external
/
citus
mirror of https://github.com/citusdata/citus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for grant on database propagation from non-main databases (#7443) 

DESCRIPTION: Adds support for distributed `GRANT .. ON DATABASE TO USER`
commands from the databases where Citus is not installed

---------

Co-authored-by: Onur Tirtir <onurcantirtir@gmail.com>
pull/7492/head
Gürkan İndibay 2024-02-21 13:14:58 +03:00 committed by GitHub
parent 56e014e64e
commit b3ef1b7e39
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 868 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
src/backend/distributed/commands/utility_hook.c
View File

@ -107,8 +107,20 @@ typedef struct NonMainDbDistributedStatementInfo
{
int statementType;
bool explicitlyMarkAsDistributed;
/*
* checkSupportedObjectTypes is a callback function that checks whether
* type of the object referred to by given statement is supported.
*
* Can be NULL if not applicable for the statement type.
*/
bool (*checkSupportedObjectTypes)(Node *node);
} NonMainDbDistributedStatementInfo;
/*
* MarkObjectDistributedParams is used to pass parameters to the
* MarkObjectDistributedFromNonMainDb function.
*/
typedef struct MarkObjectDistributedParams
{
char *name;
@ -116,15 +128,6 @@ typedef struct MarkObjectDistributedParams
uint16 catalogRelId;
} MarkObjectDistributedParams;
/*
* NonMainDbSupportedStatements is an array of statements that are supported
* from non-main databases.
*/
static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] = {
{ T_GrantRoleStmt, false },
{ T_CreateRoleStmt, true }
};
bool EnableDDLPropagation = true; /* ddl propagation is enabled */
int CreateObjectPropagationMode = CREATE_OBJECT_PROPAGATION_IMMEDIATE;
@ -153,6 +156,12 @@ static void PostStandardProcessUtility(Node *parsetree);
static void DecrementUtilityHookCountersIfNecessary(Node *parsetree);
static bool IsDropSchemaOrDB(Node *parsetree);
static bool ShouldCheckUndistributeCitusLocalTables(void);
/*
* Functions to support commands used to manage node-wide objects from non-main
* databases.
*/
static void RunPreprocessMainDBCommand(Node *parsetree);
static void RunPostprocessMainDBCommand(Node *parsetree);
static bool IsStatementSupportedFromNonMainDb(Node *parsetree);
@ -160,6 +169,25 @@ static bool StatementRequiresMarkDistributedFromNonMainDb(Node *parsetree);
static void MarkObjectDistributedFromNonMainDb(Node *parsetree);
static MarkObjectDistributedParams GetMarkObjectDistributedParams(Node *parsetree);
/*
* checkSupportedObjectTypes callbacks for
* NonMainDbDistributedStatementInfo objects.
*/
static bool NonMainDbCheckSupportedObjectTypeForGrant(Node *node);
/*
* NonMainDbSupportedStatements is an array of statements that are supported
* from non-main databases.
*/
ObjectType supportedObjectTypesForGrantStmt[] = { OBJECT_DATABASE };
static const NonMainDbDistributedStatementInfo NonMainDbSupportedStatements[] = {
{ T_GrantRoleStmt, false, NULL },
{ T_CreateRoleStmt, true, NULL },
{ T_GrantStmt, false, NonMainDbCheckSupportedObjectTypeForGrant }
};
/*
* ProcessUtilityParseTree is a convenience method to create a PlannedStmt out of
* pieces of a utility statement before invoking ProcessUtility.
@ -1692,10 +1720,13 @@ IsStatementSupportedFromNonMainDb(Node *parsetree)
for (int i = 0; i < sizeof(NonMainDbSupportedStatements) /
sizeof(NonMainDbSupportedStatements[0]); i++)
{
if (type == NonMainDbSupportedStatements[i].statementType)
if (type != NonMainDbSupportedStatements[i].statementType)
{
return true;
continue;
}
return !NonMainDbSupportedStatements[i].checkSupportedObjectTypes ||
NonMainDbSupportedStatements[i].checkSupportedObjectTypes(parsetree);
}
return false;
@ -1767,3 +1798,15 @@ GetMarkObjectDistributedParams(Node *parsetree)
elog(ERROR, "unsupported statement type");
}
/*
* NonMainDbCheckSupportedObjectTypeForGrant implements checkSupportedObjectTypes
* callback for GrantStmt.
*/
static bool
NonMainDbCheckSupportedObjectTypeForGrant(Node *node)
{
GrantStmt *stmt = castNode(GrantStmt, node);
return stmt->objtype == OBJECT_DATABASE;
}

