diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index a6031fb4944..2f6ed0cde93 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -163,6 +163,7 @@ static void recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid
 Acl *new_acl);
 tsql_has_linked_srv_permissions_hook_type tsql_has_linked_srv_permissions_hook = NULL;
+bbf_execute_grantstmt_as_dbsecadmin_hook_type bbf_execute_grantstmt_as_dbsecadmin_hook = NULL;
 /*
 * If is_grant is true, adds the given privileges for the list of
@@ -1724,6 +1725,11 @@ ExecGrant_Attribute(InternalGrant *istmt, Oid relOid, const char *relname,
 pfree(merged_acl);
+ if (bbf_execute_grantstmt_as_dbsecadmin_hook)
+ {
+ (*bbf_execute_grantstmt_as_dbsecadmin_hook) (OBJECT_COLUMN, relOid, ownerId, col_privileges, &grantorId, &avail_goptions);
+ }
+
 /*
 * Restrict the privileges to what we can actually grant, and emit the
 * standards-mandated warning and error messages. Note: we don't track
@@ -2009,6 +2015,11 @@ ExecGrant_Relation(InternalGrant *istmt)
 break;
 }
+ if (bbf_execute_grantstmt_as_dbsecadmin_hook)
+ {
+ (*bbf_execute_grantstmt_as_dbsecadmin_hook) (objtype, relOid, ownerId, this_privileges, &grantorId, &avail_goptions);
+ }
+
 /*
 * Restrict the privileges to what we can actually grant, and emit
 * the standards-mandated warning and error messages.
@@ -2219,6 +2230,11 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs,
 old_acl, ownerId,
 &grantorId, &avail_goptions);
+ if (bbf_execute_grantstmt_as_dbsecadmin_hook)
+ {
+ (*bbf_execute_grantstmt_as_dbsecadmin_hook) (get_object_type(classid, objectid), objectid, ownerId, istmt->privileges, &grantorId, &avail_goptions);
+ }
+
 nameDatum = SysCacheGetAttrNotNull(cacheid, tuple,
 get_object_attnum_name(classid));
diff --git a/src/bin/pg_dump/dump_babel_utils.c b/src/bin/pg_dump/dump_babel_utils.c
index fc03489962e..a1f5529dd4d 100644
--- a/src/bin/pg_dump/dump_babel_utils.c
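Review bot: The three new call sites hand the hook `&grantorId` and `&avail_goptions` immediately after select_best_grantor has filled them and immediately before restrict_and_check_grant consumes them, so a hook can substitute both the grantor identity and the grant-option set that the subsequent check validates against, and none of ExecGrant_Attribute, ExecGrant_Relation or ExecGrant_common re-verifies that the substituted grantor actually holds those options. That trust boundary should be stated at each site, e.g. `/* Babelfish: hook may rewrite grantorId/avail_goptions for db_securityadmin; restrict_and_check_grant below trusts the result */`. As in upstream PostgreSQL these ExecGrant_* functions also serve REVOKE (istmt->is_grant), yet the hook receives neither istmt nor is_grant, so it cannot tell the two apart if that ever matters — presumably intended, but worth confirming. Each enclosing function starts and ends outside its hunk.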
+++ b/src/bin/pg_dump/dump_babel_utils.c
@@ -53,9 +53,15 @@ typedef enum {
 static babelfish_status bbf_status = NONE;
 static char *default_bbf_db_principals =
- "('master_dbo', 'master_db_owner', 'master_guest', 'master_db_accessadmin', 'master_db_datareader', 'master_db_datawriter', "
- "'msdb_dbo', 'msdb_db_owner', 'msdb_guest', 'msdb_db_accessadmin', 'msdb_db_datareader', 'msdb_db_datawriter', "
- "'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', 'tempdb_db_accessadmin', 'tempdb_db_datareader', 'tempdb_db_datawriter') ";
+ "('master_dbo', 'master_db_owner', 'master_guest', "
+ "'master_db_accessadmin', 'master_db_securityadmin', "
+ "'master_db_datareader', 'master_db_datawriter', "
+ "'msdb_dbo', 'msdb_db_owner', 'msdb_guest', "
+ "'msdb_db_accessadmin', 'msdb_db_securityadmin', "
+ "'msdb_db_datareader', 'msdb_db_datawriter', "
+ "'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', "
+ "'tempdb_db_accessadmin', 'tempdb_db_securityadmin', "
+ "'tempdb_db_datareader', 'tempdb_db_datawriter')" ;
@@ -1996,7 +2002,7 @@ dumpBabelPhysicalDatabaseACLs(Archive *fout)
 "\n SET LOCAL ROLE sysadmin;"
 "\n FOR rolname, original_name IN ("
 "\n SELECT a.rolname, a.orig_username FROM sys.babelfish_authid_user_ext a"
- "\n WHERE orig_username IN ('dbo','db_accessadmin') AND"
+ "\n WHERE orig_username IN ('dbo','db_accessadmin','db_securityadmin') AND"
 "\n database_name NOT IN ('master', 'tempdb', 'msdb')");
 if (bbf_db_name)
@@ -2007,7 +2013,7 @@ dumpBabelPhysicalDatabaseACLs(Archive *fout)
 "\n ) LOOP"
 "\n CASE WHEN original_name = 'dbo' THEN"
 "\n EXECUTE format('GRANT CREATE, CONNECT, TEMPORARY ON DATABASE \"%%s\" TO \"%%s\"; ', CURRENT_DATABASE(), rolname);"
- "\n WHEN original_name = 'db_accessadmin' THEN"
+ "\n WHEN original_name IN ('db_securityadmin','db_accessadmin') THEN"
 "\n EXECUTE format('GRANT CREATE ON DATABASE \"%%s\" TO \"%%s\"; ', CURRENT_DATABASE(), rolname);"
 "\n END CASE;"
 "\n END LOOP;"
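Review bot: The new `WHEN original_name IN ('db_securityadmin','db_accessadmin')` branch in the @@ -2007 hunk makes the restore script issue `GRANT CREATE ON DATABASE` to every db_securityadmin user, which in PostgreSQL terms permits schema creation; if the engine does not issue that same grant when it creates the role, a dump/restore cycle leaves db_securityadmin with more than it had on the source, so the two paths should be confirmed to agree. In the @@ -53 hunk the rewritten default_bbf_db_principals literal also drops the trailing space the old value carried after `)`; that is harmless if the value is substituted through a `%s` in a format string, but worth checking against the consumer (outside this hunk) in case it is concatenated directly into the query text. dumpBabelPhysicalDatabaseACLs starts and ends outside both hunks.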
diff --git a/src/bin/pg_dump/dumpall_babel_utils.c b/src/bin/pg_dump/dumpall_babel_utils.c
index bafaca1d102..e0f320a1173 100644
--- a/src/bin/pg_dump/dumpall_babel_utils.c
+++ b/src/bin/pg_dump/dumpall_babel_utils.c
@@ -36,9 +36,15 @@ typedef enum {
 static babelfish_status bbf_status = NONE;
 static char default_bbf_roles[] = "('sysadmin', 'bbf_role_admin', 'securityadmin', 'dbcreator', "
- "'master_dbo', 'master_db_owner', 'master_guest', 'master_db_accessadmin', 'master_db_datareader', 'master_db_datawriter', "
- "'msdb_dbo', 'msdb_db_owner', 'msdb_guest', 'msdb_db_accessadmin', 'msdb_db_datareader', 'msdb_db_datawriter', "
- "'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', 'tempdb_db_accessadmin', 'tempdb_db_datareader', 'tempdb_db_datawriter')";
+ "'master_dbo', 'master_db_owner', 'master_guest', "
+ "'master_db_accessadmin', 'master_db_securityadmin', "
+ "'master_db_datareader', 'master_db_datawriter', "
+ "'msdb_dbo', 'msdb_db_owner', 'msdb_guest', "
+ "'msdb_db_accessadmin', 'msdb_db_securityadmin', "
+ "'msdb_db_datareader', 'msdb_db_datawriter', "
+ "'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', "
+ "'tempdb_db_accessadmin', 'tempdb_db_securityadmin', "
+ "'tempdb_db_datareader', 'tempdb_db_datawriter')" ;
 /*
 * Run a query, return the results, exit program on failure.
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index ecb8d1cffc4..a8781df3c04 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -35,6 +35,7 @@
 #include "access/htup.h"
 #include "nodes/parsenodes.h"
 #include "parser/parse_node.h"
+#include "utils/aclchk_internal.h"
 #include "utils/snapshot.h"
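Review bot: The nine added lines of default_bbf_roles are a verbatim copy of the nine added to default_bbf_db_principals in dump_babel_utils.c in this same commit, and both lists had to be edited in lockstep to introduce the three *_db_securityadmin names; a single shared definition in a header both pg_dump and pg_dumpall include would remove the chance that the next fixed role lands in one list but not the other. Minor style point: the closing `')" ;` puts a space before the semicolon, which the neighbouring `static babelfish_status bbf_status = NONE;` does not.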
@@ -284,4 +285,7 @@ extern PGDLLEXPORT bbf_get_sysadmin_oid_hook_type bbf_get_sysadmin_oid_hook;
 typedef Oid (*get_bbf_admin_oid_hook_type) (void);
 extern PGDLLEXPORT get_bbf_admin_oid_hook_type get_bbf_admin_oid_hook;
+typedef void (*bbf_execute_grantstmt_as_dbsecadmin_hook_type) (ObjectType objType, Oid objId, Oid ownerId, AclMode privileges, Oid *grantorId, AclMode *grantOptions);
+extern PGDLLEXPORT bbf_execute_grantstmt_as_dbsecadmin_hook_type bbf_execute_grantstmt_as_dbsecadmin_hook;
+
 #endif /* ACL_H */
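Review bot: The new hook typedef carries no comment saying what an implementation may do with `grantorId` and `grantOptions`, which are in/out pointers that aclchk.c fills from select_best_grantor before the call and then passes straight on to restrict_and_check_grant; a comment above the typedef such as `/* Called by ExecGrant_* after select_best_grantor; may replace *grantorId and *grantOptions, which restrict_and_check_grant then trusts */` would make that contract explicit to anyone writing a hook. The `#include "utils/aclchk_internal.h"` added in the @@ -35 hunk is not needed by this typedef (ObjectType and AclMode are already in scope here), and acl.h is a widely included header, so unless a declaration outside these hunks uses InternalGrant the include looks unnecessary and could be dropped.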