|
|
|
@ -2,9 +2,9 @@
|
|
|
|
|
\set QUIET on
|
|
|
|
|
SET client_min_messages TO error;
|
|
|
|
|
|
|
|
|
|
-- The permission error changed between pre PG11 and post 11 (before everythin "relation", now it's "view", "table" and so on
|
|
|
|
|
-- The permission error changed between pre PG11 and post 11 (before everything was "relation", now it's "view", "table" and so on
|
|
|
|
|
CREATE OR REPLACE FUNCTION catch_permission_error(query text)
|
|
|
|
|
RETURNS bool
|
|
|
|
|
RETURNS bool
|
|
|
|
|
AS $$
|
|
|
|
|
BEGIN
|
|
|
|
|
EXECUTE query;
|
|
|
|
@ -36,14 +36,20 @@ CREATE TABLE test_tablesas AS SELECT * FROM test;
|
|
|
|
|
CREATE VIEW test_view AS SELECT * FROM test;
|
|
|
|
|
CREATE MATERIALIZED VIEW test_mview AS SELECT * FROM test;
|
|
|
|
|
SELECT * INTO test_selectinto FROM test;
|
|
|
|
|
CREATE FUNCTION test_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
|
|
|
|
|
|
|
|
|
SELECT * FROM test;
|
|
|
|
|
SELECT * FROM test_tablesas;
|
|
|
|
|
SELECT * FROM test_view;
|
|
|
|
|
SELECT * FROM test_mview;
|
|
|
|
|
SELECT * FROM test_selectinto;
|
|
|
|
|
SELECT test_function();
|
|
|
|
|
-- Postgres grants default execute privilege on functions to PUBLIC. So in order to check the different permissions
|
|
|
|
|
-- between creator and owner roles is not enough with performing a selection, we need to DROP the table (which only the owner can do)
|
|
|
|
|
DROP FUNCTION test_function();
|
|
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
|
CREATE FUNCTION test_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
|
@ -52,6 +58,8 @@ SELECT 'denied_tableas', catch_permission_error($$SELECT * FROM test_tablesas;$$
|
|
|
|
|
SELECT 'denied_view', catch_permission_error($$SELECT * FROM test_view;$$);
|
|
|
|
|
SELECT 'denied_mview', catch_permission_error($$SELECT * FROM test_mview;$$);
|
|
|
|
|
SELECT 'denied_selectinto', catch_permission_error($$SELECT * FROM test_selectinto;$$);
|
|
|
|
|
SELECT test_function();
|
|
|
|
|
SELECT 'denied_function', catch_permission_error($$DROP FUNCTION test_function();$$);
|
|
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
@ -62,6 +70,7 @@ DROP VIEW test_view;
|
|
|
|
|
DROP MATERIALIZED VIEW test_mview;
|
|
|
|
|
DROP TABLE test_selectinto;
|
|
|
|
|
DROP TABLE test;
|
|
|
|
|
DROP FUNCTION test_function();
|
|
|
|
|
|
|
|
|
|
-- Second part with event trigger but without ownership_role_name in cdb_conf
|
|
|
|
|
|
|
|
|
@ -77,14 +86,18 @@ CREATE TABLE test2_tablesas AS SELECT * FROM test2;
|
|
|
|
|
CREATE VIEW test2_view AS SELECT * FROM test2;
|
|
|
|
|
CREATE MATERIALIZED VIEW test2_mview AS SELECT * FROM test2;
|
|
|
|
|
SELECT * INTO test2_selectinto FROM test2;
|
|
|
|
|
CREATE FUNCTION test2_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
|
|
|
|
|
|
|
|
|
SELECT * FROM test2;
|
|
|
|
|
SELECT * FROM test2_tablesas;
|
|
|
|
|
SELECT * FROM test2_view;
|
|
|
|
|
SELECT * FROM test2_mview;
|
|
|
|
|
SELECT * FROM test2_selectinto;
|
|
|
|
|
SELECT test2_function();
|
|
|
|
|
DROP FUNCTION test2_function();
|
|
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
|
CREATE FUNCTION test2_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
|
@ -93,6 +106,8 @@ SELECT 'denied_tableas2', catch_permission_error($$SELECT * FROM test2_tablesas;
|
|
|
|
|
SELECT 'denied_view2', catch_permission_error($$SELECT * FROM test2_view;$$);
|
|
|
|
|
SELECT 'denied_mview2', catch_permission_error($$SELECT * FROM test2_mview;$$);
|
|
|
|
|
