Merge remote-tracking branch 'carto/master' into federated_functions
This commit is contained in:
commit
da570c50aa
3
Makefile
3
Makefile
@ -1,7 +1,7 @@
|
|||||||
# cartodb/Makefile
|
# cartodb/Makefile
|
||||||
|
|
||||||
EXTENSION = cartodb
|
EXTENSION = cartodb
|
||||||
EXTVERSION = 0.31.0
|
EXTVERSION = 0.32.0
|
||||||
|
|
||||||
SED = sed
|
SED = sed
|
||||||
AWK = awk
|
AWK = awk
|
||||||
@ -104,6 +104,7 @@ UPGRADABLE = \
|
|||||||
0.29.0 \
|
0.29.0 \
|
||||||
0.30.0 \
|
0.30.0 \
|
||||||
0.31.0 \
|
0.31.0 \
|
||||||
|
0.32.0 \
|
||||||
$(EXTVERSION)dev \
|
$(EXTVERSION)dev \
|
||||||
$(EXTVERSION)next \
|
$(EXTVERSION)next \
|
||||||
$(END)
|
$(END)
|
||||||
|
3
NEWS.md
3
NEWS.md
@ -1,4 +1,5 @@
|
|||||||
0.32.0 (XXXX-XX-XX)
|
0.32.0 (2019-11-08)
|
||||||
|
* Fix oAuth ownership re-assignation for functions
|
||||||
* Some fixes for PG12.
|
* Some fixes for PG12.
|
||||||
* Make PG12 depend on plpython3u instead of plpythonu
|
* Make PG12 depend on plpython3u instead of plpythonu
|
||||||
* CDB_UserDataSize is now compatible with postgis 3 without postgis_raster.
|
* CDB_UserDataSize is now compatible with postgis 3 without postgis_raster.
|
||||||
|
@ -15,13 +15,22 @@ BEGIN
|
|||||||
obj.object_type,
|
obj.object_type,
|
||||||
obj.schema_name,
|
obj.schema_name,
|
||||||
obj.object_identity;
|
obj.object_identity;
|
||||||
SELECT rolname FROM pg_class JOIN pg_roles ON relowner = pg_roles.oid WHERE pg_class.oid = obj.objid INTO creator_role;
|
IF obj.object_type = 'function' THEN
|
||||||
|
SELECT rolname FROM pg_proc JOIN pg_roles ON proowner = pg_roles.oid WHERE pg_proc.oid = obj.objid INTO creator_role;
|
||||||
|
ELSE
|
||||||
|
SELECT rolname FROM pg_class JOIN pg_roles ON relowner = pg_roles.oid WHERE pg_class.oid = obj.objid INTO creator_role;
|
||||||
|
END IF;
|
||||||
SELECT value->>'ownership_role_name' from @extschema@.CDB_Conf_GetConf('api_keys_' || quote_ident(creator_role)) value INTO owner_role;
|
SELECT value->>'ownership_role_name' from @extschema@.CDB_Conf_GetConf('api_keys_' || quote_ident(creator_role)) value INTO owner_role;
|
||||||
IF owner_role IS NULL OR owner_role = '' THEN
|
IF owner_role IS NULL OR owner_role = '' THEN
|
||||||
|
RAISE DEBUG 'owner_role not found';
|
||||||
CONTINUE;
|
CONTINUE;
|
||||||
ELSE
|
ELSE
|
||||||
EXECUTE 'ALTER ' || obj.object_type || ' ' || obj.object_identity || ' OWNER TO ' || quote_ident(owner_role);
|
EXECUTE 'ALTER ' || obj.object_type || ' ' || obj.object_identity || ' OWNER TO ' || quote_ident(owner_role);
|
||||||
EXECUTE 'GRANT ALL ON ' || obj.object_identity || ' TO ' || QUOTE_IDENT(creator_role);
|
IF obj.object_type = 'function' THEN
|
||||||
|
EXECUTE 'GRANT ALL ON FUNCTION ' || obj.object_identity || ' TO ' || QUOTE_IDENT(creator_role);
|
||||||
|
ELSE
|
||||||
|
EXECUTE 'GRANT ALL ON ' || obj.object_identity || ' TO ' || QUOTE_IDENT(creator_role);
|
||||||
|
END IF;
|
||||||
RAISE DEBUG 'Changing ownership from % to %', creator_role, owner_role;
|
RAISE DEBUG 'Changing ownership from % to %', creator_role, owner_role;
|
||||||
END IF;
|
END IF;
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
\set QUIET on
|
\set QUIET on
|
||||||
SET client_min_messages TO error;
|
SET client_min_messages TO error;
|
||||||
|
|
||||||
-- The permission error changed between pre PG11 and post 11 (before everythin "relation", now it's "view", "table" and so on
