Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix permission handling for compressed chunks on PG16
Before this patch we required the user to have select permissions on the compressed chunks in addition to permissions on the hypertable. This patch changes our code to not require permission on the compressed chunk when querying through the uncompressed hypertable or chunk similar to how we handle this on PG < 16. This fixes views with security_barrier that have constraints on the user. Fixes: #6425
- Loading branch information
Showing
5 changed files
with
97 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
Fixes: #6439 Fix compressed chunk permission handling on PG16 | ||
|
||
Thanks: @adriangb for reporting an issue with security barrier views on pg16 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
-- This file and its contents are licensed under the Timescale License. | ||
-- Please see the included NOTICE for copyright information and | ||
-- LICENSE-TIMESCALE for a copy of the license. | ||
\c :TEST_DBNAME :ROLE_SUPERUSER | ||
CREATE TABLE test_security_barrier (time TIMESTAMPTZ NOT NULL, tenant TEXT NOT NULL, data TEXT); | ||
SELECT FROM create_hypertable('test_security_barrier', by_range('time')); | ||
(1 row) | ||
|
||
INSERT INTO test_security_barrier(time, tenant, data) VALUES | ||
('2020-01-01', :'ROLE_DEFAULT_PERM_USER','data1'), | ||
('2020-01-01', :'ROLE_DEFAULT_PERM_USER_2','data2'); | ||
CREATE VIEW test_security_barrier_view WITH (security_barrier) AS SELECT * FROM test_security_barrier WHERE tenant = current_user; | ||
GRANT SELECT ON test_security_barrier_view TO :ROLE_DEFAULT_PERM_USER; | ||
GRANT SELECT ON test_security_barrier_view TO :ROLE_DEFAULT_PERM_USER_2; | ||
SET ROLE :ROLE_DEFAULT_PERM_USER; | ||
SELECT * FROM test_security_barrier_view; | ||
time | tenant | data | ||
------------------------------+-------------------+------- | ||
Wed Jan 01 00:00:00 2020 PST | default_perm_user | data1 | ||
(1 row) | ||
|
||
RESET ROLE; | ||
SET ROLE :ROLE_DEFAULT_PERM_USER_2; | ||
SELECT * FROM test_security_barrier_view; | ||
time | tenant | data | ||
------------------------------+---------------------+------- | ||
Wed Jan 01 00:00:00 2020 PST | default_perm_user_2 | data2 | ||
(1 row) | ||
|
||
RESET ROLE; | ||
ALTER TABLE test_security_barrier SET (timescaledb.compress); | ||
-- Compress the chunk | ||
SELECT compress_chunk(show_chunks('test_security_barrier')); | ||
compress_chunk | ||
_timescaledb_internal._hyper_X_X_chunk | ||
(1 row) | ||
|
||
SET ROLE :ROLE_DEFAULT_PERM_USER; | ||
SELECT * FROM test_security_barrier_view; | ||
time | tenant | data | ||
------------------------------+-------------------+------- | ||
Wed Jan 01 00:00:00 2020 PST | default_perm_user | data1 | ||
(1 row) | ||
|
||
RESET ROLE; | ||
SET ROLE :ROLE_DEFAULT_PERM_USER_2; | ||
SELECT * FROM test_security_barrier_view; | ||
time | tenant | data | ||
------------------------------+---------------------+------- | ||
Wed Jan 01 00:00:00 2020 PST | default_perm_user_2 | data2 | ||
(1 row) | ||
|
||
RESET ROLE; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
-- This file and its contents are licensed under the Timescale License. | ||
-- Please see the included NOTICE for copyright information and | ||
-- LICENSE-TIMESCALE for a copy of the license. | ||
|
||
\c :TEST_DBNAME :ROLE_SUPERUSER | ||
|
||
CREATE TABLE test_security_barrier (time TIMESTAMPTZ NOT NULL, tenant TEXT NOT NULL, data TEXT); | ||
SELECT FROM create_hypertable('test_security_barrier', by_range('time')); | ||
|
||
INSERT INTO test_security_barrier(time, tenant, data) VALUES | ||
('2020-01-01', :'ROLE_DEFAULT_PERM_USER','data1'), | ||
('2020-01-01', :'ROLE_DEFAULT_PERM_USER_2','data2'); | ||
|
||
CREATE VIEW test_security_barrier_view WITH (security_barrier) AS SELECT * FROM test_security_barrier WHERE tenant = current_user; | ||
|
||
GRANT SELECT ON test_security_barrier_view TO :ROLE_DEFAULT_PERM_USER; | ||
GRANT SELECT ON test_security_barrier_view TO :ROLE_DEFAULT_PERM_USER_2; | ||
|
||
SET ROLE :ROLE_DEFAULT_PERM_USER; | ||
SELECT * FROM test_security_barrier_view; | ||
RESET ROLE; | ||
|
||
SET ROLE :ROLE_DEFAULT_PERM_USER_2; | ||
SELECT * FROM test_security_barrier_view; | ||
RESET ROLE; | ||
|
||
ALTER TABLE test_security_barrier SET (timescaledb.compress); | ||
|
||
-- Compress the chunk | ||
SELECT compress_chunk(show_chunks('test_security_barrier')); | ||
|
||
SET ROLE :ROLE_DEFAULT_PERM_USER; | ||
SELECT * FROM test_security_barrier_view; | ||
RESET ROLE; | ||
|
||
SET ROLE :ROLE_DEFAULT_PERM_USER_2; | ||
SELECT * FROM test_security_barrier_view; | ||
RESET ROLE; | ||
|