From b81655d61e61e0ea96b3e283722c089e362a57b4 Mon Sep 17 00:00:00 2001 From: Onur Tirtir Date: Fri, 25 Apr 2025 14:51:11 +0300 Subject: [PATCH] fix --- src/backend/distributed/commands/grant.c | 17 - .../expected/grant_on_table_propagation.out | 900 ++++-------------- .../expected/grant_on_table_propagation_0.out | 900 ++++-------------- .../sql/grant_on_table_propagation.sql | 10 +- 4 files changed, 379 insertions(+), 1448 deletions(-) diff --git a/src/backend/distributed/commands/grant.c b/src/backend/distributed/commands/grant.c index ccde27bfb..c60afa197 100644 --- a/src/backend/distributed/commands/grant.c +++ b/src/backend/distributed/commands/grant.c @@ -182,7 +182,6 @@ PreprocessGrantStmt(Node *node, const char *queryString, appendStringInfo(&ddlString, "REVOKE %s%s ON %s FROM %s", grantOption, privsString.data, targetString.data, granteesString.data); -<<<<<<< HEAD if (grantStmt->behavior == DROP_CASCADE) { @@ -193,23 +192,7 @@ PreprocessGrantStmt(Node *node, const char *queryString, appendStringInfoString(&ddlString, " RESTRICT"); } } -======= ->>>>>>> b233b0a2a6d590e6b2565eb8278aeec4e6021773 - appendStringInfo(&ddlString, "REVOKE %s%s ON %s FROM %s", - grantOption, privsString.data, targetString.data, - granteesString.data); - - if (grantStmt->behavior == DROP_CASCADE) - { - appendStringInfoString(&ddlString, " CASCADE"); - } - else - { - appendStringInfoString(&ddlString, " RESTRICT"); - } - } - DDLJob *ddlJob = palloc0(sizeof(DDLJob)); ObjectAddressSet(ddlJob->targetObjectAddress, RelationRelationId, relationId); ddlJob->metadataSyncCommand = pstrdup(ddlString.data); diff --git a/src/test/regress/expected/grant_on_table_propagation.out b/src/test/regress/expected/grant_on_table_propagation.out index 3e8b95d4f..b279db437 100644 --- a/src/test/regress/expected/grant_on_table_propagation.out +++ b/src/test/regress/expected/grant_on_table_propagation.out @@ -73,8 +73,6 @@ GRANT USAGE ON SCHEMA grant_on_table TO nogrant_user; -- "postgres" special case GRANT SELECT ON ref_table TO grant_user_0; REVOKE SELECT ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- -- check we are able to propagate a single attribute privilege -- we use only SELECT @@ -82,10 +80,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT test_r FROM ref_table; - test_r ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT SELECT (test_r) ON ref_table TO grant_user_0; SET ROLE grant_user_0; @@ -97,10 +92,7 @@ SELECT test_r FROM ref_table; -- not granted: SELECT test_a FROM ref_table; - test_a ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table SET ROLE grant_user_1; -- not granted: SELECT test_r FROM ref_table; @@ -108,7 +100,7 @@ ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -116,9 +108,9 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; @@ -131,11 +123,9 @@ RESET ROLE; -- cleanup REVOKE SELECT (test_r) ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -143,18 +133,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) -(3 rows) +(0 rows) -- -- check we are able to propagate a privilege to multiple attributes, users and tables at once @@ -184,7 +171,7 @@ UPDATE dist_table SET test_w = 3, test_mix = 3; RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -192,9 +179,9 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; @@ -221,21 +208,16 @@ RESET ROLE; 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(24 rows) -- cleanup REVOKE INSERT (id, test_a), UPDATE (test_w, test_mix) ON ref_table, dist_table FROM grant_user_0, grant_user_1; -ERROR: syntax error at or near "insert" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -243,42 +225,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(0 rows) -- -- check we are able to propagate a table privilege associated with an attribute level privilege @@ -287,11 +242,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT test_r, test_mix FROM ref_table; - test_r | test_mix ---------------------------------------------------------------------- - | 2 -(1 row) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT SELECT (test_r, test_mix), DELETE ON ref_table TO grant_user_0, grant_user_1; SET ROLE grant_user_0; @@ -306,10 +257,7 @@ SELECT test_r, test_mix FROM ref_table; DELETE FROM ref_table; -- not granted: SELECT test_a FROM ref_table; - test_a ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table -- not granted: UPDATE ref_table SET null_privs = 3; ERROR: permission denied for table ref_table @@ -324,50 +272,27 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=d/postgres,grant_user_1=d/postgres}") + 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=d/postgres,grant_user_1=d/postgres}") + 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=d/postgres,grant_user_1=d/postgres}") (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") + 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") + 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") + 