Merge pull request #2483 from citusdata/fix_udf_permissions

Fix permissions checks in lesser-known UDFs
2018-11-20 14:51:57 +01:00 · 2018-11-20 14:51:57 +01:00 · 9ff6f1c552
parent fc9f981525 e17025e1d4
commit 9ff6f1c552
6 changed files with 179 additions and 16 deletions
--- a/src/backend/distributed/utils/colocation_utils.c
+++ b/src/backend/distributed/utils/colocation_utils.c
@ -78,8 +78,9 @@ mark_tables_colocated(PG_FUNCTION_ARGS)
 							   "operation")));
 	}

-	EnsureCoordinator();
 	CheckCitusVersion(ERROR);
+	EnsureCoordinator();
+	EnsureTableOwner(sourceRelationId);

 	relationIdDatumArray = DeconstructArrayObject(relationIdArrayObject);

@ -87,6 +88,9 @@ mark_tables_colocated(PG_FUNCTION_ARGS)
 	{
 		Oid nextRelationOid = DatumGetObjectId(relationIdDatumArray[relationIndex]);

+		/* we require that the user either owns all tables or is superuser */
+		EnsureTableOwner(nextRelationOid);
+
 		MarkTablesColocated(sourceRelationId, nextRelationOid);
 	}

--- a/src/backend/distributed/utils/reference_table_utils.c
+++ b/src/backend/distributed/utils/reference_table_utils.c
@ -60,8 +60,9 @@ upgrade_to_reference_table(PG_FUNCTION_ARGS)
 	uint64 shardId = INVALID_SHARD_ID;
 	DistTableCacheEntry *tableEntry = NULL;

-	EnsureCoordinator();
 	CheckCitusVersion(ERROR);
+	EnsureCoordinator();
+	EnsureTableOwner(relationId);

 	if (!IsDistributedTable(relationId))
 	{
--- a/src/backend/distributed/utils/resource_lock.c
+++ b/src/backend/distributed/utils/resource_lock.c
@ -19,6 +19,7 @@

 #include "access/xact.h"
 #include "catalog/namespace.h"
+#include "commands/tablecmds.h"
 #include "distributed/colocation_utils.h"
 #include "distributed/listutils.h"
 #include "distributed/master_metadata_utility.h"
@ -36,6 +37,7 @@
 #include "distributed/version_compat.h"
 #include "storage/lmgr.h"
 #include "utils/builtins.h"
+#include "utils/lsyscache.h"
 #if (PG_VERSION_NUM >= 100000)
 #include "utils/varlena.h"
 #endif
@ -73,6 +75,9 @@ static void LockShardListResources(List *shardIntervalList, LOCKMODE lockMode);
 static void LockShardListResourcesOnFirstWorker(LOCKMODE lockmode,
 												List *shardIntervalList);
 static bool IsFirstWorkerNode();
+static void CitusRangeVarCallbackForLockTable(const RangeVar *rangeVar, Oid relationId,
+											  Oid oldRelationId, void *arg);
+static AclResult CitusLockTableAclCheck(Oid relationId, LOCKMODE lockmode, Oid userId);


 /* exports for SQL callable functions */
@ -742,16 +747,11 @@ lock_relation_if_exists(PG_FUNCTION_ARGS)
 	List *relationNameList = NIL;
 	RangeVar *relation = NULL;
 	LOCKMODE lockMode = NoLock;
+	bool relationExists = false;

    /* ensure that we're in a transaction block */
 	RequireTransactionBlock(true, "lock_relation_if_exists");

-	relationId = ResolveRelationId(relationName, true);
-	if (!OidIsValid(relationId))
-	{
-		PG_RETURN_BOOL(false);
-	}
-
    /* get the lock mode */
 	lockMode = LockModeTextToLockMode(lockModeCString);

@ -760,7 +760,85 @@ lock_relation_if_exists(PG_FUNCTION_ARGS)
 	relation = makeRangeVarFromNameList(relationNameList);

    /* lock the relation with the lock mode */
-	RangeVarGetRelid(relation, lockMode, false);
+	relationId = RangeVarGetRelidInternal(relation, lockMode, RVR_MISSING_OK,
+										  CitusRangeVarCallbackForLockTable,
+										  (void *) &lockMode);
+	relationExists = OidIsValid(relationId);

