[BRC-3414] Add hook for backup token access check on SCHEMAs (#59)

Eric Pei · tristan957 · commit 96c49f01200e · 2025-08-13T15:10:16.000-05:00
See parent PR https://github.com/databricks-eng/hadron/pull/1441
diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
@@ -58,6 +58,7 @@
 #include "utils/snapmgr.h"
 #include "utils/syscache.h"
 #include "utils/varlena.h"
+#include "catalog/objectaccess.h"
 
 
 /*
@@ -2960,8 +2961,22 @@ LookupExplicitNamespace(const char *nspname, bool missing_ok)
 
 	aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_USAGE);
 	if (aclresult != ACLCHECK_OK)
+	{
+		/* BEGIN HADRON
+		 * If we don't have the necessary native Postgres permission, check if
+		 * our Databricks OAuth token grants us permission.
+		 */
+		if (NamespaceUnityCatalogAccess_hook != NULL
+			&& (*NamespaceUnityCatalogAccess_hook) (namespaceId, nspname, ACL_USAGE))
+		{
+			aclresult = ACLCHECK_OK;
+		}
+		/* END HADRON */
+
 		aclcheck_error(aclresult, OBJECT_SCHEMA,
 					   nspname);
+	}
+
 	/* Schema search hook for this lookup */
 	InvokeNamespaceSearchHook(namespaceId, true);
 
diff --git a/src/backend/catalog/objectaccess.c b/src/backend/catalog/objectaccess.c
@@ -21,6 +21,10 @@
  */
 object_access_hook_type object_access_hook = NULL;
 
+/* Backup hook to check for Unity Catalog namespace access after native permissions check fails */
+NamespaceUnityCatalogAccess_hook_type NamespaceUnityCatalogAccess_hook = NULL;
+
+
 /*
  * RunObjectPostCreateHook
  *
diff --git a/src/include/catalog/objectaccess.h b/src/include/catalog/objectaccess.h
@@ -10,6 +10,8 @@
 #ifndef OBJECTACCESS_H
 #define OBJECTACCESS_H
 
+#include "nodes/parsenodes.h"
+
 /*
  * Object access hooks are intended to be called just before or just after
  * performing certain actions on a SQL object.  This is intended as
@@ -142,6 +144,10 @@ extern void RunObjectPostAlterHook(Oid classId, Oid objectId, int subId,
 extern bool RunNamespaceSearchHook(Oid objectId, bool ereport_on_violation);
 extern void RunFunctionExecuteHook(Oid objectId);
 
+/* Backup hook to check for Unity Catalog namespace access after native permissions check fails */
+typedef bool (*NamespaceUnityCatalogAccess_hook_type) (Oid namespaceId, const char *nspname, AclMode requiredPerms);
+extern PGDLLIMPORT NamespaceUnityCatalogAccess_hook_type NamespaceUnityCatalogAccess_hook;
+
 /*
  * The following macros are wrappers around the functions above; these should
  * normally be used to invoke the hook in lieu of calling the above functions
