mirror of https://github.com/citusdata/citus.git
Merge e0cc004c7e into d885e1a016
Gürkan İndibay
GitHub
commit
585e5b9b48
|
|
@ -44,7 +44,8 @@ static int ObjectAddressComparator(const void *a, const void *b);
|
||||||
static void EnsureDependenciesExistOnAllNodes(const ObjectAddress *target);
|
static void EnsureDependenciesExistOnAllNodes(const ObjectAddress *target);
|
||||||
static void EnsureRequiredObjectSetExistOnAllNodes(const ObjectAddress *target,
|
static void EnsureRequiredObjectSetExistOnAllNodes(const ObjectAddress *target,
|
||||||
RequiredObjectSet requiredObjectSet);
|
RequiredObjectSet requiredObjectSet);
|
||||||
static List * GetDependencyCreateDDLCommands(const ObjectAddress *dependency);
|
static List * GetDependencyCreateDDLCommands(const ObjectAddress *dependency, bool
|
||||||
|
fetchGrantStatements);
|
||||||
static bool ShouldPropagateObject(const ObjectAddress *address);
|
static bool ShouldPropagateObject(const ObjectAddress *address);
|
||||||
static char * DropTableIfExistsCommand(Oid relationId);
|
static char * DropTableIfExistsCommand(Oid relationId);
|
||||||
|
|
||||||
|
|
@ -164,7 +165,7 @@ EnsureRequiredObjectSetExistOnAllNodes(const ObjectAddress *target,
|
||||||
ObjectAddress *object = NULL;
|
ObjectAddress *object = NULL;
|
||||||
foreach_ptr(object, objectsToBeCreated)
|
foreach_ptr(object, objectsToBeCreated)
|
||||||
{
|
{
|
||||||
List *dependencyCommands = GetDependencyCreateDDLCommands(object);
|
List *dependencyCommands = GetDependencyCreateDDLCommands(object, true);
|
||||||
ddlCommands = list_concat(ddlCommands, dependencyCommands);
|
ddlCommands = list_concat(ddlCommands, dependencyCommands);
|
||||||
|
|
||||||
/* create a new list with objects that actually created commands */
|
/* create a new list with objects that actually created commands */
|
||||||
|
|
@ -432,7 +433,7 @@ GetDistributableDependenciesForObject(const ObjectAddress *target)
|
||||||
* in nodes, but we utilize logic it follows to choose the objects that could
|
* in nodes, but we utilize logic it follows to choose the objects that could
|
||||||
* be distributed
|
* be distributed
|
||||||
*/
|
*/
|
||||||
List *dependencyCommands = GetDependencyCreateDDLCommands(dependency);
|
List *dependencyCommands = GetDependencyCreateDDLCommands(dependency, true);
|
||||||
|
|
||||||
/* create a new list with dependencies that actually created commands */
|
/* create a new list with dependencies that actually created commands */
|
||||||
if (list_length(dependencyCommands) > 0)
|
if (list_length(dependencyCommands) > 0)
|
||||||
|
|
@ -465,7 +466,7 @@ DropTableIfExistsCommand(Oid relationId)
|
||||||
* commands to execute on a worker to create the object.
|
* commands to execute on a worker to create the object.
|
||||||
*/
|
*/
|
||||||
static List *
|
static List *
|
||||||
GetDependencyCreateDDLCommands(const ObjectAddress *dependency)
|
GetDependencyCreateDDLCommands(const ObjectAddress *dependency, bool fetchGrantStatements)
|
||||||
{
|
{
|
||||||
switch (getObjectClass(dependency))
|
switch (getObjectClass(dependency))
|
||||||
{
|
{
|
||||||
|
|
@ -605,7 +606,8 @@ GetDependencyCreateDDLCommands(const ObjectAddress *dependency)
|
||||||
|
|
||||||
case OCLASS_ROLE:
|
case OCLASS_ROLE:
|
||||||
{
|
{
|
||||||
return GenerateCreateOrAlterRoleCommand(dependency->objectId);
|
return GenerateCreateOrAlterRoleCommand(dependency->objectId,
|
||||||
|
fetchGrantStatements);
|
||||||
}
|
}
|
||||||
|
|
||||||
case OCLASS_SCHEMA:
|
case OCLASS_SCHEMA:
|
||||||
|
|
@ -680,15 +682,16 @@ GetDependencyCreateDDLCommands(const ObjectAddress *dependency)
|
||||||
List *
|
List *
|
||||||
GetAllDependencyCreateDDLCommands(const List *dependencies)
|
GetAllDependencyCreateDDLCommands(const List *dependencies)
|
||||||
{
|
{
|
||||||
List *commands = NIL;
|
List *ddlCommands = NIL;
|
||||||
|
|
||||||
ObjectAddress *dependency = NULL;
|
ObjectAddress *dependency = NULL;
|
||||||
foreach_ptr(dependency, dependencies)
|
foreach_ptr(dependency, dependencies)
|
||||||
{
|
{
|
||||||
commands = list_concat(commands, GetDependencyCreateDDLCommands(dependency));
|
ddlCommands = list_concat(ddlCommands, GetDependencyCreateDDLCommands(dependency,
|
||||||
|
false));
|
||||||
}
|
}
|
||||||
|
|
||||||
return commands;
|
return ddlCommands;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -56,6 +56,7 @@
|
||||||
#include "distributed/version_compat.h"
|
#include "distributed/version_compat.h"
|
||||||
#include "distributed/worker_transaction.h"
|
#include "distributed/worker_transaction.h"
|
||||||
|
|
||||||
|
|
||||||
static const char * ExtractEncryptedPassword(Oid roleOid);
|
static const char * ExtractEncryptedPassword(Oid roleOid);
|
||||||
static const char * CreateAlterRoleIfExistsCommand(AlterRoleStmt *stmt);
|
static const char * CreateAlterRoleIfExistsCommand(AlterRoleStmt *stmt);
|
||||||
static const char * CreateAlterRoleSetIfExistsCommand(AlterRoleSetStmt *stmt);
|
static const char * CreateAlterRoleSetIfExistsCommand(AlterRoleSetStmt *stmt);
|
||||||
|
|
@ -67,6 +68,9 @@ static DefElem * makeDefElemBool(char *name, bool value);
|
||||||
static List * GenerateRoleOptionsList(HeapTuple tuple);
|
static List * GenerateRoleOptionsList(HeapTuple tuple);
|
||||||
static List * GenerateGrantRoleStmtsFromOptions(RoleSpec *roleSpec, List *options);
|
static List * GenerateGrantRoleStmtsFromOptions(RoleSpec *roleSpec, List *options);
|
||||||
static List * GenerateGrantRoleStmtsOfRole(Oid roleid);
|
static List * GenerateGrantRoleStmtsOfRole(Oid roleid);
|
||||||
|
static ObjectAddress * GetRoleObjectAddressFromOid(Oid roleOid);
|
||||||
|
static GrantRoleStmt * GetGrantRoleStmtFromAuthMemberRecord(Form_pg_auth_members
|
||||||
|
membership);
|
||||||
static List * GenerateSecLabelOnRoleStmts(Oid roleid, char *rolename);
|
static List * GenerateSecLabelOnRoleStmts(Oid roleid, char *rolename);
|
||||||
static void EnsureSequentialModeForRoleDDL(void);
|
static void EnsureSequentialModeForRoleDDL(void);
|
||||||
|
|
||||||
|
|
@ -512,7 +516,7 @@ GenerateRoleOptionsList(HeapTuple tuple)
|
||||||
* the pg_authid table.
|
* the pg_authid table.
