Grant read access for columnar metadata tables to unprivileged user

src/backend/columnar/sql/columnar--10.0-1--10.0-2.sql

@@ -0,0 +1,5 @@
+/* columnar--10.0-1--10.0-2.sql */
+
+-- grant read access for columnar metadata tables to unprivileged user
+GRANT USAGE ON SCHEMA columnar TO PUBLIC;
+GRANT SELECT ON ALL tables IN SCHEMA columnar TO PUBLIC ;

src/backend/columnar/sql/downgrades/columnar--10.0-2--10.0-1.sql

@@ -0,0 +1,5 @@
+/* columnar--10.0-2--10.0-1.sql */
+
+-- revoke read access for columnar metadata tables from unprivileged user
+REVOKE USAGE ON SCHEMA columnar FROM PUBLIC;
+REVOKE SELECT ON ALL tables IN SCHEMA columnar FROM PUBLIC;

src/backend/distributed/sql/citus--10.0-1--10.0-2.sql

@@ -1 +1,3 @@
 -- citus--10.0-1--10.0-2
+
+#include "../../columnar/sql/columnar--10.0-1--10.0-2.sql"

src/backend/distributed/sql/downgrades/citus--10.0-2--10.0-1.sql

@@ -1 +1,2 @@
 /* citus--10.0-2--10.0-1.sql */
+#include "../../../columnar/sql/downgrades/columnar--10.0-2--10.0-1.sql"

src/test/regress/expected/multi_multiuser.out

@@ -256,6 +256,37 @@ SELECT lock_relation_if_exists('test', 'ACCESS SHARE');
 SELECT lock_relation_if_exists('test', 'EXCLUSIVE');
 ERROR:  permission denied for table test
 ABORT;
+-- test creating columnar tables and accessing to columnar metadata tables via unprivileged user
+-- all below 5 commands should throw no permission errors
+-- read columnar metadata table
+SELECT * FROM columnar.stripe;
+ storage_id | stripe_num | file_offset | data_length | column_count | chunk_row_count | row_count | chunk_group_count
+---------------------------------------------------------------------
+(0 rows)
+
+-- alter a columnar setting
+SET columnar.chunk_group_row_limit = 1050;
+DO $proc$
+BEGIN
+IF substring(current_Setting('server_version'), '\d+')::int >= 12 THEN
+  EXECUTE $$
+    -- create columnar table
+    CREATE TABLE columnar_table (a int) USING columnar;
+    -- alter a columnar table that is created by that unprivileged user
+    SELECT alter_columnar_table_set('columnar_table', chunk_group_row_limit => 100);
+    -- and drop it
+    DROP TABLE columnar_table;
+  $$;
+END IF;
+END$proc$;
+-- cannot modify columnar metadata table as unprivileged user
+INSERT INTO columnar.stripe VALUES(99);
+ERROR:  permission denied for table stripe
+-- Cannot drop columnar metadata table as unprivileged user.
+-- Privileged user also cannot drop but with a different error message.
+-- (since citus extension has a dependency to it)
+DROP TABLE columnar.chunk;
+ERROR:  must be owner of table chunk
 -- check no permission
 SET ROLE no_access;
 EXECUTE prepare_insert(1);

src/test/regress/sql/multi_multiuser.sql

@@ -155,6 +155,34 @@ SELECT lock_relation_if_exists('test', 'ACCESS SHARE');
 SELECT lock_relation_if_exists('test', 'EXCLUSIVE');
 ABORT;
 
+-- test creating columnar tables and accessing to columnar metadata tables via unprivileged user
+
+-- all below 5 commands should throw no permission errors
+-- read columnar metadata table
+SELECT * FROM columnar.stripe;
+-- alter a columnar setting
+SET columnar.chunk_group_row_limit = 1050;
+
+DO $proc$
+BEGIN
+IF substring(current_Setting('server_version'), '\d+')::int >= 12 THEN
+  EXECUTE $$
+    -- create columnar table
+    CREATE TABLE columnar_table (a int) USING columnar;
+    -- alter a columnar table that is created by that unprivileged user
+    SELECT alter_columnar_table_set('columnar_table', chunk_group_row_limit => 100);
+    -- and drop it
+    DROP TABLE columnar_table;
+  $$;
+END IF;
+END$proc$;
+
+-- cannot modify columnar metadata table as unprivileged user
+INSERT INTO columnar.stripe VALUES(99);
+-- Cannot drop columnar metadata table as unprivileged user.
+-- Privileged user also cannot drop but with a different error message.
+-- (since citus extension has a dependency to it)
+DROP TABLE columnar.chunk;
 
 -- check no permission
 SET ROLE no_access;