-
Notifications
You must be signed in to change notification settings - Fork 649
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adds Grant Role support from non-main db (#7404)
DESCRIPTION: Adds support for distributed role-membership management commands from the databases where Citus is not installed (`GRANT <role> TO <role>`) This PR also refactors the code-path that allows executing some of the node-wide commands so that we use send deparsed query string to other nodes instead of the `queryString` passed into utility hook. --------- Co-authored-by: Onur Tirtir <onurcantirtir@gmail.com>
- Loading branch information
1 parent
9a0cdbf
commit 2cbfdbf
Showing
9 changed files
with
591 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
160 changes: 160 additions & 0 deletions
160
src/test/regress/expected/grant_role_from_non_maindb.out
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,160 @@ | ||
CREATE SCHEMA grant_role2pc; | ||
SET search_path TO grant_role2pc; | ||
set citus.enable_create_database_propagation to on; | ||
CREATE DATABASE grant_role2pc_db; | ||
\c grant_role2pc_db | ||
SHOW citus.main_db; | ||
citus.main_db | ||
--------------------------------------------------------------------- | ||
regression | ||
(1 row) | ||
|
||
SET citus.superuser TO 'postgres'; | ||
CREATE USER grant_role2pc_user1; | ||
CREATE USER grant_role2pc_user2; | ||
CREATE USER grant_role2pc_user3; | ||
CREATE USER grant_role2pc_user4; | ||
CREATE USER grant_role2pc_user5; | ||
CREATE USER grant_role2pc_user6; | ||
CREATE USER grant_role2pc_user7; | ||
\c grant_role2pc_db | ||
--test with empty superuser | ||
SET citus.superuser TO ''; | ||
grant grant_role2pc_user1 to grant_role2pc_user2; | ||
ERROR: No superuser role is given for Citus main database connection | ||
HINT: Set citus.superuser to a superuser role name | ||
SET citus.superuser TO 'postgres'; | ||
grant grant_role2pc_user1 to grant_role2pc_user2 with admin option granted by CURRENT_USER; | ||
\c regression | ||
select result FROM run_command_on_all_nodes( | ||
$$ | ||
SELECT array_to_json(array_agg(row_to_json(t))) | ||
FROM ( | ||
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option | ||
FROM pg_auth_members | ||
WHERE member::regrole::text = 'grant_role2pc_user2' | ||
order by member::regrole::text, roleid::regrole::text | ||
) t | ||
$$ | ||
); | ||
result | ||
--------------------------------------------------------------------- | ||
[{"member":"grant_role2pc_user2","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true}] | ||
[{"member":"grant_role2pc_user2","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true}] | ||
[{"member":"grant_role2pc_user2","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true}] | ||
(3 rows) | ||
|
||
\c grant_role2pc_db | ||
--test grant under transactional context with multiple operations | ||
BEGIN; | ||
grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user3 WITH ADMIN OPTION; | ||
grant grant_role2pc_user1 to grant_role2pc_user4 granted by grant_role2pc_user3 ; | ||
COMMIT; | ||
BEGIN; | ||
grant grant_role2pc_user1 to grant_role2pc_user5 WITH ADMIN OPTION granted by grant_role2pc_user3; | ||
grant grant_role2pc_user1 to grant_role2pc_user6; | ||
ROLLBACK; | ||
BEGIN; | ||
grant grant_role2pc_user1 to grant_role2pc_user7; | ||
SELECT 1/0; | ||
ERROR: division by zero | ||
commit; | ||
\c regression | ||
select result FROM run_command_on_all_nodes($$ | ||
SELECT array_to_json(array_agg(row_to_json(t))) | ||
FROM ( | ||
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option | ||
FROM pg_auth_members | ||
WHERE member::regrole::text in | ||
('grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') | ||
order by member::regrole::text, roleid::regrole::text | ||
) t | ||
$$); | ||
result | ||
--------------------------------------------------------------------- | ||
[{"member":"grant_role2pc_user3","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user3","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user3","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user4","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false}] | ||
(3 rows) | ||
|
||