|
-- The permission error changed between pre PG11 and post 11 (before everything was "relation", now it's "view", "table" and so on
|
||||||
CREATE OR REPLACE FUNCTION catch_permission_error(query text)
|
CREATE OR REPLACE FUNCTION catch_permission_error(query text)
|
||||||
RETURNS bool
|
RETURNS bool
|
||||||
AS $$
|
AS $$
|
||||||
BEGIN
|
BEGIN
|
||||||
EXECUTE query;
|
EXECUTE query;
|
||||||
@ -36,14 +36,20 @@ CREATE TABLE test_tablesas AS SELECT * FROM test;
|
|||||||
CREATE VIEW test_view AS SELECT * FROM test;
|
CREATE VIEW test_view AS SELECT * FROM test;
|
||||||
CREATE MATERIALIZED VIEW test_mview AS SELECT * FROM test;
|
CREATE MATERIALIZED VIEW test_mview AS SELECT * FROM test;
|
||||||
SELECT * INTO test_selectinto FROM test;
|
SELECT * INTO test_selectinto FROM test;
|
||||||
|
CREATE FUNCTION test_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
||||||
|
|
||||||
SELECT * FROM test;
|
SELECT * FROM test;
|
||||||
SELECT * FROM test_tablesas;
|
SELECT * FROM test_tablesas;
|
||||||
SELECT * FROM test_view;
|
SELECT * FROM test_view;
|
||||||
SELECT * FROM test_mview;
|
SELECT * FROM test_mview;
|
||||||
SELECT * FROM test_selectinto;
|
SELECT * FROM test_selectinto;
|
||||||
|
SELECT test_function();
|
||||||
|
-- Postgres grants default execute privilege on functions to PUBLIC. So in order to check the different permissions
|
||||||
|
-- between creator and owner roles is not enough with performing a selection, we need to DROP the table (which only the owner can do)
|
||||||
|
DROP FUNCTION test_function();
|
||||||
|
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
|
CREATE FUNCTION test_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
||||||
SET SESSION AUTHORIZATION "ownership_role";
|
SET SESSION AUTHORIZATION "ownership_role";
|
||||||
\set QUIET off
|
\set QUIET off
|
||||||
|
|
||||||
@ -52,6 +58,8 @@ SELECT 'denied_tableas', catch_permission_error($$SELECT * FROM test_tablesas;$$
|
|||||||
SELECT 'denied_view', catch_permission_error($$SELECT * FROM test_view;$$);
|
SELECT 'denied_view', catch_permission_error($$SELECT * FROM test_view;$$);
|
||||||
SELECT 'denied_mview', catch_permission_error($$SELECT * FROM test_mview;$$);
|
SELECT 'denied_mview', catch_permission_error($$SELECT * FROM test_mview;$$);
|
||||||
SELECT 'denied_selectinto', catch_permission_error($$SELECT * FROM test_selectinto;$$);
|
SELECT 'denied_selectinto', catch_permission_error($$SELECT * FROM test_selectinto;$$);
|
||||||
|
SELECT test_function();
|
||||||
|
SELECT 'denied_function', catch_permission_error($$DROP FUNCTION test_function();$$);
|
||||||
|
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
SET SESSION AUTHORIZATION "creator_role";
|
SET SESSION AUTHORIZATION "creator_role";
|
||||||
@ -62,6 +70,7 @@ DROP VIEW test_view;
|
|||||||
DROP MATERIALIZED VIEW test_mview;
|
DROP MATERIALIZED VIEW test_mview;
|
||||||
DROP TABLE test_selectinto;
|
DROP TABLE test_selectinto;
|
||||||
DROP TABLE test;
|
DROP TABLE test;
|
||||||
|
DROP FUNCTION test_function();
|
||||||
|
|
||||||
-- Second part with event trigger but without ownership_role_name in cdb_conf
|
-- Second part with event trigger but without ownership_role_name in cdb_conf
|
||||||
|
|
||||||
@ -77,14 +86,18 @@ CREATE TABLE test2_tablesas AS SELECT * FROM test2;
|
|||||||
CREATE VIEW test2_view AS SELECT * FROM test2;
