external
/
citus
mirror of https://github.com/citusdata/citus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support for SECURITY LABEL on ROLE from non-main database. For now the object of the security label is checked with an if statement. That part will be updated after #7443.

pull/7525/head
eaydingol 2024-02-21 08:29:09 +00:00
parent 211415dd4b
commit 0a51de1635
4 changed files with 195 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/backend/distributed/commands/utility_hook.c
View File

@ -175,6 +175,7 @@ static MarkObjectDistributedParams GetMarkObjectDistributedParams(Node *parsetre
* NonMainDbDistributedStatementInfo objects. * NonMainDbDistributedStatementInfo objects.
*/ */
static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node); static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node);
static bool NonMainDbCheckSupportedObjectTypeForSecLabel(Node *node);
/* /*
@ -188,6 +189,7 @@ static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] =
{ T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant }, { T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant },
{ T_CreatedbStmt, false, NULL }, { T_CreatedbStmt, false, NULL },
{ T_DropdbStmt, false, NULL }, { T_DropdbStmt, false, NULL },
{ T_SecLabelStmt, false, NonMainDbCheckSupportedObjectTypeForSecLabel},
}; };
@ -1862,3 +1864,15 @@ NonMainDbCheckSupportedObjectTypeForGrant(Node *node)
GrantStmt *stmt = castNode(GrantStmt, node); GrantStmt *stmt = castNode(GrantStmt, node);
return stmt->objtype == OBJECT_DATABASE; return stmt->objtype == OBJECT_DATABASE;
} }
/*
* NonMainDbCheckSupportedObjectTypeForSecLabel implements checkSupportedObjectTypes
* callback for SecLabel.
*/
static bool
NonMainDbCheckSupportedObjectTypeForSecLabel(Node *node)
{
SecLabelStmt *stmt = castNode(SecLabelStmt, node);
return stmt->objtype == OBJECT_ROLE;
}

110
src/test/regress/expected/seclabel_non_maindb.out Normal file
View File

@ -0,0 +1,110 @@
-- SECLABEL
--
-- Test suite for running SECURITY LABEL ON ROLE statements from non-main databases
SET citus.enable_create_database_propagation to ON;
CREATE DATABASE database1;
CREATE DATABASE database2;
\c - - - :worker_1_port
SET citus.enable_create_database_propagation to ON;
CREATE DATABASE database_w1;
\c - - - :master_port
CREATE ROLE user1;
\c database1
SHOW citus.main_db;
citus.main_db
---------------------------------------------------------------------
regression
(1 row)
SHOW citus.superuser;
citus.superuser
---------------------------------------------------------------------
postgres
(1 row)
CREATE ROLE "user 2";
-- Set a SECURITY LABEL on a role from a non-main database
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified';
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_unclassified';
-- Check the result
\c regression
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
node_type | result
---------------------------------------------------------------------
coordinator | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_1 | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_2 | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
(3 rows)
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
node_type | result
---------------------------------------------------------------------
coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_1 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_2 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
(3 rows)
\c database1
-- Set a SECURITY LABEL on database, it should not be propagated
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database1 IS 'citus_classified';
-- Set a SECURITY LABEL on a table, it should not be propagated
CREATE TABLE a (i int);
SECURITY LABEL ON TABLE a IS 'citus_classified';
\c regression
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database1') ORDER BY node_type;
node_type | result
---------------------------------------------------------------------
coordinator | {"label": "citus_classified", "objtype": "database", "provider": "citus '!tests_label_provider"}
worker_1 |
worker_2 |
(3 rows)
-- Check that only the SECURITY LABEL for ROLES is propagated to the non-main databases on other nodes
\c - - - :worker_1_port
\c database_w1
SELECT provider, objtype, label, objname FROM pg_seclabels ORDER BY objname;
provider | objtype | label | objname
---------------------------------------------------------------------
citus '!tests_label_provider | role | citus_unclassified | "user 2"
citus '!tests_label_provider | role | citus_classified | user1
(2 rows)
-- Check the result after a transaction
BEGIN;
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_unclassified';
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database_w1 IS 'citus_classified';
COMMIT;
\c regression
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database_w1') ORDER BY node_type;
node_type | result
---------------------------------------------------------------------
coordinator |
worker_1 | {"label": "citus_classified", "objtype": "database", "provider": "citus '!tests_label_provider"}
worker_2 |
(3 rows)
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
node_type | result
---------------------------------------------------------------------
coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_1 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_2 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
(3 rows)
BEGIN;
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_classified';
ROLLBACK;
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
node_type | result
---------------------------------------------------------------------
coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_1 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
worker_2 | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
(3 rows)
-- clean up
DROP DATABASE database1;
DROP DATABASE database2;
DROP DATABASE database_w1;
DROP ROLE user1;
DROP ROLE "user 2";

1
src/test/regress/multi_schedule
View File

@ -109,6 +109,7 @@ test: undistribute_table
test: run_command_on_all_nodes test: run_command_on_all_nodes
test: background_task_queue_monitor test: background_task_queue_monitor
test: other_databases grant_role_from_non_maindb test: other_databases grant_role_from_non_maindb
test: seclabel_non_maindb
test: citus_internal_access test: citus_internal_access
# Causal clock test # Causal clock test

70
src/test/regress/sql/seclabel_non_maindb.sql Normal file
View File

@ -0,0 +1,70 @@
-- SECLABEL
--
-- Test suite for running SECURITY LABEL ON ROLE statements from non-main databases
SET citus.enable_create_database_propagation to ON;
CREATE DATABASE database1;
CREATE DATABASE database2;
\c - - - :worker_1_port
SET citus.enable_create_database_propagation to ON;
CREATE DATABASE database_w1;
\c - - - :master_port
CREATE ROLE user1;
\c database1
SHOW citus.main_db;
SHOW citus.superuser;
CREATE ROLE "user 2";
-- Set a SECURITY LABEL on a role from a non-main database
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified';
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_unclassified';
-- Check the result
\c regression
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
\c database1
-- Set a SECURITY LABEL on database, it should not be propagated
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database1 IS 'citus_classified';
-- Set a SECURITY LABEL on a table, it should not be propagated
CREATE TABLE a (i int);
SECURITY LABEL ON TABLE a IS 'citus_classified';
\c regression
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database1') ORDER BY node_type;
-- Check that only the SECURITY LABEL for ROLES is propagated to the non-main databases on other nodes
\c - - - :worker_1_port
\c database_w1
SELECT provider, objtype, label, objname FROM pg_seclabels ORDER BY objname;
-- Check the result after a transaction
BEGIN;
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_unclassified';
SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database_w1 IS 'citus_classified';
COMMIT;
\c regression
SELECT node_type, result FROM get_citus_tests_label_provider_labels('database_w1') ORDER BY node_type;
SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
BEGIN;
SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_classified';
ROLLBACK;
SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
-- clean up
DROP DATABASE database1;
DROP DATABASE database2;
DROP DATABASE database_w1;
DROP ROLE user1;
DROP ROLE "user 2";