Fix continuous aggregate privileges during update
Copy ACL privileges (grants) from the query view (user-facing object) to the internal objects (e.g., materialized hypertable, direct view, and partial view) when updating the extension to the new version. A previous change added such propagation of privileges when executing `GRANT` statements, but didn't apply it retrospectively to the internal objects of existing continuous aggregates. Having the right permissions on internal objects is also necessary for the watermark function used by real-time aggregation since it queries the materialized hypertable directly.

The update script copies the ACL information from the user-facing view of every continuous aggregate to its internal objects (including the materialized hypertable and its chunks). This is done by direct insert into `pg_class` instead of executing a `GRANT` statement in the update script, since the latter will record the grant/ACL as an init privilege (i.e., the system believes the GRANT is for an extension object). The init privilege will prevent this ACL from being included in future dump files, since `pg_dump` only includes non-init privileges as it believes such privileges will be recreated with the extension.

Fixes #2825
Showing 6 changed files with 139 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
-- For continuous aggregates: Copy ACL privileges (grants) from the | ||
-- query view (user-facing object) to the internal objects (e.g., | ||
-- materialized hypertable, direct, and partial views). We want to | ||
-- maintain the abstraction that a continuous aggregates is similar to | ||
-- a materialized view (which is one object), so privileges on the | ||
-- user-facing object should apply also to the internal objects that | ||
-- implement the continuous aggregate. Having the right permissions on | ||
-- internal objects is necessary for the watermark function used by | ||
-- real-time aggregation since it queries the materialized hypertable | ||
-- directly. | ||
DO $$ | ||
DECLARE | ||
rels regclass[]; | ||
rel regclass; | ||
acl aclitem[]; | ||
BEGIN | ||
FOR rels, acl IN | ||
-- For each cagg, collect an array of all relations (including | ||
-- chunks) to copy the ACL to | ||
SELECT array_cat(ARRAY[format('%I.%I', h.schema_name, h.table_name)::regclass, | ||
format('%I.%I', direct_view_schema, direct_view_name)::regclass, | ||
format('%I.%I', partial_view_schema, partial_view_name)::regclass], | ||
(SELECT array_agg(inhrelid::regclass) FROM pg_inherits WHERE inhparent = format('%I.%I', h.schema_name, h.table_name)::regclass)), | ||
relacl | ||
FROM _timescaledb_catalog.continuous_agg ca | ||
LEFT JOIN pg_class cl | ||
ON (cl.oid = format('%I.%I', user_view_schema, user_view_name)::regclass) | ||
LEFT JOIN _timescaledb_catalog.hypertable h | ||
ON (ca.mat_hypertable_id = h.id) | ||
WHERE relacl IS NOT NULL | ||
LOOP | ||
-- Set the ACL on all internal cagg relations, including | ||
-- chunks. Note that we cannot use GRANT statements because | ||
-- such statements are recorded as privileges on extension | ||
-- objects when run in an update script. The result is that | ||
-- the privileges will become init privileges, which will then | ||
-- be ignored by, e.g., pg_dump. | ||
FOR rel IN | ||
SELECT * FROM unnest(rels) | ||
LOOP | ||
UPDATE pg_class SET relacl = acl | ||
WHERE oid = rel; | ||
END LOOP; | ||
END LOOP; | ||
END | ||
$$ LANGUAGE PLPGSQL; |
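Review bot: The inner loop's `UPDATE pg_class SET relacl = acl WHERE oid = rel;` overwrites the existing ACL on each internal relation instead of merging into it, so any privilege previously granted directly on the materialized hypertable, a view or a chunk is dropped without notice; either merge the view's entries into the existing `relacl` or state in the comment that replacement is intended. Because the write goes straight to the catalog, the grantee roles are also not recorded in `pg_shdepend` the way `GRANT` records them, so a later `DROP ROLE` can leave dangling entries in these ACLs; the comment should call that out or the script should add the dependency rows. Minor: with `WHERE relacl IS NOT NULL` the `LEFT JOIN` on `pg_class` already behaves as an inner join, and a missing hypertable row would make `format('%I.%I', ...)` fail on NULL, so plain `JOIN`s would express the intent better.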
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
-- This file and its contents are licensed under the Apache License 2.0. | ||
-- Please see the included NOTICE for copyright information and | ||
-- LICENSE-APACHE for a copy of the license. | ||
|
||
CREATE ROLE cagg_user; |
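Review bot: `CREATE ROLE cagg_user;` at the end of this new file has no comment saying what the role is for, and since roles are cluster-wide the statement fails if the script is run again against the same cluster. Add a one-line comment tying the role to the continuous aggregate privilege check, and make sure a matching cleanup drops it (or guard the creation) so repeated runs stay deterministic.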