|
CREATE VIEW test2_view AS SELECT * FROM test2;
|
||||||
CREATE MATERIALIZED VIEW test2_mview AS SELECT * FROM test2;
|
CREATE MATERIALIZED VIEW test2_mview AS SELECT * FROM test2;
|
||||||
SELECT * INTO test2_selectinto FROM test2;
|
SELECT * INTO test2_selectinto FROM test2;
|
||||||
|
CREATE FUNCTION test2_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
||||||
|
|
||||||
SELECT * FROM test2;
|
SELECT * FROM test2;
|
||||||
SELECT * FROM test2_tablesas;
|
SELECT * FROM test2_tablesas;
|
||||||
SELECT * FROM test2_view;
|
SELECT * FROM test2_view;
|
||||||
SELECT * FROM test2_mview;
|
SELECT * FROM test2_mview;
|
||||||
SELECT * FROM test2_selectinto;
|
SELECT * FROM test2_selectinto;
|
||||||
|
SELECT test2_function();
|
||||||
|
DROP FUNCTION test2_function();
|
||||||
|
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
|
CREATE FUNCTION test2_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
||||||
SET SESSION AUTHORIZATION "ownership_role";
|
SET SESSION AUTHORIZATION "ownership_role";
|
||||||
\set QUIET off
|
\set QUIET off
|
||||||
|
|
||||||
@ -93,6 +106,8 @@ SELECT 'denied_tableas2', catch_permission_error($$SELECT * FROM test2_tablesas;
|
|||||||
SELECT 'denied_view2', catch_permission_error($$SELECT * FROM test2_view;$$);
|
SELECT 'denied_view2', catch_permission_error($$SELECT * FROM test2_view;$$);
|
||||||
SELECT 'denied_mview2', catch_permission_error($$SELECT * FROM test2_mview;$$);
|
SELECT 'denied_mview2', catch_permission_error($$SELECT * FROM test2_mview;$$);
|
||||||
SELECT 'denied_selectinto2', catch_permission_error($$SELECT * FROM test2_selectinto;$$);
|
SELECT 'denied_selectinto2', catch_permission_error($$SELECT * FROM test2_selectinto;$$);
|
||||||
|
SELECT test2_function();
|
||||||
|
SELECT 'denied_function2', catch_permission_error($$DROP FUNCTION test2_function();$$);
|
||||||
|
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
SET SESSION AUTHORIZATION "creator_role";
|
SET SESSION AUTHORIZATION "creator_role";
|
||||||
@ -103,6 +118,7 @@ DROP VIEW test2_view;
|
|||||||
DROP MATERIALIZED VIEW test2_mview;
|
DROP MATERIALIZED VIEW test2_mview;
|
||||||
DROP TABLE test2_selectinto;
|
DROP TABLE test2_selectinto;
|
||||||
DROP TABLE test2;
|
DROP TABLE test2;
|
||||||
|
DROP FUNCTION test2_function();
|
||||||
|
|
||||||
-- Third part with event trigger but with empty ownership_role_name in cdb_conf
|
-- Third part with event trigger but with empty ownership_role_name in cdb_conf
|
||||||
|
|
||||||
@ -118,14 +134,18 @@ CREATE TABLE test3_tablesas AS SELECT * FROM test3;
|
|||||||
CREATE VIEW test3_view AS SELECT * FROM test3;
|
CREATE VIEW test3_view AS SELECT * FROM test3;
|
||||||
CREATE MATERIALIZED VIEW test3_mview AS SELECT * FROM test3;
|
CREATE MATERIALIZED VIEW test3_mview AS SELECT * FROM test3;
|
||||||
SELECT * INTO test3_selectinto FROM test3;
|
SELECT * INTO test3_selectinto FROM test3;
|
||||||
|
CREATE FUNCTION test3_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
||||||
|
|
||||||
SELECT * FROM test3;
|
SELECT * FROM test3;
|
||||||
SELECT * FROM test3_tablesas;
|
SELECT * FROM test3_tablesas;
|
||||||
SELECT * FROM test3_view;
|
SELECT * FROM test3_view;
|
||||||
SELECT * FROM test3_mview;
|
SELECT * FROM test3_mview;
|
||||||
SELECT * FROM test3_selectinto;
|
SELECT * FROM test3_selectinto;
|
||||||
|
SELECT test3_function();
|
