From 6d259d5941dcfd96ea5c7d11739b6ac0218edad9 Mon Sep 17 00:00:00 2001 From: gurkanindibay Date: Wed, 10 Jan 2024 22:07:57 +0300 Subject: [PATCH] Fixes review issues --- .../distributed/commands/utility_hook.c | 28 +- src/test/regress/expected/grant_role_2pc.out | 346 ++++-------------- src/test/regress/sql/grant_role_2pc.sql | 84 +++-- 3 files changed, 149 insertions(+), 309 deletions(-) diff --git a/src/backend/distributed/commands/utility_hook.c b/src/backend/distributed/commands/utility_hook.c index e1bccd29f..0468c97d9 100644 --- a/src/backend/distributed/commands/utility_hook.c +++ b/src/backend/distributed/commands/utility_hook.c @@ -95,13 +95,23 @@ #define MARK_OBJECT_DISTRIBUTED \ "SELECT citus_internal.mark_object_distributed(%d, %s, %d)" - +/* + * TwoPcStatementInfo is used to determine whether a statement is supported in 2PC + * and whether it should be marked as distributed in 2PC. +*/ typedef struct TwoPcStatementInfo { int statementType; bool markAsDistributed; } TwoPcStatementInfo; +/* + * twoPcSupportedStatements is a list of statements that are supported in 2PC. + * The list is used to determine whether a statement is supported in 2PC and + * whether it should be marked as distributed in 2PC. + * We use this array to avoid hardcoding the list of supported statements in + * multiple places. +*/ const TwoPcStatementInfo twoPcSupportedStatements[] = { { T_GrantRoleStmt, false }, { T_CreateRoleStmt, true } 
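Review bot: Both added block comments close with `*/` in column 0 instead of ` */` aligned under the ` *` lines, and neither explains what the two struct fields hold. I would close them with ` */` and add field comments such as `/* NodeTag of the supported statement */` on `statementType` and `/* true when the object must be recorded with MARK_OBJECT_DISTRIBUTED afterwards */` on `markAsDistributed`. The second meaning is inferred from the macro above and from the early return in `RunPostprocessMainDBCommand`, so please confirm it. The array initializer continues past the end of this hunk.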
@@ -137,8 +147,8 @@ static bool IsDropSchemaOrDB(Node *parsetree); static bool ShouldCheckUndistributeCitusLocalTables(void); static void RunPreprocessMainDBCommand(Node *parsetree, const char *queryString); static void RunPostprocessMainDBCommand(Node *parsetree); -static bool IsStatementSupportedIn2Pc(Node *parsetree); -static bool IsStatementMarkDistributedFor2PC(Node *parsetree); +static bool IsStatementSupportedIn2PC(Node *parsetree); +static bool DoesStatementRequireMarkDistributedFor2PC(Node *parsetree); /* * ProcessUtilityParseTree is a convenience method to create a PlannedStmt out of @@ -1618,7 +1628,7 @@ DropSchemaOrDBInProgress(void) static void RunPreprocessMainDBCommand(Node *parsetree, const char *queryString) { - if (!IsStatementSupportedIn2Pc(parsetree)) + if (!IsStatementSupportedIn2PC(parsetree)) { return; } @@ -1644,8 +1654,8 @@ RunPreprocessMainDBCommand(Node *parsetree, const char *queryString) static void RunPostprocessMainDBCommand(Node *parsetree) { - if (!IsStatementSupportedIn2Pc(parsetree) || - !IsStatementMarkDistributedFor2PC(parsetree)) + if (!IsStatementSupportedIn2PC(parsetree) || + !DoesStatementRequireMarkDistributedFor2PC(parsetree)) { return; } @@ -1669,7 +1679,7 @@ RunPostprocessMainDBCommand(Node *parsetree) * IsStatementSupportedIn2Pc returns true if the statement is supported in 2pc */ static bool -IsStatementSupportedIn2Pc(Node *parsetree) +IsStatementSupportedIn2PC(Node *parsetree) { NodeTag type = nodeTag(parsetree); @@ -1687,11 +1697,11 @@ IsStatementSupportedIn2Pc(Node *parsetree) /* - * IsStatementMarkDistributedFor2PC returns true if the statement should be marked + * DoesStatementRequireMarkDistributedFor2PC returns true if the statement should be marked * as distributed in 2pc */ static bool -IsStatementMarkDistributedFor2PC(Node *parsetree) +DoesStatementRequireMarkDistributedFor2PC(Node *parsetree) { NodeTag type = nodeTag(parsetree); 
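Review bot: The header comment above the renamed definition in the hunk at -1669 still reads ` * IsStatementSupportedIn2Pc returns true if the statement is supported in 2pc`, while the function is now `IsStatementSupportedIn2PC`. The hunk at -1687 updates its comment together with the rename, so this one looks like an oversight. I would change it to ` * IsStatementSupportedIn2PC returns true if the statement is supported in 2PC`. The function body continues outside the hunk.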
diff --git a/src/test/regress/expected/grant_role_2pc.out b/src/test/regress/expected/grant_role_2pc.out index 97d3a9b8c..d783c0a47 100644 --- a/src/test/regress/expected/grant_role_2pc.out +++ b/src/test/regress/expected/grant_role_2pc.out @@ -12,9 +12,6 @@ SHOW citus.main_db; -- check that empty citus.superuser gives error SET citus.superuser TO ''; -CREATE USER empty_superuser; -ERROR: No superuser role is given for Citus main database connection -HINT: Set citus.superuser to a superuser role name SET citus.superuser TO 'postgres'; CREATE USER grant_role2pc_user1; CREATE USER grant_role2pc_user2; 
@@ -23,44 +20,34 @@ CREATE USER grant_role2pc_user4; CREATE USER grant_role2pc_user5; CREATE USER grant_role2pc_user6; CREATE USER grant_role2pc_user7; -\c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -grant create,connect,temporary,temp on database grant_role2pc_db to grant_role2pc_user1; \c grant_role2pc_db +--test with empty superuser +SET citus.superuser TO ''; grant grant_role2pc_user1 to grant_role2pc_user2; +ERROR: No superuser role is given for Citus main database connection +HINT: Set citus.superuser to a superuser role name +SET citus.superuser TO 'postgres'; +grant grant_role2pc_user1 to grant_role2pc_user2 with admin option granted by CURRENT_USER; \c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result +select result FROM run_command_on_all_nodes( + $$ + SELECT array_to_json(array_agg(row_to_json(t))) + FROM ( + SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles a ON a.oid = m.grantor + WHERE g.rolname = 'grant_role2pc_user2' + ) t + $$ +); + result --------------------------------------------------------------------- - CREATE | t - CREATE | t - CREATE | t - CONNECT | t - CONNECT | t - CONNECT | t - TEMP | t - TEMP | t - TEMP | t - TEMPORARY | t - TEMPORARY | t - TEMPORARY | t -(12 rows) + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":true}] + 
[{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":true}] + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":true}] +(3 rows) \c grant_role2pc_db --test grant under transactional context with multiple operations 
@@ -78,147 +65,47 @@ SELECT 1/0; ERROR: division by zero commit; \c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result +select result FROM run_command_on_all_nodes($$ +SELECT array_to_json(array_agg(row_to_json(t))) +FROM ( + SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles a ON a.oid = m.grantor + WHERE g.rolname in ('grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') +) t +$$); + result --------------------------------------------------------------------- - CREATE | t - CREATE | t - CREATE | t - CONNECT | t - CONNECT | t - CONNECT | t - TEMP | t - TEMP | t - TEMP | t - TEMPORARY | t - TEMPORARY | t - TEMPORARY | t -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | t - CREATE | t - CREATE | t - CONNECT | t - CONNECT | t - CONNECT | t - TEMP | t - TEMP | t - TEMP | t - TEMPORARY | t - TEMPORARY | t - TEMPORARY | t -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result 
---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user4","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user3","grantor":"postgres","admin_option":false}] + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user4","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user3","grantor":"postgres","admin_option":false}] + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user4","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user3","grantor":"postgres","admin_option":false}] +(3 rows) \c grant_role2pc_db -grant grant_role2pc_user1 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; +grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; \c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result +select result FROM run_command_on_all_nodes($$ +SELECT array_to_json(array_agg(row_to_json(t))) +FROM ( + SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles 
a ON a.oid = m.grantor + WHERE g.rolname in ('grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') +) t +$$); + result --------------------------------------------------------------------- - CREATE | t - CREATE | t - CREATE | t - CONNECT | t - CONNECT | t - CONNECT | t - TEMP | t - TEMP | t - TEMP | t - TEMPORARY | t - TEMPORARY | t - TEMPORARY | t -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | t - CREATE | t - CREATE | t - CONNECT | t - CONNECT | t - CONNECT | t - TEMP | t - TEMP | t - TEMP | t - TEMPORARY | t - TEMPORARY | t - TEMPORARY | t -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | t - CREATE | t - CREATE | t - CONNECT | t - CONNECT | t - CONNECT | t - TEMP | t - TEMP | t - TEMP | t - TEMPORARY | t - TEMPORARY | t - TEMPORARY | t -(12 rows) + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}] + 
[{"role":"grant_role2pc_user1","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}] + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}] +(3 rows) \c grant_role2pc_db -revoke grant_role2pc_user1 from grant_role2pc_user2; +revoke admin option for grant_role2pc_user1 from grant_role2pc_user2 granted by CURRENT_USER; --test revoke under transactional context with multiple operations BEGIN; revoke grant_role2pc_user1 from grant_role2pc_user3; 
@@ -229,110 +116,25 @@ revoke grant_role2pc_user1 from grant_role2pc_user5,grant_role2pc_user6; revoke grant_role2pc_user1 from grant_role2pc_user7; COMMIT; \c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result +select result FROM run_command_on_all_nodes($$ +SELECT array_to_json(array_agg(row_to_json(t))) +FROM ( + SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles a ON a.oid = m.grantor + WHERE g.rolname in ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') +) t +$$); + result --------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', 
ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) - -SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - permission | result ---------------------------------------------------------------------- - CREATE | f - CREATE | f - CREATE | f - CONNECT | f - CONNECT | f - CONNECT | f - TEMP | f - TEMP | f - TEMP | f - TEMPORARY | f - TEMPORARY | f - TEMPORARY | f -(12 rows) + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}] + [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}] + 
[{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}] +(3 rows) DROP SCHEMA grant_role2pc; -REVOKE ALL PRIVILEGES ON DATABASE grant_role2pc_db FROM grant_role2pc_user1; set citus.enable_create_database_propagation to on; DROP DATABASE grant_role2pc_db; drop user grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; diff --git a/src/test/regress/sql/grant_role_2pc.sql b/src/test/regress/sql/grant_role_2pc.sql index 4494f29bc..8b0adb0ad 100644 --- a/src/test/regress/sql/grant_role_2pc.sql +++ b/src/test/regress/sql/grant_role_2pc.sql @@ -16,7 +16,6 @@ SHOW citus.main_db; -- check that empty citus.superuser gives error SET citus.superuser TO ''; -CREATE USER empty_superuser; SET citus.superuser TO 'postgres'; CREATE USER grant_role2pc_user1; 
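Review bot: With `CREATE USER empty_superuser;` removed, the comment `-- check that empty citus.superuser gives error` is followed only by `SET citus.superuser TO '';` and `SET citus.superuser TO 'postgres';`, so this block no longer checks anything. Either drop the comment and both SETs, since the empty-superuser error is now exercised by the `grant` in the next hunk, or keep a negative case for the role-creation path as well. `T_CreateRoleStmt` is also listed in `twoPcSupportedStatements`, and the expected output no longer shows the error for it. Which database this session is connected to at this point is not visible in the hunk, so the original statement may never have reached the main-database connection.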
@@ -27,22 +26,30 @@ CREATE USER grant_role2pc_user5; CREATE USER grant_role2pc_user6; CREATE USER grant_role2pc_user7; - -\c regression - -SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - -grant create,connect,temporary,temp on database grant_role2pc_db to grant_role2pc_user1; - \c grant_role2pc_db +--test with empty superuser +SET citus.superuser TO ''; grant grant_role2pc_user1 to grant_role2pc_user2; +SET citus.superuser TO 'postgres'; +grant grant_role2pc_user1 to grant_role2pc_user2 with admin option granted by CURRENT_USER; + \c regression - -SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); - +select result FROM run_command_on_all_nodes( + $$ + SELECT array_to_json(array_agg(row_to_json(t))) + FROM ( + SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles a ON a.oid = m.grantor + WHERE g.rolname = 'grant_role2pc_user2' + ) t + $$ +); \c grant_role2pc_db --test grant under transactional context with multiple operations 
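Review bot: Every `grant` added in this hunk is issued by the session superuser, and the verification query reports `grantor` as `postgres` on all nodes, so nothing pins what happens when a role without admin rights on `grant_role2pc_user1` runs the same statement from `grant_role2pc_db`. The statement is forwarded over a connection opened as `citus.superuser` (per the error text `No superuser role is given for Citus main database connection`), so a negative case is worth adding. Run the grant under `SET ROLE` to one of the unprivileged test users, expect a permission error, then re-run the `pg_auth_members` query and expect no new row on any node. Whether the local permission check runs before the forwarded command is prepared is not visible from this diff.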
@@ -66,23 +73,39 @@ commit; \c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); +select result FROM run_command_on_all_nodes($$ +SELECT array_to_json(array_agg(row_to_json(t))) +FROM ( + SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles a ON a.oid = m.grantor + WHERE g.rolname in ('grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') +) t +$$); + \c grant_role2pc_db -grant grant_role2pc_user1 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; +grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; \c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); + +select result FROM run_command_on_all_nodes($$ +SELECT array_to_json(array_agg(row_to_json(t))) +FROM ( + SELECT 
r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles a ON a.oid = m.grantor + WHERE g.rolname in ('grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') +) t +$$); \c grant_role2pc_db -revoke grant_role2pc_user1 from grant_role2pc_user2; +revoke admin option for grant_role2pc_user1 from grant_role2pc_user2 granted by CURRENT_USER; --test revoke under transactional context with multiple operations BEGIN; 
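Review bot: `array_agg(row_to_json(t))` has no ORDER BY, so the element order recorded in grant_role_2pc.out (user4 before user3, then user7, user6, user5) depends on the scan order of `pg_auth_members` on each node and can change without any behavioural change. Writing the aggregate as `array_agg(row_to_json(t) ORDER BY t.role, t.group)` keeps the expected file stable. The same applies to the queries in the hunks at -27 and -97. The query text is also repeated four times with only the `WHERE` list differing; a helper function created at the top of the test that takes the member names would make the checks easier to read.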
@@ -97,16 +120,21 @@ COMMIT; \c regression -SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); -SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); +select result FROM run_command_on_all_nodes($$ +SELECT array_to_json(array_agg(row_to_json(t))) +FROM ( + SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option + FROM pg_auth_members m + JOIN pg_roles r ON r.oid = m.roleid + JOIN pg_roles g ON g.oid = m.member + JOIN pg_roles a ON a.oid = m.grantor + WHERE g.rolname in ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') +) t +$$); DROP SCHEMA grant_role2pc; -REVOKE ALL PRIVILEGES ON DATABASE grant_role2pc_db FROM grant_role2pc_user1; + set citus.enable_create_database_propagation to on; DROP DATABASE grant_role2pc_db;