external
/
citus
mirror of https://github.com/citusdata/citus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4747 from citusdata/col/grant-access

pull/4750/head^2
Onur Tirtir 2021-02-26 12:46:00 +03:00 committed by GitHub
parent 5ed954844c 54ac924bef
commit 5e6030b87f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 126 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/backend/columnar/sql/columnar--10.0-1--10.0-2.sql Normal file
View File

@ -0,0 +1,5 @@
/* columnar--10.0-1--10.0-2.sql */
-- grant read access for columnar metadata tables to unprivileged user
GRANT USAGE ON SCHEMA columnar TO PUBLIC;
GRANT SELECT ON ALL tables IN SCHEMA columnar TO PUBLIC ;

5
src/backend/columnar/sql/downgrades/columnar--10.0-2--10.0-1.sql Normal file
View File

@ -0,0 +1,5 @@
/* columnar--10.0-2--10.0-1.sql */
-- revoke read access for columnar metadata tables from unprivileged user
REVOKE USAGE ON SCHEMA columnar FROM PUBLIC;
REVOKE SELECT ON ALL tables IN SCHEMA columnar FROM PUBLIC;

3
src/backend/distributed/sql/citus--10.0-1--10.0-2.sql Normal file
View File

@ -0,0 +1,3 @@
-- citus--10.0-1--10.0-2
#include "../../columnar/sql/columnar--10.0-1--10.0-2.sql"

2
src/backend/distributed/sql/citus--10.0-1--10.1-1.sql → src/backend/distributed/sql/citus--10.0-2--10.1-1.sql
View File

@ -1,4 +1,4 @@
-- citus--10.0-1--10.1-1 -- citus--10.0-2--10.1-1
-- bump version to 10.1-1 -- bump version to 10.1-1

2
src/backend/distributed/sql/downgrades/citus--10.0-2--10.0-1.sql Normal file
View File

@ -0,0 +1,2 @@
/* citus--10.0-2--10.0-1.sql */
#include "../../../columnar/sql/downgrades/columnar--10.0-2--10.0-1.sql"

3
src/backend/distributed/sql/downgrades/citus--10.1-1--10.0-1.sql
View File

@ -1,3 +0,0 @@
-- citus--10.1-1--10.0-1
-- this is an empty downgrade path since citus--10.0-1--10.1-1.sql is empty for now

3
src/backend/distributed/sql/downgrades/citus--10.1-1--10.0-2.sql Normal file
View File

@ -0,0 +1,3 @@
-- citus--10.1-1--10.0-2
-- this is an empty downgrade path since citus--10.0-2--10.1-1.sql is empty for now

20
src/test/regress/expected/multi_extension.out
View File

@ -515,8 +515,8 @@ SELECT * FROM print_extension_changes();
| view time_partitions | view time_partitions
(67 rows) (67 rows)
-- Test downgrade to 10.0-1 from 10.1-1 -- Test downgrade to 10.0-1 from 10.0-2
ALTER EXTENSION citus UPDATE TO '10.1-1'; ALTER EXTENSION citus UPDATE TO '10.0-2';
ALTER EXTENSION citus UPDATE TO '10.0-1'; ALTER EXTENSION citus UPDATE TO '10.0-1';
-- Should be empty result since upgrade+downgrade should be a no-op -- Should be empty result since upgrade+downgrade should be a no-op
SELECT * FROM print_extension_changes(); SELECT * FROM print_extension_changes();
@ -524,6 +524,22 @@ SELECT * FROM print_extension_changes();
--------------------------------------------------------------------- ---------------------------------------------------------------------
(0 rows) (0 rows)
-- Snapshot of state at 10.0-2
ALTER EXTENSION citus UPDATE TO '10.0-2';
SELECT * FROM print_extension_changes();
previous_object | current_object
---------------------------------------------------------------------
(0 rows)
-- Test downgrade to 10.0-2 from 10.1-1
ALTER EXTENSION citus UPDATE TO '10.1-1';
ALTER EXTENSION citus UPDATE TO '10.0-2';
-- Should be empty result since upgrade+downgrade should be a no-op
SELECT * FROM print_extension_changes();
previous_object | current_object
---------------------------------------------------------------------
(0 rows)
-- Snapshot of state at 10.1-1 -- Snapshot of state at 10.1-1
ALTER EXTENSION citus UPDATE TO '10.1-1'; ALTER EXTENSION citus UPDATE TO '10.1-1';
SELECT * FROM print_extension_changes(); SELECT * FROM print_extension_changes();

20
src/test/regress/expected/multi_extension_0.out
View File

@ -511,8 +511,8 @@ SELECT * FROM print_extension_changes();
| view time_partitions | view time_partitions
(63 rows) (63 rows)
-- Test downgrade to 10.0-1 from 10.1-1 -- Test downgrade to 10.0-1 from 10.0-2
ALTER EXTENSION citus UPDATE TO '10.1-1'; ALTER EXTENSION citus UPDATE TO '10.0-2';
ALTER EXTENSION citus UPDATE TO '10.0-1'; ALTER EXTENSION citus UPDATE TO '10.0-1';
-- Should be empty result since upgrade+downgrade should be a no-op -- Should be empty result since upgrade+downgrade should be a no-op
SELECT * FROM print_extension_changes(); SELECT * FROM print_extension_changes();
@ -520,6 +520,22 @@ SELECT * FROM print_extension_changes();
--------------------------------------------------------------------- ---------------------------------------------------------------------
(0 rows) (0 rows)
-- Snapshot of state at 10.0-2
ALTER EXTENSION citus UPDATE TO '10.0-2';
SELECT * FROM print_extension_changes();
previous_object | current_object
---------------------------------------------------------------------
(0 rows)
-- Test downgrade to 10.0-2 from 10.1-1
ALTER EXTENSION citus UPDATE TO '10.1-1';
ALTER EXTENSION citus UPDATE TO '10.0-2';
-- Should be empty result since upgrade+downgrade should be a no-op
SELECT * FROM print_extension_changes();
previous_object | current_object
---------------------------------------------------------------------
(0 rows)
-- Snapshot of state at 10.1-1 -- Snapshot of state at 10.1-1
ALTER EXTENSION citus UPDATE TO '10.1-1'; ALTER EXTENSION citus UPDATE TO '10.1-1';
SELECT * FROM print_extension_changes(); SELECT * FROM print_extension_changes();

