Add pg_dist_authinfo schema and validation

This table will be used by Citus Enterprise to populate authentication-
related fields in outbound connections; Citus Community lacks support
for this functionality.

citus.control

@@ -1,6 +1,6 @@
 # Citus extension
 comment = 'Citus distributed database'
-default_version = '7.5-1'
+default_version = '7.5-2'
 module_pathname = '$libdir/citus'
 relocatable = false
 schema = pg_catalog

src/backend/distributed/Makefile

@@ -16,7 +16,7 @@ EXTVERSIONS = 5.0 5.0-1 5.0-2  \
 	7.2-1 7.2-2 7.2-3 \
 	7.3-1 7.3-2 7.3-3 \
 	7.4-1 7.4-2 7.4-3 \
-	7.5-1
+	7.5-1 7.5-2
 
 # All citus--*.sql files in the source directory
 DATA = $(patsubst $(citus_abs_srcdir)/%.sql,%.sql,$(wildcard $(citus_abs_srcdir)/$(EXTENSION)--*--*.sql))
@@ -202,6 +202,8 @@ $(EXTENSION)--7.4-3.sql: $(EXTENSION)--7.4-2.sql $(EXTENSION)--7.4-2--7.4-3.sql
 	cat $^ > $@
 $(EXTENSION)--7.5-1.sql: $(EXTENSION)--7.4-3.sql $(EXTENSION)--7.4-3--7.5-1.sql
 	cat $^ > $@
+$(EXTENSION)--7.5-2.sql: $(EXTENSION)--7.5-1.sql $(EXTENSION)--7.5-1--7.5-2.sql
+	cat $^ > $@
 
 NO_PGXS = 1
 

src/backend/distributed/citus--7.5-1--7.5-2.sql

@@ -0,0 +1,34 @@
+/* citus--7.5-1--7.5-2 */
+SET search_path = 'pg_catalog';
+
+-- note that we're not dropping the older version of the function
+CREATE FUNCTION pg_catalog.role_exists(name)
+    RETURNS boolean
+    LANGUAGE C STRICT
+    AS 'MODULE_PATHNAME', $$role_exists$$;
+COMMENT ON FUNCTION role_exists(name) IS 'returns whether a role exists';
+
+CREATE FUNCTION pg_catalog.authinfo_valid(text)
+	RETURNS boolean
+    LANGUAGE C STRICT
+    AS 'MODULE_PATHNAME', $$authinfo_valid$$;
+COMMENT ON FUNCTION authinfo_valid(text) IS 'returns whether an authinfo is valid';
+
+CREATE TABLE citus.pg_dist_authinfo (
+	nodeid integer NOT NULL,
+	rolename name NOT NULL
+	              CONSTRAINT role_exists
+								CHECK (role_exists(rolename)),
+	authinfo text NOT NULL
+	              CONSTRAINT authinfo_valid
+								CHECK (authinfo_valid(authinfo))
+);
+
+CREATE UNIQUE INDEX pg_dist_authinfo_identification_index
+ON citus.pg_dist_authinfo (rolename, nodeid DESC);
+
+ALTER TABLE citus.pg_dist_authinfo SET SCHEMA pg_catalog;
+
+REVOKE ALL ON pg_catalog.pg_dist_authinfo FROM PUBLIC;
+
+RESET search_path;

src/backend/distributed/citus.control

@@ -1,6 +1,6 @@
 # Citus extension
 comment = 'Citus distributed database'
-default_version = '7.5-1'
+default_version = '7.5-2'
 module_pathname = '$libdir/citus'
 relocatable = false
 schema = pg_catalog

src/backend/distributed/utils/metadata_cache.c

@@ -9,6 +9,7 @@
 
 #include "stdint.h"
 #include "postgres.h"
+#include "libpq-fe.h"
 #include "miscadmin.h"
 
