mirror of https://github.com/citusdata/citus.git
Issue #7709 asks for security labels on columns to be propagated, to support the `anon` extension. Before, Citus supported security labels on roles (#7735) and this PR adds support for propagating security labels on tables and columns. All scenarios that involve propagating metadata for a Citus table now include the security labels on the table and on the columns of the table. These scenarios are:

- When a table becomes distributed using `create_distributed_table()` or `create_reference_table()`, its security labels (if any) are propagated.
- When a security label is defined on a distributed table, or one of its columns, the label is propagated.
- When a node is added to a Citus cluster, all distributed tables have their security labels propagated.
- When a column of a distributed table is dropped, any security labels on the column are also dropped.
- When a column is added to a distributed table, security labels can be defined on the column and are propagated.
- Security labels on a distributed table or its columns are not propagated when `citus.enable_metadata_sync` is enabled.

Regress test `seclabel` is extended with tests to cover these scenarios. The implementation is somewhat involved because it impacts DDL propagation of Citus tables, but can be broken down as follows:

- distributed_object_ops has `Role_SecLabel`, `Table_SecLabel` and `Column_SecLabel` to take care of security labels on roles, tables and columns. `Any_SecLabel` is used for all other security labels and is essentially a nop.
- Deparser support - `DeparseRoleSecLabelStmt()`, `DeparseTableSecLabelStmt()` and `DeparseColumnSecLabelStmt()` take care of deparsing security label statements on roles, tables and columns respectively.
- When reconstructing the DDL for a citus table, security labels on the table or its columns are included by having `GetPreLoadTableCreationCommands()` call a new function `CreateSecurityLabelCommands()` to take care of any security labels on the table or its columns.
- When changing a distributed table name to a shard name before running a command locally on a worker, function `RelayEventExtendNames()` checks for security labels on a table or its columns.

||
|---|---|---|
| citus_create_restore_point.c | ||
| citus_split_shard_by_split_points.c | ||
| citus_tools.c | ||
| create_shards.c | ||
| delete_protocol.c | ||
| health_check.c | ||
| isolate_shards.c | ||
| modify_multiple_shards.c | ||
| node_protocol.c | ||
| partitioning.c | ||
| replicate_none_dist_table_shard.c | ||
| shard_cleaner.c | ||
| shard_rebalancer.c | ||
| shard_split.c | ||
| shard_transfer.c | ||
| stage_protocol.c | ||
| worker_copy_table_to_node_udf.c | ||
| worker_node_manager.c | ||
| worker_shard_copy.c | ||
| worker_split_copy_udf.c | ||
| worker_split_shard_release_dsm_udf.c | ||
| worker_split_shard_replication_setup_udf.c | ||