Add support for grant on database propagation from non-main databases (#7443)

DESCRIPTION: Adds support for distributed `GRANT .. ON DATABASE TO USER`
commands from the databases where Citus is not installed

---------

Co-authored-by: Onur Tirtir <onurcantirtir@gmail.com>

src/backend/distributed/commands/utility_hook.c

@@ -107,8 +107,20 @@ typedef struct NonMainDbDistributedStatementInfo
 {
 	int statementType;
 	bool explicitlyMarkAsDistributed;
+
+	/*
+	 * checkSupportedObjectTypes is a callback function that checks whether
+	 * type of the object referred to by given statement is supported.
+	 *
+	 * Can be NULL if not applicable for the statement type.
+	 */
+	bool (*checkSupportedObjectTypes)(Node *node);
 } NonMainDbDistributedStatementInfo;
 
+/*
+ * MarkObjectDistributedParams is used to pass parameters to the
+ * MarkObjectDistributedFromNonMainDb function.
+ */
 typedef struct MarkObjectDistributedParams
 {
 	char *name;
@@ -116,15 +128,6 @@ typedef struct MarkObjectDistributedParams
 	uint16 catalogRelId;
 } MarkObjectDistributedParams;
 
-/*
- * NonMainDbSupportedStatements is an array of statements that are supported
- * from non-main databases.
- */
-static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] = {
-	{ T_GrantRoleStmt, false },
-	{ T_CreateRoleStmt, true }
-};
-
 
 bool EnableDDLPropagation = true; /* ddl propagation is enabled */
 int CreateObjectPropagationMode = CREATE_OBJECT_PROPAGATION_IMMEDIATE;
@@ -153,6 +156,12 @@ static void PostStandardProcessUtility(Node *parsetree);
 static void DecrementUtilityHookCountersIfNecessary(Node *parsetree);
 static bool IsDropSchemaOrDB(Node *parsetree);
 static bool ShouldCheckUndistributeCitusLocalTables(void);
+
+
+/*
+ * Functions to support commands used to manage node-wide objects from non-main
+ * databases.
+ */
 static void RunPreprocessMainDBCommand(Node *parsetree);
 static void RunPostprocessMainDBCommand(Node *parsetree);
 static bool IsStatementSupportedFromNonMainDb(Node *parsetree);
@@ -160,6 +169,25 @@ static bool StatementRequiresMarkDistributedFromNonMainDb(Node *parsetree);
 static void MarkObjectDistributedFromNonMainDb(Node *parsetree);
 static MarkObjectDistributedParams GetMarkObjectDistributedParams(Node *parsetree);
 
+/*
+ * checkSupportedObjectTypes callbacks for
+ * NonMainDbDistributedStatementInfo objects.
+ */
+static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node);
+
+
+/*
+ * NonMainDbSupportedStatements is an array of statements that are supported
+ * from non-main databases.
+ */
+ObjectType supportedObjectTypesForGrantStmt[] = { OBJECT_DATABASE };
+static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] = {
+	{ T_GrantRoleStmt, false, NULL },
+	{ T_CreateRoleStmt, true, NULL },
+	{ T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant }
+};
+
+
 /*
  * ProcessUtilityParseTree is a convenience method to create a PlannedStmt out of
  * pieces of a utility statement before invoking ProcessUtility.
@@ -1692,10 +1720,13 @@ IsStatementSupportedFromNonMainDb(Node *parsetree)
 	for (int i = 0; i < sizeof(NonMainDbSupportedStatements) /
 		 sizeof(NonMainDbSupportedStatements[0]); i++)
 	{
-		if (type == NonMainDbSupportedStatements[i].statementType)
+		if (type != NonMainDbSupportedStatements[i].statementType)
 		{
-			return true;
+			continue;
 		}
+
+		return !NonMainDbSupportedStatements[i].checkSupportedObjectTypes ||
+			   NonMainDbSupportedStatements[i].checkSupportedObjectTypes(parsetree);
 	}
 
