Google Git
Sign in
apache / cloudberry / HEAD / . / src / test / isolation2 / output / parallel_retrieve_cursor / privilege.source
blob: 30a0bc1f158ad561bc3faa537a6071a31a46422a [file] [log] [blame]
-- @Description Tests the privileges related with endpoints
--
DROP TABLE IF EXISTS t1;
DROP
DROP USER IF EXISTS adminuser;
DROP
DROP USER IF EXISTS u1;
DROP
DROP USER IF EXISTS uu1;
DROP
DROP USER IF EXISTS u2;
DROP
CREATE USER adminuser;
CREATE
ALTER USER adminuser WITH SUPERUSER;
ALTER
CREATE USER u1 with CREATEROLE;
CREATE
CREATE USER u2;
CREATE
SET SESSION AUTHORIZATION u1;
SET
CREATE TABLE t1 (a INT) DISTRIBUTED by (a);
CREATE
insert into t1 select generate_series(1,10);
INSERT 10
CREATE USER uu1;
CREATE
GRANT ALL PRIVILEGES ON t1 TO uu1;
GRANT
GRANT uu1 TO u1;
GRANT
RESET SESSION AUTHORIZATION;
RESET
--------- Test1: Admin should be able to see other user's endpoint, retrieve role auth should check token and user
--- c1 is declared by superuser
1: SET SESSION AUTHORIZATION adminuser;
SET
1: SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
adminuser | adminuser
(1 row)
1: BEGIN;
BEGIN
1: DECLARE c1 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
1: @post_run 'parse_endpoint_info 1 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c1';
endpoint_id1 | token_id | host_id | port_id | READY
endpoint_id1 | token_id | host_id | port_id | READY
endpoint_id1 | token_id | host_id | port_id | READY
(3 rows)
1: SET SESSION AUTHORIZATION u1;
SET
1: SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
u1 | u1
(1 row)
--- c2 is declared by u1
1: DECLARE c2 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
--- c12 is declared by u1 on entry db
1: DECLARE c12 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM generate_series(1,10);
DECLARE
--- u1 is able to see all endpoints created by himself.
1: SELECT DISTINCT(cursorname), username FROM gp_get_endpoints();
cursorname | username
------------+----------
c12 | u1
c2 | u1
(2 rows)
--- adminuser should be able to see all the endpoints declared by u1 with state READY
2: SET SESSION AUTHORIZATION adminuser;
SET
2: SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
adminuser | adminuser
(1 row)
2: @post_run 'parse_endpoint_info 2 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c2';
endpoint_id2 | token_id | host_id | port_id | READY
endpoint_id2 | token_id | host_id | port_id | READY
endpoint_id2 | token_id | host_id | port_id | READY
(3 rows)
2: @post_run 'parse_endpoint_info 12 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c12';
endpoint_id12 | token_id | host_id | port_id | READY
(1 row)
2: SELECT DISTINCT(cursorname), username FROM gp_get_endpoints();
cursorname | username
------------+-----------
c1 | adminuser
c12 | u1
c2 | u1
(3 rows)
--- adminuser should be able to see the cursor state change to READY
2: SELECT auth_token, username, state FROM gp_get_endpoints() endpoints order by username;
auth_token | username | state
----------------------------------+-----------+-------
token_id | adminuser | READY
token_id | adminuser | READY
token_id | adminuser | READY
token_id | u1 | READY
token_id | u1 | READY
token_id | u1 | READY
token_id | u1 | READY
(7 rows)
--- adminuser should be able to see all endpoints declared by u1 in utility mode
3: @pre_run 'export CURRENT_ENDPOINT_POSTFIX=1 ; export RETRIEVE_USER="adminuser"; echo $RAW_STR ' : SELECT 1;
?column?
----------
1
(1 row)
0R: SELECT SESSION_USER, CURRENT_USER;
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
0U: SELECT auth_token, username FROM gp_get_segment_endpoints();
auth_token | username
----------------------------------+-----------
token_id | adminuser
token_id | u1
(2 rows)
0R: @pre_run 'set_endpoint_variable @ENDPOINT1': RETRIEVE ALL FROM ENDPOINT "@ENDPOINT1";
a
---
2
3
4
7
8
(5 rows)
0Rq: ... <quitting>
3: @pre_run 'export CURRENT_ENDPOINT_POSTFIX=2 ; export RETRIEVE_USER="u1"; echo $RAW_STR ' : SELECT 1;
?column?
