external
/
citus
mirror of https://github.com/citusdata/citus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixes review issues

grant_parameter_propagation
gurkanindibay 2024-02-06 15:43:41 +03:00
parent dcfb386a09
commit 047a75f2d2
3 changed files with 53 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
src/backend/distributed/commands/parameter.c
View File

@ -18,9 +18,12 @@
static List * GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem); static List * GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem);
static bool HasAclGrantOption(AclItem *aclItem, AclMode aclMode); static bool HasAclGrantOption(AclItem *aclItem, AclMode aclMode);
static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes); static void ValidatePermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes);
static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, static void CheckAndAppendGrantParameterQuery(List **queries, AclItem *aclItem, Oid
char *parameterName, AclMode mode, char *modeStr); granteeOid,
char *parameterName, AclMode mode,
char *modeStr);
static void RemoveSemicolonFromEnd(char *query);
List * List *
@ -39,13 +42,18 @@ PostprocessGrantParameterStmt(Node *node, const char *queryString)
(void *) command, (void *) command,
ENABLE_DDL_PROPAGATION); ENABLE_DDL_PROPAGATION);
return NontransactionalNodeDDLTaskList(REMOTE_NODES, commands); return NodeDDLTaskList(REMOTE_NODES, commands);
} }
/* /*
* GenerateGrantOnParameterFromAclItem generates a query string for replicating a users permissions * GenerateGrantOnParameterFromAclItem generates the grant queries for the given aclItem.
* on a database. * First it sets the current role to the grantor of the aclItem, then it appends the grant
* privilege queries for the aclItem, and finally it resets the role to the original role.
* Ex: If the aclItem has the grant option for ACL_SET, it generates the following queries:
* SET ROLE <grantor>;
* GRANT SET ON <parameterName> TO <grantee>;
* RESET ROLE;
*/ */
static List * static List *
GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem)
@ -53,14 +61,16 @@ GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem)
/* /*
* seems unlikely but we check if there is a grant option in the list without the actual permission * seems unlikely but we check if there is a grant option in the list without the actual permission
*/ */
CheckPermissionsAndGrants(aclItem, (AclMode[]) { ACL_SET, ACL_ALTER_SYSTEM }, 2); ValidatePermissionsAndGrants(aclItem, (AclMode[]) { ACL_SET, ACL_ALTER_SYSTEM }, 2);
Oid granteeOid = aclItem->ai_grantee; Oid granteeOid = aclItem->ai_grantee;
List *queries = NIL; List *queries = NIL;
queries = lappend(queries, GenerateSetRoleQuery(aclItem->ai_grantor)); queries = lappend(queries, GenerateSetRoleQuery(aclItem->ai_grantor));
CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_SET, "SET"); CheckAndAppendGrantParameterQuery(&queries, aclItem, granteeOid, parameterName,
CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_ALTER_SYSTEM, ACL_SET, "SET");
CheckAndAppendGrantParameterQuery(&queries, aclItem, granteeOid, parameterName,
ACL_ALTER_SYSTEM,
"ALTER SYSTEM"); "ALTER SYSTEM");
queries = lappend(queries, "RESET ROLE"); queries = lappend(queries, "RESET ROLE");
@ -70,11 +80,13 @@ GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem)
/* /*
* CheckAndAppendQuery checks if the aclItem has the given mode and if it has, it appends the * CheckAndAppendGrantParameterQuery checks if the aclItem has the given mode and if it has, it appends the
* corresponding query to the queries list. * corresponding query to the queries list.
* Ex: If the mode is ACL_SET, it appends the query "GRANT SET ON <parameterName> TO <grantee>"
*/ */
static void static void
CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, CheckAndAppendGrantParameterQuery(List **queries, AclItem *aclItem, Oid granteeOid,
char *parameterName,
AclMode mode, char *modeStr) AclMode mode, char *modeStr)
{ {
AclResult aclresult = pg_parameter_aclcheck(parameterName, granteeOid, mode); AclResult aclresult = pg_parameter_aclcheck(parameterName, granteeOid, mode);
@ -85,9 +97,7 @@ CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *para
modeStr, modeStr,
HasAclGrantOption(aclItem, mode))); HasAclGrantOption(aclItem, mode)));
/* remove the semicolon at the end of the query since it is already */ RemoveSemicolonFromEnd(query);
/* appended in metadata_sync phase */
query[strlen(query) - 1] = '\0';
*queries = lappend(*queries, query); *queries = lappend(*queries, query);
} }
@ -95,11 +105,26 @@ CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *para
/* /*
* CheckPermissionsAndGrants checks if the aclItem has the valid permissions and grants * RemoveSemicolonFromEnd removes the semicolon at the end of the query if it exists.
*/
static void
RemoveSemicolonFromEnd(char *query)
{
/* remove the semicolon at the end of the query since it is already */
/* appended in metadata_sync phase */
if (query[strlen(query) - 1] == ';')
{
query[strlen(query) - 1] = '\0';
}
}
/*
* ValidatePermissionsAndGrants validates if the aclItem has the valid permissions and grants
* for the given modes. * for the given modes.
*/ */
static void static void
CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) ValidatePermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes)
{ {
AclMode permissions = ACLITEM_GET_PRIVS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; AclMode permissions = ACLITEM_GET_PRIVS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL;
AclMode grants = ACLITEM_GET_GOPTIONS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; AclMode grants = ACLITEM_GET_GOPTIONS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL;
@ -119,6 +144,9 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes)
} }
/*
* HasAclGrantOption checks if the aclItem has the grant option for the given mode.
*/
static bool static bool
HasAclGrantOption(AclItem *aclItem, AclMode aclMode) HasAclGrantOption(AclItem *aclItem, AclMode aclMode)
{ {
@ -126,8 +154,12 @@ HasAclGrantOption(AclItem *aclItem, AclMode aclMode)
} }
/*
* GenerateGrantStmtOnParametersFromCatalogTable generates the grant statements for the parameters
* from the pg_parameter_acl catalog table.
*/
List * List *
GrantOnParameters(void) GenerateGrantStmtOnParametersFromCatalogTable(void)
{ {
/* Open pg_shdescription catalog */ /* Open pg_shdescription catalog */
Relation paramPermissionRelation = table_open(ParameterAclRelationId, Relation paramPermissionRelation = table_open(ParameterAclRelationId,

