From aeb49d73705018f300f2aa3b029849e5d88f3dbc Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Mon, 15 Jan 2024 11:35:44 +0300 Subject: [PATCH 01/18] Adds regular statement propagation --- .../commands/distribute_object_ops.c | 17 ++ src/backend/distributed/commands/parameter.c | 27 +++ .../deparser/deparse_parameter_stmts.c | 63 ++++++ src/include/distributed/commands.h | 3 + src/include/distributed/deparser.h | 2 + .../grant_on_parameter_propagation.out | 182 ++++++++++++++++++ .../regress/expected/multi_test_helpers.out | 21 +- src/test/regress/multi_1_schedule | 1 + .../sql/grant_on_parameter_propagation.sql | 64 ++++++ src/test/regress/sql/multi_test_helpers.sql | 22 +++ 10 files changed, 401 insertions(+), 1 deletion(-) create mode 100644 src/backend/distributed/commands/parameter.c create mode 100644 src/backend/distributed/deparser/deparse_parameter_stmts.c create mode 100644 src/test/regress/expected/grant_on_parameter_propagation.out create mode 100644 src/test/regress/sql/grant_on_parameter_propagation.sql diff --git a/src/backend/distributed/commands/distribute_object_ops.c b/src/backend/distributed/commands/distribute_object_ops.c index fe1f422b6..a378bf2de 100644 --- a/src/backend/distributed/commands/distribute_object_ops.c +++ b/src/backend/distributed/commands/distribute_object_ops.c @@ -762,6 +762,18 @@ static DistributeObjectOps Index_Drop = { .address = NULL, .markDistributed = false, }; + +static DistributeObjectOps Parameter_Grant = { + .deparse = DeparseGrantOnParameterStmt, + .qualify = NULL, + .preprocess = NULL, + .postprocess = PostprocessGrantParameterStmt, + .objectType = OBJECT_PARAMETER_ACL, + .operationType = DIST_OPS_ALTER, + .address = NULL, + .markDistributed = false, +}; + static DistributeObjectOps Policy_Drop = { .deparse = NULL, .qualify = NULL, @@ -2061,6 +2073,11 @@ GetDistributeObjectOps(Node *node) return &Database_Grant; } + case OBJECT_PARAMETER_ACL: + { + return &Parameter_Grant; + } + default: { return &Any_Grant; diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c new file mode 100644 index 000000000..84c6e358b --- /dev/null +++ b/src/backend/distributed/commands/parameter.c @@ -0,0 +1,27 @@ +#include "postgres.h" + +#include "catalog/namespace.h" +#include "commands/defrem.h" +#include "distributed/metadata_sync.h" +#include "distributed/deparser.h" +#include "distributed/commands.h" + + +List * +PostprocessGrantParameterStmt(Node *node, const char *queryString) +{ + if (!ShouldPropagate()) + { + return NIL; + } + + EnsurePropagationToCoordinator(); + + char *command = DeparseTreeNode(node); + + List *commands = list_make3(DISABLE_DDL_PROPAGATION, + (void *) command, + ENABLE_DDL_PROPAGATION); + + return NontransactionalNodeDDLTaskList(REMOTE_NODES, commands); +} diff --git a/src/backend/distributed/deparser/deparse_parameter_stmts.c b/src/backend/distributed/deparser/deparse_parameter_stmts.c new file mode 100644 index 000000000..cf462eddb --- /dev/null +++ b/src/backend/distributed/deparser/deparse_parameter_stmts.c @@ -0,0 +1,63 @@ +/*------------------------------------------------------------------------- + * + * deparse_database_stmts.c + * All routines to deparse parameter statements. + * + * ------------------------------------------------------------------------- +*/ + +#include "postgres.h" + +#include "utils/builtins.h" + +#include "distributed/deparser.h" +#include "distributed/listutils.h" + +static void AppendGrantParameters(StringInfo buf, GrantStmt *stmt); +static void AppendGrantOnParameterStmt(StringInfo buf, GrantStmt *stmt); + +static void +AppendGrantParameters(StringInfo buf, GrantStmt *stmt) +{ + appendStringInfo(buf, " ON PARAMETER "); + + DefElem *def = NULL; + foreach_ptr(def, stmt->objects) + { + char *parameter = strVal(def); + appendStringInfoString(buf, quote_identifier(parameter)); + if (def != (DefElem *) lfirst(list_tail(stmt->objects))) + { + appendStringInfo(buf, ", "); + } + } +} + +static void +AppendGrantOnParameterStmt(StringInfo buf, GrantStmt *stmt) +{ + Assert(stmt->objtype == OBJECT_PARAMETER_ACL); + + AppendGrantSharedPrefix(buf, stmt); + + AppendGrantParameters(buf, stmt); + + AppendGrantSharedSuffix(buf, stmt); +} + + +char * +DeparseGrantOnParameterStmt(Node *node) +{ + GrantStmt *stmt = castNode(GrantStmt, node); + Assert(stmt->objtype == OBJECT_PARAMETER_ACL); + + StringInfoData str = { 0 }; + initStringInfo(&str); + + AppendGrantOnParameterStmt(&str, stmt); + + return str.data; +} + + diff --git a/src/include/distributed/commands.h b/src/include/distributed/commands.h index 4eb6df8bf..789cad7da 100644 --- a/src/include/distributed/commands.h +++ b/src/include/distributed/commands.h @@ -447,6 +447,9 @@ extern List * PreprocessDropOwnedStmt(Node *node, const char *queryString, ProcessUtilityContext processUtilityContext); extern List * PostprocessReassignOwnedStmt(Node *node, const char *queryString); +/* parameter.c - forward declarations */ +extern List * PostprocessGrantParameterStmt(Node *node, const char *queryString); + /* policy.c - forward declarations */ extern List * CreatePolicyCommands(Oid relationId); extern void ErrorIfUnsupportedPolicy(Relation relation); diff --git a/src/include/distributed/deparser.h b/src/include/distributed/deparser.h index 22636b401..5c60f1caa 100644 --- a/src/include/distributed/deparser.h +++ b/src/include/distributed/deparser.h @@ -254,6 +254,8 @@ extern char * DeparseCreateDatabaseStmt(Node *node); extern char * DeparseDropDatabaseStmt(Node *node); extern char * DeparseAlterDatabaseRenameStmt(Node *node); +/* forward declarations for deparse_parameter_stmts.c*/ +extern char * DeparseGrantOnParameterStmt(Node *node); /* forward declaration for deparse_publication_stmts.c */ extern char * DeparseCreatePublicationStmt(Node *stmt); diff --git a/src/test/regress/expected/grant_on_parameter_propagation.out b/src/test/regress/expected/grant_on_parameter_propagation.out new file mode 100644 index 000000000..091fcbf7d --- /dev/null +++ b/src/test/regress/expected/grant_on_parameter_propagation.out @@ -0,0 +1,182 @@ +create user grant_param_user1; +create user grant_param_user2; +create user grant_param_user3; +create user grant_param_user4; +create user "grant_param_user5-\!"; +--test the grant command with all options +SET citus.log_remote_commands to on; +SET citus.grep_remote_commands = '%GRANT%'; +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user1,grant_param_user2,"grant_param_user5-\!" WITH GRANT OPTION GRANTED BY CURRENT_USER; +NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user1, grant_param_user2, "grant_param_user5-\!" WITH GRANT OPTION GRANTED BY postgres; +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user1, grant_param_user2, "grant_param_user5-\!" WITH GRANT OPTION GRANTED BY postgres; +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +RESET citus.log_remote_commands; +SELECT check_parameter_privileges(ARRAY['grant_param_user1','grant_param_user2','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + check_parameter_privileges +--------------------------------------------------------------------- + (t,grant_param_user1,max_connections,SET) + (t,grant_param_user1,max_connections,SET) + (t,grant_param_user1,max_connections,SET) + (t,grant_param_user1,max_connections,"ALTER SYSTEM") + (t,grant_param_user1,max_connections,"ALTER SYSTEM") + (t,grant_param_user1,max_connections,"ALTER SYSTEM") + (t,grant_param_user1,shared_buffers,SET) + (t,grant_param_user1,shared_buffers,SET) + (t,grant_param_user1,shared_buffers,SET) + (t,grant_param_user1,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user1,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user1,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user2,max_connections,SET) + (t,grant_param_user2,max_connections,SET) + (t,grant_param_user2,max_connections,SET) + (t,grant_param_user2,max_connections,"ALTER SYSTEM") + (t,grant_param_user2,max_connections,"ALTER SYSTEM") + (t,grant_param_user2,max_connections,"ALTER SYSTEM") + (t,grant_param_user2,shared_buffers,SET) + (t,grant_param_user2,shared_buffers,SET) + (t,grant_param_user2,shared_buffers,SET) + (t,grant_param_user2,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user2,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user2,shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") +(36 rows) + +--test the grant command admin option using grant_param_user1 with granted by +set role grant_param_user1; +SET citus.log_remote_commands to on; +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +DETAIL: on server grant_param_user1@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +DETAIL: on server grant_param_user1@localhost:xxxxx connectionId: xxxxxxx +SELECT check_parameter_privileges(ARRAY['grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + check_parameter_privileges +--------------------------------------------------------------------- + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") +(12 rows) + +reset role; +--test the revoke command grant option with all options +REVOKE GRANT OPTION FOR SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user1,grant_param_user2,"grant_param_user5-\!" cascade; +NOTICE: issuing REVOKE GRANT OPTION FOR set, alter system ON PARAMETER max_connections, shared_buffers FROM grant_param_user1, grant_param_user2, "grant_param_user5-\!" CASCADE; +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing REVOKE GRANT OPTION FOR set, alter system ON PARAMETER max_connections, shared_buffers FROM grant_param_user1, grant_param_user2, "grant_param_user5-\!" CASCADE; +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +--test if the admin option removed for the revoked user. Need to get error +SET ROLE "grant_param_user5-\!"; +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY "grant_param_user5-\!"; +WARNING: no privileges were granted for "max_connections" +WARNING: no privileges were granted for "shared_buffers" +NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY "grant_param_user5-\!"; +DETAIL: on server grant_param_user5-\!