mirror of https://github.com/citusdata/citus.git
Support for SECURITY LABEL on ROLE from non-main database. For now the object of the security label is checked with an if statement. That part will be updated after #7443.
parent
211415dd4b
commit
0a51de1635
|
@ -175,6 +175,7 @@ static MarkObjectDistributedParams GetMarkObjectDistributedParams(Node *parsetre
|
||||||
* NonMainDbDistributedStatementInfo objects.
|
* NonMainDbDistributedStatementInfo objects.
|
||||||
*/
|
*/
|
||||||
static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node);
|
static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node);
|
||||||
|
static bool NonMainDbCheckSupportedObjectTypeForSecLabel(Node *node);
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -188,6 +189,7 @@ static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] =
|
||||||
{ T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant },
|
{ T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant },
|
||||||
{ T_CreatedbStmt, false, NULL },
|
{ T_CreatedbStmt, false, NULL },
|
||||||
{ T_DropdbStmt, false, NULL },
|
{ T_DropdbStmt, false, NULL },
|
||||||
|
{ T_SecLabelStmt, false, NonMainDbCheckSupportedObjectTypeForSecLabel},
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -1862,3 +1864,15 @@ NonMainDbCheckSupportedObjectTypeForGrant(Node *node)
|
||||||
GrantStmt *stmt = castNode(GrantStmt, node);
|
GrantStmt *stmt = castNode(GrantStmt, node);
|
||||||
return stmt->objtype == OBJECT_DATABASE;
|
return stmt->objtype == OBJECT_DATABASE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* NonMainDbCheckSupportedObjectTypeForSecLabel implements checkSupportedObjectTypes
|
||||||
|
* callback for SecLabel.
|
||||||
|
*/
|
||||||
|
static bool
|
||||||
|
NonMainDbCheckSupportedObjectTypeForSecLabel(Node *node)
|
||||||
|
{
|
||||||
|
SecLabelStmt *stmt = castNode(SecLabelStmt, node);
|
||||||
|
return stmt->objtype == OBJECT_ROLE;
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
-- SECLABEL
|
||||||
|
--
|
||||||
|
-- Test suite for running SECURITY LABEL ON ROLE statements from non-main databases
|
||||||
|
SET citus.enable_create_database_propagation to ON;
|
||||||
|
CREATE DATABASE database1;
|
||||||
|
CREATE DATABASE database2;
|
||||||
|
\c - - - :worker_1_port
|
||||||
|
SET citus.enable_create_database_propagation to ON;
|
||||||
|
CREATE DATABASE database_w1;
|
||||||
|
\c - - - :master_port
|
||||||
|
CREATE ROLE user1;
|
||||||
|
\c database1
|
||||||
|
SHOW citus.main_db;
|
||||||
|
citus.main_db
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
regression
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
SHOW citus.superuser;
|
||||||
|
citus.superuser
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
postgres
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
CREATE ROLE "user 2";
|
||||||
|
-- Set a SECURITY LABEL on a role from a non-main database
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified';
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_unclassified';
|
||||||
|
-- Check the result
|
||||||
|
\c regression
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
|
||||||
|
node_type | result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
coordinator | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_1 | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_2 | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
|
||||||
|
node_type | result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_1 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_2 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
\c database1
|
||||||
|
-- Set a SECURITY LABEL on database, it should not be propagated
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database1 IS 'citus_classified';
|
||||||
|
-- Set a SECURITY LABEL on a table, it should not be propagated
|
||||||
|
CREATE TABLE a (i int);
|
||||||
|
SECURITY LABEL ON TABLE a IS 'citus_classified';
|
||||||
|
\c regression
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database1') ORDER BY node_type;
|
||||||
|
node_type | result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
coordinator | {"label": "citus_classified", "objtype": "database", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_1 |
|
||||||
|
worker_2 |
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
-- Check that only the SECURITY LABEL for ROLES is propagated to the non-main databases on other nodes
|
||||||
|
\c - - - :worker_1_port
|
||||||
|
\c database_w1
|
||||||
|
SELECT provider, objtype, label, objname FROM pg_seclabels ORDER BY objname;
|
||||||
|
provider | objtype | label | objname
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
