From 0bbfbf3c36efc892d998451ad6a0cac3deb7a6b2 Mon Sep 17 00:00:00 2001
From: Naisila Puka <37271756+naisila@users.noreply.github.com>
Date: Tue, 27 Sep 2022 14:53:23 +0300
Subject: [PATCH] Tests moving a shard with RLS owned by nonbypassrls & nonsuperuser (#6369)

(cherry picked from commit 63e4d2372226c7bfff0e65676d59ccfbd9b15626)
---
 ...enterprise_isolation_logicalrep_1_schedule | 1 +
 ...logical_replication_nonsu_nonbypassrls.out | 170 ++++++++++++++++++
 ...ogical_replication_nonsu_nonbypassrls.spec | 136 ++++++++++++++
 3 files changed, 307 insertions(+)
 create mode 100644 src/test/regress/expected/isolation_logical_replication_nonsu_nonbypassrls.out
 create mode 100644 src/test/regress/spec/isolation_logical_replication_nonsu_nonbypassrls.spec

diff --git a/src/test/regress/enterprise_isolation_logicalrep_1_schedule b/src/test/regress/enterprise_isolation_logicalrep_1_schedule
index 23ed93739..2656e96d5 100644
--- a/src/test/regress/enterprise_isolation_logicalrep_1_schedule
+++ b/src/test/regress/enterprise_isolation_logicalrep_1_schedule
@@ -6,6 +6,7 @@
 test: isolation_setup
 test: isolation_cluster_management
 test: isolation_logical_replication_single_shard_commands
+test: isolation_logical_replication_nonsu_nonbypassrls
 test: isolation_logical_replication_multi_shard_commands
 test: isolation_non_blocking_shard_split
 test: isolation_create_distributed_concurrently_after_drop_column
diff --git a/src/test/regress/expected/isolation_logical_replication_nonsu_nonbypassrls.out b/src/test/regress/expected/isolation_logical_replication_nonsu_nonbypassrls.out
new file mode 100644
index 000000000..19a3746c0
--- /dev/null
+++ b/src/test/regress/expected/isolation_logical_replication_nonsu_nonbypassrls.out
@@ -0,0 +1,170 @@ +Parsed test spec with 3 sessions + +starting permutation: s1-table-owner-new_user s1-table-enable-rls s1-get-shard-distribution s1-user-spec s3-acquire-advisory-lock s1-begin s1-set-role s1-move-placement s2-insert s3-release-advisory-lock s1-reset-role s1-end s1-select s1-get-shard-distribution +step s1-table-owner-new_user: + ALTER TABLE dist OWNER TO new_user; + +step s1-table-enable-rls: + ALTER TABLE dist ENABLE ROW LEVEL SECURITY; + +step s1-get-shard-distribution: + SELECT shardid, nodeport FROM pg_dist_placement INNER JOIN pg_dist_node ON (pg_dist_placement.groupid = pg_dist_node.groupid) WHERE shardstate != 4 AND shardid IN (SELECT * FROM selected_shard) ORDER BY nodeport; + +shardid|nodeport +--------------------------------------------------------------------- +1234003| 57638 +(1 row) + +step s1-user-spec: + SELECT rolname, rolsuper, rolbypassrls FROM pg_authid WHERE rolname = 'new_user'; + +rolname |rolsuper|rolbypassrls +--------------------------------------------------------------------- +new_user|f |f +(1 row) + +step s3-acquire-advisory-lock: + SELECT pg_advisory_lock(44000, 55152); + +pg_advisory_lock +--------------------------------------------------------------------- + +(1 row) + +step s1-begin: + BEGIN; + +step s1-set-role: + SET ROLE new_user; + +step s1-move-placement: + SELECT citus_move_shard_placement((SELECT * FROM selected_shard), 'localhost', 57638, 'localhost', 57637); + +step s2-insert: + INSERT INTO dist VALUES (23, 23); + +step s3-release-advisory-lock: + SELECT pg_advisory_unlock(44000, 55152); + +pg_advisory_unlock +--------------------------------------------------------------------- +t +(1 row) + +step s1-move-placement: <... 
completed> +citus_move_shard_placement +--------------------------------------------------------------------- + +(1 row) + +step s1-reset-role: + RESET ROLE; + +step s1-end: + COMMIT; + +step s1-select: + SELECT * FROM dist ORDER BY column1; + +column1|column2 +--------------------------------------------------------------------- + 23| 23 +(1 row) + +step s1-get-shard-distribution: + SELECT shardid, nodeport FROM pg_dist_placement INNER JOIN pg_dist_node ON (pg_dist_placement.groupid = pg_dist_node.groupid) WHERE shardstate != 4 AND shardid IN (SELECT * FROM selected_shard) ORDER BY nodeport; + +shardid|nodeport +--------------------------------------------------------------------- +1234003| 57637 +(1 row) + + +starting permutation: s1-no-connection-cache s2-no-connection-cache s3-no-connection-cache s1-table-owner-new_user s1-table-force-rls s1-get-shard-distribution s1-user-spec s3-acquire-advisory-lock s1-begin s1-set-role s1-move-placement s2-insert s3-release-advisory-lock s1-reset-role s1-end s1-select s1-get-shard-distribution +step s1-no-connection-cache: + SET citus.max_cached_conns_per_worker to 0; + +step s2-no-connection-cache: + SET citus.max_cached_conns_per_worker to 0; + +step s3-no-connection-cache: + SET citus.max_cached_conns_per_worker to 0; + +step s1-table-owner-new_user: + ALTER TABLE dist OWNER TO new_user; + +step s1-table-force-rls: + ALTER TABLE dist FORCE ROW LEVEL SECURITY; + +step s1-get-shard-distribution: + SELECT shardid, nodeport FROM pg_dist_placement INNER JOIN pg_dist_node ON (pg_dist_placement.groupid = pg_dist_node.groupid) WHERE shardstate != 4 AND shardid IN (SELECT * FROM selected_shard) ORDER BY nodeport; + +shardid|nodeport +--------------------------------------------------------------------- +1234003| 57638 +(1 row) + +step s1-user-spec: + SELECT rolname, rolsuper, rolbypassrls FROM pg_authid WHERE rolname = 'new_user'; + +rolname |rolsuper|rolbypassrls 
+--------------------------------------------------------------------- +new_user|f |f +(1 row) + +step s3-acquire-advisory-lock: + SELECT pg_advisory_lock(44000, 55152); + +pg_advisory_lock +--------------------------------------------------------------------- + +(1 row) + +step s1-begin: + BEGIN; + +step s1-set-role: + SET ROLE new_user; + +step s1-move-placement: + SELECT citus_move_shard_placement((SELECT * FROM selected_shard), 'localhost', 57638, 'localhost', 57637); + +step s2-insert: + INSERT INTO dist VALUES (23, 23); + +step s3-release-advisory-lock: + SELECT pg_advisory_unlock(44000, 55152); + +pg_advisory_unlock +--------------------------------------------------------------------- +t +(1 row) + +step s1-move-placement: <... completed> +citus_move_shard_placement +--------------------------------------------------------------------- + +(1 row) + +step s1-reset-role: + RESET ROLE; + +step s1-end: + COMMIT; + +step s1-select: + SELECT * FROM dist ORDER BY column1; + +column1|column2 +--------------------------------------------------------------------- + 23| 23 +(1 row) + +step s1-get-shard-distribution: + SELECT shardid, nodeport FROM pg_dist_placement INNER JOIN pg_dist_node ON (pg_dist_placement.groupid = pg_dist_node.groupid) WHERE shardstate != 4 AND shardid IN (SELECT * FROM selected_shard) ORDER BY nodeport; + +shardid|nodeport +--------------------------------------------------------------------- +1234003| 57637 +(1 row) + diff --git a/src/test/regress/spec/isolation_logical_replication_nonsu_nonbypassrls.spec b/src/test/regress/spec/isolation_logical_replication_nonsu_nonbypassrls.spec new file mode 100644 index 000000000..1eaeee98f --- /dev/null +++ b/src/test/regress/spec/isolation_logical_replication_nonsu_nonbypassrls.spec 
@@ -0,0 +1,136 @@
+// isolation_logical_replication_nonsu_nonbypassrls
+// test moving a single shard that has rls
+// owned by a user that is neither superuser nor bypassrls
+// PG15 added extra permission checks within logical replication
+// this test makes sure that target table owners should still
+// be able to replicate despite RLS policies.
+// Relevant PG commit: a2ab9c06ea15fbcb2bfde570986a06b37f52bcca
+
+setup
+{
+ -- setup involves a lot of DDL inside a single tx block, so use sequential mode
+ SET LOCAL citus.multi_shard_modify_mode TO 'sequential';
+
+ SET citus.max_cached_conns_per_worker to 0;
+ SET citus.next_shard_id TO 1234000;
+ SET citus.shard_count TO 4;
+ SET citus.shard_replication_factor TO 1;
+
+ CREATE TABLE dist(column1 int PRIMARY KEY, column2 int);
+ SELECT create_distributed_table('dist', 'column1');
+
+ CREATE USER new_user;
+ GRANT ALL ON SCHEMA public TO new_user;
+
+ SELECT get_shard_id_for_distribution_column('dist', 23) INTO selected_shard;
+ GRANT ALL ON TABLE selected_shard TO new_user;
+}
+
+teardown
+{
+ DROP TABLE selected_shard;
+ DROP TABLE dist;
+ REVOKE ALL ON SCHEMA public FROM new_user;
+ DROP USER new_user;
+}
+
+session "s1"
+
+step "s1-no-connection-cache"
+{
+ SET citus.max_cached_conns_per_worker to 0;
+}
+
+step "s1-table-owner-new_user"
+{
+ ALTER TABLE dist OWNER TO new_user;
+}
+
+step "s1-table-enable-rls"
+{
+ ALTER TABLE dist ENABLE ROW LEVEL SECURITY;
+}
+
+step "s1-table-force-rls"
+{
+ ALTER TABLE dist FORCE ROW LEVEL SECURITY;
+}
+
+step "s1-user-spec"
+{
+ SELECT rolname, rolsuper, rolbypassrls FROM pg_authid WHERE rolname = 'new_user';
+}
+
+step "s1-begin"
+{
+ BEGIN;
+}
+
+step "s1-set-role"
+{
+ SET ROLE new_user;
+}
+
+step "s1-move-placement"
+{
+ SELECT citus_move_shard_placement((SELECT * FROM selected_shard), 'localhost', 57638, 'localhost', 57637);
+}
+
+step "s1-reset-role"
+{
+ RESET ROLE;
+}
+
+step "s1-end"
+{
+ COMMIT;
+}
+
+step "s1-select"
+{
+ SELECT * FROM dist ORDER BY column1;
+}
+
+step "s1-get-shard-distribution"
+{
+ SELECT shardid, nodeport FROM pg_dist_placement INNER JOIN pg_dist_node ON (pg_dist_placement.groupid = pg_dist_node.groupid) WHERE shardstate != 4 AND shardid IN (SELECT * FROM selected_shard) ORDER BY nodeport;
+}
+
+session "s2"
+
+step "s2-no-connection-cache"
+{
+ SET citus.max_cached_conns_per_worker to 0;
+}
+
+step "s2-insert"
+{
+ INSERT INTO dist VALUES (23, 23);
+}
+
+session "s3"
+
+step "s3-no-connection-cache"
+{
+ SET citus.max_cached_conns_per_worker to 0;
+}
+
+step "s3-acquire-advisory-lock"
+{
+ SELECT pg_advisory_lock(44000, 55152);
+}
+
+step "s3-release-advisory-lock"
+{
+ SELECT pg_advisory_unlock(44000, 55152);
+}
+
+// first permutation enables row level security
+// second permutation forces row level security
+// either way we should be able to complete the shard move
+// Check out https://github.com/citusdata/citus/pull/6369#discussion_r979823178 for details
+
+permutation "s1-table-owner-new_user" "s1-table-enable-rls" "s1-get-shard-distribution" "s1-user-spec" "s3-acquire-advisory-lock" "s1-begin" "s1-set-role" "s1-move-placement" "s2-insert" "s3-release-advisory-lock" "s1-reset-role" "s1-end" "s1-select" "s1-get-shard-distribution"
+// running no connection cache commands on 2nd permutation because of #3785
+// otherwise citus_move_shard_placement fails with permission error of new_user
+permutation "s1-no-connection-cache" "s2-no-connection-cache" "s3-no-connection-cache" "s1-table-owner-new_user" "s1-table-force-rls" "s1-get-shard-distribution" "s1-user-spec" "s3-acquire-advisory-lock" "s1-begin" "s1-set-role" "s1-move-placement" "s2-insert" "s3-release-advisory-lock" "s1-reset-role" "s1-end" "s1-select" "s1-get-shard-distribution"
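Review bot: No `CREATE POLICY` appears in `setup` or in any step, so both permutations run with row level security enabled (first) or forced (second) on `dist` but with no policy defined, which means only the implicit default-deny is ever in effect, while the header comment says owners should "be able to replicate despite RLS policies". If policy evaluation during apply is meant to be covered, define a policy on `dist` in `setup` and extend the expected output accordingly; otherwise reword the header to `// be able to replicate when RLS is enabled or forced on the target table (no policy is defined here).` so the scope of the test is not overstated. Note also that `s1-select` is ordered after `s1-reset-role`, so the row check runs as the superuser and asserts only that the row replicated, not what `new_user` can see through RLS; a one-line comment above the permutations stating that would help the next reader.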