@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY "grant_param_user5-\!"; +DETAIL: on server grant_param_user5-\!@localhost:xxxxx connectionId: xxxxxxx +SELECT check_parameter_privileges(ARRAY['grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + check_parameter_privileges +--------------------------------------------------------------------- + (f,grant_param_user3,max_connections,SET) + (f,grant_param_user3,max_connections,SET) + (f,grant_param_user3,max_connections,SET) + (f,grant_param_user3,max_connections,"ALTER SYSTEM") + (f,grant_param_user3,max_connections,"ALTER SYSTEM") + (f,grant_param_user3,max_connections,"ALTER SYSTEM") + (f,grant_param_user3,shared_buffers,SET) + (f,grant_param_user3,shared_buffers,SET) + (f,grant_param_user3,shared_buffers,SET) + (f,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user3,shared_buffers,"ALTER SYSTEM") +(12 rows) + +RESET ROLE; +--test the revoke command +REVOKE SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user1,grant_param_user2,grant_param_user3,"grant_param_user5-\!"; +RESET citus.log_remote_commands; +SELECT check_parameter_privileges(ARRAY['grant_param_user1','grant_param_user2','grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + check_parameter_privileges +--------------------------------------------------------------------- + (f,grant_param_user1,max_connections,SET) + (f,grant_param_user1,max_connections,SET) + (f,grant_param_user1,max_connections,SET) + (f,grant_param_user1,max_connections,"ALTER SYSTEM") + (f,grant_param_user1,max_connections,"ALTER SYSTEM") + (f,grant_param_user1,max_connections,"ALTER SYSTEM") + (f,grant_param_user1,shared_buffers,SET) + (f,grant_param_user1,shared_buffers,SET) + (f,grant_param_user1,shared_buffers,SET) + (f,grant_param_user1,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user1,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user1,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user2,max_connections,SET) + (f,grant_param_user2,max_connections,SET) + (f,grant_param_user2,max_connections,SET) + (f,grant_param_user2,max_connections,"ALTER SYSTEM") + (f,grant_param_user2,max_connections,"ALTER SYSTEM") + (f,grant_param_user2,max_connections,"ALTER SYSTEM") + (f,grant_param_user2,shared_buffers,SET) + (f,grant_param_user2,shared_buffers,SET) + (f,grant_param_user2,shared_buffers,SET) + (f,grant_param_user2,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user2,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user2,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user3,max_connections,SET) + (f,grant_param_user3,max_connections,SET) + (f,grant_param_user3,max_connections,SET) + (f,grant_param_user3,max_connections,"ALTER SYSTEM") + (f,grant_param_user3,max_connections,"ALTER SYSTEM") + (f,grant_param_user3,max_connections,"ALTER SYSTEM") + (f,grant_param_user3,shared_buffers,SET) + (f,grant_param_user3,shared_buffers,SET) + (f,grant_param_user3,shared_buffers,SET) + (f,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user3,shared_buffers,"ALTER SYSTEM") +(36 rows) + +--test with single permission and single user +GRANT ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3; +SELECT check_parameter_privileges(ARRAY['grant_param_user4'],ARRAY['max_connections','shared_buffers'], ARRAY['ALTER SYSTEM']); + check_parameter_privileges +--------------------------------------------------------------------- + (f,grant_param_user4,max_connections,"ALTER SYSTEM") + (f,grant_param_user4,max_connections,"ALTER SYSTEM") + (f,grant_param_user4,max_connections,"ALTER SYSTEM") + (f,grant_param_user4,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user4,shared_buffers,"ALTER SYSTEM") + (f,grant_param_user4,shared_buffers,"ALTER SYSTEM") +(6 rows) + +--clean all resources +DROP USER grant_param_user1; +DROP USER grant_param_user2; +DROP USER grant_param_user3; +ERROR: role "grant_param_user3" cannot be dropped because some objects depend on it +DETAIL: privileges for parameter max_connections +privileges for parameter shared_buffers +DROP USER grant_param_user4; +DROP USER "grant_param_user5-\!"; +reset citus.log_remote_commands; +reset citus.grep_remote_commands; diff --git a/src/test/regress/expected/multi_test_helpers.out b/src/test/regress/expected/multi_test_helpers.out index 70a541d2a..8b9a833a3 100644 --- a/src/test/regress/expected/multi_test_helpers.out +++ b/src/test/regress/expected/multi_test_helpers.out @@ -625,4 +625,23 @@ BEGIN ) q2 JOIN pg_dist_node USING (nodeid); END; -$func$ LANGUAGE plpgsql; \ No newline at end of file +$func$ LANGUAGE plpgsql; +CREATE OR REPLACE FUNCTION check_parameter_privileges(users text[], parameters text[], permissions text[]) +RETURNS TABLE ( res text, usr text, param text, perms text) AS $func$ +DECLARE + u text; + p text; + perm text; +BEGIN + FOREACH u IN ARRAY users + LOOP + FOREACH p IN ARRAY parameters + LOOP + FOREACH perm IN ARRAY permissions + LOOP + RETURN QUERY EXECUTE format($inner$SELECT result ,'%1$s','%2$s','%3$s' FROM run_command_on_all_nodes($$SELECT has_parameter_privilege('%1$s','%2$s', '%3$s'); $$)$inner$, u, p, perm); + END LOOP; + END LOOP; + END LOOP; +END; +$func$ LANGUAGE plpgsql;; diff --git a/src/test/regress/multi_1_schedule b/src/test/regress/multi_1_schedule index 2b9fdeb2d..726c64e32 100644 --- a/src/test/regress/multi_1_schedule +++ b/src/test/regress/multi_1_schedule @@ -60,6 +60,7 @@ test: alter_database_propagation test: citus_shards test: reassign_owned +test: grant_on_parameter_propagation # ---------- # multi_citus_tools tests utility functions written for citus tools diff --git a/src/test/regress/sql/grant_on_parameter_propagation.sql b/src/test/regress/sql/grant_on_parameter_propagation.sql new file mode 100644 index 000000000..1a4a98db0 --- /dev/null +++ b/src/test/regress/sql/grant_on_parameter_propagation.sql @@ -0,0 +1,64 @@ + + +create user grant_param_user1; +create user grant_param_user2; +create user grant_param_user3; +create user grant_param_user4; +create user "grant_param_user5-\!"; + + +--test the grant command with all options +SET citus.log_remote_commands to on; +SET citus.grep_remote_commands = '%GRANT%'; +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user1,grant_param_user2,"grant_param_user5-\!" WITH GRANT OPTION GRANTED BY CURRENT_USER; + +RESET citus.log_remote_commands; +SELECT check_parameter_privileges(ARRAY['grant_param_user1','grant_param_user2','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + +--test the grant command admin option using grant_param_user1 with granted by +set role grant_param_user1; +SET citus.log_remote_commands to on; +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +SELECT check_parameter_privileges(ARRAY['grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + +reset role; + +--test the revoke command grant option with all options +REVOKE GRANT OPTION FOR SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user1,grant_param_user2,"grant_param_user5-\!" cascade; + +--test if the admin option removed for the revoked user. Need to get error +SET ROLE "grant_param_user5-\!"; +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY "grant_param_user5-\!"; + +SELECT check_parameter_privileges(ARRAY['grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + +RESET ROLE; + +--test the revoke command +REVOKE SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user1,grant_param_user2,grant_param_user3,"grant_param_user5-\!"; + +RESET citus.log_remote_commands; + +SELECT check_parameter_privileges(ARRAY['grant_param_user1','grant_param_user2','grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + + +--test with single permission and single user +GRANT ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3; + +SELECT check_parameter_privileges(ARRAY['grant_param_user4'],ARRAY['max_connections','shared_buffers'], ARRAY['ALTER SYSTEM']); + +--clean all resources +DROP USER grant_param_user1; +DROP USER grant_param_user2; +DROP USER grant_param_user3; +DROP USER grant_param_user4; +DROP USER "grant_param_user5-\!"; + +reset citus.log_remote_commands; +reset citus.grep_remote_commands; + + + + + + diff --git a/src/test/regress/sql/multi_test_helpers.sql b/src/test/regress/sql/multi_test_helpers.sql index e67b782a5..ec156e518 100644 --- a/src/test/regress/sql/multi_test_helpers.sql +++ b/src/test/regress/sql/multi_test_helpers.sql @@ -652,3 +652,25 @@ BEGIN JOIN pg_dist_node USING (nodeid); END; $func$ LANGUAGE plpgsql; + + + +CREATE OR REPLACE FUNCTION check_parameter_privileges(users text[], parameters text[], permissions text[]) +RETURNS TABLE ( res text, usr text, param text, perms text) AS $func$ +DECLARE + u text; + p text; + perm text; +BEGIN + FOREACH u IN ARRAY users + LOOP + FOREACH p IN ARRAY parameters + LOOP + FOREACH perm IN ARRAY permissions + LOOP + RETURN QUERY EXECUTE format($inner$SELECT result ,'%1$s','%2$s','%3$s' FROM run_command_on_all_nodes($$SELECT has_parameter_privilege('%1$s','%2$s', '%3$s'); $$)$inner$, u, p, perm); + END LOOP; + END LOOP; + END LOOP; +END; +$func$ LANGUAGE plpgsql;; From 3c73117597ba0269de5c20b28a8804056ea38970 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 10:29:23 +0300 Subject: [PATCH 02/18] Adds metadata sync support for grant on parameter --- src/backend/distributed/commands/parameter.c | 120 ++++++++++++++++++ .../distributed/metadata/metadata_sync.c | 50 ++++++-- src/include/distributed/grant_utils.h | 34 +++++ .../grant_on_parameter_propagation.out | 68 +++++++++- src/test/regress/multi_1_schedule | 2 +- .../sql/grant_on_parameter_propagation.sql | 14 ++ 6 files changed, 275 insertions(+), 13 deletions(-) create mode 100644 src/include/distributed/grant_utils.h diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 84c6e358b..3e1c91a59 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -1,10 +1,24 @@ #include "postgres.h" + +#include "access/genam.h" #include "catalog/namespace.h" +#include "catalog/pg_parameter_acl.h" #include "commands/defrem.h" #include "distributed/metadata_sync.h" #include "distributed/deparser.h" #include "distributed/commands.h" +#include "distributed/grant_utils.h" +#include "distributed/listutils.h" + +#include "utils/acl.h" +#include "utils/builtins.h" +#include "utils/syscache.h" + +static List *GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem); +static bool HasAclGrantOption(AclItem *aclItem,AclMode aclMode); +static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes); +static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, AclMode mode, char *modeStr); List * @@ -25,3 +39,109 @@ PostprocessGrantParameterStmt(Node *node, const char *queryString) return NontransactionalNodeDDLTaskList(REMOTE_NODES, commands); } + + +/* + * GenerateGrantOnParameterFromAclItem generates a query string for replicating a users permissions + * on a database. + */ +static List * +GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) +{ + /* + * seems unlikely but we check if there is a grant option in the list without the actual permission + */ + CheckPermissionsAndGrants(aclItem, (AclMode[]) {ACL_SET, ACL_ALTER_SYSTEM}, 2); + Oid granteeOid = aclItem->ai_grantee; + List *queries = NIL; + + queries = lappend(queries, GenerateSetRoleQuery(aclItem->ai_grantor)); + + CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_SET, "SET"); + CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_ALTER_SYSTEM, "ALTER SYSTEM"); + + queries = lappend(queries, "RESET ROLE"); + + return queries; +} + +static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, AclMode mode, char *modeStr) { + AclResult aclresult = pg_parameter_aclcheck(parameterName, granteeOid, mode); + if (aclresult == ACLCHECK_OK) + { + char *query = DeparseTreeNode((Node *) GenerateGrantStmtForRightsWithObjectName( + OBJECT_PARAMETER_ACL, granteeOid, parameterName, + modeStr, + HasAclGrantOption(aclItem, mode))); + + // remove the semicolon at the end of the query since it is already + // appended in metadata_sync phase + query[strlen(query) - 1] = '\0'; + + *queries = lappend(*queries, query); + } +} + +static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) { + AclMode permissions = ACLITEM_GET_PRIVS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; + AclMode grants = ACLITEM_GET_GOPTIONS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; + + for (int i = 0; i < numModes; i++) { + AclMode mode = modes[i]; + Assert(!(grants & mode) || (permissions & mode)); + } +} + +static bool HasAclGrantOption(AclItem *aclItem,AclMode aclMode) +{ + return (aclItem->ai_privs & ACL_GRANT_OPTION_FOR(aclMode)) != 0; +} + +List * GrantOnParameters(void) +{ + /* Open pg_shdescription catalog */ + Relation paramPermissionRelation = table_open(ParameterAclRelationId, AccessShareLock); + + + int scanKeyCount = 0; + bool indexOk = false; + SysScanDesc scan = systable_beginscan(paramPermissionRelation, InvalidOid, + indexOk, NULL, scanKeyCount,NULL); + HeapTuple tuple; + List *commands = NIL; + while ((tuple = systable_getnext(scan)) != NULL) + { + + bool isNull = false; + + TupleDesc tupdesc = RelationGetDescr(paramPermissionRelation); + + Datum aclDatum = heap_getattr(tuple, Anum_pg_parameter_acl_paracl, tupdesc, + &isNull); + Datum parameterNameDatum = heap_getattr(tuple, Anum_pg_parameter_acl_parname, tupdesc, + &isNull); + + char *parameterName = TextDatumGetCString(parameterNameDatum); + + Acl *acl = DatumGetAclPCopy(aclDatum); + AclItem *aclDat = ACL_DAT(acl); + int aclNum = ACL_NUM(acl); + + + + for (int i = 0; i < aclNum; i++) + { + commands = list_concat(commands, + GenerateGrantOnParameterFromAclItem( + parameterName, &aclDat[i])); + } + + + } + + /* End the scan and close the catalog */ + systable_endscan(scan); + table_close(paramPermissionRelation, AccessShareLock); + + return commands; +} diff --git a/src/backend/distributed/metadata/metadata_sync.c b/src/backend/distributed/metadata/metadata_sync.c index 842a45519..c5266bff4 100644 --- a/src/backend/distributed/metadata/metadata_sync.c +++ b/src/backend/distributed/metadata/metadata_sync.c @@ -88,6 +88,7 @@ #include "distributed/tenant_schema_metadata.h" #include "distributed/utils/array_type.h" #include "distributed/utils/function.h" +#include "distributed/grant_utils.h" #include "distributed/version_compat.h" #include "distributed/worker_manager.h" #include "distributed/worker_protocol.h" @@ -115,11 +116,6 @@ static bool SyncNodeMetadataSnapshotToNode(WorkerNode *workerNode, bool raiseOnE static void DropMetadataSnapshotOnNode(WorkerNode *workerNode); static char * CreateSequenceDependencyCommand(Oid relationId, Oid sequenceId, char *columnName); -static GrantStmt * GenerateGrantStmtForRights(ObjectType objectType, - Oid roleOid, - Oid objectId, - char *permission, - bool withGrantOption); static List * GetObjectsForGrantStmt(ObjectType objectType, Oid objectId); static AccessPriv * GetAccessPrivObjectForGrantStmt(char *permission); static List * GenerateGrantOnSchemaQueriesFromAclItem(Oid schemaOid, @@ -130,7 +126,6 @@ static List * GenerateGrantOnFunctionQueriesFromAclItem(Oid schemaOid, static List * GrantOnSequenceDDLCommands(Oid sequenceOid); static List * GenerateGrantOnSequenceQueriesFromAclItem(Oid sequenceOid, AclItem *aclItem); -static char * GenerateSetRoleQuery(Oid roleOid); static void MetadataSyncSigTermHandler(SIGNAL_ARGS); static void MetadataSyncSigAlrmHandler(SIGNAL_ARGS); @@ -2159,18 +2154,51 @@ GenerateGrantOnDatabaseFromAclItem(Oid databaseOid, AclItem *aclItem) * The field `objects` of GrantStmt doesn't have a common structure for all types. * Make sure you have added your object type to GetObjectsForGrantStmt. */ -static GrantStmt * +GrantStmt * GenerateGrantStmtForRights(ObjectType objectType, Oid roleOid, Oid objectId, char *permission, bool withGrantOption) { + return BaseGenerateGrantStmtForRights(objectType,roleOid,objectId,NULL,permission,withGrantOption); +} + +GrantStmt * +GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, + Oid roleOid, + char *objectName, + char *permission, + bool withGrantOption) +{ + return BaseGenerateGrantStmtForRights(objectType,roleOid,InvalidOid,objectName,permission,withGrantOption); +} + + +GrantStmt * +BaseGenerateGrantStmtForRights(ObjectType objectType, + Oid roleOid, + Oid objectId, + char *objectName, + char *permission, + bool withGrantOption) +{ + + //either objectId or objectName should be valid + Assert(objectId != InvalidOid || objectName != NULL); + GrantStmt *stmt = makeNode(GrantStmt); stmt->is_grant = true; stmt->targtype = ACL_TARGET_OBJECT; stmt->objtype = objectType; - stmt->objects = GetObjectsForGrantStmt(objectType, objectId); + if (objectId != InvalidOid) + { + stmt->objects = GetObjectsForGrantStmt(objectType, objectId); + } + else + { + stmt->objects = list_make1(makeString(objectName)); + } stmt->privileges = list_make1(GetAccessPrivObjectForGrantStmt(permission)); stmt->grantees = list_make1(GetRoleSpecObjectForUser(roleOid)); stmt->grant_option = withGrantOption; @@ -2179,6 +2207,7 @@ GenerateGrantStmtForRights(ObjectType objectType, } + /* * GetObjectsForGrantStmt takes an object type and object id and returns the 'objects' * field to be used when creating GrantStmt. We have only one object here (the one with @@ -2230,6 +2259,7 @@ GetObjectsForGrantStmt(ObjectType objectType, Oid objectId) return list_make1(makeString(get_database_name(objectId))); } + default: { elog(ERROR, "unsupported object type for GRANT"); @@ -2563,7 +2593,7 @@ SetLocalEnableMetadataSync(bool state) } -static char * +char * GenerateSetRoleQuery(Oid roleOid) { StringInfo buf = makeStringInfo(); @@ -4682,6 +4712,8 @@ PropagateNodeWideObjectsCommandList(void) List *alterRoleSetCommands = GenerateAlterRoleSetCommandForRole(InvalidOid); ddlCommands = list_concat(ddlCommands, alterRoleSetCommands); } + List *grantOnParameterCommands = GrantOnParameters(); + ddlCommands = list_concat(ddlCommands, grantOnParameterCommands); return ddlCommands; } diff --git a/src/include/distributed/grant_utils.h b/src/include/distributed/grant_utils.h new file mode 100644 index 000000000..8f9e24d8f --- /dev/null +++ b/src/include/distributed/grant_utils.h @@ -0,0 +1,34 @@ +/*------------------------------------------------------------------------- + * + * grant_utils.h + * + * Routines for grant operations. + * + *------------------------------------------------------------------------- + */ +#ifndef CITUS_GRANT_UTILS_H +#define CITUS_GRANT_UTILS_H +#include "postgres.h" +#include "nodes/parsenodes.h" + +extern List * GrantOnParameters(void); +extern char * GenerateSetRoleQuery(Oid roleOid); +extern GrantStmt * GenerateGrantStmtForRights(ObjectType objectType, + Oid roleOid, + Oid objectId, + char *permission, + bool withGrantOption); +extern GrantStmt *GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, + Oid roleOid, + char *objectName, + char *permission, + bool withGrantOption); +extern GrantStmt *BaseGenerateGrantStmtForRights(ObjectType objectType, + Oid roleOid, + Oid objectId, + char *objectName, + char *permission, + bool