citus '!tests_label_provider | role | citus_unclassified | "user 2"
|
||||||
|
citus '!tests_label_provider | role | citus_classified | user1
|
||||||
|
(2 rows)
|
||||||
|
|
||||||
|
-- Check the result after a transaction
|
||||||
|
BEGIN;
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_unclassified';
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database_w1 IS 'citus_classified';
|
||||||
|
COMMIT;
|
||||||
|
\c regression
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database_w1') ORDER BY node_type;
|
||||||
|
node_type | result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
coordinator |
|
||||||
|
worker_1 | {"label": "citus_classified", "objtype": "database", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_2 |
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
|
||||||
|
node_type | result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_1 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_2 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
BEGIN;
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_classified';
|
||||||
|
ROLLBACK;
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
|
||||||
|
node_type | result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_1 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
worker_2 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
-- clean up
|
||||||
|
DROP DATABASE database1;
|
||||||
|
DROP DATABASE database2;
|
||||||
|
DROP DATABASE database_w1;
|
||||||
|
DROP ROLE user1;
|
||||||
|
DROP ROLE "user 2";
|
|
@ -109,6 +109,7 @@ test: undistribute_table
|
||||||
test: run_command_on_all_nodes
|
test: run_command_on_all_nodes
|
||||||
test: background_task_queue_monitor
|
test: background_task_queue_monitor
|
||||||
test: other_databases grant_role_from_non_maindb
|
test: other_databases grant_role_from_non_maindb
|
||||||
|
test: seclabel_non_maindb
|
||||||
test: citus_internal_access
|
test: citus_internal_access
|
||||||
|
|
||||||
# Causal clock test
|
# Causal clock test
|
||||||
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
-- SECLABEL
|
||||||
|
--
|
||||||
|
-- Test suite for running SECURITY LABEL ON ROLE statements from non-main databases
|
||||||
|
|
||||||
|
SET citus.enable_create_database_propagation to ON;
|
||||||
|
|
||||||
|
CREATE DATABASE database1;
|
||||||
|
CREATE DATABASE database2;
|
||||||
|
|
||||||
|
\c - - - :worker_1_port
|
||||||
|
SET citus.enable_create_database_propagation to ON;
|
||||||
|
CREATE DATABASE database_w1;
|
||||||
|
|
||||||
|
|
||||||
|
\c - - - :master_port
|
||||||
|
CREATE ROLE user1;
|
||||||
|
\c database1
|
||||||
|
SHOW citus.main_db;
|
||||||
|
SHOW citus.superuser;
|
||||||
|
|
||||||
|
CREATE ROLE "user 2";
|
||||||
|
|
||||||
|
-- Set a SECURITY LABEL on a role from a non-main database
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified';
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_unclassified';
|
||||||
|
|
||||||
|
-- Check the result
|
||||||
|
\c regression
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
|
||||||
|
|
||||||
|
\c database1
|
||||||
|
-- Set a SECURITY LABEL on database, it should not be propagated
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database1 IS 'citus_classified';
|
||||||
|
|
||||||
|
-- Set a SECURITY LABEL on a table, it should not be propagated
|
||||||
|
CREATE TABLE a (i int);
|
||||||
|
SECURITY LABEL ON TABLE a IS 'citus_classified';
|
||||||
|
|
||||||
|
\c regression
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database1') ORDER BY node_type;
|
||||||
|
|
||||||
|
-- Check that only the SECURITY LABEL for ROLES is propagated to the non-main databases on other nodes
|
||||||
|
\c - - - :worker_1_port
|
||||||
|
\c database_w1
|
||||||
|
SELECT provider, objtype, label, objname FROM pg_seclabels ORDER BY objname;
|
||||||
|
|
||||||
|
|
||||||
|
-- Check the result after a transaction
|
||||||
|
BEGIN;
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_unclassified';
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database_w1 IS 'citus_classified';
|
||||||
|
COMMIT;
|
||||||
|
|
||||||
|
\c regression
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database_w1') ORDER BY node_type;
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
|
||||||
|
|
||||||
|
BEGIN;
|
||||||
|
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_classified';
|
||||||
|
ROLLBACK;
|
||||||
|
|
||||||
|
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
|
||||||
|
|
||||||
|
-- clean up
|
||||||
|
DROP DATABASE database1;
|
||||||
|
DROP DATABASE database2;
|
||||||
|
DROP DATABASE database_w1;
|
||||||
|
DROP ROLE user1;
|
||||||
|
DROP ROLE "user 2";
|
Loading…
Reference in New Issue