|
||||||
*/
|
*/
|
||||||
List *
|
List *
|
||||||
GenerateCreateOrAlterRoleCommand(Oid roleOid)
|
GenerateCreateOrAlterRoleCommand(Oid roleOid, bool fetchGrantStmts)
|
||||||
{
|
{
|
||||||
HeapTuple roleTuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
|
HeapTuple roleTuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
|
||||||
Form_pg_authid role = ((Form_pg_authid) GETSTRUCT(roleTuple));
|
Form_pg_authid role = ((Form_pg_authid) GETSTRUCT(roleTuple));
|
||||||
|
|
@ -562,11 +566,10 @@ GenerateCreateOrAlterRoleCommand(Oid roleOid)
|
||||||
|
|
||||||
if (EnableCreateRolePropagation)
|
if (EnableCreateRolePropagation)
|
||||||
{
|
{
|
||||||
List *grantRoleStmts = GenerateGrantRoleStmtsOfRole(roleOid);
|
if (fetchGrantStmts)
|
||||||
Node *stmt = NULL;
|
|
||||||
foreach_ptr(stmt, grantRoleStmts)
|
|
||||||
{
|
{
|
||||||
completeRoleList = lappend(completeRoleList, DeparseTreeNode(stmt));
|
completeRoleList = list_concat(completeRoleList, GenerateGrantRoleStmtsOfRole(
|
||||||
|
roleOid));
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
@ -577,7 +580,7 @@ GenerateCreateOrAlterRoleCommand(Oid roleOid)
|
||||||
* SecLabel stmts to be run in the new node.
|
* SecLabel stmts to be run in the new node.
|
||||||
*/
|
*/
|
||||||
List *secLabelOnRoleStmts = GenerateSecLabelOnRoleStmts(roleOid, rolename);
|
List *secLabelOnRoleStmts = GenerateSecLabelOnRoleStmts(roleOid, rolename);
|
||||||
stmt = NULL;
|
Node *stmt = NULL;
|
||||||
foreach_ptr(stmt, secLabelOnRoleStmts)
|
foreach_ptr(stmt, secLabelOnRoleStmts)
|
||||||
{
|
{
|
||||||
completeRoleList = lappend(completeRoleList, DeparseTreeNode(stmt));
|
completeRoleList = lappend(completeRoleList, DeparseTreeNode(stmt));
|
||||||
|
|
@ -872,7 +875,9 @@ GenerateGrantRoleStmtsOfRole(Oid roleid)
|
||||||
{
|
{
|
||||||
Relation pgAuthMembers = table_open(AuthMemRelationId, AccessShareLock);
|
Relation pgAuthMembers = table_open(AuthMemRelationId, AccessShareLock);
|
||||||
HeapTuple tuple = NULL;
|
HeapTuple tuple = NULL;
|
||||||
List *stmts = NIL;
|
|
||||||
|
List *adminStmts = NIL;
|
||||||
|
List *otherStmts = NIL;
|
||||||
|
|
||||||
ScanKeyData skey[1];
|
ScanKeyData skey[1];
|
||||||
|
|
||||||
|
|
@ -885,12 +890,128 @@ GenerateGrantRoleStmtsOfRole(Oid roleid)
|
||||||
{
|
{
|
||||||
Form_pg_auth_members membership = (Form_pg_auth_members) GETSTRUCT(tuple);
|
Form_pg_auth_members membership = (Form_pg_auth_members) GETSTRUCT(tuple);
|
||||||
|
|
||||||
|
GrantRoleStmt *grantRoleStmt = GetGrantRoleStmtFromAuthMemberRecord(membership);
|
||||||
|
if (grantRoleStmt == NULL)
|
||||||
|
{
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (membership->admin_option)
|
||||||
|
{
|
||||||
|
adminStmts = lappend(adminStmts, grantRoleStmt);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
otherStmts = lappend(otherStmts, grantRoleStmt);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
systable_endscan(scan);
|
||||||
|
table_close(pgAuthMembers, AccessShareLock);
|
||||||
|
|
||||||
|
List *allStmts = list_concat(adminStmts, otherStmts);
|
||||||
|
List *commands = NIL;
|
||||||
|
Node *stmt = NULL;
|
||||||
|
foreach_ptr(stmt, allStmts)
|
||||||
|
{
|
||||||
|
commands = lappend(commands, DeparseTreeNode(stmt));
|
||||||
|
}
|
||||||
|
|
||||||
|
return commands;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
List *
|
||||||
|
GenerateGrantRoleStmts()
|
||||||
|
{
|
||||||
|
Relation pgAuthMembers = table_open(AuthMemRelationId, AccessShareLock);
|
||||||
|
HeapTuple tuple = NULL;
|
||||||
|
List *adminStmts = NIL;
|
||||||
|
List *otherStmts = NIL;
|
||||||
|
|
||||||
|
SysScanDesc scan = systable_beginscan(pgAuthMembers, InvalidOid, false,
|
||||||
|
NULL, 0, NULL);
|
||||||
|
|
||||||
|
while (HeapTupleIsValid(tuple = systable_getnext(scan)))
|
||||||
|
{
|
||||||
|
Form_pg_auth_members membership = (Form_pg_auth_members) GETSTRUCT(tuple);
|
||||||
|
|
||||||
|
/* we only propagate the grant if the grantor is
|
||||||
|
* member and role are distributed since all are required
|
||||||
|
* to be distributed for the grant to be propagated
|
||||||
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
bool isAuthMemberDistributed = IsAnyObjectDistributed(list_make1(
|
||||||
|
GetRoleObjectAddressFromOid(
|
||||||
|
membership->grantor)))
|
||||||
|
&&
|
||||||
|
IsAnyObjectDistributed(list_make1(
|
||||||
|
GetRoleObjectAddressFromOid(
|
||||||
|
membership->member)))
|
||||||
|
&&
|
||||||
|
IsAnyObjectDistributed(list_make1(
|
||||||
|
GetRoleObjectAddressFromOid(
|
||||||
|
membership->roleid)));
|
||||||
|
if (!isAuthMemberDistributed)
|
||||||
|
{
|
||||||
|
/* we only need to propagate the grant if the grantor is distributed */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
GrantRoleStmt *grantRoleStmt = GetGrantRoleStmtFromAuthMemberRecord(membership);
|
||||||
|
if (grantRoleStmt == NULL)
|
||||||
|
{
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (membership->admin_option)
|
||||||
|
{
|
||||||
|
adminStmts = lappend(adminStmts, grantRoleStmt);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
otherStmts = lappend(otherStmts, grantRoleStmt);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
systable_endscan(scan);
|
||||||
|
table_close(pgAuthMembers, AccessShareLock);
|
||||||
|
|
||||||
|
List *allStmts = list_concat(adminStmts, otherStmts);
|
||||||
|
|
||||||
|
/*iterate through the list of adminStmts and otherStmts */
|
||||||
|
/*and using DeparseTreeNode to convert the GrantRoleStmt to a string */
|
||||||
|
/*and then add the string to the list of commands */
|
||||||
|
List *commands = NIL;
|
||||||
|
Node *stmt = NULL;
|
||||||
|
foreach_ptr(stmt, allStmts)
|
||||||
|
{
|
||||||
|
commands = lappend(commands, DeparseTreeNode(stmt));
|
||||||
|
}
|
||||||
|
|
||||||
|
return commands;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static ObjectAddress *
|
||||||
|
GetRoleObjectAddressFromOid(Oid roleOid)
|
||||||
|
{
|
||||||
|
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
|
||||||
|
ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid);
|
||||||
|
return roleAddress;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static GrantRoleStmt *
|
||||||
|
GetGrantRoleStmtFromAuthMemberRecord(Form_pg_auth_members membership)
|
||||||
|
{
|
||||||
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
|
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
|
||||||
ObjectAddressSet(*roleAddress, AuthIdRelationId, membership->grantor);
|
ObjectAddressSet(*roleAddress, AuthIdRelationId, membership->grantor);
|
||||||
if (!IsAnyObjectDistributed(list_make1(roleAddress)))
|
if (!IsAnyObjectDistributed(list_make1(roleAddress)))
|
||||||
{
|
{
|
||||||
/* we only need to propagate the grant if the grantor is distributed */
|
/* we only need to propagate the grant if the grantor is distributed */
|
||||||
continue;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
GrantRoleStmt *grantRoleStmt = makeNode(GrantRoleStmt);
|
GrantRoleStmt *grantRoleStmt = makeNode(GrantRoleStmt);
|
||||||
|
|
@ -944,14 +1065,7 @@ GenerateGrantRoleStmtsOfRole(Oid roleid)
|
||||||
