Support db_securityadmin

src/backend/catalog/aclchk.c

@@ -161,6 +161,7 @@ static void recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid
 										  Acl *new_acl);
 
 tsql_has_linked_srv_permissions_hook_type tsql_has_linked_srv_permissions_hook = NULL;
+bbf_execute_grantstmt_as_dbsecadmin_hook_type bbf_execute_grantstmt_as_dbsecadmin_hook = NULL;
 
 /*
  * If is_grant is true, adds the given privileges for the list of
@@ -1722,6 +1723,11 @@ ExecGrant_Attribute(InternalGrant *istmt, Oid relOid, const char *relname,
 
 	pfree(merged_acl);
 
+	if (bbf_execute_grantstmt_as_dbsecadmin_hook)
+	{
+		(*bbf_execute_grantstmt_as_dbsecadmin_hook) (OBJECT_COLUMN, relOid, ownerId, col_privileges, &grantorId, &avail_goptions);
+	}
+
 	/*
 	 * Restrict the privileges to what we can actually grant, and emit the
 	 * standards-mandated warning and error messages.  Note: we don't track
@@ -2003,6 +2009,11 @@ ExecGrant_Relation(InternalGrant *istmt)
 					break;
 			}
 
+			if (bbf_execute_grantstmt_as_dbsecadmin_hook)
+			{
+				(*bbf_execute_grantstmt_as_dbsecadmin_hook) (objtype, relOid, ownerId, this_privileges, &grantorId, &avail_goptions);
+			}
+
 			/*
 			 * Restrict the privileges to what we can actually grant, and emit
 			 * the standards-mandated warning and error messages.
@@ -2205,6 +2216,11 @@ ExecGrant_common(InternalGrant *istmt, Oid classid, AclMode default_privs,
 							old_acl, ownerId,
 							&grantorId, &avail_goptions);
 
+		if (bbf_execute_grantstmt_as_dbsecadmin_hook)
+		{
+			(*bbf_execute_grantstmt_as_dbsecadmin_hook) (get_object_type(classid, objectid), objectid, ownerId, istmt->privileges, &grantorId, &avail_goptions);
+		}
+
 		nameDatum = SysCacheGetAttrNotNull(cacheid, tuple,
 										   get_object_attnum_name(classid));
 

src/bin/pg_dump/dump_babel_utils.c

@@ -53,9 +53,15 @@ typedef enum {
 static babelfish_status bbf_status = NONE;
 
 static char *default_bbf_db_principals =
-			"('master_dbo', 'master_db_owner', 'master_guest', 'master_db_accessadmin', 'master_db_datareader', 'master_db_datawriter', "
-			"'msdb_dbo', 'msdb_db_owner', 'msdb_guest', 'msdb_db_accessadmin', 'msdb_db_datareader', 'msdb_db_datawriter', "
-			"'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', 'tempdb_db_accessadmin', 'tempdb_db_datareader', 'tempdb_db_datawriter') ";
+			"('master_dbo', 'master_db_owner', 'master_guest', "
+			"'master_db_accessadmin', 'master_db_securityadmin', "
+			"'master_db_datareader', 'master_db_datawriter', "
+			"'msdb_dbo', 'msdb_db_owner', 'msdb_guest', "
+			"'msdb_db_accessadmin', 'msdb_db_securityadmin', "
+			"'msdb_db_datareader', 'msdb_db_datawriter', "
+			"'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', "
+			"'tempdb_db_accessadmin', 'tempdb_db_securityadmin', "
+			"'tempdb_db_datareader', 'tempdb_db_datawriter')" ;
 
 
 
@@ -1996,7 +2002,7 @@ dumpBabelPhysicalDatabaseACLs(Archive *fout)
 					"\n	SET LOCAL ROLE sysadmin;"
 					"\n	FOR rolname, original_name IN ("
 					"\n		SELECT a.rolname, a.orig_username FROM sys.babelfish_authid_user_ext a"
-					"\n			WHERE orig_username IN ('dbo','db_accessadmin') AND"
+					"\n			WHERE orig_username IN ('dbo','db_accessadmin','db_securityadmin') AND"
 					"\n			database_name NOT IN ('master', 'tempdb', 'msdb')");
 
 	if (bbf_db_name)
@@ -2007,7 +2013,7 @@ dumpBabelPhysicalDatabaseACLs(Archive *fout)
 					"\n	) LOOP"
 					"\n		CASE WHEN original_name = 'dbo' THEN"
 					"\n			EXECUTE format('GRANT CREATE, CONNECT, TEMPORARY ON DATABASE \"%%s\" TO \"%%s\"; ', CURRENT_DATABASE(), rolname);"
-					"\n		WHEN original_name = 'db_accessadmin' THEN"
+					"\n		WHEN original_name IN ('db_securityadmin','db_accessadmin') THEN"
 					"\n			EXECUTE format('GRANT CREATE ON DATABASE \"%%s\" TO \"%%s\"; ', CURRENT_DATABASE(), rolname);"
 					"\n		END CASE;"
 					"\n	END LOOP;"

src/bin/pg_dump/dumpall_babel_utils.c

@@ -36,9 +36,15 @@ typedef enum {
 static babelfish_status bbf_status = NONE;
 
 static char default_bbf_roles[] = "('sysadmin', 'bbf_role_admin', 'securityadmin', 'dbcreator', "
-								  "'master_dbo', 'master_db_owner', 'master_guest', 'master_db_accessadmin', 'master_db_datareader', 'master_db_datawriter', "
-								  "'msdb_dbo', 'msdb_db_owner', 'msdb_guest', 'msdb_db_accessadmin', 'msdb_db_datareader', 'msdb_db_datawriter', "
-								  "'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', 'tempdb_db_accessadmin', 'tempdb_db_datareader', 'tempdb_db_datawriter')";
+                                  "'master_dbo', 'master_db_owner', 'master_guest', "
+                                  "'master_db_accessadmin', 'master_db_securityadmin', "
+                                  "'master_db_datareader', 'master_db_datawriter', "
+                                  "'msdb_dbo', 'msdb_db_owner', 'msdb_guest', "
+                                  "'msdb_db_accessadmin', 'msdb_db_securityadmin', "
+                                  "'msdb_db_datareader', 'msdb_db_datawriter', "
+                                  "'tempdb_dbo', 'tempdb_db_owner', 'tempdb_guest', "
+                                  "'tempdb_db_accessadmin', 'tempdb_db_securityadmin', "
+                                  "'tempdb_db_datareader', 'tempdb_db_datawriter')" ;
 
 /*
  * Run a query, return the results, exit program on failure.

src/include/utils/acl.h

@@ -35,6 +35,7 @@
 #include "access/htup.h"
 #include "nodes/parsenodes.h"
 #include "parser/parse_node.h"
+#include "utils/aclchk_internal.h"
 #include "utils/snapshot.h"
 
 
@@ -284,4 +285,7 @@ extern PGDLLEXPORT bbf_get_sysadmin_oid_hook_type bbf_get_sysadmin_oid_hook;
 typedef Oid (*get_bbf_admin_oid_hook_type) (void);
 extern PGDLLEXPORT get_bbf_admin_oid_hook_type get_bbf_admin_oid_hook;
 
+typedef void (*bbf_execute_grantstmt_as_dbsecadmin_hook_type) (ObjectType objType, Oid objId, Oid ownerId, AclMode privileges, Oid *grantorId, AclMode *grantOptions);
+extern PGDLLEXPORT bbf_execute_grantstmt_as_dbsecadmin_hook_type bbf_execute_grantstmt_as_dbsecadmin_hook;
+
 #endif							/* ACL_H */