Skip to content

Get rid of the unnecessary permissions for implicit domains#8937

Open
dyemanov wants to merge 4 commits intomasterfrom
work/8881
Open

Get rid of the unnecessary permissions for implicit domains#8937
dyemanov wants to merge 4 commits intomasterfrom
work/8881

Conversation

@dyemanov
Copy link
Member

@dyemanov dyemanov commented Mar 10, 2026

This PR addresses some issues spotted in #8881:

  1. Dropping a field / parameter which is based on implicit domain leaves orphan records inside RDB$USER_PRIVILEGES and RDB$SECURITY_CLASSES
  2. No privileges should be assigned to implicit domains created under the hood

dyemanov added 2 commits March 10, 2026 16:02
@dyemanov
Remove security class and user privileges from the domain being dropp…
8d98b5d 
…ed (see #8881: Large amount of unnecessary privileges in RDB for SYSDBA)
@dyemanov
Fix TDBB_dont_post_dfw usage for procedures/functions. Don't grant US…
eb42053 
…AGE permissions (and don't create a security class) for implicit domains (see #8881: Large amount of unnecessary privileges in RDB for SYSDBA).
@dyemanov dyemanov self-assigned this Mar 10, 2026
@dyemanov dyemanov linked an issue Mar 10, 2026 that may be closed by this pull request
Large amount of unnecessary privileges in RDB$USER_PRIVILEGES for SYSDBA #8881
Open
@aafemt
Copy link
Contributor

aafemt commented Mar 10, 2026

While you are at it, could you also mark implicit domains as system, please?..

@dyemanov
Copy link
Member Author

dyemanov commented Mar 10, 2026

While you are at it, could you also mark implicit domains as system, please?..

I'm not sure this is correct (and that it will not cause backward compatibility issues).

@aafemt
Copy link
Contributor

aafemt commented Mar 10, 2026

But it would allow to clean out the hack with RDB$ prefix comparison from Firebird code and give users more freedom in domain naming.

@sim1984
Copy link
Contributor

sim1984 commented Mar 10, 2026
edited
Loading

In my mind, a system domain is a domain that is used in system tables. You can add the automatically generated domain flag to ods 14.

@aafemt
Copy link
Contributor

aafemt commented Mar 10, 2026

I always read it as "created and maintained by system" in contrast to "created by user".

AlexPeshkoff
AlexPeshkoff reviewed Mar 10, 2026
View reviewed changes
src/dsql/DdlNodes.epp Outdated
// second pass
if (alterIndividualParameters)
executeAlterIndividualParameters(tdbb, dsqlScratch, transaction, !altered, true, false);
executeAlterIndividualParameters(tdbb, dsqlScratch, transaction, false, true, false);
Copy link
Member

@AlexPeshkoff AlexPeshkoff Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry that I did not mention it at once - in that case no reasons to have create parameter in executeAlterIndividualParameters, false is always passed to it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AlexPeshkoff AlexPeshkoff AlexPeshkoff left review comments

Assignees

@dyemanov dyemanov

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Large amount of unnecessary privileges in RDB$USER_PRIVILEGES for SYSDBA

4 participants

@dyemanov @aafemt @sim1984 @AlexPeshkoff