From 79927790c57b6aff577afe0f3b3c321d67ffa599 Mon Sep 17 00:00:00 2001 From: ANJU BHARTI Date: Fri, 25 Oct 2024 11:36:51 +0000 Subject: [PATCH] Support for fixed server role dbcreator (#65) This role has following privileges with it: Members of the dbcreator fixed server role can 1. Create database 2. Alter database (if has access to that database, i.e either owner of the database or has mapped user in it) 3. Drop any database. Engine PR : https://github.com/amazon-aurora/postgresql_modified_for_babelfish/pull/93 Issues Resolved [BABEL-5115] By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. Signed-off-by: ANJU BHARTI --- .../src/backend/tds/tdsutils.c | 45 +- contrib/babelfishpg_tds/src/include/tds_int.h | 7 + .../babelfishpg_tsql/sql/babelfishpg_tsql.sql | 22 +- contrib/babelfishpg_tsql/sql/ownership.sql | 7 +- .../babelfishpg_tsql--4.3.0--4.4.0.sql | 87 +- .../src/backend_parser/gram-tsql-epilogue.y.c | 2 +- contrib/babelfishpg_tsql/src/catalog.c | 18 +- contrib/babelfishpg_tsql/src/catalog.h | 11 + contrib/babelfishpg_tsql/src/dbcmds.c | 16 +- contrib/babelfishpg_tsql/src/pl_handler.c | 104 +- contrib/babelfishpg_tsql/src/rolecmds.c | 29 +- contrib/babelfishpg_tsql/src/rolecmds.h | 1 + test/JDBC/expected/BABEL-2403.out | 4 + test/JDBC/expected/BABEL-LOGIN-USER-EXT.out | 10 +- .../expected/dbcreator_role-vu-cleanup.out | 66 + .../expected/dbcreator_role-vu-prepare.out | 92 ++ .../expected/dbcreator_role-vu-verify.out | 1338 +++++++++++++++++ .../expected/is_srvrolemember-vu-verify.out | 2 +- test/JDBC/expected/is_srvrolemember.out | 2 +- .../permission_restrictions_from_pg.out | 12 +- .../securityadmin_role-vu-cleanup.out | 3 + .../securityadmin_role-vu-prepare.out | 5 + .../expected/securityadmin_role-vu-verify.out | 48 + test/JDBC/expected/single_db/BABEL-2403.out | 4 + .../single_db/BABEL-LOGIN-USER-EXT.out | 10 +- .../sys-server_principals-vu-verify.out | 1 + .../test_windows_login-vu-prepare.out | 1 + test/JDBC/input/dbcreator_role-vu-cleanup.mix | 66 + test/JDBC/input/dbcreator_role-vu-prepare.mix | 92 ++ test/JDBC/input/dbcreator_role-vu-verify.mix | 756 ++++++++++ .../input/securityadmin_role-vu-cleanup.mix | 3 + .../input/securityadmin_role-vu-prepare.mix | 5 + .../input/securityadmin_role-vu-verify.mix | 26 + .../input/test_windows_login-vu-prepare.mix | 3 +- test/JDBC/upgrade/15_5/schedule | 1 + test/JDBC/upgrade/15_6/schedule | 1 + test/JDBC/upgrade/15_7/schedule | 1 + test/JDBC/upgrade/15_8/schedule | 1 + test/JDBC/upgrade/15_9/schedule | 1 + test/JDBC/upgrade/16_1/schedule | 1 + test/JDBC/upgrade/16_2/schedule | 1 + test/JDBC/upgrade/16_3/schedule | 1 + test/JDBC/upgrade/16_4/schedule | 1 + test/JDBC/upgrade/latest/schedule | 1 + 44 files changed, 2791 insertions(+), 117 deletions(-) create mode 100644 test/JDBC/expected/dbcreator_role-vu-cleanup.out create mode 100644 test/JDBC/expected/dbcreator_role-vu-prepare.out create mode 100644 test/JDBC/expected/dbcreator_role-vu-verify.out create mode 100644 test/JDBC/input/dbcreator_role-vu-cleanup.mix create mode 100644 test/JDBC/input/dbcreator_role-vu-prepare.mix create mode 100644 test/JDBC/input/dbcreator_role-vu-verify.mix diff --git a/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c b/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c index 01e9c5a465..58585d5dbc 100644 --- a/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c +++ b/contrib/babelfishpg_tds/src/backend/tds/tdsutils.c @@ -68,6 +68,18 @@ static bool handle_dropdb(DropdbStmt *dropdb_stmt); static char *get_role_name(RoleSpec *role); char *get_rolespec_name_internal(const RoleSpec *role, bool missing_ok); +static Oid bbf_admin_oid = InvalidOid; + +/* Returns OID of bbf_role_admin server role */ +static Oid +get_bbf_role_admin_oid(void) +{ + if (!OidIsValid(bbf_admin_oid)) + bbf_admin_oid = get_role_oid(BABELFISH_ROLE_ADMIN, false); + return bbf_admin_oid; +} + + /* * GetUTF8CodePoint - extract the next Unicode code point from 1..4 * bytes at 'in' in UTF-8 encoding. @@ -893,19 +905,15 @@ get_rolespec_name_internal(const RoleSpec *role, bool missing_ok) static void check_babelfish_droprole_restrictions(char *role) { - Oid bbf_role_admin_oid = InvalidOid; - if (MyProcPort->is_tds_conn && sql_dialect == SQL_DIALECT_TSQL) return; - bbf_role_admin_oid = get_role_oid(BABELFISH_ROLE_ADMIN, false); - /* * Allow DROP ROLE if current user is bbf_role_admin as we need * to allow remove_babelfish from PG endpoint. It is safe * since only superusers can assume this role. */ - if (bbf_role_admin_oid == GetUserId()) + if (get_bbf_role_admin_oid() == GetUserId()) return; if (is_babelfish_role(role)) @@ -939,17 +947,21 @@ is_babelfish_role(const char *role) Oid bbf_master_guest_oid; Oid bbf_tempdb_guest_oid; Oid bbf_msdb_guest_oid; - Oid securityadmin_oid; + Oid securityadmin; + Oid dbcreator; sysadmin_oid = get_role_oid(BABELFISH_SYSADMIN, true); /* missing OK */ role_oid = get_role_oid(role, true); /* missing OK */ - securityadmin_oid = get_role_oid(BABELFISH_SECURITYADMIN, true); /* missing OK */ + securityadmin = get_role_oid(BABELFISH_SECURITYADMIN, true); /* missing OK */ + dbcreator = get_role_oid(BABELFISH_DBCREATOR, true); /* missing OK */ - if (!OidIsValid(sysadmin_oid) || !OidIsValid(role_oid)) + if (!OidIsValid(sysadmin_oid) || !OidIsValid(role_oid) + || !OidIsValid(securityadmin) || !OidIsValid(dbcreator)) return false; if (is_member_of_role(sysadmin_oid, role_oid) || - is_member_of_role(securityadmin_oid, role_oid) || + is_member_of_role(securityadmin, role_oid) || + is_member_of_role(dbcreator, role_oid) || pg_strcasecmp(role, BABELFISH_ROLE_ADMIN) == 0) /* check if it is bbf_role_admin */ return true; @@ -1206,24 +1218,20 @@ static bool handle_grant_role(GrantRoleStmt *grant_stmt) { ListCell *item; - Oid bbf_role_admin_oid = InvalidOid; - Oid securityadmin_oid = InvalidOid; if (MyProcPort->is_tds_conn && sql_dialect == SQL_DIALECT_TSQL) return true; - bbf_role_admin_oid = get_role_oid(BABELFISH_ROLE_ADMIN, false); - securityadmin_oid = get_role_oid(BABELFISH_SECURITYADMIN, false); /* * Allow GRANT ROLE if current user is bbf_role_admin as we need * to allow initialise_babelfish from PG endpoint. It is safe * since only superusers can assume this role. */ - if (bbf_role_admin_oid == GetUserId()) + if (get_bbf_role_admin_oid() == GetUserId()) return true; - /* Restrict roles to added as a member of bbf_role_admin/securityadmin */ + /* Restrict roles to added as a member of BBF default server roles */ foreach(item, grant_stmt->granted_roles) { AccessPriv *priv = (AccessPriv *) lfirst(item); @@ -1234,18 +1242,19 @@ handle_grant_role(GrantRoleStmt *grant_stmt) continue; roleid = get_role_oid(rolename, false); - if (OidIsValid(roleid) && (roleid == bbf_role_admin_oid || roleid == securityadmin_oid)) + if (OidIsValid(roleid) && IS_DEFAULT_BBF_SERVER_ROLE(rolename)) check_babelfish_alterrole_restictions(false); } - /* Restrict grant to/from bbf_role_admin/securityadmin role */ + /* Restrict grant to/from bbf_role_admin, securityadmin or dbcreator role */ + foreach(item, grant_stmt->grantee_roles) { RoleSpec *rolespec = lfirst_node(RoleSpec, item); Oid roleid; roleid = get_rolespec_oid(rolespec, false); - if (OidIsValid(roleid) && (roleid == bbf_role_admin_oid || roleid == securityadmin_oid)) + if (OidIsValid(roleid) && IS_DEFAULT_BBF_SERVER_ROLE(rolespec->rolename)) check_babelfish_alterrole_restictions(false); } diff --git a/contrib/babelfishpg_tds/src/include/tds_int.h b/contrib/babelfishpg_tds/src/include/tds_int.h index 30894728d7..a51c1ab82a 100644 --- a/contrib/babelfishpg_tds/src/include/tds_int.h +++ b/contrib/babelfishpg_tds/src/include/tds_int.h @@ -257,6 +257,13 @@ extern ProcessUtility_hook_type next_ProcessUtility; #define BABELFISH_SYSADMIN "sysadmin" #define BABELFISH_ROLE_ADMIN "bbf_role_admin" #define BABELFISH_SECURITYADMIN "securityadmin" +#define BABELFISH_DBCREATOR "dbcreator" + +#define IS_DEFAULT_BBF_SERVER_ROLE(rolename) \ + ((strlen(rolename) == 13 && strncmp(rolename, BABELFISH_SECURITYADMIN, 13) == 0) || \ + (strlen(rolename) == 14 && strncmp(rolename, BABELFISH_ROLE_ADMIN, 14) == 0) || \ + (strlen(rolename) == 9 && strncmp(rolename, BABELFISH_DBCREATOR, 9) == 0) || \ + (strlen(rolename) == 8 && strncmp(rolename, BABELFISH_SYSADMIN, 8) == 0)) /* Functions in backend/tds/tdscomm.c */ extern void TdsSetMessageType(uint8_t msgType); diff --git a/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql b/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql index 0a6a567cad..8b4ae717e3 100644 --- a/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql +++ b/contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql @@ -2049,13 +2049,13 @@ DECLARE login_valid BOOLEAN; BEGIN role := TRIM(trailing from LOWER(role)); login := TRIM(trailing from LOWER(login)); - + login_valid = (login = suser_name() COLLATE sys.database_default) OR (EXISTS (SELECT name FROM sys.server_principals WHERE LOWER(name) = login COLLATE sys.database_default - AND type = 'S')); + AND type IN ('S', 'R'))); IF NOT login_valid THEN RETURN NULL; @@ -2063,8 +2063,10 @@ BEGIN ELSIF role = 'public' COLLATE sys.database_default THEN RETURN 1; - ELSIF role = 'sysadmin' COLLATE sys.database_default OR role = 'securityadmin' COLLATE sys.database_default THEN - has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') OR pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER')); + ELSIF role COLLATE sys.database_default IN ('sysadmin', 'securityadmin', 'dbcreator') THEN + has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') + OR ((login COLLATE sys.database_default NOT IN ('sysadmin', 'securityadmin', 'dbcreator')) + AND pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER'))); IF has_role THEN RETURN 1; ELSE @@ -2075,7 +2077,6 @@ BEGIN 'serveradmin', 'setupadmin', 'processadmin', - 'dbcreator', 'diskadmin', 'bulkadmin') THEN RETURN 0; @@ -2324,8 +2325,8 @@ BEGIN OR lower(rolname) = lower(RTRIM(@srvrolename))) AND type = 'R') OR lower(RTRIM(@srvrolename)) IN ( - 'serveradmin', 'setupadmin', 'securityadmin', 'processadmin', - 'dbcreator', 'diskadmin', 'bulkadmin') + 'serveradmin', 'setupadmin', 'processadmin', + 'diskadmin', 'bulkadmin') BEGIN SELECT CAST(Ext1.rolname AS sys.SYSNAME) AS 'ServerRole', CAST(Ext2.rolname AS sys.SYSNAME) AS 'MemberName', @@ -2442,7 +2443,12 @@ CAST(0 AS INT) AS serveradmin, CAST(0 AS INT) AS setupadmin, CAST(0 AS INT) AS processadmin, CAST(0 AS INT) AS diskadmin, -CAST(0 AS INT) AS dbcreator, +CAST( + CASE + WHEN is_srvrolemember('dbcreator', Base.name) = 1 THEN 1 + ELSE 0 + END +AS INT) AS dbcreator, CAST(0 AS INT) AS bulkadmin FROM sys.server_principals AS Base WHERE Base.type in ('S', 'U'); diff --git a/contrib/babelfishpg_tsql/sql/ownership.sql b/contrib/babelfishpg_tsql/sql/ownership.sql index 078e32d1d4..fe902ff840 100644 --- a/contrib/babelfishpg_tsql/sql/ownership.sql +++ b/contrib/babelfishpg_tsql/sql/ownership.sql @@ -259,7 +259,7 @@ CREATE OR REPLACE PROCEDURE initialize_babelfish ( sa_name VARCHAR(128) ) LANGUAGE plpgsql AS $$ DECLARE - reserved_roles varchar[] := ARRAY['sysadmin', 'securityadmin', + reserved_roles varchar[] := ARRAY['sysadmin', 'securityadmin', 'dbcreator', 'master_dbo', 'master_guest', 'master_db_owner', 'master_db_accessadmin', 'master_db_datareader', 'master_db_datawriter', 'tempdb_dbo', 'tempdb_guest', 'tempdb_db_owner', 'tempdb_db_accessadmin', 'tempdb_db_datareader', 'tempdb_db_datawriter', 'msdb_dbo', 'msdb_guest', 'msdb_db_owner', 'msdb_db_accessadmin', 'msdb_db_datareader', 'msdb_db_datawriter']; @@ -290,12 +290,14 @@ BEGIN END IF; EXECUTE format('CREATE ROLE securityadmin CREATEROLE INHERIT PASSWORD NULL'); + EXECUTE format('CREATE ROLE dbcreator CREATEDB INHERIT PASSWORD NULL'); EXECUTE format('CREATE ROLE bbf_role_admin CREATEDB CREATEROLE INHERIT PASSWORD NULL'); EXECUTE format('GRANT CREATE ON DATABASE %s TO bbf_role_admin WITH GRANT OPTION', CURRENT_DATABASE()); EXECUTE format('GRANT %I to bbf_role_admin WITH ADMIN TRUE;', sa_name); EXECUTE format('CREATE ROLE sysadmin CREATEDB CREATEROLE INHERIT ROLE %I', sa_name); EXECUTE format('GRANT sysadmin TO bbf_role_admin WITH ADMIN TRUE'); EXECUTE format('GRANT securityadmin TO bbf_role_admin WITH ADMIN TRUE'); + EXECUTE format('GRANT dbcreator TO bbf_role_admin WITH ADMIN TRUE'); EXECUTE format('GRANT USAGE, SELECT ON SEQUENCE sys.babelfish_partition_function_seq TO sysadmin WITH GRANT OPTION'); EXECUTE format('GRANT USAGE, SELECT ON SEQUENCE sys.babelfish_partition_scheme_seq TO sysadmin WITH GRANT OPTION'); EXECUTE format('GRANT USAGE, SELECT ON SEQUENCE sys.babelfish_db_seq TO sysadmin WITH GRANT OPTION'); @@ -306,6 +308,7 @@ BEGIN CALL sys.babel_initialize_logins('sysadmin'); CALL sys.babel_initialize_logins('bbf_role_admin'); CALL sys.babel_initialize_logins('securityadmin'); + CALL sys.babel_initialize_logins('dbcreator'); CALL sys.babel_create_builtin_dbs(sa_name); CALL sys.initialize_babel_extras(); -- run analyze for all babelfish catalog @@ -329,6 +332,8 @@ BEGIN DROP ROLE bbf_role_admin; DROP OWNED BY securityadmin; DROP ROLE securityadmin; + DROP OWNED BY dbcreator; + DROP ROLE dbcreator; END $$; diff --git a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql index 0aa3bfd4f4..21ca498af7 100644 --- a/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql +++ b/contrib/babelfishpg_tsql/sql/upgrades/babelfishpg_tsql--4.3.0--4.4.0.sql @@ -82,17 +82,22 @@ DROP PROCEDURE sys.create_db_roles_during_upgrade(); DO LANGUAGE plpgsql $$ -DECLARE securityadmin TEXT; +DECLARE + existing_server_roles TEXT; BEGIN - IF EXISTS ( - SELECT FROM pg_catalog.pg_roles - WHERE rolname = 'securityadmin') - THEN - RAISE EXCEPTION 'Role "securityadmin" already exists.'; + SELECT STRING_AGG(rolname::text, ', ') + INTO existing_server_roles FROM pg_catalog.pg_roles + WHERE rolname IN ('securityadmin', 'dbcreator'); + + IF existing_server_roles IS NOT NULL THEN + RAISE EXCEPTION 'The following role(s) already exist(s): %', existing_server_roles; ELSE EXECUTE format('CREATE ROLE securityadmin CREATEROLE INHERIT PASSWORD NULL'); EXECUTE format('GRANT securityadmin TO bbf_role_admin WITH ADMIN TRUE'); CALL sys.babel_initialize_logins('securityadmin'); + EXECUTE format('CREATE ROLE dbcreator CREATEDB INHERIT PASSWORD NULL'); + EXECUTE format('GRANT dbcreator TO bbf_role_admin WITH ADMIN TRUE'); + CALL sys.babel_initialize_logins('dbcreator'); END IF; END; $$; @@ -183,13 +188,13 @@ DECLARE login_valid BOOLEAN; BEGIN role := TRIM(trailing from LOWER(role)); login := TRIM(trailing from LOWER(login)); - + login_valid = (login = suser_name() COLLATE sys.database_default) OR (EXISTS (SELECT name FROM sys.server_principals WHERE LOWER(name) = login COLLATE sys.database_default - AND type = 'S')); + AND type IN ('S', 'R'))); IF NOT login_valid THEN RETURN NULL; @@ -197,8 +202,10 @@ BEGIN ELSIF role = 'public' COLLATE sys.database_default THEN RETURN 1; - ELSIF role = 'sysadmin' COLLATE sys.database_default OR role = 'securityadmin' COLLATE sys.database_default THEN - has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') OR pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER')); + ELSIF role COLLATE sys.database_default IN ('sysadmin', 'securityadmin', 'dbcreator') THEN + has_role = (pg_has_role(login::TEXT, role::TEXT, 'MEMBER') + OR ((login COLLATE sys.database_default NOT IN ('sysadmin', 'securityadmin', 'dbcreator')) + AND pg_has_role(login::TEXT, 'sysadmin'::TEXT, 'MEMBER'))); IF has_role THEN RETURN 1; ELSE @@ -209,20 +216,69 @@ BEGIN 'serveradmin', 'setupadmin', 'processadmin', - 'dbcreator', 'diskadmin', 'bulkadmin') THEN RETURN 0; ELSE RETURN NULL; - END IF; + END IF; EXCEPTION WHEN OTHERS THEN RETURN NULL; END; $$ LANGUAGE plpgsql STABLE; +-- sp_helpsrvrolemember +CREATE OR REPLACE PROCEDURE sys.sp_helpsrvrolemember("@srvrolename" sys.SYSNAME = NULL) AS +$$ +BEGIN + -- If server role is not specified, return info for all server roles + IF @srvrolename IS NULL + BEGIN + SELECT CAST(Ext1.rolname AS sys.SYSNAME) AS 'ServerRole', + CAST(Ext2.rolname AS sys.SYSNAME) AS 'MemberName', + CAST(CAST(Base2.oid AS INT) AS sys.VARBINARY(85)) AS 'MemberSID' + FROM pg_catalog.pg_auth_members AS Authmbr + INNER JOIN pg_catalog.pg_roles AS Base1 ON Base1.oid = Authmbr.roleid + INNER JOIN pg_catalog.pg_roles AS Base2 ON Base2.oid = Authmbr.member + INNER JOIN sys.babelfish_authid_login_ext AS Ext1 ON Base1.rolname = Ext1.rolname + INNER JOIN sys.babelfish_authid_login_ext AS Ext2 ON Base2.rolname = Ext2.rolname + WHERE Ext1.type = 'R' AND Ext2.type != 'Z' + ORDER BY ServerRole, MemberName; + END + -- If a valid server role is specified, return its member info + -- If the role is a SQL server predefined role (i.e. serveradmin), + -- do not raise an error even if it does not exist + ELSE IF EXISTS (SELECT 1 + FROM sys.babelfish_authid_login_ext + WHERE (rolname = RTRIM(@srvrolename) + OR lower(rolname) = lower(RTRIM(@srvrolename))) + AND type = 'R') + OR lower(RTRIM(@srvrolename)) IN ( + 'serveradmin', 'setupadmin', 'processadmin', + 'diskadmin', 'bulkadmin') + BEGIN + SELECT CAST(Ext1.rolname AS sys.SYSNAME) AS 'ServerRole', + CAST(Ext2.rolname AS sys.SYSNAME) AS 'MemberName', + CAST(CAST(Base2.oid AS INT) AS sys.VARBINARY(85)) AS 'MemberSID' + FROM pg_catalog.pg_auth_members AS Authmbr + INNER JOIN pg_catalog.pg_roles AS Base1 ON Base1.oid = Authmbr.roleid + INNER JOIN pg_catalog.pg_roles AS Base2 ON Base2.oid = Authmbr.member + INNER JOIN sys.babelfish_authid_login_ext AS Ext1 ON Base1.rolname = Ext1.rolname + INNER JOIN sys.babelfish_authid_login_ext AS Ext2 ON Base2.rolname = Ext2.rolname + WHERE Ext1.type = 'R' AND Ext2.type != 'Z' + AND (Ext1.rolname = RTRIM(@srvrolename) OR lower(Ext1.rolname) = lower(RTRIM(@srvrolename))) + ORDER BY ServerRole, MemberName; + END + -- If the specified server role is not valid + ELSE + RAISERROR('%s is not a known fixed role.', 16, 1, @srvrolename); +END; +$$ +LANGUAGE 'pltsql'; +GRANT EXECUTE ON PROCEDURE sys.sp_helpsrvrolemember TO PUBLIC; + -- SYSLOGINS CREATE OR REPLACE VIEW sys.syslogins AS SELECT @@ -277,7 +333,12 @@ CAST(0 AS INT) AS serveradmin, CAST(0 AS INT) AS setupadmin, CAST(0 AS INT) AS processadmin, CAST(0 AS INT) AS diskadmin, -CAST(0 AS INT) AS dbcreator, +CAST( + CASE + WHEN is_srvrolemember('dbcreator', Base.name) = 1 THEN 1 + ELSE 0 + END +AS INT) AS dbcreator, CAST(0 AS INT) AS bulkadmin FROM sys.server_principals AS Base WHERE Base.type in ('S', 'U'); diff --git a/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c b/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c index 55e29044ea..fd335593d3 100644 --- a/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c +++ b/contrib/babelfishpg_tsql/src/backend_parser/gram-tsql-epilogue.y.c @@ -2072,7 +2072,7 @@ check_server_role_and_throw_if_unsupported (const char *serverrole, int position errmsg("Fixed server role '%s' is currently not supported in Babelfish", serverrole), parser_errposition(position))); } - else if (!IS_ROLENAME_SYSADMIN(serverrole) && !IS_ROLENAME_SECURITYADMIN(serverrole)) + else if (!IS_BBF_FIXED_SERVER_ROLE(serverrole)) { ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("Only fixed server role is supported in ALTER SERVER ROLE statement"), diff --git a/contrib/babelfishpg_tsql/src/catalog.c b/contrib/babelfishpg_tsql/src/catalog.c index df2cbae0df..d2f3f61516 100644 --- a/contrib/babelfishpg_tsql/src/catalog.c +++ b/contrib/babelfishpg_tsql/src/catalog.c @@ -4868,6 +4868,17 @@ rename_tsql_db(char *old_db_name, char *new_db_name) (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("Cannot change the name of the system database %s.", old_db_name))); + /* + * Check permission on the given database. + * Dbcreator can only alter the databases in which it has a mapped user. + */ + if (!has_privs_of_role(GetSessionUserId(), get_sysadmin_oid()) && !(get_user_for_database(old_db_name) + && has_privs_of_role(GetSessionUserId(), get_dbcreator_oid()))) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("User does not have permission to rename the database \'%s\', the database does not exist, or the database is not in a state that allows access checks.", + old_db_name))); + Assert (*pltsql_protocol_plugin_ptr); /* 50 tries with 100ms sleep between tries makes 5 sec total wait */ for (tries = 0; tries < 50; tries++) @@ -4888,13 +4899,6 @@ rename_tsql_db(char *old_db_name, char *new_db_name) (errcode(ERRCODE_OBJECT_IN_USE), errmsg("The database could not be exclusively locked to perform the operation."))); - /* Check permission on the given database. */ - if (!has_privs_of_role(GetSessionUserId(), get_role_oid("sysadmin", false))) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("User does not have permission to rename the database \'%s\', the database does not exist, or the database is not in a state that allows access checks.", - old_db_name))); - /* * Get an exclusive lock on the logical database we are trying to rename. */ diff --git a/contrib/babelfishpg_tsql/src/catalog.h b/contrib/babelfishpg_tsql/src/catalog.h index 75bb2ffdb5..5e2ba021b0 100644 --- a/contrib/babelfishpg_tsql/src/catalog.h +++ b/contrib/babelfishpg_tsql/src/catalog.h @@ -317,6 +317,7 @@ typedef FormData_bbf_function_ext *Form_bbf_function_ext; #define PUBLIC_ROLE_NAME "public" #define BABELFISH_SECURITYADMIN "securityadmin" #define BABELFISH_SYSADMIN "sysadmin" +#define BABELFISH_DBCREATOR "dbcreator" #define PERMISSIONS_FOR_ALL_OBJECTS_IN_SCHEMA "ALL" #define ALL_PERMISSIONS_ON_RELATION 47 /* last 6 bits as 101111 represents ALL privileges on a relation. */ #define ALL_PERMISSIONS_ON_FUNCTION 128 /* last 8 bits as 10000000 represents ALL privileges on a procedure/function. */ @@ -336,6 +337,16 @@ typedef FormData_bbf_function_ext *Form_bbf_function_ext; (strlen(rolname) == 13 && \ strncmp(rolname, BABELFISH_SECURITYADMIN, 13) == 0) +/* check if rolename is dbcreator */ +#define IS_ROLENAME_DBCREATOR(rolname) \ + (strlen(rolname) == 9 && \ + strncmp(rolname, BABELFISH_DBCREATOR, 9) == 0) + +#define IS_BBF_FIXED_SERVER_ROLE(rolename) \ + (IS_ROLENAME_SYSADMIN(rolename) || \ + IS_ROLENAME_SECURITYADMIN(rolename) || \ + IS_ROLENAME_DBCREATOR(rolename)) + extern int permissions[]; extern Oid bbf_schema_perms_oid; diff --git a/contrib/babelfishpg_tsql/src/dbcmds.c b/contrib/babelfishpg_tsql/src/dbcmds.c index b4bf1c3105..69a2d7fe9e 100644 --- a/contrib/babelfishpg_tsql/src/dbcmds.c +++ b/contrib/babelfishpg_tsql/src/dbcmds.c @@ -512,7 +512,6 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co { int16 old_dbid; char *old_dbname; - Oid datdba; Datum *new_record; bool *new_record_nulls; Relation sysdatabase_rel; @@ -529,6 +528,7 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co const char *old_createrole_self_grant; ListCell *option; const char *database_collation_name = NULL; + Oid datdba; /* Check options */ foreach(option, options) @@ -576,7 +576,10 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co PG_TRY(); { SetUserIdAndSecContext(GetSessionUserId(), save_sec_context | SECURITY_LOCAL_USERID_CHANGE); - if (!have_createdb_privilege()) + + /* Session user must be member of sysadmin or dbcreator fixed server role */ + if (!has_privs_of_role(GetSessionUserId(), get_sysadmin_oid()) && + !has_privs_of_role(GetSessionUserId(), get_dbcreator_oid())) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("permission denied to create database"))); @@ -587,10 +590,6 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co } PG_END_TRY(); - /* dbowner is always sysadmin */ - datdba = get_role_oid("sysadmin", false); - check_can_set_role(GetSessionUserId(), datdba); - /* For simplicity, do not allow bbf db name clides with pg dbnames */ /* TODO: add another check in orignal createdb */ if (OidIsValid(get_database_oid(dbname, true))) @@ -633,6 +632,7 @@ create_bbf_db_internal(ParseState *pstate, const char *dbname, List *options, co old_dbname = get_cur_db_name(); set_cur_db(dbid, dbname); /* temporarily set current dbid as the new id */ dbo_role = get_dbo_role_name(dbname); + datdba = get_sysadmin_oid(); PG_TRY(); { @@ -774,7 +774,9 @@ drop_bbf_db(const char *dbname, bool missing_ok, bool force_drop) const char *login = GetUserNameFromId(roleid, false); bool login_is_db_owner = 0 == strncmp(login, get_owner_of_db(dbname), NAMEDATALEN); - if (!(has_privs_of_role(roleid, get_role_oid("sysadmin", false)) || login_is_db_owner)) + /* Check if login has required privilege to drop the database */ + if (!(has_privs_of_role(roleid, get_sysadmin_oid()) + || has_privs_of_role(roleid, get_dbcreator_oid()) || login_is_db_owner)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_DATABASE, dbname); diff --git a/contrib/babelfishpg_tsql/src/pl_handler.c b/contrib/babelfishpg_tsql/src/pl_handler.c index 3a4273b9c0..3077708658 100644 --- a/contrib/babelfishpg_tsql/src/pl_handler.c +++ b/contrib/babelfishpg_tsql/src/pl_handler.c @@ -177,6 +177,8 @@ static void bbf_ExecDropStmt(DropStmt *stmt); static int isolation_to_int(char *isolation_level); static void bbf_set_tran_isolation(char *new_isolation_level_str); +static void gen_command_grant_revoke_priv_to_role(StringInfo query, const char *rolename, + bool is_grant, Oid login_oid); typedef struct { int oid; @@ -3643,7 +3645,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, int role_oid = get_role_oid(role_name, true); if (!OidIsValid(role_oid) || role_oid == get_bbf_role_admin_oid() - || role_oid == securityadmin_oid || role_oid == get_sysadmin_oid()) + || IS_BBF_FIXED_SERVER_ROLE(role_name)) ereport(ERROR, (errcode(ERRCODE_DUPLICATE_OBJECT), errmsg("Cannot drop the login '%s', because it does not exist or you do not have permission.", role_name))); @@ -3899,37 +3901,7 @@ bbf_ProcessUtility(PlannedStmt *pstmt, grantee_oid = get_role_oid(spec->rolename, false); initStringInfo(&query); - /* If sysadmin, provide attribute for role and database priv */ - if (IS_ROLENAME_SYSADMIN(rolspec->rolename)) - { - if (grant_role->is_grant) - appendStringInfo(&query, "ALTER ROLE dummy WITH createrole createdb; "); - - /* If grantee role is member of securityadmin then only revoke createdb */ - else if (has_privs_of_role(grantee_oid, get_securityadmin_oid())) - appendStringInfo(&query, "ALTER ROLE dummy WITH nocreatedb; "); - else - appendStringInfo(&query, "ALTER ROLE dummy WITH nocreaterole nocreatedb; "); - } - - /* If securityadmin, provide attribute for role priv */ - else if (IS_ROLENAME_SECURITYADMIN(rolspec->rolename)) - { - if (grant_role->is_grant) - appendStringInfo(&query, "ALTER ROLE dummy WITH createrole; "); - - /* If grantee role is member of sysadmin then don't revoke createrole */ - else if (!has_privs_of_role(grantee_oid, get_sysadmin_oid())) - appendStringInfo(&query, "ALTER ROLE dummy WITH nocreaterole; "); - } - - /* Otherwise, throw error */ - else - { - ereport(ERROR, - (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("\"%s\" is not a supported fixed server role.", rolspec->rolename))); - } + gen_command_grant_revoke_priv_to_role(&query, rolspec->rolename, grant_role->is_grant, grantee_oid); /* * Set to bbf_role_admin to grant the role @@ -6883,3 +6855,71 @@ bbf_set_tran_isolation(char *new_isolation_level_str) } return ; } + +/* + * Generate command to grant/revoke required + * privileges to/from the login on the basis of + * that login's privilege. + */ +static void +gen_command_grant_revoke_priv_to_role(StringInfo query, const char *rolename, + bool is_grant, Oid login_oid) +{ + int createrole = 0, createdb = 0; + int prev_createrole = 0, prev_createdb = 0; + bool grant_createrole, revoke_createrole, grant_createdb, revoke_createdb; + bool is_sysadmin = 0, is_securityadmin = 0, is_dbcreator = 0; + + if (has_privs_of_role(login_oid, get_sysadmin_oid())) + { + createrole++; + createdb++; + is_sysadmin = true; + } + if (has_privs_of_role(login_oid, get_securityadmin_oid())) + { + createrole++; + is_securityadmin = true; + } + if (has_privs_of_role(login_oid, get_dbcreator_oid())) + { + createdb++; + is_dbcreator = true; + } + + /* keep granted attribute count*/ + prev_createrole = createrole; + prev_createdb = createdb; + + /* If sysadmin, provide attribute for role and database priv */ + if (IS_ROLENAME_SYSADMIN(rolename)) + { + createrole += ((is_grant) ? 1 : (is_sysadmin) ? -1 : 0); + createdb += ((is_grant) ? 1 : ((is_sysadmin) ? -1 : 0)); + } + else if (IS_ROLENAME_SECURITYADMIN(rolename)) + { + createrole += ((is_grant) ? 1 : ((is_securityadmin) ? -1 : 0)); + } + else if (IS_ROLENAME_DBCREATOR(rolename)) + { + createdb += ((is_grant) ? 1: ((is_dbcreator) ? -1 : 0)); + } + else + { + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("\"%s\" is not a supported fixed server role.", rolename))); + } + + grant_createrole = (prev_createrole == 0 && createrole == 1); + grant_createdb = (prev_createdb == 0 && createdb == 1); + revoke_createrole = (prev_createrole == 1 && createrole == 0); + revoke_createdb = (prev_createdb == 1 && createdb == 0); + + /* Genarate grante/revoke required attribute to the required role query */ + appendStringInfo(query, "ALTER ROLE dummy WITH %s %s; ", grant_createrole ? "createrole" : + (revoke_createrole ? "nocreaterole" : ""), grant_createdb ? "createdb" : + (revoke_createdb ? "nocreatedb" : "")); + +} \ No newline at end of file diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c index d5df1f4db3..5253171557 100644 --- a/contrib/babelfishpg_tsql/src/rolecmds.c +++ b/contrib/babelfishpg_tsql/src/rolecmds.c @@ -78,6 +78,7 @@ static void validateFQDN(char *fqdn); static Oid bbf_admin_oid = InvalidOid; static Oid securityadmin_oid = InvalidOid; +static Oid dbcreator_oid = InvalidOid; void create_bbf_authid_login_ext(CreateRoleStmt *stmt) @@ -143,12 +144,10 @@ create_bbf_authid_login_ext(CreateRoleStmt *stmt) new_record_login_ext[LOGIN_EXT_ROLNAME] = NameGetDatum(&rolname_namedata); new_record_login_ext[LOGIN_EXT_IS_DISABLED] = Int32GetDatum(0); - if (strcmp(stmt->role, "sysadmin") == 0) + if (IS_BBF_FIXED_SERVER_ROLE(stmt->role)) new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("R"); else if (strcmp(stmt->role, "bbf_role_admin") == 0) new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("Z"); - else if (strcmp(stmt->role, BABELFISH_SECURITYADMIN) == 0) - new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("R"); else if (from_windows) new_record_login_ext[LOGIN_EXT_TYPE] = CStringGetTextDatum("U"); else @@ -698,6 +697,15 @@ get_securityadmin_oid(void) return securityadmin_oid; } +/* Returns OID of dbcreator server role */ +Oid +get_dbcreator_oid(void) +{ + if (!OidIsValid(dbcreator_oid)) + dbcreator_oid = get_role_oid(BABELFISH_DBCREATOR, false); + return dbcreator_oid; +} + /* * Returns OID of SA of the current database. * We assume that SA is the DBA of the babelfish DB. @@ -1049,7 +1057,8 @@ drop_all_logins(PG_FUNCTION_ARGS) * Remove SA from authid_login_ext now but do not add it to the list * because we don't want to remove the corresponding PG role. */ - if (role_is_sa(get_role_oid(rolname, false)) || (strcmp(rolname, "sysadmin") == 0) || (strcmp(rolname, "bbf_role_admin") == 0)) + if (role_is_sa(get_role_oid(rolname, false)) || (strcmp(rolname, "bbf_role_admin") == 0) + || IS_BBF_FIXED_SERVER_ROLE(rolname)) CatalogTupleDelete(bbf_authid_login_ext_rel, &tuple->t_self); else rolname_list = lcons(rolname, rolname_list); @@ -1683,7 +1692,7 @@ is_alter_server_stmt(GrantRoleStmt *stmt) RoleSpec *spec = (RoleSpec *) linitial(stmt->granted_roles); /* only supported server roles */ - if (IS_ROLENAME_SYSADMIN(spec->rolename) || IS_ROLENAME_SECURITYADMIN(spec->rolename)) + if (IS_BBF_FIXED_SERVER_ROLE(spec->rolename)) return true; } @@ -1727,10 +1736,12 @@ check_alter_server_stmt(GrantRoleStmt *stmt) /* * check if it has sysadmin privileges or - * if server role is securityadmin and it has privileges of securityadmin + * if server role is securityadmin and it has privileges of securityadmin or + * if server role is dbcreator and it has privileges of dbcreator */ - if (!has_privs_of_role(GetSessionUserId(), sysadmin) && ((strcmp(granted_name, BABELFISH_SECURITYADMIN) != 0) - || !has_privs_of_role(GetSessionUserId(), get_securityadmin_oid()))) + if (!has_privs_of_role(GetSessionUserId(), sysadmin) && (!IS_ROLENAME_SECURITYADMIN(granted_name) + || !has_privs_of_role(GetSessionUserId(), get_securityadmin_oid())) && (!IS_ROLENAME_DBCREATOR(granted_name) + || !has_privs_of_role(GetSessionUserId(), get_dbcreator_oid()))) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("Current login %s does not have permission to alter server role", @@ -1740,7 +1751,7 @@ check_alter_server_stmt(GrantRoleStmt *stmt) * sysadmin role is not granted if grantee login has a user in one of the * databases, as Babelfish only supports one dbo currently */ - if (stmt->is_grant && (strcmp(granted_name, "sysadmin") == 0) && has_user_in_db(grantee_name, &db_name)) + if (stmt->is_grant && IS_ROLENAME_SYSADMIN(granted_name) && has_user_in_db(grantee_name, &db_name)) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("'sysadmin' role cannot be granted to login: a user is already created in database '%s'", db_name))); diff --git a/contrib/babelfishpg_tsql/src/rolecmds.h b/contrib/babelfishpg_tsql/src/rolecmds.h index b1459efee5..a05542d20b 100644 --- a/contrib/babelfishpg_tsql/src/rolecmds.h +++ b/contrib/babelfishpg_tsql/src/rolecmds.h @@ -56,6 +56,7 @@ extern void drop_bbf_roles(ObjectAccessType access, extern bool role_is_sa(Oid roleid); extern Oid get_bbf_role_admin_oid(void); extern Oid get_securityadmin_oid(void); +extern Oid get_dbcreator_oid(void); extern Oid get_sa_role_oid(void); extern bool tsql_has_pgstat_permissions(Oid roleid); extern bool tsql_has_linked_srv_permissions(Oid roleid); diff --git a/test/JDBC/expected/BABEL-2403.out b/test/JDBC/expected/BABEL-2403.out index 18a6f78786..20cd61fe4f 100644 --- a/test/JDBC/expected/BABEL-2403.out +++ b/test/JDBC/expected/BABEL-2403.out @@ -83,6 +83,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} @@ -192,6 +194,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} diff --git a/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out b/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out index 4780d8a897..999d304c1b 100644 --- a/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out +++ b/test/JDBC/expected/BABEL-LOGIN-USER-EXT.out @@ -281,7 +281,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ @@ -292,7 +292,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -304,7 +304,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -6 +7 ~~END~~ @@ -392,7 +392,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -422,7 +422,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ diff --git a/test/JDBC/expected/dbcreator_role-vu-cleanup.out b/test/JDBC/expected/dbcreator_role-vu-cleanup.out new file mode 100644 index 0000000000..c7fec43025 --- /dev/null +++ b/test/JDBC/expected/dbcreator_role-vu-cleanup.out @@ -0,0 +1,66 @@ +-- tsql +drop user dbcreator_user1 +go + +drop user no_dbcreator_user1 +go + +drop login dbcreator_login1 +go + +drop login dbcreator_l2 +go + +use dbcreator_db1 +go + +drop user no_dbcreator_user1 +go + +use master +go + +drop login no_dbcreator_login1 +go + +drop database dbcreator_db1 +go + +drop schema dbcreator_scm1 +go + +drop view dbcreator_show_role_mem +go + +drop TRIGGER dbcreator_tggr1 +go + +DROP TABLE dbc_sp_helpsrvrolemember_tbl +GO + +drop table dbcreator_tb1 +go + +drop view dbcreator_v1 +go + +drop function dbcreator_func1() +go + +drop procedure dbcreator_proc1 +go + +drop procedure dbcreator_create_database_p1 +go + +drop procedure dbcreator_drop_database_p1 +go + +drop procedure dbcreator_add_mem_p1 +go + +drop procedure dbcreator_drop_mem_p1 +go + +drop role dbcreator_rol +go diff --git a/test/JDBC/expected/dbcreator_role-vu-prepare.out b/test/JDBC/expected/dbcreator_role-vu-prepare.out new file mode 100644 index 0000000000..50462af18a --- /dev/null +++ b/test/JDBC/expected/dbcreator_role-vu-prepare.out @@ -0,0 +1,92 @@ +-- tsql +create login dbcreator_login1 with password = '123' +go + +create login no_dbcreator_login1 with password = '123' +go + +create login dbcreator_l2 with password = '123' +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- tsql +create role dbcreator_rol +go + +create database dbcreator_db1 +go + +create schema dbcreator_scm1 +go + +CREATE VIEW dbcreator_show_role_mem AS +SELECT +roles.name AS RolePrincipalName +, members.name AS MemberPrincipalName +FROM sys.server_role_members AS server_role_members +INNER JOIN sys.server_principals AS roles + ON server_role_members.role_principal_id = roles.principal_id +INNER JOIN sys.server_principals AS members + ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; +GO + +CREATE TABLE dbc_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + +create table dbcreator_tb1(a int) +go + +create view dbcreator_v1 as select 1; +go + +create function dbcreator_func1() returns int as begin return 1 end; +go + +create procedure dbcreator_proc1 as begin select 1; end +go + +CREATE TRIGGER dbcreator_tggr1 on dbcreator_tb1 AFTER INSERT AS BEGIN END; +go + +create procedure dbcreator_create_database_p1 as begin create database dbcreator_db_new; end +go + +Grant execute on dbcreator_create_database_p1 to PUBLIC; +go + +create procedure dbcreator_drop_database_p1 as begin drop database dbcreator_db_new; end +go + +Grant execute on dbcreator_drop_database_p1 to PUBLIC; +go + +create procedure dbcreator_add_mem_p1 as begin Alter server role dbcreator add member no_dbcreator_login1; end +go + +Grant execute on dbcreator_add_mem_p1 to PUBLIC; +go + +create procedure dbcreator_drop_mem_p1 as begin Alter server role dbcreator drop member no_dbcreator_login1; end +go + +Grant execute on dbcreator_drop_mem_p1 to PUBLIC; +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +use master +go diff --git a/test/JDBC/expected/dbcreator_role-vu-verify.out b/test/JDBC/expected/dbcreator_role-vu-verify.out new file mode 100644 index 0000000000..51ed2f2e6e --- /dev/null +++ b/test/JDBC/expected/dbcreator_role-vu-verify.out @@ -0,0 +1,1338 @@ +-- tsql +-- should be 0 +select is_srvrolemember('sysadmin', 'dbcreator') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('securityadmin', 'dbcreator') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('dbcreator', 'sysadmin') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('dbcreator', 'securityadmin') +go +~~START~~ +int +0 +~~END~~ + + +alter login dbcreator_login1 with password='123' +go + +alter login no_dbcreator_login1 with password='123' +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO +~~START~~ +varchar#!#varchar#!#int +~~END~~ + + +-- make login member of dbcreator +Alter server role dbcreator add member dbcreator_login1 +go + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go +~~START~~ +varchar#!#varchar +dbcreator#!#dbcreator_login1 +sysadmin#!#jdbc_user +~~END~~ + + +-- should error out +create login dbcreator with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The Server principal 'dbcreator' already exists)~~ + + +-- terminate-tsql-conn + + +-- tsql user=dbcreator_login1 password=123 + +-- Case 1 - positives +-- dbcreator's login privileges +-- alter server role dbcreator should be allowed +Alter server role dbcreator add member no_dbcreator_login1 +go + +Alter server role dbcreator drop member no_dbcreator_login1 +go + +-- create/drop database should be allowed +drop database dbcreator_db1 +go + +create database dbcreator_db; +go + +-- owner should be dbcreator_login1 +SELECT owner AS database_owner FROM sys.babelfish_sysdatabases WHERE name = 'dbcreator_db'; +go +~~START~~ +varchar +dbcreator_login1 +~~END~~ + + +use dbcreator_db +go + +select current_user +go +~~START~~ +varchar +dbo +~~END~~ + + +create table dbc_t1(a int) +go + +drop table dbc_t1 +go + +use master +go + +-- alter database should be allowed +alter database dbcreator_db modify name=dbcreator_db_1 +go + +-- sp_renamedb should be allowed +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- transfer ownership to different login +alter authorization on database::dbcreator_db to no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should not be allowed +use dbcreator_db +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The server principal "dbcreator_login1" is not able to access the database "dbcreator_db" under the current security context)~~ + + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to rename the database 'dbcreator_db', the database does not exist, or the database is not in a state that allows access checks.)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db +go + +create user u1 for login dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +use dbcreator_db +go + +-- should not be dbo +select current_user +go +~~START~~ +varchar +u1 +~~END~~ + + +use master +go + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO + +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql + +use dbcreator_db +go + +drop user u1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- drop database should be allowed +-- password based login +drop database dbcreator_db +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- tsql user=no_dbcreator_login1 password=123 +-- connection should get refused +use dbcreator_db1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The server principal "no_dbcreator_login1" is not able to access the database "dbcreator_db1" under the current security context)~~ + + +-- should give permission denied +Alter server role dbcreator add member no_dbcreator_login1 +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login no_dbcreator_login1 does not have permission to alter server role)~~ + + +Alter server role dbcreator drop member no_dbcreator_login1 +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login no_dbcreator_login1 does not have permission to alter server role)~~ + + +-- terminate-tsql-conn user=no_dbcreator_login1 password=123 + +-- tsql user=dbcreator_login1 password=123 +-- System objects +select name, sysadmin, dbcreator from syslogins where name like '%dbcreator%' order by name +go +~~START~~ +varchar#!#int#!#int +dbcreator_login1#!#0#!#1 +~~END~~ + + +-- should give permission denied +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to rename the database 'dbcreator_db1', the database does not exist, or the database is not in a state that allows access checks.)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db1 +go + +grant connect to guest +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO + +-- should return 0 +select is_srvrolemember ('sysadmin') +go +~~START~~ +int +0 +~~END~~ + + +-- should return 1 +select is_srvrolemember ('dbcreator') +go +~~START~~ +int +1 +~~END~~ + + +select is_srvrolemember ('dbcreator', 'dbcreator_login1') +GO +~~START~~ +int +1 +~~END~~ + + +-- it should be allowed +drop database dbcreator_db2 +go + +-- inside procedure +exec dbcreator_create_database_p1 +go + +exec dbcreator_add_mem_p1 +go + +exec dbcreator_drop_mem_p1 +go + +exec dbcreator_drop_database_p1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- login is member of both dbcreator as well as sysadmin +drop user dbcreator_user1 +go + +Alter server role sysadmin add member dbcreator_login1 +go + +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- it should be able to connect to the database +use dbcreator_db1 +go + +-- it should be dbo +select current_user +go +~~START~~ +varchar +dbo +~~END~~ + + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go +~~START~~ +varchar#!#bit#!#bit +dbcreator_login1#!#1#!#1 +~~END~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- only member of dbcreator +alter server role sysadmin drop member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO +~~ROW COUNT: 1~~ + + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO +~~START~~ +varchar#!#varchar#!#int +dbcreator#!#dbcreator_login1#!#1 +~~END~~ + + +-- only rolcreatedb attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go +~~START~~ +varchar#!#bit#!#bit +dbcreator_login1#!#0#!