471
src/test/regress/expected/grant_on_database_propagation_from_non_maindb.out Normal file
View File

@ -0,0 +1,471 @@
-- Public role has connect,temp,temporary privileges on database
-- To test these scenarios, we need to revoke these privileges from public role
-- since public role privileges are inherited by new roles/users
set citus.enable_create_database_propagation to on;
create database test_2pc_db;
show citus.main_db;
citus.main_db
---------------------------------------------------------------------
regression
(1 row)
revoke connect,temp,temporary on database test_2pc_db from public;
CREATE SCHEMA grant_on_database_propagation_non_maindb;
SET search_path TO grant_on_database_propagation_non_maindb;
-- test grant/revoke CREATE privilege propagation on database
create user "myuser'_test";
\c test_2pc_db - - :master_port
grant create on database test_2pc_db to "myuser'_test";
\c regression - - :master_port;
select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(3 rows)
\c test_2pc_db - - :master_port
revoke create on database test_2pc_db from "myuser'_test";
\c regression - - :master_port;
select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(3 rows)
drop user "myuser'_test";
---------------------------------------------------------------------
-- test grant/revoke CONNECT privilege propagation on database
\c regression - - :master_port
create user myuser2;
\c test_2pc_db - - :master_port
grant CONNECT on database test_2pc_db to myuser2;
\c regression - - :master_port;
select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
check_database_privileges
---------------------------------------------------------------------
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(3 rows)
\c test_2pc_db - - :master_port
revoke connect on database test_2pc_db from myuser2;
\c regression - - :master_port
select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
check_database_privileges
---------------------------------------------------------------------
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(3 rows)
drop user myuser2;
---------------------------------------------------------------------
-- test grant/revoke TEMP privilege propagation on database
\c regression - - :master_port
create user myuser3;
-- test grant/revoke temp on database
\c test_2pc_db - - :master_port
grant TEMP on database test_2pc_db to myuser3;
\c regression - - :master_port;
select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
check_database_privileges
---------------------------------------------------------------------
(TEMP,t)
(TEMP,t)
(TEMP,t)
(3 rows)
\c test_2pc_db - - :worker_1_port
revoke TEMP on database test_2pc_db from myuser3;
\c regression - - :master_port;
select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
check_database_privileges
---------------------------------------------------------------------
(TEMP,f)
(TEMP,f)
(TEMP,f)
(3 rows)
drop user myuser3;
---------------------------------------------------------------------
\c regression - - :master_port
-- test temporary privilege on database
create user myuser4;
-- test grant/revoke temporary on database
\c test_2pc_db - - :worker_1_port
grant TEMPORARY on database test_2pc_db to myuser4;
\c regression - - :master_port
select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(3 rows)
\c test_2pc_db - - :master_port
revoke TEMPORARY on database test_2pc_db from myuser4;
\c regression - - :master_port;
select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(3 rows)
drop user myuser4;
---------------------------------------------------------------------
-- test ALL privileges with ALL statement on database
create user myuser5;
grant ALL on database test_2pc_db to myuser5;
\c regression - - :master_port
select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
\c test_2pc_db - - :master_port
revoke ALL on database test_2pc_db from myuser5;
\c regression - - :master_port
select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(TEMP,f)
(TEMP,f)
(TEMP,f)
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(12 rows)
drop user myuser5;
---------------------------------------------------------------------
-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database
create user myuser6;
\c test_2pc_db - - :master_port
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser6;
\c regression - - :master_port
select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
\c test_2pc_db - - :master_port
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser6;
\c regression - - :master_port