withGrantOption); + + +#endif /* CITUS_GRANT_UTILS_H */ diff --git a/src/test/regress/expected/grant_on_parameter_propagation.out b/src/test/regress/expected/grant_on_parameter_propagation.out index 091fcbf7d..ab32b2cd0 100644 --- a/src/test/regress/expected/grant_on_parameter_propagation.out +++ b/src/test/regress/expected/grant_on_parameter_propagation.out @@ -169,13 +169,75 @@ SELECT check_parameter_privileges(ARRAY['grant_param_user4'],ARRAY['max_connecti (f,grant_param_user4,shared_buffers,"ALTER SYSTEM") (6 rows) +--test metadata_sync +SELECT 1 FROM citus_remove_node('localhost', :worker_2_port); + ?column? +--------------------------------------------------------------------- + 1 +(1 row) + +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3,"grant_param_user5-\!" WITH GRANT OPTION GRANTED BY CURRENT_USER; +SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + check_parameter_privileges +--------------------------------------------------------------------- + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") +(16 rows) + +SELECT 1 FROM citus_add_node('localhost', :worker_2_port); + ?column? +--------------------------------------------------------------------- + 1 +(1 row) + +SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + check_parameter_privileges +--------------------------------------------------------------------- + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,max_connections,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") +(24 rows) + +REVOKE SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user3,"grant_param_user5-\!" cascade; --clean all resources DROP USER grant_param_user1; DROP USER grant_param_user2; DROP USER grant_param_user3; -ERROR: role "grant_param_user3" cannot be dropped because some objects depend on it -DETAIL: privileges for parameter max_connections -privileges for parameter shared_buffers DROP USER grant_param_user4; DROP USER "grant_param_user5-\!"; reset citus.log_remote_commands; diff --git a/src/test/regress/multi_1_schedule b/src/test/regress/multi_1_schedule index 726c64e32..b98207b20 100644 --- a/src/test/regress/multi_1_schedule +++ b/src/test/regress/multi_1_schedule @@ -38,6 +38,7 @@ test: create_single_shard_table test: create_drop_database_propagation test: create_drop_database_propagation_pg15 test: create_drop_database_propagation_pg16 +test: grant_on_parameter_propagation # don't parallelize single_shard_table_udfs to make sure colocation ids are sequential test: single_shard_table_udfs test: schema_based_sharding @@ -60,7 +61,6 @@ test: alter_database_propagation test: citus_shards test: reassign_owned -test: grant_on_parameter_propagation # ---------- # multi_citus_tools tests utility functions written for citus tools diff --git a/src/test/regress/sql/grant_on_parameter_propagation.sql b/src/test/regress/sql/grant_on_parameter_propagation.sql index 1a4a98db0..d20831941 100644 --- a/src/test/regress/sql/grant_on_parameter_propagation.sql +++ b/src/test/regress/sql/grant_on_parameter_propagation.sql @@ -47,6 +47,20 @@ GRANT ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_us SELECT check_parameter_privileges(ARRAY['grant_param_user4'],ARRAY['max_connections','shared_buffers'], ARRAY['ALTER SYSTEM']); +--test metadata_sync + +SELECT 1 FROM citus_remove_node('localhost', :worker_2_port); +GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3,"grant_param_user5-\!" WITH GRANT OPTION GRANTED BY CURRENT_USER; + +SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + +SELECT 1 FROM citus_add_node('localhost', :worker_2_port); + +SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); + +REVOKE SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user3,"grant_param_user5-\!" cascade; + + --clean all resources DROP USER grant_param_user1; DROP USER grant_param_user2; From dfbbcce2123cdcc732bd1c0d4ce05cbdab613885 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 10:30:43 +0300 Subject: [PATCH 03/18] Fixes indentation --- src/backend/distributed/commands/parameter.c | 99 ++++++++++--------- .../deparser/deparse_parameter_stmts.c | 5 +- .../distributed/metadata/metadata_sync.c | 31 +++--- src/include/distributed/grant_utils.h | 31 +++--- 4 files changed, 89 insertions(+), 77 deletions(-) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 3e1c91a59..f51e94712 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -1,24 +1,24 @@ #include "postgres.h" - #include "access/genam.h" #include "catalog/namespace.h" #include "catalog/pg_parameter_acl.h" #include "commands/defrem.h" -#include "distributed/metadata_sync.h" -#include "distributed/deparser.h" -#include "distributed/commands.h" -#include "distributed/grant_utils.h" -#include "distributed/listutils.h" - #include "utils/acl.h" #include "utils/builtins.h" #include "utils/syscache.h" -static List *GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem); -static bool HasAclGrantOption(AclItem *aclItem,AclMode aclMode); +#include "distributed/commands.h" +#include "distributed/deparser.h" +#include "distributed/grant_utils.h" +#include "distributed/listutils.h" +#include "distributed/metadata_sync.h" + +static List * GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem); +static bool HasAclGrantOption(AclItem *aclItem, AclMode aclMode); static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes); -static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, AclMode mode, char *modeStr); +static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, + char *parameterName, AclMode mode, char *modeStr); List * @@ -51,75 +51,89 @@ GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) /* * seems unlikely but we check if there is a grant option in the list without the actual permission */ - CheckPermissionsAndGrants(aclItem, (AclMode[]) {ACL_SET, ACL_ALTER_SYSTEM}, 2); + CheckPermissionsAndGrants(aclItem, (AclMode[]) { ACL_SET, ACL_ALTER_SYSTEM }, 2); Oid granteeOid = aclItem->ai_grantee; List *queries = NIL; queries = lappend(queries, GenerateSetRoleQuery(aclItem->ai_grantor)); CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_SET, "SET"); - CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_ALTER_SYSTEM, "ALTER SYSTEM"); + CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_ALTER_SYSTEM, + "ALTER SYSTEM"); queries = lappend(queries, "RESET ROLE"); return queries; } -static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, AclMode mode, char *modeStr) { - AclResult aclresult = pg_parameter_aclcheck(parameterName, granteeOid, mode); - if (aclresult == ACLCHECK_OK) - { - char *query = DeparseTreeNode((Node *) GenerateGrantStmtForRightsWithObjectName( - OBJECT_PARAMETER_ACL, granteeOid, parameterName, - modeStr, - HasAclGrantOption(aclItem, mode))); - // remove the semicolon at the end of the query since it is already - // appended in metadata_sync phase +static void +CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, + AclMode mode, char *modeStr) +{ + AclResult aclresult = pg_parameter_aclcheck(parameterName, granteeOid, mode); + if (aclresult == ACLCHECK_OK) + { + char *query = DeparseTreeNode((Node *) GenerateGrantStmtForRightsWithObjectName( + OBJECT_PARAMETER_ACL, granteeOid, parameterName, + modeStr, + HasAclGrantOption(aclItem, mode))); + + /* remove the semicolon at the end of the query since it is already */ + /* appended in metadata_sync phase */ query[strlen(query) - 1] = '\0'; - *queries = lappend(*queries, query); - } + *queries = lappend(*queries, query); + } } -static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) { - AclMode permissions = ACLITEM_GET_PRIVS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; - AclMode grants = ACLITEM_GET_GOPTIONS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; - for (int i = 0; i < numModes; i++) { - AclMode mode = modes[i]; - Assert(!(grants & mode) || (permissions & mode)); - } +static void +CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) +{ + AclMode permissions = ACLITEM_GET_PRIVS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; + AclMode grants = ACLITEM_GET_GOPTIONS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; + + for (int i = 0; i < numModes; i++) + { + AclMode mode = modes[i]; + Assert(!(grants & mode) || (permissions & mode)); + } } -static bool HasAclGrantOption(AclItem *aclItem,AclMode aclMode) + +static bool +HasAclGrantOption(AclItem *aclItem, AclMode aclMode) { return (aclItem->ai_privs & ACL_GRANT_OPTION_FOR(aclMode)) != 0; } -List * GrantOnParameters(void) + +List * +GrantOnParameters(void) { /* Open pg_shdescription catalog */ - Relation paramPermissionRelation = table_open(ParameterAclRelationId, AccessShareLock); + Relation paramPermissionRelation = table_open(ParameterAclRelationId, + AccessShareLock); int scanKeyCount = 0; bool indexOk = false; SysScanDesc scan = systable_beginscan(paramPermissionRelation, InvalidOid, - indexOk, NULL, scanKeyCount,NULL); + indexOk, NULL, scanKeyCount, NULL); HeapTuple tuple; List *commands = NIL; while ((tuple = systable_getnext(scan)) != NULL) { - bool isNull = false; TupleDesc tupdesc = RelationGetDescr(paramPermissionRelation); Datum aclDatum = heap_getattr(tuple, Anum_pg_parameter_acl_paracl, tupdesc, - &isNull); - Datum parameterNameDatum = heap_getattr(tuple, Anum_pg_parameter_acl_parname, tupdesc, - &isNull); + &isNull); + Datum parameterNameDatum = heap_getattr(tuple, Anum_pg_parameter_acl_parname, + tupdesc, + &isNull); char *parameterName = TextDatumGetCString(parameterNameDatum); @@ -128,15 +142,12 @@ List * GrantOnParameters(void) int aclNum = ACL_NUM(acl); - for (int i = 0; i < aclNum; i++) { commands = list_concat(commands, - GenerateGrantOnParameterFromAclItem( - parameterName, &aclDat[i])); + GenerateGrantOnParameterFromAclItem( + parameterName, &aclDat[i])); } - - } /* End the scan and close the catalog */ diff --git a/src/backend/distributed/deparser/deparse_parameter_stmts.c b/src/backend/distributed/deparser/deparse_parameter_stmts.c index cf462eddb..b5f9b5afd 100644 --- a/src/backend/distributed/deparser/deparse_parameter_stmts.c +++ b/src/backend/distributed/deparser/deparse_parameter_stmts.c @@ -4,7 +4,7 @@ * All routines to deparse parameter statements. * * ------------------------------------------------------------------------- -*/ + */ #include "postgres.h" @@ -33,6 +33,7 @@ AppendGrantParameters(StringInfo buf, GrantStmt *stmt) } } + static void AppendGrantOnParameterStmt(StringInfo buf, GrantStmt *stmt) { @@ -59,5 +60,3 @@ DeparseGrantOnParameterStmt(Node *node) return str.data; } - - diff --git a/src/backend/distributed/metadata/metadata_sync.c b/src/backend/distributed/metadata/metadata_sync.c index c5266bff4..892c7fbc5 100644 --- a/src/backend/distributed/metadata/metadata_sync.c +++ b/src/backend/distributed/metadata/metadata_sync.c @@ -65,6 +65,7 @@ #include "distributed/coordinator_protocol.h" #include "distributed/deparser.h" #include "distributed/distribution_column.h" +#include "distributed/grant_utils.h" #include "distributed/listutils.h" #include "distributed/maintenanced.h" #include "distributed/metadata/dependency.h" @@ -88,7 +89,6 @@ #include "distributed/tenant_schema_metadata.h" #include "distributed/utils/array_type.h" #include "distributed/utils/function.h" -#include "distributed/grant_utils.h" #include "distributed/version_compat.h" #include "distributed/worker_manager.h" #include "distributed/worker_protocol.h" @@ -2161,30 +2161,32 @@ GenerateGrantStmtForRights(ObjectType objectType, char *permission, bool withGrantOption) { - return BaseGenerateGrantStmtForRights(objectType,roleOid,objectId,NULL,permission,withGrantOption); + return BaseGenerateGrantStmtForRights(objectType, roleOid, objectId, NULL, permission, + withGrantOption); } + GrantStmt * GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, - Oid roleOid, - char *objectName, - char *permission, - bool withGrantOption) + Oid roleOid, + char *objectName, + char *permission, + bool withGrantOption) { - return BaseGenerateGrantStmtForRights(objectType,roleOid,InvalidOid,objectName,permission,withGrantOption); + return BaseGenerateGrantStmtForRights(objectType, roleOid, InvalidOid, objectName, + permission, withGrantOption); } GrantStmt * BaseGenerateGrantStmtForRights(ObjectType objectType, - Oid roleOid, - Oid objectId, - char *objectName, - char *permission, - bool withGrantOption) + Oid roleOid, + Oid objectId, + char *objectName, + char *permission, + bool withGrantOption) { - - //either objectId or objectName should be valid + /*either objectId or objectName should be valid */ Assert(objectId != InvalidOid || objectName != NULL); GrantStmt *stmt = makeNode(GrantStmt); @@ -2207,7 +2209,6 @@ BaseGenerateGrantStmtForRights(ObjectType objectType, } - /* * GetObjectsForGrantStmt takes an object type and object id and returns the 'objects' * field to be used when creating GrantStmt. We have only one object here (the one with diff --git a/src/include/distributed/grant_utils.h b/src/include/distributed/grant_utils.h index 8f9e24d8f..c3ceb413e 100644 --- a/src/include/distributed/grant_utils.h +++ b/src/include/distributed/grant_utils.h @@ -9,26 +9,27 @@ #ifndef CITUS_GRANT_UTILS_H #define CITUS_GRANT_UTILS_H #include "postgres.h" + #include "nodes/parsenodes.h" extern List * GrantOnParameters(void); extern char * GenerateSetRoleQuery(Oid roleOid); extern GrantStmt * GenerateGrantStmtForRights(ObjectType objectType, - Oid roleOid, - Oid objectId, - char *permission, - bool withGrantOption); -extern GrantStmt *GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, - Oid roleOid, - char *objectName, - char *permission, - bool withGrantOption); -extern GrantStmt *BaseGenerateGrantStmtForRights(ObjectType objectType, - Oid roleOid, - Oid objectId, - char *objectName, - char *permission, - bool withGrantOption); + Oid roleOid, + Oid objectId, + char *permission, + bool withGrantOption); +extern GrantStmt * GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, + Oid roleOid, + char *objectName, + char *permission, + bool withGrantOption); +extern GrantStmt * BaseGenerateGrantStmtForRights(ObjectType objectType, + Oid roleOid, + Oid objectId, + char *objectName, + char *permission, + bool withGrantOption); #endif /* CITUS_GRANT_UTILS_H */ From 5d8fd32fd3faa64a736cf9d096fc2825356ed3b5 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 10:34:52 +0300 Subject: [PATCH 04/18] Adds grant all test --- .../regress/expected/grant_on_parameter_propagation.out | 6 +++--- src/test/regress/sql/grant_on_parameter_propagation.sql | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/test/regress/expected/grant_on_parameter_propagation.out b/src/test/regress/expected/grant_on_parameter_propagation.out index ab32b2cd0..476297dae 100644 --- a/src/test/regress/expected/grant_on_parameter_propagation.out +++ b/src/test/regress/expected/grant_on_parameter_propagation.out @@ -56,10 +56,10 @@ SELECT check_parameter_privileges(ARRAY['grant_param_user1','grant_param_user2', --test the grant command admin option using grant_param_user1 with granted by set role grant_param_user1; SET citus.log_remote_commands to on; -GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; -NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +GRANT ALL ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +NOTICE: issuing GRANT ALL PRIVILEGES ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; DETAIL: on server grant_param_user1@localhost:xxxxx connectionId: xxxxxxx -NOTICE: issuing GRANT set, alter system ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +NOTICE: issuing GRANT ALL PRIVILEGES ON PARAMETER max_connections, shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; DETAIL: on server grant_param_user1@localhost:xxxxx connectionId: xxxxxxx SELECT check_parameter_privileges(ARRAY['grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); check_parameter_privileges diff --git a/src/test/regress/sql/grant_on_parameter_propagation.sql b/src/test/regress/sql/grant_on_parameter_propagation.sql index d20831941..437363b35 100644 --- a/src/test/regress/sql/grant_on_parameter_propagation.sql +++ b/src/test/regress/sql/grant_on_parameter_propagation.sql @@ -18,7 +18,7 @@ SELECT check_parameter_privileges(ARRAY['grant_param_user1','grant_param_user2', --test the grant command admin option using grant_param_user1 with granted by set role grant_param_user1; SET citus.log_remote_commands to on; -GRANT SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; +GRANT ALL ON PARAMETER max_connections,shared_buffers TO grant_param_user3 GRANTED BY grant_param_user1; SELECT check_parameter_privileges(ARRAY['grant_param_user3'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); reset role; From d54ba314f9bdcb705a9af745993092e46ed7abbe Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 11:03:04 +0300 Subject: [PATCH 05/18] =?UTF-8?q?F=C4=B0xes=20compile=20errors?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/backend/distributed/commands/parameter.c | 14 +++++++++++--- src/backend/distributed/metadata/metadata_sync.c | 16 +++++++++++++--- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index f51e94712..439ff26a1 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -66,7 +66,10 @@ GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) return queries; } - +/* + * CheckAndAppendQuery checks if the aclItem has the given mode and if it has, it appends the + * corresponding query to the queries list. +*/ static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, AclMode mode, char *modeStr) @@ -87,7 +90,10 @@ CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *para } } - +/* +* CheckPermissionsAndGrants checks if the aclItem has the valid permissions and grants +* for the given modes. +*/ static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) { @@ -97,7 +103,9 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) for (int i = 0; i < numModes; i++) { AclMode mode = modes[i]; - Assert(!(grants & mode) || (permissions & mode)); + if(!(grants & mode) || (permissions & mode)){ + ereport(ERROR, (errmsg("ACL item has no grant option for mode %d", mode))); + } } } diff --git a/src/backend/distributed/metadata/metadata_sync.c b/src/backend/distributed/metadata/metadata_sync.c index 892c7fbc5..879bfbdd4 100644 --- a/src/backend/distributed/metadata/metadata_sync.c +++ b/src/backend/distributed/metadata/metadata_sync.c @@ -2165,7 +2165,13 @@ GenerateGrantStmtForRights(ObjectType objectType, withGrantOption); } - +/* + * GenerateGrantStmtForRightsWithObjectName is the function for creating + * GrantStmt's for all types of objects that are supported with object name. + * It takes parameters to fill a GrantStmt's fields and returns the GrantStmt. + * The field `objects` of GrantStmt doesn't have a common structure for all types. + * Make sure you have added your object type to GetObjectsForGrantStmt. + */ GrantStmt * GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, Oid roleOid, @@ -2177,7 +2183,12 @@ GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, permission, withGrantOption); } - +/* + * BaseGenerateGrantStmtForRights is the base function for creating + * GrantStmt's for all types of objects that are supported with object . + * It is used by GenerateGrantStmtForRights and GenerateGrantStmtForRightsWithObjectName + * to support both object id and object name. + */ GrantStmt * BaseGenerateGrantStmtForRights(ObjectType objectType, Oid roleOid, @@ -2260,7 +2271,6 @@ GetObjectsForGrantStmt(ObjectType objectType, Oid objectId) return list_make1(makeString(get_database_name(objectId))); } - default: { elog(ERROR, "unsupported object type for GRANT"); From bc945c2c65a3032a502f82208281a4252a932bea Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 11:12:26 +0300 Subject: [PATCH 06/18] Adds pg14 support --- src/backend/distributed/commands/parameter.c | 2 +- .../grant_on_parameter_propagation.out | 26 +++++++++---------- .../sql/grant_on_parameter_propagation.sql | 11 +++++++- 3 files changed, 23 insertions(+), 16 deletions(-) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 439ff26a1..86cd1b26d 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -104,7 +104,7 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) { AclMode mode = modes[i]; if(!