31
src/test/regress/expected/multi_multiuser.out
View File

@ -256,6 +256,37 @@ SELECT lock_relation_if_exists('test', 'ACCESS SHARE');
SELECT lock_relation_if_exists('test', 'EXCLUSIVE'); SELECT lock_relation_if_exists('test', 'EXCLUSIVE');
ERROR: permission denied for table test ERROR: permission denied for table test
ABORT; ABORT;
-- test creating columnar tables and accessing to columnar metadata tables via unprivileged user
-- all below 5 commands should throw no permission errors
-- read columnar metadata table
SELECT * FROM columnar.stripe;
storage_id | stripe_num | file_offset | data_length | column_count | chunk_row_count | row_count | chunk_group_count
---------------------------------------------------------------------
(0 rows)
-- alter a columnar setting
SET columnar.chunk_group_row_limit = 1050;
DO $proc$
BEGIN
IF substring(current_Setting('server_version'), '\d+')::int >= 12 THEN
EXECUTE $$
-- create columnar table
CREATE TABLE columnar_table (a int) USING columnar;
-- alter a columnar table that is created by that unprivileged user
SELECT alter_columnar_table_set('columnar_table', chunk_group_row_limit => 100);
-- and drop it
DROP TABLE columnar_table;
$$;
END IF;
END$proc$;
-- cannot modify columnar metadata table as unprivileged user
INSERT INTO columnar.stripe VALUES(99);
ERROR: permission denied for table stripe
-- Cannot drop columnar metadata table as unprivileged user.
-- Privileged user also cannot drop but with a different error message.
-- (since citus extension has a dependency to it)
DROP TABLE columnar.chunk;
ERROR: must be owner of table chunk
-- check no permission -- check no permission
SET ROLE no_access; SET ROLE no_access;
EXECUTE prepare_insert(1); EXECUTE prepare_insert(1);

14
src/test/regress/sql/multi_extension.sql
View File

@ -198,12 +198,22 @@ SELECT * FROM print_extension_changes();
ALTER EXTENSION citus UPDATE TO '10.0-1'; ALTER EXTENSION citus UPDATE TO '10.0-1';
SELECT * FROM print_extension_changes(); SELECT * FROM print_extension_changes();
-- Test downgrade to 10.0-1 from 10.1-1 -- Test downgrade to 10.0-1 from 10.0-2
ALTER EXTENSION citus UPDATE TO '10.1-1'; ALTER EXTENSION citus UPDATE TO '10.0-2';
ALTER EXTENSION citus UPDATE TO '10.0-1'; ALTER EXTENSION citus UPDATE TO '10.0-1';
-- Should be empty result since upgrade+downgrade should be a no-op -- Should be empty result since upgrade+downgrade should be a no-op
SELECT * FROM print_extension_changes(); SELECT * FROM print_extension_changes();
-- Snapshot of state at 10.0-2
ALTER EXTENSION citus UPDATE TO '10.0-2';
SELECT * FROM print_extension_changes();
-- Test downgrade to 10.0-2 from 10.1-1
ALTER EXTENSION citus UPDATE TO '10.1-1';
ALTER EXTENSION citus UPDATE TO '10.0-2';
-- Should be empty result since upgrade+downgrade should be a no-op
SELECT * FROM print_extension_changes();
-- Snapshot of state at 10.1-1 -- Snapshot of state at 10.1-1
ALTER EXTENSION citus UPDATE TO '10.1-1'; ALTER EXTENSION citus UPDATE TO '10.1-1';
SELECT * FROM print_extension_changes(); SELECT * FROM print_extension_changes();

28
src/test/regress/sql/multi_multiuser.sql
View File

@ -155,6 +155,34 @@ SELECT lock_relation_if_exists('test', 'ACCESS SHARE');
SELECT lock_relation_if_exists('test', 'EXCLUSIVE'); SELECT lock_relation_if_exists('test', 'EXCLUSIVE');
ABORT; ABORT;
-- test creating columnar tables and accessing to columnar metadata tables via unprivileged user
-- all below 5 commands should throw no permission errors
-- read columnar metadata table
SELECT * FROM columnar.stripe;
-- alter a columnar setting
SET columnar.chunk_group_row_limit = 1050;
DO $proc$
BEGIN
IF substring(current_Setting('server_version'), '\d+')::int >= 12 THEN
EXECUTE $$
-- create columnar table
CREATE TABLE columnar_table (a int) USING columnar;
-- alter a columnar table that is created by that unprivileged user
SELECT alter_columnar_table_set('columnar_table', chunk_group_row_limit => 100);
-- and drop it
DROP TABLE columnar_table;
$$;
END IF;
END$proc$;
-- cannot modify columnar metadata table as unprivileged user
INSERT INTO columnar.stripe VALUES(99);
-- Cannot drop columnar metadata table as unprivileged user.
-- Privileged user also cannot drop but with a different error message.
-- (since citus extension has a dependency to it)
DROP TABLE columnar.chunk;
-- check no permission -- check no permission
SET ROLE no_access; SET ROLE no_access;