Add table function to execute stored procedure in SQLServer

[Praveen2112]

Description

A dedicated table function which allows us to run stored procedures in SQLServer. We can't use existing query table function - as it wraps with inside a query like SELECT * FROM (EXEC my_procedure) o - so we are handing them via a different function. All the pushdown are disabled for JdbcProcedureHandle resolved by this Procedure.

Slightly different implementation from #15813

Limitation

• In case of stored procedures with multiple statement - we process the ResultSet only for the first statement. (Test to be added)
• Stored procedures with output variables are not supported.
• Input variables for the stored procedures are not parameterized(yet).

Example

SELECT * FROM TABLE(system.procedure(query => 'CALL my_new_procedure()')

Release notes

( ) This is not user-visible or docs only and no release notes are required.
(x) Release notes are required, please propose a release note for me.
( ) Release notes are required, with the following suggested text:

# SQLServer 
* Add support for executing stored procedures using `procedure` table function. 

[findepi]

Overall LGTM. @kokosing please review

[findepi]

add a code comment

[findepi]

Let's have a BaseJdbcConnectorTableHandle marker interface and let JdbcProcedureHandle, JdbcTableHandle both extend it; use here

[Praveen2112]

It should be as an abstract class right ?

[findepi]

Why not for procedure handle?
Have same check for them too

[Praveen2112]

In case of ProcedureHandle we won't face the no columns kind of a situation - plus the columns are populated when we are creating the table handle. Add the ProcedureHandle doesn't support project pushdown there is a good chance the column we pass on RecordSetProvider might be a subset of overall columns present in ProcedureHandle. Will implement it.

[findepi]

not sure if we use records for between-nodes serialization (I think we are starting to)

then ProcedureFunctionHandle above can be a record too

also, i don't think we need @JsonProperty and @JsonCreator for records (airlift/airlift#993), do we?

[Praveen2112]

ProcedureFunctionHandle - wanted be in-sync with other TableHandle implementation. I don't have any strong opinions on it. Will move it to a record.

[findepi]

redundant else

[findepi]

You don't need this. The code will never get invoked with JdbcProcedureHandle, and if it would, it would fail explicitly anyway

[findepi]

You don't need this.

[Praveen2112]

Can we replicate it for all alter options ?

[Praveen2112]

@findepi AC.

[kokosing]

looks good

[vlad-lyutenko]

We can't use existing query table function - as it wraps with inside a query like SELECT * FROM (CALL my_procedure()) o

As for me it's really new topic, can you please point me to some entry point, to understand what we have now (I mean existing query table function) and why we can't use it for this connectors

[findepi]

@vlad-lyutenko this all boils down to two things

• Connection.prepareStatement vs Connection.prepareCall
• blocking additional SQL pushdown for calls

[mosabua]

Given that this is a very powerful user facing feature that potentially has huge security and functionality implications I request the following:

• Make sure documentation is included in this PR similar to the query passthrough table function with the relevant warnings and suggestions about security in each connector doc
• Figure out how this works in terms of privileges or other access control we potentially have to add

cc @colebow @jhlodin @k-haley1

[mosabua]

Also for reference following is a link to the section in the MySQL connector docs where a new subsection for the new table function is needed.

https://trino.io/docs/current/connector/mysql.html#table-functions

And related question... will this table function have a similar restriction where it is required that the stored procedure returns a result set? If so .. that could be limiting functionality. And if not ... the security implications are even bigger since arbitrary stored procedures can be called.

Last.. I assume that the user accessing the database from the catalog configuration has to have the right to run the stored procedure .. can you detail what is actually specifically needed in MySQL and SQL Server terminology?

[Praveen2112]

will this table function have a similar restriction where it is required that the stored procedure returns a result set?

Yes we have a same restriction where the stored procedure has to return a ResultSet - we don't support multiple ResultSet as of now.