-	PG_RETURN_BOOL(true);
+	PG_RETURN_BOOL(relationExists);
+}
+
+
+/*
+ * CitusRangeVarCallbackForLockTable is a callback for RangeVarGetRelidExtended used
+ * to check whether the user has permission to lock a table in a particular mode.
+ *
+ * This function is a copy of RangeVarCallbackForLockTable in lockcmds.c adapted to
+ * Citus code style.
+ */
+static void
+CitusRangeVarCallbackForLockTable(const RangeVar *rangeVar, Oid relationId,
+								  Oid oldRelationId, void *arg)
+{
+	LOCKMODE lockmode = *(LOCKMODE *) arg;
+	AclResult aclResult;
+
+	if (!OidIsValid(relationId))
+	{
+        /* table doesn't exist, so no permissions check */
+		return;
+	}
+
+    /* we only allow tables and views to be locked */
+	if (!RegularTable(relationId))
+	{
+		ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE),
+						errmsg("\"%s\" is not a table", rangeVar->relname)));
+	}
+
+    /* check permissions */
+	aclResult = CitusLockTableAclCheck(relationId, lockmode, GetUserId());
+	if (aclResult != ACLCHECK_OK)
+	{
+#if (PG_VERSION_NUM >= 110000)
+		aclcheck_error(aclResult, get_relkind_objtype(get_rel_relkind(relationId)),
+					   rangeVar->relname);
+#else
+
+		aclcheck_error(aclResult, ACL_KIND_CLASS, rangeVar->relname);
+#endif
+	}
+}
+
+
+/*
+ * CitusLockTableAclCheck checks whether a user has permission to lock a relation
+ * in the given lock mode.
+ *
+ * This function is a copy of LockTableAclCheck in lockcmds.c adapted to Citus
+ * code style.
+ */
+static AclResult
+CitusLockTableAclCheck(Oid relationId, LOCKMODE lockmode, Oid userId)
+{
+	AclResult aclResult;
+	AclMode aclMask;
+
+    /* verify adequate privilege */
+	if (lockmode == AccessShareLock)
+	{
+		aclMask = ACL_SELECT;
+	}
+	else if (lockmode == RowExclusiveLock)
+	{
+		aclMask = ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE;
+	}
+	else
+	{
+		aclMask = ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE;
+	}
+
+	aclResult = pg_class_aclcheck(relationId, userId, aclMask);
+
+	return aclResult;
 }
--- a/src/test/regress/expected/multi_multiuser.out
+++ b/src/test/regress/expected/multi_multiuser.out
@ -21,6 +21,21 @@ SELECT create_distributed_table('test', 'id');
 
 (1 row)

+CREATE TABLE test_coloc (id integer, val integer);
+SELECT create_distributed_table('test_coloc', 'id', colocate_with := 'none');
+ create_distributed_table 
+--------------------------
+ 
+(1 row)
+
+SET citus.shard_count TO 1;
+CREATE TABLE singleshard (id integer, val integer);
+SELECT create_distributed_table('singleshard', 'id');
+ create_distributed_table 
+--------------------------
+ 
+(1 row)
+
 -- turn off propagation to avoid Enterprise processing the following section
 SET citus.enable_ddl_propagation TO off;
 CREATE USER full_access;
@ -157,6 +172,17 @@ SELECT count(*) FROM test a JOIN test b ON (a.val = b.val) WHERE a.id = 1 AND b.
 COPY "postgresql.conf" TO STDOUT WITH (format transmit);
 ERROR:  operation is not allowed
 HINT:  Run the command with a superuser.
+-- should not be allowed to take aggressive locks on table
+BEGIN;
+SELECT lock_relation_if_exists('test', 'ACCESS SHARE');
+ lock_relation_if_exists 
+-------------------------
+ t
+(1 row)
+
+SELECT lock_relation_if_exists('test', 'EXCLUSIVE');
+ERROR:  permission denied for table test
+ABORT;
 SET citus.task_executor_type TO 'real-time';
 -- check no permission
 SET ROLE no_access;
@ -212,6 +238,12 @@ ERROR:  permission denied for table test
 ABORT;
 SELECT * FROM citus_stat_statements_reset();
 ERROR:  permission denied for function citus_stat_statements_reset
+-- should not be allowed to upgrade to reference table
+SELECT upgrade_to_reference_table('singleshard');
+ERROR:  must be owner of table singleshard
+-- should not be allowed to co-located tables
+SELECT mark_tables_colocated('test', ARRAY['test_coloc'::regclass]);
+ERROR:  must be owner of table test
 -- table owner should be the same on the shards, even when distributing the table as superuser
 SET ROLE full_access;
 CREATE TABLE my_table (id integer, val integer);
@ -229,8 +261,7 @@ SELECT result FROM run_command_on_workers($$SELECT tableowner FROM pg_tables WHE
 full_access
 (2 rows)

-DROP TABLE my_table;
-DROP TABLE test;
+DROP TABLE my_table, singleshard, test, test_coloc;
 DROP USER full_access;
 DROP USER read_access;
 DROP USER no_access;
--- a/src/test/regress/expected/multi_multiuser_0.out
+++ b/src/test/regress/expected/multi_multiuser_0.out
@ -21,6 +21,21 @@ SELECT create_distributed_table('test', 'id');
 
