Restrict DROP USER/ROLE from non-dbo user #2859
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: ANJU BHARTI <[email protected]>
Pull Request Test Coverage Report for Build 10453221297Details
💛 - Coveralls |
Comment on lines
3440
to
3443
| if (!has_privs_of_role(GetUserId(),get_role_oid(db_owner_name, false))) | ||
| ereport(ERROR, | ||
| (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), | ||
| errmsg("User does not have permission to perform this action."))); |
There was a problem hiding this comment.
Is this aligning with ideal T-SQL behaviour? Error msg is matching?
|
|
||
| /* must be database owner to drop user/role*/ | ||
| db_owner_name = get_db_owner_name(get_cur_db_name()); | ||
| if (!has_privs_of_role(GetUserId(),get_role_oid(db_owner_name, false))) |
There was a problem hiding this comment.
nit: ...(GetUserId(),<WHITESPACE> get_role_oid...
|
|
||
| /* must be database owner to drop user/role*/ | ||
| db_owner_name = get_db_owner_name(get_cur_db_name()); | ||
| if (!has_privs_of_role(GetUserId(),get_role_oid(db_owner_name, false))) |
There was a problem hiding this comment.
Why has_privs_of_role , not is_member_of_role?
There was a problem hiding this comment.
Because this is what we are checking when creating the role/user.
Deepesh125
requested changes
Aug 15, 2024
Deepesh125
previously approved these changes
Aug 15, 2024
anju15bharti
force-pushed
the
jira-BABEL-5173
branch
from
ba94f77 to
1734382
Compare
Signed-off-by: ANJU BHARTI <[email protected]>
anju15bharti
force-pushed
the
jira-BABEL-5173
branch
from
1734382 to
ec5d2b5
Compare
added 2 commits
August 16, 2024 03:24
Signed-off-by: ANJU BHARTI <[email protected]>
anju15bharti
force-pushed
the
jira-BABEL-5173
branch
from
63ee771 to
7c1b926
Compare
Signed-off-by: ANJU BHARTI <[email protected]>
anju15bharti
force-pushed
the
jira-BABEL-5173
branch
from
7c1b926 to
675f72e
Compare
Comment on lines
3306
to
3307
| if ((drop_user && strncmp(logical_role_name, "dbo", rolename_len) == 0) || | ||
| (drop_role && strncmp(logical_role_name, "db_owner", rolename_len) == 0)) |
There was a problem hiding this comment.
What if this check is run against user name d or db_o or db_ow etc.? We need to have the length comparison before using strncmp().
There was a problem hiding this comment.
Please add such testcases.
| const char *db_owner_name; | ||
| int role_oid; | ||
| int rolename_len; | ||
| char *logical_role_name = NULL; |
There was a problem hiding this comment.
logical_role_name is not needed IMO. Let's use rolespec->rolename only.
Signed-off-by: ANJU BHARTI <[email protected]>
HarshLunagariya
approved these changes
Aug 16, 2024
| @@ -3285,15 +3285,44 @@ bbf_ProcessUtility(PlannedStmt *pstmt, | |||
| { | |||
| RoleSpec *rolspec = lfirst(item); | |||
| char *user_name; | |||
| char *db_principal; | |||
There was a problem hiding this comment.
We should pfree db_principal. db_owner_name is a const char*, it can't be freed.
There was a problem hiding this comment.
We should not pfree db_principal as it is pointing to string literal.
There was a problem hiding this comment.
it is it pointing to string literal then make it const char * here itself.
const char * db_principal = drop_user ? "user" : "role"
There was a problem hiding this comment.
Why do we need separate test files? Let's reuse some existing test files. IIRC we should avoid creating new test files wherever possible.
There was a problem hiding this comment.
We don’t have any such testfile for this usecase hence created one for this usecase testing.
There was a problem hiding this comment.
I meant wherever we have tests for restricting create login/user, we can use that file.
There was a problem hiding this comment.
please add some tests which involves if exists, for example, drop user if exists username
Deepesh125
requested changes
Aug 19, 2024
|
|
||
| user_name = get_physical_user_name(db_name, rolspec->rolename, false); | ||
| db_owner_name = get_db_owner_name(get_cur_db_name()); |
There was a problem hiding this comment.
Nit: simply use db_name instead of get_cur_db_name
|
|
||
| user_name = get_physical_user_name(db_name, rolspec->rolename, false); | ||
| db_owner_name = get_db_owner_name(get_cur_db_name()); | ||
| role_oid = get_role_oid(user_name, true); |
There was a problem hiding this comment.
