external
/
citus
mirror of https://github.com/citusdata/citus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add citus.skip_advisory_lock_permission_checks (#6293)

pull/6208/head
Önder Kalacı 2022-09-05 18:47:41 +03:00 committed by GitHub
parent 1c5b8588fe
commit bd13836648
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 106 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/backend/distributed/shared_library_init.c
View File

@ -2076,6 +2076,20 @@ RegisterCitusConfigVariables(void)
ShowShardsForAppNamePrefixesAssignHook,
NULL);
DefineCustomBoolVariable(
"citus.skip_advisory_lock_permission_checks",
gettext_noop("Postgres would normally enforce some "
"ownership checks while acquiring locks. "
"When this setting is 'off', Citus skips"
"ownership checks on internal advisory "
"locks."),
NULL,
&SkipAdvisoryLockPermissionChecks,
false,
GUC_SUPERUSER_ONLY,
GUC_NO_SHOW_ALL,
NULL, NULL, NULL);
DefineCustomBoolVariable(
"citus.skip_jsonb_validation_in_copy",
gettext_noop("Skip validation of JSONB columns on the coordinator during COPY "

7
src/backend/distributed/utils/resource_lock.c
View File

@ -109,6 +109,8 @@ PG_FUNCTION_INFO_V1(lock_relation_if_exists);
/* Config variable managed via guc.c */
bool EnableAcquiringUnsafeLockFromWorkers = false;
bool SkipAdvisoryLockPermissionChecks = false;
/*
* lock_shard_metadata allows the shard distribution metadata to be locked
@ -248,7 +250,10 @@ lock_shard_resources(PG_FUNCTION_ARGS)
continue;
}
EnsureTablePermissions(relationId, aclMask);
if (!SkipAdvisoryLockPermissionChecks)
{
EnsureTablePermissions(relationId, aclMask);
}
LockShardResource(shardId, lockMode);
}

2
src/include/distributed/resource_lock.h
View File

@ -149,6 +149,7 @@ enum DistLockConfigs
DIST_LOCK_NOWAIT = 2
};
/* Lock shard/relation metadata for safe modifications */
extern void LockShardDistributionMetadata(int64 shardId, LOCKMODE lockMode);
extern void LockPlacementCleanup(void);
@ -194,5 +195,6 @@ extern void AcquireDistributedLockOnRelations(List *relationList, LOCKMODE lockM
extern void PreprocessLockStatement(LockStmt *stmt, ProcessUtilityContext context);
extern bool EnableAcquiringUnsafeLockFromWorkers;
extern bool SkipAdvisoryLockPermissionChecks;
#endif /* RESOURCE_LOCK_H */

41
src/test/regress/expected/adv_lock_permission.out Normal file
View File

@ -0,0 +1,41 @@
CREATE SCHEMA adv_lock_permission;
SET search_path to adv_lock_permission;
-- do not cache any connections, we change some settings and don't want old ones cached
SET citus.max_cached_conns_per_worker TO 0;
CREATE ROLE user_1 WITH LOGIN;
CREATE TABLE reference_table_1 (A int);
SELECT create_reference_table('reference_table_1');
create_reference_table
---------------------------------------------------------------------
(1 row)
CREATE TABLE reference_table_2 (A int);
SELECT create_reference_table('reference_table_2');
create_reference_table
---------------------------------------------------------------------
(1 row)
GRANT USAGE ON SCHEMA adv_lock_permission TO user_1;
GRANT SELECT ON reference_table_1 TO user_1;
GRANT INSERT, UPDATE ON reference_table_2 TO user_1;
SET ROLE user_1;
-- do not cache any connections, we change some settings and don't want old ones cached
SET citus.max_cached_conns_per_worker TO 0;
SET search_path to adv_lock_permission;
INSERT INTO reference_table_2 SELECT * FROM reference_table_1;
ERROR: permission denied for table reference_table_1
CONTEXT: while executing command on localhost:xxxxx
SET ROLE postgres;
-- do not cache any connections, we change some settings and don't want old ones cached
SET citus.max_cached_conns_per_worker TO 0;
-- change the role so that it can skip permission checks
ALTER ROLE user_1 SET citus.skip_advisory_lock_permission_checks TO on;
SET ROLE user_1;
SET citus.max_cached_conns_per_worker TO 0;
INSERT INTO reference_table_2 SELECT * FROM reference_table_1;
SET ROLE postgres;
SET client_min_messages TO ERROR;
DROP SCHEMA adv_lock_permission CASCADE;
DROP ROLE user_1;

2
src/test/regress/multi_schedule
View File

@ -86,7 +86,7 @@ test: multi_agg_type_conversion multi_count_type_conversion recursive_relation_p
test: multi_partition_pruning single_hash_repartition_join unsupported_lateral_subqueries
test: multi_join_pruning multi_hash_pruning intermediate_result_pruning
test: multi_null_minmax_value_pruning cursors
test: modification_correctness
test: modification_correctness adv_lock_permission
test: multi_query_directory_cleanup
test: multi_task_assignment_policy multi_cross_shard
test: multi_utility_statements

42
src/test/regress/sql/adv_lock_permission.sql Normal file
View File

@ -0,0 +1,42 @@
CREATE SCHEMA adv_lock_permission;
SET search_path to adv_lock_permission;
-- do not cache any connections, we change some settings and don't want old ones cached
SET citus.max_cached_conns_per_worker TO 0;
CREATE ROLE user_1 WITH LOGIN;
CREATE TABLE reference_table_1 (A int);
SELECT create_reference_table('reference_table_1');
CREATE TABLE reference_table_2 (A int);
SELECT create_reference_table('reference_table_2');
GRANT USAGE ON SCHEMA adv_lock_permission TO user_1;
GRANT SELECT ON reference_table_1 TO user_1;
GRANT INSERT, UPDATE ON reference_table_2 TO user_1;
SET ROLE user_1;
-- do not cache any connections, we change some settings and don't want old ones cached
SET citus.max_cached_conns_per_worker TO 0;
SET search_path to adv_lock_permission;
INSERT INTO reference_table_2 SELECT * FROM reference_table_1;
SET ROLE postgres;
-- do not cache any connections, we change some settings and don't want old ones cached
SET citus.max_cached_conns_per_worker TO 0;
-- change the role so that it can skip permission checks
ALTER ROLE user_1 SET citus.skip_advisory_lock_permission_checks TO on;
SET ROLE user_1;
SET citus.max_cached_conns_per_worker TO 0;
INSERT INTO reference_table_2 SELECT * FROM reference_table_1;
SET ROLE postgres;
SET client_min_messages TO ERROR;
DROP SCHEMA adv_lock_permission CASCADE;
DROP ROLE user_1;