diff --git a/src/backend/distributed/commands/utility_hook.c b/src/backend/distributed/commands/utility_hook.c index 005ee5235..5d334e459 100644 --- a/src/backend/distributed/commands/utility_hook.c +++ b/src/backend/distributed/commands/utility_hook.c @@ -97,50 +97,13 @@ #define UNMARK_OBJECT_DISTRIBUTED \ "SELECT pg_catalog.citus_unmark_object_distributed(%d, %d, %d,%s)" -typedef enum +typedef enum DistributedOperation { NO_DISTRIBUTED_OPS, MARK_DISTRIBUTED, UNMARK_DISTRIBUTED } DistributedOperation; -/* - * NonMainDbDistributedStatementInfo is used to determine whether a statement is - * supported from non-main databases and whether it should be marked as - * distributed explicitly (*). - * - * We always have to mark such the objects created "as distributed" but while for - * some object types we can delegate this to main database, for some others we have - * to explicitly send a command to all nodes in this code-path to achieve this. - */ -typedef struct NonMainDbDistributedStatementInfo -{ - int statementType; - DistributedOperation distributedOperation; - ObjectType *supportedObjectTypes; - int supportedObjectTypesSize; -} NonMainDbDistributedStatementInfo; - -typedef struct ObjectInfo -{ - char *name; - Oid id; -} ObjectInfo; - -/* - * NonMainDbSupportedStatements is an array of statements that are supported - * from non-main databases. - */ -ObjectType supportedObjectTypesForGrantStmt[] = { OBJECT_DATABASE }; - -static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] = { - { T_GrantRoleStmt, NO_DISTRIBUTED_OPS, NULL, 0 }, - { T_CreateRoleStmt, MARK_DISTRIBUTED, NULL, 0 }, - { T_DropRoleStmt, UNMARK_DISTRIBUTED, NULL, 0 }, - { T_AlterRoleStmt, NO_DISTRIBUTED_OPS, NULL, 0 }, - { T_GrantStmt, NO_DISTRIBUTED_OPS, supportedObjectTypesForGrantStmt, - sizeof(supportedObjectTypesForGrantStmt) / sizeof(ObjectType) } -}; /* * NonMainDbDistributedStatementInfo is used to determine whether a statement is 
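Review bot: The `DistributedOperation` enum in this hunk gains a tag but still has no comment saying what its three values mean, while the explanatory struct comment below it is removed here, apparently as a duplicate of the copy kept at the end of the hunk. A short header would help, for example `/* DistributedOperation: whether a statement run from a non-main database must explicitly mark or unmark its object as distributed, or needs neither. */`. That wording is inferred from the value names, the `UNMARK_OBJECT_DISTRIBUTED` query above and the removed comment, so confirm it against the retained struct definition, which begins at the end of this hunk and continues outside it.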
@@ -232,11 +195,13 @@ static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node); */ ObjectType supportedObjectTypesForGrantStmt[] = { OBJECT_DATABASE }; static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] = { - { T_GrantRoleStmt, false, NULL }, - { T_CreateRoleStmt, true, NULL }, - { T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant }, - { T_CreatedbStmt, false, NULL }, - { T_DropdbStmt, false, NULL }, + { T_GrantRoleStmt, NO_DISTRIBUTED_OPS, NULL }, + { T_CreateRoleStmt, MARK_DISTRIBUTED, NULL, 0 }, + { T_DropRoleStmt, UNMARK_DISTRIBUTED, NULL, 0 }, + { T_AlterRoleStmt, NO_DISTRIBUTED_OPS, NULL, 0 }, + { T_GrantStmt, NO_DISTRIBUTED_OPS, NonMainDbCheckSupportedObjectTypeForGrant }, + { T_CreatedbStmt, NO_DISTRIBUTED_OPS, NULL }, + { T_DropdbStmt, NO_DISTRIBUTED_OPS, NULL }, }; @@ -1777,7 +1742,7 @@ RunPreprocessMainDBCommand(Node *parsetree) RunCitusMainDBQuery((char *) queryString); return; } - + if (StatementRequiresUnmarkDistributedFromNonMainDb(parsetree)) { diff --git a/src/test/regress/expected/grant_on_database_propagation_2pc.out b/src/test/regress/expected/grant_on_database_propagation_2pc.out deleted file mode 100644 index b2aa4c6f2..000000000 --- a/src/test/regress/expected/grant_on_database_propagation_2pc.out +++ /dev/null 
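Review bot: The rows added to `NonMainDbSupportedStatements` mix three and four initializers: the `T_CreateRoleStmt`, `T_DropRoleStmt` and `T_AlterRoleStmt` rows end in `NULL, 0`, which matches the four-member struct removed in the first hunk, while the other rows pass a callback such as `NonMainDbCheckSupportedObjectTypeForGrant` as the third and last value. If the retained struct has three members, the trailing `0` is an excess initializer; write `{ T_CreateRoleStmt, MARK_DISTRIBUTED, NULL },`, `{ T_DropRoleStmt, UNMARK_DISTRIBUTED, NULL },` and `{ T_AlterRoleStmt, NO_DISTRIBUTED_OPS, NULL },`. The struct definition is outside the hunks shown and the removed rows used `false`/`true`, so also confirm that its second member is declared as `DistributedOperation` and not `bool`; with a `bool` member `UNMARK_DISTRIBUTED` would convert to `true` and be indistinguishable from `MARK_DISTRIBUTED`. This table is the allowlist of role and grant statements accepted from a non-main database, so a mis-typed row changes which privilege changes are marked or unmarked as distributed.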
@@ -1,470 +0,0 @@ --- Public role has connect,temp,temporary privileges on database --- To test these scenarios, we need to revoke these privileges from public role --- since public role privileges are inherited by new roles/users -set citus.enable_create_database_propagation to on; -create database test_2pc_db; -show citus.main_db; - citus.main_db ---------------------------------------------------------------------- - regression -(1 row) - -revoke connect,temp,temporary on database test_2pc_db from public; -CREATE SCHEMA grant_on_database_propagation; -SET search_path TO grant_on_database_propagation; --- test grant/revoke CREATE privilege propagation on database -create user myuser; -\c test_2pc_db - - :master_port -grant create on database test_2pc_db to myuser; -\c regression - - :master_port; -select check_database_privileges('myuser','test_2pc_db',ARRAY['CREATE']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) -(3 rows) - -\c test_2pc_db - - :master_port -revoke create on database test_2pc_db from myuser; -\c regression - - :master_port; -select check_database_privileges('myuser','test_2pc_db',ARRAY['CREATE']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) -(3 rows) - -drop user myuser; ---------------------------------------------------------------------- --- test grant/revoke CONNECT privilege propagation on database -\c regression - - :master_port -create user myuser2; -\c test_2pc_db - - :master_port -grant CONNECT on database test_2pc_db to myuser2; -\c regression - - :master_port; -select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']); - check_database_privileges ---------------------------------------------------------------------- - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) -(3 rows) - -\c test_2pc_db - - :master_port -revoke connect on database 
test_2pc_db from myuser2; -\c regression - - :master_port -select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']); - check_database_privileges ---------------------------------------------------------------------- - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) -(3 rows) - -drop user myuser2; ---------------------------------------------------------------------- --- test grant/revoke TEMP privilege propagation on database -\c regression - - :master_port -create user myuser3; --- test grant/revoke temp on database -\c test_2pc_db - - :master_port -grant TEMP on database test_2pc_db to myuser3; -\c regression - - :master_port; -select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']); - check_database_privileges ---------------------------------------------------------------------- - (TEMP,t) - (TEMP,t) - (TEMP,t) -(3 rows) - -\c test_2pc_db - - :worker_1_port -revoke TEMP on database test_2pc_db from myuser3; -\c regression - - :master_port; -select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']); - check_database_privileges ---------------------------------------------------------------------- - (TEMP,f) - (TEMP,f) - (TEMP,f) -(3 rows) - -drop user myuser3; ---------------------------------------------------------------------- -\c regression - - :master_port --- test temporary privilege on database -create user myuser4; --- test grant/revoke temporary on database -\c test_2pc_db - - :worker_1_port -grant TEMPORARY on database test_2pc_db to myuser4; -\c regression - - :master_port -select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(3 rows) - -\c test_2pc_db - - :master_port -revoke TEMPORARY on database test_2pc_db from myuser4; -\c regression - - :master_port; -select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']); - 
check_database_privileges ---------------------------------------------------------------------- - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(3 rows) - -drop user myuser4; ---------------------------------------------------------------------- --- test ALL privileges with ALL statement on database -create user myuser5; -grant ALL on database test_2pc_db to myuser5; -\c regression - - :master_port -select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -\c test_2pc_db - - :master_port -revoke ALL on database test_2pc_db from myuser5; -\c regression - - :master_port -select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) - (TEMP,f) - (TEMP,f) - (TEMP,f) - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(12 rows) - -drop user myuser5; ---------------------------------------------------------------------- --- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database -create user myuser6; -\c test_2pc_db - - :master_port -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser6; -\c regression - - :master_port -select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -\c 
test_2pc_db - - :master_port -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser6; -\c regression - - :master_port -select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) - (TEMP,f) - (TEMP,f) - (TEMP,f) - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(12 rows) - -drop user myuser6; ---------------------------------------------------------------------- --- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database with grant option -create user myuser7; -create user myuser_1; -\c test_2pc_db - - :master_port -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7; -set role myuser7; ---here since myuser does not have grant option, it should fail -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1; -WARNING: no privileges were granted for "test_2pc_db" -\c regression - - :master_port -select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) - (TEMP,f) - (TEMP,f) - (TEMP,f) - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(12 rows) - -\c test_2pc_db - - :master_port -RESET ROLE; -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7 with grant option; -set role myuser7; ---here since myuser have grant option, it should succeed -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1 granted by myuser7; -\c regression - - :master_port -select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges 
---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -\c test_2pc_db - - :master_port -RESET ROLE; ---below test should fail and should throw an error since myuser_1 still have the dependent privileges -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict; -ERROR: dependent privileges exist -HINT: Use CASCADE to revoke them too. ---below test should fail and should throw an error since myuser_1 still have the dependent privileges -revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict ; -ERROR: dependent privileges exist -HINT: Use CASCADE to revoke them too. ---below test should succeed and should not throw any error since myuser_1 privileges are revoked with cascade -revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 cascade ; ---here we test if myuser still have the privileges after revoke grant option for -\c regression - - :master_port -select check_database_privileges('myuser7','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -\c test_2pc_db - - :master_port -reset role; -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7; -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser_1; -\c regression - - :master_port -drop user myuser_1; -drop user myuser7; ---------------------------------------------------------------------- --- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database multi database --- and multi user -\c 
regression - - :master_port -create user myuser8; -create user myuser_2; -set citus.enable_create_database_propagation to on; -create database test_db; -revoke connect,temp,temporary on database test_db from public; -\c test_2pc_db - - :master_port -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db to myuser8,myuser_2; -\c regression - - :master_port -select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -\c test_2pc_db - - :master_port -RESET ROLE; ---below test should fail and should throw an error -revoke 
CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 ; ---below test should succeed and should not throw any error -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser_2; ---below test should succeed and should not throw any error -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 cascade; -\c regression - - :master_port -select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) - (TEMP,f) - (TEMP,f) - (TEMP,f) - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(12 rows) - -select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) - (TEMP,f) - (TEMP,f) - (TEMP,f) - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(12 rows) - -select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) - (TEMP,f) - (TEMP,f) - (TEMP,f) - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(12 rows) - -select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,f) - (CREATE,f) - (CREATE,f) - (CONNECT,f) - (CONNECT,f) - (CONNECT,f) - (TEMP,f) - (TEMP,f) - (TEMP,f) - (TEMPORARY,f) - (TEMPORARY,f) - (TEMPORARY,f) -(12 rows) - -\c test_2pc_db - - :master_port -reset role; -\c regression - - 
:master_port -drop user myuser_2; -drop user myuser8; -set citus.enable_create_database_propagation to on; -drop database test_db; ---------------------------------------------------------------------- --- rollbacks public role database privileges to original state -grant connect,temp,temporary on database test_2pc_db to public; -drop database test_2pc_db; -set citus.enable_create_database_propagation to off; -DROP SCHEMA grant_on_database_propagation CASCADE; ---------------------------------------------------------------------- diff --git a/src/test/regress/expected/metadata_sync_2pc.out b/src/test/regress/expected/metadata_sync_2pc.out deleted file mode 100644 index 2d268e812..000000000 --- a/src/test/regress/expected/metadata_sync_2pc.out +++ /dev/null 
@@ -1,251 +0,0 @@ -CREATE SCHEMA metadata_sync_2pc_schema; -SET search_path TO metadata_sync_2pc_schema; -set citus.enable_create_database_propagation to on; -CREATE DATABASE metadata_sync_2pc_db; -revoke connect,temp,temporary on database metadata_sync_2pc_db from public; -\c metadata_sync_2pc_db -SHOW citus.main_db; - citus.main_db ---------------------------------------------------------------------- - regression -(1 row) - -CREATE USER grant_role2pc_user1; -CREATE USER grant_role2pc_user2; -CREATE USER grant_role2pc_user3; -CREATE USER grant_role2pc_user4; -CREATE USER grant_role2pc_user5; -\c regression -select 1 from citus_remove_node('localhost', :worker_2_port); - ?column? ---------------------------------------------------------------------- - 1 -(1 row) - ---tests for grant role -\c metadata_sync_2pc_db -grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user3 WITH ADMIN OPTION; -grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user4,grant_role2pc_user5 granted by grant_role2pc_user3; ---test for grant on database -\c metadata_sync_2pc_db - - :master_port -grant create on database metadata_sync_2pc_db to grant_role2pc_user1; -grant connect on database metadata_sync_2pc_db to grant_role2pc_user2; -grant ALL on database metadata_sync_2pc_db to grant_role2pc_user3; -\c regression -select check_database_privileges('grant_role2pc_user1','metadata_sync_2pc_db',ARRAY['CREATE']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) -(2 rows) - -select check_database_privileges('grant_role2pc_user2','metadata_sync_2pc_db',ARRAY['CONNECT']); - check_database_privileges ---------------------------------------------------------------------- - (CONNECT,t) - (CONNECT,t) -(2 rows) - -select check_database_privileges('grant_role2pc_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']); - check_database_privileges 
---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) -(8 rows) - -\c regression -set citus.enable_create_database_propagation to on; -select 1 from citus_add_node('localhost', :worker_2_port); - ?column? ---------------------------------------------------------------------- - 1 -(1 row) - -select result FROM run_command_on_all_nodes($$ -SELECT array_to_json(array_agg(row_to_json(t))) -FROM ( - SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option - FROM pg_auth_members - WHERE member::regrole::text in - ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5') - order by member::regrole::text -) t -$$); - result ---------------------------------------------------------------------- - [{"member":"grant_role2pc_user3","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user4","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] - 
[{"member":"grant_role2pc_user3","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user4","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] - [{"member":"grant_role2pc_user3","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"grant_role2pc_user1","grantor":"postgres","admin_option":false},{"member":"grant_role2pc_user4","role":"grant_role2pc_user2","grantor":"postgres","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"postgres","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"postgres","admin_option":false}] -(3 rows) - -select check_database_privileges('grant_role2pc_user1','metadata_sync_2pc_db',ARRAY['CREATE']); - check_database_privileges ---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) -(3 rows) - -select check_database_privileges('grant_role2pc_user2','metadata_sync_2pc_db',ARRAY['CONNECT']); - check_database_privileges ---------------------------------------------------------------------- - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) -(3 rows) - -select check_database_privileges('grant_role2pc_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']); - check_database_privileges 
---------------------------------------------------------------------- - (CREATE,t) - (CREATE,t) - (CREATE,t) - (CONNECT,t) - (CONNECT,t) - (CONNECT,t) - (TEMP,t) - (TEMP,t) - (TEMP,t) - (TEMPORARY,t) - (TEMPORARY,t) - (TEMPORARY,t) -(12 rows) - -\c metadata_sync_2pc_db -revoke grant_role2pc_user1,grant_role2pc_user2 from grant_role2pc_user4,grant_role2pc_user5 granted by grant_role2pc_user3; -revoke admin option for grant_role2pc_user1,grant_role2pc_user2 from grant_role2pc_user3; -revoke grant_role2pc_user1,grant_role2pc_user2 from grant_role2pc_user3; -revoke ALL on database metadata_sync_2pc_db from grant_role2pc_user3; -revoke CONNECT on database metadata_sync_2pc_db from grant_role2pc_user2; -revoke CREATE on database metadata_sync_2pc_db from grant_role2pc_user1; -\c regression -drop user grant_role2pc_user1,grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5; ---test for user operations ---test for create user -\c regression - - :master_port -select 1 from citus_remove_node('localhost', :worker_2_port); - ?column? ---------------------------------------------------------------------- - 1 -(1 row) - -\c metadata_sync_2pc_db - - :master_port -CREATE ROLE test_role1 WITH LOGIN PASSWORD 'password1'; -\c metadata_sync_2pc_db - - :worker_1_port -CREATE USER "test_role2-needs\!escape" -WITH - SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN REPLICATION BYPASSRLS CONNECTION -LIMIT 10 VALID UNTIL '2023-01-01' IN ROLE test_role1; -create role test_role3; -\c regression - - :master_port -select 1 from citus_add_node('localhost', :worker_2_port); - ?column? 
---------------------------------------------------------------------- - 1 -(1 row) - -select result FROM run_command_on_all_nodes($$ - SELECT array_to_json(array_agg(row_to_json(t))) - FROM ( - SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, - rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, - (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) - FROM pg_authid - WHERE rolname in ('test_role1', 'test_role2-needs\!escape') - ORDER BY rolname - ) t -$$); - result ---------------------------------------------------------------------- - [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":true,"rolinherit":true,"rolcreaterole":true,"rolcreatedb":true,"rolcanlogin":true,"rolreplication":true,"rolbypassrls":true,"rolconnlimit":10,"pass_not_empty":null,"date":"2023-01-01"}] - [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":true,"rolinherit":true,"rolcreaterole":true,"rolcreatedb":true,"rolcanlogin":true,"rolreplication":true,"rolbypassrls":true,"rolconnlimit":10,"pass_not_empty":null,"date":"2023-01-01"}] - [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":"infinity"},{"rolname":"test_role2-needs\\!escape","rolsuper":true,"rolinherit":true,"rolcreaterole":true,"rolcreatedb":true,"rolcanlogin":true,"rolreplication":true,"rolbypassrls":true,"rolconnlimit":10,"pass_not_empty":null,"date":"2023-01-01"}] -(3 rows) - ---test for alter user -select 1 from 
citus_remove_node('localhost', :worker_2_port); - ?column? ---------------------------------------------------------------------- - 1 -(1 row) - -\c metadata_sync_2pc_db - - :master_port --- Test ALTER ROLE with various options -ALTER ROLE test_role1 WITH PASSWORD 'new_password1'; -\c metadata_sync_2pc_db - - :worker_1_port -ALTER USER "test_role2-needs\!escape" -WITH - NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION -LIMIT 5 VALID UNTIL '2024-01-01'; -\c regression - - :master_port -select 1 from citus_add_node('localhost', :worker_2_port); - ?column? ---------------------------------------------------------------------- - 1 -(1 row) - -select result FROM run_command_on_all_nodes($$ - SELECT array_to_json(array_agg(row_to_json(t))) - FROM ( - SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, - rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, - (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) - FROM pg_authid - WHERE rolname in ('test_role1', 'test_role2-needs\!escape') - ORDER BY rolname - ) t -$$); - result ---------------------------------------------------------------------- - [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"}] - 
[{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"}] - [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":"infinity"},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"}] -(3 rows) - ---test for drop user -select 1 from citus_remove_node('localhost', :worker_2_port); - ?column? ---------------------------------------------------------------------- - 1 -(1 row) - -\c metadata_sync_2pc_db - - :worker_1_port -DROP ROLE test_role1, "test_role2-needs\!escape"; -\c metadata_sync_2pc_db - - :master_port -DROP ROLE test_role3; -\c regression - - :master_port -select 1 from citus_add_node('localhost', :worker_2_port); - ?column? 
---------------------------------------------------------------------- - 1 -(1 row) - -select result FROM run_command_on_all_nodes($$ - SELECT array_to_json(array_agg(row_to_json(t))) - FROM ( - SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, - rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, - (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) - FROM pg_authid - WHERE rolname in ('test_role1', 'test_role2-needs\!escape') - ORDER BY rolname - ) t -$$); - result ---------------------------------------------------------------------- - - - [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":"infinity"},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"}] -(3 rows) - -set citus.enable_create_database_propagation to on; -drop database metadata_sync_2pc_db; -drop schema metadata_sync_2pc_schema; -reset citus.enable_create_database_propagation; -reset search_path; diff --git a/src/test/regress/multi_schedule b/src/test/regress/multi_schedule index 793bb8006..cf9b54267 100644 --- a/src/test/regress/multi_schedule +++ b/src/test/regress/multi_schedule @@ -109,11 +109,9 @@ test: undistribute_table test: run_command_on_all_nodes test: background_task_queue_monitor test: other_databases grant_role_from_non_maindb -test: other_databases test: role_operations_2pc test: citus_internal_access - # Causal clock test test: clock diff --git a/src/test/regress/sql/grant_on_database_propagation_2pc.sql b/src/test/regress/sql/grant_on_database_propagation_2pc.sql deleted file mode 100644 index 9e025a8c8..000000000 --- a/src/test/regress/sql/grant_on_database_propagation_2pc.sql +++ /dev/null 
@@ -1,251 +0,0 @@ --- Public role has connect,temp,temporary privileges on database --- To test these scenarios, we need to revoke these privileges from public role --- since public role privileges are inherited by new roles/users -set citus.enable_create_database_propagation to on; -create database test_2pc_db; - -show citus.main_db; - -revoke connect,temp,temporary on database test_2pc_db from public; - - - -CREATE SCHEMA grant_on_database_propagation; -SET search_path TO grant_on_database_propagation; - - --- test grant/revoke CREATE privilege propagation on database -create user myuser; - - -\c test_2pc_db - - :master_port -grant create on database test_2pc_db to myuser; - -\c regression - - :master_port; -select check_database_privileges('myuser','test_2pc_db',ARRAY['CREATE']); - -\c test_2pc_db - - :master_port -revoke create on database test_2pc_db from myuser; - -\c regression - - :master_port; -select check_database_privileges('myuser','test_2pc_db',ARRAY['CREATE']); - -drop user myuser; ------------------------------------------------------------------------ - --- test grant/revoke CONNECT privilege propagation on database -\c regression - - :master_port -create user myuser2; - -\c test_2pc_db - - :master_port -grant CONNECT on database test_2pc_db to myuser2; - -\c regression - - :master_port; -select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']); - -\c test_2pc_db - - :master_port -revoke connect on database test_2pc_db from myuser2; - -\c regression - - :master_port -select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']); - -drop user myuser2; - ------------------------------------------------------------------------ - --- test grant/revoke TEMP privilege propagation on database -\c regression - - :master_port -create user myuser3; - --- test grant/revoke temp on database -\c test_2pc_db - - :master_port -grant TEMP on database test_2pc_db to myuser3; - -\c regression - - :master_port; -select 
check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']); - - -\c test_2pc_db - - :worker_1_port -revoke TEMP on database test_2pc_db from myuser3; - -\c regression - - :master_port; -select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']); - -drop user myuser3; - ------------------------------------------------------------------------ - -\c regression - - :master_port --- test temporary privilege on database -create user myuser4; - --- test grant/revoke temporary on database -\c test_2pc_db - - :worker_1_port -grant TEMPORARY on database test_2pc_db to myuser4; - -\c regression - - :master_port -select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']); - -\c test_2pc_db - - :master_port -revoke TEMPORARY on database test_2pc_db from myuser4; - -\c regression - - :master_port; -select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']); - -drop user myuser4; ------------------------------------------------------------------------ - --- test ALL privileges with ALL statement on database -create user myuser5; - -grant ALL on database test_2pc_db to myuser5; - -\c regression - - :master_port -select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - - -\c test_2pc_db - - :master_port -revoke ALL on database test_2pc_db from myuser5; - -\c regression - - :master_port -select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - -drop user myuser5; ------------------------------------------------------------------------ - --- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database -create user myuser6; - -\c test_2pc_db - - :master_port -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser6; - -\c regression - - :master_port -select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - -\c test_2pc_db - - :master_port -revoke 
CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser6; - -\c regression - - :master_port -select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - - -drop user myuser6; ------------------------------------------------------------------------ - --- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database with grant option -create user myuser7; -create user myuser_1; - -\c test_2pc_db - - :master_port -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7; - -set role myuser7; ---here since myuser does not have grant option, it should fail -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1; - -\c regression - - :master_port -select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - -\c test_2pc_db - - :master_port - -RESET ROLE; - -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7 with grant option; -set role myuser7; - ---here since myuser have grant option, it should succeed -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1 granted by myuser7; - -\c regression - - :master_port -select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - -\c test_2pc_db - - :master_port - -RESET ROLE; - ---below test should fail and should throw an error since myuser_1 still have the dependent privileges -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict; ---below test should fail and should throw an error since myuser_1 still have the dependent privileges -revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict ; - ---below test should succeed and should not throw any error since myuser_1 privileges are revoked with cascade -revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 cascade ; - ---here we test if 
myuser still have the privileges after revoke grant option for - -\c regression - - :master_port -select check_database_privileges('myuser7','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - - -\c test_2pc_db - - :master_port - -reset role; - -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7; -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser_1; - -\c regression - - :master_port -drop user myuser_1; -drop user myuser7; - ------------------------------------------------------------------------ - --- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database multi database --- and multi user -\c regression - - :master_port -create user myuser8; -create user myuser_2; - -set citus.enable_create_database_propagation to on; -create database test_db; - -revoke connect,temp,temporary on database test_db from public; - -\c test_2pc_db - - :master_port -grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db to myuser8,myuser_2; - -\c regression - - :master_port -select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - - -\c test_2pc_db - - :master_port - -RESET ROLE; ---below test should fail and should throw an error -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 ; - ---below test should succeed and should not throw any error -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser_2; - ---below test should succeed and should not throw any error -revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 cascade; - -\c regression - - 
:master_port -select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - - -\c test_2pc_db - - :master_port - -reset role; - -\c regression - - :master_port -drop user myuser_2; -drop user myuser8; - -set citus.enable_create_database_propagation to on; -drop database test_db; - ---------------------------------------------------------------------------- --- rollbacks public role database privileges to original state -grant connect,temp,temporary on database test_2pc_db to public; -drop database test_2pc_db; -set citus.enable_create_database_propagation to off; -DROP SCHEMA grant_on_database_propagation CASCADE; - ---------------------------------------------------------------------------- diff --git a/src/test/regress/sql/grant_role_2pc.sql b/src/test/regress/sql/grant_role_2pc.sql deleted file mode 100644 index 1684bfe12..000000000 --- a/src/test/regress/sql/grant_role_2pc.sql +++ /dev/null 
@@ -1,156 +0,0 @@ - - -CREATE SCHEMA grant_role2pc; - -SET search_path TO grant_role2pc; - -set citus.enable_create_database_propagation to on; - - -CREATE DATABASE grant_role2pc_db; - - -\c grant_role2pc_db -SHOW citus.main_db; - - -SET citus.superuser TO 'postgres'; -CREATE USER grant_role2pc_user1; -CREATE USER grant_role2pc_user2; -CREATE USER grant_role2pc_user3; -CREATE USER grant_role2pc_user4; -CREATE USER grant_role2pc_user5; -CREATE USER grant_role2pc_user6; -CREATE USER grant_role2pc_user7; - -\c grant_role2pc_db - ---test with empty superuser -SET citus.superuser TO ''; -grant grant_role2pc_user1 to grant_role2pc_user2; - -SET citus.superuser TO 'postgres'; -grant grant_role2pc_user1 to grant_role2pc_user2 with admin option granted by CURRENT_USER; - -\c regression - -select result FROM run_command_on_all_nodes( - $$ - SELECT array_to_json(array_agg(row_to_json(t))) - FROM ( - SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option - FROM pg_auth_members - WHERE member::regrole::text = 'grant_role2pc_user2' - order by member::regrole::text - ) t - $$ -); - -\c grant_role2pc_db ---test grant under transactional context with multiple operations -BEGIN; -grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user3 WITH ADMIN OPTION; -grant grant_role2pc_user1 to grant_role2pc_user4 granted by grant_role2pc_user3 ; -COMMIT; - -BEGIN; -grant grant_role2pc_user1 to grant_role2pc_user5 WITH ADMIN OPTION granted by grant_role2pc_user3; -grant grant_role2pc_user1 to grant_role2pc_user6; -ROLLBACK; - - - -BEGIN; -grant grant_role2pc_user1 to grant_role2pc_user7; -SELECT 1/0; -commit; - - -\c regression - -select result FROM run_command_on_all_nodes($$ -SELECT array_to_json(array_agg(row_to_json(t))) -FROM ( - SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option - FROM pg_auth_members - WHERE member::regrole::text in - 
('grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') - order by member::regrole::text -) t -$$); - - -\c grant_role2pc_db - -grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7 granted by grant_role2pc_user3; - -\c regression - -select result FROM run_command_on_all_nodes($$ -SELECT array_to_json(array_agg(row_to_json(t))) -FROM ( - SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option - FROM pg_auth_members - WHERE member::regrole::text in - ('grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') - order by member::regrole::text -) t -$$); - -\c grant_role2pc_db -revoke admin option for grant_role2pc_user1 from grant_role2pc_user5 granted by grant_role2pc_user3; - ---test revoke under transactional context with multiple operations -BEGIN; -revoke grant_role2pc_user1 from grant_role2pc_user5 granted by grant_role2pc_user3 ; -revoke grant_role2pc_user1 from grant_role2pc_user4 granted by grant_role2pc_user3; -COMMIT; - -BEGIN; -revoke grant_role2pc_user1 from grant_role2pc_user6,grant_role2pc_user7 granted by grant_role2pc_user3; -revoke grant_role2pc_user1 from grant_role2pc_user3 cascade; -COMMIT; - -\c regression - -select result FROM run_command_on_all_nodes($$ -SELECT array_to_json(array_agg(row_to_json(t))) -FROM ( - SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option - FROM pg_auth_members - WHERE member::regrole::text in - ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') - order by member::regrole::text -) t -$$); - -\c - - - :worker_1_port -BEGIN; -grant grant_role2pc_user1 to grant_role2pc_user5 WITH ADMIN OPTION; -grant grant_role2pc_user1 to grant_role2pc_user6; -COMMIT; - -\c - - - :master_port - -select result FROM run_command_on_all_nodes($$ -SELECT array_to_json(array_agg(row_to_json(t))) 
-FROM ( - SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option - FROM pg_auth_members - WHERE member::regrole::text in - ('grant_role2pc_user5','grant_role2pc_user6') - order by member::regrole::text -) t -$$); - -revoke grant_role2pc_user1 from grant_role2pc_user5,grant_role2pc_user6; - ---clean resources -DROP SCHEMA grant_role2pc; -set citus.enable_create_database_propagation to on; -DROP DATABASE grant_role2pc_db; - -drop user grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; -drop user grant_role2pc_user1; - -reset citus.enable_create_database_propagation; diff --git a/src/test/regress/sql/metadata_sync_2pc.sql b/src/test/regress/sql/metadata_sync_2pc.sql deleted file mode 100644 index 531cb21a4..000000000 --- a/src/test/regress/sql/metadata_sync_2pc.sql +++ /dev/null 
@@ -1,177 +0,0 @@ - -CREATE SCHEMA metadata_sync_2pc_schema; - -SET search_path TO metadata_sync_2pc_schema; - -set citus.enable_create_database_propagation to on; - - -CREATE DATABASE metadata_sync_2pc_db; - -revoke connect,temp,temporary on database metadata_sync_2pc_db from public; - - -\c metadata_sync_2pc_db -SHOW citus.main_db; - -CREATE USER grant_role2pc_user1; -CREATE USER grant_role2pc_user2; -CREATE USER grant_role2pc_user3; -CREATE USER grant_role2pc_user4; -CREATE USER grant_role2pc_user5; - -\c regression -select 1 from citus_remove_node('localhost', :worker_2_port); - ---tests for grant role -\c metadata_sync_2pc_db -grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user3 WITH ADMIN OPTION; -grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user4,grant_role2pc_user5 granted by grant_role2pc_user3; - - - ---test for grant on database -\c metadata_sync_2pc_db - - :master_port -grant create on database metadata_sync_2pc_db to grant_role2pc_user1; -grant connect on database metadata_sync_2pc_db to grant_role2pc_user2; -grant ALL on database metadata_sync_2pc_db to grant_role2pc_user3; - -\c regression - -select check_database_privileges('grant_role2pc_user1','metadata_sync_2pc_db',ARRAY['CREATE']); -select check_database_privileges('grant_role2pc_user2','metadata_sync_2pc_db',ARRAY['CONNECT']); -select check_database_privileges('grant_role2pc_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']); - - -\c regression -set citus.enable_create_database_propagation to on; -select 1 from citus_add_node('localhost', :worker_2_port); - - -select result FROM run_command_on_all_nodes($$ -SELECT array_to_json(array_agg(row_to_json(t))) -FROM ( - SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option - FROM pg_auth_members - WHERE member::regrole::text in - ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5') - order by member::regrole::text -) t -$$); - 
-select check_database_privileges('grant_role2pc_user1','metadata_sync_2pc_db',ARRAY['CREATE']); -select check_database_privileges('grant_role2pc_user2','metadata_sync_2pc_db',ARRAY['CONNECT']); -select check_database_privileges('grant_role2pc_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']); - - -\c metadata_sync_2pc_db -revoke grant_role2pc_user1,grant_role2pc_user2 from grant_role2pc_user4,grant_role2pc_user5 granted by grant_role2pc_user3; - -revoke admin option for grant_role2pc_user1,grant_role2pc_user2 from grant_role2pc_user3; - -revoke grant_role2pc_user1,grant_role2pc_user2 from grant_role2pc_user3; - -revoke ALL on database metadata_sync_2pc_db from grant_role2pc_user3; -revoke CONNECT on database metadata_sync_2pc_db from grant_role2pc_user2; -revoke CREATE on database metadata_sync_2pc_db from grant_role2pc_user1; - -\c regression - -drop user grant_role2pc_user1,grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5; - - ---test for user operations - ---test for create user -\c regression - - :master_port -select 1 from citus_remove_node('localhost', :worker_2_port); - -\c metadata_sync_2pc_db - - :master_port - -CREATE ROLE test_role1 WITH LOGIN PASSWORD 'password1'; - -\c metadata_sync_2pc_db - - :worker_1_port - -CREATE USER "test_role2-needs\!escape" -WITH - SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN REPLICATION BYPASSRLS CONNECTION -LIMIT 10 VALID UNTIL '2023-01-01' IN ROLE test_role1; - -create role test_role3; - -\c regression - - :master_port - -select 1 from citus_add_node('localhost', :worker_2_port); - -select result FROM run_command_on_all_nodes($$ - SELECT array_to_json(array_agg(row_to_json(t))) - FROM ( - SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, - rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, - (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) - FROM pg_authid - WHERE rolname in ('test_role1', 'test_role2-needs\!escape') - ORDER BY rolname 
- ) t -$$); - - - ---test for alter user -select 1 from citus_remove_node('localhost', :worker_2_port); -\c metadata_sync_2pc_db - - :master_port --- Test ALTER ROLE with various options -ALTER ROLE test_role1 WITH PASSWORD 'new_password1'; - -\c metadata_sync_2pc_db - - :worker_1_port -ALTER USER "test_role2-needs\!escape" -WITH - NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION -LIMIT 5 VALID UNTIL '2024-01-01'; - -\c regression - - :master_port -select 1 from citus_add_node('localhost', :worker_2_port); - -select result FROM run_command_on_all_nodes($$ - SELECT array_to_json(array_agg(row_to_json(t))) - FROM ( - SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, - rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, - (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) - FROM pg_authid - WHERE rolname in ('test_role1', 'test_role2-needs\!escape') - ORDER BY rolname - ) t -$$); - ---test for drop user -select 1 from citus_remove_node('localhost', :worker_2_port); - -\c metadata_sync_2pc_db - - :worker_1_port -DROP ROLE test_role1, "test_role2-needs\!escape"; - -\c metadata_sync_2pc_db - - :master_port -DROP ROLE test_role3; - -\c regression - - :master_port - -select 1 from citus_add_node('localhost', :worker_2_port); -select result FROM run_command_on_all_nodes($$ - SELECT array_to_json(array_agg(row_to_json(t))) - FROM ( - SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, - rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, - (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) - FROM pg_authid - WHERE rolname in ('test_role1', 'test_role2-needs\!escape') - ORDER BY rolname - ) t -$$); - -set citus.enable_create_database_propagation to on; -drop database metadata_sync_2pc_db; - -drop schema metadata_sync_2pc_schema; - -reset citus.enable_create_database_propagation; -reset search_path; 
diff --git a/src/test/regress/sql/metadata_sync_from_non_maindb.sql b/src/test/regress/sql/metadata_sync_from_non_maindb.sql
index 43f525189..7b6095965 100644
--- a/src/test/regress/sql/metadata_sync_from_non_maindb.sql
+++ b/src/test/regress/sql/metadata_sync_from_non_maindb.sql
@@ -64,8 +64,97 @@ revoke CREATE on database metadata_sync_2pc_db from "grant_role2pc'_user1"; \c regression drop user "grant_role2pc'_user1","grant_role2pc'_user2","grant_role2pc'_user3",grant_role2pc_user4,grant_role2pc_user5; +--test for user operations + +--test for create user +\c regression - - :master_port +select 1 from citus_remove_node('localhost', :worker_2_port); + +\c metadata_sync_2pc_db - - :master_port + +CREATE ROLE test_role1 WITH LOGIN PASSWORD 'password1'; + +\c metadata_sync_2pc_db - - :worker_1_port + +CREATE USER "test_role2-needs\!escape" +WITH + SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN REPLICATION BYPASSRLS CONNECTION +LIMIT 10 VALID UNTIL '2023-01-01' IN ROLE test_role1; + +create role test_role3; + +\c regression - - :master_port + +select 1 from citus_add_node('localhost', :worker_2_port); + +select result FROM run_command_on_all_nodes($$ + SELECT array_to_json(array_agg(row_to_json(t))) + FROM ( + SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, + rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, + (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) + FROM pg_authid + WHERE rolname in ('test_role1', 'test_role2-needs\!escape') + ORDER BY rolname + ) t +$$); + + + +--test for alter user +select 1 from citus_remove_node('localhost', :worker_2_port); +\c metadata_sync_2pc_db - - :master_port +-- Test ALTER ROLE with various options +ALTER ROLE test_role1 WITH PASSWORD 'new_password1'; + +\c metadata_sync_2pc_db - - :worker_1_port +ALTER USER "test_role2-needs\!escape" +WITH + NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION +LIMIT 5 VALID UNTIL '2024-01-01'; + +\c regression - - :master_port +select 1 from citus_add_node('localhost', :worker_2_port); + +select result FROM run_command_on_all_nodes($$ + SELECT array_to_json(array_agg(row_to_json(t))) + FROM ( + SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, + rolcanlogin, rolreplication, 
rolbypassrls, rolconnlimit, + (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) + FROM pg_authid + WHERE rolname in ('test_role1', 'test_role2-needs\!escape') + ORDER BY rolname + ) t +$$); + +--test for drop user +select 1 from citus_remove_node('localhost', :worker_2_port); + +\c metadata_sync_2pc_db - - :worker_1_port +DROP ROLE test_role1, "test_role2-needs\!escape"; + +\c metadata_sync_2pc_db - - :master_port +DROP ROLE test_role3; + +\c regression - - :master_port + +select 1 from citus_add_node('localhost', :worker_2_port); +select result FROM run_command_on_all_nodes($$ + SELECT array_to_json(array_agg(row_to_json(t))) + FROM ( + SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, + rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, + (rolpassword != '') as pass_not_empty, DATE(rolvaliduntil) + FROM pg_authid + WHERE rolname in ('test_role1', 'test_role2-needs\!escape') + ORDER BY rolname + ) t +$$); + set citus.enable_create_database_propagation to on; drop database metadata_sync_2pc_db; + drop schema metadata_sync_2pc_schema; reset citus.enable_create_database_propagation;
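Review bot: The query that follows `ALTER ROLE test_role1 WITH PASSWORD 'new_password1'` cannot show that the new credential reached every node, because it only projects `(rolpassword != '') as pass_not_empty`, which is true both before and after the change. A node left holding the old password hash would still produce the expected row. If the stored hash is propagated verbatim rather than re-hashed on each node (not visible from this hunk, so worth confirming), a check that does not print the hash would close the gap: `select count(DISTINCT result) = 1 FROM run_command_on_all_nodes($$SELECT rolpassword FROM pg_authid WHERE rolname = 'test_role1'$$);`. Separately, `test_role3` is created and later dropped, but all three verification queries filter on `rolname in ('test_role1', 'test_role2-needs\!escape')`, so neither its creation nor its removal is asserted on any node; adding `'test_role3'` to that list would cover it.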