For if exist case which is already present in some testfiles
| @@ -3285,15 +3285,44 @@ bbf_ProcessUtility(PlannedStmt *pstmt, | |||
| { | |||
| RoleSpec *rolspec = lfirst(item); | |||
| char *user_name; | |||
| char *db_principal; | |||
There was a problem hiding this comment.
it is it pointing to string literal then make it const char * here itself.
const char * db_principal = drop_user ? "user" : "role"
There was a problem hiding this comment.
please add some tests which involves if exists, for example, drop user if exists username
Signed-off-by: Harsh Lunagariya <[email protected]>
Deepesh125
requested changes
Aug 19, 2024
|
|
||
| user_name = get_physical_user_name(db_name, rolspec->rolename, false); | ||
| db_owner_name = get_db_owner_name(db_name); |
There was a problem hiding this comment.
we should check whether user_name is valid T-SQL role or login.
Signed-off-by: Harsh Lunagariya <[email protected]>
Deepesh125
approved these changes
Aug 19, 2024
|
Deepesh125
merged commit a66de39
into
babelfish-for-postgresql:BABEL_4_X_DEV
44 checks passed
shalinilohia50
pushed a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 20, 2024
) Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]> Co-authored-by: Harsh Lunagariya <[email protected]> Signed-off-by: Harsh Lunagariya <[email protected]>
shalinilohia50
pushed a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 20, 2024
) Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]> Co-authored-by: Harsh Lunagariya <[email protected]> Signed-off-by: Harsh Lunagariya <[email protected]>
shardgupta
pushed a commit
that referenced
this pull request
Aug 20, 2024
Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
shardgupta
pushed a commit
that referenced
this pull request
Aug 20, 2024
Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
anju15bharti
added a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 20, 2024
) Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]> Co-authored-by: Harsh Lunagariya <[email protected]> Signed-off-by: Harsh Lunagariya <[email protected]>
sharathbp
pushed a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 20, 2024
) Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]> Co-authored-by: Harsh Lunagariya <[email protected]> Signed-off-by: Harsh Lunagariya <[email protected]>
anju15bharti
added a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 26, 2024
) Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]> Co-authored-by: Harsh Lunagariya <[email protected]> Signed-off-by: Harsh Lunagariya <[email protected]>
anju15bharti
added a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 26, 2024
) Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]> Co-authored-by: Harsh Lunagariya <[email protected]> Signed-off-by: Harsh Lunagariya <[email protected]>
anju15bharti
pushed a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 26, 2024
) (babelfish-for-postgresql#2864) Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
anju15bharti
pushed a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 26, 2024
) (babelfish-for-postgresql#2864) Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
anju15bharti
pushed a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 26, 2024
) (babelfish-for-postgresql#2865) Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
anju15bharti
pushed a commit
to amazon-aurora/babelfish_extensions
that referenced
this pull request
Aug 26, 2024
) (babelfish-for-postgresql#2865) Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
This was referenced Aug 26, 2024
shardgupta
pushed a commit
that referenced
this pull request
Aug 26, 2024
Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]>
shardgupta
pushed a commit
that referenced
this pull request
Aug 26, 2024
Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]>
shardgupta
pushed a commit
that referenced
this pull request
Aug 26, 2024
Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not. With this commit, Only dbo and members of db_owner will have the permission to drop user/role. Additionally, this restricts dropping internal database principal such as dbo and db_owner, it restricts dropping non-Babelfish roles from TDS endpoint. Task: BABEL-5173 Authored-by: ANJU BHARTI <[email protected]>
shardgupta
pushed a commit
that referenced
this pull request
Aug 26, 2024
Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
staticlibs
pushed a commit
to wiltondb/babelfish_extensions
that referenced
this pull request
Oct 20, 2024
) (babelfish-for-postgresql#2864) Earlier, a user was able to drop user/role that belonged to another database. With this commit, a user can only drop the role/user that belongs to the same database with sufficient privileges. Issues Resolved Task: BABEL-5173 Signed-off-by: Shalini Lohia [email protected]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Earlier, any user was able to drop user/role, irrespective of whether that user has required privileges or not.
With this commit, only dbo should have the permission to drop user/role.
Issues Resolved
BABEL-5173
Test Scenarios Covered
Use case based -
Boundary conditions -
Arbitrary inputs -
Negative test cases -
Minor version upgrade tests -
Major version upgrade tests -
Performance tests -
Tooling impact -
Client tests -
Check List
By submitting this pull request, I confirm that my contribution is under the terms of the Apache 2.0 and PostgreSQL licenses, and grant any person obtaining a copy of the contribution permission to relicense all or a portion of my contribution to the PostgreSQL License solely to contribute all or a portion of my contribution to the PostgreSQL open source project.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.