#else
|
#else
|
||||||
grantRoleStmt->admin_opt = membership->admin_option;
|
grantRoleStmt->admin_opt = membership->admin_option;
|
||||||
#endif
|
#endif
|
||||||
|
return grantRoleStmt;
|
||||||
stmts = lappend(stmts, grantRoleStmt);
|
|
||||||
}
|
|
||||||
|
|
||||||
systable_endscan(scan);
|
|
||||||
table_close(pgAuthMembers, AccessShareLock);
|
|
||||||
|
|
||||||
return stmts;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -1202,7 +1316,7 @@ UnmarkRolesDistributed(List *roles)
|
||||||
List *
|
List *
|
||||||
FilterDistributedRoles(List *roles)
|
FilterDistributedRoles(List *roles)
|
||||||
{
|
{
|
||||||
List *distributedRoles = NIL;
|
List *validRoles = NIL;
|
||||||
Node *roleNode = NULL;
|
Node *roleNode = NULL;
|
||||||
foreach_ptr(roleNode, roles)
|
foreach_ptr(roleNode, roles)
|
||||||
{
|
{
|
||||||
|
|
@ -1218,12 +1332,46 @@ FilterDistributedRoles(List *roles)
|
||||||
}
|
}
|
||||||
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
|
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
|
||||||
ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid);
|
ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid);
|
||||||
if (IsAnyObjectDistributed(list_make1(roleAddress)))
|
bool isSystemRole = IsReservedName(role->rolename);
|
||||||
|
if (IsAnyObjectDistributed(list_make1(roleAddress)) || isSystemRole)
|
||||||
{
|
{
|
||||||
distributedRoles = lappend(distributedRoles, role);
|
validRoles = lappend(validRoles, role);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return distributedRoles;
|
return validRoles;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* FilterDistributedRoles filters the list of AccessPrivs and returns the ones
|
||||||
|
* that are distributed.
|
||||||
|
*/
|
||||||
|
List *
|
||||||
|
FilterDistributedGrantedRoles(List *roles)
|
||||||
|
{
|
||||||
|
List *validRoles = NIL;
|
||||||
|
Node *roleNode = NULL;
|
||||||
|
foreach_ptr(roleNode, roles)
|
||||||
|
{
|
||||||
|
AccessPriv *role = castNode(AccessPriv, roleNode);
|
||||||
|
Oid roleOid = get_role_oid(role->priv_name, false);
|
||||||
|
if (roleOid == InvalidOid)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Non-existing roles are ignored silently here. Postgres will
|
||||||
|
* handle to give an error or not for these roles.
|
||||||
|
*/
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
|
||||||
|
ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid);
|
||||||
|
bool isSystemRole = IsReservedName(role->priv_name);
|
||||||
|
if (IsAnyObjectDistributed(list_make1(roleAddress)) || isSystemRole)
|
||||||
|
{
|
||||||
|
validRoles = lappend(validRoles, role);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return validRoles;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -1244,17 +1392,22 @@ PreprocessGrantRoleStmt(Node *node, const char *queryString,
|
||||||
|
|
||||||
GrantRoleStmt *stmt = castNode(GrantRoleStmt, node);
|
GrantRoleStmt *stmt = castNode(GrantRoleStmt, node);
|
||||||
List *allGranteeRoles = stmt->grantee_roles;
|
List *allGranteeRoles = stmt->grantee_roles;
|
||||||
|
List *allGrantedRoles = stmt->granted_roles;
|
||||||
RoleSpec *grantor = stmt->grantor;
|
RoleSpec *grantor = stmt->grantor;
|
||||||
|
|
||||||
List *distributedGranteeRoles = FilterDistributedRoles(allGranteeRoles);
|
DistributedRolesInGrantRoleStmt *distributedRolesInGrantStmt =
|
||||||
if (list_length(distributedGranteeRoles) <= 0)
|
ExtractDistributedRolesInGrantRoleStmt(stmt);
|
||||||
|
|
||||||
|
if (!distributedRolesInGrantStmt->isGrantRoleStmtValid)
|
||||||
{
|
{
|
||||||
return NIL;
|
return NIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
stmt->grantee_roles = distributedGranteeRoles;
|
stmt->grantee_roles = distributedRolesInGrantStmt->distributedGrantees;
|
||||||
|
stmt->granted_roles = distributedRolesInGrantStmt->distributedGrantedRoles;
|
||||||
char *sql = DeparseTreeNode((Node *) stmt);
|
char *sql = DeparseTreeNode((Node *) stmt);
|
||||||
stmt->grantee_roles = allGranteeRoles;
|
stmt->grantee_roles = allGranteeRoles;
|
||||||
|
stmt->granted_roles = allGrantedRoles;
|
||||||
stmt->grantor = grantor;
|
stmt->grantor = grantor;
|
||||||
|
|
||||||
List *commands = list_make3(DISABLE_DDL_PROPAGATION,
|
List *commands = list_make3(DISABLE_DDL_PROPAGATION,
|
||||||
|
|
@ -1265,6 +1418,54 @@ PreprocessGrantRoleStmt(Node *node, const char *queryString,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
DistributedRolesInGrantRoleStmt *
|
||||||
|
ExtractDistributedRolesInGrantRoleStmt(GrantRoleStmt *stmt)
|
||||||
|
{
|
||||||
|
DistributedRolesInGrantRoleStmt *distributedRolesInGrantRoleStmt = palloc0(
|
||||||
|
sizeof(DistributedRolesInGrantRoleStmt));
|
||||||
|
distributedRolesInGrantRoleStmt->distributedGrantees = FilterDistributedRoles(
|
||||||
|
stmt->grantee_roles);
|
||||||
|
distributedRolesInGrantRoleStmt->distributedGrantedRoles =
|
||||||
|
FilterDistributedGrantedRoles(stmt->granted_roles);
|
||||||
|
distributedRolesInGrantRoleStmt->grantor = stmt->grantor;
|
||||||
|
distributedRolesInGrantRoleStmt->isGrantRoleStmtValid = true;
|
||||||
|
|
||||||
|
bool grantorMissingOk = false;
|
||||||
|
bool isGrantorDefined = distributedRolesInGrantRoleStmt->grantor != NULL &&
|
||||||
|
get_rolespec_oid(distributedRolesInGrantRoleStmt->grantor,
|
||||||
|
grantorMissingOk) != InvalidOid;
|
||||||
|
bool isGrantorDistributed = IsAnyObjectDistributed(RoleSpecToObjectAddress(
|
||||||
|
distributedRolesInGrantRoleStmt
|
||||||
|
->grantor, grantorMissingOk));
|
||||||
|
bool skipDueToGrantor = isGrantorDefined && !isGrantorDistributed;
|
||||||
|
if (list_length(distributedRolesInGrantRoleStmt->distributedGrantees) <= 0)
|
||||||
|
{
|
||||||
|
ereport(NOTICE, (errmsg("not propagating GRANT command to other nodes"),
|
||||||
|
errhint("Since no grantees are distributed, "
|
||||||
|
"the GRANT command will not be propagated to other nodes.")));
|
||||||
|
distributedRolesInGrantRoleStmt->isGrantRoleStmtValid = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (list_length(distributedRolesInGrantRoleStmt->distributedGrantedRoles) <= 0)
|
||||||
|
{
|
||||||
|
ereport(NOTICE, (errmsg("not propagating GRANT command to other nodes"),
|
||||||
|
errhint("Since no granted roles are distributed, "
|
||||||
|
"the GRANT command will not be propagated to other nodes.")));
|
||||||
|
distributedRolesInGrantRoleStmt->isGrantRoleStmtValid = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (skipDueToGrantor)
|
||||||
|
{
|
||||||
|
ereport(NOTICE, (errmsg("not propagating GRANT command to other nodes"),
|
||||||
|
errhint("Since grantor is not distributed, "
|
||||||
|
"the GRANT command will not be propagated to other nodes.")));
|
||||||
|
distributedRolesInGrantRoleStmt->isGrantRoleStmtValid = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return distributedRolesInGrantRoleStmt;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* PostprocessGrantRoleStmt actually creates the plan we need to execute for grant
|
* PostprocessGrantRoleStmt actually creates the plan we need to execute for grant
|
||||||
* role statement.