(grants & mode) || (permissions & mode)){ - ereport(ERROR, (errmsg("ACL item has no grant option for mode %d", mode))); + ereport(ERROR, (errmsg("ACL item has no grant option for mode %lu", mode))); } } } diff --git a/src/test/regress/expected/grant_on_parameter_propagation.out b/src/test/regress/expected/grant_on_parameter_propagation.out index 476297dae..8ea428007 100644 --- a/src/test/regress/expected/grant_on_parameter_propagation.out +++ b/src/test/regress/expected/grant_on_parameter_propagation.out @@ -1,3 +1,13 @@ +-- +-- PG15 +-- +SHOW server_version \gset +SELECT substring(:'server_version', '\d+')::int >= 15 AS server_version_ge_15 +\gset +\if :server_version_ge_15 +\else +\q +\endif create user grant_param_user1; create user grant_param_user2; create user grant_param_user3; @@ -199,39 +209,27 @@ SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\ (16 rows) SELECT 1 FROM citus_add_node('localhost', :worker_2_port); - ?column? ---------------------------------------------------------------------- - 1 -(1 row) - +ERROR: ACL item has no grant option for mode 4096 SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); check_parameter_privileges --------------------------------------------------------------------- (t,grant_param_user3,max_connections,SET) (t,grant_param_user3,max_connections,SET) - (t,grant_param_user3,max_connections,SET) - (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,SET) (t,grant_param_user3,shared_buffers,SET) - (t,grant_param_user3,shared_buffers,SET) - (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,SET) (t,"grant_param_user5-\\!",max_connections,SET) - (t,"grant_param_user5-\\!",max_connections,SET) - (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",shared_buffers,SET) (t,"grant_param_user5-\\!",shared_buffers,SET) - (t,"grant_param_user5-\\!",shared_buffers,SET) (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") - (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") -(24 rows) +(16 rows) REVOKE SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user3,"grant_param_user5-\!" cascade; --clean all resources diff --git a/src/test/regress/sql/grant_on_parameter_propagation.sql b/src/test/regress/sql/grant_on_parameter_propagation.sql index 437363b35..08667c360 100644 --- a/src/test/regress/sql/grant_on_parameter_propagation.sql +++ b/src/test/regress/sql/grant_on_parameter_propagation.sql @@ -1,4 +1,13 @@ - +-- +-- PG15 +-- +SHOW server_version \gset +SELECT substring(:'server_version', '\d+')::int >= 15 AS server_version_ge_15 +\gset +\if :server_version_ge_15 +\else +\q +\endif create user grant_param_user1; create user grant_param_user2; From 0e05dd3c27ee9984e47073c3d9c80a4afdf8690c Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 11:36:10 +0300 Subject: [PATCH 07/18] Adds compile check for pg14 --- src/backend/distributed/commands/distribute_object_ops.c | 5 ++++- src/backend/distributed/commands/parameter.c | 3 +++ src/backend/distributed/deparser/deparse_parameter_stmts.c | 3 +++ src/include/distributed/commands.h | 2 ++ src/include/distributed/deparser.h | 2 ++ 5 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/backend/distributed/commands/distribute_object_ops.c b/src/backend/distributed/commands/distribute_object_ops.c index a378bf2de..08ae7c26a 100644 --- a/src/backend/distributed/commands/distribute_object_ops.c +++ b/src/backend/distributed/commands/distribute_object_ops.c @@ -763,6 +763,7 @@ static DistributeObjectOps Index_Drop = { .markDistributed = false, }; +#if PG_VERSION_NUM >= PG_VERSION_15 static DistributeObjectOps Parameter_Grant = { .deparse = DeparseGrantOnParameterStmt, .qualify = NULL, @@ -773,6 +774,7 @@ static DistributeObjectOps Parameter_Grant = { .address = NULL, .markDistributed = false, }; +#endif /* PG_VERSION_NUM >= PG_VERSION_14 */ static DistributeObjectOps Policy_Drop = { .deparse = NULL, @@ -2072,11 +2074,12 @@ GetDistributeObjectOps(Node *node) { return &Database_Grant; } - +#if PG_VERSION_NUM >= PG_VERSION_15 case OBJECT_PARAMETER_ACL: { return &Parameter_Grant; } +#endif default: { diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 86cd1b26d..5f2d4cb9b 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -1,3 +1,5 @@ +#include "pg_version_constants.h" +#if PG_VERSION_NUM >= PG_VERSION_15 #include "postgres.h" #include "access/genam.h" @@ -164,3 +166,4 @@ GrantOnParameters(void) return commands; } +#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ diff --git a/src/backend/distributed/deparser/deparse_parameter_stmts.c b/src/backend/distributed/deparser/deparse_parameter_stmts.c index b5f9b5afd..1df225601 100644 --- a/src/backend/distributed/deparser/deparse_parameter_stmts.c +++ b/src/backend/distributed/deparser/deparse_parameter_stmts.c @@ -6,6 +6,8 @@ * ------------------------------------------------------------------------- */ +#include "pg_version_constants.h" +#if PG_VERSION_NUM >= PG_VERSION_15 #include "postgres.h" #include "utils/builtins.h" @@ -60,3 +62,4 @@ DeparseGrantOnParameterStmt(Node *node) return str.data; } +#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ diff --git a/src/include/distributed/commands.h b/src/include/distributed/commands.h index 789cad7da..dd63a985c 100644 --- a/src/include/distributed/commands.h +++ b/src/include/distributed/commands.h @@ -447,8 +447,10 @@ extern List * PreprocessDropOwnedStmt(Node *node, const char *queryString, ProcessUtilityContext processUtilityContext); extern List * PostprocessReassignOwnedStmt(Node *node, const char *queryString); +#if PG_VERSION_NUM >= PG_VERSION_15 /* parameter.c - forward declarations */ extern List * PostprocessGrantParameterStmt(Node *node, const char *queryString); +#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ /* policy.c - forward declarations */ extern List * CreatePolicyCommands(Oid relationId); diff --git a/src/include/distributed/deparser.h b/src/include/distributed/deparser.h index 5c60f1caa..ec630c3d0 100644 --- a/src/include/distributed/deparser.h +++ b/src/include/distributed/deparser.h @@ -254,8 +254,10 @@ extern char * DeparseCreateDatabaseStmt(Node *node); extern char * DeparseDropDatabaseStmt(Node *node); extern char * DeparseAlterDatabaseRenameStmt(Node *node); +#if PG_VERSION_NUM >= PG_VERSION_15 /* forward declarations for deparse_parameter_stmts.c*/ extern char * DeparseGrantOnParameterStmt(Node *node); +#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ /* forward declaration for deparse_publication_stmts.c */ extern char * DeparseCreatePublicationStmt(Node *stmt); From 15817ab9248e09503efe11eff902f51ebceadfbc Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 11:36:38 +0300 Subject: [PATCH 08/18] Fixes indentation --- .../distributed/commands/distribute_object_ops.c | 1 + src/backend/distributed/commands/parameter.c | 15 ++++++++++----- .../deparser/deparse_parameter_stmts.c | 2 ++ src/backend/distributed/metadata/metadata_sync.c | 2 ++ src/include/distributed/commands.h | 1 + src/include/distributed/deparser.h | 1 + 6 files changed, 17 insertions(+), 5 deletions(-) diff --git a/src/backend/distributed/commands/distribute_object_ops.c b/src/backend/distributed/commands/distribute_object_ops.c index 08ae7c26a..f6d0b406a 100644 --- a/src/backend/distributed/commands/distribute_object_ops.c +++ b/src/backend/distributed/commands/distribute_object_ops.c @@ -2074,6 +2074,7 @@ GetDistributeObjectOps(Node *node) { return &Database_Grant; } + #if PG_VERSION_NUM >= PG_VERSION_15 case OBJECT_PARAMETER_ACL: { diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 5f2d4cb9b..65c806c43 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -68,10 +68,11 @@ GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) return queries; } + /* * CheckAndAppendQuery checks if the aclItem has the given mode and if it has, it appends the * corresponding query to the queries list. -*/ + */ static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, AclMode mode, char *modeStr) @@ -92,10 +93,11 @@ CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *para } } + /* -* CheckPermissionsAndGrants checks if the aclItem has the valid permissions and grants -* for the given modes. -*/ + * CheckPermissionsAndGrants checks if the aclItem has the valid permissions and grants + * for the given modes. + */ static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) { @@ -105,7 +107,8 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) for (int i = 0; i < numModes; i++) { AclMode mode = modes[i]; - if(!(grants & mode) || (permissions & mode)){ + if (!