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(6 rows) -- cleanup REVOKE SELECT (test_r, test_mix), DELETE ON ref_table FROM grant_user_0, grant_user_1; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -375,42 +300,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(0 rows) -- -- check we also propagate system columns @@ -419,10 +317,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT ctid, xmin FROM ref_table; - ctid | xmin ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT SELECT (ctid, xmin) ON ref_table TO grant_user_0; SET ROLE grant_user_0; @@ -434,14 +329,11 @@ SELECT ctid, xmin FROM ref_table; -- not granted: SELECT ctid, test_a FROM ref_table; - ctid | test_a ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -449,56 +341,27 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) +(6 rows) -- cleanup REVOKE SELECT (ctid, xmin) ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -506,48 +369,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) +(0 rows) -- -- check we correctly propagate ALL, which has a few special cases @@ -556,6 +386,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: INSERT INTO ref_table (id) VALUES (13); +ERROR: permission denied for table ref_table SET ROLE grant_user_1; -- not granted yet: INSERT INTO ref_table (id, test_mix) VALUES (9, 3); @@ -573,9 +404,6 @@ ERROR: syntax error at or near "," SET ROLE grant_user_0; -- granted: INSERT INTO ref_table (id) VALUES (13); -ERROR: duplicate key value violates unique constraint "ref_table_pkey_102012" -DETAIL: Key (id)=(X) already exists. -CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_1; -- granted: INSERT INTO ref_table (id, test_mix) VALUES (9, 3); @@ -595,10 +423,11 @@ SELECT null_privs FROM ref_table; ERROR: permission denied for table ref_table -- not granted: DELETE FROM ref_table; +ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -606,60 +435,29 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) + 57636 | (grant_on_table.ref_table,test_mix,{grant_user_1=arwx/postgres}) + 57637 | (grant_on_table.ref_table,test_mix,{grant_user_1=arwx/postgres}) + 57638 | (grant_on_table.ref_table,test_mix,{grant_user_1=arwx/postgres}) +(6 rows) -- cleanup REVOKE ALL (id) ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "ALL" -CONTEXT: while executing command on localhost:xxxxx REVOKE ALL (id, test_mix) ON ref_table FROM grant_user_1; -ERROR: syntax error at or near "ALL" -CONTEXT: while executing command on localhost:xxxxx TRUNCATE ref_table; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -667,48 +465,15 @@ TRUNCATE ref_table; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) +(0 rows) -- -- check we correctly propagate when mixed with local table, but only on the @@ -720,7 +485,7 @@ SET ROLE grant_user_0; SELECT id FROM ref_table UNION ALL SELECT id FROM dist_table UNION ALL SELECT id FROM local_table; -ERROR: permission denied for table dist_table +ERROR: permission denied for table ref_table RESET ROLE; -- NOTE: -- test special case: ALL TABLES IN SCHEMA is not supposed to be correct @@ -753,7 +518,7 @@ RESET ROLE; -- check on coordinator and workers -- we pay special attention to local_table privileges here: :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -761,68 +526,40 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") + 57636 | (grant_on_table.dist_table,id,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.dist_table,id,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.dist_table,id,{grant_user_0=r/postgres}) + 57636 | (grant_on_table.dist_table,test_mix,{grant_user_1=r/postgres}) + 57637 | (grant_on_table.dist_table,test_mix,{grant_user_1=r/postgres}) + 57638 | (grant_on_table.dist_table,test_mix,{grant_user_1=r/postgres}) 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) 57636 | (grant_on_table.local_table,test_mix,"{grant_user_0=a/postgres,grant_user_1=r/postgres}") 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,id,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.ref_table,id,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.ref_table,id,{grant_user_0=r/postgres}) +(15 rows) -- cleanup REVOKE SELECT (id) ON ALL TABLES IN SCHEMA grant_on_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check non propagation for local table (we'll just check ACL later, no INSERT testing) REVOKE INSERT (test_mix) ON local_table FROM grant_user_0; -- check we can propagate also when mixed with distributed table: REVOKE SELECT (test_r, test_mix) ON local_table, dist_table FROM grant_user_1; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -830,54 +567,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- -- check TRUNCATE is not propagated (inccorect grammar) @@ -887,27 +585,21 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT test_r FROM ref_table; - test_r ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT TRUNCATE (null_privs), SELECT (null_privs) ON ref_table TO nogrant_user; ERROR: