mirror of https://github.com/citusdata/citus.git
Make citus_internal schema public, but revoke permissions of the existing functions from public.
parent
1cb2e1e4e8
commit
ed967a9c6d
|
@ -12,3 +12,16 @@
|
|||
ALTER TABLE pg_catalog.pg_dist_transaction ADD COLUMN outer_xid xid8;
|
||||
|
||||
#include "udfs/citus_internal_acquire_citus_advisory_object_class_lock/12.2-1.sql"
|
||||
|
||||
GRANT USAGE ON SCHEMA citus_internal TO PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.commit_management_command_2pc FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.execute_command_on_remote_nodes_as_user FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.find_groupid_for_node FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.mark_object_distributed FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.pg_dist_node_trigger_func FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.pg_dist_rebalance_strategy_trigger_func FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.pg_dist_shard_placement_trigger_func FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.refresh_isolation_tester_prepared_statement FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.replace_isolation_tester_func FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.restore_isolation_tester_func FROM PUBLIC;
|
||||
REVOKE ALL ON FUNCTION citus_internal.start_management_transaction FROM PUBLIC;
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
--- Create a non-superuser role and check if it can access citus_internal schema functions
|
||||
CREATE USER nonsuperuser CREATEROLE;
|
||||
SET ROLE nonsuperuser;
|
||||
--- The non-superuser role should not be able to access citus_internal functions
|
||||
SELECT citus_internal.commit_management_command_2pc();
|
||||
ERROR: permission denied for function commit_management_command_2pc
|
||||
select citus_internal.replace_isolation_tester_func();
|
||||
ERROR: permission denied for function replace_isolation_tester_func
|
|
@ -68,8 +68,7 @@ CREATE USER nonsuperuser CREATEROLE;
|
|||
GRANT ALL ON SCHEMA citus_internal TO nonsuperuser;
|
||||
SET ROLE nonsuperuser;
|
||||
SELECT citus_internal.execute_command_on_remote_nodes_as_user($$SELECT 'dangerous query'$$, 'postgres');
|
||||
ERROR: operation is not allowed
|
||||
HINT: Run the command with a superuser.
|
||||
ERROR: permission denied for function execute_command_on_remote_nodes_as_user
|
||||
\c other_db1
|
||||
SET ROLE nonsuperuser;
|
||||
CREATE USER other_db_user9;
|
||||
|
|
|
@ -109,6 +109,7 @@ test: undistribute_table
|
|||
test: run_command_on_all_nodes
|
||||
test: background_task_queue_monitor
|
||||
test: other_databases
|
||||
test: citus_internal_access
|
||||
|
||||
# Causal clock test
|
||||
test: clock
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
--- Create a non-superuser role and check if it can access citus_internal schema functions
|
||||
CREATE USER nonsuperuser CREATEROLE;
|
||||
|
||||
SET ROLE nonsuperuser;
|
||||
--- The non-superuser role should not be able to access citus_internal functions
|
||||
SELECT citus_internal.commit_management_command_2pc();
|
||||
select citus_internal.replace_isolation_tester_func();
|
Loading…
Reference in New Issue