cartodb4/cartodb-postgresql
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'carto/master' into federated_functions

Browse Source
This commit is contained in:
Raúl Marín 2019-11-15 13:50:21 +01:00
commit da570c50aa
5 changed files with 68 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile
View File

@ -1,7 +1,7 @@
# cartodb/Makefile
EXTENSION = cartodb
EXTVERSION = 0.31.0
EXTVERSION = 0.32.0
SED = sed
AWK = awk
@ -104,6 +104,7 @@ UPGRADABLE = \
0.29.0 \
0.30.0 \
0.31.0 \
0.32.0 \
$(EXTVERSION)dev \
$(EXTVERSION)next \
$(END)

3
NEWS.md
View File

@ -1,4 +1,5 @@
0.32.0 (XXXX-XX-XX)
0.32.0 (2019-11-08)
* Fix oAuth ownership re-assignation for functions
* Some fixes for PG12.
* Make PG12 depend on plpython3u instead of plpythonu
* CDB_UserDataSize is now compatible with postgis 3 without postgis_raster.

13
scripts-available/CDB_OAuth.sql
View File

@ -15,13 +15,22 @@ BEGIN
obj.object_type,
obj.schema_name,
obj.object_identity;
SELECT rolname FROM pg_class JOIN pg_roles ON relowner = pg_roles.oid WHERE pg_class.oid = obj.objid INTO creator_role;
IF obj.object_type = 'function' THEN
SELECT rolname FROM pg_proc JOIN pg_roles ON proowner = pg_roles.oid WHERE pg_proc.oid = obj.objid INTO creator_role;
ELSE
SELECT rolname FROM pg_class JOIN pg_roles ON relowner = pg_roles.oid WHERE pg_class.oid = obj.objid INTO creator_role;
END IF;
SELECT value->>'ownership_role_name' from @extschema@.CDB_Conf_GetConf('api_keys_' || quote_ident(creator_role)) value INTO owner_role;
IF owner_role IS NULL OR owner_role = '' THEN
RAISE DEBUG 'owner_role not found';
CONTINUE;
ELSE
EXECUTE 'ALTER ' || obj.object_type || ' ' || obj.object_identity || ' OWNER TO ' || quote_ident(owner_role);
EXECUTE 'GRANT ALL ON ' || obj.object_identity || ' TO ' || QUOTE_IDENT(creator_role);
IF obj.object_type = 'function' THEN
EXECUTE 'GRANT ALL ON FUNCTION ' || obj.object_identity || ' TO ' || QUOTE_IDENT(creator_role);
ELSE
EXECUTE 'GRANT ALL ON ' || obj.object_identity || ' TO ' || QUOTE_IDENT(creator_role);
END IF;
RAISE DEBUG 'Changing ownership from % to %', creator_role, owner_role;
END IF;
END LOOP;

