1. Modified syntax of ALTER ROLE command according to Dmitry's request.

2. Avoid any use of predefined NT group name "Domain Admins".
3. Fixed DYN code generation for USER operations.

                     ***** WARNING *****
After this commit all previous backups of 2.5 databases with turned on
admins mapping become unrestorable. ODS is not changed.

src/burp/backup.epp

@@ -3996,8 +3996,9 @@ void write_mapping(void)
 			if (X.RDB$SYSTEM_FLAG == (ROLE_FLAG_MAY_TRUST | ROLE_FLAG_DBO))
 			{
 				put(tdgbl, rec_mapping);
-				put_text(att_map_os, DOMAIN_ADMINS, strlen(DOMAIN_ADMINS) + 1);
+				//put_text(att_map_os, DOMAIN-ADMINS, strlen(DOMAIN-ADMINS) + 1);
-				put_text(att_map_role, ADMIN_ROLE, strlen(ADMIN_ROLE) + 1);
+				//put_text(att_map_role, ADMIN-ROLE, strlen(ADMIN-ROLE) + 1);
+				put_text(att_auto_map_role, ADMIN_ROLE, strlen(ADMIN_ROLE) + 1);
 				put(tdgbl, att_end);
 				BURP_verbose (297, ADMIN_ROLE);
 				// msg 297 writing mapping for @1

src/burp/burp.h

@@ -540,7 +540,8 @@ enum att_type {
 	// Names mapping
 	att_map_os = SERIES,
 	att_map_user,
-	att_map_role
+	att_map_role,
+	att_auto_map_role
 };
 
 

src/burp/restore.epp

@@ -5876,7 +5876,7 @@ bool get_mapping(BurpGlobals* tdgbl)
 		{
 			switch (attribute)
 			{
-			case att_map_role:
+/*			case att_map_role:
 				l = GET_TEXT(temp);
 				role.assign(temp, l);
 				break;
@@ -5885,6 +5885,11 @@ bool get_mapping(BurpGlobals* tdgbl)
 				l = GET_TEXT(temp);
 				os.assign(temp, l);
 				break;
+ */
+			case att_auto_map_role:
+				l = GET_TEXT(temp);
+				role.assign(temp, l);
+				break;
 
 			default:
 				// msg 299 name mapping
@@ -5898,7 +5903,7 @@ bool get_mapping(BurpGlobals* tdgbl)
 			return true;	// silently skip attributes on old server
 		}
 
-		if (os != DOMAIN_ADMINS || role != ADMIN_ROLE)
+		if (role != ADMIN_ROLE)
 		{
 			BURP_error(300, false);
 			return true;

src/dsql/ddl.cpp

@@ -5807,13 +5807,14 @@ static void modify_map(dsql_req* request)
 	fb_assert(node->nod_type == nod_mod_role);
 
 	const dsql_str* ds = (dsql_str*) node->nod_arg[e_mod_role_os_name];
-	fb_assert(ds);
+	fb_assert(ds || 
-	request->append_cstring(isc_dyn_mapping, ds->str_data);
+			  node->nod_arg[e_mod_role_action]->getSlong() == isc_dyn_automap_role ||
+			  node->nod_arg[e_mod_role_action]->getSlong() == isc_dyn_autounmap_role);
+	request->append_cstring(isc_dyn_mapping, ds ? ds->str_data : "");
 
 	ds = (dsql_str*) node->nod_arg[e_mod_role_db_name];
 	fb_assert(ds);
-	request->append_cstring(*(SLONG *)	// TODO: use getSlong()
+	request->append_cstring(node->nod_arg[e_mod_role_action]->getSlong(), ds->str_data);
-		(node->nod_arg[e_mod_role_action]->nod_desc.dsc_address), ds->str_data);
 
 	request->append_uchar(isc_dyn_end);
 }
@@ -5879,6 +5880,7 @@ static void define_user(dsql_req* request, UCHAR op)
 	}
 
 	request->append_uchar(isc_user_end);
+	request->append_uchar(isc_dyn_end);
 }
 
 

