From 0851fd2f0bb28778253f38098c438ae20381e606 Mon Sep 17 00:00:00 2001
From: Burak Yucesoy
Date: Fri, 23 Dec 2016 13:24:40 +0300
Subject: [PATCH] GRANT SELECT access for metadata tables to public

Previously, we errored out if non-user tries to SELECT query for some metadata tables. It seems that we already GRANT SELECT access to some metadata tables but not others. With this change, we GRANT SELECT access to all existing Citus metadata tables.
---
 src/backend/distributed/Makefile | 4 ++-
 .../distributed/citus--6.1-8--6.1-9.sql | 2 +-
 .../distributed/citus--6.1-9--6.1-10.sql | 10 +++++++
 src/backend/distributed/citus.control | 2 +-
 src/test/regress/expected/multi_extension.out | 1 +
 .../expected/multi_metadata_access.out | 27 +++++++++++++++++++
 src/test/regress/multi_schedule | 1 +
 src/test/regress/sql/multi_extension.sql | 1 +
 .../regress/sql/multi_metadata_access.sql | 26 ++++++++++++++++++
 9 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 src/backend/distributed/citus--6.1-9--6.1-10.sql
 create mode 100644 src/test/regress/expected/multi_metadata_access.out
 create mode 100644 src/test/regress/sql/multi_metadata_access.sql

diff --git a/src/backend/distributed/Makefile b/src/backend/distributed/Makefile
index 2b723556c..ea8dcca1b 100644
--- a/src/backend/distributed/Makefile
+++ b/src/backend/distributed/Makefile
@@ -9,7 +9,7 @@ EXTVERSIONS = 5.0 5.0-1 5.0-2 \
 5.1-1 5.1-2 5.1-3 5.1-4 5.1-5 5.1-6 5.1-7 5.1-8 \
 5.2-1 5.2-2 5.2-3 5.2-4 \
 6.0-1 6.0-2 6.0-3 6.0-4 6.0-5 6.0-6 6.0-7 6.0-8 6.0-9 6.0-10 6.0-11 6.0-12 6.0-13 6.0-14 6.0-15 6.0-16 6.0-17 6.0-18 \
- 6.1-1 6.1-2 6.1-3 6.1-4 6.1-5 6.1-6 6.1-7 6.1-8 6.1-9
+ 6.1-1 6.1-2 6.1-3 6.1-4 6.1-5 6.1-6 6.1-7 6.1-8 6.1-9 6.1-10
 # All citus--*.sql files in the source directory
 DATA = $(patsubst $(citus_abs_srcdir)/%.sql,%.sql,$(wildcard $(citus_abs_srcdir)/$(EXTENSION)--*--*.sql))
@@ -113,6 +113,8 @@ $(EXTENSION)--6.1-8.sql: $(EXTENSION)--6.1-7.sql $(EXTENSION)--6.1-7--6.1-8.sql
 cat $^ > $@
 $(EXTENSION)--6.1-9.sql: $(EXTENSION)--6.1-8.sql $(EXTENSION)--6.1-8--6.1-9.sql
 cat $^ > $@
+$(EXTENSION)--6.1-10.sql: $(EXTENSION)--6.1-9.sql $(EXTENSION)--6.1-9--6.1-10.sql
+ cat $^ > $@
 NO_PGXS = 1
diff --git a/src/backend/distributed/citus--6.1-8--6.1-9.sql b/src/backend/distributed/citus--6.1-8--6.1-9.sql
index a1bfd7634..180efa828 100644
--- a/src/backend/distributed/citus--6.1-8--6.1-9.sql
+++ b/src/backend/distributed/citus--6.1-8--6.1-9.sql
@@ -86,4 +86,4 @@ $cdbdt$;
 COMMENT ON FUNCTION citus_drop_trigger() IS 'perform checks and actions at the end of DROP actions';
-RESET search_path;
\ No newline at end of file
+RESET search_path;
diff --git a/src/backend/distributed/citus--6.1-9--6.1-10.sql b/src/backend/distributed/citus--6.1-9--6.1-10.sql
new file mode 100644
index 000000000..7a8ced7c0
--- /dev/null
+++ b/src/backend/distributed/citus--6.1-9--6.1-10.sql
@@ -0,0 +1,10 @@
+/* citus--6.1-9--6.1-10.sql */
+
+GRANT SELECT ON pg_catalog.pg_dist_node TO public;
+GRANT SELECT ON pg_catalog.pg_dist_colocation TO public;
+GRANT SELECT ON pg_catalog.pg_dist_colocationid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_groupid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_node_nodeid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_shard_placement_placementid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_shardid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_jobid_seq TO public;
diff --git a/src/backend/distributed/citus.control b/src/backend/distributed/citus.control
index 1413d9ba1..916243b9c 100644
--- a/src/backend/distributed/citus.control
+++ b/src/backend/distributed/citus.control
@@ -1,6 +1,6 @@
 # Citus extension
 comment = 'Citus distributed database'
-default_version = '6.1-9'
+default_version = '6.1-10'
 module_pathname = '$libdir/citus'
 relocatable = false
 schema = pg_catalog
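Review bot: The new file citus--6.1-9--6.1-10.sql grants to `public` without any comment on the exposure, so every role in the database, including roles created later, can read `pg_dist_node` and `pg_dist_colocation`. `pg_dist_node` appears to hold the worker node addresses, which makes cluster topology visible to unprivileged roles; that may well be intended, but the migration should say so where an operator will find it. I would add above the GRANTs: `-- Citus metadata is readable by every role by design. SELECT on a sequence exposes its current state only; nextval/setval still need USAGE or UPDATE.` The list is also fixed, so relations introduced by later versions need their own grant; the regression test added in this commit looks like it would catch an omission.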
diff --git a/src/test/regress/expected/multi_extension.out b/src/test/regress/expected/multi_extension.out
index 1c9e7539c..1efe9a1c1 100644
--- a/src/test/regress/expected/multi_extension.out
+++ b/src/test/regress/expected/multi_extension.out
@@ -67,6 +67,7 @@ ALTER EXTENSION citus UPDATE TO '6.1-6';
 ALTER EXTENSION citus UPDATE TO '6.1-7';
 ALTER EXTENSION citus UPDATE TO '6.1-8';
 ALTER EXTENSION citus UPDATE TO '6.1-9';
+ALTER EXTENSION citus UPDATE TO '6.1-10';
 -- ensure no objects were created outside pg_catalog
 SELECT COUNT(*)
 FROM pg_depend AS pgd,
diff --git a/src/test/regress/expected/multi_metadata_access.out b/src/test/regress/expected/multi_metadata_access.out
new file mode 100644
index 000000000..8e7b74904
--- /dev/null
+++ b/src/test/regress/expected/multi_metadata_access.out
@@ -0,0 +1,27 @@
+--
+-- MULTI_METADATA_ACCESS
+--
+ALTER SEQUENCE pg_catalog.pg_dist_shardid_seq RESTART 1360000;
+ALTER SEQUENCE pg_catalog.pg_dist_jobid_seq RESTART 1360000;
+CREATE USER no_access;
+NOTICE: not propagating CREATE ROLE/USER commands to worker nodes
+HINT: Connect to worker nodes directly to manually create all necessary users and roles.
+SET ROLE no_access;
+-- list relations in the citus extension without sufficient privileges
+SELECT pg_class.oid::regclass
+FROM pg_class
+ JOIN pg_namespace nsp ON (pg_class.relnamespace = nsp.oid)
+ JOIN pg_depend dep ON(objid = pg_class.oid)
+ JOIN pg_extension ext ON (ext.oid = dep.refobjid)
+WHERE
+ refclassid = 'pg_extension'::regclass
+ AND classid ='pg_class'::regclass
+ AND ext.extname = 'citus'
+ AND nsp.nspname = 'pg_catalog'
+ AND NOT has_table_privilege(pg_class.oid, 'select');
+ oid
+-----
+(0 rows)
+
+RESET role;
+DROP USER no_access;
diff --git a/src/test/regress/multi_schedule b/src/test/regress/multi_schedule
index 5b57052f4..ec5b60acf 100644
--- a/src/test/regress/multi_schedule
+++ b/src/test/regress/multi_schedule
@@ -19,6 +19,7 @@ test: multi_extension
 test: multi_cluster_management
 test: multi_table_ddl
 test: multi_name_lengths
+test: multi_metadata_access
 # ----------
 # The following distributed tests depend on creating a partitioned table and
diff --git a/src/test/regress/sql/multi_extension.sql b/src/test/regress/sql/multi_extension.sql
index ebeb66a3f..c1bee41eb 100644
--- a/src/test/regress/sql/multi_extension.sql
+++ b/src/test/regress/sql/multi_extension.sql
@@ -67,6 +67,7 @@ ALTER EXTENSION citus UPDATE TO '6.1-6';
 ALTER EXTENSION citus UPDATE TO '6.1-7';
 ALTER EXTENSION citus UPDATE TO '6.1-8';
 ALTER EXTENSION citus UPDATE TO '6.1-9';
+ALTER EXTENSION citus UPDATE TO '6.1-10';
 -- ensure no objects were created outside pg_catalog
 SELECT COUNT(*)
diff --git a/src/test/regress/sql/multi_metadata_access.sql b/src/test/regress/sql/multi_metadata_access.sql
new file mode 100644
index 000000000..eac112e38
--- /dev/null
+++ b/src/test/regress/sql/multi_metadata_access.sql
@@ -0,0 +1,26 @@
+--
+-- MULTI_METADATA_ACCESS
+--
+
+ALTER SEQUENCE pg_catalog.pg_dist_shardid_seq RESTART 1360000;
+ALTER SEQUENCE pg_catalog.pg_dist_jobid_seq RESTART 1360000;
+
+CREATE USER no_access;
+SET ROLE no_access;
+
+-- list relations in the citus extension without sufficient privileges
+SELECT pg_class.oid::regclass
+FROM pg_class
+ JOIN pg_namespace nsp ON (pg_class.relnamespace = nsp.oid)
+ JOIN pg_depend dep ON(objid = pg_class.oid)
+ JOIN pg_extension ext ON (ext.oid = dep.refobjid)
+WHERE
+ refclassid = 'pg_extension'::regclass
+ AND classid ='pg_class'::regclass
+ AND ext.extname = 'citus'
+ AND nsp.nspname = 'pg_catalog'
+ AND NOT has_table_privilege(pg_class.oid, 'select');
+
+
+RESET role;
+DROP USER no_access;
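Review bot: The query in sql/multi_metadata_access.sql only asserts that `no_access` holds SELECT on every Citus relation in pg_catalog; nothing checks that the role holds no write privilege, so a later migration that over-grants to `public` would pass this test unnoticed. A second query with the same joins and the last predicate changed to `AND has_table_privilege(pg_class.oid, 'insert, update, delete, truncate')`, presumably also expecting zero rows, would pin the read-only intent; expected/multi_metadata_access.out would need the matching output. As a point of style, `ON(objid = pg_class.oid)` and the bare `refclassid` / `classid` predicates would be safer qualified as `dep.objid`, `dep.refclassid` and `dep.classid`, so that a future join cannot make them ambiguous.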