 #include "access/genam.h"
@@ -26,6 +27,7 @@
 #include "commands/extension.h"
 #include "commands/trigger.h"
 #include "distributed/colocation_utils.h"
+#include "distributed/connection_management.h"
 #include "distributed/citus_ruleutils.h"
 #include "distributed/master_metadata_utility.h"
 #include "distributed/metadata_cache.h"
@@ -48,6 +50,7 @@
 #include "utils/builtins.h"
 #include "utils/catcache.h"
 #include "utils/datum.h"
+#include "utils/elog.h"
 #include "utils/hsearch.h"
 #include "utils/inval.h"
 #include "utils/fmgroids.h"
@@ -209,6 +212,8 @@ PG_FUNCTION_INFO_V1(master_dist_shard_cache_invalidate);
 PG_FUNCTION_INFO_V1(master_dist_placement_cache_invalidate);
 PG_FUNCTION_INFO_V1(master_dist_node_cache_invalidate);
 PG_FUNCTION_INFO_V1(master_dist_local_group_cache_invalidate);
+PG_FUNCTION_INFO_V1(role_exists);
+PG_FUNCTION_INFO_V1(authinfo_valid);
 
 
 /*
@@ -3429,3 +3434,34 @@ DistNodeMetadata(void)
 
 	return metadata;
 }
+
+
+/*
+ * role_exists is a check constraint which ensures that roles referenced in the
+ * pg_dist_authinfo catalog actually exist (at least at the time of insertion).
+ */
+Datum
+role_exists(PG_FUNCTION_ARGS)
+{
+	Name roleName = PG_GETARG_NAME(0);
+	bool roleExists = SearchSysCacheExists1(AUTHNAME, NameGetDatum(roleName));
+
+	PG_RETURN_BOOL(roleExists);
+}
+
+
+/*
+ * authinfo_valid is a check constraint which errors on all rows, intended for
+ * use in prohibiting writes to pg_dist_authinfo in Citus Community.
+ */
+Datum
+authinfo_valid(PG_FUNCTION_ARGS)
+{
+	ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+					errmsg("cannot write to pg_dist_authinfo"),
+					errdetail("Citus Community Edition does not support the use of "
+							  "custom authentication options."),
+					errhint("To learn more about using advanced authentication schemes "
+							"with Citus, please contact us at "
+							"https://citusdata.com/about/contact_us")));
+}

src/test/regress/expected/multi_metadata_access.out

@@ -19,8 +19,9 @@ WHERE
     AND nsp.nspname = 'pg_catalog'
     AND NOT has_table_privilege(pg_class.oid, 'select');
        oid        
------
+------------------
-(0 rows)
+ pg_dist_authinfo
+(1 row)
 
 RESET role;
 DROP USER no_access;

src/test/regress/expected/multi_utility_warnings.out

@@ -14,3 +14,7 @@ HINT:  Connect to worker nodes directly to manually create all necessary users a
 CREATE USER new_user;
 NOTICE:  not propagating CREATE ROLE/USER commands to worker nodes
 HINT:  Connect to worker nodes directly to manually create all necessary users and roles.
+INSERT INTO pg_dist_authinfo VALUES (0, 'new_user', 'password=1234');
+ERROR:  cannot write to pg_dist_authinfo
+DETAIL:  Citus Community Edition does not support the use of custom authentication options.
+HINT:  To learn more about using advanced authentication schemes with Citus, please contact us at https://citusdata.com/about/contact_us

src/test/regress/multi_schedule

@@ -129,7 +129,7 @@ test: multi_create_schema
 
 # ----------
 # Tests to check if we inform the user about potential caveats of creating new
-# databases, schemas, and roles.
+# databases, schemas, roles, and authentication information.
 # ----------
 test: multi_utility_warnings
 

src/test/regress/sql/multi_utility_warnings.sql

@@ -14,3 +14,5 @@ CREATE DATABASE new_database;
 CREATE ROLE new_role;
 
 CREATE USER new_user;
+
+INSERT INTO pg_dist_authinfo VALUES (0, 'new_user', 'password=1234');

windows/include/citus_version.h

@@ -5,7 +5,7 @@
 #define CITUS_EDITION "community"
 
 /* Extension version expected by this Citus build */
-#define CITUS_EXTENSIONVERSION "7.5-1"
+#define CITUS_EXTENSIONVERSION "7.5-2"
 
 /* Citus major version as a string */
 #define CITUS_MAJORVERSION "7.5"