src/dsql/keywords.cpp

@@ -231,6 +231,7 @@ static const TOK tokens[] =
 	{KW_LOWER, "LOWER", 2, false},
 	{LPAD, "LPAD", 2, false},
 	{MANUAL, "MANUAL", 1, false},
+	{MAPPING, "MAPPING", 2, false},
 	{MATCHED, "MATCHED", 2, false},
 	{MATCHING, "MATCHING", 2, false},
 	{MAXIMUM, "MAX", 1, false},

src/dsql/parse.y

@@ -546,6 +546,7 @@ inline void check_copy_incr(char*& to, const char ch, const char* const string)
 %token FIRSTNAME
 %token LASTNAME
 %token MIDDLENAME
+%token MAPPING
 %token OS_NAME
 %token SIMILAR
 %token UUID_TO_CHAR
@@ -2474,6 +2475,7 @@ alter_udf_clause    : symbol_UDF_name entry_op module_op
 			{ $$ = make_node(nod_mod_udf, e_mod_udf_count, $1, $2, $3); }
 			;
 
+/*
 alter_role_clause	: symbol_role_name alter_role_action OS_NAME os_security_name
 			{ $$ = make_node(nod_mod_role, e_mod_role_count, $4, $1, $2); }
 			;
@@ -2483,6 +2485,17 @@ alter_role_action	: ADD
 		| DROP
 			{ $$ = MAKE_const_slong (isc_dyn_unmap_role); }
 		;
+ */
+
+alter_role_clause	: symbol_role_name alter_role_enable AUTO ADMIN MAPPING
+			{ $$ = make_node(nod_mod_role, e_mod_role_count, NULL, $1, $2); }
+			;
+
+alter_role_enable	: SET
+			{ $$ = MAKE_const_slong (isc_dyn_automap_role); }
+		| DROP
+			{ $$ = MAKE_const_slong (isc_dyn_autounmap_role); }
+		;
 	
 os_security_name	: STRING
 			{ $$ = $1; }
@@ -4982,6 +4995,7 @@ non_reserved_word :
 	| FIRSTNAME
 	| MIDDLENAME
 	| LASTNAME
+	| MAPPING
 	| OS_NAME
 	| UUID_TO_CHAR
 	| COMMON				// new execute statement

src/include/consts_pub.h

@@ -827,6 +827,8 @@
 #define isc_dyn_unmap_role							2
 #define isc_dyn_map_user							3
 #define isc_dyn_unmap_user							4
+#define isc_dyn_automap_role						5
+#define isc_dyn_autounmap_role						6
 
 /********************/
 /* Users control    */

src/jrd/constants.h

@@ -73,8 +73,6 @@ const char* const ADMIN_ROLE = "RDB$ADMIN";
 // Value 1 is skipped because rdb$system_flag = 1 is used in all other cases.
 const SSHORT ROLE_FLAG_MAY_TRUST	= 2;
 const SSHORT ROLE_FLAG_DBO			= 4;
-// Predefined NT group name
-const char* const DOMAIN_ADMINS = "Domain Admins";
 
 const char* const PRIMARY_KEY		= "PRIMARY KEY";
 const char* const FOREIGN_KEY		= "FOREIGN KEY";

src/jrd/dyn_mod.epp

@@ -3425,7 +3425,7 @@ void DYN_modify_mapping(Global* gbl, const UCHAR** ptr)
 	// This is FB 2.5 limited implementation!
 	// Later it should work with new system table, something like RDB$MAPPING.
 
-	if (osName != DOMAIN_ADMINS || dbName != ADMIN_ROLE)
+	if (dbName != ADMIN_ROLE)
 	{
 		Firebird::status_exception::raise(isc_no_meta_update, isc_arg_gds, isc_wish_list, isc_arg_end);
 	}
@@ -3445,11 +3445,11 @@ void DYN_modify_mapping(Global* gbl, const UCHAR** ptr)
 		MODIFY X
 			switch (op)
 			{
-			case isc_dyn_map_role:
+			case isc_dyn_automap_role:
 				X.RDB$SYSTEM_FLAG = ROLE_FLAG_DBO | ROLE_FLAG_MAY_TRUST;
 				break;
 
-			case isc_dyn_unmap_role:
+			case isc_dyn_autounmap_role:
 				X.RDB$SYSTEM_FLAG = ROLE_FLAG_DBO;
 				break;