|
* role statement.
|
||||||
|
|
|
||||||
|
|
@ -5167,6 +5167,11 @@ SendDependencyCreationCommands(MetadataSyncContext *context)
|
||||||
List *ddlCommands = GetAllDependencyCreateDDLCommands(list_make1(dependency));
|
List *ddlCommands = GetAllDependencyCreateDDLCommands(list_make1(dependency));
|
||||||
SendOrCollectCommandListToActivatedNodes(context, ddlCommands);
|
SendOrCollectCommandListToActivatedNodes(context, ddlCommands);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
List *grantRoleCommands = GenerateGrantRoleStmts();
|
||||||
|
SendOrCollectCommandListToActivatedNodes(context, grantRoleCommands);
|
||||||
|
|
||||||
|
|
||||||
MemoryContextSwitchTo(oldContext);
|
MemoryContextSwitchTo(oldContext);
|
||||||
|
|
||||||
if (!MetadataSyncCollectsCommands(context))
|
if (!MetadataSyncCollectsCommands(context))
|
||||||
|
|
|
||||||
|
|
@ -174,6 +174,14 @@ typedef enum TenantOperation
|
||||||
TENANT_SET_SCHEMA,
|
TENANT_SET_SCHEMA,
|
||||||
} TenantOperation;
|
} TenantOperation;
|
||||||
|
|
||||||
|
typedef struct DistributedRolesInGrantRoleStmt
|
||||||
|
{
|
||||||
|
List *distributedGrantees;
|
||||||
|
List *distributedGrantedRoles;
|
||||||
|
RoleSpec *grantor;
|
||||||
|
bool isGrantRoleStmtValid;
|
||||||
|
} DistributedRolesInGrantRoleStmt;
|
||||||
|
|
||||||
#define TOTAL_TENANT_OPERATION 5
|
#define TOTAL_TENANT_OPERATION 5
|
||||||
extern const char *TenantOperationNames[TOTAL_TENANT_OPERATION];
|
extern const char *TenantOperationNames[TOTAL_TENANT_OPERATION];
|
||||||
|
|
||||||
|
|
@ -519,7 +527,7 @@ extern List * PreprocessDropRoleStmt(Node *stmt, const char *queryString,
|
||||||
extern List * PreprocessGrantRoleStmt(Node *stmt, const char *queryString,
|
extern List * PreprocessGrantRoleStmt(Node *stmt, const char *queryString,
|
||||||
ProcessUtilityContext processUtilityContext);
|
ProcessUtilityContext processUtilityContext);
|
||||||
extern List * PostprocessGrantRoleStmt(Node *stmt, const char *queryString);
|
extern List * PostprocessGrantRoleStmt(Node *stmt, const char *queryString);
|
||||||
extern List * GenerateCreateOrAlterRoleCommand(Oid roleOid);
|
extern List * GenerateCreateOrAlterRoleCommand(Oid roleOid, bool fetchGrantStatements);
|
||||||
extern List * CreateRoleStmtObjectAddress(Node *stmt, bool missing_ok, bool
|
extern List * CreateRoleStmtObjectAddress(Node *stmt, bool missing_ok, bool
|
||||||
isPostprocess);
|
isPostprocess);
|
||||||
|
|
||||||
|
|
@ -527,7 +535,11 @@ extern List * RenameRoleStmtObjectAddress(Node *stmt, bool missing_ok, bool
|
||||||
isPostprocess);
|
isPostprocess);
|
||||||
|
|
||||||
extern void UnmarkRolesDistributed(List *roles);
|
extern void UnmarkRolesDistributed(List *roles);
|
||||||
|
extern List * FilterDistributedGrantedRoles(List *roles);
|
||||||
extern List * FilterDistributedRoles(List *roles);
|
extern List * FilterDistributedRoles(List *roles);
|
||||||
|
extern DistributedRolesInGrantRoleStmt * ExtractDistributedRolesInGrantRoleStmt(
|
||||||
|
GrantRoleStmt *stmt);
|
||||||
|
extern List * GenerateGrantRoleStmts(void);
|
||||||
|
|
||||||
/* schema.c - forward declarations */
|
/* schema.c - forward declarations */
|
||||||
extern List * PostprocessCreateSchemaStmt(Node *node, const char *queryString);
|
extern List * PostprocessCreateSchemaStmt(Node *node, const char *queryString);
|
||||||
|
|
|
||||||
|
|
@ -196,7 +196,6 @@ SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::t
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
\c - - - :master_port
|
\c - - - :master_port
|
||||||
create role test_admin_role;
|
|
||||||
-- test grants with distributed and non-distributed roles
|
-- test grants with distributed and non-distributed roles
|
||||||
SELECT master_remove_node('localhost', :worker_2_port);
|
SELECT master_remove_node('localhost', :worker_2_port);
|
||||||
master_remove_node
|
master_remove_node
|
||||||
|
|
@ -204,6 +203,7 @@ SELECT master_remove_node('localhost', :worker_2_port);
|
||||||
|
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
|
create role test_admin_role;
|
||||||
CREATE ROLE dist_role_1 SUPERUSER;
|
CREATE ROLE dist_role_1 SUPERUSER;
|
||||||
CREATE ROLE dist_role_2;
|
CREATE ROLE dist_role_2;
|
||||||
CREATE ROLE dist_role_3;
|
CREATE ROLE dist_role_3;
|
||||||
|
|
@ -225,6 +225,10 @@ SET citus.enable_create_role_propagation TO ON;
|
||||||
grant dist_role_3,dist_role_1 to test_admin_role with admin option;
|
grant dist_role_3,dist_role_1 to test_admin_role with admin option;
|
||||||
SET ROLE dist_role_1;
|
SET ROLE dist_role_1;
|
||||||
GRANT non_dist_role_1 TO non_dist_role_2;
|
GRANT non_dist_role_1 TO non_dist_role_2;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no granted roles are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
SET citus.enable_create_role_propagation TO OFF;
|
SET citus.enable_create_role_propagation TO OFF;
|
||||||
grant dist_role_1 to non_dist_role_1 with admin option;
|
grant dist_role_1 to non_dist_role_1 with admin option;
|
||||||
SET ROLE non_dist_role_1;
|
SET ROLE non_dist_role_1;
|
||||||
|
|
@ -232,7 +236,11 @@ GRANT dist_role_1 TO dist_role_2 granted by non_dist_role_1;
|
||||||
RESET ROLE;
|
RESET ROLE;
|
||||||
SET citus.enable_create_role_propagation TO ON;
|
SET citus.enable_create_role_propagation TO ON;
|
||||||
GRANT dist_role_3 TO non_dist_role_3 granted by test_admin_role;
|
GRANT dist_role_3 TO non_dist_role_3 granted by test_admin_role;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
GRANT non_dist_role_4 TO dist_role_4;
|
GRANT non_dist_role_4 TO dist_role_4;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no granted roles are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
GRANT dist_role_3 TO dist_role_4 granted by test_admin_role;
|
GRANT dist_role_3 TO dist_role_4 granted by test_admin_role;
|
||||||
SELECT 1 FROM master_add_node('localhost', :worker_2_port);
|
SELECT 1 FROM master_add_node('localhost', :worker_2_port);
|
||||||
?column?
