Merge pull request #1062 from citusdata/grant_public_select_access_to_metadata_tables

GRANT SELECT access for metadata tables to public
2016-12-23 16:43:15 +03:00 · 2016-12-23 16:43:15 +03:00 · 5cd21771a9
parent d608ef3311 0851fd2f0b
commit 5cd21771a9
9 changed files with 71 additions and 3 deletions
--- a/src/backend/distributed/Makefile
+++ b/src/backend/distributed/Makefile
@ -9,7 +9,7 @@ EXTVERSIONS = 5.0 5.0-1 5.0-2  \
 	5.1-1 5.1-2 5.1-3 5.1-4 5.1-5 5.1-6 5.1-7 5.1-8 \
 	5.2-1 5.2-2 5.2-3 5.2-4 \
 	6.0-1 6.0-2 6.0-3 6.0-4 6.0-5 6.0-6 6.0-7 6.0-8 6.0-9 6.0-10 6.0-11 6.0-12 6.0-13 6.0-14 6.0-15 6.0-16 6.0-17 6.0-18 \
-	6.1-1 6.1-2 6.1-3 6.1-4 6.1-5 6.1-6 6.1-7 6.1-8 6.1-9
+	6.1-1 6.1-2 6.1-3 6.1-4 6.1-5 6.1-6 6.1-7 6.1-8 6.1-9 6.1-10

 # All citus--*.sql files in the source directory
 DATA = $(patsubst $(citus_abs_srcdir)/%.sql,%.sql,$(wildcard $(citus_abs_srcdir)/$(EXTENSION)--*--*.sql))
@ -113,6 +113,8 @@ $(EXTENSION)--6.1-8.sql: $(EXTENSION)--6.1-7.sql $(EXTENSION)--6.1-7--6.1-8.sql
 	cat $^ > $@
 $(EXTENSION)--6.1-9.sql: $(EXTENSION)--6.1-8.sql $(EXTENSION)--6.1-8--6.1-9.sql
 	cat $^ > $@
+$(EXTENSION)--6.1-10.sql: $(EXTENSION)--6.1-9.sql $(EXTENSION)--6.1-9--6.1-10.sql
+	cat $^ > $@

 NO_PGXS = 1

--- a/src/backend/distributed/citus--6.1-8--6.1-9.sql
+++ b/src/backend/distributed/citus--6.1-8--6.1-9.sql
@ -86,4 +86,4 @@ $cdbdt$;
 COMMENT ON FUNCTION citus_drop_trigger()
    IS 'perform checks and actions at the end of DROP actions';
    