select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(TEMP,f)
(TEMP,f)
(TEMP,f)
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(12 rows)
drop user myuser6;
---------------------------------------------------------------------
-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database with grant option
create user myuser7;
create user myuser_1;
\c test_2pc_db - - :master_port
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7;
set role myuser7;
--here since myuser7 does not have grant option, it should fail
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1;
WARNING: no privileges were granted for "test_2pc_db"
\c regression - - :master_port
select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(TEMP,f)
(TEMP,f)
(TEMP,f)
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(12 rows)
\c test_2pc_db - - :master_port
RESET ROLE;
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7 with grant option;
set role myuser7;
--here since myuser have grant option, it should succeed
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1 granted by myuser7;
\c regression - - :master_port
select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
\c test_2pc_db - - :master_port
RESET ROLE;
--below test should fail and should throw an error since myuser_1 still have the dependent privileges
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict;
ERROR: dependent privileges exist
HINT: Use CASCADE to revoke them too.
--below test should fail and should throw an error since myuser_1 still have the dependent privileges
revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict ;
ERROR: dependent privileges exist
HINT: Use CASCADE to revoke them too.
--below test should succeed and should not throw any error since myuser_1 privileges are revoked with cascade
revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 cascade ;
--here we test if myuser7 still have the privileges after revoke grant option for
\c regression - - :master_port
select check_database_privileges('myuser7','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
\c test_2pc_db - - :master_port
reset role;
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7;
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser_1;
\c regression - - :master_port
drop user myuser_1;
drop user myuser7;
---------------------------------------------------------------------
-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database multi database
-- and multi user
\c regression - - :master_port
create user myuser8;
create user myuser_2;
set citus.enable_create_database_propagation to on;
create database test_db;
revoke connect,temp,temporary on database test_db from public;
\c test_2pc_db - - :master_port
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db to myuser8,myuser_2;
\c regression - - :master_port
select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
\c test_2pc_db - - :master_port
RESET ROLE;
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 ;
--below test should succeed and should not throw any error
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser_2;
--below test should succeed and should not throw any error
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 cascade;
\c regression - - :master_port
select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(TEMP,f)
(TEMP,f)
(TEMP,f)
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(12 rows)
select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(TEMP,f)
(TEMP,f)
(TEMP,f)
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(12 rows)
select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(TEMP,f)
(TEMP,f)
(TEMP,f)
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(12 rows)
select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,f)
(CREATE,f)
(CREATE,f)
(CONNECT,f)
(CONNECT,f)
(CONNECT,f)
(TEMP,f)
(TEMP,f)
(TEMP,f)
(TEMPORARY,f)
(TEMPORARY,f)
(TEMPORARY,f)
(12 rows)
\c test_2pc_db - - :master_port
reset role;
\c regression - - :master_port
drop user myuser_2;
drop user myuser8;
set citus.enable_create_database_propagation to on;
drop database test_db;
---------------------------------------------------------------------
-- rollbacks public role database privileges to original state
grant connect,temp,temporary on database test_2pc_db to public;
drop database test_2pc_db;
set citus.enable_create_database_propagation to off;
DROP SCHEMA grant_on_database_propagation_non_maindb CASCADE;
reset citus.enable_create_database_propagation;
reset search_path;
---------------------------------------------------------------------