|
?column?
|
||||||
|
|
@ -300,6 +308,8 @@ SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::
|
||||||
(5 rows)
|
(5 rows)
|
||||||
|
|
||||||
REVOKE dist_role_3 from non_dist_role_3 granted by test_admin_role cascade;
|
REVOKE dist_role_3 from non_dist_role_3 granted by test_admin_role cascade;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
SELECT result FROM run_command_on_all_nodes(
|
SELECT result FROM run_command_on_all_nodes(
|
||||||
$$
|
$$
|
||||||
SELECT json_agg(q.* ORDER BY member) FROM (
|
SELECT json_agg(q.* ORDER BY member) FROM (
|
||||||
|
|
@ -322,8 +332,7 @@ drop role test_admin_role;
|
||||||
SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option FROM pg_auth_members WHERE roleid::regrole::text LIKE '%dist\_%' ORDER BY 1, 2;
|
SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option FROM pg_auth_members WHERE roleid::regrole::text LIKE '%dist\_%' ORDER BY 1, 2;
|
||||||
role | member | grantor | admin_option
|
role | member | grantor | admin_option
|
||||||
---------------------------------------------------------------------
|
---------------------------------------------------------------------
|
||||||
non_dist_role_4 | dist_role_4 | postgres | f
|
(0 rows)
|
||||||
(1 row)
|
|
||||||
|
|
||||||
SELECT rolname FROM pg_authid WHERE rolname LIKE '%dist\_%' ORDER BY 1;
|
SELECT rolname FROM pg_authid WHERE rolname LIKE '%dist\_%' ORDER BY 1;
|
||||||
rolname
|
rolname
|
||||||
|
|
@ -441,9 +450,7 @@ SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::t
|
||||||
dist_mixed_1 | dist_mixed_4 | postgres | f
|
dist_mixed_1 | dist_mixed_4 | postgres | f
|
||||||
dist_mixed_2 | dist_mixed_3 | postgres | f
|
dist_mixed_2 | dist_mixed_3 | postgres | f
|
||||||
dist_mixed_2 | dist_mixed_4 | postgres | f
|
dist_mixed_2 | dist_mixed_4 | postgres | f
|
||||||
nondist_mixed_1 | dist_mixed_3 | postgres | f
|
(4 rows)
|
||||||
nondist_mixed_1 | dist_mixed_4 | postgres | f
|
|
||||||
(6 rows)
|
|
||||||
|
|
||||||
SELECT rolname FROM pg_authid WHERE rolname LIKE '%dist\_mixed%' ORDER BY 1;
|
SELECT rolname FROM pg_authid WHERE rolname LIKE '%dist\_mixed%' ORDER BY 1;
|
||||||
rolname
|
rolname
|
||||||
|
|
@ -571,7 +578,15 @@ HINT: Connect to other nodes directly to manually create all necessary users an
|
||||||
SET citus.enable_create_role_propagation TO ON;
|
SET citus.enable_create_role_propagation TO ON;
|
||||||
CREATE ROLE dist_cascade;
|
CREATE ROLE dist_cascade;
|
||||||
GRANT nondist_cascade_1 TO nondist_cascade_2;
|
GRANT nondist_cascade_1 TO nondist_cascade_2;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no granted roles are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
GRANT nondist_cascade_2 TO nondist_cascade_3;
|
GRANT nondist_cascade_2 TO nondist_cascade_3;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no granted roles are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text LIKE '%cascade%' ORDER BY 1;
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text LIKE '%cascade%' ORDER BY 1;
|
||||||
objid
|
objid
|
||||||
---------------------------------------------------------------------
|
---------------------------------------------------------------------
|
||||||
|
|
@ -605,6 +620,8 @@ SELECT master_remove_node('localhost', :worker_2_port);
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
GRANT nondist_cascade_3 TO dist_cascade;
|
GRANT nondist_cascade_3 TO dist_cascade;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no granted roles are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
SELECT 1 FROM master_add_node('localhost', :worker_2_port);
|
SELECT 1 FROM master_add_node('localhost', :worker_2_port);
|
||||||
?column?
|
?column?
|
||||||
---------------------------------------------------------------------
|
---------------------------------------------------------------------
|
||||||
|
|
@ -643,8 +660,7 @@ SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::t
|
||||||
---------------------------------------------------------------------
|
---------------------------------------------------------------------
|
||||||
nondist_cascade_1 | nondist_cascade_2 | postgres | f
|
nondist_cascade_1 | nondist_cascade_2 | postgres | f
|
||||||
nondist_cascade_2 | nondist_cascade_3 | postgres | f
|
nondist_cascade_2 | nondist_cascade_3 | postgres | f
|
||||||
nondist_cascade_3 | dist_cascade | postgres | f
|
(2 rows)
|
||||||
(3 rows)
|
|
||||||
|
|
||||||
\c - - - :worker_2_port
|
\c - - - :worker_2_port
|
||||||
SELECT rolname FROM pg_authid WHERE rolname LIKE '%cascade%' ORDER BY 1;
|
SELECT rolname FROM pg_authid WHERE rolname LIKE '%cascade%' ORDER BY 1;
|
||||||
|
|
@ -675,7 +691,7 @@ SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::t
|
||||||
(0 rows)
|
(0 rows)
|
||||||
|
|
||||||
GRANT existing_role_1, nonexisting_role_1 TO existing_role_2, nonexisting_role_2;
|
GRANT existing_role_1, nonexisting_role_1 TO existing_role_2, nonexisting_role_2;
|
||||||
ERROR: role "nonexisting_role_2" does not exist
|
ERROR: role "nonexisting_role_1" does not exist
|
||||||
SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option FROM pg_auth_members WHERE roleid::regrole::text LIKE '%existing%' ORDER BY 1, 2;
|
SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option FROM pg_auth_members WHERE roleid::regrole::text LIKE '%existing%' ORDER BY 1, 2;
|
||||||
role | member | grantor | admin_option
|
role | member | grantor | admin_option
|
||||||
---------------------------------------------------------------------
|
---------------------------------------------------------------------
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,306 @@
|
||||||
|
-- Active: 1700033167033@@localhost@9700@gurkanindibay@public
|
||||||
|
--In below tests, complex role hierarchy is created and then granted by support is tested.
|
||||||
|
--- Test 1: Tests from main database
|
||||||
|
select 1 from citus_remove_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
NOTICE: not propagating CREATE ROLE/USER commands to other nodes
|
||||||
|
HINT: Connect to other nodes directly to manually create all necessary users and roles.
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
create role dist_role1;
|
||||||
|
create role dist_role2;
|
||||||
|
create role dist_role3;
|
||||||
|
create role dist_role4;
|
||||||
|
create role "dist_role5'_test";
|
||||||
|
grant dist_role2 to dist_role1 with admin option;
|
||||||
|
grant dist_role2 to dist_role3 with admin option granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role4 with admin option;
|
||||||
|
-- With enable_create_role_propagation on, all grantees are propagated.
|
||||||
|
-- To test non-distributed grantor, set this option off for some roles.
