diff --git a/citus.control b/citus.control
index b2105c054..702b3b705 100644
--- a/citus.control
+++ b/citus.control
@@ -1,6 +1,6 @@
 # Citus extension
 comment = 'Citus distributed database'
-default_version = '7.5-1'
+default_version = '7.5-2'
 module_pathname = '$libdir/citus'
 relocatable = false
 schema = pg_catalog
diff --git a/src/backend/distributed/Makefile b/src/backend/distributed/Makefile
index 8a65bb9f0..2131f5eb1 100644
--- a/src/backend/distributed/Makefile
+++ b/src/backend/distributed/Makefile
@@ -16,7 +16,7 @@ EXTVERSIONS = 5.0 5.0-1 5.0-2 \
 7.2-1 7.2-2 7.2-3 \
 7.3-1 7.3-2 7.3-3 \
 7.4-1 7.4-2 7.4-3 \
- 7.5-1
+ 7.5-1 7.5-2
 # All citus--*.sql files in the source directory
 DATA = $(patsubst $(citus_abs_srcdir)/%.sql,%.sql,$(wildcard $(citus_abs_srcdir)/$(EXTENSION)--*--*.sql))
@@ -202,6 +202,8 @@ $(EXTENSION)--7.4-3.sql: $(EXTENSION)--7.4-2.sql $(EXTENSION)--7.4-2--7.4-3.sql
 cat $^ > $@
 $(EXTENSION)--7.5-1.sql: $(EXTENSION)--7.4-3.sql $(EXTENSION)--7.4-3--7.5-1.sql
 cat $^ > $@
+$(EXTENSION)--7.5-2.sql: $(EXTENSION)--7.5-1.sql $(EXTENSION)--7.5-1--7.5-2.sql
+ cat $^ > $@
 NO_PGXS = 1
diff --git a/src/backend/distributed/citus--7.5-1--7.5-2.sql b/src/backend/distributed/citus--7.5-1--7.5-2.sql
new file mode 100644
index 000000000..1f6dafedf
--- /dev/null
+++ b/src/backend/distributed/citus--7.5-1--7.5-2.sql
@@ -0,0 +1,34 @@
+/* citus--7.5-1--7.5-2 */
+SET search_path = 'pg_catalog';
+
+-- note that we're not dropping the older version of the function
+CREATE FUNCTION pg_catalog.role_exists(name)
+ RETURNS boolean
+ LANGUAGE C STRICT
+ AS 'MODULE_PATHNAME', $$role_exists$$;
+COMMENT ON FUNCTION role_exists(name) IS 'returns whether a role exists';
+
+CREATE FUNCTION pg_catalog.authinfo_valid(text)
+ RETURNS boolean
+ LANGUAGE C STRICT
+ AS 'MODULE_PATHNAME', $$authinfo_valid$$;
+COMMENT ON FUNCTION authinfo_valid(text) IS 'returns whether an authinfo is valid';
+
+CREATE TABLE citus.pg_dist_authinfo (
+ nodeid integer NOT NULL,
+ rolename name NOT NULL
+ CONSTRAINT role_exists
+ CHECK (role_exists(rolename)),
+ authinfo text NOT NULL
+ CONSTRAINT authinfo_valid
+ CHECK (authinfo_valid(authinfo))
+);
+
+CREATE UNIQUE INDEX pg_dist_authinfo_identification_index
+ON citus.pg_dist_authinfo (rolename, nodeid DESC);
+
+ALTER TABLE citus.pg_dist_authinfo SET SCHEMA pg_catalog;
+
+REVOKE ALL ON pg_catalog.pg_dist_authinfo FROM PUBLIC;
+
+RESET search_path;
diff --git a/src/backend/distributed/citus.control b/src/backend/distributed/citus.control
index b2105c054..702b3b705 100644
--- a/src/backend/distributed/citus.control
+++ b/src/backend/distributed/citus.control
@@ -1,6 +1,6 @@
 # Citus extension
 comment = 'Citus distributed database'
-default_version = '7.5-1'
+default_version = '7.5-2'
 module_pathname = '$libdir/citus'
 relocatable = false
 schema = pg_catalog
diff --git a/src/backend/distributed/utils/metadata_cache.c b/src/backend/distributed/utils/metadata_cache.c
index 480ec695c..e42ea025e 100644
--- a/src/backend/distributed/utils/metadata_cache.c
+++ b/src/backend/distributed/utils/metadata_cache.c
@@ -9,6 +9,7 @@
 #include "stdint.h"
 #include "postgres.h"
+#include "libpq-fe.h"
 #include "miscadmin.h"
 #include "access/genam.h"
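Review bot: The `role_exists(rolename)` CHECK in citus--7.5-1--7.5-2.sql runs only when a row is written, so a `pg_dist_authinfo` row outlives `DROP ROLE` and would match any role later created under the same name; nothing in this migration removes or flags such rows. For a table meant to hold connection credentials that deserves a comment beside the constraint, e.g. `-- evaluated at write time only; rows are not removed when the role is dropped`. Both functions are `STRICT`, so the `authinfo_valid` gate holds only because `authinfo` is `NOT NULL` (a NULL argument would skip the call and satisfy the CHECK); I would note that dependency on the column too. The leading comment `-- note that we're not dropping the older version of the function` does not appear to describe these two newly created functions and looks carried over.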
@@ -26,6 +27,7 @@
 #include "commands/extension.h"
 #include "commands/trigger.h"
 #include "distributed/colocation_utils.h"
+#include "distributed/connection_management.h"
 #include "distributed/citus_ruleutils.h"
 #include "distributed/master_metadata_utility.h"
 #include "distributed/metadata_cache.h"
@@ -48,6 +50,7 @@
 #include "utils/builtins.h"
 #include "utils/catcache.h"
 #include "utils/datum.h"
+#include "utils/elog.h"
 #include "utils/hsearch.h"
 #include "utils/inval.h"
 #include "utils/fmgroids.h"
@@ -209,6 +212,8 @@ PG_FUNCTION_INFO_V1(master_dist_shard_cache_invalidate);
 PG_FUNCTION_INFO_V1(master_dist_placement_cache_invalidate);
 PG_FUNCTION_INFO_V1(master_dist_node_cache_invalidate);
 PG_FUNCTION_INFO_V1(master_dist_local_group_cache_invalidate);
+PG_FUNCTION_INFO_V1(role_exists);
+PG_FUNCTION_INFO_V1(authinfo_valid);
 /*
@@ -3429,3 +3434,34 @@ DistNodeMetadata(void)
 return metadata;
 }
+
+
+/*
+ * role_exists is a check constraint which ensures that roles referenced in the
+ * pg_dist_authinfo catalog actually exist (at least at the time of insertion).
+ */
+Datum
+role_exists(PG_FUNCTION_ARGS)
+{
+ Name roleName = PG_GETARG_NAME(0);
+ bool roleExists = SearchSysCacheExists1(AUTHNAME, NameGetDatum(roleName));
+
+ PG_RETURN_BOOL(roleExists);
+}
+
+
+/*
+ * authinfo_valid is a check constraint which errors on all rows, intended for
+ * use in prohibiting writes to pg_dist_authinfo in Citus Community.
+ */
+Datum
+authinfo_valid(PG_FUNCTION_ARGS)
+{
+ ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("cannot write to pg_dist_authinfo"),
+ errdetail("Citus Community Edition does not support the use of "
+ "custom authentication options."),
+ errhint("To learn more about using advanced authentication schemes "
+ "with Citus, please contact us at "
+ "https://citusdata.com/about/contact_us")));
+}
diff --git a/src/test/regress/expected/multi_metadata_access.out b/src/test/regress/expected/multi_metadata_access.out
index 63ea37dd1..fa6e09250 100644
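Review bot: In `authinfo_valid` (metadata_cache.c) the write is refused only after the client has already sent the authinfo value, and because the refusal is an ERROR-level report, PostgreSQL's default `log_min_error_statement = error` writes the failing statement to the server log, so a literal such as the `password=...` string used in the regression test ends up there. The function comment should say so, for example `* Note: the rejected statement, including any authinfo literal, may appear in the server log.`, so operators treat logs from such attempts as sensitive. The three added includes (`libpq-fe.h`, `distributed/connection_management.h`, `utils/elog.h`) do not appear to be needed by the code added in these hunks; `postgres.h` already pulls in `utils/elog.h`.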
--- a/src/test/regress/expected/multi_metadata_access.out
+++ b/src/test/regress/expected/multi_metadata_access.out
@@ -18,9 +18,10 @@ WHERE
 AND ext.extname = 'citus'
 AND nsp.nspname = 'pg_catalog'
 AND NOT has_table_privilege(pg_class.oid, 'select');
- oid
------
-(0 rows)
+ oid
+------------------
+ pg_dist_authinfo
+(1 row)
 RESET role;
 DROP USER no_access;
diff --git a/src/test/regress/expected/multi_utility_warnings.out b/src/test/regress/expected/multi_utility_warnings.out
index 94d54133c..ed9ecbcd5 100644
--- a/src/test/regress/expected/multi_utility_warnings.out
+++ b/src/test/regress/expected/multi_utility_warnings.out
@@ -14,3 +14,7 @@ HINT: Connect to worker nodes directly to manually create all necessary users a
 CREATE USER new_user;
 NOTICE: not propagating CREATE ROLE/USER commands to worker nodes
 HINT: Connect to worker nodes directly to manually create all necessary users and roles.
+INSERT INTO pg_dist_authinfo VALUES (0, 'new_user', 'password=1234');
+ERROR: cannot write to pg_dist_authinfo
+DETAIL: Citus Community Edition does not support the use of custom authentication options.
+HINT: To learn more about using advanced authentication schemes with Citus, please contact us at https://citusdata.com/about/contact_us
diff --git a/src/test/regress/multi_schedule b/src/test/regress/multi_schedule
index a2b3a4428..89ee73b47 100644
--- a/src/test/regress/multi_schedule
+++ b/src/test/regress/multi_schedule
@@ -129,7 +129,7 @@ test: multi_create_schema
 # ----------
 # Tests to check if we inform the user about potential caveats of creating new
-# databases, schemas, and roles.
+# databases, schemas, roles, and authentication information.
 # ----------
 test: multi_utility_warnings
diff --git a/src/test/regress/sql/multi_utility_warnings.sql b/src/test/regress/sql/multi_utility_warnings.sql
index 426c23474..cfb03675f 100644
--- a/src/test/regress/sql/multi_utility_warnings.sql
+++ b/src/test/regress/sql/multi_utility_warnings.sql
@@ -14,3 +14,5 @@ CREATE DATABASE new_database;
 CREATE ROLE new_role;
 CREATE USER new_user;
+
+INSERT INTO pg_dist_authinfo VALUES (0, 'new_user', 'password=1234');
diff --git a/windows/include/citus_version.h b/windows/include/citus_version.h
index a7e345cb3..4e03799a1 100644
--- a/windows/include/citus_version.h
+++ b/windows/include/citus_version.h
@@ -5,7 +5,7 @@
 #define CITUS_EDITION "community"
 /* Extension version expected by this Citus build */
-#define CITUS_EXTENSIONVERSION "7.5-1"
+#define CITUS_EXTENSIONVERSION "7.5-2"
 /* Citus major version as a string */
 #define CITUS_MAJORVERSION "7.5"
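Review bot: The new `INSERT INTO pg_dist_authinfo VALUES (...)` in multi_utility_warnings.sql relies on column order and exercises only the `authinfo_valid` rejection; `role_exists` is never checked against a role that does not exist. I would name the columns, `INSERT INTO pg_dist_authinfo (nodeid, rolename, authinfo) VALUES (0, 'new_user', 'password=1234');`, and add a direct call such as `SELECT role_exists('new_user'), role_exists('no_such_role');`, since the table constraint presumably cannot reach that path while `authinfo_valid` rejects every row.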