Propagate grants in continuous aggregates

Before this commit, grants on continuous aggregates were not propagated
to the materialized hypertable, direct view, and partial view. With
this commit, grants on a continuous aggregate is propagated.

Fixes #2413

src/process_utility.c

@@ -1063,6 +1063,18 @@ process_drop_tablespace(ProcessUtilityArgs *args)
 	return DDL_CONTINUE;
 }
 
+static void
+process_grant_add_by_rel(GrantStmt *stmt, RangeVar *relation)
+{
+	stmt->objects = lappend(stmt->objects, relation);
+}
+
+static void
+process_grant_add_by_name(GrantStmt *stmt, Name schema_name, Name table_name)
+{
+	process_grant_add_by_rel(stmt, makeRangeVar(NameStr(*schema_name), NameStr(*table_name), -1));
+}
+
 /*
  * Handle GRANT / REVOKE.
  *
@@ -1090,6 +1102,7 @@ process_grant_and_revoke(ProcessUtilityArgs *args)
 			ts_tablespace_validate_revoke(stmt);
 			result = DDL_DONE;
 			break;
+
 		case OBJECT_TABLE:
 			/*
 			 * Collect the hypertables in the grant statement. We only need to
@@ -1099,6 +1112,27 @@ process_grant_and_revoke(ProcessUtilityArgs *args)
 				Cache *hcache = ts_hypertable_cache_pin();
 				ListCell *cell;
 
+				/* First process all continuous aggregates in the list and add
+				 * the associated hypertables and views to the list of objects
+				 * to process */
+				foreach (cell, stmt->objects)
+				{
+					RangeVar *relation = lfirst_node(RangeVar, cell);
+					ContinuousAgg *const cagg = ts_continuous_agg_find_by_rv(relation);
+					if (cagg)
+					{
+						Hypertable *ht = ts_hypertable_get_by_id(cagg->data.mat_hypertable_id);
+						process_grant_add_by_name(stmt, &ht->fd.schema_name, &ht->fd.table_name);
+						process_grant_add_by_name(stmt,
+												  &cagg->data.direct_view_schema,
+												  &cagg->data.direct_view_name);
+						process_grant_add_by_name(stmt,
+												  &cagg->data.partial_view_schema,
+												  &cagg->data.partial_view_name);
+					}
+				}
+
+				/* Process all hypertables, including those added in the loop above */
 				foreach (cell, stmt->objects)
 				{
 					RangeVar *relation = lfirst_node(RangeVar, cell);

tsl/test/expected/continuous_aggs_permissions.out

@@ -5,6 +5,27 @@
 \c :TEST_DBNAME :ROLE_SUPERUSER
 -- remove any default jobs, e.g., telemetry so bgw_job isn't polluted
 DELETE FROM _timescaledb_config.bgw_job WHERE TRUE;
+CREATE VIEW cagg_info AS
+WITH
+  caggs AS (
+    SELECT format('%I.%I', user_view_schema, user_view_name)::regclass AS user_view,
+           format('%I.%I', direct_view_schema, direct_view_name)::regclass AS direct_view,
+           format('%I.%I', partial_view_schema, partial_view_name)::regclass AS partial_view,
+           format('%I.%I', ht.schema_name, ht.table_name)::regclass AS mat_relid
+      FROM _timescaledb_catalog.hypertable ht,
+           _timescaledb_catalog.continuous_agg cagg
+     WHERE ht.id = cagg.mat_hypertable_id
+  )
+SELECT user_view,
+       (SELECT relacl FROM pg_class WHERE oid = user_view) AS user_view_perm,
+       relname AS mat_table,
+       (relacl) AS mat_table_perm,
+       direct_view,
+       (SELECT relacl FROM pg_class WHERE oid = direct_view) AS direct_view_perm,
+       partial_view,
+       (SELECT relacl FROM pg_class WHERE oid = partial_view) AS partial_view_perm
+  FROM pg_class JOIN caggs ON pg_class.oid = caggs.mat_relid;
+GRANT SELECT ON cagg_info TO PUBLIC;
 \c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER
 CREATE TABLE conditions (
       timec       INT       NOT NULL,
@@ -188,3 +209,67 @@ SELECT * FROM mat_perm_view_test;
  POR      |  75
 (1 row)
 
