Support for SECURITY LABEL on ROLE from non-main database. For now the object of the security label is checked with an if statement. That part will be updated after #7443.

src/backend/distributed/commands/utility_hook.c

@@ -175,6 +175,7 @@ static MarkObjectDistributedParams GetMarkObjectDistributedParams(Node *parsetre
  * NonMainDbDistributedStatementInfo objects.
  */
 static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node);
+static bool NonMainDbCheckSupportedObjectTypeForSecLabel(Node *node);
 
 
 /*
@@ -188,6 +189,7 @@ static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] =
 	{ T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant },
 	{ T_CreatedbStmt, false, NULL },
 	{ T_DropdbStmt, false, NULL },
+	{ T_SecLabelStmt, false, NonMainDbCheckSupportedObjectTypeForSecLabel},
 };
 
 
@@ -1862,3 +1864,15 @@ NonMainDbCheckSupportedObjectTypeForGrant(Node *node)
 	GrantStmt *stmt = castNode(GrantStmt, node);
 	return stmt->objtype == OBJECT_DATABASE;
 }
+
+
+/*
+ * NonMainDbCheckSupportedObjectTypeForSecLabel implements checkSupportedObjectTypes
+ * callback for SecLabel.
+ */
+static bool
+NonMainDbCheckSupportedObjectTypeForSecLabel(Node *node)
+{
+	SecLabelStmt *stmt = castNode(SecLabelStmt, node);
+	return stmt->objtype == OBJECT_ROLE;
+}

src/test/regress/expected/seclabel_non_maindb.out

@@ -0,0 +1,110 @@
+-- SECLABEL
+--
+-- Test suite for running SECURITY LABEL ON ROLE statements from non-main databases
+SET citus.enable_create_database_propagation to ON;
+CREATE DATABASE database1;
+CREATE DATABASE database2;
+\c - - - :worker_1_port
+SET citus.enable_create_database_propagation to ON;
+CREATE DATABASE database_w1;
+\c - - - :master_port
+CREATE ROLE user1;
+\c database1
+SHOW citus.main_db;
+ citus.main_db
+---------------------------------------------------------------------
+ regression
+(1 row)
+
+SHOW citus.superuser;
+ citus.superuser
+---------------------------------------------------------------------
+ postgres
+(1 row)
+
+CREATE ROLE "user 2";
+-- Set a SECURITY LABEL on a role from a non-main database
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified';
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_unclassified';
+-- Check the result
+\c regression
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
+  node_type  |                                            result
+---------------------------------------------------------------------
+ coordinator | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_1    | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_2    | {"label": "citus_classified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+(3 rows)
+
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
+  node_type  |                                             result
+---------------------------------------------------------------------
+ coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_1    | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_2    | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+(3 rows)
+
+\c database1
+-- Set a SECURITY LABEL on database, it should not be propagated
+SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database1 IS 'citus_classified';
+-- Set a SECURITY LABEL on a table, it should not be propagated
+CREATE TABLE a (i int);
+SECURITY LABEL ON TABLE a IS 'citus_classified';
+\c regression
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('database1') ORDER BY node_type;
+  node_type  |                                              result
+---------------------------------------------------------------------
+ coordinator | {"label": "citus_classified", "objtype": "database", "provider": "citus '!tests_label_provider"}
+ worker_1    |
+ worker_2    |
+(3 rows)
+
+-- Check that only the SECURITY LABEL for ROLES is propagated to the non-main databases on other nodes
+\c - - - :worker_1_port
+\c database_w1
+SELECT provider, objtype, label, objname FROM pg_seclabels ORDER BY objname;
+           provider           | objtype |       label        | objname
+---------------------------------------------------------------------
+ citus '!tests_label_provider | role    | citus_unclassified | "user 2"
+ citus '!tests_label_provider | role    | citus_classified   | user1
+(2 rows)
+
+-- Check the result after a transaction
+BEGIN;
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_unclassified';
+SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database_w1 IS 'citus_classified';
+COMMIT;
+\c regression
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('database_w1') ORDER BY node_type;
+  node_type  |                                              result
+---------------------------------------------------------------------
+ coordinator |
+ worker_1    | {"label": "citus_classified", "objtype": "database", "provider": "citus '!tests_label_provider"}
+ worker_2    |
+(3 rows)
+
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
+  node_type  |                                             result
+---------------------------------------------------------------------
+ coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_1    | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_2    | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+(3 rows)
+
+BEGIN;
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_classified';
+ROLLBACK;
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
+  node_type  |                                             result
+---------------------------------------------------------------------
+ coordinator | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_1    | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+ worker_2    | {"label": "citus_unclassified", "objtype": "role", "provider": "citus '!tests_label_provider"}
+(3 rows)
+
+-- clean up
+DROP DATABASE database1;
+DROP DATABASE database2;
+DROP DATABASE database_w1;
+DROP ROLE user1;
+DROP ROLE "user 2";

src/test/regress/multi_schedule

@@ -109,6 +109,7 @@ test: undistribute_table
 test: run_command_on_all_nodes
 test: background_task_queue_monitor
 test: other_databases grant_role_from_non_maindb
+test: seclabel_non_maindb
 test: citus_internal_access
 
 # Causal clock test

src/test/regress/sql/seclabel_non_maindb.sql

@@ -0,0 +1,70 @@
+-- SECLABEL
+--
+-- Test suite for running SECURITY LABEL ON ROLE statements from non-main databases
+
+SET citus.enable_create_database_propagation to ON;
+
+CREATE DATABASE database1;
+CREATE DATABASE database2;
+
+\c - - - :worker_1_port
+SET citus.enable_create_database_propagation to ON;
+CREATE DATABASE database_w1;
+
+
+\c - - - :master_port
+CREATE ROLE user1;
+\c database1
+SHOW citus.main_db;
+SHOW citus.superuser;
+
+CREATE ROLE "user 2";
+
+-- Set a SECURITY LABEL on a role from a non-main database
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified';
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_unclassified';
+
+-- Check the result
+\c regression
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
+
+\c database1 
+-- Set a SECURITY LABEL on database, it should not be propagated
+SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database1 IS 'citus_classified';
+
+-- Set a SECURITY LABEL on a table, it should not be propagated
+CREATE TABLE a (i int);
+SECURITY LABEL ON TABLE a IS 'citus_classified';
+
+\c regression
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('database1') ORDER BY node_type;
+
+-- Check that only the SECURITY LABEL for ROLES is propagated to the non-main databases on other nodes
+\c - - - :worker_1_port
+\c database_w1
+SELECT provider, objtype, label, objname FROM pg_seclabels ORDER BY objname;
+
+
+-- Check the result after a transaction
+BEGIN;
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_unclassified';
+SECURITY LABEL FOR "citus '!tests_label_provider" ON DATABASE database_w1 IS 'citus_classified';
+COMMIT;
+
+\c regression
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('database_w1') ORDER BY node_type;
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('user1') ORDER BY node_type;
+
+BEGIN;
+SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus_classified';
+ROLLBACK;
+
+SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"') ORDER BY node_type;
+
+-- clean up
+DROP DATABASE database1;
+DROP DATABASE database2;
+DROP DATABASE database_w1;
+DROP ROLE user1;
+DROP ROLE "user 2";