Support fixed database role db_ddladmin (#71)

Support fixed database role db_ddladmin

Engine PR : amazon-aurora/postgresql_modified_for_babelfish#101

Task : BABEL-5116

Signed-off-by: Tanzeel Khan [email protected]
Co-authored-by: Harsh Lunagaria [email protected]

.github/workflows/jdbc-tests-db-collation.yml

@@ -1,5 +1,5 @@
 name: JDBC Tests DB COLLATION
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-jdbc-tests:

.github/workflows/jdbc-tests-single-db-mode.yml

@@ -1,5 +1,5 @@
 name: JDBC Tests With Single-DB Migration Mode
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-jdbc-tests:

.github/workflows/jdbc-tests-with-non-default-server-collation.yml

@@ -1,5 +1,5 @@
 name: JDBC Tests with Non Default Server Collation
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-jdbc-tests:

.github/workflows/jdbc-tests-with-parallel-query.yml

@@ -1,5 +1,5 @@
 name: JDBC Tests With Parallel Query
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-jdbc-tests-with-parallel-query-mode:

.github/workflows/major-version-upgrade.yml

@@ -1,5 +1,5 @@
 name: Major Version Upgrade Tests for empty database
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-mvu-tests:

.github/workflows/minor-version-upgrade.yml

@@ -1,5 +1,5 @@
 name: Minor Version Upgrade Tests for empty database
-on: []
+on: [pull_request]
 
 jobs:
   extension-tests:

.github/workflows/pg_dump-restore-test.yml

@@ -1,5 +1,5 @@
 name: pg_dump/restore Test Framework
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   generate-dump-restore-tests:

.github/workflows/pr-code-coverage.yml

@@ -1,5 +1,5 @@
 name: Tests
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
 

.github/workflows/singledb-version-upgrade.yml

@@ -1,5 +1,5 @@
 name: Major Version Upgrade Tests for singledb mode
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-mvu-tests-singledb:

.github/workflows/sql-validation-tests.yml

@@ -1,5 +1,5 @@
 name: Validate Installation/Upgrade Scripts
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-sql-validation-tests:

.github/workflows/static-code-analyzer.yml

@@ -1,5 +1,5 @@
 name: Static Code Analyzer
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-static-code-analyzer:

.github/workflows/tap-tests.yml

@@ -1,5 +1,5 @@
 name: TAP Tests
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-tap-tests:

.github/workflows/unit-tests.yml

@@ -1,5 +1,5 @@
 name: Unit Tests
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   run-babelfish-unit-tests:

.github/workflows/upgrade-test.yml

@@ -1,5 +1,5 @@
 name: Version Upgrade Test Framework
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   generate-version-upgrade-tests:

contrib/babelfishpg_tsql/sql/babelfishpg_tsql.sql

@@ -2122,7 +2122,7 @@ BEGIN
 		LEFT OUTER JOIN pg_catalog.pg_roles AS Base4 ON Base4.rolname = Bsdb.owner
 		WHERE Ext1.database_name = DB_NAME()
 		AND (Ext1.type != 'R' OR Ext1.type != 'A')
-		AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter')
+		AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'db_ddladmin')
 		ORDER BY UserName, RoleName;
 	END
 	-- If the security account is the db fixed role - db_owner
@@ -2154,7 +2154,7 @@ BEGIN
 		WHERE Ext1.database_name = DB_NAME()
 		AND Ext2.database_name = DB_NAME()
 		AND Ext1.type = 'R'
-		AND Ext2.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter')
+		AND Ext2.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'db_ddladmin')
 		AND (Ext1.orig_username = @name_in_db OR pg_catalog.lower(Ext1.orig_username) = pg_catalog.lower(@name_in_db))
 		ORDER BY Role_name, Users_in_role;
 	END
@@ -2192,7 +2192,7 @@ BEGIN
 		LEFT OUTER JOIN pg_catalog.pg_roles AS Base4 ON Base4.rolname = Bsdb.owner
 		WHERE Ext1.database_name = DB_NAME()
 		AND (Ext1.type != 'R' OR Ext1.type != 'A')
-		AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter')
+		AND Ext1.orig_username NOT IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'db_ddladmin')
 		AND (Ext1.orig_username = @name_in_db OR pg_catalog.lower(Ext1.orig_username) = pg_catalog.lower(@name_in_db))
 		ORDER BY UserName, RoleName;
 	END
@@ -2352,19 +2352,19 @@ CREATE OR REPLACE PROCEDURE sys.sp_helpdbfixedrole("@rolename" sys.SYSNAME = NUL
 $$
 BEGIN
 	-- Returns a list of the fixed database roles. 
-	IF LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) IN ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_datareader', 'db_datawriter')
+	IF LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) IN ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_datareader', 'db_datawriter', 'db_ddladmin')
 	BEGIN
 		SELECT CAST(DbFixedRole as sys.SYSNAME) AS DbFixedRole, CAST(Description AS sys.nvarchar(70)) AS Description FROM (
 			VALUES ('db_owner', 'DB Owners'),
 			('db_accessadmin', 'DB Access Administrators'),
 			('db_securityadmin', 'DB Security Administrators'),
 			('db_datareader', 'DB Data Reader'),
-			('db_datawriter', 'DB Data Writer')) x(DbFixedRole, Description)
+			('db_datawriter', 'DB Data Writer'),
+			('db_ddladmin', 'DB DDL Administrators')) x(DbFixedRole, Description)
 			WHERE LOWER(RTRIM(@rolename)) IS NULL OR LOWER(RTRIM(@rolename)) = DbFixedRole;
 	END
 	ELSE IF LOWER(RTRIM(@rolename)) IN (
-			'db_ddladmin', 'db_backupoperator',
-			'db_denydatareader', 'db_denydatawriter')
+			'db_backupoperator', 'db_denydatareader', 'db_denydatawriter')
 	BEGIN
 		-- Return an empty result set instead of raising an error
 		SELECT CAST(NULL AS sys.SYSNAME) AS DbFixedRole, CAST(NULL AS sys.nvarchar(70)) AS Description
@@ -3017,6 +3017,22 @@ BEGIN
 					WHERE s1.name = @schemaname AND o1.name = @subname;
 					SELECT @count = COUNT(*) FROM #tempTable;
 