invalid privilege type TRUNCATE for column SET ROLE grant_user_0; -- still not granted: SELECT test_r FROM ref_table; - test_r ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table -- still not granted: TRUNCATE ref_table; ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -915,54 +607,15 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- no cleanup required -- @@ -978,7 +631,7 @@ HINT: Connect to the coordinator and run it again. SET search_path TO grant_on_table; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -986,54 +639,15 @@ SET search_path TO grant_on_table; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- no cleanup required -- @@ -1043,17 +657,11 @@ SET search_path TO grant_on_table; SET ROLE grant_user_0; -- not granted yet: SELECT test_r, test_mix FROM ref_table; - test_r | test_mix ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table SET ROLE grant_user_1; -- not granted yet: SELECT test_r, test_mix FROM ref_table; - test_r | test_mix ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; -- grant with grant option GRANT SELECT (test_r, test_mix) ON ref_table TO grant_user_0 WITH GRANT OPTION; @@ -1070,7 +678,7 @@ SELECT test_r, test_mix FROM ref_table; RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1078,65 +686,30 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") +(6 rows) -- cleanup and further checks: SET ROLE grant_user_0; -- revoke as grant_user_0: REVOKE SELECT (test_r, test_mix) ON ref_table FROM grant_user_1; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1144,62 +717,27 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,test_mix,{grant_user_0=r*/postgres}) + 57637 | (grant_on_table.ref_table,test_mix,{grant_user_0=r*/postgres}) + 57638 | (grant_on_table.ref_table,test_mix,{grant_user_0=r*/postgres}) + 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r*/postgres}) + 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r*/postgres}) + 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r*/postgres}) +(6 rows) -- revoke only grant options from grant_user_0: REVOKE GRANT OPTION FOR SELECT (test_r, test_mix) ON ref_table FROM grant_user_0; -ERROR: dependent privileges exist -HINT: Use CASCADE to revoke them too. -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1207,62 +745,27 @@ HINT: Use CASCADE to revoke them too. 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,test_mix,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.ref_table,test_mix,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.ref_table,test_mix,{grant_user_0=r/postgres}) + 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) +(6 rows) -- revoke select from grant_user_0: REVOKE SELECT (test_r, test_mix) ON ref_table FROM grant_user_0; -ERROR: dependent privileges exist -HINT: Use CASCADE to revoke them too. -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1270,54 +773,15 @@ HINT: Use CASCADE to revoke them too. 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxtm/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxtm/postgres}) + 57637 | (ref_table,{postgres=arwdDxtm/postgres}) + 57638 | (ref_table,{postgres=arwdDxtm/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- prevent useless messages on DROP objects. SET client_min_messages TO ERROR; @@ -1373,8 +837,6 @@ RESET ROLE; -- cleanup REVOKE SELECT (id) ON grant_table_propagated FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx :verify_grant_table ; nodeport | unnest --------------------------------------------------------------------- @@ -1384,12 +846,9 @@ CONTEXT: while executing command on localhost:xxxxx (3 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.grant_table_propagated,id,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.grant_table_propagated,id,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.grant_table_propagated,id,{grant_user_0=r/postgres}) -(3 rows) +(0 rows) -- prevent useless messages on DROP objects. SET client_min_messages TO ERROR; @@ -1443,28 +902,48 @@ SELECT id FROM grant_table_propagated_after; 57638 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) (3 rows) --- cleanup and test revoke +-- cleanup and test revoke .. cascade/restrict SET citus.log_remote_commands TO on; set citus.grep_remote_commands = '%REVOKE%'; REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0 CASCADE; -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102017, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102018, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102019, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102020, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -RESET citus.grep_remote_commands; -RESET citus.log_remote_commands; --- cleanup and test revoke -SET citus.log_remote_commands TO on; -set citus.grep_remote_commands = '%REVOKE%'; REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0 