citus/src/test/regress/sql/grant_role_2pc.sql

CREATE SCHEMA grant_role2pc;

SET search_path TO grant_role2pc;

set citus.enable_create_database_propagation to on;


CREATE DATABASE grant_role2pc_db;

revoke connect,temp,temporary,create  on database grant_role2pc_db from public;

\c grant_role2pc_db
SHOW citus.main_db;

-- check that empty citus.superuser gives error
SET citus.superuser TO '';
SET citus.superuser TO 'postgres';

CREATE USER grant_role2pc_user1;
CREATE USER grant_role2pc_user2;
CREATE USER grant_role2pc_user3;
CREATE USER grant_role2pc_user4;
CREATE USER grant_role2pc_user5;
CREATE USER grant_role2pc_user6;
CREATE USER grant_role2pc_user7;

\c grant_role2pc_db

--test with empty superuser
SET citus.superuser TO '';
grant grant_role2pc_user1 to grant_role2pc_user2;

SET citus.superuser TO 'postgres';
grant grant_role2pc_user1 to grant_role2pc_user2 with admin option granted by CURRENT_USER;

\c regression

select result FROM run_command_on_all_nodes(
    $$
    SELECT array_to_json(array_agg(row_to_json(t)))
    FROM (
    SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
    FROM pg_auth_members m
    JOIN pg_roles r ON r.oid = m.roleid
    JOIN pg_roles g ON g.oid = m.member
    JOIN pg_roles a ON a.oid = m.grantor
    WHERE g.rolname = 'grant_role2pc_user2'
    ) t
    $$
);

\c grant_role2pc_db
--test grant under transactional context with multiple operations
BEGIN;
grant grant_role2pc_user1 to grant_role2pc_user3;
grant grant_role2pc_user1 to grant_role2pc_user4;
COMMIT;

BEGIN;
grant grant_role2pc_user1 to grant_role2pc_user5;
grant grant_role2pc_user1 to grant_role2pc_user6;
ROLLBACK;



BEGIN;
grant grant_role2pc_user1 to grant_role2pc_user7;
SELECT 1/0;
commit;


\c regression

select result FROM run_command_on_all_nodes($$
SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
  SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
  FROM pg_auth_members m
  JOIN pg_roles r ON r.oid = m.roleid
  JOIN pg_roles g ON g.oid = m.member
  JOIN pg_roles a ON a.oid = m.grantor
  WHERE g.rolname in ('grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);


\c grant_role2pc_db

grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7;

\c regression

select result FROM run_command_on_all_nodes($$
SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
  SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
  FROM pg_auth_members m
  JOIN pg_roles r ON r.oid = m.roleid
  JOIN pg_roles g ON g.oid = m.member
  JOIN pg_roles a ON a.oid = m.grantor
  WHERE g.rolname in ('grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);

\c grant_role2pc_db
revoke admin option for grant_role2pc_user1 from grant_role2pc_user2 granted by CURRENT_USER;

--test revoke under transactional context with multiple operations
BEGIN;
revoke grant_role2pc_user1 from grant_role2pc_user3;
revoke grant_role2pc_user1 from grant_role2pc_user4;
COMMIT;

BEGIN;
revoke grant_role2pc_user1 from grant_role2pc_user5,grant_role2pc_user6;
revoke grant_role2pc_user1 from grant_role2pc_user7;
COMMIT;

\c regression

select result FROM run_command_on_all_nodes($$
SELECT array_to_json(array_agg(row_to_json(t)))
FROM (
  SELECT r.rolname AS role, g.rolname AS group, a.rolname AS grantor, m.admin_option
  FROM pg_auth_members m
  JOIN pg_roles r ON r.oid = m.roleid
  JOIN pg_roles g ON g.oid = m.member
  JOIN pg_roles a ON a.oid = m.grantor
  WHERE g.rolname in ('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7')
) t
$$);

DROP SCHEMA grant_role2pc;



set citus.enable_create_database_propagation to on;
DROP DATABASE grant_role2pc_db;

drop user grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7;


drop user grant_role2pc_user1;

grant connect,temp,temporary  on database regression to public;

reset citus.enable_create_database_propagation;