32
test/CDB_OAuth.sql
View File

@ -2,9 +2,9 @@
\set QUIET on
SET client_min_messages TO error;
-- The permission error changed between pre PG11 and post 11 (before everythin "relation", now it's "view", "table" and so on
-- The permission error changed between pre PG11 and post 11 (before everything was "relation", now it's "view", "table" and so on
CREATE OR REPLACE FUNCTION catch_permission_error(query text)
RETURNS bool
RETURNS bool
AS $$
BEGIN
EXECUTE query;
@ -36,14 +36,20 @@ CREATE TABLE test_tablesas AS SELECT * FROM test;
CREATE VIEW test_view AS SELECT * FROM test;
CREATE MATERIALIZED VIEW test_mview AS SELECT * FROM test;
SELECT * INTO test_selectinto FROM test;
CREATE FUNCTION test_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
SELECT * FROM test;
SELECT * FROM test_tablesas;
SELECT * FROM test_view;
SELECT * FROM test_mview;
SELECT * FROM test_selectinto;
SELECT test_function();
-- Postgres grants default execute privilege on functions to PUBLIC. So in order to check the different permissions
-- between creator and owner roles is not enough with performing a selection, we need to DROP the table (which only the owner can do)
DROP FUNCTION test_function();
\set QUIET on
CREATE FUNCTION test_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
SET SESSION AUTHORIZATION "ownership_role";
\set QUIET off
@ -52,6 +58,8 @@ SELECT 'denied_tableas', catch_permission_error($$SELECT * FROM test_tablesas;$$
SELECT 'denied_view', catch_permission_error($$SELECT * FROM test_view;$$);
SELECT 'denied_mview', catch_permission_error($$SELECT * FROM test_mview;$$);
SELECT 'denied_selectinto', catch_permission_error($$SELECT * FROM test_selectinto;$$);
SELECT test_function();
SELECT 'denied_function', catch_permission_error($$DROP FUNCTION test_function();$$);
\set QUIET on
SET SESSION AUTHORIZATION "creator_role";
@ -62,6 +70,7 @@ DROP VIEW test_view;
DROP MATERIALIZED VIEW test_mview;
DROP TABLE test_selectinto;
DROP TABLE test;
DROP FUNCTION test_function();
-- Second part with event trigger but without ownership_role_name in cdb_conf
@ -77,14 +86,18 @@ CREATE TABLE test2_tablesas AS SELECT * FROM test2;
CREATE VIEW test2_view AS SELECT * FROM test2;
CREATE MATERIALIZED VIEW test2_mview AS SELECT * FROM test2;
SELECT * INTO test2_selectinto FROM test2;
CREATE FUNCTION test2_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
SELECT * FROM test2;
SELECT * FROM test2_tablesas;
SELECT * FROM test2_view;
SELECT * FROM test2_mview;
SELECT * FROM test2_selectinto;
SELECT test2_function();
DROP FUNCTION test2_function();
\set QUIET on
CREATE FUNCTION test2_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
SET SESSION AUTHORIZATION "ownership_role";
\set QUIET off
@ -93,6 +106,8 @@ SELECT 'denied_tableas2', catch_permission_error($$SELECT * FROM test2_tablesas;
SELECT 'denied_view2', catch_permission_error($$SELECT * FROM test2_view;$$);
SELECT 'denied_mview2', catch_permission_error($$SELECT * FROM test2_mview;$$);
SELECT 'denied_selectinto2', catch_permission_error($$SELECT * FROM test2_selectinto;$$);
SELECT test2_function();
SELECT 'denied_function2', catch_permission_error($$DROP FUNCTION test2_function();$$);
\set QUIET on
SET SESSION AUTHORIZATION "creator_role";
@ -103,6 +118,7 @@ DROP VIEW test2_view;
DROP MATERIALIZED VIEW test2_mview;
DROP TABLE test2_selectinto;
DROP TABLE test2;
DROP FUNCTION test2_function();
-- Third part with event trigger but with empty ownership_role_name in cdb_conf
@ -118,14 +134,18 @@ CREATE TABLE test3_tablesas AS SELECT * FROM test3;
CREATE VIEW test3_view AS SELECT * FROM test3;
CREATE MATERIALIZED VIEW test3_mview AS SELECT * FROM test3;
SELECT * INTO test3_selectinto FROM test3;
CREATE FUNCTION test3_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
SELECT * FROM test3;
SELECT * FROM test3_tablesas;
SELECT * FROM test3_view;
SELECT * FROM test3_mview;
SELECT * FROM test3_selectinto;
SELECT test3_function();
DROP FUNCTION test3_function();
\set QUIET on
CREATE FUNCTION test3_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
SET SESSION AUTHORIZATION "ownership_role";
\set QUIET off
@ -134,6 +154,8 @@ SELECT 'denied_tableas3', catch_permission_error($$SELECT * FROM test3_tablesas;
SELECT 'denied_view3', catch_permission_error($$SELECT * FROM test3_view;$$);
SELECT 'denied_mview3', catch_permission_error($$SELECT * FROM test3_mview;$$);
SELECT 'denied_selectinto3', catch_permission_error($$SELECT * FROM test3_selectinto;$$);
SELECT test3_function();
SELECT 'denied_function3', catch_permission_error($$DROP FUNCTION test3_function();$$);
\set QUIET on
SET SESSION AUTHORIZATION "creator_role";
@ -144,6 +166,7 @@ DROP VIEW test3_view;
DROP MATERIALIZED VIEW test3_mview;
DROP TABLE test3_selectinto;
DROP TABLE test3;
DROP FUNCTION test3_function();
-- Fourth part with the event trigger active and configured
@ -159,12 +182,15 @@ CREATE TABLE test4_tablesas AS SELECT * FROM test4;
CREATE VIEW test4_view AS SELECT * FROM test4;
CREATE MATERIALIZED VIEW test4_mview AS SELECT * FROM test4;
SELECT * INTO test4_selectinto FROM test4;
CREATE FUNCTION test4_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
SELECT * FROM test4;
SELECT * FROM test4_tablesas;
SELECT * FROM test4_view;
SELECT * FROM test4_mview;
SELECT * FROM test4_selectinto;
SELECT test4_function();
SELECT 'denied_function4', catch_permission_error($$DROP FUNCTION test4_function();$$);
\set QUIET on
SET SESSION AUTHORIZATION "ownership_role";
@ -175,6 +201,7 @@ SELECT * FROM test4_tablesas;
SELECT * FROM test4_view;
SELECT * FROM test4_mview;
SELECT * FROM test4_selectinto;
SELECT test4_function();
-- Ownership role drops the tables
DROP TABLE test4_tablesas;
@ -182,6 +209,7 @@ DROP VIEW test4_view;
DROP MATERIALIZED VIEW test4_mview;
DROP TABLE test4_selectinto;
DROP TABLE test4;
DROP FUNCTION test4_function();
-- Cleanup
\set QUIET on

