Add worker_append_table_to_shard permissions tests

pull/5978/head
Marco Slot 2021-09-08 15:52:47 +02:00
parent 28a503fad9
commit 25c71fb3d0
2 changed files with 57 additions and 0 deletions


@ -667,6 +667,39 @@ SELECT worker_fetch_partition_file(42, 1, 1, 1, 'localhost', :worker_1_port);
(1 row)
RESET ROLE;
-- non-superuser should be able to use worker_append_table_to_shard on their own shard
SET ROLE full_access;
CREATE TABLE full_access_user_schema.source_table (id int);
INSERT INTO full_access_user_schema.source_table VALUES (1);
CREATE TABLE full_access_user_schema.shard_0 (id int);
SELECT worker_append_table_to_shard('full_access_user_schema.shard_0', 'full_access_user_schema.source_table', 'localhost', :worker_2_port);
worker_append_table_to_shard
---------------------------------------------------------------------
(1 row)
SELECT * FROM full_access_user_schema.shard_0;
id
---------------------------------------------------------------------
1
(1 row)
RESET ROLE;
-- other users should not be able to read from a table they have no access to via worker_append_table_to_shard
SET ROLE usage_access;
SELECT worker_append_table_to_shard('full_access_user_schema.shard_0', 'full_access_user_schema.source_table', 'localhost', :worker_2_port);
WARNING: permission denied for table source_table
CONTEXT: while executing command on localhost:xxxxx
ERROR: could not copy table "source_table" from "localhost:xxxxx"
RESET ROLE;
-- allow usage_access to read from table
GRANT SELECT ON full_access_user_schema.source_table TO usage_access;
-- other users should not be able to write to a table they do not have write access to
SET ROLE usage_access;
SELECT worker_append_table_to_shard('full_access_user_schema.shard_0', 'full_access_user_schema.source_table', 'localhost', :worker_2_port);
ERROR: permission denied for table shard_0
RESET ROLE;
DROP TABLE full_access_user_schema.source_table, full_access_user_schema.shard_0;
-- now we will test that only the user who owns the fetched file is able to merge it into
-- a table
-- test that no other user can merge the downloaded file before the task is being tracked


@ -410,6 +410,30 @@ SET ROLE full_access;
SELECT worker_fetch_partition_file(42, 1, 1, 1, 'localhost', :worker_1_port);
RESET ROLE;
-- non-superuser should be able to use worker_append_table_to_shard on their own shard
SET ROLE full_access;
CREATE TABLE full_access_user_schema.source_table (id int);
INSERT INTO full_access_user_schema.source_table VALUES (1);
CREATE TABLE full_access_user_schema.shard_0 (id int);
SELECT worker_append_table_to_shard('full_access_user_schema.shard_0', 'full_access_user_schema.source_table', 'localhost', :worker_2_port);
SELECT * FROM full_access_user_schema.shard_0;
RESET ROLE;
-- other users should not be able to read from a table they have no access to via worker_append_table_to_shard
SET ROLE usage_access;
SELECT worker_append_table_to_shard('full_access_user_schema.shard_0', 'full_access_user_schema.source_table', 'localhost', :worker_2_port);
RESET ROLE;
-- allow usage_access to read from table
GRANT SELECT ON full_access_user_schema.source_table TO usage_access;
-- other users should not be able to write to a table they do not have write access to
SET ROLE usage_access;
SELECT worker_append_table_to_shard('full_access_user_schema.shard_0', 'full_access_user_schema.source_table', 'localhost', :worker_2_port);
RESET ROLE;
DROP TABLE full_access_user_schema.source_table, full_access_user_schema.shard_0;
-- now we will test that only the user who owns the fetched file is able to merge it into
-- a table
-- test that no other user can merge the downloaded file before the task is being tracked
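Review bot: The two denied calls made under `SET ROLE usage_access` check only the error text, not that `full_access_user_schema.shard_0` was left unchanged. A regression that appended rows before raising the permission error, or failed only after a partial copy, would still pass these tests. After the last `RESET ROLE;` and before the `DROP TABLE`, I would add `SELECT count(*) FROM full_access_user_schema.shard_0;` and expect a count of 1 in the expected-output file. The read-denied case also runs with a role that lacks both read and write access, so it does not show on its own that the source-table check fires for a role that can write to the shard; a short comment saying so, or a variant with `GRANT INSERT` on `shard_0` only, would make the intent explicit.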