Revoke statistics permissions from public and grant them to pg_monitor (#6812)

This PR revokes the permissions on the stats views and functions from the
public role and grants `SELECT` and `EXECUTE` to pg_monitor.
multi-tenant-monitoring-pgbench
Halil Ozan Akgül 2023-03-31 12:27:06 +03:00 committed by Halil Ozan Akgul
parent 326b334a95
commit 3ada889498
7 changed files with 87 additions and 5 deletions


@ -71,4 +71,8 @@ FROM pg_catalog.citus_stats_tenants(FALSE);
ALTER VIEW citus.citus_stats_tenants SET SCHEMA pg_catalog; ALTER VIEW citus.citus_stats_tenants SET SCHEMA pg_catalog;
GRANT SELECT ON pg_catalog.citus_stats_tenants TO PUBLIC; REVOKE ALL ON FUNCTION pg_catalog.citus_stats_tenants(BOOLEAN) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_catalog.citus_stats_tenants(BOOLEAN) TO pg_monitor;
REVOKE ALL ON pg_catalog.citus_stats_tenants FROM PUBLIC;
GRANT SELECT ON pg_catalog.citus_stats_tenants TO pg_monitor;
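Review bot: The four privilege statements carry no comment explaining why these objects are being locked down, and since `tenant_attribute` values are caller-supplied data (the long literal in the regression test at the bottom of this page shows the kind of value that lands there), a reader of the upgrade script should be told this is deliberate exposure hardening, e.g. `-- tenant_attribute exposes per-tenant identifiers; restrict to members of the predefined pg_monitor role` above the first REVOKE. Revoking before granting is the right order here because it removes the default EXECUTE that PostgreSQL gives PUBLIC on a new function. Note that `REVOKE ALL ... FROM PUBLIC` only removes privileges held by PUBLIC and leaves any explicit grants to other roles untouched, which is fine for a fresh upgrade script but worth a short comment if these statements are ever copied elsewhere. The identical block appears in the second citus_stats_tenants script and in both citus_stats_tenants_local scripts on this page, so the comment belongs in each copy.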


@ -71,4 +71,8 @@ FROM pg_catalog.citus_stats_tenants(FALSE);
ALTER VIEW citus.citus_stats_tenants SET SCHEMA pg_catalog; ALTER VIEW citus.citus_stats_tenants SET SCHEMA pg_catalog;
GRANT SELECT ON pg_catalog.citus_stats_tenants TO PUBLIC; REVOKE ALL ON FUNCTION pg_catalog.citus_stats_tenants(BOOLEAN) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_catalog.citus_stats_tenants(BOOLEAN) TO pg_monitor;
REVOKE ALL ON pg_catalog.citus_stats_tenants FROM PUBLIC;
GRANT SELECT ON pg_catalog.citus_stats_tenants TO pg_monitor;


@ -24,4 +24,9 @@ FROM pg_catalog.citus_stats_tenants_local()
ORDER BY score DESC; ORDER BY score DESC;
ALTER VIEW citus.citus_stats_tenants_local SET SCHEMA pg_catalog; ALTER VIEW citus.citus_stats_tenants_local SET SCHEMA pg_catalog;
GRANT SELECT ON pg_catalog.citus_stats_tenants_local TO PUBLIC;
REVOKE ALL ON FUNCTION pg_catalog.citus_stats_tenants_local(BOOLEAN) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_catalog.citus_stats_tenants_local(BOOLEAN) TO pg_monitor;
REVOKE ALL ON pg_catalog.citus_stats_tenants_local FROM PUBLIC;
GRANT SELECT ON pg_catalog.citus_stats_tenants_local TO pg_monitor;


@ -24,4 +24,9 @@ FROM pg_catalog.citus_stats_tenants_local()
ORDER BY score DESC; ORDER BY score DESC;
ALTER VIEW citus.citus_stats_tenants_local SET SCHEMA pg_catalog; ALTER VIEW citus.citus_stats_tenants_local SET SCHEMA pg_catalog;
GRANT SELECT ON pg_catalog.citus_stats_tenants_local TO PUBLIC;
REVOKE ALL ON FUNCTION pg_catalog.citus_stats_tenants_local(BOOLEAN) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_catalog.citus_stats_tenants_local(BOOLEAN) TO pg_monitor;
REVOKE ALL ON pg_catalog.citus_stats_tenants_local FROM PUBLIC;
GRANT SELECT ON pg_catalog.citus_stats_tenants_local TO pg_monitor;


@ -692,5 +692,45 @@ SELECT tenant_attribute, read_count_in_this_period, read_count_in_last_period, q
thisisaverylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo | 1 | 0 | 1 | 0 thisisaverylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo | 1 | 0 | 1 | 0
(1 row) (1 row)
-- test role permissions
CREATE ROLE stats_non_superuser WITH LOGIN;
SET ROLE stats_non_superuser;
SELECT count(*)>=0 FROM citus_stats_tenants;
ERROR: permission denied for view citus_stats_tenants
SELECT count(*)>=0 FROM citus_stats_tenants_local;
ERROR: permission denied for view citus_stats_tenants_local
SELECT count(*)>=0 FROM citus_stats_tenants();
ERROR: permission denied for function citus_stats_tenants
SELECT count(*)>=0 FROM citus_stats_tenants_local();
ERROR: permission denied for function citus_stats_tenants_local
RESET ROLE;
GRANT pg_monitor TO stats_non_superuser;
SET ROLE stats_non_superuser;
SELECT count(*)>=0 FROM citus_stats_tenants;
?column?
---------------------------------------------------------------------
t
(1 row)
SELECT count(*)>=0 FROM citus_stats_tenants_local;
?column?
---------------------------------------------------------------------
t
(1 row)
SELECT count(*)>=0 FROM citus_stats_tenants();
?column?
---------------------------------------------------------------------
t
(1 row)
SELECT count(*)>=0 FROM citus_stats_tenants_local();
?column?
---------------------------------------------------------------------
t
(1 row)
RESET ROLE;
DROP ROLE stats_non_superuser;
SET client_min_messages TO ERROR; SET client_min_messages TO ERROR;
DROP SCHEMA citus_stats_tenants CASCADE; DROP SCHEMA citus_stats_tenants CASCADE;


@ -21,7 +21,9 @@ ORDER BY 1;
--------------------------------------------------------------------- ---------------------------------------------------------------------
pg_dist_authinfo pg_dist_authinfo
pg_dist_clock_logical_seq pg_dist_clock_logical_seq
(2 rows) citus_stats_tenants_local
citus_stats_tenants
(4 rows)
RESET role; RESET role;
DROP USER no_access; DROP USER no_access;


@ -213,5 +213,27 @@ SELECT result FROM run_command_on_all_nodes('SELECT clean_citus_stats_tenants()'
SELECT count(*)>=0 FROM dist_tbl_text WHERE a = 'thisisaveryloooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooongname'; SELECT count(*)>=0 FROM dist_tbl_text WHERE a = 'thisisaveryloooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooongname';
SELECT tenant_attribute, read_count_in_this_period, read_count_in_last_period, query_count_in_this_period, query_count_in_last_period FROM citus_stats_tenants ORDER BY tenant_attribute; SELECT tenant_attribute, read_count_in_this_period, read_count_in_last_period, query_count_in_this_period, query_count_in_last_period FROM citus_stats_tenants ORDER BY tenant_attribute;
-- test role permissions
CREATE ROLE stats_non_superuser WITH LOGIN;
SET ROLE stats_non_superuser;
SELECT count(*)>=0 FROM citus_stats_tenants;
SELECT count(*)>=0 FROM citus_stats_tenants_local;
SELECT count(*)>=0 FROM citus_stats_tenants();
SELECT count(*)>=0 FROM citus_stats_tenants_local();
RESET ROLE;
GRANT pg_monitor TO stats_non_superuser;
SET ROLE stats_non_superuser;
SELECT count(*)>=0 FROM citus_stats_tenants;
SELECT count(*)>=0 FROM citus_stats_tenants_local;
SELECT count(*)>=0 FROM citus_stats_tenants();
SELECT count(*)>=0 FROM citus_stats_tenants_local();
RESET ROLE;
DROP ROLE stats_non_superuser;
SET client_min_messages TO ERROR; SET client_min_messages TO ERROR;
DROP SCHEMA citus_stats_tenants CASCADE; DROP SCHEMA citus_stats_tenants CASCADE;
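Review bot: The fixture role at `CREATE ROLE stats_non_superuser WITH LOGIN;` is only ever entered through `SET ROLE`, so `LOGIN` grants a capability the test never exercises; `CREATE ROLE stats_non_superuser;` (NOLOGIN by default) keeps the fixture least-privilege and still works with `SET ROLE` from the superuser session the test runs in. The `-- test role permissions` comment could state the invariant being checked rather than the activity, e.g. `-- non-members of pg_monitor must be denied on both the views and the underlying functions; pg_monitor membership is sufficient`. The positive half only shows that `pg_monitor` membership suffices; whether a direct `GRANT SELECT` on the view to some other role is also a supported path is not covered, and a second case would pin that down if it is intended. If the fixture is reused across test files, the role name is cluster-wide, so a failure before `DROP ROLE` leaves it behind for the next run.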