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
grant non_dist_role1 to dist_role1 with admin option;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
grant dist_role2 to non_dist_role1 with admin option;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
grant dist_role3 to "dist_role5'_test" granted by dist_role4;
|
||||||
|
grant dist_role2 to "dist_role5'_test" granted by dist_role3;
|
||||||
|
grant dist_role2 to dist_role4 granted by non_dist_role1 ;--will not be propagated since grantor is non-distributed
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since grantor is not distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
grant dist_role4 to "dist_role5'_test" with admin option;
|
||||||
|
--below command propagates the non_dist_role1 since non_dist_role1 is already granted to dist_role1
|
||||||
|
--and citus sees granted roles as a dependency and citus propagates the dependent roles
|
||||||
|
grant dist_role4 to dist_role1 with admin option GRANTED BY "dist_role5'_test";
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
non_dist_role1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
|
||||||
|
ERROR: role "dist_role4" is a member of role "dist_role3"
|
||||||
|
--Below command will not be successful since non_dist_role1 is propagated with the dependency resolution above
|
||||||
|
--however, ADMIN OPTION is not propagated for non_dist_role1 to worker 1 because the citus.enable_create_role_propagation is off
|
||||||
|
grant non_dist_role1 to dist_role4 granted by dist_role1;
|
||||||
|
ERROR: permission denied to grant privileges as role "dist_role1"
|
||||||
|
DETAIL: The grantor must have the ADMIN option on role "non_dist_role1".
|
||||||
|
CONTEXT: while executing command on localhost:xxxxx
|
||||||
|
grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4;
|
||||||
|
grant "dist_role5'_test" to dist_role1 with admin option;
|
||||||
|
grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test"
|
||||||
|
ERROR: role "dist_role5'_test" is a member of role "dist_role3"
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role2","grantor":"non_dist_role1","admin_option":false},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
(2 rows)
|
||||||
|
|
||||||
|
select 1 from citus_add_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role2","grantor":"non_dist_role1","admin_option":false},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role2","grantor":"non_dist_role1","admin_option":false},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
--clean all resources
|
||||||
|
drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test";
|
||||||
|
drop role non_dist_role1;
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
--- Test 2: Tests from non-main database
|
||||||
|
set citus.enable_create_database_propagation to on;
|
||||||
|
create database test_granted_by_support;
|
||||||
|
select 1 from citus_remove_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
--here in below block since 'citus.enable_create_role_propagation to off ' is not effective,
|
||||||
|
--non_dist_role1 is being propagated to dist_role1 unlike main db scenario
|
||||||
|
--non_dist_role1 will be used for the test scenarios in this section
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
--dropping since it isn't non-distributed as intended
|
||||||
|
drop role non_dist_role1;
|
||||||
|
--creating non_dist_role1 again in main database
|
||||||
|
--This is actually non-distributed role
|
||||||
|
\c regression
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
NOTICE: not propagating CREATE ROLE/USER commands to other nodes
|
||||||
|
HINT: Connect to other nodes directly to manually create all necessary users and roles.
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
\c test_granted_by_support
|
||||||
|
create role dist_role1;
|
||||||
|
create role dist_role1;
|
||||||
|
ERROR: role "dist_role1" already exists
|
||||||
|
create role dist_role2;
|
||||||
|
create role dist_role3;
|
||||||
|
create role dist_role4;
|
||||||
|
create role "dist_role5'_test";
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
grant dist_role2 to dist_role1 with admin option;
|
||||||
|
grant dist_role2 to dist_role3 with admin option granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role4 with admin option;
|
||||||
|
-- With enable_create_role_propagation on, all grantees are propagated.
|
||||||
|
-- To test non-distributed grantor, set this option off for some roles.
|
||||||
|
\c regression
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
grant non_dist_role1 to dist_role1 with admin option;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
\c test_granted_by_support
|
||||||
|
grant dist_role2 to non_dist_role1 with admin option;
|
||||||
|
ERROR: failure on connection marked as essential: localhost:xxxxx
|
||||||
|
CONTEXT: while executing command on localhost:xxxxx
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role3 to "dist_role5'_test" granted by dist_role4;
|
||||||
|
grant dist_role2 to "dist_role5'_test" granted by dist_role3;
|
||||||
|
grant dist_role2 to dist_role4 granted by non_dist_role1 ;--will not be propagated since grantor is non-distributed
|
||||||
|
ERROR: role "non_dist_role1" does not exist
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role4 to "dist_role5'_test" with admin option;
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
-- Unlike maindb scenario, non-maindb scenario doesn't propagate 'create non_dist_role1' to
|
||||||
|
--workers as it doesn't create dependency objects for non-distributed roles.
|
||||||
|
grant dist_role4 to dist_role1 with admin option GRANTED BY "dist_role5'_test";
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
|
||||||
|
ERROR: role "dist_role4" is a member of role "dist_role3"
|
||||||
|
grant non_dist_role1 to dist_role4 granted by dist_role1;
|
||||||
|
ERROR: role "non_dist_role1" does not exist
|
||||||
|
grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4;
|
||||||
|
grant "dist_role5'_test" to dist_role1 with admin option;
|
||||||
|
grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test"
|
||||||
|
ERROR: role "dist_role5'_test" is a member of role "dist_role3"
|
||||||
|
\c regression - - :master_port
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
(2 rows)
|
||||||
|
|
||||||
|
select 1 from citus_add_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
--clean all resources
|
||||||
|
set citus.enable_create_database_propagation to on;
|
||||||
|
drop database test_granted_by_support;
|
||||||
|
drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test";
|
||||||
|
drop role non_dist_role1;
|
||||||
|
drop role if exists non_dist_role1;
|
||||||
|
NOTICE: role "non_dist_role1" does not exist, skipping
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
reset citus.enable_create_database_propagation;
|
||||||
|
|
@ -0,0 +1,303 @@
|
||||||
|
-- Active: 1700033167033@@localhost@9700@gurkanindibay@public
|
||||||
|
--In below tests, complex role hierarchy is created and then granted by support is tested.
|
||||||
|
--- Test 1: Tests from main database
|
||||||
|
select 1 from citus_remove_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
NOTICE: not propagating CREATE ROLE/USER commands to other nodes
|
||||||
|
HINT: Connect to other nodes directly to manually create all necessary users and roles.
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
create role dist_role1;
|
||||||
|
create role dist_role2;
|
||||||
|
create role dist_role3;
|
||||||
|
create role dist_role4;
|
||||||
|
create role "dist_role5'_test";
|
||||||
|
grant dist_role2 to dist_role1 with admin option;
|
||||||
|
grant dist_role2 to dist_role3 with admin option granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role4 with admin option;
|
||||||
|
-- With enable_create_role_propagation on, all grantees are propagated.
|
||||||
|
-- To test non-distributed grantor, set this option off for some roles.