71
src/test/regress/expected/metadata_sync_from_non_maindb.out
View File

@ -2,6 +2,7 @@ CREATE SCHEMA metadata_sync_2pc_schema;
SET search_path TO metadata_sync_2pc_schema;
set citus.enable_create_database_propagation to on;
CREATE DATABASE metadata_sync_2pc_db;
revoke connect,temp,temporary on database metadata_sync_2pc_db from public;
\c metadata_sync_2pc_db
SHOW citus.main_db;
citus.main_db
@ -24,7 +25,41 @@ select 1 from citus_remove_node('localhost', :worker_2_port);
\c metadata_sync_2pc_db
grant "grant_role2pc'_user1","grant_role2pc'_user2" to "grant_role2pc'_user3" WITH ADMIN OPTION;
grant "grant_role2pc'_user1","grant_role2pc'_user2" to grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
--test for grant on database
\c metadata_sync_2pc_db - - :master_port
grant create on database metadata_sync_2pc_db to "grant_role2pc'_user1";
grant connect on database metadata_sync_2pc_db to "grant_role2pc'_user2";
grant ALL on database metadata_sync_2pc_db to "grant_role2pc'_user3";
\c regression
select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(2 rows)
select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
check_database_privileges
---------------------------------------------------------------------
(CONNECT,t)
(CONNECT,t)
(2 rows)
select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(8 rows)
\c regression
set citus.enable_create_database_propagation to on;
select 1 from citus_add_node('localhost', :worker_2_port);
?column?
---------------------------------------------------------------------
@ -48,10 +83,46 @@ $$);
[{"member":"\"grant_role2pc'_user3\"","role":"\"grant_role2pc'_user1\"","grantor":"postgres","admin_option":true},{"member":"\"grant_role2pc'_user3\"","role":"\"grant_role2pc'_user2\"","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"\"grant_role2pc'_user1\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false},{"member":"grant_role2pc_user4","role":"\"grant_role2pc'_user2\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false},{"member":"grant_role2pc_user5","role":"\"grant_role2pc'_user1\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false},{"member":"grant_role2pc_user5","role":"\"grant_role2pc'_user2\"","grantor":"\"grant_role2pc'_user3\"","admin_option":false}]
(3 rows)
select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(3 rows)
select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
check_database_privileges
---------------------------------------------------------------------
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(3 rows)
select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
check_database_privileges
---------------------------------------------------------------------
(CREATE,t)
(CREATE,t)
(CREATE,t)
(CONNECT,t)
(CONNECT,t)
(CONNECT,t)
(TEMP,t)
(TEMP,t)
(TEMP,t)
(TEMPORARY,t)
(TEMPORARY,t)
(TEMPORARY,t)
(12 rows)
\c metadata_sync_2pc_db
revoke "grant_role2pc'_user1","grant_role2pc'_user2" from grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
revoke admin option for "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
revoke "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
revoke ALL on database metadata_sync_2pc_db from "grant_role2pc'_user3";
revoke CONNECT on database metadata_sync_2pc_db from "grant_role2pc'_user2";
revoke CREATE on database metadata_sync_2pc_db from "grant_role2pc'_user1";
\c regression
drop user "grant_role2pc'_user1","grant_role2pc'_user2","grant_role2pc'_user3",grant_role2pc_user4,grant_role2pc_user5;
set citus.enable_create_database_propagation to on;

3
src/test/regress/expected/multi_test_helpers.out
View File

@ -634,7 +634,8 @@ DECLARE
BEGIN
FOREACH permission IN ARRAY permissions
LOOP
RETURN QUERY EXECUTE format($inner$SELECT '%s', result FROM run_command_on_all_nodes($$select has_database_privilege('%s','%s', '%s'); $$)$inner$, permission, role_name, db_name, permission);
RETURN QUERY EXECUTE format($inner$SELECT %s, result FROM run_command_on_all_nodes($$select has_database_privilege(%s,%s,%s); $$)$inner$,
quote_literal(permission), quote_literal(role_name), quote_literal(db_name), quote_literal(permission));
END LOOP;
END;
$func$ LANGUAGE plpgsql;

2
src/test/regress/multi_1_schedule
View File

@ -58,7 +58,7 @@ test: multi_metadata_attributes
test: multi_read_from_secondaries
test: grant_on_database_propagation
test: grant_on_database_propagation grant_on_database_propagation_from_non_maindb
test: alter_database_propagation
test: citus_shards

246
src/test/regress/sql/grant_on_database_propagation_from_non_maindb.sql Normal file
View File