||||||
|
DROP FUNCTION test3_function();
|
||||||
|
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
|
CREATE FUNCTION test3_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
||||||
SET SESSION AUTHORIZATION "ownership_role";
|
SET SESSION AUTHORIZATION "ownership_role";
|
||||||
\set QUIET off
|
\set QUIET off
|
||||||
|
|
||||||
@ -134,6 +154,8 @@ SELECT 'denied_tableas3', catch_permission_error($$SELECT * FROM test3_tablesas;
|
|||||||
SELECT 'denied_view3', catch_permission_error($$SELECT * FROM test3_view;$$);
|
SELECT 'denied_view3', catch_permission_error($$SELECT * FROM test3_view;$$);
|
||||||
SELECT 'denied_mview3', catch_permission_error($$SELECT * FROM test3_mview;$$);
|
SELECT 'denied_mview3', catch_permission_error($$SELECT * FROM test3_mview;$$);
|
||||||
SELECT 'denied_selectinto3', catch_permission_error($$SELECT * FROM test3_selectinto;$$);
|
SELECT 'denied_selectinto3', catch_permission_error($$SELECT * FROM test3_selectinto;$$);
|
||||||
|
SELECT test3_function();
|
||||||
|
SELECT 'denied_function3', catch_permission_error($$DROP FUNCTION test3_function();$$);
|
||||||
|
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
SET SESSION AUTHORIZATION "creator_role";
|
SET SESSION AUTHORIZATION "creator_role";
|
||||||
@ -144,6 +166,7 @@ DROP VIEW test3_view;
|
|||||||
DROP MATERIALIZED VIEW test3_mview;
|
DROP MATERIALIZED VIEW test3_mview;
|
||||||
DROP TABLE test3_selectinto;
|
DROP TABLE test3_selectinto;
|
||||||
DROP TABLE test3;
|
DROP TABLE test3;
|
||||||
|
DROP FUNCTION test3_function();
|
||||||
|
|
||||||
-- Fourth part with the event trigger active and configured
|
-- Fourth part with the event trigger active and configured
|
||||||
|
|
||||||
@ -159,12 +182,15 @@ CREATE TABLE test4_tablesas AS SELECT * FROM test4;
|
|||||||
CREATE VIEW test4_view AS SELECT * FROM test4;
|
CREATE VIEW test4_view AS SELECT * FROM test4;
|
||||||
CREATE MATERIALIZED VIEW test4_mview AS SELECT * FROM test4;
|
CREATE MATERIALIZED VIEW test4_mview AS SELECT * FROM test4;
|
||||||
SELECT * INTO test4_selectinto FROM test4;
|
SELECT * INTO test4_selectinto FROM test4;
|
||||||
|
CREATE FUNCTION test4_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
||||||
|
|
||||||
SELECT * FROM test4;
|
SELECT * FROM test4;
|
||||||
SELECT * FROM test4_tablesas;
|
SELECT * FROM test4_tablesas;
|
||||||
SELECT * FROM test4_view;
|
SELECT * FROM test4_view;
|
||||||
SELECT * FROM test4_mview;
|
SELECT * FROM test4_mview;
|
||||||
SELECT * FROM test4_selectinto;
|
SELECT * FROM test4_selectinto;
|
||||||
|
SELECT test4_function();
|
||||||
|
SELECT 'denied_function4', catch_permission_error($$DROP FUNCTION test4_function();$$);
|
||||||
|
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
SET SESSION AUTHORIZATION "ownership_role";
|
SET SESSION AUTHORIZATION "ownership_role";
|
||||||
@ -175,6 +201,7 @@ SELECT * FROM test4_tablesas;
|
|||||||
SELECT * FROM test4_view;
|
SELECT * FROM test4_view;
|
||||||
SELECT * FROM test4_mview;
|
SELECT * FROM test4_mview;
|
||||||
SELECT * FROM test4_selectinto;
|
SELECT * FROM test4_selectinto;
|
||||||
|
SELECT test4_function();
|
||||||
|
|
||||||
-- Ownership role drops the tables
|
-- Ownership role drops the tables
|
||||||
DROP TABLE test4_tablesas;
|
DROP TABLE test4_tablesas;
|
||||||
@ -182,6 +209,7 @@ DROP VIEW test4_view;
|
|||||||
DROP MATERIALIZED VIEW test4_mview;
