FOR Testing !!! Tests granted by support using grantor dependency resolution #7549

Draft
wants to merge 4 commits into
base: main
16 changes: 16 additions & 0 deletions src/backend/distributed/commands/dependencies.c
Expand Up @@ -344,9 +344,25 @@ DeferErrorIfCircularDependencyExists(const ObjectAddress *objectAddress)
{
char *objectDescription = getObjectDescription(objectAddress, false);

// Iterate all objects in the 'dependencies' list, get the object names and create a string
ListCell *cell;
StringInfo objectNames = makeStringInfo();
foreach(cell, dependencies)
{
ObjectAddress *dependency1 = (ObjectAddress *) lfirst(cell);
char *objectName = getObjectDescription(dependency1, false);
appendStringInfo(objectNames, "%s\n", objectName);
}
//to show the circular dependency





StringInfo detailInfo = makeStringInfo();
appendStringInfo(detailInfo, "\"%s\" circularly depends itself, resolve "
"circular dependency first", objectDescription);
appendStringInfo(detailInfo, "ependencies are:\n%s", objectNames->data);

return DeferredError(ERRCODE_FEATURE_NOT_SUPPORTED,
"Citus can not handle circular dependencies "
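Review bot: The second `appendStringInfo` on `detailInfo` uses the literal `"ependencies are:\n%s"`, which has lost its leading "D" and is appended straight after "...resolve circular dependency first" with no separator, so the DETAIL would read `firstependencies are:`. Something like `appendStringInfo(detailInfo, ". Dependencies are:\n%s", objectNames->data);` fixes both. The DETAIL now returns the description of every entry in `dependencies` to whoever ran the statement; if that list can include objects the caller could not otherwise see, the names may belong in a server-side log line rather than the client-facing message. The expected output for `granted_by_support` in this PR still shows the old one-line DETAIL, so the code and the test look out of sync. The enclosing function starts before this hunk and continues after it, and `dependencies` is declared outside the visible lines.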
15 changes: 15 additions & 0 deletions src/backend/distributed/metadata/dependency.c
Expand Up @@ -1819,6 +1819,8 @@ ExpandRolesToGroups(Oid roleid)
true, NULL, scanKeyCount, scanKey);

List *roles = NIL;

elog(NOTICE, "Originator Roleid: %s", GetUserNameFromId(roleid, true));
while ((tuple = systable_getnext(scanDescriptor)) != NULL)
{
Form_pg_auth_members membership = (Form_pg_auth_members) GETSTRUCT(tuple);
Expand All @@ -1827,8 +1829,21 @@ ExpandRolesToGroups(Oid roleid)
definition->mode = DependencyObjectAddress;
ObjectAddressSet(definition->data.address, AuthIdRelationId, membership->roleid);

//log the name of the membership->roleid
elog(NOTICE, "Dependency roleid granted: %s", GetUserNameFromId(membership->roleid, true));


roles = lappend(roles, definition);

DependencyDefinition *definition1 = palloc0(sizeof(DependencyDefinition));
definition1->mode = DependencyObjectAddress;
ObjectAddressSet(definition1->data.address, AuthIdRelationId, membership->grantor);
elog(NOTICE, "Dependency roleid grantor: %s",GetUserNameFromId( membership->grantor,true));
elog(NOTICE, "Dependency roleid member: %s",GetUserNameFromId( membership->member,true));

roles = lappend(roles, definition1);
}
elog(NOTICE, "Originator Roleid: %s completed", GetUserNameFromId(roleid, true));

systable_endscan(scanDescriptor);
table_close(pgAuthMembers, AccessShareLock);
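Review bot: The five `elog(NOTICE, ...)` calls added to `ExpandRolesToGroups` send role, member and grantor names to the client every time a role is expanded, which hands membership details to whichever session triggers dependency resolution and would also change regression output (the expected files in this PR show none of these lines). If the tracing is still needed, lower the level, e.g. `elog(DEBUG4, "Dependency roleid grantor: %s", GetUserNameFromId(membership->grantor, true));`, or drop the calls before merge. Separately, `definition1` is appended for `membership->grantor` on every row without checking the OID; on server versions that leave `grantor` untouched when the granting role is dropped this may record a dependency on a role that no longer exists, so a guard such as `if (OidIsValid(membership->grantor))` together with an existence check seems warranted. The function starts before the first hunk and continues after the second.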
2 changes: 1 addition & 1 deletion src/test/regress/expected/create_role_propagation.out
Expand Up @@ -196,14 +196,14 @@ SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::t
(1 row)

\c - - - :master_port
create role test_admin_role;
-- test grants with distributed and non-distributed roles
SELECT master_remove_node('localhost', :worker_2_port);
master_remove_node
---------------------------------------------------------------------

(1 row)

create role test_admin_role;
CREATE ROLE dist_role_1 SUPERUSER;
CREATE ROLE dist_role_2;
CREATE ROLE dist_role_3;
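--- a/src/test/regress/expected/granted_by_support.out
+++ b/src/test/regress/expected/granted_by_support.out
@@ -0,0 +1,109 @@
+-- Active: 1700033167033@@localhost@9700@gurkanindibay@public
+--In below tests, complex role hierarchy is created and then granted by support is tested.
+select 1 from citus_remove_node ('localhost',:worker_2_port);
+?column?
+---------------------------------------------------------------------
+1
+(1 row)
+
+create role role1;
+create role role2;
+create role role3;
+create role role4;
+create role "role5'_test";
+grant role2 to role1 with admin option;
+grant role2 to role3 with admin option granted by role1;
+grant role3 to role4 with admin option;
+grant role3 to "role5'_test" granted by role4;
+grant role2 to "role5'_test" granted by role3;
+grant role4 to "role5'_test" with admin option;
+grant role4 to role1 with admin option GRANTED BY "role5'_test";
+ERROR: Citus can not handle circular dependencies between distributed objects
+DETAIL: "role role1" circularly depends itself, resolve circular dependency first
+grant role4 to role3 with admin option GRANTED BY role1;
+ERROR: permission denied to grant privileges as role "role1"
+DETAIL: The grantor must have the ADMIN option on role "role4".
+grant role3 to role1 with admin option GRANTED BY role4;
+ERROR: Citus can not handle circular dependencies between distributed objects
+DETAIL: "role role1" circularly depends itself, resolve circular dependency first
+grant "role5'_test" to role1 with admin option;
+ERROR: Citus can not handle circular dependencies between distributed objects
+DETAIL: "role role1" circularly depends itself, resolve circular dependency first
+grant "role5'_test" to role3 with admin option GRANTED BY role1;
+ERROR: permission denied to grant privileges as role "role1"
+DETAIL: The grantor must have the ADMIN option on role "role5'_test".
+SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option, inherit_option,set_option FROM pg_auth_members pa;
+role | member | grantor | admin_option | inherit_option | set_option
+---------------------------------------------------------------------
+pg_read_all_settings | pg_monitor | postgres | f | t | t
+pg_read_all_stats | pg_monitor | postgres | f | t | t
+pg_stat_scan_tables | pg_monitor | postgres | f | t | t
+role2 | role1 | postgres | t | t | t
+role2 | role3 | role1 | t | t | t
+role3 | role4 | postgres | t | t | t
+role3 | "role5'_test" | role4 | f | t | t
+role2 | "role5'_test" | role3 | f | t | t
+role4 | "role5'_test" | postgres | t | t | t
+(9 rows)
+
+select result FROM run_command_on_all_nodes(
+$$
+SELECT array_to_json(array_agg(row_to_json(t)))
+FROM (
+SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
+FROM pg_auth_members
+WHERE member::regrole::text in
+('role1','role2','role3','role4','"role5''_test"')
+order by member::regrole::text, roleid::regrole::text
+) t
+$$
+);
+result
+---------------------------------------------------------------------
+[{"member":"\"role5'_test\"","role":"role2","grantor":"role3","admin_option":false},{"member":"\"role5'_test\"","role":"role3","grantor":"role4","admin_option":false},{"member":"\"role5'_test\"","role":"role4","grantor":"postgres","admin_option":true},{"member":"role1","role":"role2","grantor":"postgres","admin_option":true},{"member":"role3","role":"role2","grantor":"role1","admin_option":true},{"member":"role4","role":"role3","grantor":"postgres","admin_option":true}]
+[{"member":"\"role5'_test\"","role":"role2","grantor":"role3","admin_option":false},{"member":"\"role5'_test\"","role":"role3","grantor":"role4","admin_option":false},{"member":"\"role5'_test\"","role":"role4","grantor":"postgres","admin_option":true},{"member":"role1","role":"role2","grantor":"postgres","admin_option":true},{"member":"role3","role":"role2","grantor":"role1","admin_option":true},{"member":"role4","role":"role3","grantor":"postgres","admin_option":true}]
+(2 rows)
+
+set citus.log_remote_commands to on;
+set citus.grep_remote_commands to '%GRANT%';
+select 1 from citus_add_node ('localhost',:worker_2_port);
+NOTICE: issuing CREATE SCHEMA IF NOT EXISTS public AUTHORIZATION pg_database_owner;SET ROLE pg_database_owner;GRANT USAGE ON SCHEMA public TO pg_database_owner;;GRANT CREATE ON SCHEMA public TO pg_database_owner;;RESET ROLE;SET ROLE pg_database_owner;GRANT USAGE ON SCHEMA public TO PUBLIC;;RESET ROLE
+DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx
+NOTICE: issuing CREATE SCHEMA IF NOT EXISTS information_schema AUTHORIZATION postgres;SET ROLE postgres;GRANT USAGE ON SCHEMA information_schema TO postgres;;GRANT CREATE ON SCHEMA information_schema TO postgres;;RESET ROLE;SET ROLE postgres;GRANT USAGE ON SCHEMA information_schema TO PUBLIC;;RESET ROLE
+DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx
+NOTICE: issuing SELECT worker_create_or_alter_role('role1', 'CREATE ROLE role1 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''', 'ALTER ROLE role1 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''');GRANT role2 TO role1 WITH INHERIT TRUE, ADMIN OPTION GRANTED BY postgres;
+DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx
+NOTICE: issuing SELECT worker_create_or_alter_role('role3', 'CREATE ROLE role3 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''', 'ALTER ROLE role3 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''');GRANT role2 TO role3 WITH INHERIT TRUE, ADMIN OPTION GRANTED BY role1;
+DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx
+NOTICE: issuing SELECT worker_create_or_alter_role('role4', 'CREATE ROLE role4 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''', 'ALTER ROLE role4 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''');GRANT role3 TO role4 WITH INHERIT TRUE, ADMIN OPTION GRANTED BY postgres;
+DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx
+NOTICE: issuing SELECT worker_create_or_alter_role('role5''_test', 'CREATE ROLE "role5''_test" NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''', 'ALTER ROLE "role5''_test" NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''');GRANT role2 TO "role5'_test" WITH INHERIT TRUE GRANTED BY role3;;GRANT role3 TO "role5'_test" WITH INHERIT TRUE GRANTED BY role4;;GRANT role4 TO "role5'_test" WITH INHERIT TRUE, ADMIN OPTION GRANTED BY postgres;
+DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx
+?column?
+---------------------------------------------------------------------
+1
+(1 row)
+
+set citus.log_remote_commands to off;
+reset citus.grep_remote_commands;
+--clean all resources
+drop role role1,role2,role3,role4,"role5'_test";
+select result FROM run_command_on_all_nodes(
+$$
+SELECT array_to_json(array_agg(row_to_json(t)))
+FROM (
+SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
+FROM pg_auth_members
+WHERE member::regrole::text in
+('role1','role2','role3','role4','"role5''_test"')
+order by member::regrole::text, roleid::regrole::text
+) t
+$$
+);
+result
+---------------------------------------------------------------------
+
+
+
+(3 rows)
+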
1 change: 1 addition & 0 deletions src/test/regress/multi_1_schedule
Expand Up @@ -63,6 +63,7 @@ test: alter_database_propagation

test: citus_shards
test: reassign_owned
test: granted_by_support

# ----------
# multi_citus_tools tests utility functions written for citus tools
4 changes: 2 additions & 2 deletions src/test/regress/sql/create_role_propagation.sql
Expand Up @@ -75,12 +75,12 @@ SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::t

\c - - - :master_port

create role test_admin_role;

-- test grants with distributed and non-distributed roles

SELECT master_remove_node('localhost', :worker_2_port);

create role test_admin_role;

CREATE ROLE dist_role_1 SUPERUSER;
CREATE ROLE dist_role_2;
CREATE ROLE dist_role_3;
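--- a/src/test/regress/sql/granted_by_support.sql
+++ b/src/test/regress/sql/granted_by_support.sql
@@ -0,0 +1,83 @@
+-- Active: 1700033167033@@localhost@9700@gurkanindibay@public
+--In below tests, complex role hierarchy is created and then granted by support is tested.
+
+select 1 from citus_remove_node ('localhost',:worker_2_port);
+
+create role role1;
+
+create role role2;
+
+create role role3;
+
+create role role4;
+
+create role "role5'_test";
+
+grant role2 to role1 with admin option;
+
+grant role2 to role3 with admin option granted by role1;
+
+grant role3 to role4 with admin option;
+
+grant role3 to "role5'_test" granted by role4;
+
+grant role2 to "role5'_test" granted by role3;
+
+grant role4 to "role5'_test" with admin option;
+
+grant role4 to role1 with admin option GRANTED BY "role5'_test";
+
+SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option, inherit_option,set_option FROM pg_auth_members pa;
+
+grant role4 to role3 with admin option GRANTED BY role1;
+
+grant role3 to role1 with admin option GRANTED BY role4;
+
+grant "role5'_test" to role1 with admin option;
+
+grant "role5'_test" to role3 with admin option GRANTED BY role1;
+
+
+SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option, inherit_option,set_option FROM pg_auth_members pa;
+
+
+select result FROM run_command_on_all_nodes(
+$$
+SELECT array_to_json(array_agg(row_to_json(t)))
+FROM (
+SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
+FROM pg_auth_members
+WHERE member::regrole::text in
+('role1','role2','role3','role4','"role5''_test"')
+order by member::regrole::text, roleid::regrole::text
+) t
+$$
+);
+
+
+
+set citus.log_remote_commands to on;
+
+set citus.grep_remote_commands to '%GRANT%';
+
+select 1 from citus_add_node ('localhost',:worker_2_port);
+
+set citus.log_remote_commands to off;
+reset citus.grep_remote_commands;
+
+--clean all resources
+
+drop role role1,role2,role3,role4,"role5'_test";
+
+select result FROM run_command_on_all_nodes(
+$$
+SELECT array_to_json(array_agg(row_to_json(t)))
+FROM (
+SELECT member::regrole, roleid::regrole as role, grantor::regrole, admin_option
+FROM pg_auth_members
+WHERE member::regrole::text in
+('role1','role2','role3','role4','"role5''_test"')
+order by member::regrole::text, roleid::regrole::text
+) t
+$$
+);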
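Review bot: The script runs the unfiltered `SELECT ... FROM pg_auth_members pa;` twice, once right after `grant role4 to role1 with admin option GRANTED BY "role5'_test";` and once after the last grant, but the expected file in this PR holds only one result set for it, so the two files look out of sync and the test would fail as committed. Because that query has no `WHERE` clause, the expected rows also include built-in memberships such as `pg_monitor` and columns such as `set_option` that appear to depend on the server version; restricting it to the test roles, as the `run_command_on_all_nodes` query already does, would keep the output stable. The first line, `-- Active: 1700033167033@@localhost@9700@gurkanindibay@public`, looks like an editor connection marker carrying a local user name and port, and should be dropped from both the script and the expected output.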