 (1 row)

+CREATE TABLE test_coloc (id integer, val integer);
+SELECT create_distributed_table('test_coloc', 'id', colocate_with := 'none');
+ create_distributed_table 
+--------------------------
+ 
+(1 row)
+
+SET citus.shard_count TO 1;
+CREATE TABLE singleshard (id integer, val integer);
+SELECT create_distributed_table('singleshard', 'id');
+ create_distributed_table 
+--------------------------
+ 
+(1 row)
+
 -- turn off propagation to avoid Enterprise processing the following section
 SET citus.enable_ddl_propagation TO off;
 CREATE USER full_access;
@ -157,6 +172,17 @@ SELECT count(*) FROM test a JOIN test b ON (a.val = b.val) WHERE a.id = 1 AND b.
 COPY "postgresql.conf" TO STDOUT WITH (format transmit);
 ERROR:  operation is not allowed
 HINT:  Run the command with a superuser.
+-- should not be allowed to take aggressive locks on table
+BEGIN;
+SELECT lock_relation_if_exists('test', 'ACCESS SHARE');
+ lock_relation_if_exists 
+-------------------------
+ t
+(1 row)
+
+SELECT lock_relation_if_exists('test', 'EXCLUSIVE');
+ERROR:  permission denied for relation test
+ABORT;
 SET citus.task_executor_type TO 'real-time';
 -- check no permission
 SET ROLE no_access;
@ -212,6 +238,12 @@ ERROR:  permission denied for relation test
 ABORT;
 SELECT * FROM citus_stat_statements_reset();
 ERROR:  permission denied for function citus_stat_statements_reset
+-- should not be allowed to upgrade to reference table
+SELECT upgrade_to_reference_table('singleshard');
+ERROR:  must be owner of relation singleshard
+-- should not be allowed to co-located tables
+SELECT mark_tables_colocated('test', ARRAY['test_coloc'::regclass]);
+ERROR:  must be owner of relation test
 -- table owner should be the same on the shards, even when distributing the table as superuser
 SET ROLE full_access;
 CREATE TABLE my_table (id integer, val integer);
@ -229,8 +261,7 @@ SELECT result FROM run_command_on_workers($$SELECT tableowner FROM pg_tables WHE
 full_access
 (2 rows)

-DROP TABLE my_table;
-DROP TABLE test;
+DROP TABLE my_table, singleshard, test, test_coloc;
 DROP USER full_access;
 DROP USER read_access;
 DROP USER no_access;
--- a/src/test/regress/sql/multi_multiuser.sql
+++ b/src/test/regress/sql/multi_multiuser.sql
@ -16,6 +16,13 @@ SET citus.shard_replication_factor TO 1;
 CREATE TABLE test (id integer, val integer);
 SELECT create_distributed_table('test', 'id');

+CREATE TABLE test_coloc (id integer, val integer);
+SELECT create_distributed_table('test_coloc', 'id', colocate_with := 'none');
+
+SET citus.shard_count TO 1;
+CREATE TABLE singleshard (id integer, val integer);
+SELECT create_distributed_table('singleshard', 'id');
+
 -- turn off propagation to avoid Enterprise processing the following section
 SET citus.enable_ddl_propagation TO off;

@ -102,6 +109,12 @@ SELECT count(*) FROM test a JOIN test b ON (a.val = b.val) WHERE a.id = 1 AND b.
 -- should not be able to transmit directly
 COPY "postgresql.conf" TO STDOUT WITH (format transmit);

+-- should not be allowed to take aggressive locks on table
+BEGIN;
+SELECT lock_relation_if_exists('test', 'ACCESS SHARE');
+SELECT lock_relation_if_exists('test', 'EXCLUSIVE');
+ABORT;
+
 SET citus.task_executor_type TO 'real-time';

 -- check no permission
@ -138,6 +151,12 @@ ABORT;

 SELECT * FROM citus_stat_statements_reset();

+-- should not be allowed to upgrade to reference table
+SELECT upgrade_to_reference_table('singleshard');
+
+-- should not be allowed to co-located tables
+SELECT mark_tables_colocated('test', ARRAY['test_coloc'::regclass]);
+
 -- table owner should be the same on the shards, even when distributing the table as superuser
 SET ROLE full_access;
 CREATE TABLE my_table (id integer, val integer);
@ -145,8 +164,7 @@ RESET ROLE;
 SELECT create_distributed_table('my_table', 'id');
 SELECT result FROM run_command_on_workers($$SELECT tableowner FROM pg_tables WHERE tablename LIKE 'my_table_%' LIMIT 1$$);

-DROP TABLE my_table;
-DROP TABLE test;
+DROP TABLE my_table, singleshard, test, test_coloc;
 DROP USER full_access;
 DROP USER read_access;
 DROP USER no_access;