#1 +~~END~~ + + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be able to create/drop database +drop database dbcreator_db1 +go + +create database dbcreator_db3 +go + +drop database dbcreator_db3 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- only member of sysadmin +create database dbcreator_db1 +go + +drop user dbcreator_user1 +go + +alter server role sysadmin add member dbcreator_login1 +go + +alter server role dbcreator drop member dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be 1 +select is_srvrolemember('sysadmin') +go +~~START~~ +int +1 +~~END~~ + + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go +~~START~~ +varchar#!#bit#!#bit +dbcreator_login1#!#1#!#1 +~~END~~ + + +-- should be able to create/drop login +create login test_dbcreator_l1 with password ='123' +go + +drop login test_dbcreator_l1 +go + +-- should return 1 +select is_srvrolemember ('sysadmin') +go +~~START~~ +int +1 +~~END~~ + + +-- should return 1 +select is_srvrolemember ('dbcreator') +go +~~START~~ +int +1 +~~END~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- make it member of dbcreator only +alter server role sysadmin drop member dbcreator_login1 +go + +alter server role dbcreator add member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- Case 2 - negatives +-- alter server role sysadmin should give permission denied +Alter server role sysadmin add member no_dbcreator_login1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to alter server role)~~ + + +-- alter server role dbcreator add member db roles should error out +Alter server role dbcreator add member guest +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "guest" does not exist)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create role dummy_role +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should error out +Alter server role dbcreator add member dummy_role +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "dummy_role" does not exist)~~ + + +-- create login permission denied +-- windows login +create login [babel\dbcreator_l1] from windows; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to create new login)~~ + + +-- password based login +create login dbcreator_l2 with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to create new login)~~ + + +-- alter authorization on database permission denied +alter authorization on database::dbcreator_db1 to no_dbcreator_login1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot find the principal 'no_dbcreator_login1', because it does not exist or you do not have permission.)~~ + + +-- alter login should give permission denied +-- password based login +alter login dbcreator_l2 with password = '123' +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +ALTER LOGIN dbcreator_l2 disable; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +ALTER LOGIN dbcreator_l2 enable; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +ALTER LOGIN no_dbcreator_login1 with default_database=dbcreator_db1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot alter the login 'no_dbcreator_login1', because it does not exist or you do not have permission.)~~ + + +-- drop login permission denied +drop login no_dbcreator_login1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the login 'no_dbcreator_login1', because it does not exist or you do not have permission.)~~ + + +-- grant database permissions (only connect is supported) +-- should give permission denied +REVOKE CONNECT FROM no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Grantor does not have GRANT permission.)~~ + + +GRANT CONNECT TO no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Grantor does not have GRANT permission.)~~ + + +-- dbcreator login's mapped user should not have any priv +select current_user, db_name() +go +~~START~~ +varchar#!#nvarchar +dbcreator_user1#!#master +~~END~~ + + +select suser_name() +go +~~START~~ +nvarchar +dbcreator_login1 +~~END~~ + + +-- create objects/user permission denied +create user dbcreator_l2 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to perform this action.)~~ + + +create role dbcreator_role1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: User does not have permission to perform this action.)~~ + + +create schema perm_denied_scm +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for database jdbc_testdb)~~ + + +create view perm_denied_v1 as select 1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create table perm_denied_tb1 (a int); +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +select 1 into perm_denied_tb2; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create function perm_denied_func1() returns int as begin return 1 end; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create procedure perm_denied_proc1 as begin select 1; end +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create type perm_denied_typ1 from int; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +create index perm_denied_index1 on dbcreator_tb1(a); +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +CREATE FUNCTION perm_denied_func1() RETURNS TABLE AS RETURN ( SELECT 1 AS Value); +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for schema master_dbo)~~ + + +-- DMLS on object permission denied +Alter user no_dbcreator_user1 with DEFAULT_SCHEMA=dbcreator_scm1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current user does not have privileges to change schema)~~ + + +Alter role dbcreator_rol add member no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to alter role master_dbcreator_rol)~~ + + +Alter role dbcreator_rol drop member no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Current login dbcreator_login1 does not have permission to alter role master_dbcreator_rol)~~ + + +Alter table dbcreator_tb1 add b int +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +Insert into dbcreator_tb1 values (1) +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +UPDATE dbcreator_tb1 SET a = 2 where a = 1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +DELETE FROM dbcreator_tb1 WHERE a = 1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +TRUNCATE TABLE dbcreator_tb1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +select * from dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +select * from dbcreator_v1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for view dbcreator_v1)~~ + + +select dbcreator_func1() +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_func1)~~ + + +exec dbcreator_proc1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for procedure dbcreator_proc1)~~ + + +Enable trigger dbcreator_tggr1 on dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +Disable trigger dbcreator_tggr1 on dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +-- grant on objects permission denied +Grant select on dbcreator_tb1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Grant exec on dbcreator_func1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_func1)~~ + + +Grant exec on dbcreator_proc1 to no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- Revoke on objects permission denied +Revoke select on dbcreator_tb1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_tb1)~~ + + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + + +Revoke exec on dbcreator_func1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_func1)~~ + + +Revoke exec on dbcreator_proc1 from no_dbcreator_user1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- grant on schema +-- permission denied +grant select on dbcreator_v1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +grant select on dbo.dbcreator_v1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +grant execute on dbcreator_proc1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + +grant execute on dbo.dbcreator_proc1 to no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- revoke on schema +-- permission denied +revoke select on dbcreator_v1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +revoke select on dbo.dbcreator_v1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for table dbcreator_v1)~~ + +revoke execute on dbcreator_proc1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + +revoke execute on dbo.dbcreator_proc1 from no_dbcreator_user1; +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for function dbcreator_proc1)~~ + + +-- drop object permission denied +drop user dbcreator_l2 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the user 'dbcreator_l2', because it does not exist or you do not have permission.)~~ + + +drop role dbcreator_rol +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the role 'dbcreator_rol', because it does not exist or you do not have permission.)~~ + + +drop schema dbcreator_scm1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of schema master_dbcreator_scm1)~~ + + +drop view dbcreator_show_role_mem +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of view dbcreator_show_role_mem)~~ + + +drop TRIGGER dbcreator_tggr1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of relation dbcreator_tb1)~~ + + +drop table dbcreator_tb1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of table dbcreator_tb1)~~ + + +drop view dbcreator_v1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of view dbcreator_v1)~~ + + +drop function dbcreator_func1() +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of function dbcreator_func1)~~ + + +drop procedure dbcreator_proc1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: must be owner of procedure dbcreator_proc1)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + + +-- tsql database=dbcreator_db1 +-- dbcreator login should not get mapped to dbo if no user exist, it should disconnect +drop user dbcreator_user1 +go + +-- terminate-tsql-conn database=dbcreator_db1 + +-- tsql user=dbcreator_login1 password=123 +-- it should disconnect +use dbcreator_db1 +go +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: The server principal "dbcreator_login1" is not able to access the database "dbcreator_db1" under the current security context)~~ + + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- Case 3 - check unintended/unauthorized use of dbcreator +drop role dummy_role +go + +CREATE LOGIN dbcreator_restrict_new_login WITH password = '12345678'; +go + +ALTER SERVER ROLE sysadmin ADD MEMBER dbcreator_restrict_new_login; +GO + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go +~~START~~ +varchar#!#varchar +dbcreator#!#dbcreator_login1 +sysadmin#!#dbcreator_restrict_new_login +sysadmin#!#jdbc_user +~~END~~ + + +-- terminate-tsql-conn + +-- tsql user=dbcreator_restrict_new_login password=12345678 +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go +~~START~~ +varchar#!#varchar +dbcreator#!#dbcreator_login1 +sysadmin#!#dbcreator_restrict_new_login +sysadmin#!#jdbc_user +~~END~~ + + +select current_user, db_name() +go +~~START~~ +varchar#!#nvarchar +dbo#!