 	return false;
@@ -1767,3 +1798,15 @@ GetMarkObjectDistributedParams(Node *parsetree)
 
 	elog(ERROR, "unsupported statement type");
 }
+
+
+/*
+ * NonMainDbCheckSupportedObjectTypeForGrant implements checkSupportedObjectTypes
+ * callback for GrantStmt.
+ */
+static bool
+NonMainDbCheckSupportedObjectTypeForGrant(Node *node)
+{
+	GrantStmt *stmt = castNode(GrantStmt, node);
+	return stmt->objtype == OBJECT_DATABASE;
+}

src/test/regress/expected/grant_on_database_propagation_from_non_maindb.out

@@ -0,0 +1,471 @@
+-- Public role has connect,temp,temporary privileges on database
+-- To test these scenarios, we need to revoke these privileges from public role
+-- since public role privileges are inherited by new roles/users
+set citus.enable_create_database_propagation to on;
+create database test_2pc_db;
+show citus.main_db;
+ citus.main_db
+---------------------------------------------------------------------
+ regression
+(1 row)
+
+revoke connect,temp,temporary  on database test_2pc_db from public;
+CREATE SCHEMA grant_on_database_propagation_non_maindb;
+SET search_path TO grant_on_database_propagation_non_maindb;
+-- test grant/revoke CREATE privilege propagation on database
+create user "myuser'_test";
+\c test_2pc_db - - :master_port
+grant create on database test_2pc_db to "myuser'_test";
+\c regression - - :master_port;
+select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+(3 rows)
+
+\c test_2pc_db - - :master_port
+revoke create on database test_2pc_db from "myuser'_test";
+\c regression - - :master_port;
+select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+(3 rows)
+
+drop user "myuser'_test";
+---------------------------------------------------------------------
+-- test grant/revoke CONNECT privilege propagation on database
+\c regression - - :master_port
+create user myuser2;
+\c test_2pc_db - - :master_port
+grant CONNECT on database test_2pc_db to myuser2;
+\c regression - - :master_port;
+select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+(3 rows)
+
+\c test_2pc_db - - :master_port
+revoke connect on database test_2pc_db from myuser2;
+\c regression - - :master_port
+select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+(3 rows)
+
+drop user myuser2;
+---------------------------------------------------------------------
+-- test grant/revoke TEMP privilege propagation on database
+\c regression - - :master_port
+create user myuser3;
+-- test grant/revoke temp on database
+\c test_2pc_db - - :master_port
+grant TEMP on database test_2pc_db to myuser3;
+\c regression - - :master_port;
+select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+(3 rows)
+
+\c test_2pc_db - - :worker_1_port
+revoke TEMP on database test_2pc_db from myuser3;
+\c regression - - :master_port;
+select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+(3 rows)
+
+drop user myuser3;
+---------------------------------------------------------------------
+\c regression - - :master_port
+-- test temporary privilege on database
+create user myuser4;
+-- test grant/revoke temporary on database
+\c test_2pc_db - - :worker_1_port
+grant TEMPORARY on database test_2pc_db to myuser4;
+\c regression - - :master_port
+select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(3 rows)
+
+\c test_2pc_db - - :master_port
+revoke TEMPORARY on database test_2pc_db from myuser4;
+\c regression - - :master_port;
+select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(3 rows)
+
+drop user myuser4;
+---------------------------------------------------------------------
+-- test ALL privileges with ALL statement on database
+create user myuser5;
+grant ALL on database test_2pc_db to myuser5;
+\c regression - - :master_port
+select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+\c test_2pc_db - - :master_port
+revoke ALL on database test_2pc_db from myuser5;
+\c regression - - :master_port
+select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(12 rows)
+
+drop user myuser5;
+---------------------------------------------------------------------
+-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database
+create user myuser6;
+\c test_2pc_db - - :master_port
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser6;
+\c regression - - :master_port
+select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+\c test_2pc_db - - :master_port
+revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser6;