\c grant_role2pc_db | ||
grant grant_role2pc_user1,grant_role2pc_user2 to grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7 granted by grant_role2pc_user3; | ||
\c regression | ||
select result FROM run_command_on_all_nodes($$ | ||
SELECT array_to_json(array_agg(row_to_json(t))) | ||
FROM ( | ||
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option | ||
FROM pg_auth_members | ||
WHERE member::regrole::text in | ||
('grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') | ||
order by member::regrole::text, roleid::regrole::text | ||
) t | ||
$$); | ||
result | ||
--------------------------------------------------------------------- | ||
[{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user1","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
(3 rows) | ||
|
||
\c grant_role2pc_db | ||
revoke admin option for grant_role2pc_user1 from grant_role2pc_user5 granted by grant_role2pc_user3; | ||
--test revoke under transactional context with multiple operations | ||
BEGIN; | ||
revoke grant_role2pc_user1 from grant_role2pc_user5 granted by grant_role2pc_user3 ; | ||
revoke grant_role2pc_user1 from grant_role2pc_user4 granted by grant_role2pc_user3; | ||
COMMIT; | ||
\c grant_role2pc_db - - :worker_1_port | ||
BEGIN; | ||
revoke grant_role2pc_user1 from grant_role2pc_user6,grant_role2pc_user7 granted by grant_role2pc_user3; | ||
revoke grant_role2pc_user1 from grant_role2pc_user3 cascade; | ||
COMMIT; | ||
\c regression | ||
select result FROM run_command_on_all_nodes($$ | ||
SELECT array_to_json(array_agg(row_to_json(t))) | ||
FROM ( | ||
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option | ||
FROM pg_auth_members | ||
WHERE member::regrole::text in | ||
('grant_role2pc_user2','grant_role2pc_user3','grant_role2pc_user4','grant_role2pc_user5','grant_role2pc_user6','grant_role2pc_user7') | ||
order by member::regrole::text, roleid::regrole::text | ||
) t | ||
$$); | ||
result | ||
--------------------------------------------------------------------- | ||
[{"member":"grant_role2pc_user2","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user2","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user2","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user3","role":"grant_role2pc_user2","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user7","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
(3 rows) | ||
|
||
\c grant_role2pc_db - - :worker_1_port | ||
BEGIN; | ||
grant grant_role2pc_user1 to grant_role2pc_user5 WITH ADMIN OPTION; | ||
grant grant_role2pc_user1 to grant_role2pc_user6; | ||
COMMIT; | ||
\c regression - - :master_port | ||
select result FROM run_command_on_all_nodes($$ | ||
SELECT array_to_json(array_agg(row_to_json(t))) | ||
FROM ( | ||
SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option | ||
FROM pg_auth_members | ||
WHERE member::regrole::text in | ||
('grant_role2pc_user5','grant_role2pc_user6') | ||
order by member::regrole::text, roleid::regrole::text | ||
) t | ||
$$); | ||
result | ||
--------------------------------------------------------------------- | ||
[{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user1","grantor":"postgres","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user1","grantor":"postgres","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
[{"member":"grant_role2pc_user5","role":"grant_role2pc_user1","grantor":"postgres","admin_option":true},{"member":"grant_role2pc_user5","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user1","grantor":"postgres","admin_option":false},{"member":"grant_role2pc_user6","role":"grant_role2pc_user2","grantor":"grant_role2pc_user3","admin_option":false}] | ||
(3 rows) | ||
|
||
revoke grant_role2pc_user1 from grant_role2pc_user5,grant_role2pc_user6; | ||
--clean resources | ||
DROP SCHEMA grant_role2pc; | ||
set citus.enable_create_database_propagation to on; | ||
DROP DATABASE grant_role2pc_db; | ||
drop user grant_role2pc_user2,grant_role2pc_user3,grant_role2pc_user4,grant_role2pc_user5,grant_role2pc_user6,grant_role2pc_user7; | ||
drop user grant_role2pc_user1; | ||
reset citus.enable_create_database_propagation; |
Oops, something went wrong.