forked from babelfish-for-postgresql/babelfish_extensions
Support Cross-database references in views (babelfish-for-postgresql#2899)

Support execution of views which reference objects (tables/views/functions) from across the databases. Here we are talking about the Babelfish logical database (T-SQL database), which is different from a physical Postgres database. To support this, perform permission checks for cross database objects using session user (login) instead of current_user (user of current T-SQL database). The reason login can be used for permission check is that login is a member of all its users, so it inherits all their permissions and will be able to execute any cross database objects owned by its users.

This commit handles functions and tables/views separately for cross database permission checks. For functions/procedures, a new hook `ExecFuncProc_AclCheck_hook` and for tables/views the existing `ExecutorStart_hook` will be used to decide whether to use session user or current_user for permission check, depending upon whether the object is from the same or a different database.

We will be using the `is_schema_from_db` function to identify if the object is from a different database. It performs a lookup into the `babelfish_namespace_ext` catalog table, which can be expensive as we will be doing it pretty frequently. So, added this table into SYSCACHE for better performance.

Tables/views permissions are handled slightly differently than functions, as we do not blindly want to check the permissions against session user (current login), since permissions of RTEs inside a view are checked against that view's owner, which can very well be a user of some different database. So if we blindly check permission against session user instead of the view's owner then it would break the view's ownership chaining. Instead, we will replace `checkAsUser` with its corresponding mapped login if present, and only in cases where `checkAsUser` is not set will we replace it with session user (login). We are using login to allow cross database queries since login can access all its objects across the databases.

Getting the mapped login for a user requires a lookup into the sys.babelfish_authid_user_ext catalog table using its primary key column (rolname), so this table is also added into SYSCACHE.

Additionally, remove previous code to globally set current user to session user, since the newer logic takes care of the permission check now.

Task: BABEL-5206
Signed-off-by: Rishabh Tanwar <[email protected]>
Engine PR: babelfish-for-postgresql/postgresql_modified_for_babelfish#434
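
A simplified model of the role-selection rule the commit message describes for tables and views, added here as an illustration and not taken from the Babelfish source. The role names, the single-grantee ACL and the helpers `effective_role`, `has_privilege` and `can_select_t` are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed roles; every name here is hypothetical. */
enum { NONE = -1, LOGIN_A, LOGIN_B, DB1_USER_A, DB2_USER_A, DB2_USER_B, NROLES };

/* Login each database user maps to (NONE for the logins themselves). */
static const int mapped_login[NROLES] = { NONE, NONE, LOGIN_A, LOGIN_A, LOGIN_B };

/* Constructed ACL: table db1.t grants SELECT to DB1_USER_A only. */
static const int t_grantee = DB1_USER_A;

/* A role holds a privilege if it is the grantee, or if it is the login the
 * grantee maps to (a login is a member of all its users). */
static bool has_privilege(int role, int grantee)
{
    return role == grantee || mapped_login[grantee] == role;
}

/* Role an RTE is checked against, following the rule in the commit message. */
static int effective_role(int check_as_user, int session_login,
                          int current_user, bool cross_db)
{
    if (!cross_db)                 /* same database: usual behaviour */
        return check_as_user != NONE ? check_as_user : current_user;
    if (check_as_user == NONE)     /* direct reference: use the login */
        return session_login;
    /* Reference inside a view: keep the owner's chain, lifted to its login. */
    int login = mapped_login[check_as_user];
    return login != NONE ? login : check_as_user;
}

static bool can_select_t(int check_as_user, int session_login,
                         int current_user, bool cross_db)
{
    int role = effective_role(check_as_user, session_login, current_user, cross_db);
    return has_privilege(role, t_grantee);
}

int main(void)
{
    /* LOGIN_B selects from a db2 view owned by DB2_USER_A that reads db1.t. */
    printf("via view:  %d\n", can_select_t(DB2_USER_A, LOGIN_B, DB2_USER_B, true));
    /* LOGIN_B references db1.t directly from db2. */
    printf("direct:    %d\n", can_select_t(NONE, LOGIN_B, DB2_USER_B, true));
    return 0;
}
```

In this model the view path succeeds because the check runs as the owner's login, while the same caller referencing the table directly is refused; checking the view path against the session login instead would refuse it as well, which is the ownership-chaining break the message warns about.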
1 parent 62115bd, commit 868472a
Showing 29 changed files with 1,425 additions and 395 deletions.