SELECT 'denied_selectinto2', catch_permission_error($$SELECT * FROM test2_selectinto;$$);
|
|
|
|
|
SELECT test2_function();
|
|
|
|
|
SELECT 'denied_function2', catch_permission_error($$DROP FUNCTION test2_function();$$);
|
|
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
@ -103,6 +118,7 @@ DROP VIEW test2_view;
|
|
|
|
|
DROP MATERIALIZED VIEW test2_mview;
|
|
|
|
|
DROP TABLE test2_selectinto;
|
|
|
|
|
DROP TABLE test2;
|
|
|
|
|
DROP FUNCTION test2_function();
|
|
|
|
|
|
|
|
|
|
-- Third part with event trigger but with empty ownership_role_name in cdb_conf
|
|
|
|
|
|
|
|
|
@ -118,14 +134,18 @@ CREATE TABLE test3_tablesas AS SELECT * FROM test3;
|
|
|
|
|
CREATE VIEW test3_view AS SELECT * FROM test3;
|
|
|
|
|
CREATE MATERIALIZED VIEW test3_mview AS SELECT * FROM test3;
|
|
|
|
|
SELECT * INTO test3_selectinto FROM test3;
|
|
|
|
|
CREATE FUNCTION test3_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
|
|
|
|
|
|
|
|
|
SELECT * FROM test3;
|
|
|
|
|
SELECT * FROM test3_tablesas;
|
|
|
|
|
SELECT * FROM test3_view;
|
|
|
|
|
SELECT * FROM test3_mview;
|
|
|
|
|
SELECT * FROM test3_selectinto;
|
|
|
|
|
SELECT test3_function();
|
|
|
|
|
DROP FUNCTION test3_function();
|
|
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
|
CREATE FUNCTION test3_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
|
@ -134,6 +154,8 @@ SELECT 'denied_tableas3', catch_permission_error($$SELECT * FROM test3_tablesas;
|
|
|
|
|
SELECT 'denied_view3', catch_permission_error($$SELECT * FROM test3_view;$$);
|
|
|
|
|
SELECT 'denied_mview3', catch_permission_error($$SELECT * FROM test3_mview;$$);
|
|
|
|
|
SELECT 'denied_selectinto3', catch_permission_error($$SELECT * FROM test3_selectinto;$$);
|
|
|
|
|
SELECT test3_function();
|
|
|
|
|
SELECT 'denied_function3', catch_permission_error($$DROP FUNCTION test3_function();$$);
|
|
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
@ -144,6 +166,7 @@ DROP VIEW test3_view;
|
|
|
|
|
DROP MATERIALIZED VIEW test3_mview;
|
|
|
|
|
DROP TABLE test3_selectinto;
|
|
|
|
|
DROP TABLE test3;
|
|
|
|
|
DROP FUNCTION test3_function();
|
|
|
|
|
|
|
|
|
|
-- Fourth part with the event trigger active and configured
|
|
|
|
|
|
|
|
|
@ -159,12 +182,15 @@ CREATE TABLE test4_tablesas AS SELECT * FROM test4;
|
|
|
|
|
CREATE VIEW test4_view AS SELECT * FROM test4;
|
|
|
|
|
CREATE MATERIALIZED VIEW test4_mview AS SELECT * FROM test4;
|
|
|
|
|
SELECT * INTO test4_selectinto FROM test4;
|
|
|
|
|
CREATE FUNCTION test4_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
|
|
|
|
|
|
|
|
|
SELECT * FROM test4;
|
|
|
|
|
SELECT * FROM test4_tablesas;
|
|
|
|
|
SELECT * FROM test4_view;
|
|
|
|
|
SELECT * FROM test4_mview;
|
|
|
|
|
SELECT * FROM test4_selectinto;
|
|
|
|
|
SELECT test4_function();
|
|
|
|
|
SELECT 'denied_function4', catch_permission_error($$DROP FUNCTION test4_function();$$);
|
|
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
@ -175,6 +201,7 @@ SELECT * FROM test4_tablesas;
|
|
|
|
|
SELECT * FROM test4_view;
|
|
|
|
|
SELECT * FROM test4_mview;
|
|
|
|
|
SELECT * FROM test4_selectinto;
|
|
|
|
|
SELECT test4_function();
|
|
|
|
|
|
|
|
|
|
-- Ownership role drops the tables
|
|
|
|
|
DROP TABLE test4_tablesas;
|
|
|
|
@ -182,6 +209,7 @@ DROP VIEW test4_view;
|
|
|
|
|
DROP MATERIALIZED VIEW test4_mview;
|
|
|
|
|
DROP TABLE test4_selectinto;
|
|
|
|
|
DROP TABLE test4;
|
|
|
|
|
DROP FUNCTION test4_function();
|
|
|
|
|
|
|
|
|
|
-- Cleanup
|
|
|
|
|
\set QUIET on
|
|
|
|
|