Dump physical database aclprivs for fixed database roles (#456)

We were not dumping the acls on physical database granted to fixed database roles of user defined databases in babelfish dump and restore. As a result after bbf dump CREATE SCHEMA. would fail we permission denied error. As a fix, dump a DO block which will run all the grant statements again for the fixed database roles for user defined logical databases. While running these grants we will switch to sysadmin because it has all the necessary permissions to grant and so that DROP DATABASE also works correctly. We internally switch to sysadmin when executing revoke commands during drop db commands, which would only work if grantor was also sysadmin. Engine PR : #456 Extension PR : babelfish-for-postgresql/babelfish_extensions#3003 Task: BABEL-5294 Signed-off-by: Tanzeel Khan <[email protected]>
babelfish-for-postgresql · Oct 3, 2024 · 4f6fa60 · 4f6fa60
1 parent 1cc5129
commit 4f6fa60
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/src/bin/pg_dump/dump_babel_utils.c b/src/bin/pg_dump/dump_babel_utils.c
@@ -1971,3 +1971,49 @@ dumpBabelfishConstrIndex(Archive *fout, const IndxInfo *indxinfo,
 	appendPQExpBuffer(delq, "DROP CONSTRAINT %s;\n",
 					  fmtId(constrinfo->dobj.name));
 }
+
+void
+dumpBabelPhysicalDatabaseACLs(Archive *fout)
+{
+	PQExpBuffer	query;
+
+	if (!isBabelfishDatabase(fout) || fout->dopt->binary_upgrade)
+		return;
+
+	query = createPQExpBuffer();
+
+	appendPQExpBuffer(query,
+					"DO $$"
+					"\nDECLARE"
+					"\n	rolname TEXT;"
+					"\n	original_name TEXT;"
+					"\nBEGIN"
+					"\n	SET LOCAL ROLE sysadmin;"
+					"\n	FOR rolname, original_name IN ("
+					"\n		SELECT a.rolname, a.orig_username FROM sys.babelfish_authid_user_ext a"
+					"\n			WHERE orig_username IN ('dbo') AND"
+					"\n			database_name NOT IN ('master', 'tempdb', 'msdb')");
+
+	if (bbf_db_name)
+		appendPQExpBuffer(query,
+					"\n			 AND database_name = '%s'", escaped_bbf_db_name);
+
+	appendPQExpBuffer(query,
+					"\n	) LOOP"
+					"\n		CASE WHEN original_name = 'dbo' THEN"
+					"\n			EXECUTE format('GRANT CREATE, CONNECT, TEMPORARY ON DATABASE \"%%s\" TO \"%%s\"; ', CURRENT_DATABASE(), rolname);"
+					"\n		END CASE;"
+					"\n	END LOOP;"
+					"\n	RESET ROLE;"
+					"\nEND$$;\n\n");
+
+	ArchiveEntry(fout, nilCatalogId, createDumpId(),
+				 ARCHIVE_OPTS(.tag = "BABELFISHDATABASEACLS",
+							  .description = "BABELFISHDATABASEACLS",
+							  .section = SECTION_POST_DATA,
+							  .createStmt = query->data));
+
+	destroyPQExpBuffer(query);
+
+	return;
+}
diff --git a/src/bin/pg_dump/dump_babel_utils.h b/src/bin/pg_dump/dump_babel_utils.h
@@ -36,6 +36,7 @@ extern void updateExtConfigArray(Archive *fout, char ***extconfigarray, int ncon
 extern void prepareForBabelfishDatabaseDump(Archive *fout, SimpleStringList *schema_include_patterns);
 extern void setBabelfishDependenciesForLogicalDatabaseDump(Archive *fout);
 extern void dumpBabelGUCs(Archive *fout);
+extern void dumpBabelPhysicalDatabaseACLs(Archive *fout);
 extern void fixCopyCommand(Archive *fout, PQExpBuffer copyBuf, TableInfo *tbinfo, bool isFrom);
 extern bool bbfIsDumpWithInsert(Archive *fout, TableInfo *tbinfo);
 extern void addFromClauseForBabelfishCatalogTable(PQExpBuffer buf, TableInfo *tbinfo);

diff --git a/src/bin/pg_dump/pg_dump.c b/src/bin/pg_dump/pg_dump.c
@@ -993,6 +993,8 @@ main(int argc, char **argv)
 	for (i = 0; i < numObjs; i++)
 		dumpDumpableObject(fout, dobjs[i]);
 
+	dumpBabelPhysicalDatabaseACLs(fout);
+
 	/*
 	 * Set up options info to ensure we dump what we want.
 	 */