I assume that the user accessing the database from the catalog configuration has to have the right to run the stored procedure

Similar to tables - if the user specified in the catalog configuration has access to run the stored procedures then we would support it.

[Praveen2112]

@kokosing AC

[kasiafi]

I think it would be more user-friendly if the argument was renamed to procedure and the user would only pass the procedure call, that is "procedure_name()" without the CALL keyword.

[kokosing]

Depending on vendor you are using CALL or EXEC. So maybe we could rename name of function to call to exec depending on vendor (connector) and only pass the name of procedure. This could work only if we are not expecting to pass parameters any parameters to procedures.

[Praveen2112]

In case of arguments we could either pass them as an Array<String> and handle them accordingly.

[mosabua]

Need any help with the docs here @Praveen2112 ? Should I send a separate parallel PR?

[kokosing]

skimmed. I am fine with the approach

[kokosing]

what if procedure expects an integer?

[Praveen2112]

For now we pass the arguments as string - we pass it without quotes for integer and with additional quotes for string (if requested by the underlying datasource).

[kokosing]

Should we document this?

[Praveen2112]

But for SQLServer, it doesn't expect additional quotes. So do we need to document it ?

[martint]

It’d be better to pass the arguments as a ROW, so each one has the proper type. You get type safety and avoid conversions that might not be possible to do easily or reliably.

[Praveen2112]

Can you provide pointer on where/how it is established during the analysis step - Should we use a different Argument specification for this.

[martint]

Cc @kasiafi

[kasiafi]

The type of scalar argument is established at TF declaration.

[kasiafi]

Even if we could pass arbitrary scalars, it seems right to use an array of varchar in this case. It shifts the responsibility of formatting them the right way to the user. That's in the spirit of query pass-through. This way it is harder for the user to pass parameters, or non-literal expressions, but I don't know if a real use-case would need those capabilities.

Like @kokosing noticed, we must watch out for possible abuse (injection).

[kasiafi]

Table argument is the only argument type of table functions that is polymorphic . Technically, we could make use of it, and pass a scalar subquery containing parameters. But then we'd have to refactor the PTF to use the operator-based execution.

[kokosing]

it looks like one could inject some SQL by using inputs.

[Praveen2112]

Thanks for pointing it out. Have added additional checks.

[hashhar]

Approach looks good, some early comments.

[hashhar]

https://learn.microsoft.com/en-us/sql/t-sql/queries/output-clause-transact-sql?view=sql-server-ver16 exists so can we test with it as well?

[Praveen2112]

Have added test with OUTPUT clause.

[Praveen2112]

@hashhar , @skrzypo987 AC

[Praveen2112]

Rebased the PR to resolve conflicts.

[hashhar]

LGTM with the recent changes.

[mosabua]

Docs look good. Did not look at the code..

[kokosing]

Should we document this?

[findepi]

If we can process arguments via preparedCall.setParameter we wouldn't need this.
if we cannot process arguments via preparedCall.setParameter we shouldn't pretend we can.
If the user provides parameter values as string literals to be concatenated with the procedure call, why can't they provide the whole procedure call (including the parameters)? Just like we do with SQL pushdown?

[Praveen2112]

If we can process arguments via preparedCall.setParameter we wouldn't need this.

It could be possible - like if we could get the procedure column information and map them accordingly. I would like implement them in an incremental way as executing stored procedure is kind of an experimental feature. WDYT ?

why can't they provide the whole procedure call (including the parameters)? Just like we do with SQL pushdown?

The initial approach we have is like SQL Pushdown - where we don't do any processing but consume a String as an input. For some datasources like SQLServer it would be helpful if we could get the schema and procedure name - so we could apply some checks to ensure the SP doesn't any DDL or DML operations. So it more of an extended version of SQLPushdown - where we take some of them in parts and concat all the pieces.

that was just for emphasis.

[Praveen2112]

Rebased due to conflicts.

[Praveen2112]

Overridden by #16696