+\c regression - - :master_port
+select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(12 rows)
+
+drop user myuser6;
+---------------------------------------------------------------------
+-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database with grant option
+create user myuser7;
+create user myuser_1;
+\c test_2pc_db - - :master_port
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7;
+set role myuser7;
+--here since myuser7 does not have grant option, it should fail
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1;
+WARNING:  no privileges were granted for "test_2pc_db"
+\c regression - - :master_port
+select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(12 rows)
+
+\c test_2pc_db - - :master_port
+RESET ROLE;
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7 with grant option;
+set role myuser7;
+--here since myuser have grant option, it should succeed
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1 granted by myuser7;
+\c regression - - :master_port
+select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+\c test_2pc_db - - :master_port
+RESET ROLE;
+--below test should fail and should throw an error since myuser_1 still have the dependent privileges
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict;
+ERROR:  dependent privileges exist
+HINT:  Use CASCADE to revoke them too.
+--below test should fail and should throw an error since myuser_1 still have the dependent privileges
+revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict ;
+ERROR:  dependent privileges exist
+HINT:  Use CASCADE to revoke them too.
+--below test should succeed and should not throw any error since myuser_1 privileges are revoked with cascade
+revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 cascade ;
+--here we test if myuser7 still have the privileges after revoke grant option for
+\c regression - - :master_port
+select check_database_privileges('myuser7','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+\c test_2pc_db - - :master_port
+reset role;
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7;
+revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser_1;
+\c regression - - :master_port
+drop user myuser_1;
+drop user myuser7;
+---------------------------------------------------------------------
+-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database multi database
+-- and multi user
+\c regression - - :master_port
+create user myuser8;
+create user myuser_2;
+set citus.enable_create_database_propagation to on;
+create database test_db;
+revoke connect,temp,temporary  on database test_db from public;
+\c test_2pc_db - - :master_port
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db to myuser8,myuser_2;
+\c regression - - :master_port
+select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
+\c test_2pc_db - - :master_port
+RESET ROLE;
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 ;
+--below test should succeed and should not throw any error
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser_2;
+--below test should succeed and should not throw any error
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 cascade;
+\c regression - - :master_port
+select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(12 rows)
+
+select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(12 rows)
+
+select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(12 rows)
+
+select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,f)
+ (CREATE,f)
+ (CREATE,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (CONNECT,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMP,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+ (TEMPORARY,f)
+(12 rows)
+
+\c test_2pc_db - - :master_port
+reset role;
+\c regression - - :master_port
+drop user myuser_2;
+drop user myuser8;
+set citus.enable_create_database_propagation to on;
+drop database test_db;
+---------------------------------------------------------------------
+-- rollbacks public role database privileges to original state
+grant connect,temp,temporary  on database test_2pc_db to public;
+drop database test_2pc_db;
+set citus.enable_create_database_propagation to off;
+DROP SCHEMA grant_on_database_propagation_non_maindb CASCADE;
+reset citus.enable_create_database_propagation;
+reset search_path;
+---------------------------------------------------------------------