(grants & mode) || (permissions & mode)) + { ereport(ERROR, (errmsg("ACL item has no grant option for mode %lu", mode))); } } @@ -166,4 +169,6 @@ GrantOnParameters(void) return commands; } + + #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ diff --git a/src/backend/distributed/deparser/deparse_parameter_stmts.c b/src/backend/distributed/deparser/deparse_parameter_stmts.c index 1df225601..7c4d5b464 100644 --- a/src/backend/distributed/deparser/deparse_parameter_stmts.c +++ b/src/backend/distributed/deparser/deparse_parameter_stmts.c @@ -62,4 +62,6 @@ DeparseGrantOnParameterStmt(Node *node) return str.data; } + + #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ diff --git a/src/backend/distributed/metadata/metadata_sync.c b/src/backend/distributed/metadata/metadata_sync.c index 879bfbdd4..730c30759 100644 --- a/src/backend/distributed/metadata/metadata_sync.c +++ b/src/backend/distributed/metadata/metadata_sync.c @@ -2165,6 +2165,7 @@ GenerateGrantStmtForRights(ObjectType objectType, withGrantOption); } + /* * GenerateGrantStmtForRightsWithObjectName is the function for creating * GrantStmt's for all types of objects that are supported with object name. @@ -2183,6 +2184,7 @@ GenerateGrantStmtForRightsWithObjectName(ObjectType objectType, permission, withGrantOption); } + /* * BaseGenerateGrantStmtForRights is the base function for creating * GrantStmt's for all types of objects that are supported with object . diff --git a/src/include/distributed/commands.h b/src/include/distributed/commands.h index dd63a985c..c989d1b81 100644 --- a/src/include/distributed/commands.h +++ b/src/include/distributed/commands.h @@ -448,6 +448,7 @@ extern List * PreprocessDropOwnedStmt(Node *node, const char *queryString, extern List * PostprocessReassignOwnedStmt(Node *node, const char *queryString); #if PG_VERSION_NUM >= PG_VERSION_15 + /* parameter.c - forward declarations */ extern List * PostprocessGrantParameterStmt(Node *node, const char *queryString); #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ diff --git a/src/include/distributed/deparser.h b/src/include/distributed/deparser.h index ec630c3d0..69e2f8cf9 100644 --- a/src/include/distributed/deparser.h +++ b/src/include/distributed/deparser.h @@ -255,6 +255,7 @@ extern char * DeparseDropDatabaseStmt(Node *node); extern char * DeparseAlterDatabaseRenameStmt(Node *node); #if PG_VERSION_NUM >= PG_VERSION_15 + /* forward declarations for deparse_parameter_stmts.c*/ extern char * DeparseGrantOnParameterStmt(Node *node); #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ From 83079e46bcc4e0ec925d1d1038ff5ac6cb0b77b7 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 12:51:48 +0300 Subject: [PATCH 09/18] Fixes postgres start error --- src/backend/distributed/commands/parameter.c | 6 +++--- src/backend/distributed/deparser/deparse_parameter_stmts.c | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 65c806c43..8e82f8e0b 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -1,7 +1,7 @@ -#include "pg_version_constants.h" -#if PG_VERSION_NUM >= PG_VERSION_15 #include "postgres.h" +#include "pg_version_constants.h" +#if PG_VERSION_NUM >= PG_VERSION_15 #include "access/genam.h" #include "catalog/namespace.h" #include "catalog/pg_parameter_acl.h" @@ -109,7 +109,7 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) AclMode mode = modes[i]; if (!(grants & mode) || (permissions & mode)) { - ereport(ERROR, (errmsg("ACL item has no grant option for mode %lu", mode))); + ereport(ERROR, (errmsg("ACL item has no grant option for mode %u", mode))); } } } diff --git a/src/backend/distributed/deparser/deparse_parameter_stmts.c b/src/backend/distributed/deparser/deparse_parameter_stmts.c index 7c4d5b464..87a7fdb9e 100644 --- a/src/backend/distributed/deparser/deparse_parameter_stmts.c +++ b/src/backend/distributed/deparser/deparse_parameter_stmts.c @@ -6,9 +6,10 @@ * ------------------------------------------------------------------------- */ +#include "postgres.h" + #include "pg_version_constants.h" #if PG_VERSION_NUM >= PG_VERSION_15 -#include "postgres.h" #include "utils/builtins.h" From 70f14208110de2d3875e3e294e1e70a9beacc063 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 13:30:45 +0300 Subject: [PATCH 10/18] Fixes PG 16 compile warning --- src/backend/distributed/commands/parameter.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 8e82f8e0b..5ea10c53b 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -109,7 +109,11 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) AclMode mode = modes[i]; if (!(grants & mode) || (permissions & mode)) { +#if PG_VERSION_NUM >= PG_VERSION_16 + ereport(ERROR, (errmsg("ACL item has no grant option for mode %lu", mode))); +#else ereport(ERROR, (errmsg("ACL item has no grant option for mode %u", mode))); +#endif } } } From 1247c0d4b553fe62a7f810f6742afb423477820d Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 13:51:12 +0300 Subject: [PATCH 11/18] Fixes postgres 14 errors --- src/backend/distributed/metadata/metadata_sync.c | 2 ++ src/include/distributed/grant_utils.h | 3 +++ .../expected/grant_on_parameter_propagation_0.out | 9 +++++++++ 3 files changed, 14 insertions(+) create mode 100644 src/test/regress/expected/grant_on_parameter_propagation_0.out diff --git a/src/backend/distributed/metadata/metadata_sync.c b/src/backend/distributed/metadata/metadata_sync.c index 730c30759..dd4c81bc3 100644 --- a/src/backend/distributed/metadata/metadata_sync.c +++ b/src/backend/distributed/metadata/metadata_sync.c @@ -4725,8 +4725,10 @@ PropagateNodeWideObjectsCommandList(void) List *alterRoleSetCommands = GenerateAlterRoleSetCommandForRole(InvalidOid); ddlCommands = list_concat(ddlCommands, alterRoleSetCommands); } +#if PG_VERSION_NUM >= PG_VERSION_15 List *grantOnParameterCommands = GrantOnParameters(); ddlCommands = list_concat(ddlCommands, grantOnParameterCommands); +#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ return ddlCommands; } diff --git a/src/include/distributed/grant_utils.h b/src/include/distributed/grant_utils.h index c3ceb413e..b76538ffe 100644 --- a/src/include/distributed/grant_utils.h +++ b/src/include/distributed/grant_utils.h @@ -12,7 +12,10 @@ #include "nodes/parsenodes.h" +#if PG_VERSION_NUM >= PG_VERSION_15 extern List * GrantOnParameters(void); +#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ + extern char * GenerateSetRoleQuery(Oid roleOid); extern GrantStmt * GenerateGrantStmtForRights(ObjectType objectType, Oid roleOid, diff --git a/src/test/regress/expected/grant_on_parameter_propagation_0.out b/src/test/regress/expected/grant_on_parameter_propagation_0.out new file mode 100644 index 000000000..b1ed9cc5b --- /dev/null +++ b/src/test/regress/expected/grant_on_parameter_propagation_0.out @@ -0,0 +1,9 @@ +-- +-- PG15 +-- +SHOW server_version \gset +SELECT substring(:'server_version', '\d+')::int >= 15 AS server_version_ge_15 +\gset +\if :server_version_ge_15 +\else +\q From bf47d20148c6821e95f77cd0e49140288d432af9 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 17 Jan 2024 14:53:42 +0300 Subject: [PATCH 12/18] Fixes assert error --- src/backend/distributed/commands/parameter.c | 2 +- .../expected/grant_on_parameter_propagation.out | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 5ea10c53b..6d11d3b69 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -107,7 +107,7 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) for (int i = 0; i < numModes; i++) { AclMode mode = modes[i]; - if (!(grants & mode) || (permissions & mode)) + if ((grants & mode) && !(permissions & mode)) { #if PG_VERSION_NUM >= PG_VERSION_16 ereport(ERROR, (errmsg("ACL item has no grant option for mode %lu", mode))); diff --git a/src/test/regress/expected/grant_on_parameter_propagation.out b/src/test/regress/expected/grant_on_parameter_propagation.out index 8ea428007..9c66a4e3f 100644 --- a/src/test/regress/expected/grant_on_parameter_propagation.out +++ b/src/test/regress/expected/grant_on_parameter_propagation.out @@ -209,27 +209,39 @@ SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\ (16 rows) SELECT 1 FROM citus_add_node('localhost', :worker_2_port); -ERROR: ACL item has no grant option for mode 4096 + ?column? +--------------------------------------------------------------------- + 1 +(1 row) + SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); check_parameter_privileges --------------------------------------------------------------------- (t,grant_param_user3,max_connections,SET) (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,SET) (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,SET) (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",shared_buffers,SET) (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,SET) (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") -(16 rows) + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") +(24 rows) REVOKE SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user3,"grant_param_user5-\!" cascade; --clean all resources From ec7e135e15de593b886385d84a4f78b08ebb3be4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCrkan=20=C4=B0ndibay?