RESTRICT; -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102017, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102018, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102019, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102020, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0; -- implicit RESTRICT +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102017, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102018, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102019, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102020, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx RESET citus.grep_remote_commands; RESET citus.log_remote_commands; :verify_grant_table ; @@ -1476,12 +955,9 @@ RESET citus.log_remote_commands; (3 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) -(3 rows) +(0 rows) -- prevent useless messages on DROP objects. SET client_min_messages TO ERROR; diff --git a/src/test/regress/expected/grant_on_table_propagation_0.out b/src/test/regress/expected/grant_on_table_propagation_0.out index 1bc997cca..5cdd94075 100644 --- a/src/test/regress/expected/grant_on_table_propagation_0.out +++ b/src/test/regress/expected/grant_on_table_propagation_0.out @@ -73,8 +73,6 @@ GRANT USAGE ON SCHEMA grant_on_table TO nogrant_user; -- "postgres" special case GRANT SELECT ON ref_table TO grant_user_0; REVOKE SELECT ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- -- check we are able to propagate a single attribute privilege -- we use only SELECT @@ -82,10 +80,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT test_r FROM ref_table; - test_r ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT SELECT (test_r) ON ref_table TO grant_user_0; SET ROLE grant_user_0; @@ -97,10 +92,7 @@ SELECT test_r FROM ref_table; -- not granted: SELECT test_a FROM ref_table; - test_a ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table SET ROLE grant_user_1; -- not granted: SELECT test_r FROM ref_table; @@ -108,7 +100,7 @@ ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -116,9 +108,9 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; @@ -131,11 +123,9 @@ RESET ROLE; -- cleanup REVOKE SELECT (test_r) ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -143,18 +133,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) -(3 rows) +(0 rows) -- -- check we are able to propagate a privilege to multiple attributes, users and tables at once @@ -184,7 +171,7 @@ UPDATE dist_table SET test_w = 3, test_mix = 3; RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -192,9 +179,9 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; @@ -221,21 +208,16 @@ RESET ROLE; 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(24 rows) -- cleanup REVOKE INSERT (id, test_a), UPDATE (test_w, test_mix) ON ref_table, dist_table FROM grant_user_0, grant_user_1; -ERROR: syntax error at or near "insert" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -243,42 +225,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=r/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(0 rows) -- -- check we are able to propagate a table privilege associated with an attribute level privilege @@ -287,11 +242,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT test_r, test_mix FROM ref_table; - test_r | test_mix ---------------------------------------------------------------------- - | 2 -(1 row) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT SELECT (test_r, test_mix), DELETE ON ref_table TO grant_user_0, grant_user_1; SET ROLE grant_user_0; @@ -306,10 +257,7 @@ SELECT test_r, test_mix FROM ref_table; DELETE FROM ref_table; -- not granted: SELECT test_a FROM ref_table; - test_a ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table -- not granted: UPDATE ref_table SET null_privs = 3; ERROR: permission denied for table ref_table @@ -324,50 +272,27 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=d/postgres,grant_user_1=d/postgres}") + 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=d/postgres,grant_user_1=d/postgres}") + 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=d/postgres,grant_user_1=d/postgres}") (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") + 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") + 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") + 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(6 rows) -- cleanup REVOKE SELECT (test_r, test_mix), DELETE ON ref_table FROM grant_user_0, grant_user_1; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -375,42 +300,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") -(27 rows) +(0 rows) -- -- check we also propagate system columns @@ -419,10 +317,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT ctid, xmin FROM ref_table; - ctid | xmin ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT SELECT (ctid, xmin) ON ref_table TO grant_user_0; SET ROLE grant_user_0; @@ -434,14 +329,11 @@ SELECT ctid, xmin FROM ref_table; -- not granted: SELECT ctid, test_a FROM ref_table; - ctid | test_a ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -449,56 +341,27 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) +(6 rows) -- cleanup REVOKE SELECT (ctid, xmin) ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -506,48 +369,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) +(0 rows) -- -- check we correctly propagate ALL, which has a few special cases @@ -556,6 +386,7 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: INSERT INTO ref_table (id) VALUES (13); +ERROR: permission denied for table ref_table SET ROLE grant_user_1; -- not granted yet: INSERT INTO ref_table (id, test_mix) VALUES (9, 3); @@ -573,9 +404,6 @@ ERROR: syntax error at or near "," SET ROLE grant_user_0; -- granted: INSERT INTO ref_table (id) VALUES (13); -ERROR: duplicate key value violates unique constraint "ref_table_pkey_102012" -DETAIL: Key (id)=(X) already exists. -CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_1; -- granted: INSERT INTO ref_table (id, test_mix) VALUES (9, 3); @@ -595,10 +423,11 @@ SELECT null_privs FROM ref_table; ERROR: permission denied for table ref_table -- not granted: DELETE FROM ref_table; +ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -606,60 +435,29 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) + 57636 | (grant_on_table.ref_table,test_mix,{grant_user_1=arwx/postgres}) + 57637 | (grant_on_table.ref_table,test_mix,{grant_user_1=arwx/postgres}) + 57638 | (grant_on_table.ref_table,test_mix,{grant_user_1=arwx/postgres}) +(6 rows) -- cleanup REVOKE ALL (id) ON ref_table FROM grant_user_0; -ERROR: syntax error at or near "ALL" -CONTEXT: while executing command on localhost:xxxxx REVOKE ALL (id, test_mix) ON ref_table FROM grant_user_1; -ERROR: syntax error at or near "ALL" -CONTEXT: while executing command on localhost:xxxxx TRUNCATE ref_table; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -667,48 +465,15 @@ TRUNCATE ref_table; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(33 rows) +(0 rows) -- -- check we correctly propagate when mixed with local table, but only on the @@ -720,7 +485,7 @@ SET ROLE grant_user_0; SELECT id FROM ref_table UNION ALL SELECT id FROM dist_table UNION ALL SELECT id FROM local_table; -ERROR: permission denied for table dist_table +ERROR: permission denied for table ref_table RESET ROLE; -- NOTE: -- test special case: ALL TABLES IN SCHEMA is not supposed to be correct @@ -753,7 +518,7 @@ RESET ROLE; -- check on coordinator and workers -- we pay special attention to local_table privileges here: :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -761,68 +526,40 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") + 57636 | (grant_on_table.dist_table,id,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.dist_table,id,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.dist_table,id,{grant_user_0=r/postgres}) + 57636 | (grant_on_table.dist_table,test_mix,{grant_user_1=r/postgres}) + 57637 | (grant_on_table.dist_table,test_mix,{grant_user_1=r/postgres}) + 57638 | (grant_on_table.dist_table,test_mix,{grant_user_1=r/postgres}) 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) 57636 | (grant_on_table.local_table,test_mix,"{grant_user_0=a/postgres,grant_user_1=r/postgres}") 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,id,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.ref_table,id,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.ref_table,id,{grant_user_0=r/postgres}) +(15 rows) -- cleanup REVOKE SELECT (id) ON ALL TABLES IN SCHEMA grant_on_table FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check non propagation for local table (we'll just check ACL later, no INSERT testing) REVOKE INSERT (test_mix) ON local_table FROM grant_user_0; -- check we can propagate also when mixed with distributed table: REVOKE SELECT (test_r, test_mix) ON local_table, dist_table FROM grant_user_1; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -830,54 +567,15 @@ CONTEXT: while executing command on localhost:xxxxx 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- -- check TRUNCATE is not propagated (inccorect grammar) @@ -887,27 +585,21 @@ CONTEXT: while executing command on localhost:xxxxx SET ROLE grant_user_0; -- not granted yet: SELECT test_r FROM ref_table; - test_r ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; GRANT TRUNCATE (null_privs), SELECT (null_privs) ON ref_table TO nogrant_user; ERROR: invalid privilege type TRUNCATE for column SET ROLE grant_user_0; -- still not granted: SELECT test_r FROM ref_table; - test_r ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table -- still not granted: TRUNCATE ref_table; ERROR: permission denied for table ref_table RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -915,54 +607,15 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- no cleanup required -- @@ -978,7 +631,7 @@ HINT: Connect to the coordinator and run it again. SET search_path TO