src/test/regress/expected/metadata_sync_from_non_maindb.out

@@ -2,6 +2,7 @@ CREATE SCHEMA metadata_sync_2pc_schema;
 SET search_path TO metadata_sync_2pc_schema;
 set citus.enable_create_database_propagation to on;
 CREATE DATABASE metadata_sync_2pc_db;
+revoke connect,temp,temporary  on database metadata_sync_2pc_db from public;
 \c metadata_sync_2pc_db
 SHOW citus.main_db;
  citus.main_db
@@ -24,7 +25,41 @@ select 1 from citus_remove_node('localhost', :worker_2_port);
 \c metadata_sync_2pc_db
 grant "grant_role2pc'_user1","grant_role2pc'_user2" to "grant_role2pc'_user3" WITH ADMIN OPTION;
 grant "grant_role2pc'_user1","grant_role2pc'_user2" to grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
+--test for grant on database
+\c metadata_sync_2pc_db - - :master_port
+grant create on database metadata_sync_2pc_db to "grant_role2pc'_user1";
+grant connect on database metadata_sync_2pc_db to "grant_role2pc'_user2";
+grant ALL on database metadata_sync_2pc_db to "grant_role2pc'_user3";
 \c regression
+select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+(2 rows)
+
+select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CONNECT,t)
+ (CONNECT,t)
+(2 rows)
+
+select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(8 rows)
+
+\c regression
+set citus.enable_create_database_propagation to on;
 select 1 from citus_add_node('localhost', :worker_2_port);
  ?column?
 ---------------------------------------------------------------------
@@ -48,10 +83,46 @@ $$);
  [{"member":"\"grant_role2pc'_user3\"","role":"\"grant_role2pc'_user1\"","grantor":"postgres","admin_option":true},{"member":"\"grant_role2pc'_user3\"","role":"\"grant_role2pc'_user2\"","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"\"grant_role2pc'_user1\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false},{"member":"grant_role2pc_user4","role":"\"grant_role2pc'_user2\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false},{"member":"grant_role2pc_user5","role":"\"grant_role2pc'_user1\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false},{"member":"grant_role2pc_user5","role":"\"grant_role2pc'_user2\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false}]
 (3 rows)
 
+select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+(3 rows)
+
+select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+(3 rows)
+
+select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
+ check_database_privileges
+---------------------------------------------------------------------
+ (CREATE,t)
+ (CREATE,t)
+ (CREATE,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (CONNECT,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMP,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+ (TEMPORARY,t)
+(12 rows)
+
 \c metadata_sync_2pc_db
 revoke "grant_role2pc'_user1","grant_role2pc'_user2" from grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
 revoke admin option for "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
 revoke "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
+revoke ALL on database metadata_sync_2pc_db from "grant_role2pc'_user3";
+revoke CONNECT on database metadata_sync_2pc_db from "grant_role2pc'_user2";
+revoke CREATE on database metadata_sync_2pc_db from "grant_role2pc'_user1";
 \c regression
 drop user "grant_role2pc'_user1","grant_role2pc'_user2","grant_role2pc'_user3",grant_role2pc_user4,grant_role2pc_user5;
 set citus.enable_create_database_propagation to on;

src/test/regress/expected/multi_test_helpers.out

@@ -634,7 +634,8 @@ DECLARE
 BEGIN
     FOREACH permission IN ARRAY permissions
     LOOP
-        RETURN QUERY EXECUTE format($inner$SELECT '%s', result FROM run_command_on_all_nodes($$select has_database_privilege('%s','%s', '%s'); $$)$inner$, permission, role_name, db_name, permission);
+        RETURN QUERY EXECUTE format($inner$SELECT %s, result FROM run_command_on_all_nodes($$select has_database_privilege(%s,%s,%s); $$)$inner$,
+        quote_literal(permission), quote_literal(role_name), quote_literal(db_name), quote_literal(permission));
     END LOOP;
 END;
 $func$ LANGUAGE plpgsql;

src/test/regress/multi_1_schedule

@@ -58,7 +58,7 @@ test: multi_metadata_attributes
 
 test: multi_read_from_secondaries
 
-test: grant_on_database_propagation
+test: grant_on_database_propagation grant_on_database_propagation_from_non_maindb
 test: alter_database_propagation
 