= Date: Mon, 22 Jan 2024 12:09:21 +0300 Subject: [PATCH 13/18] Fixes wrong comment --- src/backend/distributed/commands/distribute_object_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/distributed/commands/distribute_object_ops.c b/src/backend/distributed/commands/distribute_object_ops.c index f6d0b406a..485ab4470 100644 --- a/src/backend/distributed/commands/distribute_object_ops.c +++ b/src/backend/distributed/commands/distribute_object_ops.c @@ -774,7 +774,7 @@ static DistributeObjectOps Parameter_Grant = { .address = NULL, .markDistributed = false, }; -#endif /* PG_VERSION_NUM >= PG_VERSION_14 */ +#endif /* PG_VERSION_NUM >= PG_VERSION_15 */ static DistributeObjectOps Policy_Drop = { .deparse = NULL, From 047a75f2d24cfa6c45a59346b3461ce9a957fa9a Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Tue, 6 Feb 2024 15:43:41 +0300 Subject: [PATCH 14/18] Fixes review issues --- src/backend/distributed/commands/parameter.c | 70 ++++++++++++++----- .../distributed/metadata/metadata_sync.c | 2 +- src/include/distributed/grant_utils.h | 2 +- 3 files changed, 53 insertions(+), 21 deletions(-) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 6d11d3b69..5449d4251 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -18,9 +18,12 @@ static List * GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem); static bool HasAclGrantOption(AclItem *aclItem, AclMode aclMode); -static void CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes); -static void CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, - char *parameterName, AclMode mode, char *modeStr); +static void ValidatePermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes); +static void CheckAndAppendGrantParameterQuery(List **queries, AclItem *aclItem, Oid + granteeOid, + char *parameterName, AclMode mode, + char *modeStr); +static void RemoveSemicolonFromEnd(char *query); List * @@ -39,13 +42,18 @@ PostprocessGrantParameterStmt(Node *node, const char *queryString) (void *) command, ENABLE_DDL_PROPAGATION); - return NontransactionalNodeDDLTaskList(REMOTE_NODES, commands); + return NodeDDLTaskList(REMOTE_NODES, commands); } /* - * GenerateGrantOnParameterFromAclItem generates a query string for replicating a users permissions - * on a database. + * GenerateGrantOnParameterFromAclItem generates the grant queries for the given aclItem. + * First it sets the current role to the grantor of the aclItem, then it appends the grant + * privilege queries for the aclItem, and finally it resets the role to the original role. + * Ex: If the aclItem has the grant option for ACL_SET, it generates the following queries: + * SET ROLE ; + * GRANT SET ON TO ; + * RESET ROLE; */ static List * GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) @@ -53,15 +61,17 @@ GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) /* * seems unlikely but we check if there is a grant option in the list without the actual permission */ - CheckPermissionsAndGrants(aclItem, (AclMode[]) { ACL_SET, ACL_ALTER_SYSTEM }, 2); + ValidatePermissionsAndGrants(aclItem, (AclMode[]) { ACL_SET, ACL_ALTER_SYSTEM }, 2); Oid granteeOid = aclItem->ai_grantee; List *queries = NIL; queries = lappend(queries, GenerateSetRoleQuery(aclItem->ai_grantor)); - CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_SET, "SET"); - CheckAndAppendQuery(&queries, aclItem, granteeOid, parameterName, ACL_ALTER_SYSTEM, - "ALTER SYSTEM"); + CheckAndAppendGrantParameterQuery(&queries, aclItem, granteeOid, parameterName, + ACL_SET, "SET"); + CheckAndAppendGrantParameterQuery(&queries, aclItem, granteeOid, parameterName, + ACL_ALTER_SYSTEM, + "ALTER SYSTEM"); queries = lappend(queries, "RESET ROLE"); @@ -70,12 +80,14 @@ GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) /* - * CheckAndAppendQuery checks if the aclItem has the given mode and if it has, it appends the + * CheckAndAppendGrantParameterQuery checks if the aclItem has the given mode and if it has, it appends the * corresponding query to the queries list. + * Ex: If the mode is ACL_SET, it appends the query "GRANT SET ON TO " */ static void -CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *parameterName, - AclMode mode, char *modeStr) +CheckAndAppendGrantParameterQuery(List **queries, AclItem *aclItem, Oid granteeOid, + char *parameterName, + AclMode mode, char *modeStr) { AclResult aclresult = pg_parameter_aclcheck(parameterName, granteeOid, mode); if (aclresult == ACLCHECK_OK) @@ -85,9 +97,7 @@ CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *para modeStr, HasAclGrantOption(aclItem, mode))); - /* remove the semicolon at the end of the query since it is already */ - /* appended in metadata_sync phase */ - query[strlen(query) - 1] = '\0'; + RemoveSemicolonFromEnd(query); *queries = lappend(*queries, query); } @@ -95,11 +105,26 @@ CheckAndAppendQuery(List **queries, AclItem *aclItem, Oid granteeOid, char *para /* - * CheckPermissionsAndGrants checks if the aclItem has the valid permissions and grants + * RemoveSemicolonFromEnd removes the semicolon at the end of the query if it exists. + */ +static void +RemoveSemicolonFromEnd(char *query) +{ + /* remove the semicolon at the end of the query since it is already */ + /* appended in metadata_sync phase */ + if (query[strlen(query) - 1] == ';') + { + query[strlen(query) - 1] = '\0'; + } +} + + +/* + * ValidatePermissionsAndGrants validates if the aclItem has the valid permissions and grants * for the given modes. */ static void -CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) +ValidatePermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) { AclMode permissions = ACLITEM_GET_PRIVS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; AclMode grants = ACLITEM_GET_GOPTIONS(*aclItem) & ACL_ALL_RIGHTS_PARAMETER_ACL; @@ -119,6 +144,9 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) } +/* + * HasAclGrantOption checks if the aclItem has the grant option for the given mode. + */ static bool HasAclGrantOption(AclItem *aclItem, AclMode aclMode) { @@ -126,8 +154,12 @@ HasAclGrantOption(AclItem *aclItem, AclMode aclMode) } +/* + * GenerateGrantStmtOnParametersFromCatalogTable generates the grant statements for the parameters + * from the pg_parameter_acl catalog table. + */ List * -GrantOnParameters(void) +GenerateGrantStmtOnParametersFromCatalogTable(void) { /* Open pg_shdescription catalog */ Relation paramPermissionRelation = table_open(ParameterAclRelationId, diff --git a/src/backend/distributed/metadata/metadata_sync.c b/src/backend/distributed/metadata/metadata_sync.c index 29569749c..518f13eb7 100644 --- a/src/backend/distributed/metadata/metadata_sync.c +++ b/src/backend/distributed/metadata/metadata_sync.c @@ -4726,7 +4726,7 @@ PropagateNodeWideObjectsCommandList(void) ddlCommands = list_concat(ddlCommands, alterRoleSetCommands); } #if PG_VERSION_NUM >= PG_VERSION_15 - List *grantOnParameterCommands = GrantOnParameters(); + List *grantOnParameterCommands = GenerateGrantStmtOnParametersFromCatalogTable(); ddlCommands = list_concat(ddlCommands, grantOnParameterCommands); #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ diff --git a/src/include/distributed/grant_utils.h b/src/include/distributed/grant_utils.h index b76538ffe..f184b56e8 100644 --- a/src/include/distributed/grant_utils.h +++ b/src/include/distributed/grant_utils.h @@ -13,7 +13,7 @@ #include "nodes/parsenodes.h" #if PG_VERSION_NUM >= PG_VERSION_15 -extern List * GrantOnParameters(void); +extern List * GenerateGrantStmtOnParametersFromCatalogTable(void); #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ extern char * GenerateSetRoleQuery(Oid roleOid); From 75eb20dc06d5ab756700a20b7e628c6eb7d7ef87 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Tue, 6 Feb 2024 16:55:05 +0300 Subject: [PATCH 15/18] Fixes indentation error --- src/backend/distributed/commands/parameter.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 5449d4251..1d180ee08 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -51,9 +51,9 @@ PostprocessGrantParameterStmt(Node *node, const char *queryString) * First it sets the current role to the grantor of the aclItem, then it appends the grant * privilege queries for the aclItem, and finally it resets the role to the original role. * Ex: If the aclItem has the grant option for ACL_SET, it generates the following queries: - * SET ROLE ; - * GRANT SET ON TO ; - * RESET ROLE; + * SET ROLE ; + * GRANT SET ON TO ; + * RESET ROLE; */ static List * GenerateGrantOnParameterFromAclItem(char *parameterName, AclItem *aclItem) @@ -206,5 +206,4 @@ GenerateGrantStmtOnParametersFromCatalogTable(void) return commands; } - #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ From faba4b0cfa143d5cabc566b07bba16b969176f6b Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Tue, 6 Feb 2024 17:03:01 +0300 Subject: [PATCH 16/18] Fixes indent check --- src/backend/distributed/commands/parameter.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 1d180ee08..ef961e1dd 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -206,4 +206,5 @@ GenerateGrantStmtOnParametersFromCatalogTable(void) return commands; } + #endif /* PG_VERSION_NUM >= PG_VERSION_15 */ From 41247f1ebd734b3c6db45e7e2784160a526fca9e Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Mon, 26 Feb 2024 12:11:51 +0300 Subject: [PATCH 17/18] Fixes helper sql --- src/test/regress/expected/multi_test_helpers.out | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/regress/expected/multi_test_helpers.out b/src/test/regress/expected/multi_test_helpers.out index 04fe5033d..f0ad9a5eb 100644 --- a/src/test/regress/expected/multi_test_helpers.out +++ b/src/test/regress/expected/multi_test_helpers.out @@ -644,7 +644,7 @@ BEGIN END LOOP; END LOOP; END; -$func$ LANGUAGE plpgsql;; +$func$ LANGUAGE plpgsql; CREATE OR REPLACE FUNCTION check_database_privileges(role_name text, db_name text, permissions text[]) RETURNS TABLE(permission text, result text) AS $func$ From a319ae0389b1039529a9e0dc60d1c417fbddf518 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Mon, 26 Feb 2024 12:30:47 +0300 Subject: [PATCH 18/18] Removes unnecessary lines --- src/test/regress/sql/grant_on_parameter_propagation.sql | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/test/regress/sql/grant_on_parameter_propagation.sql b/src/test/regress/sql/grant_on_parameter_propagation.sql index 08667c360..072aa70c7 100644 --- a/src/test/regress/sql/grant_on_parameter_propagation.sql +++ b/src/test/regress/sql/grant_on_parameter_propagation.sql @@ -79,9 +79,3 @@ DROP USER "grant_param_user5-\!"; reset citus.log_remote_commands; reset citus.grep_remote_commands; - - - - - -