+					IF @count < 1
+						BEGIN
+							-- sys.objects does not show routines which current user cannot execute but
+							-- roles like db_ddladmin allow renaming a procedure even though they cannot
+							-- execute it, so search again in pg_proc if count is zero
+							DROP TABLE #tempTable;
+							SELECT CAST(CASE 
+											WHEN p.prokind = 'p' THEN 'P'
+											WHEN p.prokind = 'a' THEN 'AF'
+											WHEN format_type(p.prorettype, NULL) = 'trigger' THEN 'TR'
+											ELSE 'FN'
+										END as sys.bpchar(2)) AS type INTO #tempTable
+							FROM pg_proc p INNER JOIN sys.schemas s1 ON p.pronamespace = s1.schema_id
+							WHERE s1.name = @schemaname AND CAST(p.proname AS sys.sysname) = @subname;
+							SELECT @count = COUNT(*) FROM #tempTable;
+						END
 					IF @count > 1
 						BEGIN
 							THROW 33557097, N'There are multiple objects with the given @objname.', 1;

contrib/babelfishpg_tsql/sql/ownership.sql

@@ -262,13 +262,13 @@ DECLARE
 	reserved_roles varchar[] := ARRAY['sysadmin', 'securityadmin', 'dbcreator',
 									  'master_dbo', 'master_guest', 'master_db_owner',
 									  'master_db_accessadmin', 'master_db_securityadmin',
-									  'master_db_datareader', 'master_db_datawriter',
+									  'master_db_datareader', 'master_db_datawriter', 'master_db_ddladmin',
 									  'tempdb_dbo', 'tempdb_guest', 'tempdb_db_owner', 
 									  'tempdb_db_accessadmin', 'tempdb_db_securityadmin',
-									  'tempdb_db_datareader', 'tempdb_db_datawriter',
+									  'tempdb_db_datareader', 'tempdb_db_datawriter', 'tempdb_db_ddladmin',
 									  'msdb_dbo', 'msdb_guest', 'msdb_db_owner',
 									  'msdb_db_accessadmin', 'msdb_db_securityadmin',
-									  'msdb_db_datareader', 'msdb_db_datawriter'];
+									  'msdb_db_datareader', 'msdb_db_datawriter', 'msdb_db_ddladmin'];
 	user_id  oid := -1;
 	db_name  name := NULL;
 	role_name varchar;
@@ -297,7 +297,7 @@ BEGIN
 	EXECUTE format('CREATE ROLE securityadmin CREATEROLE INHERIT PASSWORD NULL');
 	EXECUTE format('CREATE ROLE dbcreator CREATEDB INHERIT PASSWORD NULL');
 	EXECUTE format('CREATE ROLE bbf_role_admin CREATEDB CREATEROLE INHERIT PASSWORD NULL');
-	EXECUTE format('GRANT CREATE ON DATABASE %s TO bbf_role_admin WITH GRANT OPTION', CURRENT_DATABASE());
+	EXECUTE format('GRANT CREATE ON DATABASE %s TO bbf_role_admin', CURRENT_DATABASE());
 	EXECUTE format('GRANT %I to bbf_role_admin WITH ADMIN TRUE;', sa_name);
 	EXECUTE format('CREATE ROLE sysadmin CREATEDB CREATEROLE INHERIT ROLE %I', sa_name);
 	EXECUTE format('GRANT sysadmin TO bbf_role_admin WITH ADMIN TRUE');
@@ -470,7 +470,7 @@ ON Base.rolname = Ext.rolname
 LEFT OUTER JOIN pg_catalog.pg_roles Base2
 ON Ext.login_name = Base2.rolname
 WHERE Ext.database_name = DB_NAME()
-  AND (Ext.orig_username IN ('dbo', 'db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'guest') -- system users should always be visible
+  AND (Ext.orig_username IN ('dbo', 'db_owner', 'db_securityadmin', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'db_ddladmin', 'guest') -- system users should always be visible
   OR pg_has_role(Ext.rolname, 'MEMBER')) -- Current user should be able to see users it has permission of
 UNION ALL
 SELECT

contrib/babelfishpg_tsql/sql/sys_functions.sql

@@ -4501,7 +4501,7 @@ BEGIN
         END IF;
     ELSIF EXISTS (SELECT orig_username FROM sys.babelfish_authid_user_ext WHERE orig_username = role COLLATE sys.database_default)
     THEN
-        IF (((SELECT orig_username FROM sys.babelfish_authid_user_ext WHERE rolname = CURRENT_USER) = 'dbo' COLLATE sys.database_default) AND role COLLATE sys.database_default IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter'))
+        IF (((SELECT orig_username FROM sys.babelfish_authid_user_ext WHERE rolname = CURRENT_USER) = 'dbo' COLLATE sys.database_default) AND role COLLATE sys.database_default IN ('db_owner', 'db_accessadmin', 'db_datareader', 'db_datawriter', 'db_ddladmin'))
         THEN RETURN 1;
         ELSIF EXISTS (SELECT name FROM sys.user_token WHERE name = role COLLATE sys.database_default)
         THEN RETURN 1; -- Return 1 if current session user is a member of role or windows group