Fixes system role filters

granted_by_propagation
gurkanindibay 2024-03-11 15:09:05 +03:00
parent 6ba4ee036c
commit b151c41a13
3 changed files with 15 additions and 12 deletions


@ -1317,7 +1317,7 @@ UnmarkRolesDistributed(List *roles)
List * List *
FilterDistributedRoles(List *roles) FilterDistributedRoles(List *roles)
{ {
List *distributedRoles = NIL; List *validRoles = NIL;
Node *roleNode = NULL; Node *roleNode = NULL;
foreach_ptr(roleNode, roles) foreach_ptr(roleNode, roles)
{ {
@ -1333,12 +1333,13 @@ FilterDistributedRoles(List *roles)
} }
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress)); ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid); ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid);
if (IsAnyObjectDistributed(list_make1(roleAddress))) bool isSystemRole = IsReservedName(role->rolename);
if (IsAnyObjectDistributed(list_make1(roleAddress)) || isSystemRole)
{ {
distributedRoles = lappend(distributedRoles, role); validRoles = lappend(validRoles, role);
} }
} }
return distributedRoles; return validRoles;
} }
@ -1349,7 +1350,7 @@ FilterDistributedRoles(List *roles)
List * List *
FilterDistributedGrantedRoles(List *roles) FilterDistributedGrantedRoles(List *roles)
{ {
List *distributedRoles = NIL; List *validRoles = NIL;
Node *roleNode = NULL; Node *roleNode = NULL;
foreach_ptr(roleNode, roles) foreach_ptr(roleNode, roles)
{ {
@ -1365,12 +1366,13 @@ FilterDistributedGrantedRoles(List *roles)
} }
ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress)); ObjectAddress *roleAddress = palloc0(sizeof(ObjectAddress));
ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid); ObjectAddressSet(*roleAddress, AuthIdRelationId, roleOid);
if (IsAnyObjectDistributed(list_make1(roleAddress))) bool isSystemRole = IsReservedName(role->priv_name);
if (IsAnyObjectDistributed(list_make1(roleAddress)) || isSystemRole)
{ {
distributedRoles = lappend(distributedRoles, role); validRoles = lappend(validRoles, role);
} }
} }
return distributedRoles; return validRoles;
} }
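Review bot: In the -1333,12 hunk the new `bool isSystemRole = IsReservedName(role->rolename);` dereferences `role->rolename` unconditionally, and in PostgreSQL's parse tree that field is filled only for ROLESPEC_CSTRING (it is NULL for CURRENT_USER, SESSION_USER and PUBLIC), so unless the lines before the hunk already reject those specs this is a null dereference inside IsReservedName; `bool isSystemRole = role->rolename != NULL && IsReservedName(role->rolename);` closes it, and the same guard belongs on `role->priv_name` in the -1365,12 hunk, since AccessPriv.priv_name may also be NULL. The name check is also evaluated after the palloc0/ObjectAddressSet/IsAnyObjectDistributed catalog lookup, which is wasted work whenever the name alone decides the outcome; computing isSystemRole first and skipping the lookup when it is true is cheaper and keeps the two branches clearly separated. IsReservedName only tests for the `pg_` name prefix, so the filter now relies on PostgreSQL reserving that prefix for predefined roles rather than on any catalog record. Both functions keep "Distributed" in their names yet now pass reserved-name roles through even when they are absent from pg_dist_object, so their header comments (above the hunk) should state that explicitly, e.g. "Also keeps roles with a reserved (pg_) name, which are never recorded in pg_dist_object." FilterDistributedRoles and FilterDistributedGrantedRoles both begin before their hunks.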


@ -55,6 +55,8 @@ SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4 grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
ERROR: role "dist_role4" is a member of role "dist_role3" ERROR: role "dist_role4" is a member of role "dist_role3"
--Below command will not be successful since non_dist_role1 is propagated with the dependency resolution above
--however, ADMIN OPTION is not propagated for non_dist_role1 to worker 1 because the citus.enable_create_role_propagation is off
grant non_dist_role1 to dist_role4 granted by dist_role1; grant non_dist_role1 to dist_role4 granted by dist_role1;
ERROR: permission denied to grant privileges as role "dist_role1" ERROR: permission denied to grant privileges as role "dist_role1"
DETAIL: The grantor must have the ADMIN option on role "non_dist_role1". DETAIL: The grantor must have the ADMIN option on role "non_dist_role1".


@ -45,9 +45,10 @@ SELECT objid::regrole FROM pg_catalog.pg_dist_object WHERE classid='pg_authid'::
grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4 grant dist_role4 to dist_role3 with admin option GRANTED BY dist_role1; --fails since already dist_role3 granted to dist_role4
--Below command will not be successful since non_dist_role1 is propagated with the dependency resolution above
--however, ADMIN OPTION is not propagated for non_dist_role1 to worker 1 because the citus.enable_create_role_propagation is off
grant non_dist_role1 to dist_role4 granted by dist_role1; grant non_dist_role1 to dist_role4 granted by dist_role1;
grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4; grant dist_role3 to dist_role1 with admin option GRANTED BY dist_role4;
grant "dist_role5'_test" to dist_role1 with admin option; grant "dist_role5'_test" to dist_role1 with admin option;
grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test" grant "dist_role5'_test" to dist_role3 with admin option GRANTED BY dist_role1;--fails since already dist_role3 granted to "dist_role5'_test"
@ -218,12 +219,10 @@ set citus.enable_create_database_propagation to on;
drop database test_granted_by_support; drop database test_granted_by_support;
drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test"; drop role dist_role1,dist_role2,dist_role3,dist_role4,"dist_role5'_test";
drop role non_dist_role1; drop role non_dist_role1;
drop role if exists non_dist_role1; drop role if exists non_dist_role1;
select result FROM run_command_on_all_nodes( select result FROM run_command_on_all_nodes(
$$ $$
SELECT array_to_json(array_agg(row_to_json(t))) SELECT array_to_json(array_agg(row_to_json(t)))