grant_on_table; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -986,54 +639,15 @@ SET search_path TO grant_on_table; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=rw/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r/postgres,grant_user_1=r/postgres}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- no cleanup required -- @@ -1043,17 +657,11 @@ SET search_path TO grant_on_table; SET ROLE grant_user_0; -- not granted yet: SELECT test_r, test_mix FROM ref_table; - test_r | test_mix ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table SET ROLE grant_user_1; -- not granted yet: SELECT test_r, test_mix FROM ref_table; - test_r | test_mix ---------------------------------------------------------------------- -(0 rows) - +ERROR: permission denied for table ref_table RESET ROLE; -- grant with grant option GRANT SELECT (test_r, test_mix) ON ref_table TO grant_user_0 WITH GRANT OPTION; @@ -1070,7 +678,7 @@ SELECT test_r, test_mix FROM ref_table; RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1078,65 +686,30 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") + 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/grant_user_0}") +(6 rows) -- cleanup and further checks: SET ROLE grant_user_0; -- revoke as grant_user_0: REVOKE SELECT (test_r, test_mix) ON ref_table FROM grant_user_1; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx RESET ROLE; -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1144,62 +717,27 @@ RESET ROLE; 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,test_mix,{grant_user_0=r*/postgres}) + 57637 | (grant_on_table.ref_table,test_mix,{grant_user_0=r*/postgres}) + 57638 | (grant_on_table.ref_table,test_mix,{grant_user_0=r*/postgres}) + 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r*/postgres}) + 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r*/postgres}) + 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r*/postgres}) +(6 rows) -- revoke only grant options from grant_user_0: REVOKE GRANT OPTION FOR SELECT (test_r, test_mix) ON ref_table FROM grant_user_0; -ERROR: dependent privileges exist -HINT: Use CASCADE to revoke them too. -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1207,62 +745,27 @@ HINT: Use CASCADE to revoke them too. 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) + 57636 | (grant_on_table.ref_table,test_mix,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.ref_table,test_mix,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.ref_table,test_mix,{grant_user_0=r/postgres}) + 57636 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) + 57637 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) + 57638 | (grant_on_table.ref_table,test_r,{grant_user_0=r/postgres}) +(6 rows) -- revoke select from grant_user_0: REVOKE SELECT (test_r, test_mix) ON ref_table FROM grant_user_0; -ERROR: dependent privileges exist -HINT: Use CASCADE to revoke them too. -- check on coordinator and workers :verify_grant_table ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- 57636 | (dist_table,) 57637 | (dist_table,) @@ -1270,54 +773,15 @@ HINT: Use CASCADE to revoke them too. 57636 | (local_table,) 57637 | (local_table,) 57638 | (local_table,) - 57636 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57637 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") - 57638 | (ref_table,"{postgres=arwdDxt/postgres,grant_user_0=rd/postgres,grant_user_1=d/postgres}") + 57636 | (ref_table,{postgres=arwdDxt/postgres}) + 57637 | (ref_table,{postgres=arwdDxt/postgres}) + 57638 | (ref_table,{postgres=arwdDxt/postgres}) (9 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,id,"{grant_user_0=ar/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.dist_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57637 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57638 | (grant_on_table.dist_table,test_mix,"{grant_user_0=w/postgres,grant_user_1=rw/postgres}") - 57636 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57637 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57638 | (grant_on_table.dist_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.dist_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.local_table,id,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.local_table,test_mix,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.local_table,test_r,{grant_user_1=r/postgres}) - 57636 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,ctid,{grant_user_0=r/postgres}) - 57636 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57637 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57638 | (grant_on_table.ref_table,id,"{grant_user_0=arwx/postgres,grant_user_1=arwx/postgres}") - 57636 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57637 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57638 | (grant_on_table.ref_table,test_a,"{grant_user_0=a/postgres,grant_user_1=a/postgres}") - 57636 