From 1a3a174f67eb88448706ef673701413118769866 Mon Sep 17 00:00:00 2001
From: Marco Slot
Date: Fri, 4 Oct 2019 10:49:54 +0200
Subject: [PATCH] Grant usage on schema citus to public
---
 .../distributed/sql/citus--8.3-1--9.0-1.sql | 3 ++
 src/test/regress/expected/multi_multiuser.out | 34 ++++++++++++++++---
 src/test/regress/sql/multi_multiuser.sql | 5 +++
 3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/src/backend/distributed/sql/citus--8.3-1--9.0-1.sql b/src/backend/distributed/sql/citus--8.3-1--9.0-1.sql
index cd3ec64ad..efb686ab4 100644
--- a/src/backend/distributed/sql/citus--8.3-1--9.0-1.sql
+++ b/src/backend/distributed/sql/citus--8.3-1--9.0-1.sql
@@ -17,6 +17,9 @@ ALTER FUNCTION citus.refresh_isolation_tester_prepared_statement SET SCHEMA citu
 ALTER FUNCTION citus.replace_isolation_tester_func SET SCHEMA citus_internal;
 ALTER FUNCTION citus.restore_isolation_tester_func SET SCHEMA citus_internal;
+-- we can now safely grant usage on the citus schema to use types
+GRANT USAGE ON SCHEMA citus TO public;
+
 #include "udfs/pg_dist_shard_placement_trigger_func/9.0-1.sql"
 CREATE OR REPLACE FUNCTION pg_catalog.worker_create_or_replace_object(statement text)
diff --git a/src/test/regress/expected/multi_multiuser.out b/src/test/regress/expected/multi_multiuser.out
index 3a85444bd..0f6686331 100644
--- a/src/test/regress/expected/multi_multiuser.out
+++ b/src/test/regress/expected/multi_multiuser.out
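Review bot: The added comment on `GRANT USAGE ON SCHEMA citus TO public;` says the grant is now safe but does not state the condition that makes it so. PostgreSQL gives PUBLIC the EXECUTE privilege on new functions by default, so once USAGE is granted, schema access no longer gates any function that remains in `citus` or is created there later; the context lines suggest that is why the isolation-tester helpers are moved to `citus_internal` just above. I would record the invariant next to the grant, for example `-- citus must contain only types from here on: every role can now resolve objects in it, so new functions belong in citus_internal`. The migration script continues outside this hunk, so whether other functions still live in `citus` at this point cannot be confirmed from here.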
@@ -180,6 +180,32 @@ SELECT task_tracker_assign_task(1, 1, 'SELECT 1');
 -- check read permission
 SET ROLE read_access;
+-- should be allowed to run commands, as the current user
+SELECT result FROM run_command_on_workers($$SELECT current_user$$);
+ result
+-------------
+ read_access
+ read_access
+(2 rows)
+
+SELECT result FROM run_command_on_placements('test', $$SELECT current_user$$);
+ result
+-------------
+ read_access
+ read_access
+ read_access
+ read_access
+(4 rows)
+
+SELECT result FROM run_command_on_colocated_placements('test', 'test_coloc', $$SELECT current_user$$);
+ result
+-------------
+ read_access
+ read_access
+ read_access
+ read_access
+(4 rows)
+
 EXECUTE prepare_insert(1);
 ERROR: permission denied for table test
 EXECUTE prepare_select;
@@ -402,7 +428,7 @@ INSERT INTO full_access_user_schema.t1 VALUES (1),(2),(3);
 -- not allowed to create a table
 SELECT create_distributed_table('full_access_user_schema.t1', 'id');
 ERROR: permission denied for schema full_access_user_schema
-CONTEXT: while executing command on localhost:57637
+CONTEXT: while executing command on localhost:57638
 RESET ROLE;
 -- now we distribute the table as super user
 SELECT create_distributed_table('full_access_user_schema.t1', 'id');
@@ -536,7 +562,7 @@ ERROR: could not receive file "base/pgsql_job_cache/job_0042/task_000001/p_0000
 -- different user should not be able to fetch partition file
 SET ROLE usage_access;
 SELECT worker_fetch_partition_file(42, 1, 1, 1, 'localhost', :worker_1_port);
-WARNING: could not open file "base/pgsql_job_cache/job_0042/task_000001/p_00001.17981": No such file or directory
+WARNING: could not open file "base/pgsql_job_cache/job_0042/task_000001/p_00001.17996": No such file or directory
 CONTEXT: while executing command on localhost:57637
 ERROR: could not receive file "base/pgsql_job_cache/job_0042/task_000001/p_00001" from localhost:57637
 -- only the user whom created the files should be able to fetch
@@ -575,7 +601,7 @@ RESET ROLE;
 -- test that the super user is unable to read the contents of the intermediate file,
 -- although it does create the table
 SELECT worker_merge_files_into_table(42, 1, ARRAY['a'], ARRAY['integer']);
-WARNING: Task file "task_000001.17977" does not have expected suffix ".10"
+WARNING: Task file "task_000001.17982" does not have expected suffix ".10"
 worker_merge_files_into_table
 -------------------------------
@@ -617,7 +643,7 @@ SELECT worker_merge_files_and_run_query(42, 1,
 'CREATE TABLE task_000001_merge(merge_column_0 int)',
 'CREATE TABLE task_000001 (a) AS SELECT sum(merge_column_0) FROM task_000001_merge'
 );
-WARNING: Task file "task_000001.17977" does not have expected suffix ".10"
+WARNING: Task file "task_000001.17982" does not have expected suffix ".10"
 worker_merge_files_and_run_query
 ----------------------------------
diff --git a/src/test/regress/sql/multi_multiuser.sql b/src/test/regress/sql/multi_multiuser.sql
index 4ce88471d..8232b5116 100644
--- a/src/test/regress/sql/multi_multiuser.sql
+++ b/src/test/regress/sql/multi_multiuser.sql
@@ -128,6 +128,11 @@ SELECT task_tracker_assign_task(1, 1, 'SELECT 1');
 -- check read permission
 SET ROLE read_access;
+-- should be allowed to run commands, as the current user
+SELECT result FROM run_command_on_workers($$SELECT current_user$$);
+SELECT result FROM run_command_on_placements('test', $$SELECT current_user$$);
+SELECT result FROM run_command_on_colocated_placements('test', 'test_coloc', $$SELECT current_user$$);
+
 EXECUTE prepare_insert(1);
 EXECUTE prepare_select;
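Review bot: The three queries added to multi_multiuser.sql cover only the positive path, that `read_access` can call the `run_command_on_*` functions and that they execute as that role on the workers. Nothing added here checks the boundary the new grant depends on, namely that an ordinary role still cannot reach the helpers that were moved to `citus_internal`. If that schema is meant to stay closed to non-superusers, a check such as `SELECT has_schema_privilege('read_access', 'citus_internal', 'USAGE');` with an expected result of `f` would catch a later grant that widens it. The surrounding test block starts and ends outside the hunk.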