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
grant non_dist_role1 to dist_role1 with admin option;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
grant dist_role2 to non_dist_role1 with admin option;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
grant dist_role3 to "dist_role5'_test" granted by dist_role4;
|
||||||
|
grant dist_role2 to "dist_role5'_test" granted by dist_role3;
|
||||||
|
grant dist_role2 to dist_role4 granted by non_dist_role1 ;--will not be propagated since grantor is non-distributed
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since grantor is not distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
grant dist_role4 to "dist_role5'_test" with admin option;
|
||||||
|
--below command propagates the non_dist_role1 since non_dist_role1 is already granted to dist_role1
|
||||||
|
--and citus sees granted roles as a dependency and citus propagates the dependent roles
|
||||||
|
grant dist_role4 to dist_role1 with admin option GRANTED BY "dist_role5'_test";
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
non_dist_role1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
|
||||||
|
ERROR: role "dist_role4" is a member of role "dist_role3"
|
||||||
|
--Below command will not be successful since non_dist_role1 is propagated with the dependency resolution above
|
||||||
|
--however, ADMIN OPTION is not propagated for non_dist_role1 to worker 1 because the citus.enable_create_role_propagation is off
|
||||||
|
grant non_dist_role1 to dist_role4 granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4;
|
||||||
|
grant "dist_role5'_test" to dist_role1 with admin option;
|
||||||
|
grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test"
|
||||||
|
ERROR: role "dist_role5'_test" is a member of role "dist_role3"
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role2","grantor":"non_dist_role1","admin_option":false},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true},{"member":"dist_role4","role":"non_dist_role1","grantor":"dist_role1","admin_option":false}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true},{"member":"dist_role4","role":"non_dist_role1","grantor":"dist_role1","admin_option":false}]
|
||||||
|
(2 rows)
|
||||||
|
|
||||||
|
select 1 from citus_add_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role2","grantor":"non_dist_role1","admin_option":false},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true},{"member":"dist_role4","role":"non_dist_role1","grantor":"dist_role1","admin_option":false}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true},{"member":"dist_role4","role":"non_dist_role1","grantor":"dist_role1","admin_option":false}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role2","grantor":"non_dist_role1","admin_option":false},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true},{"member":"dist_role4","role":"non_dist_role1","grantor":"dist_role1","admin_option":false}]
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
--clean all resources
|
||||||
|
drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test";
|
||||||
|
drop role non_dist_role1;
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
--- Test 2: Tests from non-main database
|
||||||
|
set citus.enable_create_database_propagation to on;
|
||||||
|
create database test_granted_by_support;
|
||||||
|
select 1 from citus_remove_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
--here in below block since 'citus.enable_create_role_propagation to off ' is not effective,
|
||||||
|
--non_dist_role1 is being propagated to dist_role1 unlike main db scenario
|
||||||
|
--non_dist_role1 will be used for the test scenarios in this section
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
--dropping since it isn't non-distributed as intended
|
||||||
|
drop role non_dist_role1;
|
||||||
|
--creating non_dist_role1 again in main database
|
||||||
|
--This is actually non-distributed role
|
||||||
|
\c regression
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
NOTICE: not propagating CREATE ROLE/USER commands to other nodes
|
||||||
|
HINT: Connect to other nodes directly to manually create all necessary users and roles.
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
\c test_granted_by_support
|
||||||
|
create role dist_role1;
|
||||||
|
create role dist_role1;
|
||||||
|
ERROR: role "dist_role1" already exists
|
||||||
|
create role dist_role2;
|
||||||
|
create role dist_role3;
|
||||||
|
create role dist_role4;
|
||||||
|
create role "dist_role5'_test";
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
grant dist_role2 to dist_role1 with admin option;
|
||||||
|
grant dist_role2 to dist_role3 with admin option granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role4 with admin option;
|
||||||
|
-- With enable_create_role_propagation on, all grantees are propagated.
|
||||||
|
-- To test non-distributed grantor, set this option off for some roles.
|
||||||
|
\c regression
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
grant non_dist_role1 to dist_role1 with admin option;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
\c test_granted_by_support
|
||||||
|
grant dist_role2 to non_dist_role1 with admin option;
|
||||||
|
ERROR: failure on connection marked as essential: localhost:xxxxx
|
||||||
|
CONTEXT: while executing command on localhost:xxxxx
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role3 to "dist_role5'_test" granted by dist_role4;
|
||||||
|
grant dist_role2 to "dist_role5'_test" granted by dist_role3;
|
||||||
|
grant dist_role2 to dist_role4 granted by non_dist_role1 ;--will not be propagated since grantor is non-distributed
|
||||||
|
ERROR: role "non_dist_role1" does not exist
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role4 to "dist_role5'_test" with admin option;
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
-- Unlike maindb scenario, non-maindb scenario doesn't propagate 'create non_dist_role1' to
|
||||||
|
--workers as it doesn't create dependency objects for non-distributed roles.
|
||||||
|
grant dist_role4 to dist_role1 with admin option GRANTED BY "dist_role5'_test";
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
objid
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
(0 rows)
|
||||||
|
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
|
||||||
|
ERROR: role "dist_role4" is a member of role "dist_role3"
|
||||||
|
grant non_dist_role1 to dist_role4 granted by dist_role1;
|
||||||
|
ERROR: role "non_dist_role1" does not exist
|
||||||
|
grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4;
|
||||||
|
grant "dist_role5'_test" to dist_role1 with admin option;
|
||||||
|
grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test"
|
||||||
|
ERROR: role "dist_role5'_test" is a member of role "dist_role3"
|
||||||
|
\c regression - - :master_port
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
(2 rows)
|
||||||
|
|
||||||
|
select 1 from citus_add_node ('localhost',:worker_2_port);
|
||||||
|
?column?
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
1
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role1","role":"non_dist_role1","grantor":"postgres","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
[{"member":"dist_role1","role":"\"dist_role5'_test\"","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role2","grantor":"postgres","admin_option":true},{"member":"dist_role1","role":"dist_role3","grantor":"dist_role4","admin_option":true},{"member":"dist_role1","role":"dist_role4","grantor":"\"dist_role5'_test\"","admin_option":true},{"member":"dist_role3","role":"dist_role2","grantor":"dist_role1","admin_option":true},{"member":"dist_role4","role":"dist_role3","grantor":"postgres","admin_option":true}]
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
--clean all resources
|
||||||
|
set citus.enable_create_database_propagation to on;
|
||||||
|
drop database test_granted_by_support;
|
||||||
|
drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test";
|
||||||
|
drop role non_dist_role1;
|
||||||
|
drop role if exists non_dist_role1;
|
||||||
|
NOTICE: role "non_dist_role1" does not exist, skipping
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
result
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
(3 rows)
|
||||||
|
|
||||||
|
reset citus.enable_create_database_propagation;
|
||||||
|
|
@ -1033,7 +1033,15 @@ CREATE ROLE role5;
|
||||||
RESET citus.enable_ddl_propagation;
|
RESET citus.enable_ddl_propagation;
|
||||||
-- by default, admin option is false, inherit is true, set is true
|
-- by default, admin option is false, inherit is true, set is true
|
||||||
GRANT role3 TO role4;
|
GRANT role3 TO role4;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no granted roles are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
GRANT role3 TO role5 WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;
|
GRANT role3 TO role5 WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no grantees are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
|
NOTICE: not propagating GRANT command to other nodes
|
||||||
|
HINT: Since no granted roles are distributed, the GRANT command will not be propagated to other nodes.
|
||||||
SELECT roleid::regrole::text AS role, member::regrole::text, admin_option, inherit_option, set_option FROM pg_auth_members
|
SELECT roleid::regrole::text AS role, member::regrole::text, admin_option, inherit_option, set_option FROM pg_auth_members
|
||||||
WHERE roleid::regrole::text = 'role3' ORDER BY 1, 2;
|
WHERE roleid::regrole::text = 'role3' ORDER BY 1, 2;
|
||||||
role | member | admin_option | inherit_option | set_option
|
role | member | admin_option | inherit_option | set_option
|
||||||
|
|
|
||||||
|
|
@ -62,6 +62,7 @@ test: alter_database_propagation
|
||||||
|
|
||||||
test: citus_shards
|
test: citus_shards
|
||||||
test: reassign_owned
|
test: reassign_owned
|
||||||
|
test: granted_by_support
|
||||||
|
|
||||||
# ----------
|
# ----------
|
||||||
# multi_citus_tools tests utility functions written for citus tools
|
# multi_citus_tools tests utility functions written for citus tools
|
||||||
|
|
|
||||||
|
|
@ -75,12 +75,12 @@ SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::t
|
||||||
|
|
||||||
\c - - - :master_port
|
\c - - - :master_port
|
||||||
|
|
||||||
create role test_admin_role;
|
|
||||||
|
|
||||||
-- test grants with distributed and non-distributed roles
|
-- test grants with distributed and non-distributed roles
|
||||||
|
|
||||||
SELECT master_remove_node('localhost', :worker_2_port);
|
SELECT master_remove_node('localhost', :worker_2_port);
|
||||||
|
|
||||||
|
create role test_admin_role;
|
||||||
|
|
||||||
CREATE ROLE dist_role_1 SUPERUSER;
|
CREATE ROLE dist_role_1 SUPERUSER;
|
||||||
CREATE ROLE dist_role_2;
|
CREATE ROLE dist_role_2;
|
||||||
CREATE ROLE dist_role_3;
|
CREATE ROLE dist_role_3;
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,238 @@
|
||||||
|
-- Active: 1700033167033@@localhost@9700@gurkanindibay@public
|
||||||
|
--In below tests, complex role hierarchy is created and then granted by support is tested.