#master +~~END~~ + + +CREATE ROLE dbcreator_restrictions_role; +GO + +-- a tsql login should not be able to drop dbcreator explicitly from tsql port +-- should be denied +ALTER ROLE dbcreator_restrictions_role ADD MEMBER dbcreator; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: role "master_dbcreator" does not exist)~~ + + +DROP LOGIN dbcreator; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot drop the login 'dbcreator', because it does not exist or you do not have permission.)~~ + + +DROP ROLE dbcreator_restrictions_role; +GO + +-- terminate-tsql-conn user=dbcreator_restrict_new_login password=12345678 + +-- psql user=dbcreator_restrict_new_login password=12345678 +-- a tsql login should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT sysadmin TO dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator TO dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE dbcreator FROM master_dbo; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE master_dbo FROM dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +DROP ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be dropped or altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +SET SESSION AUTHORIZATION dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set session authorization + Server SQLState: 42501)~~ + + +SET ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set role "dbcreator" + Server SQLState: 42501)~~ + + +-- psql +-- normal PG user +CREATE USER dbcreator_restrictions_pg_user WITH LOGIN CREATEROLE PASSWORD '12345678' inherit; +go + +-- psql user=dbcreator_restrictions_pg_user password=12345678 +-- a normal psql user should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +-- Altering a role by an underprivileged login should be restricted +alter user dbcreator_restrict_new_login with password '123' +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to alter role + Detail: To change another role's password, the current user must have the CREATEROLE attribute and the ADMIN option on the role. + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE dbcreator FROM master_dbo; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE sysadmin FROM dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE dbcreator FROM dbcreator +go +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +REVOKE master_dbo FROM dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +DROP ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be dropped or altered outside of a Babelfish session + Server SQLState: 42501)~~ + + +SET SESSION AUTHORIZATION dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set session authorization + Server SQLState: 42501)~~ + + +SET ROLE dbcreator; +GO +~~ERROR (Code: 0)~~ + +~~ERROR (Message: ERROR: permission denied to set role "dbcreator" + Server SQLState: 42501)~~ + + +-- psql +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'dbcreator_restrict_new_login' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +go +~~START~~ +bool +t +~~END~~ + + +DROP USER dbcreator_restrictions_pg_user; +GO + +-- Wait to sync with another session +SELECT pg_sleep(1); +GO +~~START~~ +void + +~~END~~ + + +-- tsql + +ALTER SERVER ROLE sysadmin drop MEMBER dbcreator_restrict_new_login; +GO + +DROP LOGIN dbcreator_restrict_new_login +GO diff --git a/test/JDBC/expected/is_srvrolemember-vu-verify.out b/test/JDBC/expected/is_srvrolemember-vu-verify.out index 4955dd3fbc..8075a28c90 100644 --- a/test/JDBC/expected/is_srvrolemember-vu-verify.out +++ b/test/JDBC/expected/is_srvrolemember-vu-verify.out @@ -138,7 +138,7 @@ SELECT is_srvrolemember('dbcreator') GO ~~START~~ int -0 +1 ~~END~~ diff --git a/test/JDBC/expected/is_srvrolemember.out b/test/JDBC/expected/is_srvrolemember.out index 4955dd3fbc..8075a28c90 100644 --- a/test/JDBC/expected/is_srvrolemember.out +++ b/test/JDBC/expected/is_srvrolemember.out @@ -138,7 +138,7 @@ SELECT is_srvrolemember('dbcreator') GO ~~START~~ int -0 +1 ~~END~~ diff --git a/test/JDBC/expected/permission_restrictions_from_pg.out b/test/JDBC/expected/permission_restrictions_from_pg.out index c166441a23..4167613ebb 100644 --- a/test/JDBC/expected/permission_restrictions_from_pg.out +++ b/test/JDBC/expected/permission_restrictions_from_pg.out @@ -12,8 +12,7 @@ grant sysadmin to permission_restrictions_tsql_login; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ @@ -32,8 +31,7 @@ grant sysadmin to permission_restrictions_psql_user; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ @@ -63,8 +61,7 @@ grant sysadmin to permission_restrictions_tsql_login; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ @@ -83,8 +80,7 @@ grant sysadmin to permission_restrictions_psql_user; go ~~ERROR (Code: 0)~~ -~~ERROR (Message: ERROR: permission denied to grant role "sysadmin" - Detail: Only roles with the ADMIN option on role "sysadmin" may grant this role. +~~ERROR (Message: ERROR: Babelfish-created logins/users/roles cannot be altered outside of a Babelfish session Server SQLState: 42501)~~ diff --git a/test/JDBC/expected/securityadmin_role-vu-cleanup.out b/test/JDBC/expected/securityadmin_role-vu-cleanup.out index fb82964f8d..7eaf398df8 100644 --- a/test/JDBC/expected/securityadmin_role-vu-cleanup.out +++ b/test/JDBC/expected/securityadmin_role-vu-cleanup.out @@ -32,6 +32,9 @@ go drop TRIGGER securityadmin_tggr1 go +DROP TABLE sadm_sp_helpsrvrolemember_tbl +GO + drop table securityadmin_tb1 go diff --git a/test/JDBC/expected/securityadmin_role-vu-prepare.out b/test/JDBC/expected/securityadmin_role-vu-prepare.out index 1f96ebe37e..925c01678f 100644 --- a/test/JDBC/expected/securityadmin_role-vu-prepare.out +++ b/test/JDBC/expected/securityadmin_role-vu-prepare.out @@ -32,6 +32,11 @@ INNER JOIN sys.server_principals AS members ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; GO +CREATE TABLE sadm_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + create table securityadmin_tb1(a int) go diff --git a/test/JDBC/expected/securityadmin_role-vu-verify.out b/test/JDBC/expected/securityadmin_role-vu-verify.out index f3b35d0386..5fcde2d413 100644 --- a/test/JDBC/expected/securityadmin_role-vu-verify.out +++ b/test/JDBC/expected/securityadmin_role-vu-verify.out @@ -1,10 +1,40 @@ -- tsql +select is_srvrolemember('sysadmin', 'securityadmin') +go +~~START~~ +int +0 +~~END~~ + + +select is_srvrolemember('securityadmin', 'sysadmin') +go +~~START~~ +int +0 +~~END~~ + + alter login securityadmin_login1 with password='123' go alter login no_securityadmin_login1 with password='123' go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO +~~START~~ +varchar#!#varchar#!#int +~~END~~ + + -- make login member of securityadmin Alter server role securityadmin add member securityadmin_login1 go @@ -262,6 +292,7 @@ FROM sys.server_principals ORDER BY name GO ~~START~~ varchar#!#char#!#nvarchar#!#varchar#!#varchar#!#int#!#int#!#bit +dbcreator#!#R#!#SERVER_ROLE#!##!#English#!##!#1#!#1 jdbc_user#!#S#!#SQL_LOGIN#!#master#!#English#!#-1#!#-1#!#0 no_securityadmin_login1#!#S#!#SQL_LOGIN#!#master#!#English#!#-1#!#-1#!#0 public#!#R#!#SERVER_ROLE#!##!##!##!#1#!#0 @@ -553,6 +584,23 @@ go create user securityadmin_user1 for login securityadmin_login1 go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO +~~ROW COUNT: 1~~ + + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO +~~START~~ +varchar#!#varchar#!#int +securityadmin#!#securityadmin_login1#!#1 +~~END~~ + + -- terminate-tsql-conn -- tsql user=securityadmin_login1 password=123 diff --git a/test/JDBC/expected/single_db/BABEL-2403.out b/test/JDBC/expected/single_db/BABEL-2403.out index 916f4cdf66..2f20395b10 100644 --- a/test/JDBC/expected/single_db/BABEL-2403.out +++ b/test/JDBC/expected/single_db/BABEL-2403.out @@ -71,6 +71,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} @@ -168,6 +170,8 @@ name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} +name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_login_ext must also exist in pg_authid"} +text#!#sys#!#name#!#{"Rule": " in babelfish_authid_login_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} text#!#sys#!#name#!#{"Rule": " in babelfish_authid_user_ext must also exist in babelfish_sysdatabases"} name#!#pg_catalog#!#rolname#!#{"Rule": " in babelfish_authid_user_ext must also exist in pg_authid"} diff --git a/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out b/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out index 9b37746703..651c14ea95 100644 --- a/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out +++ b/test/JDBC/expected/single_db/BABEL-LOGIN-USER-EXT.out @@ -281,7 +281,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ @@ -292,7 +292,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -304,7 +304,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -6 +7 ~~END~~ @@ -392,7 +392,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -5 +6 ~~END~~ @@ -422,7 +422,7 @@ SELECT COUNT(*) FROM sys.babelfish_authid_login_ext; go ~~START~~ int -4 +5 ~~END~~ diff --git a/test/JDBC/expected/sys-server_principals-vu-verify.out b/test/JDBC/expected/sys-server_principals-vu-verify.out index aef130e734..65f2f5628e 100644 --- a/test/JDBC/expected/sys-server_principals-vu-verify.out +++ b/test/JDBC/expected/sys-server_principals-vu-verify.out @@ -61,6 +61,7 @@ FROM sys.server_principals ORDER BY name GO ~~START~~ varchar#!#char#!#nvarchar#!#varchar#!#varchar#!#int#!#int#!#bit +dbcreator#!#R#!#SERVER_ROLE#!##!#English#!##!#1#!#1 jdbc_user#!#S#!#SQL_LOGIN#!#master#!#English#!#-1#!#-1#!#0 public#!#R#!#SERVER_ROLE#!##!##!##!#1#!#0 securityadmin#!#R#!#SERVER_ROLE#!##!#English#!##!#1#!