 test: citus_shards

src/test/regress/sql/grant_on_database_propagation_from_non_maindb.sql

@@ -0,0 +1,246 @@
+-- Public role has connect,temp,temporary privileges on database
+-- To test these scenarios, we need to revoke these privileges from public role
+-- since public role privileges are inherited by new roles/users
+set citus.enable_create_database_propagation to on;
+create database test_2pc_db;
+show citus.main_db;
+revoke connect,temp,temporary  on database test_2pc_db from public;
+
+CREATE SCHEMA grant_on_database_propagation_non_maindb;
+SET search_path TO grant_on_database_propagation_non_maindb;
+
+-- test grant/revoke CREATE privilege propagation on database
+create user "myuser'_test";
+
+\c test_2pc_db - - :master_port
+grant create on database test_2pc_db to "myuser'_test";
+
+\c regression - - :master_port;
+select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
+
+\c test_2pc_db - - :master_port
+revoke create on database test_2pc_db from "myuser'_test";
+
+\c regression - - :master_port;
+select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
+
+drop user "myuser'_test";
+-----------------------------------------------------------------------
+
+-- test grant/revoke CONNECT privilege propagation on database
+\c regression - - :master_port
+create user myuser2;
+
+\c test_2pc_db - - :master_port
+grant CONNECT on database test_2pc_db to myuser2;
+
+\c regression - - :master_port;
+select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
+
+\c test_2pc_db - - :master_port
+revoke connect on database test_2pc_db from myuser2;
+
+\c regression - - :master_port
+select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
+
+drop user myuser2;
+
+-----------------------------------------------------------------------
+
+-- test grant/revoke TEMP privilege propagation on database
+\c regression - - :master_port
+create user myuser3;
+
+-- test grant/revoke temp on database
+\c test_2pc_db - - :master_port
+grant TEMP on database test_2pc_db to myuser3;
+
+\c regression - - :master_port;
+select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
+
+
+\c test_2pc_db - - :worker_1_port
+revoke TEMP on database test_2pc_db from myuser3;
+
+\c regression - - :master_port;
+select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
+
+drop user myuser3;
+
+-----------------------------------------------------------------------
+
+\c regression - - :master_port
+-- test temporary privilege on database
+create user myuser4;
+
+-- test grant/revoke temporary on database
+\c test_2pc_db - - :worker_1_port
+grant TEMPORARY on database test_2pc_db to myuser4;
+
+\c regression - - :master_port
+select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
+
+\c test_2pc_db - - :master_port
+revoke TEMPORARY on database test_2pc_db from myuser4;
+
+\c regression - - :master_port;
+select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
+
+drop user myuser4;
+-----------------------------------------------------------------------
+
+-- test ALL privileges with ALL statement on database
+create user myuser5;
+
+grant ALL on database test_2pc_db to myuser5;
+
+\c regression - - :master_port
+select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+
+\c test_2pc_db - - :master_port
+revoke ALL on database test_2pc_db from myuser5;
+
+\c regression - - :master_port
+select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+drop user myuser5;
+-----------------------------------------------------------------------
+
+-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database
+create user myuser6;
+
+\c test_2pc_db - - :master_port
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser6;
+
+\c regression - - :master_port
+select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+\c test_2pc_db - - :master_port
+revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser6;
+
+\c regression - - :master_port
+select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+
+drop user myuser6;
+-----------------------------------------------------------------------
+
+-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database with grant option
+create user myuser7;
+create user myuser_1;
+
+\c test_2pc_db - - :master_port
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7;
+
+set role myuser7;
+--here since myuser7 does not have grant option, it should fail
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1;
+
+\c regression - - :master_port
+select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+\c test_2pc_db - - :master_port
+
+RESET ROLE;
+
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7 with grant option;
+set role myuser7;
+
+--here since myuser have grant option, it should succeed
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1 granted by myuser7;
+
+\c regression - - :master_port
+select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+\c test_2pc_db - - :master_port
+
+RESET ROLE;
+
+--below test should fail and should throw an error since myuser_1 still have the dependent privileges
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict;
+--below test should fail and should throw an error since myuser_1 still have the dependent privileges
+revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict ;
+
+--below test should succeed and should not throw any error since myuser_1 privileges are revoked with cascade
+revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 cascade ;
+
+--here we test if myuser7 still have the privileges after revoke grant option for
+
+\c regression - - :master_port
+select check_database_privileges('myuser7','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+
+\c test_2pc_db - - :master_port
+
+reset role;
+
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7;
+revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser_1;
+
+\c regression - - :master_port
+drop user myuser_1;
+drop user myuser7;
+
+-----------------------------------------------------------------------
+
+-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database multi database
+-- and multi user
+\c regression - - :master_port
+create user myuser8;
+create user myuser_2;
+
+set citus.enable_create_database_propagation to on;
+create database test_db;
+
+revoke connect,temp,temporary  on database test_db from public;
+
+\c test_2pc_db - - :master_port
+grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db to myuser8,myuser_2;
+
+\c regression - - :master_port
+select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+
+\c test_2pc_db - - :master_port
+
+RESET ROLE;
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 ;
+
+--below test should succeed and should not throw any error
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser_2;
+
+--below test should succeed and should not throw any error
+revoke  CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 cascade;
+
+\c regression - - :master_port
+select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
+
+
+\c test_2pc_db - - :master_port
+
+reset role;
+
+\c regression - - :master_port
+drop user myuser_2;
+drop user myuser8;
+
+set citus.enable_create_database_propagation to on;
+drop database test_db;
+
+---------------------------------------------------------------------------
+-- rollbacks public role database privileges to original state
+grant connect,temp,temporary  on database test_2pc_db to public;
+drop database test_2pc_db;
+set citus.enable_create_database_propagation to off;
+DROP SCHEMA grant_on_database_propagation_non_maindb CASCADE;
+
+reset citus.enable_create_database_propagation;
+reset search_path;
+---------------------------------------------------------------------------

