
@viethqb viethqb commented Jan 20, 2026

Enable multiple sequential EXECUTE AS statements on the same connection by checking IMPERSONATE privileges based on the original login user instead of the current impersonated user.

  • Store original user context (identity, groups, roles) in AccessControlContext
  • Initialize original context during authentication
  • Use original context for IMPERSONATE checks in AuthorizationMgr.canExecuteAs()
  • Add test case for EXECUTE AS chaining scenario
  • Fix security issue: reset original context on re-authentication to prevent
    new user from inheriting IMPERSONATE privileges from previous login user

Maintains backward compatibility with fallback to current user behavior.

Why I'm doing:

Currently, when using EXECUTE AS user WITH NO REVERT, the system checks IMPERSONATE privileges based on the current impersonated user (currentUserIdentity), not the original login user (qualifiedUser). This creates a limitation where:

  1. After executing EXECUTE AS user1 WITH NO REVERT, the connection context switches to user1
  2. When attempting to execute EXECUTE AS user2 WITH NO REVERT on the same connection, the system checks if user1 has IMPERSONATE privilege on user2
  3. If user1 doesn't have IMPERSONATE privilege on user2, the operation fails, even though the original login user (e.g., admin_user) might have IMPERSONATE privileges on both user1 and user2

This limitation prevents applications using connection pooling from chaining multiple EXECUTE AS statements on the same connection, forcing them to either:

  • Grant IMPERSONATE privileges to intermediate users (not always feasible)
  • Use separate connections for each user (defeats connection pooling)

What I'm doing:

This PR enables EXECUTE AS to check IMPERSONATE privileges based on the original login user instead of the current impersonated user, allowing multiple sequential EXECUTE AS statements on the same connection.

Implementation details:

  1. Store original user context in AccessControlContext:

    • Added originalUserIdentity, originalGroups, and originalRoleIds fields to store the original login user context snapshot
    • These fields are initialized once during authentication and remain unchanged during the session
  2. Initialize original context in AuthenticationHandler:

    • Call initOriginalUserContext() after setting groups and roles during authentication
    • This ensures the original user context is captured at login time
  3. Modify privilege checking in AuthorizationMgr.canExecuteAs():

    • Use original user context (identity, groups, roles) for IMPERSONATE privilege checks when available
    • Fall back to current user behavior if original context is not available (for backward compatibility)
  4. Add test case to verify the feature:

    • Test case testExecuteAsChainUsesOriginalLoginUserForImpersonateCheck() verifies that chaining EXECUTE AS statements works correctly based on original user privileges

Example usage:
-- Login as admin_user (has IMPERSONATE on user1 and user2)
EXECUTE AS user1 WITH NO REVERT; -- Checks: admin_user has IMPERSONATE on user1 ✓
-- ... execute queries with user1 permissions ...
EXECUTE AS user2 WITH NO REVERT; -- Checks: admin_user has IMPERSONATE on user2 ✓ (now works!)

Fixes #68149


@viethqb viethqb requested a review from a team as a code owner January 20, 2026 16:39
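
Added example, not part of the PR or of the StarRocks code base: a simplified Java model of the check described above, showing the chained EXECUTE AS, the snapshot reset on re-authentication, and the fallback when no snapshot exists. `SessionContext`, the grant table and all method bodies are assumptions; groups and roles are omitted, so only the login identity is snapshotted.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the behaviour the PR describes; not StarRocks code.
// Class, fields and grant table are hypothetical stand-ins for illustration.
public class ExecuteAsChainDemo {
    // Constructed grant table: grantee -> users it holds IMPERSONATE on.
    static final Map<String, Set<String>> IMPERSONATE = Map.of(
            "admin_user", Set.of("user1", "user2"),
            "user1", Set.<String>of());

    static class SessionContext {
        String currentUser;   // switches on every successful EXECUTE AS
        String originalUser;  // login snapshot; null models a context without one

        // Authentication, including re-authentication on a reused connection,
        // overwrites the snapshot. Leaving the old value in place would let the
        // new login inherit the previous login's IMPERSONATE grants.
        void authenticate(String login) {
            currentUser = login;
            originalUser = login;
        }

        boolean canExecuteAs(String target) {
            // Check against the login snapshot; fall back to the current user
            // only when no snapshot is available.
            String checker = originalUser != null ? originalUser : currentUser;
            return IMPERSONATE.getOrDefault(checker, Set.<String>of()).contains(target);
        }

        boolean executeAs(String target) {
            if (!canExecuteAs(target)) return false;
            currentUser = target; // originalUser is deliberately left untouched
            return true;
        }
    }

    public static void main(String[] args) {
        SessionContext s = new SessionContext();
        s.authenticate("admin_user");
        System.out.println("admin_user -> user1: " + s.executeAs("user1"));
        System.out.println("then -> user2 (checked as admin_user): " + s.executeAs("user2"));
        s.authenticate("user1"); // same connection, new login without grants
        System.out.println("re-authenticated user1 -> user2: " + s.executeAs("user2"));
        SessionContext legacy = new SessionContext();
        legacy.currentUser = "user1"; // no snapshot: check falls back to user1
        System.out.println("no snapshot, user1 -> user2: " + legacy.executeAs("user2"));
    }
}
```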

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c658bfda90


@viethqb viethqb force-pushed the feature/execute-as-original-impersonator branch from c658bfd to 383dd16 January 20, 2026 17:11

@alvin-celerdata (Contributor) commented:

@codex review

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 383dd16e72


Enable multiple sequential EXECUTE AS statements on the same connection
by checking IMPERSONATE privileges based on the original login user
instead of the current impersonated user.

- Store original user context (identity, groups, roles) in AccessControlContext
- Initialize original context during authentication
- Use original context for IMPERSONATE checks in AuthorizationMgr.canExecuteAs()
- Add test case for EXECUTE AS chaining scenario
- Fix security issue: reset original context on re-authentication to prevent
  new user from inheriting IMPERSONATE privileges from previous login user

Maintains backward compatibility with fallback to current user behavior.

Signed-off-by: Hoang Quoc Viet <[email protected]>
@viethqb viethqb force-pushed the feature/execute-as-original-impersonator branch from 383dd16 to 3aa121b January 21, 2026 00:37

Successfully merging this pull request may close these issues.

[Feature Request] EXECUTE AS: Check IMPERSONATE privilege based on original authenticated user