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_mix,"{grant_user_0=r*w/postgres,grant_user_1=arwx/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57637 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57638 | (grant_on_table.ref_table,test_r,"{grant_user_0=r*/postgres,grant_user_1=r/postgres,grant_user_1=r/grant_user_0}") - 57636 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57637 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57638 | (grant_on_table.ref_table,test_w,"{grant_user_0=w/postgres,grant_user_1=w/postgres}") - 57636 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.ref_table,xmin,{grant_user_0=r/postgres}) -(39 rows) +(0 rows) -- prevent useless messages on DROP objects. SET client_min_messages TO ERROR; @@ -1373,8 +837,6 @@ RESET ROLE; -- cleanup REVOKE SELECT (id) ON grant_table_propagated FROM grant_user_0; -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx :verify_grant_table ; nodeport | unnest --------------------------------------------------------------------- @@ -1384,12 +846,9 @@ CONTEXT: while executing command on localhost:xxxxx (3 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.grant_table_propagated,id,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.grant_table_propagated,id,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.grant_table_propagated,id,{grant_user_0=r/postgres}) -(3 rows) +(0 rows) -- prevent useless messages on DROP objects. SET client_min_messages TO ERROR; @@ -1443,28 +902,48 @@ SELECT id FROM grant_table_propagated_after; 57638 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) (3 rows) --- cleanup and test revoke +-- cleanup and test revoke .. cascade/restrict SET citus.log_remote_commands TO on; set citus.grep_remote_commands = '%REVOKE%'; REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0 CASCADE; -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102017, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102018, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102019, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102020, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 CASCADE') DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx -RESET citus.grep_remote_commands; -RESET citus.log_remote_commands; --- cleanup and test revoke -SET citus.log_remote_commands TO on; -set citus.grep_remote_commands = '%REVOKE%'; REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0 RESTRICT; -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102017, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102018, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102019, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102020, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0; -- implicit RESTRICT +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102017, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102018, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102019, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') +DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx +NOTICE: issuing SELECT worker_apply_shard_ddl_command (102020, 'grant_on_table', 'REVOKE select (id ) ON grant_table_propagated_after FROM grant_user_0 RESTRICT') DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx -ERROR: syntax error at or near "select" -CONTEXT: while executing command on localhost:xxxxx RESET citus.grep_remote_commands; RESET citus.log_remote_commands; :verify_grant_table ; @@ -1476,12 +955,9 @@ RESET citus.log_remote_commands; (3 rows) :verify_grant_attributes ; - nodeport | unnest + nodeport | unnest --------------------------------------------------------------------- - 57636 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) - 57637 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) - 57638 | (grant_on_table.grant_table_propagated_after,id,{grant_user_0=r/postgres}) -(3 rows) +(0 rows) -- prevent useless messages on DROP objects. SET client_min_messages TO ERROR; diff --git a/src/test/regress/sql/grant_on_table_propagation.sql b/src/test/regress/sql/grant_on_table_propagation.sql index 77f182a0b..c361513d3 100644 --- a/src/test/regress/sql/grant_on_table_propagation.sql +++ b/src/test/regress/sql/grant_on_table_propagation.sql @@ -424,17 +424,13 @@ SELECT id FROM grant_table_propagated_after; :verify_grant_table ; :verify_grant_attributes ; --- cleanup and test revoke +-- cleanup and test revoke .. cascade/restrict SET citus.log_remote_commands TO on; set citus.grep_remote_commands = '%REVOKE%'; REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0 CASCADE; -RESET citus.grep_remote_commands; -RESET citus.log_remote_commands; - --- cleanup and test revoke -SET citus.log_remote_commands TO on; -set citus.grep_remote_commands = '%REVOKE%'; REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0 RESTRICT; +REVOKE SELECT (id) ON grant_table_propagated_after FROM grant_user_0; -- implicit RESTRICT + RESET citus.grep_remote_commands; RESET citus.log_remote_commands;