diff --git a/src/backend/distributed/commands/parameter.c b/src/backend/distributed/commands/parameter.c index 5ea10c53b..6d11d3b69 100644 --- a/src/backend/distributed/commands/parameter.c +++ b/src/backend/distributed/commands/parameter.c @@ -107,7 +107,7 @@ CheckPermissionsAndGrants(AclItem *aclItem, AclMode modes[], int numModes) for (int i = 0; i < numModes; i++) { AclMode mode = modes[i]; - if (!(grants & mode) || (permissions & mode)) + if ((grants & mode) && !(permissions & mode)) { #if PG_VERSION_NUM >= PG_VERSION_16 ereport(ERROR, (errmsg("ACL item has no grant option for mode %lu", mode))); diff --git a/src/test/regress/expected/grant_on_parameter_propagation.out b/src/test/regress/expected/grant_on_parameter_propagation.out index 8ea428007..9c66a4e3f 100644 --- a/src/test/regress/expected/grant_on_parameter_propagation.out +++ b/src/test/regress/expected/grant_on_parameter_propagation.out @@ -209,27 +209,39 @@ SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\ (16 rows) SELECT 1 FROM citus_add_node('localhost', :worker_2_port); -ERROR: ACL item has no grant option for mode 4096 + ?column? +--------------------------------------------------------------------- + 1 +(1 row) + SELECT check_parameter_privileges(ARRAY['grant_param_user3','grant_param_user5-\!'],ARRAY['max_connections','shared_buffers'], ARRAY['SET','ALTER SYSTEM']); check_parameter_privileges --------------------------------------------------------------------- (t,grant_param_user3,max_connections,SET) (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,SET) + (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,max_connections,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,SET) (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,SET) + (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,grant_param_user3,shared_buffers,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,SET) (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,SET) + (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",max_connections,"ALTER SYSTEM") (t,"grant_param_user5-\\!",shared_buffers,SET) (t,"grant_param_user5-\\!",shared_buffers,SET) + (t,"grant_param_user5-\\!",shared_buffers,SET) (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") -(16 rows) + (t,"grant_param_user5-\\!",shared_buffers,"ALTER SYSTEM") +(24 rows) REVOKE SET,ALTER SYSTEM ON PARAMETER max_connections,shared_buffers FROM grant_param_user3,"grant_param_user5-\!" cascade; --clean all resources