2
src/backend/distributed/metadata/metadata_sync.c
View File

@ -4726,7 +4726,7 @@ PropagateNodeWideObjectsCommandList(void)
ddlCommands = list_concat(ddlCommands, alterRoleSetCommands); ddlCommands = list_concat(ddlCommands, alterRoleSetCommands);
} }
#if PG_VERSION_NUM >= PG_VERSION_15 #if PG_VERSION_NUM >= PG_VERSION_15
List *grantOnParameterCommands = GrantOnParameters(); List *grantOnParameterCommands = GenerateGrantStmtOnParametersFromCatalogTable();
ddlCommands = list_concat(ddlCommands, grantOnParameterCommands); ddlCommands = list_concat(ddlCommands, grantOnParameterCommands);
#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ #endif /* PG_VERSION_NUM >= PG_VERSION_15 */

2
src/include/distributed/grant_utils.h
View File

@ -13,7 +13,7 @@
#include "nodes/parsenodes.h" #include "nodes/parsenodes.h"
#if PG_VERSION_NUM >= PG_VERSION_15 #if PG_VERSION_NUM >= PG_VERSION_15
extern List * GrantOnParameters(void); extern List * GenerateGrantStmtOnParametersFromCatalogTable(void);
#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ #endif /* PG_VERSION_NUM >= PG_VERSION_15 */
extern char * GenerateSetRoleQuery(Oid roleOid); extern char * GenerateSetRoleQuery(Oid roleOid);