Fixes review issues

grant_database_2pc_onur_1
gurkanindibay 2024-01-10 22:07:57 +03:00
parent 665c65cf0e
commit 6d259d5941
3 changed files with 149 additions and 309 deletions


@ -95,13 +95,23 @@
#define MARK_OBJECT_DISTRIBUTED \ #define MARK_OBJECT_DISTRIBUTED \
"SELECT citus_internal.mark_object_distributed(%d, %s, %d)" "SELECT citus_internal.mark_object_distributed(%d, %s, %d)"
/*
* TwoPcStatementInfo is used to determine whether a statement is supported in 2PC
* and whether it should be marked as distributed in 2PC.
*/
typedef struct TwoPcStatementInfo typedef struct TwoPcStatementInfo
{ {
int statementType; int statementType;
bool markAsDistributed; bool markAsDistributed;
} TwoPcStatementInfo; } TwoPcStatementInfo;
/*
* twoPcSupportedStatements is a list of statements that are supported in 2PC.
* The list is used to determine whether a statement is supported in 2PC and
* whether it should be marked as distributed in 2PC.
* We use this array to avoid hardcoding the list of supported statements in
* multiple places.
*/
const TwoPcStatementInfo twoPcSupportedStatements[] = { const TwoPcStatementInfo twoPcSupportedStatements[] = {
{ T_GrantRoleStmt, false }, { T_GrantRoleStmt, false },
{ T_CreateRoleStmt, true } { T_CreateRoleStmt, true }
@ -137,8 +147,8 @@ static bool IsDropSchemaOrDB(Node *parsetree);
static bool ShouldCheckUndistributeCitusLocalTables(void); static bool ShouldCheckUndistributeCitusLocalTables(void);
static void RunPreprocessMainDBCommand(Node *parsetree, const char *queryString); static void RunPreprocessMainDBCommand(Node *parsetree, const char *queryString);
static void RunPostprocessMainDBCommand(Node *parsetree); static void RunPostprocessMainDBCommand(Node *parsetree);
static bool IsStatementSupportedIn2Pc(Node *parsetree); static bool IsStatementSupportedIn2PC(Node *parsetree);
static bool IsStatementMarkDistributedFor2PC(Node *parsetree); static bool DoesStatementRequireMarkDistributedFor2PC(Node *parsetree);
/* /*
* ProcessUtilityParseTree is a convenience method to create a PlannedStmt out of * ProcessUtilityParseTree is a convenience method to create a PlannedStmt out of
@ -1618,7 +1628,7 @@ DropSchemaOrDBInProgress(void)
static void static void
RunPreprocessMainDBCommand(Node *parsetree, const char *queryString) RunPreprocessMainDBCommand(Node *parsetree, const char *queryString)
{ {
if (!IsStatementSupportedIn2Pc(parsetree)) if (!IsStatementSupportedIn2PC(parsetree))
{ {
return; return;
} }
@ -1644,8 +1654,8 @@ RunPreprocessMainDBCommand(Node *parsetree, const char *queryString)
static void static void
RunPostprocessMainDBCommand(Node *parsetree) RunPostprocessMainDBCommand(Node *parsetree)
{ {
if (!IsStatementSupportedIn2Pc(parsetree) || if (!IsStatementSupportedIn2PC(parsetree) ||
!IsStatementMarkDistributedFor2PC(parsetree)) !DoesStatementRequireMarkDistributedFor2PC(parsetree))
{ {
return; return;
} }
@ -1669,7 +1679,7 @@ RunPostprocessMainDBCommand(Node *parsetree)
* IsStatementSupportedIn2Pc returns true if the statement is supported in 2pc * IsStatementSupportedIn2Pc returns true if the statement is supported in 2pc
*/ */
static bool static bool
IsStatementSupportedIn2Pc(Node *parsetree) IsStatementSupportedIn2PC(Node *parsetree)
{ {
NodeTag type = nodeTag(parsetree); NodeTag type = nodeTag(parsetree);
@ -1687,11 +1697,11 @@ IsStatementSupportedIn2Pc(Node *parsetree)
/* /*
* IsStatementMarkDistributedFor2PC returns true if the statement should be marked * DoesStatementRequireMarkDistributedFor2PC returns true if the statement should be marked
* as distributed in 2pc * as distributed in 2pc
*/ */
static bool static bool
IsStatementMarkDistributedFor2PC(Node *parsetree) DoesStatementRequireMarkDistributedFor2PC(Node *parsetree)
{ {
NodeTag type = nodeTag(parsetree); NodeTag type = nodeTag(parsetree);
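Review bot: The header comment above `IsStatementSupportedIn2PC` still uses the old spelling (`IsStatementSupportedIn2Pc returns true if the statement is supported in 2pc`), so the rename leaves comment and function out of sync; it should read `* IsStatementSupportedIn2PC returns true if the statement is supported in 2PC`. The same casing split remains in `TwoPcStatementInfo` and `twoPcSupportedStatements`, which the newly added comments describe as "2PC". The error text in the accompanying tests suggests that matching statements are replayed over a main-database connection opened as `citus.superuser`; if so, the array comment should say that every entry added here widens what runs with that role. `twoPcSupportedStatements` is also defined without `static`; if nothing outside this file reads it, `static const TwoPcStatementInfo twoPcSupportedStatements[]` keeps it file-local. The bodies of both lookup functions continue outside the visible hunks.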


@ -12,9 +12,6 @@ SHOW citus.main_db;
-- check that empty citus.superuser gives error -- check that empty citus.superuser gives error
SET citus.superuser TO ''; SET citus.superuser TO '';
CREATE USER empty_superuser;
ERROR: No superuser role is given for Citus main database connection
HINT: Set citus.superuser to a superuser role name
SET citus.superuser TO 'postgres'; SET citus.superuser TO 'postgres';
CREATE USER grant_role2pc_user1; CREATE USER grant_role2pc_user1;
CREATE USER grant_role2pc_user2; CREATE USER grant_role2pc_user2;
@ -23,44 +20,34 @@ CREATE USER grant_role2pc_user4;
CREATE USER grant_role2pc_user5; CREATE USER grant_role2pc_user5;
CREATE USER grant_role2pc_user6; CREATE USER grant_role2pc_user6;
CREATE USER grant_role2pc_user7; CREATE USER grant_role2pc_user7;
\c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
grant create,connect,temporary,temp on database grant_role2pc_db to grant_role2pc_user1;
\c grant_role2pc_db \c grant_role2pc_db
--test with empty superuser
SET citus.superuser TO '';
grant grant_role2pc_user1 to grant_role2pc_user2; grant grant_role2pc_user1 to grant_role2pc_user2;
ERROR: No superuser role is given for Citus main database connection
HINT: Set citus.superuser to a superuser role name
SET citus.superuser TO 'postgres';
grant grant_role2pc_user1 to grant_role2pc_user2 with admin option granted by CURRENT_USER;
\c regression \c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); select result FROM run_command_on_all_nodes(
permission | result $$
SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname = 'grant_role2pc_user2'
) t
$$
);
result
--------------------------------------------------------------------- ---------------------------------------------------------------------
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":true}]
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":true}]
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":true}]
CONNECT | t (3 rows)
CONNECT | t
CONNECT | t
TEMP | t
TEMP | t
TEMP | t
TEMPORARY | t
TEMPORARY | t
TEMPORARY | t
(12 rows)
\c grant_role2pc_db \c grant_role2pc_db
--test grant under transactional context with multiple operations --test grant under transactional context with multiple operations
@ -78,147 +65,47 @@ SELECT 1/0;
ERROR: division by zero ERROR: division by zero
commit; commit;
\c regression \c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); select result FROM run_command_on_all_nodes($$
permission | result SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname in ('grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);
result
--------------------------------------------------------------------- ---------------------------------------------------------------------
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user4","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user3","grantor":"postgres","admin_option":false}]
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user4","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user3","grantor":"postgres","admin_option":false}]
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user4","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user3","grantor":"postgres","admin_option":false}]
CONNECT | t (3 rows)
CONNECT | t
CONNECT | t
TEMP | t
TEMP | t
TEMP | t
TEMPORARY | t
TEMPORARY | t
TEMPORARY | t
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | t
CREATE | t
CREATE | t
CONNECT | t
CONNECT | t
CONNECT | t
TEMP | t
TEMP | t
TEMP | t
TEMPORARY | t
TEMPORARY | t
TEMPORARY | t
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
\c grant_role2pc_db \c grant_role2pc_db
grant grant_role2pc_user1 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7;
\c regression \c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); select result FROM run_command_on_all_nodes($$
permission | result SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname in ('grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);
result
--------------------------------------------------------------------- ---------------------------------------------------------------------
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}]
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}]
CREATE | t [{"role":"grant_role2pc_user1","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user1","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}]
CONNECT | t (3 rows)
CONNECT | t
CONNECT | t
TEMP | t
TEMP | t
TEMP | t
TEMPORARY | t
TEMPORARY | t
TEMPORARY | t
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | t
CREATE | t
CREATE | t
CONNECT | t
CONNECT | t
CONNECT | t
TEMP | t
TEMP | t
TEMP | t
TEMPORARY | t
TEMPORARY | t
TEMPORARY | t
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | t
CREATE | t
CREATE | t
CONNECT | t
CONNECT | t
CONNECT | t
TEMP | t
TEMP | t
TEMP | t
TEMPORARY | t
TEMPORARY | t
TEMPORARY | t
(12 rows)
\c grant_role2pc_db \c grant_role2pc_db
revoke grant_role2pc_user1 from grant_role2pc_user2; revoke admin option for grant_role2pc_user1 from grant_role2pc_user2 granted by CURRENT_USER;
--test revoke under transactional context with multiple operations --test revoke under transactional context with multiple operations
BEGIN; BEGIN;
revoke grant_role2pc_user1 from grant_role2pc_user3; revoke grant_role2pc_user1 from grant_role2pc_user3;
@ -229,110 +116,25 @@ revoke grant_role2pc_user1 from grant_role2pc_user5,grant_role2pc_user6;
revoke grant_role2pc_user1 from grant_role2pc_user7; revoke grant_role2pc_user1 from grant_role2pc_user7;
COMMIT; COMMIT;
\c regression \c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); select result FROM run_command_on_all_nodes($$
permission | result SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname in ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);
result
--------------------------------------------------------------------- ---------------------------------------------------------------------
CREATE | f [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}]
CREATE | f [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}]
CREATE | f [{"role":"grant_role2pc_user1","group":"grant_role2pc_user2","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user7","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user6","grantor":"postgres","admin_option":false},{"role":"grant_role2pc_user2","group":"grant_role2pc_user5","grantor":"postgres","admin_option":false}]
CONNECT | f (3 rows)
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
permission | result
---------------------------------------------------------------------
CREATE | f
CREATE | f
CREATE | f
CONNECT | f
CONNECT | f
CONNECT | f
TEMP | f
TEMP | f
TEMP | f
TEMPORARY | f
TEMPORARY | f
TEMPORARY | f
(12 rows)
DROP SCHEMA grant_role2pc; DROP SCHEMA grant_role2pc;
REVOKE ALL PRIVILEGES ON DATABASE grant_role2pc_db FROM grant_role2pc_user1;
set citus.enable_create_database_propagation to on; set citus.enable_create_database_propagation to on;
DROP DATABASE grant_role2pc_db; DROP DATABASE grant_role2pc_db;
drop user grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; drop user grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7;
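Review bot: The empty-`citus.superuser` failure path is no longer exercised for `CREATE USER`: the first hunk drops `CREATE USER empty_superuser;` and its expected `ERROR: No superuser role is given for Citus main database connection`, yet the comment `-- check that empty citus.superuser gives error` stays and is now followed only by two `SET` statements. The later `--test with empty superuser` block covers `grant` only, while `T_CreateRoleStmt` is also listed in `twoPcSupportedStatements`; either keep a `CREATE USER` negative case or move the stale comment down to the grant block. Separately, the new verification queries use `array_agg(row_to_json(t))` with no ordering, so the expected arrays (for example `grant_role2pc_user4` before `grant_role2pc_user3`) depend on an order that is not guaranteed; `array_agg(row_to_json(t) ORDER BY t.role, t."group")` would pin it.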


@ -16,7 +16,6 @@ SHOW citus.main_db;
-- check that empty citus.superuser gives error -- check that empty citus.superuser gives error
SET citus.superuser TO ''; SET citus.superuser TO '';
CREATE USER empty_superuser;
SET citus.superuser TO 'postgres'; SET citus.superuser TO 'postgres';
CREATE USER grant_role2pc_user1; CREATE USER grant_role2pc_user1;
@ -27,22 +26,30 @@ CREATE USER grant_role2pc_user5;
CREATE USER grant_role2pc_user6; CREATE USER grant_role2pc_user6;
CREATE USER grant_role2pc_user7; CREATE USER grant_role2pc_user7;
\c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
grant create,connect,temporary,temp on database grant_role2pc_db to grant_role2pc_user1;
\c grant_role2pc_db \c grant_role2pc_db
--test with empty superuser
SET citus.superuser TO '';
grant grant_role2pc_user1 to grant_role2pc_user2; grant grant_role2pc_user1 to grant_role2pc_user2;
SET citus.superuser TO 'postgres';
grant grant_role2pc_user1 to grant_role2pc_user2 with admin option granted by CURRENT_USER;
\c regression \c regression
select result FROM run_command_on_all_nodes(
SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); $$
SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname = 'grant_role2pc_user2'
) t
$$
);
\c grant_role2pc_db \c grant_role2pc_db
--test grant under transactional context with multiple operations --test grant under transactional context with multiple operations
@ -66,23 +73,39 @@ commit;
\c regression \c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); select result FROM run_command_on_all_nodes($$
SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); SELECT array_to_json(array_agg(row_to_json(t)))
SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); FROM (
SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname in ('grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);
\c grant_role2pc_db \c grant_role2pc_db
grant grant_role2pc_user1 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7;
\c regression \c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); select result FROM run_command_on_all_nodes($$
SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname in ('grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);
\c grant_role2pc_db \c grant_role2pc_db
revoke grant_role2pc_user1 from grant_role2pc_user2; revoke admin option for grant_role2pc_user1 from grant_role2pc_user2 granted by CURRENT_USER;
--test revoke under transactional context with multiple operations --test revoke under transactional context with multiple operations
BEGIN; BEGIN;
@ -97,16 +120,21 @@ COMMIT;
\c regression \c regression
SELECT * FROM public.check_database_privileges('grant_role2pc_user2', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); select result FROM run_command_on_all_nodes($$
SELECT * FROM public.check_database_privileges('grant_role2pc_user3', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); SELECT array_to_json(array_agg(row_to_json(t)))
SELECT * FROM public.check_database_privileges('grant_role2pc_user4', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); FROM (
SELECT * FROM public.check_database_privileges('grant_role2pc_user5', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
SELECT * FROM public.check_database_privileges('grant_role2pc_user6', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); FROM pg_auth_members m
SELECT * FROM public.check_database_privileges('grant_role2pc_user7', 'grant_role2pc_db', ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']); JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
JOIN pg_roles a ON a.oid = m.grantor
WHERE g.rolname in ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);
DROP SCHEMA grant_role2pc; DROP SCHEMA grant_role2pc;
REVOKE ALL PRIVILEGES ON DATABASE grant_role2pc_db FROM grant_role2pc_user1;
set citus.enable_create_database_propagation to on; set citus.enable_create_database_propagation to on;
DROP DATABASE grant_role2pc_db; DROP DATABASE grant_role2pc_db;