GRANT SELECT access for metadata tables to public

Previously, we errored out if a non-user tried to run a SELECT query on some metadata tables. It
seems that we already GRANT SELECT access to some metadata tables but not others. With
this change, we GRANT SELECT access to all existing Citus metadata tables.
pull/1062/head
Burak Yucesoy 2016-12-23 13:24:40 +03:00
parent d608ef3311
commit 0851fd2f0b
9 changed files with 71 additions and 3 deletions


@ -9,7 +9,7 @@ EXTVERSIONS = 5.0 5.0-1 5.0-2 \
5.1-1 5.1-2 5.1-3 5.1-4 5.1-5 5.1-6 5.1-7 5.1-8 \ 5.1-1 5.1-2 5.1-3 5.1-4 5.1-5 5.1-6 5.1-7 5.1-8 \
5.2-1 5.2-2 5.2-3 5.2-4 \ 5.2-1 5.2-2 5.2-3 5.2-4 \
6.0-1 6.0-2 6.0-3 6.0-4 6.0-5 6.0-6 6.0-7 6.0-8 6.0-9 6.0-10 6.0-11 6.0-12 6.0-13 6.0-14 6.0-15 6.0-16 6.0-17 6.0-18 \ 6.0-1 6.0-2 6.0-3 6.0-4 6.0-5 6.0-6 6.0-7 6.0-8 6.0-9 6.0-10 6.0-11 6.0-12 6.0-13 6.0-14 6.0-15 6.0-16 6.0-17 6.0-18 \
6.1-1 6.1-2 6.1-3 6.1-4 6.1-5 6.1-6 6.1-7 6.1-8 6.1-9 6.1-1 6.1-2 6.1-3 6.1-4 6.1-5 6.1-6 6.1-7 6.1-8 6.1-9 6.1-10
# All citus--*.sql files in the source directory # All citus--*.sql files in the source directory
DATA = $(patsubst $(citus_abs_srcdir)/%.sql,%.sql,$(wildcard $(citus_abs_srcdir)/$(EXTENSION)--*--*.sql)) DATA = $(patsubst $(citus_abs_srcdir)/%.sql,%.sql,$(wildcard $(citus_abs_srcdir)/$(EXTENSION)--*--*.sql))
@ -113,6 +113,8 @@ $(EXTENSION)--6.1-8.sql: $(EXTENSION)--6.1-7.sql $(EXTENSION)--6.1-7--6.1-8.sql
cat $^ > $@ cat $^ > $@
$(EXTENSION)--6.1-9.sql: $(EXTENSION)--6.1-8.sql $(EXTENSION)--6.1-8--6.1-9.sql $(EXTENSION)--6.1-9.sql: $(EXTENSION)--6.1-8.sql $(EXTENSION)--6.1-8--6.1-9.sql
cat $^ > $@ cat $^ > $@
$(EXTENSION)--6.1-10.sql: $(EXTENSION)--6.1-9.sql $(EXTENSION)--6.1-9--6.1-10.sql
cat $^ > $@
NO_PGXS = 1 NO_PGXS = 1


@ -86,4 +86,4 @@ $cdbdt$;
COMMENT ON FUNCTION citus_drop_trigger() COMMENT ON FUNCTION citus_drop_trigger()
IS 'perform checks and actions at the end of DROP actions'; IS 'perform checks and actions at the end of DROP actions';
RESET search_path; RESET search_path;


@ -0,0 +1,10 @@
/* citus--6.1-9--6.1-10.sql */
GRANT SELECT ON pg_catalog.pg_dist_node TO public;
GRANT SELECT ON pg_catalog.pg_dist_colocation TO public;
GRANT SELECT ON pg_catalog.pg_dist_colocationid_seq TO public;
GRANT SELECT ON pg_catalog.pg_dist_groupid_seq TO public;
GRANT SELECT ON pg_catalog.pg_dist_node_nodeid_seq TO public;
GRANT SELECT ON pg_catalog.pg_dist_shard_placement_placementid_seq TO public;
GRANT SELECT ON pg_catalog.pg_dist_shardid_seq TO public;
GRANT SELECT ON pg_catalog.pg_dist_jobid_seq TO public;
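Review bot: The migration grants to `public` with no comment on why world-readable access is acceptable, and the `pg_dist_node` grant in the first statement is the one that most needs it, since that table presumably lists the worker hosts and ports and becomes readable by every role that can connect. I would add a header comment such as `-- read-only metadata access for all roles; SELECT on a sequence allows reading its state but not nextval()`, so the intended scope of the grant is on record. Because the script runs as part of the extension update, a deployment that wants these relations restricted has to REVOKE again after `ALTER EXTENSION citus UPDATE`, which is worth stating in the release notes.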


@ -1,6 +1,6 @@
# Citus extension # Citus extension
comment = 'Citus distributed database' comment = 'Citus distributed database'
default_version = '6.1-9' default_version = '6.1-10'
module_pathname = '$libdir/citus' module_pathname = '$libdir/citus'
relocatable = false relocatable = false
schema = pg_catalog schema = pg_catalog


@ -67,6 +67,7 @@ ALTER EXTENSION citus UPDATE TO '6.1-6';
ALTER EXTENSION citus UPDATE TO '6.1-7'; ALTER EXTENSION citus UPDATE TO '6.1-7';
ALTER EXTENSION citus UPDATE TO '6.1-8'; ALTER EXTENSION citus UPDATE TO '6.1-8';
ALTER EXTENSION citus UPDATE TO '6.1-9'; ALTER EXTENSION citus UPDATE TO '6.1-9';
ALTER EXTENSION citus UPDATE TO '6.1-10';
-- ensure no objects were created outside pg_catalog -- ensure no objects were created outside pg_catalog
SELECT COUNT(*) SELECT COUNT(*)
FROM pg_depend AS pgd, FROM pg_depend AS pgd,


@ -0,0 +1,27 @@
--
-- MULTI_METADATA_ACCESS
--
ALTER SEQUENCE pg_catalog.pg_dist_shardid_seq RESTART 1360000;
ALTER SEQUENCE pg_catalog.pg_dist_jobid_seq RESTART 1360000;
CREATE USER no_access;
NOTICE: not propagating CREATE ROLE/USER commands to worker nodes
HINT: Connect to worker nodes directly to manually create all necessary users and roles.
SET ROLE no_access;
-- list relations in the citus extension without sufficient privileges
SELECT pg_class.oid::regclass
FROM pg_class
JOIN pg_namespace nsp ON (pg_class.relnamespace = nsp.oid)
JOIN pg_depend dep ON(objid = pg_class.oid)
JOIN pg_extension ext ON (ext.oid = dep.refobjid)
WHERE
refclassid = 'pg_extension'::regclass
AND classid ='pg_class'::regclass
AND ext.extname = 'citus'
AND nsp.nspname = 'pg_catalog'
AND NOT has_table_privilege(pg_class.oid, 'select');
oid
-----
(0 rows)
RESET role;
DROP USER no_access;


@ -19,6 +19,7 @@ test: multi_extension
test: multi_cluster_management test: multi_cluster_management
test: multi_table_ddl test: multi_table_ddl
test: multi_name_lengths test: multi_name_lengths
test: multi_metadata_access
# ---------- # ----------
# The following distributed tests depend on creating a partitioned table and # The following distributed tests depend on creating a partitioned table and


@ -67,6 +67,7 @@ ALTER EXTENSION citus UPDATE TO '6.1-6';
ALTER EXTENSION citus UPDATE TO '6.1-7'; ALTER EXTENSION citus UPDATE TO '6.1-7';
ALTER EXTENSION citus UPDATE TO '6.1-8'; ALTER EXTENSION citus UPDATE TO '6.1-8';
ALTER EXTENSION citus UPDATE TO '6.1-9'; ALTER EXTENSION citus UPDATE TO '6.1-9';
ALTER EXTENSION citus UPDATE TO '6.1-10';
-- ensure no objects were created outside pg_catalog -- ensure no objects were created outside pg_catalog
SELECT COUNT(*) SELECT COUNT(*)


@ -0,0 +1,26 @@
--
-- MULTI_METADATA_ACCESS
--
ALTER SEQUENCE pg_catalog.pg_dist_shardid_seq RESTART 1360000;
ALTER SEQUENCE pg_catalog.pg_dist_jobid_seq RESTART 1360000;
CREATE USER no_access;
SET ROLE no_access;
-- list relations in the citus extension without sufficient privileges
SELECT pg_class.oid::regclass
FROM pg_class
JOIN pg_namespace nsp ON (pg_class.relnamespace = nsp.oid)
JOIN pg_depend dep ON(objid = pg_class.oid)
JOIN pg_extension ext ON (ext.oid = dep.refobjid)
WHERE
refclassid = 'pg_extension'::regclass
AND classid ='pg_class'::regclass
AND ext.extname = 'citus'
AND nsp.nspname = 'pg_catalog'
AND NOT has_table_privilege(pg_class.oid, 'select');
RESET role;
DROP USER no_access;
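Review bot: The zero-row expectation of the query in this test turns "every Citus relation in pg_catalog is readable by an unprivileged role" into a standing rule, but nothing in the file says so. A later metadata table that should stay private would fail this test, and the easiest way to make it pass again is another grant to `public`. I would document the intent above the query, e.g. `-- every citus relation in pg_catalog is expected to be world-readable; a relation that must stay private needs an explicit exclusion here`. Qualifying `objid`, `classid` and `refclassid` with `dep.` would also make the joins read unambiguously.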