|
DROP MATERIALIZED VIEW test4_mview;
|
||||||
DROP TABLE test4_selectinto;
|
DROP TABLE test4_selectinto;
|
||||||
DROP TABLE test4;
|
DROP TABLE test4;
|
||||||
|
DROP FUNCTION test4_function();
|
||||||
|
|
||||||
-- Cleanup
|
-- Cleanup
|
||||||
\set QUIET on
|
\set QUIET on
|
||||||
|
@ -5,21 +5,27 @@ SELECT 1
|
|||||||
CREATE VIEW
|
CREATE VIEW
|
||||||
SELECT 1
|
SELECT 1
|
||||||
SELECT 1
|
SELECT 1
|
||||||
|
CREATE FUNCTION
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
|
1
|
||||||
|
DROP FUNCTION
|
||||||
denied_table|t
|
denied_table|t
|
||||||
denied_tableas|t
|
denied_tableas|t
|
||||||
denied_view|t
|
denied_view|t
|
||||||
denied_mview|t
|
denied_mview|t
|
||||||
denied_selectinto|t
|
denied_selectinto|t
|
||||||
|
1
|
||||||
|
denied_function|t
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
DROP VIEW
|
DROP VIEW
|
||||||
DROP MATERIALIZED VIEW
|
DROP MATERIALIZED VIEW
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
|
DROP FUNCTION
|
||||||
NOTICE: event trigger "oauth_reassign_tables_trigger" does not exist, skipping
|
NOTICE: event trigger "oauth_reassign_tables_trigger" does not exist, skipping
|
||||||
|
|
||||||
CREATE TABLE
|
CREATE TABLE
|
||||||
@ -28,21 +34,27 @@ SELECT 1
|
|||||||
CREATE VIEW
|
CREATE VIEW
|
||||||
SELECT 1
|
SELECT 1
|
||||||
SELECT 1
|
SELECT 1
|
||||||
|
CREATE FUNCTION
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
|
1
|
||||||
|
DROP FUNCTION
|
||||||
denied_table2|t
|
denied_table2|t
|
||||||
denied_tableas2|t
|
denied_tableas2|t
|
||||||
denied_view2|t
|
denied_view2|t
|
||||||
denied_mview2|t
|
denied_mview2|t
|
||||||
denied_selectinto2|t
|
denied_selectinto2|t
|
||||||
|
1
|
||||||
|
denied_function2|t
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
DROP VIEW
|
DROP VIEW
|
||||||
DROP MATERIALIZED VIEW
|
DROP MATERIALIZED VIEW
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
|
DROP FUNCTION
|
||||||
|
|
||||||
CREATE TABLE
|
CREATE TABLE
|
||||||
INSERT 0 1
|
INSERT 0 1
|
||||||
@ -50,21 +62,27 @@ SELECT 1
|
|||||||
CREATE VIEW
|
CREATE VIEW
|
||||||
SELECT 1
|
SELECT 1
|
||||||
SELECT 1
|
SELECT 1
|
||||||
|
CREATE FUNCTION
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
|
1
|
||||||
|
DROP FUNCTION
|
||||||
denied_table3|t
|
denied_table3|t
|
||||||
denied_tableas3|t
|
denied_tableas3|t
|
||||||
denied_view3|t
|
denied_view3|t
|
||||||
denied_mview3|t
|
denied_mview3|t
|
||||||
denied_selectinto3|t
|
denied_selectinto3|t
|
||||||
|
1
|
||||||
|
denied_function3|t
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
DROP VIEW
|
DROP VIEW
|
||||||
DROP MATERIALIZED VIEW
|
DROP MATERIALIZED VIEW
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
|
DROP FUNCTION
|
||||||
|
|
||||||
CREATE TABLE
|
CREATE TABLE
|
||||||
INSERT 0 1
|
INSERT 0 1
|
||||||
@ -72,12 +90,16 @@ SELECT 1
|
|||||||
CREATE VIEW
|
CREATE VIEW
|
||||||
SELECT 1
|
SELECT 1
|
||||||
SELECT 1
|
SELECT 1
|
||||||
|
CREATE FUNCTION
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
|
denied_function4|t
|
||||||
|
1
|
||||||
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
1
|
1
|
||||||
@ -87,4 +109,5 @@ DROP VIEW
|
|||||||
DROP MATERIALIZED VIEW
|
DROP MATERIALIZED VIEW
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
DROP TABLE
|
DROP TABLE
|
||||||
|
DROP FUNCTION
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user