Closed realcolaflasche closed 1 month ago
This could be fixed in two ways:
CURRENT_USER
to return att_ss_user
rather than att_user
if it's called from the applier code.Can anyone think of any other solution?
Cannot Applier just set both att_user and att_ss_user in executeSql()?
This is what I meant by (1) above. But I'm not sure whether it will be enough. What if some privileges weren't loaded and cached yet (for the original att_user) and it will be initiated during replication (for the temporary att_user)?
Alternatively Applier can be allowed to perform DML on system tables and DDL being replicated as DML. And bypass security completely by setting of FLAG_POWERFUL.
Alternatively Applier can be allowed to perform DML on system tables and DDL being replicated as DML.
AFAIU, it will bind layout of replica's system tables to the master's one, and thus disable replication of DDL statements between different Firebird versions.
The same problem as with new/modified DDL statements. But at DML level it can be solved more easily by some kind of "smart" processing of system tables on source and target side while modification of plain SQL text to comply current version is more tricky.
PS: May be we should just solve actual error and allow grantee to revoke privileges from itself regardless of who they were granted by?..
The initial implementation was pure DML and it was proven to be fragile in practice, hence I switched to statement level replication for DDL.
Currently access checks are disabled for the applier, so maybe it's really safe to just substitute att_user
. I will double check.
Hi,
I am using the async-Replication and in with DDL-Changes (chreate table), the grantor is not set correct. This ensures that replication stops Here is my way to reproduce it in FB 4.0.4 and 5.0. I'm using a Windows 11-machine, but also had this seen on a Linux-machine.
RECREATE TABLE TEST1 ( ID INTEGER GENERATED BY DEFAULT AS IDENTITY, CONSTRAINT PK_TEST1 PRIMARY KEY (ID) );
In Primary: RDB$User = DBOWNER and RDB$GRANTOR = DBOWNER In Secondary: RDB$User = DBOWNER and RDB$GRANTOR = SYSDBA
My expectation is that the Grantor on the secondary side is the same as on the primary side. Or that you can specify in the config file who executes the replication statments on the secondary side. I didn't find something in the Documentation to this.
Regards, Jan