-RESET search_path;
+RESET search_path;
--- a/src/backend/distributed/citus--6.1-9--6.1-10.sql
+++ b/src/backend/distributed/citus--6.1-9--6.1-10.sql
@ -0,0 +1,10 @@
+/* citus--6.1-9--6.1-10.sql */
+
+GRANT SELECT ON pg_catalog.pg_dist_node TO public;
+GRANT SELECT ON pg_catalog.pg_dist_colocation TO public;
+GRANT SELECT ON pg_catalog.pg_dist_colocationid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_groupid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_node_nodeid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_shard_placement_placementid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_shardid_seq TO public;
+GRANT SELECT ON pg_catalog.pg_dist_jobid_seq TO public;
--- a/src/backend/distributed/citus.control
+++ b/src/backend/distributed/citus.control
@ -1,6 +1,6 @@
 # Citus extension
 comment = 'Citus distributed database'
-default_version = '6.1-9'
+default_version = '6.1-10'
 module_pathname = '$libdir/citus'
 relocatable = false
 schema = pg_catalog
--- a/src/test/regress/expected/multi_extension.out
+++ b/src/test/regress/expected/multi_extension.out
@ -67,6 +67,7 @@ ALTER EXTENSION citus UPDATE TO '6.1-6';
 ALTER EXTENSION citus UPDATE TO '6.1-7';
 ALTER EXTENSION citus UPDATE TO '6.1-8';
 ALTER EXTENSION citus UPDATE TO '6.1-9';
+ALTER EXTENSION citus UPDATE TO '6.1-10';
 -- ensure no objects were created outside pg_catalog
 SELECT COUNT(*)
 FROM pg_depend AS pgd,
--- a/src/test/regress/expected/multi_metadata_access.out
+++ b/src/test/regress/expected/multi_metadata_access.out
@ -0,0 +1,27 @@
+--
+-- MULTI_METADATA_ACCESS
+--
+ALTER SEQUENCE pg_catalog.pg_dist_shardid_seq RESTART 1360000;
+ALTER SEQUENCE pg_catalog.pg_dist_jobid_seq RESTART 1360000;
+CREATE USER no_access;
+NOTICE:  not propagating CREATE ROLE/USER commands to worker nodes
+HINT:  Connect to worker nodes directly to manually create all necessary users and roles.
+SET ROLE no_access;
+-- list relations in the citus extension without sufficient privileges
+SELECT pg_class.oid::regclass
+FROM pg_class
+    JOIN pg_namespace nsp ON (pg_class.relnamespace = nsp.oid)
+    JOIN pg_depend dep ON(objid = pg_class.oid)
+    JOIN pg_extension ext ON (ext.oid = dep.refobjid)
+WHERE
+    refclassid = 'pg_extension'::regclass
+    AND classid ='pg_class'::regclass
+    AND ext.extname = 'citus'
+    AND nsp.nspname = 'pg_catalog'
+    AND NOT has_table_privilege(pg_class.oid, 'select');
+ oid 
+-----
+(0 rows)
+
+RESET role;
+DROP USER no_access;
--- a/src/test/regress/multi_schedule
+++ b/src/test/regress/multi_schedule
@ -19,6 +19,7 @@ test: multi_extension
 test: multi_cluster_management
 test: multi_table_ddl
 test: multi_name_lengths
+test: multi_metadata_access

 # ----------
 # The following distributed tests depend on creating a partitioned table and
--- a/src/test/regress/sql/multi_extension.sql
+++ b/src/test/regress/sql/multi_extension.sql
@ -67,6 +67,7 @@ ALTER EXTENSION citus UPDATE TO '6.1-6';
 ALTER EXTENSION citus UPDATE TO '6.1-7';
 ALTER EXTENSION citus UPDATE TO '6.1-8';
 ALTER EXTENSION citus UPDATE TO '6.1-9';
+ALTER EXTENSION citus UPDATE TO '6.1-10';

 -- ensure no objects were created outside pg_catalog
 SELECT COUNT(*)
--- a/src/test/regress/sql/multi_metadata_access.sql
+++ b/src/test/regress/sql/multi_metadata_access.sql
@ -0,0 +1,26 @@
+--
+-- MULTI_METADATA_ACCESS
+--
+
+ALTER SEQUENCE pg_catalog.pg_dist_shardid_seq RESTART 1360000;
+ALTER SEQUENCE pg_catalog.pg_dist_jobid_seq RESTART 1360000;
+
+CREATE USER no_access;
+SET ROLE no_access;
+
+-- list relations in the citus extension without sufficient privileges
+SELECT pg_class.oid::regclass
+FROM pg_class
+    JOIN pg_namespace nsp ON (pg_class.relnamespace = nsp.oid)
+    JOIN pg_depend dep ON(objid = pg_class.oid)
+    JOIN pg_extension ext ON (ext.oid = dep.refobjid)
+WHERE
+    refclassid = 'pg_extension'::regclass
+    AND classid ='pg_class'::regclass
+    AND ext.extname = 'citus'
+    AND nsp.nspname = 'pg_catalog'
+    AND NOT has_table_privilege(pg_class.oid, 'select');
+
+
+RESET role;
+DROP USER no_access;