#1 diff --git a/test/JDBC/expected/test_windows_login-vu-prepare.out b/test/JDBC/expected/test_windows_login-vu-prepare.out index aedb3e8755..6cb5a741ec 100644 --- a/test/JDBC/expected/test_windows_login-vu-prepare.out +++ b/test/JDBC/expected/test_windows_login-vu-prepare.out @@ -7,6 +7,7 @@ $$ begin end if; end $$; GO +-- terminate-psql-conn -- tsql CREATE DATABASE ad_db; diff --git a/test/JDBC/input/dbcreator_role-vu-cleanup.mix b/test/JDBC/input/dbcreator_role-vu-cleanup.mix new file mode 100644 index 0000000000..b96c379ad1 --- /dev/null +++ b/test/JDBC/input/dbcreator_role-vu-cleanup.mix @@ -0,0 +1,66 @@ +-- tsql +drop user dbcreator_user1 +go + +drop user no_dbcreator_user1 +go + +drop login dbcreator_login1 +go + +drop login dbcreator_l2 +go + +use dbcreator_db1 +go + +drop user no_dbcreator_user1 +go + +use master +go + +drop login no_dbcreator_login1 +go + +drop database dbcreator_db1 +go + +drop schema dbcreator_scm1 +go + +drop view dbcreator_show_role_mem +go + +drop TRIGGER dbcreator_tggr1 +go + +DROP TABLE dbc_sp_helpsrvrolemember_tbl +GO + +drop table dbcreator_tb1 +go + +drop view dbcreator_v1 +go + +drop function dbcreator_func1() +go + +drop procedure dbcreator_proc1 +go + +drop procedure dbcreator_create_database_p1 +go + +drop procedure dbcreator_drop_database_p1 +go + +drop procedure dbcreator_add_mem_p1 +go + +drop procedure dbcreator_drop_mem_p1 +go + +drop role dbcreator_rol +go \ No newline at end of file diff --git a/test/JDBC/input/dbcreator_role-vu-prepare.mix b/test/JDBC/input/dbcreator_role-vu-prepare.mix new file mode 100644 index 0000000000..55d39ada67 --- /dev/null +++ b/test/JDBC/input/dbcreator_role-vu-prepare.mix @@ -0,0 +1,92 @@ +-- tsql +create login dbcreator_login1 with password = '123' +go + +create login no_dbcreator_login1 with password = '123' +go + +create login dbcreator_l2 with password = '123' +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- tsql +create role dbcreator_rol +go + +create database dbcreator_db1 +go + +create schema dbcreator_scm1 +go + +CREATE VIEW dbcreator_show_role_mem AS +SELECT +roles.name AS RolePrincipalName +, members.name AS MemberPrincipalName +FROM sys.server_role_members AS server_role_members +INNER JOIN sys.server_principals AS roles + ON server_role_members.role_principal_id = roles.principal_id +INNER JOIN sys.server_principals AS members + ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; +GO + +CREATE TABLE dbc_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + +create table dbcreator_tb1(a int) +go + +create view dbcreator_v1 as select 1; +go + +create function dbcreator_func1() returns int as begin return 1 end; +go + +create procedure dbcreator_proc1 as begin select 1; end +go + +CREATE TRIGGER dbcreator_tggr1 on dbcreator_tb1 AFTER INSERT AS BEGIN END; +go + +create procedure dbcreator_create_database_p1 as begin create database dbcreator_db_new; end +go + +Grant execute on dbcreator_create_database_p1 to PUBLIC; +go + +create procedure dbcreator_drop_database_p1 as begin drop database dbcreator_db_new; end +go + +Grant execute on dbcreator_drop_database_p1 to PUBLIC; +go + +create procedure dbcreator_add_mem_p1 as begin Alter server role dbcreator add member no_dbcreator_login1; end +go + +Grant execute on dbcreator_add_mem_p1 to PUBLIC; +go + +create procedure dbcreator_drop_mem_p1 as begin Alter server role dbcreator drop member no_dbcreator_login1; end +go + +Grant execute on dbcreator_drop_mem_p1 to PUBLIC; +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +use master +go \ No newline at end of file diff --git a/test/JDBC/input/dbcreator_role-vu-verify.mix b/test/JDBC/input/dbcreator_role-vu-verify.mix new file mode 100644 index 0000000000..4bf340787a --- /dev/null +++ b/test/JDBC/input/dbcreator_role-vu-verify.mix @@ -0,0 +1,756 @@ +-- tsql +-- should be 0 +select is_srvrolemember('sysadmin', 'dbcreator') +go + +select is_srvrolemember('securityadmin', 'dbcreator') +go + +select is_srvrolemember('dbcreator', 'sysadmin') +go + +select is_srvrolemember('dbcreator', 'securityadmin') +go + +alter login dbcreator_login1 with password='123' +go + +alter login no_dbcreator_login1 with password='123' +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO + +-- make login member of dbcreator +Alter server role dbcreator add member dbcreator_login1 +go + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go + +-- should error out +create login dbcreator with password = '123' +go + +-- terminate-tsql-conn + +-- Case 1 - positives +-- dbcreator's login privileges + +-- tsql user=dbcreator_login1 password=123 +-- alter server role dbcreator should be allowed + +Alter server role dbcreator add member no_dbcreator_login1 +go + +Alter server role dbcreator drop member no_dbcreator_login1 +go + +-- create/drop database should be allowed +drop database dbcreator_db1 +go + +create database dbcreator_db; +go + +-- owner should be dbcreator_login1 +SELECT owner AS database_owner FROM sys.babelfish_sysdatabases WHERE name = 'dbcreator_db'; +go + +use dbcreator_db +go + +select current_user +go + +create table dbc_t1(a int) +go + +drop table dbc_t1 +go + +use master +go + +-- alter database should be allowed +alter database dbcreator_db modify name=dbcreator_db_1 +go + +-- sp_renamedb should be allowed +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- transfer ownership to different login +alter authorization on database::dbcreator_db to no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should not be allowed +use dbcreator_db +go + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db +go + +create user u1 for login dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +use dbcreator_db +go + +-- should not be dbo +select current_user +go + +use master +go + +EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1' +GO + +EXEC sp_renamedb 'dbcreator_db_1', 'dbcreator_db' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql + +use dbcreator_db +go + +drop user u1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- drop database should be allowed +-- password based login +drop database dbcreator_db +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- tsql user=no_dbcreator_login1 password=123 +-- connection should get refused +use dbcreator_db1 +go + +-- should give permission denied +Alter server role dbcreator add member no_dbcreator_login1 +GO + +Alter server role dbcreator drop member no_dbcreator_login1 +GO + +-- terminate-tsql-conn user=no_dbcreator_login1 password=123 + +-- tsql user=dbcreator_login1 password=123 +-- System objects +select name, sysadmin, dbcreator from syslogins where name like '%dbcreator%' order by name +go + +-- should give permission denied +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +use dbcreator_db1 +go + +grant connect to guest +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should be allowed +EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2' +GO + +-- should return 0 +select is_srvrolemember ('sysadmin') +go + +-- should return 1 +select is_srvrolemember ('dbcreator') +go + +select is_srvrolemember ('dbcreator', 'dbcreator_login1') +GO + +-- it should be allowed +drop database dbcreator_db2 +go + +-- inside procedure +exec dbcreator_create_database_p1 +go + +exec dbcreator_add_mem_p1 +go + +exec dbcreator_drop_mem_p1 +go + +exec dbcreator_drop_database_p1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- login is member of both dbcreator as well as sysadmin +-- tsql +drop user dbcreator_user1 +go + +Alter server role sysadmin add member dbcreator_login1 +go + +create database dbcreator_db1 +go + +-- terminate-tsql-conn + +-- it should be able to connect to the database +-- tsql user=dbcreator_login1 password=123 +use dbcreator_db1 +go + +-- it should be dbo +select current_user +go + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- only member of dbcreator +-- tsql +alter server role sysadmin drop member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +TRUNCATE TABLE dbc_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO dbc_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'dbcreator' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM dbc_sp_helpsrvrolemember_tbl where MemberName like '%dbcreator%' +GO + +-- only rolcreatedb attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be able to create/drop database +drop database dbcreator_db1 +go + +create database dbcreator_db3 +go + +drop database dbcreator_db3 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- only member of sysadmin +create database dbcreator_db1 +go + +drop user dbcreator_user1 +go + +alter server role sysadmin add member dbcreator_login1 +go + +alter server role dbcreator drop member dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 + +-- should be 1 +select is_srvrolemember('sysadmin') +go + +-- both attribute should be true +select rolname, rolcreaterole, rolcreatedb from pg_roles where rolname = 'dbcreator_login1' +go + +-- should be able to create/drop login +create login test_dbcreator_l1 with password ='123' +go + +drop login test_dbcreator_l1 +go + +-- should return 1 +select is_srvrolemember ('sysadmin') +go + +-- should return 1 +select is_srvrolemember ('dbcreator') +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +-- make it member of dbcreator only +alter server role sysadmin drop member dbcreator_login1 +go + +alter server role dbcreator add member dbcreator_login1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +use dbcreator_db1 +go + +create user dbcreator_user1 for login dbcreator_login1 +go + +create user no_dbcreator_user1 for login no_dbcreator_login1 +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- Case 2 - negatives +-- alter server role sysadmin should give permission denied +Alter server role sysadmin add member no_dbcreator_login1 +go + +-- alter server role dbcreator add member db roles should error out +Alter server role dbcreator add member guest +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- tsql +create role dummy_role +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_login1 password=123 +-- should error out +Alter server role dbcreator add member dummy_role +go + +-- create login permission denied +-- windows login +create login [babel\dbcreator_l1] from windows; +go + +-- password based login +create login dbcreator_l2 with password = '123' +go + +-- alter authorization on database permission denied +alter authorization on database::dbcreator_db1 to no_dbcreator_login1 +go + +-- alter login should give permission denied +-- password based login +alter login dbcreator_l2 with password = '123' +go + +ALTER LOGIN dbcreator_l2 disable; +go + +ALTER LOGIN dbcreator_l2 enable; +go + +ALTER LOGIN no_dbcreator_login1 with default_database=dbcreator_db1; +go + +-- drop login permission denied +drop login no_dbcreator_login1 +go + +-- grant database permissions (only connect is supported) +-- should give permission denied +REVOKE CONNECT FROM no_dbcreator_user1 +go + +GRANT CONNECT TO no_dbcreator_user1 +go + +-- dbcreator login's mapped user should not have any priv +select current_user, db_name() +go + +select suser_name() +go + +-- create objects/user permission denied +create user dbcreator_l2 +go + +create role dbcreator_role1 +go + +create schema perm_denied_scm +go + +create view perm_denied_v1 as select 1; +go + +create table perm_denied_tb1 (a int); +go + +select 1 into perm_denied_tb2; +go + +create function perm_denied_func1() returns int as begin return 1 end; +go + +create procedure perm_denied_proc1 as begin select 1; end +go + +create type perm_denied_typ1 from int; +go + +create index perm_denied_index1 on dbcreator_tb1(a); +go + +CREATE FUNCTION perm_denied_func1() RETURNS TABLE AS RETURN ( SELECT 1 AS Value); +go + +-- DMLS on object permission denied +Alter user no_dbcreator_user1 with DEFAULT_SCHEMA=dbcreator_scm1 +go + +Alter role dbcreator_rol add member no_dbcreator_user1 +go + +Alter role dbcreator_rol drop member no_dbcreator_user1 +go + +Alter table dbcreator_tb1 add b int +go + +Insert into dbcreator_tb1 values (1) +go + +UPDATE dbcreator_tb1 SET a = 2 where a = 1; +go + +DELETE FROM dbcreator_tb1 WHERE a = 1; +go + +TRUNCATE TABLE dbcreator_tb1; +go + +select * from dbcreator_tb1 +go + +select * from dbcreator_v1 +go + +select dbcreator_func1() +go + +exec dbcreator_proc1 +go + +Enable trigger dbcreator_tggr1 on dbcreator_tb1 +go + +Disable trigger dbcreator_tggr1 on dbcreator_tb1 +go + +-- grant on objects permission denied +Grant select on dbcreator_tb1 to no_dbcreator_user1 +go + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go + +Grant update on dbcreator_v1 to no_dbcreator_user1 +go + +Grant exec on dbcreator_func1 to no_dbcreator_user1 +go + +Grant exec on dbcreator_proc1 to no_dbcreator_user1 +go + +-- Revoke on objects permission denied +Revoke select on dbcreator_tb1 from no_dbcreator_user1 +go + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go + +Revoke update on dbcreator_v1 from no_dbcreator_user1 +go + +Revoke exec on dbcreator_func1 from no_dbcreator_user1 +go + +Revoke exec on dbcreator_proc1 from no_dbcreator_user1 +go + +-- grant on schema +-- permission denied +grant select on dbcreator_v1 to no_dbcreator_user1; +go +grant select on dbo.dbcreator_v1 to no_dbcreator_user1; +go +grant execute on dbcreator_proc1 to no_dbcreator_user1; +go +grant execute on dbo.dbcreator_proc1 to no_dbcreator_user1; +go + +-- revoke on schema +-- permission denied +revoke select on dbcreator_v1 from no_dbcreator_user1; +go +revoke select on dbo.dbcreator_v1 from no_dbcreator_user1; +go +revoke execute on dbcreator_proc1 from no_dbcreator_user1; +go +revoke execute on dbo.dbcreator_proc1 from no_dbcreator_user1; +go + +-- drop object permission denied +drop user dbcreator_l2 +go + +drop role dbcreator_rol +go + +drop schema dbcreator_scm1 +go + +drop view dbcreator_show_role_mem +go + +drop TRIGGER dbcreator_tggr1 +go + +drop table dbcreator_tb1 +go + +drop view dbcreator_v1 +go + +drop function dbcreator_func1() +go + +drop procedure dbcreator_proc1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- dbcreator login should not get mapped to dbo if no user exist, it should disconnect + +-- tsql database=dbcreator_db1 +drop user dbcreator_user1 +go + +-- terminate-tsql-conn database=dbcreator_db1 + +-- it should disconnect +-- tsql user=dbcreator_login1 password=123 +use dbcreator_db1 +go + +-- terminate-tsql-conn user=dbcreator_login1 password=123 + +-- Case 3 - check unintended/unauthorized use of dbcreator +-- tsql +drop role dummy_role +go + +CREATE LOGIN dbcreator_restrict_new_login WITH password = '12345678'; +go + +ALTER SERVER ROLE sysadmin ADD MEMBER dbcreator_restrict_new_login; +GO + +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go + +-- terminate-tsql-conn + +-- tsql user=dbcreator_restrict_new_login password=12345678 +select * from dbcreator_show_role_mem where MemberPrincipalName like 'jdbc_user' or MemberPrincipalName like '%dbcreator_%' +go + +select current_user, db_name() +go + +CREATE ROLE dbcreator_restrictions_role; +GO + +-- a tsql login should not be able to drop dbcreator explicitly from tsql port +-- should be denied +ALTER ROLE dbcreator_restrictions_role ADD MEMBER dbcreator; +GO + +DROP LOGIN dbcreator; +GO + +DROP ROLE dbcreator_restrictions_role; +GO + +-- terminate-tsql-conn user=dbcreator_restrict_new_login password=12345678 + +-- psql user=dbcreator_restrict_new_login password=12345678 +-- a tsql login should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO + +GRANT sysadmin TO dbcreator +go + +GRANT dbcreator TO dbcreator +go + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO + +REVOKE dbcreator FROM master_dbo; +GO + +REVOKE master_dbo FROM dbcreator; +GO + +DROP ROLE dbcreator; +GO + +SET SESSION AUTHORIZATION dbcreator; +GO + +SET ROLE dbcreator; +GO + +-- psql +-- normal PG user +CREATE USER dbcreator_restrictions_pg_user WITH LOGIN CREATEROLE PASSWORD '12345678' inherit; +go + +-- psql user=dbcreator_restrictions_pg_user password=12345678 +-- a normal psql user should not be able to alter/grant/drop dbcreator from pg port +ALTER ROLE dbcreator NOCREATEDB; +GO + +-- Altering a role by an underprivileged login should be restricted +alter user dbcreator_restrict_new_login with password '123' +go + +ALTER ROLE dbcreator WITH PASSWORD '12345678'; +GO + +ALTER ROLE dbcreator VALID UNTIL 'infinity'; +GO + +ALTER ROLE dbcreator WITH CONNECTION LIMIT 1; +GO + +GRANT dbcreator TO dbcreator_restrict_new_login; +GO + +GRANT dbcreator_restrict_new_login TO dbcreator; +GO + +REVOKE dbcreator FROM master_dbo; +GO + +REVOKE sysadmin FROM dbcreator +go + +REVOKE dbcreator FROM dbcreator +go + +REVOKE master_dbo FROM dbcreator; +GO + +DROP ROLE dbcreator; +GO + +SET SESSION AUTHORIZATION dbcreator; +GO + +SET ROLE dbcreator; +GO + +-- psql +-- Need to terminate active session before cleaning up the login +SELECT pg_terminate_backend(pid) FROM pg_stat_get_activity(NULL) +WHERE sys.suser_name(usesysid) = 'dbcreator_restrict_new_login' AND backend_type = 'client backend' AND usesysid IS NOT NULL; +go + +DROP USER dbcreator_restrictions_pg_user; +GO + +-- Wait to sync with another session +SELECT pg_sleep(1); +GO + +-- tsql + +ALTER SERVER ROLE sysadmin drop MEMBER dbcreator_restrict_new_login; +GO + +DROP LOGIN dbcreator_restrict_new_login +GO \ No newline at end of file diff --git a/test/JDBC/input/securityadmin_role-vu-cleanup.mix b/test/JDBC/input/securityadmin_role-vu-cleanup.mix index 5523e86385..ffba6c7425 100644 --- a/test/JDBC/input/securityadmin_role-vu-cleanup.mix +++ b/test/JDBC/input/securityadmin_role-vu-cleanup.mix @@ -32,6 +32,9 @@ go drop TRIGGER securityadmin_tggr1 go +DROP TABLE sadm_sp_helpsrvrolemember_tbl +GO + drop table securityadmin_tb1 go diff --git a/test/JDBC/input/securityadmin_role-vu-prepare.mix b/test/JDBC/input/securityadmin_role-vu-prepare.mix index 6c901dbafa..01b88bc0ab 100644 --- a/test/JDBC/input/securityadmin_role-vu-prepare.mix +++ b/test/JDBC/input/securityadmin_role-vu-prepare.mix @@ -32,6 +32,11 @@ INNER JOIN sys.server_principals AS members ON server_role_members.member_principal_id = members.principal_id order by MemberPrincipalName; GO +CREATE TABLE sadm_sp_helpsrvrolemember_tbl (ServerRole sys.SYSNAME, + MemberName sys.SYSNAME, + MemberSID sys.VARBINARY(85)); +GO + create table securityadmin_tb1(a int) go diff --git a/test/JDBC/input/securityadmin_role-vu-verify.mix b/test/JDBC/input/securityadmin_role-vu-verify.mix index f121db6062..695a65ab8a 100644 --- a/test/JDBC/input/securityadmin_role-vu-verify.mix +++ b/test/JDBC/input/securityadmin_role-vu-verify.mix @@ -1,10 +1,26 @@ -- tsql +select is_srvrolemember('sysadmin', 'securityadmin') +go + +select is_srvrolemember('securityadmin', 'sysadmin') +go + alter login securityadmin_login1 with password='123' go alter login no_securityadmin_login1 with password='123' go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO + -- make login member of securityadmin Alter server role securityadmin add member securityadmin_login1 go @@ -375,6 +391,16 @@ go create user securityadmin_user1 for login securityadmin_login1 go +TRUNCATE TABLE sadm_sp_helpsrvrolemember_tbl +GO + +-- sp_helpsrvrolemember +INSERT INTO sadm_sp_helpsrvrolemember_tbl (ServerRole, MemberName, MemberSID) EXEC sp_helpsrvrolemember 'securityadmin' +GO + +SELECT ServerRole, MemberName, (CASE WHEN MemberSID IS NULL THEN 0 ELSE 1 END) FROM sadm_sp_helpsrvrolemember_tbl where MemberName like '%securityadmin%' +GO + -- terminate-tsql-conn -- tsql user=securityadmin_login1 password=123 diff --git a/test/JDBC/input/test_windows_login-vu-prepare.mix b/test/JDBC/input/test_windows_login-vu-prepare.mix index cfc5d8c6d9..94fcf8e5fd 100644 --- a/test/JDBC/input/test_windows_login-vu-prepare.mix +++ b/test/JDBC/input/test_windows_login-vu-prepare.mix @@ -1,4 +1,4 @@ --- sla 70000 +-- sla 80000 -- TODO: BABEL-5349 -- psql do @@ -8,6 +8,7 @@ $$ begin end if; end $$; GO +-- terminate-psql-conn -- tsql CREATE DATABASE ad_db; diff --git a/test/JDBC/upgrade/15_5/schedule b/test/JDBC/upgrade/15_5/schedule index 393fff1b11..16355c8887 100644 --- a/test/JDBC/upgrade/15_5/schedule +++ b/test/JDBC/upgrade/15_5/schedule @@ -534,6 +534,7 @@ cast-varchar-to-time db_accessadmin xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 securityadmin_role diff --git a/test/JDBC/upgrade/15_6/schedule b/test/JDBC/upgrade/15_6/schedule index 089cfa7286..2a5a258a33 100644 --- a/test/JDBC/upgrade/15_6/schedule +++ b/test/JDBC/upgrade/15_6/schedule @@ -550,6 +550,7 @@ cast-varchar-to-time db_accessadmin xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 securityadmin_role diff --git a/test/JDBC/upgrade/15_7/schedule b/test/JDBC/upgrade/15_7/schedule index 1e54a202a1..afd49a7e87 100644 --- a/test/JDBC/upgrade/15_7/schedule +++ b/test/JDBC/upgrade/15_7/schedule @@ -558,6 +558,7 @@ db_accessadmin xml_exist-before-16_5 GRANT_SCHEMA-before-15_9-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 securityadmin_role diff --git a/test/JDBC/upgrade/15_8/schedule b/test/JDBC/upgrade/15_8/schedule index 64b8d162bc..cb65169e09 100644 --- a/test/JDBC/upgrade/15_8/schedule +++ b/test/JDBC/upgrade/15_8/schedule @@ -549,6 +549,7 @@ db_accessadmin xml_exist-before-16_5 GRANT_SCHEMA-before-15_9-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 securityadmin_role diff --git a/test/JDBC/upgrade/15_9/schedule b/test/JDBC/upgrade/15_9/schedule index 74109250c8..2eb61e62e8 100644 --- a/test/JDBC/upgrade/15_9/schedule +++ b/test/JDBC/upgrade/15_9/schedule @@ -548,6 +548,7 @@ securityadmin_role cast-varchar-to-time xml_exist-before-16_5 BABEL-5119_before_16_5 +dbcreator_role db_accessadmin BABEL-CASE_EXPR datareader_datawriter diff --git a/test/JDBC/upgrade/16_1/schedule b/test/JDBC/upgrade/16_1/schedule index 5a77e3b524..f8d7a8b205 100644 --- a/test/JDBC/upgrade/16_1/schedule +++ b/test/JDBC/upgrade/16_1/schedule @@ -542,6 +542,7 @@ BABEL-5059_before_16_5 cast-varchar-to-time db_accessadmin securityadmin_role +dbcreator_role xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 datareader_datawriter diff --git a/test/JDBC/upgrade/16_2/schedule b/test/JDBC/upgrade/16_2/schedule index 8f30759d29..182b93b730 100644 --- a/test/JDBC/upgrade/16_2/schedule +++ b/test/JDBC/upgrade/16_2/schedule @@ -555,6 +555,7 @@ replace-before-15_8-or-16_4 binary-datatype-operators BABEL-5059_before_16_5 cast-varchar-to-time +dbcreator_role db_accessadmin xml_exist-before-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 diff --git a/test/JDBC/upgrade/16_3/schedule b/test/JDBC/upgrade/16_3/schedule index 83480da701..cad9c66ecb 100644 --- a/test/JDBC/upgrade/16_3/schedule +++ b/test/JDBC/upgrade/16_3/schedule @@ -564,6 +564,7 @@ GRANT_SCHEMA-before-15_9-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 BABEL-5186 BABEL-2736-before-16_5 +dbcreator_role securityadmin_role datareader_datawriter BABEL-5186 diff --git a/test/JDBC/upgrade/16_4/schedule b/test/JDBC/upgrade/16_4/schedule index 80f42e57b6..2ff649328e 100644 --- a/test/JDBC/upgrade/16_4/schedule +++ b/test/JDBC/upgrade/16_4/schedule @@ -575,6 +575,7 @@ db_accessadmin GRANT_SCHEMA-before-15_9-16_5 BABEL-CASE_EXPR-before-16_5-or-15_9 charindex_replace_patindex +dbcreator_role BABEL-5186 BABEL-2736-before-16_5 securityadmin_role diff --git a/test/JDBC/upgrade/latest/schedule b/test/JDBC/upgrade/latest/schedule index e3befa5589..ce4e776c7f 100644 --- a/test/JDBC/upgrade/latest/schedule +++ b/test/JDBC/upgrade/latest/schedule @@ -579,6 +579,7 @@ cast-varchar-to-time xml_exist test_db_collation BABEL-5119 +dbcreator_role BABEL-5129 db_accessadmin BABEL-CASE_EXPR