@ -0,0 +1,246 @@
-- Public role has connect,temp,temporary privileges on database
-- To test these scenarios, we need to revoke these privileges from public role
-- since public role privileges are inherited by new roles/users
set citus.enable_create_database_propagation to on;
create database test_2pc_db;
show citus.main_db;
revoke connect,temp,temporary on database test_2pc_db from public;
CREATE SCHEMA grant_on_database_propagation_non_maindb;
SET search_path TO grant_on_database_propagation_non_maindb;
-- test grant/revoke CREATE privilege propagation on database
create user "myuser'_test";
\c test_2pc_db - - :master_port
grant create on database test_2pc_db to "myuser'_test";
\c regression - - :master_port;
select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
\c test_2pc_db - - :master_port
revoke create on database test_2pc_db from "myuser'_test";
\c regression - - :master_port;
select check_database_privileges('myuser''_test','test_2pc_db',ARRAY['CREATE']);
drop user "myuser'_test";
-----------------------------------------------------------------------
-- test grant/revoke CONNECT privilege propagation on database
\c regression - - :master_port
create user myuser2;
\c test_2pc_db - - :master_port
grant CONNECT on database test_2pc_db to myuser2;
\c regression - - :master_port;
select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
\c test_2pc_db - - :master_port
revoke connect on database test_2pc_db from myuser2;
\c regression - - :master_port
select check_database_privileges('myuser2','test_2pc_db',ARRAY['CONNECT']);
drop user myuser2;
-----------------------------------------------------------------------
-- test grant/revoke TEMP privilege propagation on database
\c regression - - :master_port
create user myuser3;
-- test grant/revoke temp on database
\c test_2pc_db - - :master_port
grant TEMP on database test_2pc_db to myuser3;
\c regression - - :master_port;
select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
\c test_2pc_db - - :worker_1_port
revoke TEMP on database test_2pc_db from myuser3;
\c regression - - :master_port;
select check_database_privileges('myuser3','test_2pc_db',ARRAY['TEMP']);
drop user myuser3;
-----------------------------------------------------------------------
\c regression - - :master_port
-- test temporary privilege on database
create user myuser4;
-- test grant/revoke temporary on database
\c test_2pc_db - - :worker_1_port
grant TEMPORARY on database test_2pc_db to myuser4;
\c regression - - :master_port
select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
\c test_2pc_db - - :master_port
revoke TEMPORARY on database test_2pc_db from myuser4;
\c regression - - :master_port;
select check_database_privileges('myuser4','test_2pc_db',ARRAY['TEMPORARY']);
drop user myuser4;
-----------------------------------------------------------------------
-- test ALL privileges with ALL statement on database
create user myuser5;
grant ALL on database test_2pc_db to myuser5;
\c regression - - :master_port
select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
\c test_2pc_db - - :master_port
revoke ALL on database test_2pc_db from myuser5;
\c regression - - :master_port
select check_database_privileges('myuser5','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
drop user myuser5;
-----------------------------------------------------------------------
-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database
create user myuser6;
\c test_2pc_db - - :master_port
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser6;
\c regression - - :master_port
select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
\c test_2pc_db - - :master_port
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser6;
\c regression - - :master_port
select check_database_privileges('myuser6','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
drop user myuser6;
-----------------------------------------------------------------------
-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database with grant option
create user myuser7;
create user myuser_1;
\c test_2pc_db - - :master_port
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7;
set role myuser7;
--here since myuser7 does not have grant option, it should fail
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1;
\c regression - - :master_port
select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
\c test_2pc_db - - :master_port
RESET ROLE;
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser7 with grant option;
set role myuser7;
--here since myuser have grant option, it should succeed
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db to myuser_1 granted by myuser7;
\c regression - - :master_port
select check_database_privileges('myuser_1','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
\c test_2pc_db - - :master_port
RESET ROLE;
--below test should fail and should throw an error since myuser_1 still have the dependent privileges
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict;
--below test should fail and should throw an error since myuser_1 still have the dependent privileges
revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 restrict ;
--below test should succeed and should not throw any error since myuser_1 privileges are revoked with cascade
revoke grant option for CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7 cascade ;
--here we test if myuser7 still have the privileges after revoke grant option for
\c regression - - :master_port
select check_database_privileges('myuser7','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
\c test_2pc_db - - :master_port
reset role;
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser7;
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db from myuser_1;
\c regression - - :master_port
drop user myuser_1;
drop user myuser7;
-----------------------------------------------------------------------
-- test CREATE,CONNECT,TEMP,TEMPORARY privileges one by one on database multi database
-- and multi user
\c regression - - :master_port
create user myuser8;
create user myuser_2;
set citus.enable_create_database_propagation to on;
create database test_db;
revoke connect,temp,temporary on database test_db from public;
\c test_2pc_db - - :master_port
grant CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db to myuser8,myuser_2;
\c regression - - :master_port
select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
\c test_2pc_db - - :master_port
RESET ROLE;
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 ;
--below test should succeed and should not throw any error
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser_2;
--below test should succeed and should not throw any error
revoke CREATE,CONNECT,TEMP,TEMPORARY on database test_2pc_db,test_db from myuser8 cascade;
\c regression - - :master_port
select check_database_privileges('myuser8','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
select check_database_privileges('myuser8','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
select check_database_privileges('myuser_2','test_2pc_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
select check_database_privileges('myuser_2','test_db',ARRAY['CREATE', 'CONNECT', 'TEMP', 'TEMPORARY']);
\c test_2pc_db - - :master_port
reset role;
\c regression - - :master_port
drop user myuser_2;
drop user myuser8;
set citus.enable_create_database_propagation to on;
drop database test_db;
---------------------------------------------------------------------------
-- rollbacks public role database privileges to original state
grant connect,temp,temporary on database test_2pc_db to public;
drop database test_2pc_db;
set citus.enable_create_database_propagation to off;
DROP SCHEMA grant_on_database_propagation_non_maindb CASCADE;
reset citus.enable_create_database_propagation;
reset search_path;
---------------------------------------------------------------------------

