From 5ed954844c29d7197f51cdf76171399597819310 Mon Sep 17 00:00:00 2001
From: Onur Tirtir
Date: Fri, 26 Feb 2021 12:27:51 +0300
Subject: [PATCH] Ensure table owner when using alter_columnar_table_set/alter_columnar_table_reset (#4748)
---
 src/backend/columnar/cstore_tableam.c | 4 ++++
 src/test/regress/expected/pg12.out | 16 +++++++++++++++-
 src/test/regress/sql/pg12.sql | 14 ++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/backend/columnar/cstore_tableam.c b/src/backend/columnar/cstore_tableam.c
index f68f20dcb..7f3d197fa 100644
--- a/src/backend/columnar/cstore_tableam.c
+++ b/src/backend/columnar/cstore_tableam.c
@@ -1662,6 +1662,8 @@ alter_columnar_table_set(PG_FUNCTION_ARGS)
 quote_identifier(RelationGetRelationName(rel)))));
 }
+ EnsureTableOwner(relationId);
+
 ColumnarOptions options = { 0 };
 if (!ReadColumnarOptions(relationId, &options))
 {
@@ -1769,6 +1771,8 @@ alter_columnar_table_reset(PG_FUNCTION_ARGS)
 quote_identifier(RelationGetRelationName(rel)))));
 }
+ EnsureTableOwner(relationId);
+
 ColumnarOptions options = { 0 };
 if (!ReadColumnarOptions(relationId, &options))
 {
diff --git a/src/test/regress/expected/pg12.out b/src/test/regress/expected/pg12.out
index cd7674552..1f7f00b14 100644
--- a/src/test/regress/expected/pg12.out
+++ b/src/test/regress/expected/pg12.out
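Review bot: In src/backend/columnar/cstore_tableam.c, both new `EnsureTableOwner(relationId);` calls (in alter_columnar_table_set and alter_columnar_table_reset) come after code that already uses `rel`, so the relation appears to be opened, and its lock requested, before the caller's ownership is verified. The open call and its lock mode are outside these hunks, so this is inferred; if the lock is a strong one, a role that does not own the table can still queue for it and hold it briefly before being rejected. Consider running the ownership check before the relation is opened, and add a comment such as `/* reject non-owners before reading or changing columnar options */` above each call. Both function bodies start and end outside the hunks.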
@@ -650,8 +650,22 @@ SELECT citus_remove_node('localhost', :master_port);
 (1 row)
+CREATE TABLE superuser_columnar_table (a int) USING columnar;
+CREATE USER read_access;
+NOTICE: not propagating CREATE ROLE/USER commands to worker nodes
+HINT: Connect to worker nodes directly to manually create all necessary users and roles.
+SET ROLE read_access;
+-- user shouldn't be able to execute alter_columnar_table_set
+-- or alter_columnar_table_reset for a columnar table that it
+-- doesn't own
+SELECT alter_columnar_table_set('test_pg12.superuser_columnar_table', chunk_group_row_limit => 100);
+ERROR: permission denied for schema test_pg12
+SELECT alter_columnar_table_reset('test_pg12.superuser_columnar_table');
+ERROR: permission denied for schema test_pg12
+RESET ROLE;
+DROP USER read_access;
 \set VERBOSITY terse
 drop schema test_pg12 cascade;
-NOTICE: drop cascades to 15 other objects
+NOTICE: drop cascades to 16 other objects
 \set VERBOSITY default
 SET citus.shard_replication_factor to 2;
diff --git a/src/test/regress/sql/pg12.sql b/src/test/regress/sql/pg12.sql
index 83e76867a..2211288f4 100644
--- a/src/test/regress/sql/pg12.sql
+++ b/src/test/regress/sql/pg12.sql
@@ -383,6 +383,20 @@ ROLLBACK;
 RESET citus.replicate_reference_tables_on_activate;
 SELECT citus_remove_node('localhost', :master_port);
+CREATE TABLE superuser_columnar_table (a int) USING columnar;
+
+CREATE USER read_access;
+SET ROLE read_access;
+
+-- user shouldn't be able to execute alter_columnar_table_set
+-- or alter_columnar_table_reset for a columnar table that it
+-- doesn't own
+SELECT alter_columnar_table_set('test_pg12.superuser_columnar_table', chunk_group_row_limit => 100);
+SELECT alter_columnar_table_reset('test_pg12.superuser_columnar_table');
+
+RESET ROLE;
+DROP USER read_access;
+
 \set VERBOSITY terse
 drop schema test_pg12 cascade;
 \set VERBOSITY default
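Review bot: The new test in src/test/regress/sql/pg12.sql never reaches the ownership check it is meant to cover. The expected output in pg12.out shows both calls failing with `ERROR: permission denied for schema test_pg12`, which comes from read_access lacking USAGE on the schema, so the test would presumably produce the same output without the EnsureTableOwner change. Give the role schema access first with `GRANT USAGE ON SCHEMA test_pg12 TO read_access;` after `CREATE USER read_access;`, and add `REVOKE USAGE ON SCHEMA test_pg12 FROM read_access;` before `DROP USER read_access;` so the role can still be dropped. The two ERROR lines in pg12.out should then show the ownership failure rather than the schema one.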