|
||||||
|
|
||||||
|
--- Test 1: Tests from main database
|
||||||
|
select 1 from citus_remove_node ('localhost',:worker_2_port);
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
|
||||||
|
create role dist_role1;
|
||||||
|
create role dist_role2;
|
||||||
|
create role dist_role3;
|
||||||
|
create role dist_role4;
|
||||||
|
create role "dist_role5'_test";
|
||||||
|
|
||||||
|
grant dist_role2 to dist_role1 with admin option;
|
||||||
|
grant dist_role2 to dist_role3 with admin option granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role4 with admin option;
|
||||||
|
|
||||||
|
-- With enable_create_role_propagation on, all grantees are propagated.
|
||||||
|
-- To test non-distributed grantor, set this option off for some roles.
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
grant non_dist_role1 to dist_role1 with admin option;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
grant dist_role2 to non_dist_role1 with admin option;
|
||||||
|
|
||||||
|
grant dist_role3 to "dist_role5'_test" granted by dist_role4;
|
||||||
|
grant dist_role2 to "dist_role5'_test" granted by dist_role3;
|
||||||
|
grant dist_role2 to dist_role4 granted by non_dist_role1 ;--will not be propagated since grantor is non-distributed
|
||||||
|
|
||||||
|
|
||||||
|
grant dist_role4 to "dist_role5'_test" with admin option;
|
||||||
|
|
||||||
|
--below command propagates the non_dist_role1 since non_dist_role1 is already granted to dist_role1
|
||||||
|
--and citus sees granted roles as a dependency and citus propagates the dependent roles
|
||||||
|
grant dist_role4 to dist_role1 with admin option GRANTED BY "dist_role5'_test";
|
||||||
|
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
|
||||||
|
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
|
||||||
|
|
||||||
|
--Below command will not be successful since non_dist_role1 is propagated with the dependency resolution above
|
||||||
|
--however, ADMIN OPTION is not propagated for non_dist_role1 to worker 1 because the citus.enable_create_role_propagation is off
|
||||||
|
grant non_dist_role1 to dist_role4 granted by dist_role1;
|
||||||
|
|
||||||
|
grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4;
|
||||||
|
grant "dist_role5'_test" to dist_role1 with admin option;
|
||||||
|
grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test"
|
||||||
|
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
|
||||||
|
select 1 from citus_add_node ('localhost',:worker_2_port);
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
|
||||||
|
--clean all resources
|
||||||
|
drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test";
|
||||||
|
drop role non_dist_role1;
|
||||||
|
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
|
||||||
|
--- Test 2: Tests from non-main database
|
||||||
|
set citus.enable_create_database_propagation to on;
|
||||||
|
create database test_granted_by_support;
|
||||||
|
|
||||||
|
select 1 from citus_remove_node ('localhost',:worker_2_port);
|
||||||
|
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
--here in below block since 'citus.enable_create_role_propagation to off ' is not effective,
|
||||||
|
--non_dist_role1 is being propagated to dist_role1 unlike main db scenario
|
||||||
|
--non_dist_role1 will be used for the test scenarios in this section
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
|
||||||
|
--dropping since it isn't non-distributed as intended
|
||||||
|
drop role non_dist_role1;
|
||||||
|
|
||||||
|
--creating non_dist_role1 again in main database
|
||||||
|
--This is actually non-distributed role
|
||||||
|
\c regression
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
create role non_dist_role1;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
create role dist_role1;
|
||||||
|
create role dist_role1;
|
||||||
|
create role dist_role2;
|
||||||
|
create role dist_role3;
|
||||||
|
create role dist_role4;
|
||||||
|
create role "dist_role5'_test";
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
grant dist_role2 to dist_role1 with admin option;
|
||||||
|
grant dist_role2 to dist_role3 with admin option granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role4 with admin option;
|
||||||
|
|
||||||
|
-- With enable_create_role_propagation on, all grantees are propagated.
|
||||||
|
-- To test non-distributed grantor, set this option off for some roles.
|
||||||
|
|
||||||
|
\c regression
|
||||||
|
set citus.enable_create_role_propagation to off;
|
||||||
|
grant non_dist_role1 to dist_role1 with admin option;
|
||||||
|
reset citus.enable_create_role_propagation;
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
grant dist_role2 to non_dist_role1 with admin option;
|
||||||
|
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role3 to "dist_role5'_test" granted by dist_role4;
|
||||||
|
grant dist_role2 to "dist_role5'_test" granted by dist_role3;
|
||||||
|
grant dist_role2 to dist_role4 granted by non_dist_role1 ;--will not be propagated since grantor is non-distributed
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role4 to "dist_role5'_test" with admin option;
|
||||||
|
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
|
||||||
|
\c test_granted_by_support
|
||||||
|
|
||||||
|
-- Unlike maindb scenario, non-maindb scenario doesn't propagate 'create non_dist_role1' to
|
||||||
|
--workers as it doesn't create dependency objects for non-distributed roles.
|
||||||
|
grant dist_role4 to dist_role1 with admin option GRANTED BY "dist_role5'_test";
|
||||||
|
|
||||||
|
\c regression - - :master_port
|
||||||
|
SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::regclass::oid AND objid::regrole::text= 'non_dist_role1' ORDER BY 1;
|
||||||
|
|
||||||
|
|
||||||
|
\c test_granted_by_support - - :worker_1_port
|
||||||
|
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
|
||||||
|
grant non_dist_role1 to dist_role4 granted by dist_role1;
|
||||||
|
grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4;
|
||||||
|
grant "dist_role5'_test" to dist_role1 with admin option;
|
||||||
|
grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test"
|
||||||
|
|
||||||
|
\c regression - - :master_port
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
select 1 from citus_add_node ('localhost',:worker_2_port);
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
|
||||||
|
--clean all resources
|
||||||
|
|
||||||
|
set citus.enable_create_database_propagation to on;
|
||||||
|
drop database test_granted_by_support;
|
||||||
|
drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test";
|
||||||
|
drop role non_dist_role1;
|
||||||
|
|
||||||
|
drop role if exists non_dist_role1;
|
||||||
|
|
||||||
|
|
||||||
|
select result FROM run_command_on_all_nodes(
|
||||||
|
$$
|
||||||
|
SELECT array_to_json(array_agg(row_to_json(t)))
|
||||||
|
FROM (
|
||||||
|
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
|
||||||
|
FROM pg_auth_members
|
||||||
|
WHERE member::regrole::text in
|
||||||
|
('dist_role1','dist_role2','dist_role3','dist_role4','"role5''_test"')
|
||||||
|
order by member::regrole::text, roleid::regrole::text
|
||||||
|
) t
|
||||||
|
$$
|
||||||
|
);
|
||||||
|
reset citus.enable_create_database_propagation;
|
||||||
Loading…
Reference in New Issue