+\set VERBOSITY default
+-- Test that grants and revokes are propagated to the implementation
+-- objects, that is, the user view, the partial view, the direct view,
+-- and the materialization table.
+\c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER
+CREATE TABLE devices (
+   time TIMESTAMPTZ NOT NULL,
+   device INT,
+   temp DOUBLE PRECISION NULL,
+   PRIMARY KEY(time, device)
+);
+SELECT create_hypertable('devices', 'time');
+  create_hypertable   
+----------------------
+ (9,public,devices,t)
+(1 row)
+
+GRANT SELECT, TRIGGER ON devices TO :ROLE_DEFAULT_PERM_USER_2;
+INSERT INTO devices
+SELECT time, (random() * 30)::int, random() * 80
+FROM generate_series('2020-02-01 00:00:00'::timestamptz, '2020-03-01 00:00:00', '1 hour') AS time;
+\c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
+CREATE MATERIALIZED VIEW devices_summary
+WITH (timescaledb.continuous, timescaledb.materialized_only=true)
+AS SELECT time_bucket('1 day', time) AS bucket, device, MAX(temp)
+FROM devices GROUP BY bucket, device WITH NO DATA;
+NOTICE:  adding index _materialized_hypertable_10_device_bucket_idx ON _timescaledb_internal._materialized_hypertable_10 USING BTREE(device, bucket)
+\x on
+SELECT * FROM cagg_info WHERE user_view::text = 'devices_summary';
+-[ RECORD 1 ]-----+---------------------------------------
+user_view         | devices_summary
+user_view_perm    | 
+mat_table         | _materialized_hypertable_10
+mat_table_perm    | 
+direct_view       | _timescaledb_internal._direct_view_10
+direct_view_perm  | 
+partial_view      | _timescaledb_internal._partial_view_10
+partial_view_perm | 
+
+GRANT ALL ON devices_summary TO :ROLE_DEFAULT_PERM_USER;
+SELECT * FROM cagg_info WHERE user_view::text = 'devices_summary';
+-[ RECORD 1 ]-----+------------------------------------------------------------------------------------------------
+user_view         | devices_summary
+user_view_perm    | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=arwdDxt/default_perm_user_2}
+mat_table         | _materialized_hypertable_10
+mat_table_perm    | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=arwdDxt/default_perm_user_2}
+direct_view       | _timescaledb_internal._direct_view_10
+direct_view_perm  | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=arwdDxt/default_perm_user_2}
+partial_view      | _timescaledb_internal._partial_view_10
+partial_view_perm | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=arwdDxt/default_perm_user_2}
+
+REVOKE SELECT, UPDATE ON devices_summary FROM :ROLE_DEFAULT_PERM_USER;
+SELECT * FROM cagg_info WHERE user_view::text = 'devices_summary';
+-[ RECORD 1 ]-----+----------------------------------------------------------------------------------------------
+user_view         | devices_summary
+user_view_perm    | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=adDxt/default_perm_user_2}
+mat_table         | _materialized_hypertable_10
+mat_table_perm    | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=adDxt/default_perm_user_2}
+direct_view       | _timescaledb_internal._direct_view_10
+direct_view_perm  | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=adDxt/default_perm_user_2}
+partial_view      | _timescaledb_internal._partial_view_10
+partial_view_perm | {default_perm_user_2=arwdDxt/default_perm_user_2,default_perm_user=adDxt/default_perm_user_2}
+
+\x off

tsl/test/sql/continuous_aggs_permissions.sql

@@ -8,6 +8,28 @@
 -- remove any default jobs, e.g., telemetry so bgw_job isn't polluted
 DELETE FROM _timescaledb_config.bgw_job WHERE TRUE;
 
+CREATE VIEW cagg_info AS
+WITH
+  caggs AS (
+    SELECT format('%I.%I', user_view_schema, user_view_name)::regclass AS user_view,
+           format('%I.%I', direct_view_schema, direct_view_name)::regclass AS direct_view,
+           format('%I.%I', partial_view_schema, partial_view_name)::regclass AS partial_view,
+           format('%I.%I', ht.schema_name, ht.table_name)::regclass AS mat_relid
+      FROM _timescaledb_catalog.hypertable ht,
+           _timescaledb_catalog.continuous_agg cagg
+     WHERE ht.id = cagg.mat_hypertable_id
+  )
+SELECT user_view,
+       (SELECT relacl FROM pg_class WHERE oid = user_view) AS user_view_perm,
+       relname AS mat_table,
+       (relacl) AS mat_table_perm,
+       direct_view,
+       (SELECT relacl FROM pg_class WHERE oid = direct_view) AS direct_view_perm,
+       partial_view,
+       (SELECT relacl FROM pg_class WHERE oid = partial_view) AS partial_view_perm
+  FROM pg_class JOIN caggs ON pg_class.oid = caggs.mat_relid;
+GRANT SELECT ON cagg_info TO PUBLIC;
+
 \c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER
 
 CREATE TABLE conditions (
@@ -164,3 +186,38 @@ CALL refresh_continuous_aggregate('mat_perm_view_test', NULL, NULL);
 
 --but the old data will still be there
 SELECT * FROM mat_perm_view_test;
+
+\set VERBOSITY default
+
+-- Test that grants and revokes are propagated to the implementation
+-- objects, that is, the user view, the partial view, the direct view,
+-- and the materialization table.
+\c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER
+CREATE TABLE devices (
+   time TIMESTAMPTZ NOT NULL,
+   device INT,
+   temp DOUBLE PRECISION NULL,
+   PRIMARY KEY(time, device)
+);
+
+SELECT create_hypertable('devices', 'time');
+GRANT SELECT, TRIGGER ON devices TO :ROLE_DEFAULT_PERM_USER_2;
+
+INSERT INTO devices
+SELECT time, (random() * 30)::int, random() * 80
+FROM generate_series('2020-02-01 00:00:00'::timestamptz, '2020-03-01 00:00:00', '1 hour') AS time;
+
+\c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
+
+CREATE MATERIALIZED VIEW devices_summary
+WITH (timescaledb.continuous, timescaledb.materialized_only=true)
+AS SELECT time_bucket('1 day', time) AS bucket, device, MAX(temp)
+FROM devices GROUP BY bucket, device WITH NO DATA;
+
+\x on
+SELECT * FROM cagg_info WHERE user_view::text = 'devices_summary';
+GRANT ALL ON devices_summary TO :ROLE_DEFAULT_PERM_USER;
+SELECT * FROM cagg_info WHERE user_view::text = 'devices_summary';
+REVOKE SELECT, UPDATE ON devices_summary FROM :ROLE_DEFAULT_PERM_USER;
+SELECT * FROM cagg_info WHERE user_view::text = 'devices_summary';
+\x off