AWS AmazonRDS documentation change
Summary
Added Babelfish version compatibility column to supported/unsupported use case tables, updated role descriptions, and clarified version-specific constraints for permissions management.
Security assessment
The changes document security-related permissions management features (e.g., roles like db_securityadmin, db_accessadmin) and their version availability. While this clarifies security controls, there is no evidence of addressing a specific vulnerability. The updates improve documentation of existing security features rather than patching issues.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md b/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md index 2d96a5666..af9aeb52d 100644 --- a//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md +++ b//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md @@ -15,13 +15,15 @@ The following table explains the use cases that are supported in Babelfish. For -Use case | Action | SQL commands | Comments ----|---|---|--- -Allow login to do SELECTs/DMLs/DDLs in any database | Add login to sysadmin server role | ALTER SERVER ROLE sysadmin ADD MEMBER `login` | None -Allow login to do SELECTs/DMLs/DDLs in a database | Make login the owner of the database | ALTER AUTHORIZATION ON DATABASE::`database` TO `login` | A database can have only one owner. -Allow database user to do SELECTs/DMLs on a schema | Grant permission to database user on schema | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON SCHEMA::`schema` TO `user` | None -Allow database user to do SELECTs/DMLs on a schema | Make database user owner of schema at schema creation time | CREATE SCHEMA `schema` AUTHORIZATION `user` | Changing schema ownership after creation isn't currently supported. -Allow database user to do SELECTs/DMLs on an object | Grant permission to database user on object | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT::`object` TO `user` | None -Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database | Add user to db_owner fixed database role | ALTER ROLE db_owner ADD MEMBER `user` | Only users can be added db_owner fixed database role. Adding roles to db_owner role is not yet supported. -Allow user or members of a custom database role to do only SELECTs in a database | Add user or role to db_datareader fixed database role | ALTER ROLE db_datareader ADD MEMBER `user` / `role` | None -Allow user or members of a custom database role to do only DMLs in a database | Add user or role to db_datawriter fixed database role | ALTER ROLE db_datawriter ADD MEMBER `user` / `role` | None -Allow user or members of a custom database role to do only DDLs in a database | Add user or role to db_accessadmin fixed database role | ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` | None -Allow login to only CREATE/DROP/ALTER any database | Add login to dbcreator fixed server role | ALTER SERVER ROLE dbcreator ADD MEMBER `login` | Only those databases can be alterred on which dbcreator login has access. -Allow login to only CREATE/ALTER/DROP any login | Add login to securityadmin fixed server role | ALTER SERVER ROLE securityadmin ADD MEMBER `login` | None +Use case | Action | SQL commands | Comments | Babelfish version compatibility +---|---|---|---|--- +Allow login to do SELECTs/DMLs/DDLs in any database | Add login to sysadmin server role | ALTER SERVER ROLE sysadmin ADD MEMBER `login` | None | All versions +Allow login to do SELECTs/DMLs/DDLs in a database | Make login the owner of the database | ALTER AUTHORIZATION ON DATABASE::`database` TO `login` | A database can have only one owner. | Version 3.4 and higher +Allow database user to do SELECTs/DMLs on a schema | Grant permission to database user on schema | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON SCHEMA::`schema` TO `user` | None | Version 3.6 and higher, 4.2 and higher +Allow database user to do SELECTs/DMLs on a schema | Make database user owner of schema at schema creation time | CREATE SCHEMA `schema` AUTHORIZATION `user` | Changing schema ownership after creation isn't currently supported. | Version 1.2 and higher +Allow database user to do SELECTs/DMLs on an object | Grant permission to database user on object | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT::`object` TO `user` | None | All versions +Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database | Add user to db_owner fixed database role | ALTER ROLE db_owner ADD MEMBER `user` | Only users can be added db_owner fixed database role. Adding roles to db_owner role is not yet supported. | Version 4.5 and higher, 5.1 and higher +Allow user or members of a custom database role to do only SELECTs in a database | Add user or role to db_datareader fixed database role | ALTER ROLE db_datareader ADD MEMBER `user` / `role` | None | Version 4.5 and higher, 5.1 and higher +Allow user or members of a custom database role to do only DMLs in a database | Add user or role to db_datawriter fixed database role | ALTER ROLE db_datawriter ADD MEMBER `user` / `role` | None | Version 4.5 and higher, 5.1 and higher +Allow user or members of a custom database role to do only DDLs in a database | Add user or role to db_accessadmin fixed database role | ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` | None | Version 4.5 and higher, 5.1 and higher +Allow user or members of a custom database role to only CREATE/ALTER/DROP custom roles, GRANT/REVOKE permissions on objects in a database and/or CREATE SCHEMA in a database | Add user or role to db_securityadmin fixed database role | ALTER ROLE db_securityadmin ADD MEMBER `user` / `role` | None | Version 4.5 and higher, 5.1 and higher +Allow user or members of a custom database role to only CREATE/ALTER/DROP any user, grant and revoke database access and map user accounts to logins and/or CREATE SCHEMA in a database | Add user or role to db_accessadmin fixed database role | ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` | None | Version 4.5 and higher, 5.1 and higher +Allow login to only CREATE/DROP/ALTER any database | Add login to dbcreator fixed server role | ALTER SERVER ROLE dbcreator ADD MEMBER `login` | Only those databases can be altered on which dbcreator login has access. | Version 4.5 and higher, 5.1 and higher +Allow login to only CREATE/ALTER/DROP any login | Add login to securityadmin fixed server role | ALTER SERVER ROLE securityadmin ADD MEMBER `login` | None | Version 4.5 and higher, 5.1 and higher @@ -33,4 +35,4 @@ The following table explains the use cases that aren't supported in Babelfish, b -Use case | Action | SQL commands | Comments ----|---|---|--- -Allow user to do SELECTs/DMLs on an object/schema along with option to GRANT these permissions to other users | GRANT the permissions to all the other users directly | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT/SCHEMA::`object`/`schema` TO `user` | GRANT ... WITH GRANT OPTION isn't currently supported. -Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database | Add members of role to db_owner fixed database role | ALTER ROLE db_owner ADD MEMBER `user` | Adding roles to db_owner role isn't currently supported. +Use case | Action | SQL commands | Comments | Babelfish version compatibility for workarounds +---|---|---|---|--- +Allow user to do SELECTs/DMLs on an object/schema along with option to GRANT these permissions to other users | GRANT the permissions to all the other users directly | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT/SCHEMA::`object`/`schema` TO `user` | GRANT ... WITH GRANT OPTION isn't currently supported. | Version 3.6 and higher, 4.2 and higher +Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database | Add members of role to db_owner fixed database role | ALTER ROLE db_owner ADD MEMBER `user` | Adding roles to db_owner role isn't currently supported. | Version 4.5 and higher, 5.1 and higher