2_db_accessadmin#!#db_accessadmin#!##!#db2#!# db2_db_datareader#!#db_datareader#!##!#db2#!# db2_db_datawriter#!#db_datawriter#!##!#db2#!# db2_db_owner#!#db_owner#!##!#db2#!# +db2_db_securityadmin#!#db_securityadmin#!##!#db2#!# db2_dbo#!#dbo#!##!#db2#!#dbo db2_guest#!#guest#!##!#db2#!#guest master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ 
@@ -1192,18 +1210,21 @@ master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ @@ -1479,6 +1500,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA @@ -1499,6 +1521,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA @@ -1518,6 +1541,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA @@ -1536,6 +1560,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA diff --git a/test/JDBC/expected/BABEL-USER.out b/test/JDBC/expected/BABEL-USER.out index ba9aa1de6e9..086c67743cc 100644 --- a/test/JDBC/expected/BABEL-USER.out +++ b/test/JDBC/expected/BABEL-USER.out 
@@ -53,24 +53,28 @@ db1_db_accessadmin#!##!#db_accessadmin#!#db1#!# db1_db_datareader#!##!#db_datareader#!#db1#!# db1_db_datawriter#!##!#db_datawriter#!#db1#!# db1_db_owner#!##!#db_owner#!#db1#!# +db1_db_securityadmin#!##!#db_securityadmin#!#db1#!# db1_dbo#!##!#dbo#!#db1#!#dbo db1_guest#!##!#guest#!#db1#!#guest master_db_accessadmin#!##!#db_accessadmin#!#master#!# master_db_datareader#!##!#db_datareader#!#master#!# master_db_datawriter#!##!#db_datawriter#!#master#!# master_db_owner#!##!#db_owner#!#master#!# +master_db_securityadmin#!##!#db_securityadmin#!#master#!# master_dbo#!##!#dbo#!#master#!#dbo master_guest#!##!#guest#!#master#!#guest msdb_db_accessadmin#!##!#db_accessadmin#!#msdb#!# msdb_db_datareader#!##!#db_datareader#!#msdb#!# msdb_db_datawriter#!##!#db_datawriter#!#msdb#!# msdb_db_owner#!##!#db_owner#!#msdb#!# +msdb_db_securityadmin#!##!#db_securityadmin#!#msdb#!# msdb_dbo#!##!#dbo#!#msdb#!#dbo msdb_guest#!##!#guest#!#msdb#!#guest tempdb_db_accessadmin#!##!#db_accessadmin#!#tempdb#!# tempdb_db_datareader#!##!#db_datareader#!#tempdb#!# tempdb_db_datawriter#!##!#db_datawriter#!#tempdb#!# tempdb_db_owner#!##!#db_owner#!#tempdb#!# +tempdb_db_securityadmin#!##!#db_securityadmin#!#tempdb#!# tempdb_dbo#!##!#dbo#!#tempdb#!#dbo tempdb_guest#!##!#guest#!#tempdb#!#guest ~~END~~ @@ -88,6 +92,7 @@ db_accessadmin#!# db_datareader#!# db_datawriter#!# db_owner#!# +db_securityadmin#!# INFORMATION_SCHEMA#!# public#!# sys#!# diff --git a/test/JDBC/expected/Test-sp_helpdbfixedrole-dep-vu-verify.out b/test/JDBC/expected/Test-sp_helpdbfixedrole-dep-vu-verify.out index 3079345d3fe..8a423a1ceac 100644 --- a/test/JDBC/expected/Test-sp_helpdbfixedrole-dep-vu-verify.out +++ b/test/JDBC/expected/Test-sp_helpdbfixedrole-dep-vu-verify.out @@ -4,6 +4,7 @@ GO varchar#!#nvarchar db_owner#!#DB Owners db_accessadmin#!#DB Access Administrators +db_securityadmin#!#DB Security Administrators db_datareader#!#DB Data Reader db_datawriter#!#DB Data Writer ~~END~~ 
@@ -21,7 +22,7 @@ SELECT dbo.test_sp_helpdbfixedrole_func() GO ~~START~~ int -4 +5 ~~END~~ @@ -29,7 +30,7 @@ SELECT * FROM test_sp_helpdbfixedrole_view GO ~~START~~ int -4 +5 ~~END~~ @@ -37,6 +38,7 @@ EXEC test_sp_helpdbfixedrole_proc 'DB_securityadmin' GO ~~START~~ varchar#!#nvarchar +db_securityadmin#!#DB Security Administrators ~~END~~ diff --git a/test/JDBC/expected/Test-sp_helpdbfixedrole-vu-verify.out b/test/JDBC/expected/Test-sp_helpdbfixedrole-vu-verify.out index 5eee87026f8..24ff4bb1c38 100644 --- a/test/JDBC/expected/Test-sp_helpdbfixedrole-vu-verify.out +++ b/test/JDBC/expected/Test-sp_helpdbfixedrole-vu-verify.out @@ -1,6 +1,6 @@ INSERT INTO test_sp_helpdbfixedrole_tbl (DbFixedRole, Description) EXEC sp_helpdbfixedrole GO -~~ROW COUNT: 4~~ +~~ROW COUNT: 5~~ SELECT DbFixedRole, Description FROM test_sp_helpdbfixedrole_tbl @@ -9,6 +9,7 @@ GO varchar#!#nvarchar db_owner#!#DB Owners db_accessadmin#!#DB Access Administrators +db_securityadmin#!#DB Security Administrators db_datareader#!#DB Data Reader db_datawriter#!#DB Data Writer ~~END~~ @@ -55,6 +56,8 @@ GO INSERT INTO test_sp_helpdbfixedrole_tbl (DbFixedRole, Description) EXEC sp_helpdbfixedrole 'DB_securityadmin' GO +~~ROW COUNT: 1~~ + INSERT INTO test_sp_helpdbfixedrole_tbl (DbFixedRole, Description) EXEC sp_helpdbfixedrole 'db_ddladmin ' GO INSERT INTO test_sp_helpdbfixedrole_tbl (DbFixedRole, Description) EXEC sp_helpdbfixedrole 'DB_backupoperator ' @@ -77,6 +80,7 @@ GO ~~START~~ varchar#!#nvarchar db_accessadmin#!#DB Access Administrators +db_securityadmin#!#DB Security Administrators db_datareader#!#DB Data Reader db_datawriter#!#DB Data Writer ~~END~~ diff --git a/test/JDBC/expected/Test_alter_db_rename-vu-verify.out b/test/JDBC/expected/Test_alter_db_rename-vu-verify.out index 687dd6e3cc3..c435e0dcbde 100644 --- a/test/JDBC/expected/Test_alter_db_rename-vu-verify.out +++ b/test/JDBC/expected/Test_alter_db_rename-vu-verify.out 
@@ -23,6 +23,7 @@ rename_db_database1_db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 rename_db_database1_db_datareader#!##!#db_datareader#!#rename_db_database1 rename_db_database1_db_datawriter#!##!#db_datawriter#!#rename_db_database1 rename_db_database1_db_owner#!##!#db_owner#!#rename_db_database1 +rename_db_database1_db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 rename_db_database1_dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_login2#!#rename_db_login2#!#rename_db_login2#!#rename_db_database1 @@ -87,6 +88,7 @@ rename_db_database2_db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 rename_db_database2_db_datareader#!##!#db_datareader#!#rename_db_database2 rename_db_database2_db_datawriter#!##!#db_datawriter#!#rename_db_database2 rename_db_database2_db_owner#!##!#db_owner#!#rename_db_database2 +rename_db_database2_db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 rename_db_database2_dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_login2#!#rename_db_login2#!#rename_db_login2#!#rename_db_database2 
@@ -198,6 +200,7 @@ thisnewdatabasenameiscasesensit4e1f355d810759b9f1a59b04496ed2e1#!##!#guest#!#thi thisnewdatabasenameiscasesensit72e4dcc7ed25f5536033cf547cd7f001#!##!#db_owner#!#thisnewdatabasenameiscasesensit44f3247005ec268e1a10c736599cfb7e thisnewdatabasenameiscasesensit7de06ed1a7bed768d6641b3e7841314c#!##!#db_datareader#!#thisnewdatabasenameiscasesensit44f3247005ec268e1a10c736599cfb7e thisnewdatabasenameiscasesensit944678472843354d6b3a4354630249a8#!##!#db_accessadmin#!#thisnewdatabasenameiscasesensit44f3247005ec268e1a10c736599cfb7e +thisnewdatabasenameiscasesensit9bafb01adb257f37faf768d9b70d81a7#!##!#db_securityadmin#!#thisnewdatabasenameiscasesensit44f3247005ec268e1a10c736599cfb7e thisnewdatabasenameiscasesensitc4313f9adf0e47cfa5aca25228e02f29#!##!#dbo#!#thisnewdatabasenameiscasesensit44f3247005ec268e1a10c736599cfb7e thisnewdatabasenameiscasesensitfa060d610d6e6cd0271b6ce99b258bcc#!##!#db_datawriter#!#thisnewdatabasenameiscasesensit44f3247005ec268e1a10c736599cfb7e ~~END~~ diff --git a/test/JDBC/expected/Test_rename_db_single-db.out b/test/JDBC/expected/Test_rename_db_single-db.out index 541d3593388..b43269cf494 100644 --- a/test/JDBC/expected/Test_rename_db_single-db.out +++ b/test/JDBC/expected/Test_rename_db_single-db.out @@ -36,6 +36,7 @@ rename_db_database1_db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 rename_db_database1_db_datareader#!##!#db_datareader#!#rename_db_database1 rename_db_database1_db_datawriter#!##!#db_datawriter#!#rename_db_database1 rename_db_database1_db_owner#!##!#db_owner#!#rename_db_database1 +rename_db_database1_db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 rename_db_database1_dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 
@@ -87,6 +88,7 @@ rename_db_database2_db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 rename_db_database2_db_datareader#!##!#db_datareader#!#rename_db_database2 rename_db_database2_db_datawriter#!##!#db_datawriter#!#rename_db_database2 rename_db_database2_db_owner#!##!#db_owner#!#rename_db_database2 +rename_db_database2_db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 rename_db_database2_dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 @@ -138,6 +140,7 @@ rename_db_database1_db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 rename_db_database1_db_datareader#!##!#db_datareader#!#rename_db_database1 rename_db_database1_db_datawriter#!##!#db_datawriter#!#rename_db_database1 rename_db_database1_db_owner#!##!#db_owner#!#rename_db_database1 +rename_db_database1_db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 rename_db_database1_dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 @@ -189,6 +192,7 @@ rename_db_database2_db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 rename_db_database2_db_datareader#!##!#db_datareader#!#rename_db_database2 rename_db_database2_db_datawriter#!##!#db_datawriter#!#rename_db_database2 rename_db_database2_db_owner#!##!#db_owner#!#rename_db_database2 +rename_db_database2_db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 rename_db_database2_dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 
@@ -252,6 +256,7 @@ rename_db_database1_db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 rename_db_database1_db_datareader#!##!#db_datareader#!#rename_db_database1 rename_db_database1_db_datawriter#!##!#db_datawriter#!#rename_db_database1 rename_db_database1_db_owner#!##!#db_owner#!#rename_db_database1 +rename_db_database1_db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 rename_db_database1_dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 @@ -303,6 +308,7 @@ rename_db_database2_db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 rename_db_database2_db_datareader#!##!#db_datareader#!#rename_db_database2 rename_db_database2_db_datawriter#!##!#db_datawriter#!#rename_db_database2 rename_db_database2_db_owner#!##!#db_owner#!#rename_db_database2 +rename_db_database2_db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 rename_db_database2_dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 @@ -354,6 +360,7 @@ rename_db_database1_db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 rename_db_database1_db_datareader#!##!#db_datareader#!#rename_db_database1 rename_db_database1_db_datawriter#!##!#db_datawriter#!#rename_db_database1 rename_db_database1_db_owner#!##!#db_owner#!#rename_db_database1 +rename_db_database1_db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 rename_db_database1_dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 
@@ -405,6 +412,7 @@ rename_db_database2_db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 rename_db_database2_db_datareader#!##!#db_datareader#!#rename_db_database2 rename_db_database2_db_datawriter#!##!#db_datawriter#!#rename_db_database2 rename_db_database2_db_owner#!##!#db_owner#!#rename_db_database2 +rename_db_database2_db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 rename_db_database2_dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 diff --git a/test/JDBC/expected/Test_sp_rename_database-vu-verify.out b/test/JDBC/expected/Test_sp_rename_database-vu-verify.out index 25ed3c274af..1900036990c 100644 --- a/test/JDBC/expected/Test_sp_rename_database-vu-verify.out +++ b/test/JDBC/expected/Test_sp_rename_database-vu-verify.out @@ -23,6 +23,7 @@ sp_rename_database1_db_accessadmin#!##!#db_accessadmin#!#sp_rename_database1 sp_rename_database1_db_datareader#!##!#db_datareader#!#sp_rename_database1 sp_rename_database1_db_datawriter#!##!#db_datawriter#!#sp_rename_database1 sp_rename_database1_db_owner#!##!#db_owner#!#sp_rename_database1 +sp_rename_database1_db_securityadmin#!##!#db_securityadmin#!#sp_rename_database1 sp_rename_database1_dbo#!##!#dbo#!#sp_rename_database1 sp_rename_database1_guest#!##!#guest#!#sp_rename_database1 sp_rename_database1_sp_rename_login2#!#sp_rename_login2#!#sp_rename_login2#!#sp_rename_database1 
@@ -87,6 +88,7 @@ sp_rename_database2_db_accessadmin#!##!#db_accessadmin#!#sp_rename_database2 sp_rename_database2_db_datareader#!##!#db_datareader#!#sp_rename_database2 sp_rename_database2_db_datawriter#!##!#db_datawriter#!#sp_rename_database2 sp_rename_database2_db_owner#!##!#db_owner#!#sp_rename_database2 +sp_rename_database2_db_securityadmin#!##!#db_securityadmin#!#sp_rename_database2 sp_rename_database2_dbo#!##!#dbo#!#sp_rename_database2 sp_rename_database2_guest#!##!#guest#!#sp_rename_database2 sp_rename_database2_sp_rename_login2#!#sp_rename_login2#!#sp_rename_login2#!#sp_rename_database2 @@ -206,6 +208,7 @@ sp_rename_thisnewdatabasenameis21f79a8b66248a73068dca6edd5b0ca3#!##!#guest#!#sp_ sp_rename_thisnewdatabasenameis95c235131f6db63ef16f222aa48d0554#!##!#db_datareader#!#sp_rename_thisnewdatabasenameisb8bd7c94f797959aa629fc2f9e821637 sp_rename_thisnewdatabasenameisa0a5aa90abf2314f4773860fda5e43a2#!##!#db_accessadmin#!#sp_rename_thisnewdatabasenameisb8bd7c94f797959aa629fc2f9e821637 sp_rename_thisnewdatabasenameisc7c7032a834c11dbbbbf4911217c443a#!##!#db_datawriter#!#sp_rename_thisnewdatabasenameisb8bd7c94f797959aa629fc2f9e821637 +sp_rename_thisnewdatabasenameisf37d42f2565acdd17a6e787fa43e9065#!##!#db_securityadmin#!#sp_rename_thisnewdatabasenameisb8bd7c94f797959aa629fc2f9e821637 sp_rename_thisnewdatabasenameisfacf8af797f428fdc401ffddc672894d#!##!#dbo#!#sp_rename_thisnewdatabasenameisb8bd7c94f797959aa629fc2f9e821637 ~~END~~ diff --git a/test/JDBC/expected/Test_sp_renamedb-vu-verify.out b/test/JDBC/expected/Test_sp_renamedb-vu-verify.out index a68d7ab49c5..460a11cb6a6 100644 --- a/test/JDBC/expected/Test_sp_renamedb-vu-verify.out +++ b/test/JDBC/expected/Test_sp_renamedb-vu-verify.out 
@@ -23,6 +23,7 @@ sp_renamedb_database1_db_accessadmin#!##!#db_accessadmin#!#sp_renamedb_database1 sp_renamedb_database1_db_datareader#!##!#db_datareader#!#sp_renamedb_database1 sp_renamedb_database1_db_datawriter#!##!#db_datawriter#!#sp_renamedb_database1 sp_renamedb_database1_db_owner#!##!#db_owner#!#sp_renamedb_database1 +sp_renamedb_database1_db_securityadmin#!##!#db_securityadmin#!#sp_renamedb_database1 sp_renamedb_database1_dbo#!##!#dbo#!#sp_renamedb_database1 sp_renamedb_database1_guest#!##!#guest#!#sp_renamedb_database1 sp_renamedb_database1_sp_renamedb_login2#!#sp_renamedb_login2#!#sp_renamedb_login2#!#sp_renamedb_database1 @@ -87,6 +88,7 @@ sp_renamedb_database2_db_accessadmin#!##!#db_accessadmin#!#sp_renamedb_database2 sp_renamedb_database2_db_datareader#!##!#db_datareader#!#sp_renamedb_database2 sp_renamedb_database2_db_datawriter#!##!#db_datawriter#!#sp_renamedb_database2 sp_renamedb_database2_db_owner#!##!#db_owner#!#sp_renamedb_database2 +sp_renamedb_database2_db_securityadmin#!##!#db_securityadmin#!#sp_renamedb_database2 sp_renamedb_database2_dbo#!##!#dbo#!#sp_renamedb_database2 sp_renamedb_database2_guest#!##!#guest#!#sp_renamedb_database2 sp_renamedb_database2_sp_renamedb_login2#!#sp_renamedb_login2#!#sp_renamedb_login2#!#sp_renamedb_database2 
@@ -205,6 +207,7 @@ sp_renamedb_thisnewdatabasename115699cc11f7805d9b9b640d6455580c#!##!#dbo#!#sp_re sp_renamedb_thisnewdatabasename2a476218bfa8dba9ac86fb898b11e9a5#!##!#db_datawriter#!#sp_renamedb_thisnewdatabasename738bbb14cb857db43c693446c049f0bd sp_renamedb_thisnewdatabasename7052c471c798d0b08c69f719bcd607d7#!##!#db_datareader#!#sp_renamedb_thisnewdatabasename738bbb14cb857db43c693446c049f0bd sp_renamedb_thisnewdatabasenameb0dffbb56deab7ad4e684df689419c65#!##!#db_owner#!#sp_renamedb_thisnewdatabasename738bbb14cb857db43c693446c049f0bd +sp_renamedb_thisnewdatabasenameda6915c331b2fe3a4c4e33126c0366c1#!##!#db_securityadmin#!#sp_renamedb_thisnewdatabasename738bbb14cb857db43c693446c049f0bd sp_renamedb_thisnewdatabasenamedeb7cafbbedd23f312d90e7c10a60901#!##!#guest#!#sp_renamedb_thisnewdatabasename738bbb14cb857db43c693446c049f0bd sp_renamedb_thisnewdatabasenameeeb9e8f522c23281503d418ce3640572#!##!#db_accessadmin#!#sp_renamedb_thisnewdatabasename738bbb14cb857db43c693446c049f0bd ~~END~~ diff --git a/test/JDBC/expected/datareader_datawriter.out b/test/JDBC/expected/datareader_datawriter.out index 8fe304b2bbc..ddc726e3b2d 100644 --- a/test/JDBC/expected/datareader_datawriter.out +++ b/test/JDBC/expected/datareader_datawriter.out @@ -284,7 +284,7 @@ go -- Insert the results of sp_helprole into the temporary table INSERT INTO #UserRoles EXEC sp_helprole; go -~~ROW COUNT: 5~~ +~~ROW COUNT: 6~~ -- Select the desired fields from the temporary table SELECT RoleName, IsAppRole FROM #UserRoles WHERE RoleName IN ('db_datareader', 'db_datawriter'); diff --git a/test/JDBC/expected/db_securityadmin-vu-cleanup.out b/test/JDBC/expected/db_securityadmin-vu-cleanup.out new file mode 100644 index 00000000000..94345389f4c --- /dev/null +++ b/test/JDBC/expected/db_securityadmin-vu-cleanup.out 
@@ -0,0 +1,43 @@
+-- tsql
+USE master
+GO
+DROP DATABASE IF EXISTS babel_5135_db1;
+GO
+DROP ROLE babel_5135_r1;
+GO
+DROP LOGIN babel_5135_l2
+GO
+DROP USER babel_5135_dbsecadmin_u1
+GO
+DROP LOGIN babel_5135_dbsecadmin_l1
+GO
+DROP ROLE babel_5135_dbsecadmin_r1
+GO
+DROP TABLE babel_5135_schema1.babel_5135_t1;
+GO
+DROP VIEW babel_5135_schema1.babel_5135_v1;
+GO
+DROP PROCEDURE babel_5135_schema1.babel_5135_p1;
+GO
+DROP FUNCTION babel_5135_schema1.babel_5135_f1();
+GO
+DROP FUNCTION babel_5135_schema1.babel_5135_tvf1();
+GO
+DROP PROCEDURE babel_5135_roleop_proc1;
+GO
+DROP PROCEDURE babel_5135_roleop_proc2;
+GO
+DROP PROCEDURE babel_5135_roleop_proc3;
+GO
+DROP PROCEDURE babel_5135_schemaop_proc1;
+GO
+DROP PROCEDURE babel_5135_grantop_proc1, babel_5135_revokeop_proc1;
+GO
+DROP SCHEMA babel_5135_schema1;
+GO
+DROP USER babel_5135_u1;
+GO
+DROP LOGIN babel_5135_l1;
+GO
+DROP VIEW babel_5135_show_role_mem;
+GO
diff --git a/test/JDBC/expected/db_securityadmin-vu-prepare.out b/test/JDBC/expected/db_securityadmin-vu-prepare.out
new file mode 100644
index 00000000000..d1c19b8dd44
--- /dev/null
+++ b/test/JDBC/expected/db_securityadmin-vu-prepare.out
@@ -0,0 +1,108 @@ +-- tsql +create login babel_5135_l1 with password='12345678'; +GO + +create user babel_5135_u1 for login babel_5135_l1; +GO + +create role babel_5135_r1; +GO + +create login babel_5135_l2 with password='12345678'; +GO + +create login babel_5135_dbsecadmin_l1 with password='12345678'; +GO + +create user babel_5135_dbsecadmin_u1 for login babel_5135_dbsecadmin_l1; +GO + +create role babel_5135_dbsecadmin_r1; +GO + +create schema babel_5135_schema1; +GO + +create table babel_5135_schema1.babel_5135_t1(a int, b int); +GO + +create view babel_5135_schema1.babel_5135_v1 as select 1; +GO + +CREATE PROC babel_5135_schema1.babel_5135_p1 AS SELECT 1 +GO + +CREATE FUNCTION babel_5135_schema1.babel_5135_f1() RETURNS INT AS BEGIN return 1; END +GO + +CREATE FUNCTION babel_5135_schema1.babel_5135_tvf1() RETURNS TABLE AS RETURN (SELECT a, b FROM babel_5135_schema1.babel_5135_t1); +GO + +CREATE VIEW babel_5135_show_role_mem AS +SELECT +roles.name AS RolePrincipalName +, members.name AS MemberPrincipalName +FROM sys.database_role_members AS db_role_mems +INNER JOIN sys.database_principals AS roles + ON db_role_mems.role_principal_id = roles.principal_id +INNER JOIN sys.database_principals AS members + ON db_role_mems.member_principal_id = members.principal_id order by MemberPrincipalName; +GO + +CREATE PROCEDURE babel_5135_roleop_proc1 AS BEGIN CREATE ROLE babel_5135_role2; ALTER ROLE babel_5135_role2 WITH NAME = babel_5135_role3; DROP ROLE babel_5135_role3; END +GO +CREATE PROCEDURE babel_5135_roleop_proc2 AS BEGIN ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; END +GO +CREATE PROCEDURE babel_5135_roleop_proc3 AS BEGIN ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; END +GO +CREATE PROCEDURE babel_5135_schemaop_proc1 AS BEGIN CREATE SCHEMA babel_5135_sch11; END +GO +CREATE PROCEDURE babel_5135_grantop_proc1 AS BEGIN +GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1; +GRANT SELECT ON 
babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; +GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; +GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; +GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +END +GO +CREATE PROCEDURE babel_5135_revokeop_proc1 AS BEGIN +REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; +REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +END +GO + +GRANT EXECUTE ON babel_5135_roleop_proc1 TO PUBLIC; +GO +GRANT EXECUTE ON babel_5135_roleop_proc2 TO PUBLIC; +GO +GRANT EXECUTE ON babel_5135_roleop_proc3 TO PUBLIC; +GO +GRANT EXECUTE ON babel_5135_schemaop_proc1 TO PUBLIC; +GO +GRANT EXECUTE ON babel_5135_grantop_proc1 TO PUBLIC; +GO +GRANT EXECUTE ON babel_5135_revokeop_proc1 TO PUBLIC; +GO + +create database babel_5135_db1 +GO + +USE babel_5135_db1; +GO + +create user babel_5135_u1 for login babel_5135_l1; +GO + +CREATE VIEW babel_5135_show_role_mem AS +SELECT +roles.name AS RolePrincipalName +, members.name AS MemberPrincipalName +FROM sys.database_role_members AS db_role_mems +INNER JOIN sys.database_principals AS roles + ON db_role_mems.role_principal_id = roles.principal_id +INNER JOIN sys.database_principals AS members + ON db_role_mems.member_principal_id = members.principal_id order by MemberPrincipalName; +GO diff --git a/test/JDBC/expected/db_securityadmin-vu-verify.out b/test/JDBC/expected/db_securityadmin-vu-verify.out new file mode 100644 index 00000000000..33a1c7defb5 --- /dev/null +++ b/test/JDBC/expected/db_securityadmin-vu-verify.out 
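Review bot: The six `GRANT EXECUTE ON babel_5135_*_proc1 TO PUBLIC` statements near the end of the master section make the role, schema and grant/revoke wrapper procedures callable by every principal, yet the verify output in this diff only calls them from the `babel_5135_dbsecadmin_l1` session. Without a negative control, the suite would not notice if the statements inside a procedure were authorised against the procedure's owner rather than the caller's role membership. Consider adding a block to the verify script that runs as a non-member, `-- tsql user=babel_5135_l1 password=12345678` followed by `EXEC babel_5135_grantop_proc1;`, and recording the resulting error. Since this file is expected output, the change belongs in the matching input script, with the .out regenerated.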
@@ -0,0 +1,1317 @@ +-- tsql +-- bbf dump does not dump password so reset the password +ALTER LOGIN babel_5135_l1 WITH PASSWORD='12345678'; +GO + +ALTER LOGIN babel_5135_l2 WITH PASSWORD='12345678'; +GO + +ALTER LOGIN babel_5135_dbsecadmin_l1 WITH PASSWORD='12345678'; +GO + +-- tsql +-- CASE 1 Allowed syntaxes to modify the membership of db_securityadmin + -- CASE 1.1 Validate ALTER ROLE ... ADD/DROP MEMBER + -- CASE 1.2 Validate sp_addrolemember + -- CASE 1.3 Test inside database with truncated name +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_u1; +GO + +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_r1; +GO + +EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_r1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO +~~START~~ +varchar#!#varchar +db_securityadmin#!#babel_5135_r1 +db_securityadmin#!#babel_5135_u1 +~~END~~ + + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_u1; +GO + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_r1; +GO + +EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_r1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO +~~START~~ +varchar#!#varchar +~~END~~ + + +-- CASE 1.3 Test inside database with truncated name +USE babel_5135_db1; +GO + +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_u1; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO +~~START~~ +varchar#!#varchar +db_securityadmin#!#babel_5135_u1 +~~END~~ + + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_u1; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO +~~START~~ +varchar#!#varchar +~~END~~ + + +EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 
'db_securityadmin'; +GO +~~START~~ +varchar#!#varchar +db_securityadmin#!#babel_5135_u1 +~~END~~ + + +EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO +~~START~~ +varchar#!#varchar +~~END~~ + + +USE master; +GO + +-- tsql +-- CASE 2 - Only members of db_owner should be able to modify the membership of db_securityadmin + -- [already covered by CASE 1] CASE 2.1 - Verify members of db_owner can modify the membership + -- CASE 2.2 - Verify that members of db_securityadmin itself can't modify it's own membership +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- it should fail +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the role 'db_securityadmin', because it does not exist or you do not have permission.)~~ + + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_dbsecadmin_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the role 'db_securityadmin', because it does not exist or you do not have permission.)~~ + + +-- tsql +-- CASE 3 - Able to manage database roles + -- CASE 3.1 - CREATE/ALTER/DROP ROLE + -- CASE 3.2 - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked + -- CASE 3.4 - CREATE/ALTER/DROP USER should not be Allowed +-- role created by another user, to test alter/drop on it +CREATE ROLE babel_5135_role1; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +CREATE ROLE babel_5135_role2; +GO + +ALTER ROLE babel_5135_role2 WITH NAME = babel_5135_role3; +GO + +DROP ROLE babel_5135_role3; +GO + +ALTER ROLE babel_5135_role1 WITH NAME = babel_5135_role4; +GO + +DROP ROLE babel_5135_role4; +GO + +-- create/alter/drop role inside procedure +-- execution should be 
succeeded with no error +EXEC babel_5135_roleop_proc1; +GO + +-- CASE 3.2 - ADD/DROP the membership of user-defined database roles +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; +GO + +-- alter role add member inside procedure +-- execution should be succeeded with no error +-- Add +EXEC babel_5135_roleop_proc2; +GO + +-- Drop +EXEC babel_5135_roleop_proc3; +GO + +-- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked +ALTER ROLE db_accessadmin ADD MEMBER babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the role 'db_accessadmin', because it does not exist or you do not have permission.)~~ + + +ALTER ROLE db_owner ADD MEMBER babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Adding members to db_owner is not currently supported in Babelfish)~~ + + +-- CASE 3.4 -- CREATE/ALTER/DROP USER should fail +CREATE USER babel_5135_user1 FOR LOGIN babel_5135_l2; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to perform this action.)~~ + + +ALTER USER babel_5135_u1 WITH NAME = babel_5135_dbsecadmin_u2; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current user does not have privileges to change user name)~~ + + +ALTER USER babel_5135_u1 WITH DEFAULT_SCHEMA=dbo; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current user does not have privileges to change schema)~~ + + +DROP USER babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the user 'babel_5135_u1', because it does not exist or you do not have permission.)~~ + + +-- CASE 4 - CREATE SCHEMA should be allowed +CREATE SCHEMA babel_5135_sch1; +GO + +CREATE SCHEMA babel_5135_sch2 AUTHORIZATION babel_5135_u1; +GO + +SELECT name, sys.user_name(principal_id) FROM sys.schemas WHERE name IN ('babel_5135_sch1','babel_5135_sch2') ORDER BY name; +GO +~~START~~ +varchar#!#nvarchar 
+babel_5135_sch1#!#babel_5135_dbsecadmin_u1 +babel_5135_sch2#!#babel_5135_u1 +~~END~~ + + +-- tsql +-- granting db_securityadmin to guest and create schema +alter role db_securityadmin add member guest; +GO + +-- tsql user=babel_5135_l2 password=12345678 +select current_user; +GO +~~START~~ +varchar +guest +~~END~~ + + +CREATE SCHEMA babel_5135_sch3; +GO + +SELECT name, sys.user_name(principal_id) FROM sys.schemas WHERE name LIKE 'babel_5135_sch3' ORDER BY name; +GO +~~START~~ +varchar#!#nvarchar +babel_5135_sch3#!#guest +~~END~~ + + +DROP SCHEMA babel_5135_sch3; +GO + +-- tsql +alter role db_securityadmin DROP member guest; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- schema creation inside procedure +-- execution should be succeeded with no error +EXEC babel_5135_schemaop_proc1; +GO + +DROP SCHEMA babel_5135_sch11; +GO + +-- ALTER/DROP of unowned schema should not be allowed +-- NOTE: Add testcase when supported +ALTER SCHEMA babel_5135_schema1 TRANSFER t33144; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: 'ALTER SCHEMA' is not currently supported in Babelfish)~~ + + +DROP SCHEMA babel_5135_schema1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of schema master_babel_5135_schema1)~~ + + +DROP SCHEMA babel_5135_sch1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_u1 +~~END~~ + +DROP SCHEMA babel_5135_sch2; +GO + +-- CASE 5 - GRANT/REVOKE management of permissions + -- CASE 5.1 - Validate GRANT/REVOKE of object/schema privileges + -- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects + -- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively + -- CASE 5.4 - Grant/Revoke should not be allowed for show shared schema or any other database's schema +GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + 
+~~ERROR (Message: permission denied for table babel_5135_t1)~~ + + +GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_v1)~~ + + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_p1)~~ + + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_f1)~~ + + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ + + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_u1 +~~END~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_t1)~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for view babel_5135_v1)~~ + + +EXEC babel_5135_schema1.babel_5135_p1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for procedure babel_5135_p1)~~ + + +SELECT babel_5135_schema1.babel_5135_f1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_f1)~~ + + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; +GO + 
+REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_u1 +~~END~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_t1)~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for view babel_5135_v1)~~ + + +EXEC babel_5135_schema1.babel_5135_p1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for procedure babel_5135_p1)~~ + + +SELECT babel_5135_schema1.babel_5135_f1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_f1)~~ + + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- Testing GRANT inside procedure +EXEC babel_5135_grantop_proc1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_u1 +~~END~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO +~~START~~ +int +0 +~~END~~ + +~~ROW COUNT: 1~~ + +~~ROW COUNT: 1~~ + +~~ROW COUNT: 1~~ + + +SELECT COUNT(*) FROM 
babel_5135_schema1.babel_5135_v1; +GO +~~START~~ +int +1 +~~END~~ + + +EXEC babel_5135_schema1.babel_5135_p1; +GO +~~START~~ +int +1 +~~END~~ + + +SELECT babel_5135_schema1.babel_5135_f1(); +GO +~~START~~ +int +1 +~~END~~ + + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO +~~START~~ +int#!#int +~~END~~ + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- Testing revokes inside procedure +EXEC babel_5135_revokeop_proc1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_u1 +~~END~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_t1)~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for view babel_5135_v1)~~ + + +EXEC babel_5135_schema1.babel_5135_p1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for procedure babel_5135_p1)~~ + + +SELECT babel_5135_schema1.babel_5135_f1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_f1)~~ + + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ + + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO babel_5135_u1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_u1 +~~END~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM 
babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO +~~START~~ +int +0 +~~END~~ + +~~ROW COUNT: 1~~ + +~~ROW COUNT: 1~~ + +~~ROW COUNT: 1~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO +~~START~~ +int +1 +~~END~~ + + +EXEC babel_5135_schema1.babel_5135_p1; +GO +~~START~~ +int +1 +~~END~~ + + +SELECT babel_5135_schema1.babel_5135_f1(); +GO +~~START~~ +int +1 +~~END~~ + + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO +~~START~~ +int#!#int +~~END~~ + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM babel_5135_u1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_u1 +~~END~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_t1)~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for view babel_5135_v1)~~ + + +EXEC babel_5135_schema1.babel_5135_p1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for procedure babel_5135_p1)~~ + + +SELECT babel_5135_schema1.babel_5135_f1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_f1)~~ + + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_dbsecadmin_u1 +~~END~~ + + +SELECT COUNT(*) FROM 
babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_t1)~~ + + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for view babel_5135_v1)~~ + + +EXEC babel_5135_schema1.babel_5135_p1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for procedure babel_5135_p1)~~ + + +SELECT babel_5135_schema1.babel_5135_f1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_f1)~~ + + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively +-- execute GRANT via db_securityadmin member and REVOKE it with object owner +GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1; +GO + +GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GO + +-- tsql +REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; +GO + +REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +GO + +-- 
execute GRANT as objectowner/dbo +GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1; +GO + +GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; +GO + +REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- CASE 5.4 - Grant/Revoke should not be allowed for show shared schema or any other database's schema +-- Following error is misleading, will be fixed separately +GRANT SELECT ON sys.database_principals TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Could find logical schema name for: "sys")~~ + + +REVOKE SELECT ON sys.database_principals FROM babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Could find logical schema name for: "sys")~~ + + +GRANT SELECT ON pg_catalog.pg_namespace TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Could find logical schema name for: "pg_catalog")~~ + + +REVOKE SELECT ON pg_catalog.pg_namespace FROM babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Could find logical schema name for: "pg_catalog")~~ + + +REVOKE SELECT ON babel_5135_db1.dbo.babel_5135_show_role_mem TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_show_role_mem)~~ + + +REVOKE SELECT ON 
babel_5135_db1.dbo.babel_5135_show_role_mem FROM babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table babel_5135_show_role_mem)~~ + + +-- tsql +-- CASE 6 - is_member() / is_rolemember() testcases +SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin'); +GO +~~START~~ +int#!#int +0#!#1 +~~END~~ + + +SELECT is_rolemember('db_securityadmin', 'dbo'); +GO +~~START~~ +int +1 +~~END~~ + + +SELECT is_rolemember('db_securityadmin', 'db_owner'); +GO +~~START~~ +int +0 +~~END~~ + + +SELECT is_rolemember('db_securityadmin', 'db_accessadmin'); +GO +~~START~~ +int +0 +~~END~~ + + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin'); +GO +~~START~~ +int#!#int +1#!#1 +~~END~~ + + +-- tsql +EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_dbsecadmin_u1'; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin'); +GO +~~START~~ +int#!#int +0#!#0 +~~END~~ + + +-- tsql +EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_dbsecadmin_u1'; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin'); +GO +~~START~~ +int#!#int +1#!#1 +~~END~~ + + + +-- tsql +-- CASE 7 - system procedures + -- CASE 7.1 - sp_helpdbfixedrole testcase are covered in respective test Test-sp_helpdbfixedrole file + -- CASE 7.2 - sp_helpuser + -- CASE 7.3 - sp_helprole + -- CASE 7.4 - sp_helprolemember +-- test for helpuser +CREATE TABLE temp_sp_helpuser(RoleName sys.sysname, Role_id int, +Users_in_role sys.sysname, UserID int); +GO + +GRANT INSERT,SELECT ON temp_sp_helpuser TO PUBLIC; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +INSERT INTO temp_sp_helpuser(RoleName, Role_id, Users_in_role, UserID) EXEC sp_helpuser 'db_securityadmin'; +GO +~~ROW COUNT: 1~~ + + +SELECT Rolename, sys.user_name(Role_id), 
Users_in_role, sys.user_name(UserID) FROM temp_sp_helpuser +WHERE Rolename = 'db_securityadmin' ORDER BY Users_in_role; +GO +~~START~~ +varchar#!#nvarchar#!#varchar#!#nvarchar +db_securityadmin#!#db_securityadmin#!#babel_5135_dbsecadmin_u1#!#babel_5135_dbsecadmin_u1 +~~END~~ + + +-- tsql +TRUNCATE TABLE temp_sp_helpuser; +GO + +-- tsql +INSERT INTO temp_sp_helpuser(RoleName, Role_id, Users_in_role, UserID) EXEC sp_helpuser 'db_securityadmin'; +GO +~~ROW COUNT: 1~~ + + +SELECT Rolename, sys.user_name(Role_id), Users_in_role, sys.user_name(UserID) FROM temp_sp_helpuser +WHERE Rolename = 'db_securityadmin' ORDER BY Users_in_role; +GO +~~START~~ +varchar#!#nvarchar#!#varchar#!#nvarchar +db_securityadmin#!#db_securityadmin#!#babel_5135_dbsecadmin_u1#!#babel_5135_dbsecadmin_u1 +~~END~~ + + +-- tsql +DROP TABLE temp_sp_helpuser; +GO + +-- test for sp_helprole +CREATE TABLE temp_sp_helprole(RoleName sys.sysname, RoleId int, IsAppRole int); +GO + +GRANT INSERT,SELECT ON temp_sp_helprole TO PUBLIC; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +INSERT INTO temp_sp_helprole(RoleName, RoleId, IsAppRole) EXEC sp_helprole 'db_securityadmin'; +GO +~~ROW COUNT: 1~~ + + +SELECT RoleName, sys.user_name(RoleId), IsAppRole FROM temp_sp_helprole +WHERE RoleName = 'db_securityadmin'; +GO +~~START~~ +varchar#!#nvarchar#!#int +db_securityadmin#!#db_securityadmin#!#0 +~~END~~ + + +-- tsql +TRUNCATE TABLE temp_sp_helprole; +GO + +-- tsql +INSERT INTO temp_sp_helprole(RoleName, RoleId, IsAppRole) EXEC sp_helprole 'db_securityadmin'; +GO +~~ROW COUNT: 1~~ + + +SELECT RoleName, sys.user_name(RoleId), IsAppRole FROM temp_sp_helprole +WHERE RoleName = 'db_securityadmin'; +GO +~~START~~ +varchar#!#nvarchar#!#int +db_securityadmin#!#db_securityadmin#!#0 +~~END~~ + + +-- tsql +DROP TABLE temp_sp_helprole; +GO + +-- test for temp_sp_helprolemember +CREATE TABLE temp_sp_helprolemember(DbRole sys.sysname, MemberName sys.sysname, MemberSID SYS.VARBINARY(85)); +GO + +GRANT INSERT,SELECT 
ON temp_sp_helprolemember TO PUBLIC; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +INSERT INTO temp_sp_helprolemember(DbRole, MemberName, MemberSID) EXEC sp_helprolemember 'db_securityadmin'; +GO +~~ROW COUNT: 1~~ + + +SELECT DbRole, MemberName FROM temp_sp_helprolemember +WHERE DbRole = 'db_securityadmin' ORDER BY MemberName; +GO +~~START~~ +varchar#!#varchar +db_securityadmin#!#babel_5135_dbsecadmin_u1 +~~END~~ + + +-- tsql +TRUNCATE TABLE temp_sp_helprolemember; +GO + +-- tsql +INSERT INTO temp_sp_helprolemember(DbRole, MemberName, MemberSID) EXEC sp_helprolemember 'db_securityadmin'; +GO +~~ROW COUNT: 1~~ + + +SELECT DbRole, MemberName FROM temp_sp_helprolemember +WHERE DbRole = 'db_securityadmin' ORDER BY MemberName; +GO +~~START~~ +varchar#!#varchar +db_securityadmin#!#babel_5135_dbsecadmin_u1 +~~END~~ + + +-- tsql +DROP TABLE temp_sp_helprolemember; +GO + +-- CASE 8 +USE babel_5135_db1; +GO + +SELECT name, type, type_desc, default_schema_name, is_fixed_role, authentication_type_desc FROM sys.database_principals WHERE NAME = 'db_securityadmin'; +GO +~~START~~ +varchar#!#char#!#nvarchar#!#varchar#!#bit#!#nvarchar +db_securityadmin#!#R#!#DATABASE_ROLE#!##!#1#!# +~~END~~ + + +USE master; +GO + +-- tsql +-- CASE 9 - Restrictions +-- normal tsql login +CREATE LOGIN db_securityadmin_restrictions_login WITH password = '12345678'; +GO + +ALTER SERVER ROLE sysadmin ADD MEMBER db_securityadmin_restrictions_login; +GO + +-- psql +-- normal PG user +CREATE USER db_securityadmin_restrictions_pg_user WITH LOGIN CREATEROLE CREATEDB PASSWORD '12345678' inherit; +go + +-- tsql user=db_securityadmin_restrictions_login password=12345678 +-- a tsql login should not be able to rename/drop db_securityadmin and grant/revoke on it explicitly from tsql port +ALTER ROLE db_securityadmin WITH NAME = db_securityadmin1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the user db_securityadmin)~~ + + +DROP ROLE db_securityadmin; +GO +~~ERROR (Code: 
33557097)~~ + +~~ERROR (Message: Cannot drop the role 'db_securityadmin'.)~~ + + +GRANT SELECT ON babel_5135_schema1.babel_5135_t1 TO db_securityadmin; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ + + +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO db_securityadmin; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ + + +REVOKE SELECT ON babel_5135_schema1.babel_5135_t1 FROM db_securityadmin; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ + + +REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM db_securityadmin; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot grant, deny or revoke permissions to or from special roles.)~~ + + +-- psql user=db_securityadmin_restrictions_login password=12345678 +-- a tsql login should not be able to alter/grant/drop db_securityadmin from pg port +ALTER ROLE master_db_securityadmin NOCREATEROLE; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE master_db_securityadmin WITH PASSWORD '12345678'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE master_db_securityadmin VALID UNTIL 'infinity'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE master_db_securityadmin WITH CONNECTION LIMIT 1; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ 
+ + + +-- GRANT master_db_securityadmin TO db_securityadmin_restrictions_login; +-- GO +GRANT db_securityadmin_restrictions_login TO master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to grant role "db_securityadmin_restrictions_login" + Detail: Only roles with the ADMIN option on role "db_securityadmin_restrictions_login" may grant this role. + Server SQLState: 42501)~~ + + + +-- REVOKE master_db_securityadmin FROM master_dbo; +-- GO +REVOKE master_dbo FROM master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to revoke role "master_dbo" + Detail: Only roles with the ADMIN option on role "master_dbo" may revoke this role. + Server SQLState: 42501)~~ + + +DROP ROLE master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be dropped or altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +SET SESSION AUTHORIZATION master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set session authorization + Server SQLState: 42501)~~ + + +SET ROLE master_db_securityadmin; +GO + +-- psql user=db_securityadmin_restrictions_pg_user password=12345678 +-- a normal psql user should not be able to alter/grant/drop db_securityadmin from pg port +ALTER ROLE master_db_securityadmin NOCREATEROLE; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE master_db_securityadmin WITH PASSWORD '12345678'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE master_db_securityadmin VALID UNTIL 'infinity'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish 
session + Server SQLState: 42501)~~ + + +ALTER ROLE master_db_securityadmin WITH CONNECTION LIMIT 1; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT master_db_securityadmin TO db_securityadmin_restrictions_login; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to grant role "master_db_securityadmin" + Detail: Only roles with the ADMIN option on role "master_db_securityadmin" may grant this role. + Server SQLState: 42501)~~ + + +GRANT db_securityadmin_restrictions_login TO master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to grant role "db_securityadmin_restrictions_login" + Detail: Only roles with the ADMIN option on role "db_securityadmin_restrictions_login" may grant this role. + Server SQLState: 42501)~~ + + +REVOKE master_db_securityadmin FROM master_dbo; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to revoke role "master_db_securityadmin" + Detail: Only roles with the ADMIN option on role "master_db_securityadmin" may revoke this role. + Server SQLState: 42501)~~ + + +REVOKE master_dbo FROM master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to revoke role "master_dbo" + Detail: Only roles with the ADMIN option on role "master_dbo" may revoke this role. 
+ Server SQLState: 42501)~~ + + +DROP ROLE master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be dropped or altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +SET SESSION AUTHORIZATION master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set session authorization + Server SQLState: 42501)~~ + + +SET ROLE master_db_securityadmin; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set role "master_db_securityadmin" + Server SQLState: 42501)~~ + + +-- psql +DROP USER db_securityadmin_restrictions_pg_user; +GO + +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'db_securityadmin_restrictions_login' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +GO +~~START~~ +bool +t +t +~~END~~ + + +-- tsql +DROP LOGIN db_securityadmin_restrictions_login; +GO diff --git a/test/JDBC/expected/single_db/BABEL-2403.out b/test/JDBC/expected/single_db/BABEL-2403.out index 2f20395b10c..08d51c04177 100644 --- a/test/JDBC/expected/single_db/BABEL-2403.out +++ b/test/JDBC/expected/single_db/BABEL-2403.out 
@@ -109,6 +109,12 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext m text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} name#!#pg_catalog#!#proname#!#{"Rule": " in babelfish_function_ext must also exist in pg_proc"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} 
@@ -208,6 +214,12 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext m text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} name#!#pg_catalog#!#proname#!#{"Rule": " in babelfish_function_ext must also exist in pg_proc"} name#!#sys#!#nspname#!#{"Rule": " in babelfish_function_ext must also exist in babelfish_namespace_ext"} diff --git a/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out b/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out index 651c14ea950..f01405e747a 100644 --- a/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out +++ b/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out 
@@ -699,23 +699,27 @@ db_accessadmin#!#db_accessadmin#!##!#db1#!# db_datareader#!#db_datareader#!##!#db1#!# db_datawriter#!#db_datawriter#!##!#db1#!# db_owner#!#db_owner#!##!#db1#!# +db_securityadmin#!#db_securityadmin#!##!#db1#!# dbo#!#dbo#!##!#db1#!#dbo master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ 
@@ -883,18 +887,21 @@ master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ 
@@ -948,23 +955,27 @@ db_accessadmin#!##!#db_accessadmin#!#db1#!# db_datareader#!##!#db_datareader#!#db1#!# db_datawriter#!##!#db_datawriter#!#db1#!# db_owner#!##!#db_owner#!#db1#!# +db_securityadmin#!##!#db_securityadmin#!#db1#!# dbo#!##!#dbo#!#db1#!#dbo master_db_accessadmin#!##!#db_accessadmin#!#master#!# master_db_datareader#!##!#db_datareader#!#master#!# master_db_datawriter#!##!#db_datawriter#!#master#!# master_db_owner#!##!#db_owner#!#master#!# +master_db_securityadmin#!##!#db_securityadmin#!#master#!# master_dbo#!##!#dbo#!#master#!#dbo master_guest#!##!#guest#!#master#!#guest msdb_db_accessadmin#!##!#db_accessadmin#!#msdb#!# msdb_db_datareader#!##!#db_datareader#!#msdb#!# msdb_db_datawriter#!##!#db_datawriter#!#msdb#!# msdb_db_owner#!##!#db_owner#!#msdb#!# +msdb_db_securityadmin#!##!#db_securityadmin#!#msdb#!# msdb_dbo#!##!#dbo#!#msdb#!#dbo msdb_guest#!##!#guest#!#msdb#!#guest tempdb_db_accessadmin#!##!#db_accessadmin#!#tempdb#!# tempdb_db_datareader#!##!#db_datareader#!#tempdb#!# tempdb_db_datawriter#!##!#db_datawriter#!#tempdb#!# tempdb_db_owner#!##!#db_owner#!#tempdb#!# +tempdb_db_securityadmin#!##!#db_securityadmin#!#tempdb#!# tempdb_dbo#!##!#dbo#!#tempdb#!#dbo tempdb_guest#!##!#guest#!#tempdb#!#guest ~~END~~ @@ -982,6 +993,7 @@ db_accessadmin#!# db_datareader#!# db_datawriter#!# db_owner#!# +db_securityadmin#!# INFORMATION_SCHEMA#!# public#!# sys#!# @@ -1016,6 +1028,7 @@ db_accessadmin#!# db_datareader#!# db_datawriter#!# db_owner#!# +db_securityadmin#!# INFORMATION_SCHEMA#!# public#!# sys#!# 
@@ -1157,18 +1170,21 @@ master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ 
@@ -1191,18 +1207,21 @@ master_db_accessadmin#!#db_accessadmin#!##!#master#!# master_db_datareader#!#db_datareader#!##!#master#!# master_db_datawriter#!#db_datawriter#!##!#master#!# master_db_owner#!#db_owner#!##!#master#!# +master_db_securityadmin#!#db_securityadmin#!##!#master#!# master_dbo#!#dbo#!##!#master#!#dbo master_guest#!#guest#!##!#master#!#guest msdb_db_accessadmin#!#db_accessadmin#!##!#msdb#!# msdb_db_datareader#!#db_datareader#!##!#msdb#!# msdb_db_datawriter#!#db_datawriter#!##!#msdb#!# msdb_db_owner#!#db_owner#!##!#msdb#!# +msdb_db_securityadmin#!#db_securityadmin#!##!#msdb#!# msdb_dbo#!#dbo#!##!#msdb#!#dbo msdb_guest#!#guest#!##!#msdb#!#guest tempdb_db_accessadmin#!#db_accessadmin#!##!#tempdb#!# tempdb_db_datareader#!#db_datareader#!##!#tempdb#!# tempdb_db_datawriter#!#db_datawriter#!##!#tempdb#!# tempdb_db_owner#!#db_owner#!##!#tempdb#!# +tempdb_db_securityadmin#!#db_securityadmin#!##!#tempdb#!# tempdb_dbo#!#dbo#!##!#tempdb#!#dbo tempdb_guest#!#guest#!##!#tempdb#!#guest ~~END~~ @@ -1495,6 +1514,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA @@ -1515,6 +1535,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA @@ -1534,6 +1555,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA @@ -1552,6 +1574,7 @@ db_accessadmin db_datareader db_datawriter db_owner +db_securityadmin dbo guest INFORMATION_SCHEMA diff --git a/test/JDBC/expected/single_db/BABEL-USER.out b/test/JDBC/expected/single_db/BABEL-USER.out index c3ce6672b62..a38500e1d7f 100644 --- a/test/JDBC/expected/single_db/BABEL-USER.out +++ b/test/JDBC/expected/single_db/BABEL-USER.out 
@@ -54,23 +54,27 @@ db_accessadmin#!##!#db_accessadmin#!#db1#!# db_datareader#!##!#db_datareader#!#db1#!# db_datawriter#!##!#db_datawriter#!#db1#!# db_owner#!##!#db_owner#!#db1#!# +db_securityadmin#!##!#db_securityadmin#!#db1#!# dbo#!##!#dbo#!#db1#!#dbo master_db_accessadmin#!##!#db_accessadmin#!#master#!# master_db_datareader#!##!#db_datareader#!#master#!# master_db_datawriter#!##!#db_datawriter#!#master#!# master_db_owner#!##!#db_owner#!#master#!# +master_db_securityadmin#!##!#db_securityadmin#!#master#!# master_dbo#!##!#dbo#!#master#!#dbo master_guest#!##!#guest#!#master#!#guest msdb_db_accessadmin#!##!#db_accessadmin#!#msdb#!# msdb_db_datareader#!##!#db_datareader#!#msdb#!# msdb_db_datawriter#!##!#db_datawriter#!#msdb#!# msdb_db_owner#!##!#db_owner#!#msdb#!# +msdb_db_securityadmin#!##!#db_securityadmin#!#msdb#!# msdb_dbo#!##!#dbo#!#msdb#!#dbo msdb_guest#!##!#guest#!#msdb#!#guest tempdb_db_accessadmin#!##!#db_accessadmin#!#tempdb#!# tempdb_db_datareader#!##!#db_datareader#!#tempdb#!# tempdb_db_datawriter#!##!#db_datawriter#!#tempdb#!# tempdb_db_owner#!##!#db_owner#!#tempdb#!# +tempdb_db_securityadmin#!##!#db_securityadmin#!#tempdb#!# tempdb_dbo#!##!#dbo#!#tempdb#!#dbo tempdb_guest#!##!#guest#!#tempdb#!#guest ~~END~~ @@ -88,6 +92,7 @@ db_accessadmin#!# db_datareader#!# db_datawriter#!# db_owner#!# +db_securityadmin#!# INFORMATION_SCHEMA#!# public#!# sys#!# diff --git a/test/JDBC/expected/single_db/Test_rename_db_single-db.out b/test/JDBC/expected/single_db/Test_rename_db_single-db.out index 5a0c7abc7b9..31fd69b3cec 100644 --- a/test/JDBC/expected/single_db/Test_rename_db_single-db.out +++ b/test/JDBC/expected/single_db/Test_rename_db_single-db.out 
@@ -36,6 +36,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 db_datareader#!##!#db_datareader#!#rename_db_database1 db_datawriter#!##!#db_datawriter#!#rename_db_database1 db_owner#!##!#db_owner#!#rename_db_database1 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 @@ -87,6 +88,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 db_datareader#!##!#db_datareader#!#rename_db_database2 db_datawriter#!##!#db_datawriter#!#rename_db_database2 db_owner#!##!#db_owner#!#rename_db_database2 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 @@ -138,6 +140,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 db_datareader#!##!#db_datareader#!#rename_db_database1 db_datawriter#!##!#db_datawriter#!#rename_db_database1 db_owner#!##!#db_owner#!#rename_db_database1 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 @@ -189,6 +192,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 db_datareader#!##!#db_datareader#!#rename_db_database2 db_datawriter#!##!#db_datawriter#!#rename_db_database2 db_owner#!##!#db_owner#!#rename_db_database2 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 
@@ -252,6 +256,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 db_datareader#!##!#db_datareader#!#rename_db_database1 db_datawriter#!##!#db_datawriter#!#rename_db_database1 db_owner#!##!#db_owner#!#rename_db_database1 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 @@ -303,6 +308,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 db_datareader#!##!#db_datareader#!#rename_db_database2 db_datawriter#!##!#db_datawriter#!#rename_db_database2 db_owner#!##!#db_owner#!#rename_db_database2 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 @@ -354,6 +360,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database1 db_datareader#!##!#db_datareader#!#rename_db_database1 db_datawriter#!##!#db_datawriter#!#rename_db_database1 db_owner#!##!#db_owner#!#rename_db_database1 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database1 dbo#!##!#dbo#!#rename_db_database1 rename_db_database1_guest#!##!#guest#!#rename_db_database1 rename_db_database1_rename_db_role1#!##!#rename_db_role1#!#rename_db_database1 @@ -405,6 +412,7 @@ db_accessadmin#!##!#db_accessadmin#!#rename_db_database2 db_datareader#!##!#db_datareader#!#rename_db_database2 db_datawriter#!##!#db_datawriter#!#rename_db_database2 db_owner#!##!#db_owner#!#rename_db_database2 +db_securityadmin#!##!#db_securityadmin#!#rename_db_database2 dbo#!##!#dbo#!#rename_db_database2 rename_db_database2_guest#!##!#guest#!#rename_db_database2 rename_db_database2_rename_db_role1#!##!#rename_db_role1#!#rename_db_database2 
diff --git a/test/JDBC/expected/single_db/datareader_datawriter.out b/test/JDBC/expected/single_db/datareader_datawriter.out index 570128b3df1..4a0dcfa4f5b 100644 --- a/test/JDBC/expected/single_db/datareader_datawriter.out +++ b/test/JDBC/expected/single_db/datareader_datawriter.out @@ -284,7 +284,7 @@ go -- Insert the results of sp_helprole into the temporary table INSERT INTO #UserRoles EXEC sp_helprole; go -~~ROW COUNT: 5~~ +~~ROW COUNT: 6~~ -- Select the desired fields from the temporary table SELECT RoleName, IsAppRole FROM #UserRoles WHERE RoleName IN ('db_datareader', 'db_datawriter'); diff --git a/test/JDBC/input/BABEL-SP_COLUMN_PRIVILEGES.mix b/test/JDBC/input/BABEL-SP_COLUMN_PRIVILEGES.mix index 992ddd6bf95..45f69a0de0f 100644 --- a/test/JDBC/input/BABEL-SP_COLUMN_PRIVILEGES.mix +++ b/test/JDBC/input/BABEL-SP_COLUMN_PRIVILEGES.mix @@ -1,4 +1,4 @@ --- sla 20000 +-- sla 60000 -- sla_for_parallel_query_enforced 20000 -- tsql CREATE DATABASE db1 diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix b/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix new file mode 100644 index 00000000000..94345389f4c --- /dev/null +++ b/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix 
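Review bot: The `-- sla 60000` change in BABEL-SP_COLUMN_PRIVILEGES.mix triples the test's time budget without recording why, and `-- sla_for_parallel_query_enforced 20000` on the next line is left as it was. If the extra time comes from the additional fixed role now created with each database (an inference, the hunk does not say), a short remark in the commit message or a comment such as `-- sla raised: CREATE DATABASE now also creates db_securityadmin` would keep a later slowdown from hiding behind the larger budget. The rest of the file lies outside the hunk.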
@@ -0,0 +1,43 @@
+-- tsql
+USE master
+GO
+DROP DATABASE IF EXISTS babel_5135_db1;
+GO
+DROP ROLE babel_5135_r1;
+GO
+DROP LOGIN babel_5135_l2
+GO
+DROP USER babel_5135_dbsecadmin_u1
+GO
+DROP LOGIN babel_5135_dbsecadmin_l1
+GO
+DROP ROLE babel_5135_dbsecadmin_r1
+GO
+DROP TABLE babel_5135_schema1.babel_5135_t1;
+GO
+DROP VIEW babel_5135_schema1.babel_5135_v1;
+GO
+DROP PROCEDURE babel_5135_schema1.babel_5135_p1;
+GO
+DROP FUNCTION babel_5135_schema1.babel_5135_f1();
+GO
+DROP FUNCTION babel_5135_schema1.babel_5135_tvf1();
+GO
+DROP PROCEDURE babel_5135_roleop_proc1;
+GO
+DROP PROCEDURE babel_5135_roleop_proc2;
+GO
+DROP PROCEDURE babel_5135_roleop_proc3;
+GO
+DROP PROCEDURE babel_5135_schemaop_proc1;
+GO
+DROP PROCEDURE babel_5135_grantop_proc1, babel_5135_revokeop_proc1;
+GO
+DROP SCHEMA babel_5135_schema1;
+GO
+DROP USER babel_5135_u1;
+GO
+DROP LOGIN babel_5135_l1;
+GO
+DROP VIEW babel_5135_show_role_mem;
+GO
diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix b/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix
new file mode 100644
index 00000000000..cb22ffdf6ac
--- /dev/null
+++ b/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix
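Review bot: The three `DROP LOGIN` statements in this cleanup run without first ending sessions that may still be open for those logins, whereas the expected output earlier in this diff (the `db_securityadmin_restrictions_login` test) calls `pg_terminate_backend` first and comments that this is needed before cleaning up the login. If a session opened by the verify file is still connected when cleanup runs (this depends on the harness and is not visible here), the drop would fail and a login with the fixture password would stay on the instance. Consider a `-- psql` step before the drops, `SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) WHERE sys.suser_name(usesysid) IN ('babel_5135_l1', 'babel_5135_l2', 'babel_5135_dbsecadmin_l1') AND backend_type = 'client backend' AND usesysid IS NOT NULL;`, followed by `-- tsql` to switch back.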
@@ -0,0 +1,108 @@
+-- tsql
+create login babel_5135_l1 with password='12345678';
+GO
+
+create user babel_5135_u1 for login babel_5135_l1;
+GO
+
+create role babel_5135_r1;
+GO
+
+create login babel_5135_l2 with password='12345678';
+GO
+
+create login babel_5135_dbsecadmin_l1 with password='12345678';
+GO
+
+create user babel_5135_dbsecadmin_u1 for login babel_5135_dbsecadmin_l1;
+GO
+
+create role babel_5135_dbsecadmin_r1;
+GO
+
+create schema babel_5135_schema1;
+GO
+
+create table babel_5135_schema1.babel_5135_t1(a int, b int);
+GO
+
+create view babel_5135_schema1.babel_5135_v1 as select 1;
+GO
+
+CREATE PROC babel_5135_schema1.babel_5135_p1 AS SELECT 1
+GO
+
+CREATE FUNCTION babel_5135_schema1.babel_5135_f1() RETURNS INT AS BEGIN return 1; END
+GO
+
+CREATE FUNCTION babel_5135_schema1.babel_5135_tvf1() RETURNS TABLE AS RETURN (SELECT a, b FROM babel_5135_schema1.babel_5135_t1);
+GO
+
+CREATE VIEW babel_5135_show_role_mem AS
+SELECT
+roles.name AS RolePrincipalName
+, members.name AS MemberPrincipalName
+FROM sys.database_role_members AS db_role_mems
+INNER JOIN sys.database_principals AS roles
+ ON db_role_mems.role_principal_id = roles.principal_id
+INNER JOIN sys.database_principals AS members
+ ON db_role_mems.member_principal_id = members.principal_id order by MemberPrincipalName;
+GO
+
+CREATE PROCEDURE babel_5135_roleop_proc1 AS BEGIN CREATE ROLE babel_5135_role2; ALTER ROLE babel_5135_role2 WITH NAME = babel_5135_role3; DROP ROLE babel_5135_role3; END
+GO
+CREATE PROCEDURE babel_5135_roleop_proc2 AS BEGIN ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; END
+GO
+CREATE PROCEDURE babel_5135_roleop_proc3 AS BEGIN ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; END
+GO
+CREATE PROCEDURE babel_5135_schemaop_proc1 AS BEGIN CREATE SCHEMA babel_5135_sch11; END
+GO
+CREATE PROCEDURE babel_5135_grantop_proc1 AS BEGIN
+GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1;
+GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1;
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1;
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1;
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1;
+END
+GO
+CREATE PROCEDURE babel_5135_revokeop_proc1 AS BEGIN
+REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1;
+REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1;
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1;
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1;
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1;
+END
+GO
+
+GRANT EXECUTE ON babel_5135_roleop_proc1 TO PUBLIC;
+GO
+GRANT EXECUTE ON babel_5135_roleop_proc2 TO PUBLIC;
+GO
+GRANT EXECUTE ON babel_5135_roleop_proc3 TO PUBLIC;
+GO
+GRANT EXECUTE ON babel_5135_schemaop_proc1 TO PUBLIC;
+GO
+GRANT EXECUTE ON babel_5135_grantop_proc1 TO PUBLIC;
+GO
+GRANT EXECUTE ON babel_5135_revokeop_proc1 TO PUBLIC;
+GO
+
+create database babel_5135_db1
+GO
+
+USE babel_5135_db1;
+GO
+
+create user babel_5135_u1 for login babel_5135_l1;
+GO
+
+CREATE VIEW babel_5135_show_role_mem AS
+SELECT
+roles.name AS RolePrincipalName
+, members.name AS MemberPrincipalName
+FROM sys.database_role_members AS db_role_mems
+INNER JOIN sys.database_principals AS roles
+ ON db_role_mems.role_principal_id = roles.principal_id
+INNER JOIN sys.database_principals AS members
+ ON db_role_mems.member_principal_id = members.principal_id order by MemberPrincipalName;
+GO
\ No newline at end of file
diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix
new file mode 100644
index 00000000000..2f2f15acfc4
--- /dev/null
+++ b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix
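Review bot: The six `GRANT EXECUTE ON ... TO PUBLIC` statements at the end of the procedure block expose procedures that create, rename and drop roles, change role membership, create a schema, and grant or revoke object permissions, and nothing in the file says why PUBLIC is the grantee. Presumably the intent is that a call succeeds only through the caller's own db_securityadmin membership; a comment such as `-- EXECUTE goes to PUBLIC on purpose: the procedures must work only for callers who are members of db_securityadmin` would record that. In the part of the verify file visible here the procedures are called only from the `babel_5135_dbsecadmin_l1` session, so a negative case (`-- tsql user=babel_5135_l1 password=12345678` followed by `EXEC babel_5135_grantop_proc1;`, expected to fail) would pin that the procedure itself confers nothing. The verify hunk continues past the visible lines and may already contain such a case.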
@@ -0,0 +1,776 @@ +-- tsql +-- bbf dump does not dump password so reset the password +ALTER LOGIN babel_5135_l1 WITH PASSWORD='12345678'; +GO + +ALTER LOGIN babel_5135_l2 WITH PASSWORD='12345678'; +GO + +ALTER LOGIN babel_5135_dbsecadmin_l1 WITH PASSWORD='12345678'; +GO + +-- CASE 1 Allowed syntaxes to modify the membership of db_securityadmin + -- CASE 1.1 Validate ALTER ROLE ... ADD/DROP MEMBER + -- CASE 1.2 Validate sp_addrolemember + -- CASE 1.3 Test inside database with truncated name +-- tsql +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_u1; +GO + +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_r1; +GO + +EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_r1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_u1; +GO + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_r1; +GO + +EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_r1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO + +-- CASE 1.3 Test inside database with truncated name +USE babel_5135_db1; +GO + +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_u1; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_u1; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO + +EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO + +EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_u1'; +GO + +SELECT * FROM babel_5135_show_role_mem WHERE RolePrincipalName = 'db_securityadmin'; +GO + +USE master; +GO + +-- CASE 2 - Only members of db_owner should be able to modify the 
membership of db_securityadmin + -- [already covered by CASE 1] CASE 2.1 - Verify members of db_owner can modify the membership + -- CASE 2.2 - Verify that members of db_securityadmin itself can't modify it's own membership +-- tsql +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +-- it should fail +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +ALTER ROLE db_securityadmin ADD MEMBER babel_5135_u1; +GO + +ALTER ROLE db_securityadmin DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +-- CASE 3 - Able to manage database roles + -- CASE 3.1 - CREATE/ALTER/DROP ROLE + -- CASE 3.2 - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked + -- CASE 3.4 - CREATE/ALTER/DROP USER should not be Allowed +-- role created by another user, to test alter/drop on it +-- tsql +CREATE ROLE babel_5135_role1; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +CREATE ROLE babel_5135_role2; +GO + +ALTER ROLE babel_5135_role2 WITH NAME = babel_5135_role3; +GO + +DROP ROLE babel_5135_role3; +GO + +ALTER ROLE babel_5135_role1 WITH NAME = babel_5135_role4; +GO + +DROP ROLE babel_5135_role4; +GO + +-- create/alter/drop role inside procedure +-- execution should be succeeded with no error +EXEC babel_5135_roleop_proc1; +GO + +-- CASE 3.2 - ADD/DROP the membership of user-defined database roles +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; +GO + +-- alter role add member inside procedure +-- execution should be succeeded with no error +-- Add +EXEC babel_5135_roleop_proc2; +GO + +-- Drop +EXEC babel_5135_roleop_proc3; +GO + +-- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked +ALTER ROLE db_accessadmin ADD MEMBER babel_5135_u1; +GO + +ALTER ROLE db_owner ADD MEMBER babel_5135_u1; +GO + +-- CASE 3.4 -- CREATE/ALTER/DROP USER should fail +CREATE 
USER babel_5135_user1 FOR LOGIN babel_5135_l2; +GO + +ALTER USER babel_5135_u1 WITH NAME = babel_5135_dbsecadmin_u2; +GO + +ALTER USER babel_5135_u1 WITH DEFAULT_SCHEMA=dbo; +GO + +DROP USER babel_5135_u1; +GO + +-- CASE 4 - CREATE SCHEMA should be allowed +CREATE SCHEMA babel_5135_sch1; +GO + +CREATE SCHEMA babel_5135_sch2 AUTHORIZATION babel_5135_u1; +GO + +SELECT name, sys.user_name(principal_id) FROM sys.schemas WHERE name IN ('babel_5135_sch1','babel_5135_sch2') ORDER BY name; +GO + +-- granting db_securityadmin to guest and create schema +-- tsql +alter role db_securityadmin add member guest; +GO + +-- tsql user=babel_5135_l2 password=12345678 +select current_user; +GO + +CREATE SCHEMA babel_5135_sch3; +GO + +SELECT name, sys.user_name(principal_id) FROM sys.schemas WHERE name LIKE 'babel_5135_sch3' ORDER BY name; +GO + +DROP SCHEMA babel_5135_sch3; +GO + +-- tsql +alter role db_securityadmin DROP member guest; +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +-- schema creation inside procedure +-- execution should be succeeded with no error +EXEC babel_5135_schemaop_proc1; +GO + +DROP SCHEMA babel_5135_sch11; +GO + +-- ALTER/DROP of unowned schema should not be allowed +-- NOTE: Add testcase when supported +ALTER SCHEMA babel_5135_schema1 TRANSFER t33144; +GO + +DROP SCHEMA babel_5135_schema1; +GO + +DROP SCHEMA babel_5135_sch1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO +DROP SCHEMA babel_5135_sch2; +GO + +-- CASE 5 - GRANT/REVOKE management of permissions + -- CASE 5.1 - Validate GRANT/REVOKE of object/schema privileges + -- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects + -- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively + -- CASE 5.4 - Grant/Revoke should not be allowed for show shared schema or any other database's schema +GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1; 
+GO + +GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; +GO + +GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO + +EXEC babel_5135_schema1.babel_5135_p1; +GO + +SELECT babel_5135_schema1.babel_5135_f1(); +GO + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO + +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; +GO + +REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; +GO + +REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +GO + +-- tsql user=babel_5135_l1 password=12345678 +SELECT current_user; +GO + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1; +INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2); +UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1; +DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2; +GO + +SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1; +GO + +EXEC babel_5135_schema1.babel_5135_p1; +GO + +SELECT babel_5135_schema1.babel_5135_f1(); +GO + +SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); +GO + +-- Testing GRANT inside procedure +-- tsql user=babel_5135_dbsecadmin_l1 password=12345678 +EXEC babel_5135_grantop_proc1; +GO + +-- tsql 
user=babel_5135_l1 password=12345678
+SELECT current_user;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1;
+INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2);
+UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1;
+DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1;
+GO
+
+EXEC babel_5135_schema1.babel_5135_p1;
+GO
+
+SELECT babel_5135_schema1.babel_5135_f1();
+GO
+
+SELECT * FROM babel_5135_schema1.babel_5135_tvf1();
+GO
+
+-- Testing revokes inside procedure
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+EXEC babel_5135_revokeop_proc1;
+GO
+
+-- tsql user=babel_5135_l1 password=12345678
+SELECT current_user;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1;
+INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2);
+UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1;
+DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1;
+GO
+
+EXEC babel_5135_schema1.babel_5135_p1;
+GO
+
+SELECT babel_5135_schema1.babel_5135_f1();
+GO
+
+SELECT * FROM babel_5135_schema1.babel_5135_tvf1();
+GO
+
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO babel_5135_u1;
+GO
+
+-- tsql user=babel_5135_l1 password=12345678
+SELECT current_user;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1;
+INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2);
+UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1;
+DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1;
+GO
+
+EXEC babel_5135_schema1.babel_5135_p1;
+GO
+
+SELECT babel_5135_schema1.babel_5135_f1();
+GO
+
+SELECT * FROM babel_5135_schema1.babel_5135_tvf1();
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM babel_5135_u1;
+GO
+
+-- tsql user=babel_5135_l1 password=12345678
+SELECT current_user;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1;
+INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2);
+UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1;
+DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1;
+GO
+
+EXEC babel_5135_schema1.babel_5135_p1;
+GO
+
+SELECT babel_5135_schema1.babel_5135_f1();
+GO
+
+SELECT * FROM babel_5135_schema1.babel_5135_tvf1();
+GO
+
+-- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+SELECT current_user;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_t1;
+INSERT INTO babel_5135_schema1.babel_5135_t1 VALUES (1,2);
+UPDATE babel_5135_schema1.babel_5135_t1 SET a = 2 WHERE a = 1;
+DELETE FROM babel_5135_schema1.babel_5135_t1 WHERE a = 2;
+GO
+
+SELECT COUNT(*) FROM babel_5135_schema1.babel_5135_v1;
+GO
+
+EXEC babel_5135_schema1.babel_5135_p1;
+GO
+
+SELECT babel_5135_schema1.babel_5135_f1();
+GO
+
+SELECT * FROM babel_5135_schema1.babel_5135_tvf1();
+GO
+
+-- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively
+-- execute GRANT via db_securityadmin member and REVOKE it with object owner
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1;
+GO
+
+GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1;
+GO
+
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1;
+GO
+
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1;
+GO
+
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1;
+GO
+
+-- tsql
+REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1;
+GO
+
+REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1;
+GO
+
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1;
+GO
+
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1;
+GO
+
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1;
+GO
+
+-- execute GRANT as objectowner/dbo
+GRANT SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 TO babel_5135_u1;
+GO
+
+GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1;
+GO
+
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1;
+GO
+
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1;
+GO
+
+GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1;
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1;
+GO
+
+REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1;
+GO
+
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1;
+GO
+
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1;
+GO
+
+REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1;
+GO
+
+-- CASE 5.4 - Grant/Revoke should not be allowed for show shared schema or any other database's schema
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+-- Following error is misleading, will be fixed separately
+GRANT SELECT ON sys.database_principals TO babel_5135_u1;
+GO
+
+REVOKE SELECT ON sys.database_principals FROM babel_5135_u1;
+GO
+
+GRANT SELECT ON pg_catalog.pg_namespace TO babel_5135_u1;
+GO
+
+REVOKE SELECT ON pg_catalog.pg_namespace FROM babel_5135_u1;
+GO
+
+REVOKE SELECT ON babel_5135_db1.dbo.babel_5135_show_role_mem TO babel_5135_u1;
+GO
+
+REVOKE SELECT ON babel_5135_db1.dbo.babel_5135_show_role_mem FROM babel_5135_u1;
+GO
+
+-- CASE 6 - is_member() / is_rolemember() testcases
+-- tsql
+SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin');
+GO
+
+SELECT is_rolemember('db_securityadmin', 'dbo');
+GO
+
+SELECT is_rolemember('db_securityadmin', 'db_owner');
+GO
+
+SELECT is_rolemember('db_securityadmin', 'db_accessadmin');
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin');
+GO
+
+-- tsql
+EXEC sp_droprolemember 'db_securityadmin', 'babel_5135_dbsecadmin_u1';
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin');
+GO
+
+-- tsql
+EXEC sp_addrolemember 'db_securityadmin', 'babel_5135_dbsecadmin_u1';
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+SELECT is_member('db_securityadmin'), is_rolemember('db_securityadmin');
+GO
+
+-- CASE 7 - system procedures
+ -- CASE 7.1 - sp_helpdbfixedrole testcase are covered in respective test Test-sp_helpdbfixedrole file
+ -- CASE 7.2 - sp_helpuser
+ -- CASE 7.3 - sp_helprole
+ -- CASE 7.4 - sp_helprolemember
+
+-- test for helpuser
+-- tsql
+CREATE TABLE temp_sp_helpuser(RoleName sys.sysname, Role_id int,
+Users_in_role sys.sysname, UserID int);
+GO
+
+GRANT INSERT,SELECT ON temp_sp_helpuser TO PUBLIC;
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+INSERT INTO temp_sp_helpuser(RoleName, Role_id, Users_in_role, UserID) EXEC sp_helpuser 'db_securityadmin';
+GO
+
+SELECT Rolename, sys.user_name(Role_id), Users_in_role, sys.user_name(UserID) FROM temp_sp_helpuser
+WHERE Rolename = 'db_securityadmin' ORDER BY Users_in_role;
+GO
+
+-- tsql
+TRUNCATE TABLE temp_sp_helpuser;
+GO
+
+-- tsql
+INSERT INTO temp_sp_helpuser(RoleName, Role_id, Users_in_role, UserID) EXEC sp_helpuser 'db_securityadmin';
+GO
+
+SELECT Rolename, sys.user_name(Role_id), Users_in_role, sys.user_name(UserID) FROM temp_sp_helpuser
+WHERE Rolename = 'db_securityadmin' ORDER BY Users_in_role;
+GO
+
+-- tsql
+DROP TABLE temp_sp_helpuser;
+GO
+
+-- test for sp_helprole
+CREATE TABLE temp_sp_helprole(RoleName sys.sysname, RoleId int, IsAppRole int);
+GO
+
+GRANT INSERT,SELECT ON temp_sp_helprole TO PUBLIC;
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+INSERT INTO temp_sp_helprole(RoleName, RoleId, IsAppRole) EXEC sp_helprole 'db_securityadmin';
+GO
+
+SELECT RoleName, sys.user_name(RoleId), IsAppRole FROM temp_sp_helprole
+WHERE RoleName = 'db_securityadmin';
+GO
+
+-- tsql
+TRUNCATE TABLE temp_sp_helprole;
+GO
+
+-- tsql
+INSERT INTO temp_sp_helprole(RoleName, RoleId, IsAppRole) EXEC sp_helprole 'db_securityadmin';
+GO
+
+SELECT RoleName, sys.user_name(RoleId), IsAppRole FROM temp_sp_helprole
+WHERE RoleName = 'db_securityadmin';
+GO
+
+-- tsql
+DROP TABLE temp_sp_helprole;
+GO
+
+-- test for temp_sp_helprolemember
+CREATE TABLE temp_sp_helprolemember(DbRole sys.sysname, MemberName sys.sysname, MemberSID SYS.VARBINARY(85));
+GO
+
+GRANT INSERT,SELECT ON temp_sp_helprolemember TO PUBLIC;
+GO
+
+-- tsql user=babel_5135_dbsecadmin_l1 password=12345678
+INSERT INTO temp_sp_helprolemember(DbRole, MemberName, MemberSID) EXEC sp_helprolemember 'db_securityadmin';
+GO
+
+SELECT DbRole, MemberName FROM temp_sp_helprolemember
+WHERE DbRole = 'db_securityadmin' ORDER BY MemberName;
+GO
+
+-- tsql
+TRUNCATE TABLE temp_sp_helprolemember;
+GO
+
+-- tsql
+INSERT INTO temp_sp_helprolemember(DbRole, MemberName, MemberSID) EXEC sp_helprolemember 'db_securityadmin';
+GO
+
+SELECT DbRole, MemberName FROM temp_sp_helprolemember
+WHERE DbRole = 'db_securityadmin' ORDER BY MemberName;
+GO
+
+-- tsql
+DROP TABLE temp_sp_helprolemember;
+GO
+
+-- CASE 8
+USE babel_5135_db1;
+GO
+
+SELECT name, type, type_desc, default_schema_name, is_fixed_role, authentication_type_desc FROM sys.database_principals WHERE NAME = 'db_securityadmin';
+GO
+
+USE master;
+GO
+
+-- CASE 9 - Restrictions
+-- tsql
+-- normal tsql login
+CREATE LOGIN db_securityadmin_restrictions_login WITH password = '12345678';
+GO
+
+ALTER SERVER ROLE sysadmin ADD MEMBER db_securityadmin_restrictions_login;
+GO
+
+-- psql
+-- normal PG user
+CREATE USER db_securityadmin_restrictions_pg_user WITH LOGIN CREATEROLE CREATEDB PASSWORD '12345678' inherit;
+go
+
+-- tsql user=db_securityadmin_restrictions_login password=12345678
+-- a tsql login should not be able to rename/drop db_securityadmin and grant/revoke on it explicitly from tsql port
+ALTER ROLE db_securityadmin WITH NAME = db_securityadmin1;
+GO
+
+DROP ROLE db_securityadmin;
+GO
+
+GRANT SELECT ON babel_5135_schema1.babel_5135_t1 TO db_securityadmin;
+GO
+
+GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO db_securityadmin;
+GO
+
+REVOKE SELECT ON babel_5135_schema1.babel_5135_t1 FROM db_securityadmin;
+GO
+
+REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM db_securityadmin;
+GO
+
+-- psql user=db_securityadmin_restrictions_login password=12345678
+-- a tsql login should not be able to alter/grant/drop db_securityadmin from pg port
+ALTER ROLE master_db_securityadmin NOCREATEROLE;
+GO
+
+ALTER ROLE master_db_securityadmin WITH PASSWORD '12345678';
+GO
+
+ALTER ROLE master_db_securityadmin VALID UNTIL 'infinity';
+GO
+
+ALTER ROLE master_db_securityadmin WITH CONNECTION LIMIT 1;
+GO
+
+-- GRANT master_db_securityadmin TO db_securityadmin_restrictions_login;
+-- GO
+
+GRANT db_securityadmin_restrictions_login TO master_db_securityadmin;
+GO
+
+-- REVOKE master_db_securityadmin FROM master_dbo;
+-- GO
+
+REVOKE master_dbo FROM master_db_securityadmin;
+GO
+
+DROP ROLE master_db_securityadmin;
+GO
+
+SET SESSION AUTHORIZATION master_db_securityadmin;
+GO
+
+SET ROLE master_db_securityadmin;
+GO
+
+-- psql user=db_securityadmin_restrictions_pg_user password=12345678
+-- a normal psql user should not be able to alter/grant/drop db_securityadmin from pg port
+ALTER ROLE master_db_securityadmin NOCREATEROLE;
+GO
+
+ALTER ROLE master_db_securityadmin WITH PASSWORD '12345678';
+GO
+
+ALTER ROLE master_db_securityadmin VALID UNTIL 'infinity';
+GO
+
+ALTER ROLE master_db_securityadmin WITH CONNECTION LIMIT 1;
+GO
+
+GRANT master_db_securityadmin TO db_securityadmin_restrictions_login;
+GO
+
+GRANT db_securityadmin_restrictions_login TO master_db_securityadmin;
+GO
+
+REVOKE master_db_securityadmin FROM master_dbo;
+GO
+
+REVOKE master_dbo FROM master_db_securityadmin;
+GO
+
+DROP ROLE master_db_securityadmin;
+GO
+
+SET SESSION AUTHORIZATION master_db_securityadmin;
+GO
+
+SET ROLE master_db_securityadmin;
+GO
+
+-- psql
+DROP USER db_securityadmin_restrictions_pg_user;
+GO
+
+-- Need to terminate active session before cleaning up the login
+SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL)
+WHERE sys.suser_name(usesysid) = 'db_securityadmin_restrictions_login' AND backend_type = 'client backend' AND usesysid IS NOT NULL;
+GO
+
+-- tsql
+DROP LOGIN db_securityadmin_restrictions_login;
+GO
diff --git a/test/JDBC/upgrade/14_10/schedule b/test/JDBC/upgrade/14_10/schedule
index efad13582d3..6e8adb66b90 100644
--- a/test/JDBC/upgrade/14_10/schedule
+++ b/test/JDBC/upgrade/14_10/schedule
@@ -466,8 +466,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_11/schedule b/test/JDBC/upgrade/14_11/schedule
index bbe388e57f2..7bd8552b425 100644
--- a/test/JDBC/upgrade/14_11/schedule
+++ b/test/JDBC/upgrade/14_11/schedule
@@ -464,8 +464,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_12/schedule b/test/JDBC/upgrade/14_12/schedule
index 0dd57908c75..4606e828bd5 100644
--- a/test/JDBC/upgrade/14_12/schedule
+++ b/test/JDBC/upgrade/14_12/schedule
@@ -465,6 +465,7 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
diff --git a/test/JDBC/upgrade/14_13/schedule b/test/JDBC/upgrade/14_13/schedule
index 9f443d50e19..d54080c6383 100644
--- a/test/JDBC/upgrade/14_13/schedule
+++ b/test/JDBC/upgrade/14_13/schedule
@@ -465,8 +465,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_14/schedule b/test/JDBC/upgrade/14_14/schedule
index 9f443d50e19..d54080c6383 100644
--- a/test/JDBC/upgrade/14_14/schedule
+++ b/test/JDBC/upgrade/14_14/schedule
@@ -465,8 +465,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_3/schedule b/test/JDBC/upgrade/14_3/schedule
index 9eb61e037fc..a925aa65bf4 100644
--- a/test/JDBC/upgrade/14_3/schedule
+++ b/test/JDBC/upgrade/14_3/schedule
@@ -386,6 +386,7 @@ binary-datatype-operators
 BABEL-5059-before-14_7-or-15_2
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
diff --git a/test/JDBC/upgrade/14_5/schedule b/test/JDBC/upgrade/14_5/schedule
index 9af527dbc42..6b1c9fd83d5 100644
--- a/test/JDBC/upgrade/14_5/schedule
+++ b/test/JDBC/upgrade/14_5/schedule
@@ -397,8 +397,8 @@ binary-datatype-operators
 BABEL-5059-before-14_7-or-15_2
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_6/schedule b/test/JDBC/upgrade/14_6/schedule
index eca1396dfdf..06477d4b09b 100644
--- a/test/JDBC/upgrade/14_6/schedule
+++ b/test/JDBC/upgrade/14_6/schedule
@@ -434,8 +434,8 @@ binary-datatype-operators
 BABEL-5059-before-14_7-or-15_2
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_7/schedule b/test/JDBC/upgrade/14_7/schedule
index 963256d830e..a903a05059f 100644
--- a/test/JDBC/upgrade/14_7/schedule
+++ b/test/JDBC/upgrade/14_7/schedule
@@ -456,8 +456,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_8/schedule b/test/JDBC/upgrade/14_8/schedule
index 7ea5ce34a6e..6255927f65b 100644
--- a/test/JDBC/upgrade/14_8/schedule
+++ b/test/JDBC/upgrade/14_8/schedule
@@ -458,8 +458,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/14_9/schedule b/test/JDBC/upgrade/14_9/schedule
index 0c0a5492409..41dc70e92c3 100644
--- a/test/JDBC/upgrade/14_9/schedule
+++ b/test/JDBC/upgrade/14_9/schedule
@@ -461,8 +461,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/15_1/schedule b/test/JDBC/upgrade/15_1/schedule
index e21d500f505..dcfcf5d32a4 100644
--- a/test/JDBC/upgrade/15_1/schedule
+++ b/test/JDBC/upgrade/15_1/schedule
@@ -434,8 +434,8 @@ binary-datatype-operators
 BABEL-5059-before-14_7-or-15_2
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/15_2/schedule b/test/JDBC/upgrade/15_2/schedule
index 682076a6123..9e678ef19a4 100644
--- a/test/JDBC/upgrade/15_2/schedule
+++ b/test/JDBC/upgrade/15_2/schedule
@@ -469,8 +469,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/15_3/schedule b/test/JDBC/upgrade/15_3/schedule
index f0578957a80..0ca4f46b495 100644
--- a/test/JDBC/upgrade/15_3/schedule
+++ b/test/JDBC/upgrade/15_3/schedule
@@ -488,8 +488,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/15_4/schedule b/test/JDBC/upgrade/15_4/schedule
index cbb7707748f..66e8f436387 100644
--- a/test/JDBC/upgrade/15_4/schedule
+++ b/test/JDBC/upgrade/15_4/schedule
@@ -501,8 +501,8 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/15_5/schedule b/test/JDBC/upgrade/15_5/schedule
index feb62ea50e8..73bbc1b8754 100644
--- a/test/JDBC/upgrade/15_5/schedule
+++ b/test/JDBC/upgrade/15_5/schedule
@@ -532,6 +532,7 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 dbcreator_role
diff --git a/test/JDBC/upgrade/15_6/schedule b/test/JDBC/upgrade/15_6/schedule
index 01e667baf42..b3b3fa23c17 100644
--- a/test/JDBC/upgrade/15_6/schedule
+++ b/test/JDBC/upgrade/15_6/schedule
@@ -548,6 +548,7 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 dbcreator_role
diff --git a/test/JDBC/upgrade/15_7/schedule b/test/JDBC/upgrade/15_7/schedule
index 18493e11a39..3b2bcb6d1d3 100644
--- a/test/JDBC/upgrade/15_7/schedule
+++ b/test/JDBC/upgrade/15_7/schedule
@@ -555,6 +555,7 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 GRANT_SCHEMA-before-15_9-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
diff --git a/test/JDBC/upgrade/15_8/schedule b/test/JDBC/upgrade/15_8/schedule
index d6c4f4af935..7ef17229983 100644
--- a/test/JDBC/upgrade/15_8/schedule
+++ b/test/JDBC/upgrade/15_8/schedule
@@ -546,6 +546,7 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 GRANT_SCHEMA-before-15_9-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
diff --git a/test/JDBC/upgrade/15_9/schedule b/test/JDBC/upgrade/15_9/schedule
index a231afdfd3c..1d231de0f5c 100644
--- a/test/JDBC/upgrade/15_9/schedule
+++ b/test/JDBC/upgrade/15_9/schedule
@@ -550,6 +550,7 @@ xml_exist-before-16_5
 BABEL-5119
 dbcreator_role
 db_accessadmin
+db_securityadmin
 BABEL-CASE_EXPR
 datareader_datawriter
 BABEL-5186
diff --git a/test/JDBC/upgrade/16_1/schedule b/test/JDBC/upgrade/16_1/schedule
index 2482bba65ff..3084dd9e609 100644
--- a/test/JDBC/upgrade/16_1/schedule
+++ b/test/JDBC/upgrade/16_1/schedule
@@ -541,10 +541,10 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 securityadmin_role
 dbcreator_role
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 datareader_datawriter
 BABEL-5186
-
diff --git a/test/JDBC/upgrade/16_2/schedule b/test/JDBC/upgrade/16_2/schedule
index 76258405e71..a88d2df4f3d 100644
--- a/test/JDBC/upgrade/16_2/schedule
+++ b/test/JDBC/upgrade/16_2/schedule
@@ -557,6 +557,7 @@ BABEL-5059
 cast-varchar-to-time
 dbcreator_role
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 BABEL-5186
diff --git a/test/JDBC/upgrade/16_3/schedule b/test/JDBC/upgrade/16_3/schedule
index 604d75627aa..dfaa7850b0b 100644
--- a/test/JDBC/upgrade/16_3/schedule
+++ b/test/JDBC/upgrade/16_3/schedule
@@ -559,6 +559,7 @@ binary-datatype-operators
 BABEL-5059
 cast-varchar-to-time
 db_accessadmin
+db_securityadmin
 xml_exist-before-16_5
 GRANT_SCHEMA-before-15_9-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
diff --git a/test/JDBC/upgrade/16_4/schedule b/test/JDBC/upgrade/16_4/schedule
index 47d51980343..f8571b3a95b 100644
--- a/test/JDBC/upgrade/16_4/schedule
+++ b/test/JDBC/upgrade/16_4/schedule
@@ -572,6 +572,7 @@ cast-varchar-to-time
 xml_exist-before-16_5
 BABEL-5119
 db_accessadmin
+db_securityadmin
 GRANT_SCHEMA-before-15_9-16_5
 BABEL-CASE_EXPR-before-16_5-or-15_9
 dbcreator_role
diff --git a/test/JDBC/upgrade/latest/schedule b/test/JDBC/upgrade/latest/schedule
index d6fa07d9c6d..50292572b84 100644
--- a/test/JDBC/upgrade/latest/schedule
+++ b/test/JDBC/upgrade/latest/schedule
@@ -581,7 +581,7 @@ BABEL-5119
 dbcreator_role
 BABEL-5129
 db_accessadmin
+db_securityadmin
 BABEL-CASE_EXPR
 BABEL-5186
 datareader_datawriter
-