src/test/regress/sql/metadata_sync_from_non_maindb.sql

@@ -3,6 +3,8 @@ SET search_path TO metadata_sync_2pc_schema;
 set citus.enable_create_database_propagation to on;
 CREATE DATABASE metadata_sync_2pc_db;
 
+revoke connect,temp,temporary  on database metadata_sync_2pc_db from public;
+
 \c metadata_sync_2pc_db
 SHOW citus.main_db;
 
@@ -19,7 +21,19 @@ select 1 from citus_remove_node('localhost', :worker_2_port);
 grant "grant_role2pc'_user1","grant_role2pc'_user2" to "grant_role2pc'_user3" WITH ADMIN OPTION;
 grant "grant_role2pc'_user1","grant_role2pc'_user2" to grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
 
+--test for grant on database
+\c metadata_sync_2pc_db - - :master_port
+grant create on database metadata_sync_2pc_db to "grant_role2pc'_user1";
+grant connect on database metadata_sync_2pc_db to "grant_role2pc'_user2";
+grant ALL on database metadata_sync_2pc_db to "grant_role2pc'_user3";
+
 \c regression
+select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
+select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
+select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
+
+\c regression
+set citus.enable_create_database_propagation to on;
 select 1 from citus_add_node('localhost', :worker_2_port);
 
 select result FROM run_command_on_all_nodes($$
@@ -33,12 +47,19 @@ FROM (
 ) t
 $$);
 
+select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
+select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
+select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
+
 \c metadata_sync_2pc_db
 revoke "grant_role2pc'_user1","grant_role2pc'_user2" from grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
 
 revoke admin option for "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
 
 revoke "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
+revoke ALL on database metadata_sync_2pc_db from "grant_role2pc'_user3";
+revoke CONNECT on database metadata_sync_2pc_db from "grant_role2pc'_user2";
+revoke CREATE on database metadata_sync_2pc_db from "grant_role2pc'_user1";
 
 \c regression
 

src/test/regress/sql/multi_test_helpers.sql

@@ -661,7 +661,8 @@ DECLARE
 BEGIN
     FOREACH permission IN ARRAY permissions
     LOOP
-        RETURN QUERY EXECUTE format($inner$SELECT '%s', result FROM run_command_on_all_nodes($$select has_database_privilege('%s','%s', '%s'); $$)$inner$, permission, role_name, db_name, permission);
+        RETURN QUERY EXECUTE format($inner$SELECT %s, result FROM run_command_on_all_nodes($$select has_database_privilege(%s,%s,%s); $$)$inner$,
+        quote_literal(permission), quote_literal(role_name), quote_literal(db_name), quote_literal(permission));
     END LOOP;
 END;
 $func$ LANGUAGE plpgsql;