21
src/test/regress/sql/metadata_sync_from_non_maindb.sql
View File

@ -3,6 +3,8 @@ SET search_path TO metadata_sync_2pc_schema;
set citus.enable_create_database_propagation to on;
CREATE DATABASE metadata_sync_2pc_db;
revoke connect,temp,temporary on database metadata_sync_2pc_db from public;
\c metadata_sync_2pc_db
SHOW citus.main_db;
@ -19,7 +21,19 @@ select 1 from citus_remove_node('localhost', :worker_2_port);
grant "grant_role2pc'_user1","grant_role2pc'_user2" to "grant_role2pc'_user3" WITH ADMIN OPTION;
grant "grant_role2pc'_user1","grant_role2pc'_user2" to grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
--test for grant on database
\c metadata_sync_2pc_db - - :master_port
grant create on database metadata_sync_2pc_db to "grant_role2pc'_user1";
grant connect on database metadata_sync_2pc_db to "grant_role2pc'_user2";
grant ALL on database metadata_sync_2pc_db to "grant_role2pc'_user3";
\c regression
select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
\c regression
set citus.enable_create_database_propagation to on;
select 1 from citus_add_node('localhost', :worker_2_port);
select result FROM run_command_on_all_nodes($$
@ -33,12 +47,19 @@ FROM (
) t
$$);
select check_database_privileges('grant_role2pc''_user1','metadata_sync_2pc_db',ARRAY['CREATE']);
select check_database_privileges('grant_role2pc''_user2','metadata_sync_2pc_db',ARRAY['CONNECT']);
select check_database_privileges('grant_role2pc''_user3','metadata_sync_2pc_db',ARRAY['CREATE','CONNECT','TEMP','TEMPORARY']);
\c metadata_sync_2pc_db
revoke "grant_role2pc'_user1","grant_role2pc'_user2" from grant_role2pc_user4,grant_role2pc_user5 granted by "grant_role2pc'_user3";
revoke admin option for "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
revoke "grant_role2pc'_user1","grant_role2pc'_user2" from "grant_role2pc'_user3";
revoke ALL on database metadata_sync_2pc_db from "grant_role2pc'_user3";
revoke CONNECT on database metadata_sync_2pc_db from "grant_role2pc'_user2";
revoke CREATE on database metadata_sync_2pc_db from "grant_role2pc'_user1";
\c regression

3
src/test/regress/sql/multi_test_helpers.sql
View File

@ -661,7 +661,8 @@ DECLARE
BEGIN
FOREACH permission IN ARRAY permissions
LOOP
RETURN QUERY EXECUTE format($inner$SELECT '%s', result FROM run_command_on_all_nodes($$select has_database_privilege('%s','%s', '%s'); $$)$inner$, permission, role_name, db_name, permission);
RETURN QUERY EXECUTE format($inner$SELECT %s, result FROM run_command_on_all_nodes($$select has_database_privilege(%s,%s,%s); $$)$inner$,
quote_literal(permission), quote_literal(role_name), quote_literal(db_name), quote_literal(permission));
END LOOP;
END;
$func$ LANGUAGE plpgsql;