any user can access pg_catalog by default

[jeeminso]

Summary of the changes / Why this improves CrateDB

This will allow the user can access generic system data from pg_catalog schema and only the data that the user has the privileges for. ex) From a fresh cluster, super user can see 71 rows from pg_class table. A new user should be able to see them as well without any privileges granted.

1) allow all users to access pg_catalog to handle below observations.

original behaviours on different clients:

crash

cr> show search_path;
SchemaUnknownException[Schema 'pg_catalog' unknown]
cr> select current_schemas(true);
+-----------------------+
| current_schemas       |
+-----------------------+
| ["pg_catalog", "doc"] |
+-----------------------+
SELECT 1 row in set (0.081 sec)

pgcli (cannot log on since it tries to access pg_catalog.pg_settings while logging in)

pgcli postgresql://nuser2@localhost:5432/
Schema 'pg_catalog' unknown

2) protect any rows that users do not have permissions for.

Checklist

• Added an entry in CHANGES.txt for user facing changes
• Updated documentation & sql_features table for user facing changes
• Touched code is covered by tests
• CLA is signed
• This does not contain breaking changes, or if it does:
  • It is released within a major release
  • It is recorded in CHANGES.txt
  • It was marked as deprecated in an earlier release if possible
  • You've thought about the consequences and other components are adapted
    (E.g. AdminUI)

[jeeminso]

handled both 1) and 2).

Regarding 2), there are 17 tables under pg_catalog schema, where 5 will reflect on users' creations and the rest 12 are either empty or fixed tables. The 5 are pg_class, pg_proc, pg_namespace, pg_attribute, and pg_constraint where each has its own privileged access test now.

[jeeminso]

it would be better if I handle the remainder of #11111 (sys schema) and information_schema if necessary separately.

[mfussenegger]

Looks good 👍

Left some minor comments.

[jeeminso]

Thank you @mfussenegger. I have applied all your suggestions.

I have created isBuiltin() on FunctionName which checks no schema and the system schemas.
Replaced isUnderSystemSchemas(..) to a static method from Schemas.

Also, made few fixups. Although blob support will be dropped, I kept the blob related code for now so it can be handled all together.

[mfussenegger]

👍

[jeeminso]

Hello Jordi, @mfussenegger @seut
I had a chance to talk to Basti about this PR and in summary, the concern is with the users being able to access sys by default.
I would like to request you for suggestions before proceeding further.

To briefly explain with an example, if a new user performs select * from pg_catalog.pg_class, sys table names are returned (without DQL to sys schema). I think it makes sense that users should NOT be able to see sys schema related information without the privileges granted.

In my opinion, one way to handle is by backing out this PR except for the part that handles the login issue. Then it would be consistent with how information_schema is protected in CrateDB. Another option could be to allow default accesses to pg_catalog and information_schema (and block sys) which is the behaviour of Postgres.

[mfussenegger]

the concern is with the users being able to access sys by default.

To clarify: You mean that users see entries related to the sys schema within pg_catalog tables? Users still can't access sys tables

In my opinion, one way to handle is by backing out this PR except for the part that handles the login issue. Then it would be consistent with how information_schema is protected in CrateDB. Another option could be to allow default accesses to pg_catalog and information_schema (and block sys) which is the behaviour of Postgres.

I'd opt for the latter option, which was what #11111 was outlined. So I think a follow up that replaces the isSystemSchema checks with a check for only pg_catalog or information_schema should be good enough.

To make things consistent we should probably later on (separately) also make some changes to how the information_schema tables are handled. For example information_schema.tables should probably return the information_schema and pg_catalog tables as well for a user who doesn't have explicit permissions on those tables.

[jeeminso]

To clarify: You mean that users see entries related to the sys schema within pg_catalog tables? Users still can't access sys tables

Yes, users still cannot access sys tables.

I will make the changes and then open an issue to track information_schema to be consistent. Thank you!!