From ed967a9c6d476aaca02079faf99214f985800630 Mon Sep 17 00:00:00 2001
From: eaydingol
Date: Tue, 23 Jan 2024 12:27:48 +0000
Subject: [PATCH] Make citus_internal schema public, but revoke permissions of the existing functions from public.
---
.../distributed/sql/citus--12.1-1--12.2-1.sql | 13 +++++++++++++
src/test/regress/expected/citus_internal_access.out | 8 ++++++++
src/test/regress/expected/other_databases.out | 3 +--
src/test/regress/multi_schedule | 1 +
src/test/regress/sql/citus_internal_access.sql | 7 +++++++
5 files changed, 30 insertions(+), 2 deletions(-)
create mode 100644 src/test/regress/expected/citus_internal_access.out
create mode 100644 src/test/regress/sql/citus_internal_access.sql
diff --git a/src/backend/distributed/sql/citus--12.1-1--12.2-1.sql b/src/backend/distributed/sql/citus--12.1-1--12.2-1.sql
index 72ef46e6f..b4520ecb5 100644
--- a/src/backend/distributed/sql/citus--12.1-1--12.2-1.sql
+++ b/src/backend/distributed/sql/citus--12.1-1--12.2-1.sql
@@ -12,3 +12,16 @@ ALTER TABLE pg_catalog.pg_dist_transaction ADD COLUMN outer_xid xid8; #include "udfs/citus_internal_acquire_citus_advisory_object_class_lock/12.2-1.sql" + +GRANT USAGE ON SCHEMA citus_internal TO PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.commit_management_command_2pc FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.execute_command_on_remote_nodes_as_user FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.find_groupid_for_node FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.mark_object_distributed FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.pg_dist_node_trigger_func FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.pg_dist_rebalance_strategy_trigger_func FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.pg_dist_shard_placement_trigger_func FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.refresh_isolation_tester_prepared_statement FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.replace_isolation_tester_func FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.restore_isolation_tester_func FROM PUBLIC; +REVOKE ALL ON FUNCTION citus_internal.start_management_transaction FROM PUBLIC; diff --git a/src/test/regress/expected/citus_internal_access.out b/src/test/regress/expected/citus_internal_access.out new file mode 100644 index 000000000..d6f50f170 --- /dev/null +++ b/src/test/regress/expected/citus_internal_access.out @@ -0,0 +1,8 @@ +--- Create a non-superuser role and check if it can access citus_internal schema functions +CREATE USER nonsuperuser CREATEROLE; +SET ROLE nonsuperuser; +--- The non-superuser role should not be able to access citus_internal functions +SELECT citus_internal.commit_management_command_2pc(); +ERROR: permission denied for function commit_management_command_2pc +select citus_internal.replace_isolation_tester_func(); +ERROR: permission denied for function replace_isolation_tester_func 
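Review bot: The REVOKE list that follows `GRANT USAGE ON SCHEMA citus_internal TO PUBLIC` is a snapshot of eleven function names, and nothing in the hunk records the rule for functions created in this schema later. PostgreSQL grants EXECUTE to PUBLIC on every new function by default, so once the schema is usable by everyone, a function added to citus_internal without its own REVOKE or caller check is callable by any role. I would add a comment above the GRANT such as `-- citus_internal is now usable by PUBLIC: every function added here must REVOKE EXECUTE from PUBLIC or verify the caller itself`. The diffstat lists no downgrade script, so the schema grant does not appear to be undone on downgrade; worth confirming that this is intended.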
diff --git a/src/test/regress/expected/other_databases.out b/src/test/regress/expected/other_databases.out index 9e170861e..fed83adaf 100644 --- a/src/test/regress/expected/other_databases.out +++ b/src/test/regress/expected/other_databases.out @@ -68,8 +68,7 @@ CREATE USER nonsuperuser CREATEROLE; GRANT ALL ON SCHEMA citus_internal TO nonsuperuser; SET ROLE nonsuperuser; SELECT citus_internal.execute_command_on_remote_nodes_as_user($$SELECT 'dangerous query'$$, 'postgres'); -ERROR: operation is not allowed -HINT: Run the command with a superuser. +ERROR: permission denied for function execute_command_on_remote_nodes_as_user \c other_db1 SET ROLE nonsuperuser; CREATE USER other_db_user9; diff --git a/src/test/regress/multi_schedule b/src/test/regress/multi_schedule index 5c9d8a45c..f599363a9 100644 --- a/src/test/regress/multi_schedule +++ b/src/test/regress/multi_schedule @@ -109,6 +109,7 @@ test: undistribute_table test: run_command_on_all_nodes test: background_task_queue_monitor test: other_databases +test: citus_internal_access # Causal clock test test: clock diff --git a/src/test/regress/sql/citus_internal_access.sql b/src/test/regress/sql/citus_internal_access.sql new file mode 100644 index 000000000..d8d389588 --- /dev/null +++ b/src/test/regress/sql/citus_internal_access.sql @@ -0,0 +1,7 @@ +--- Create a non-superuser role and check if it can access citus_internal schema functions +CREATE USER nonsuperuser CREATEROLE; + +SET ROLE nonsuperuser; +--- The non-superuser role should not be able to access citus_internal functions +SELECT citus_internal.commit_management_command_2pc(); +select citus_internal.replace_isolation_tester_func();
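Review bot: With the expected error now `permission denied for function execute_command_on_remote_nodes_as_user`, this case stops at the ACL and no longer reaches what appears to be the function's own superuser check, the one that used to produce `operation is not allowed`. That inner check is what still protects the function if EXECUTE is ever granted to a role, and the visible tests no longer exercise it. A second case in other_databases.sql (not part of this patch) could run `GRANT EXECUTE ON FUNCTION citus_internal.execute_command_on_remote_nodes_as_user TO nonsuperuser;` before `SET ROLE nonsuperuser;` and expect the old error and hint. The hunk shows only part of the expected file.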
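Review bot: The new citus_internal_access.sql calls only two of the eleven functions revoked in citus--12.1-1--12.2-1.sql, so a function missed by the revoke list, or added to the schema later, would not be caught. A catalog check after `SET ROLE nonsuperuser;` covers the whole schema in one statement: `SELECT proname FROM pg_proc WHERE pronamespace = 'citus_internal'::regnamespace AND has_function_privilege(oid, 'EXECUTE') ORDER BY proname;`, with the expected output listing only the functions meant to be public. The file also ends without `RESET ROLE;` and `DROP USER nonsuperuser;`, and other_databases, which runs just before it in multi_schedule, creates a role of the same name, so leftover state could collide if cleanup or ordering changes.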