23
test/CDB_OAuth_expect
View File

@ -5,21 +5,27 @@ SELECT 1
CREATE VIEW
SELECT 1
SELECT 1
CREATE FUNCTION
1
1
1
1
1
1
DROP FUNCTION
denied_table|t
denied_tableas|t
denied_view|t
denied_mview|t
denied_selectinto|t
1
denied_function|t
DROP TABLE
DROP VIEW
DROP MATERIALIZED VIEW
DROP TABLE
DROP TABLE
DROP FUNCTION
NOTICE: event trigger "oauth_reassign_tables_trigger" does not exist, skipping
CREATE TABLE
@ -28,21 +34,27 @@ SELECT 1
CREATE VIEW
SELECT 1
SELECT 1
CREATE FUNCTION
1
1
1
1
1
1
DROP FUNCTION
denied_table2|t
denied_tableas2|t
denied_view2|t
denied_mview2|t
denied_selectinto2|t
1
denied_function2|t
DROP TABLE
DROP VIEW
DROP MATERIALIZED VIEW
DROP TABLE
DROP TABLE
DROP FUNCTION
CREATE TABLE
INSERT 0 1
@ -50,21 +62,27 @@ SELECT 1
CREATE VIEW
SELECT 1
SELECT 1
CREATE FUNCTION
1
1
1
1
1
1
DROP FUNCTION
denied_table3|t
denied_tableas3|t
denied_view3|t
denied_mview3|t
denied_selectinto3|t
1
denied_function3|t
DROP TABLE
DROP VIEW
DROP MATERIALIZED VIEW
DROP TABLE
DROP TABLE
DROP FUNCTION
CREATE TABLE
INSERT 0 1
@ -72,12 +90,16 @@ SELECT 1
CREATE VIEW
SELECT 1
SELECT 1
CREATE FUNCTION
1
1
1
1
1
1
denied_function4|t
1
1
1
1
1
@ -87,4 +109,5 @@ DROP VIEW
DROP MATERIALIZED VIEW
DROP TABLE
DROP TABLE
DROP FUNCTION