----------
1
(1 row)
--- Login as u1 and retrieve all to finish the test
0R: SELECT SESSION_USER, CURRENT_USER;
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
0R: @pre_run 'set_endpoint_variable @ENDPOINT2': RETRIEVE ALL FROM ENDPOINT "@ENDPOINT2";
a
---
2
3
4
7
8
(5 rows)
1: SET ROLE uu1;
SET
1: SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
u1 | uu1
(1 row)
1: DECLARE c3 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
2: @post_run 'parse_endpoint_info 3 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c3';
endpoint_id3 | token_id | host_id | port_id | READY
endpoint_id3 | token_id | host_id | port_id | READY
endpoint_id3 | token_id | host_id | port_id | READY
(3 rows)
1: SELECT DISTINCT(cursorname), username FROM gp_get_endpoints();
cursorname | username
------------+----------
c3 | uu1
(1 row)
--- u1 can not see uu1's endpoints.
1: SET ROLE u1;
SET
1: SELECT DISTINCT(cursorname), username FROM gp_get_endpoints();
cursorname | username
------------+----------
c2 | u1
c12 | u1
(2 rows)
2: SELECT DISTINCT(cursorname), username FROM gp_get_endpoints();
cursorname | username
------------+-----------
c1 | adminuser
c12 | u1
c2 | u1
c3 | uu1
(4 rows)
3: @pre_run 'export RETRIEVE_USER="uu1"; echo $RAW_STR ' : SELECT 1;
?column?
----------
1
(1 row)
--- Login as uu1 and retrieve
3R: @pre_run 'set_endpoint_variable @ENDPOINT3': RETRIEVE ALL FROM ENDPOINT "@ENDPOINT3";
a
---
2
3
4
7
8
(5 rows)
--- Retrieve c2(which belongs to u1) but current user is uu1.
3R: @pre_run 'set_endpoint_variable @ENDPOINT2': RETRIEVE ALL FROM ENDPOINT "@ENDPOINT2";
ERROR: the PARALLEL RETRIEVE CURSOR was created by a different user
HINT: Use the same user as the PARALLEL RETRIEVE CURSOR creator to retrieve.
0Rq: ... <quitting>
3Rq: ... <quitting>
1<: <... completed>
FAILED: Execution failed
1: END;
END
2q: ... <quitting>
3: @pre_run 'unset RETRIEVE_USER; echo $RAW_STR ' : SELECT 1;
?column?
----------
1
(1 row)
3q: ... <quitting>
--------- Test2: Admin should NOT be able to retrieve from other's PARALLEL RETRIEVE CURSOR
1: SET SESSION AUTHORIZATION adminuser;
SET
1: SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
adminuser | adminuser
(1 row)
1: BEGIN;
BEGIN
-- Used to let super login to retrieve session so then it can change user in session.
1: DECLARE c0 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
1: SET SESSION AUTHORIZATION u1;
SET
--- c1 is declared and executed by u1
1: DECLARE c1 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
1&: SELECT * FROM gp_wait_parallel_retrieve_cursor('c1', -1); <waiting ...>
2: @post_run 'parse_endpoint_info 40 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c0';
endpoint_id40 | token_id | host_id | port_id | READY
endpoint_id40 | token_id | host_id | port_id | READY
endpoint_id40 | token_id | host_id | port_id | READY
(3 rows)
2: @post_run 'parse_endpoint_info 4 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c1';
endpoint_id4 | token_id | host_id | port_id | READY
endpoint_id4 | token_id | host_id | port_id | READY
endpoint_id4 | token_id | host_id | port_id | READY
(3 rows)
--- adminuser should NOT be able to retrieve from other's PARALLEL RETRIEVE CURSOR
3: @pre_run 'export CURRENT_ENDPOINT_POSTFIX=40 ; export RETRIEVE_USER="adminuser"; echo $RAW_STR ' : SELECT 1;
?column?
----------
1
(1 row)
*R: SET SESSION AUTHORIZATION adminuser;
#-1retrieve> connection to server at "host_id", port port_id failed: FATAL: retrieve auth token is invalid
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
*R: SELECT SESSION_USER, CURRENT_USER;
#-1retrieve> connection to server at "host_id", port port_id failed: FATAL: retrieve auth token is invalid
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
*R: @pre_run 'set_endpoint_variable @ENDPOINT4': RETRIEVE ALL FROM ENDPOINT "@ENDPOINT4";
#-1retrieve> connection to server at "host_id", port port_id failed: FATAL: retrieve auth token is invalid
ERROR: the PARALLEL RETRIEVE CURSOR was created by a different user
HINT: Use the same user as the PARALLEL RETRIEVE CURSOR creator to retrieve.
ERROR: the PARALLEL RETRIEVE CURSOR was created by a different user
HINT: Use the same user as the PARALLEL RETRIEVE CURSOR creator to retrieve.
ERROR: the PARALLEL RETRIEVE CURSOR was created by a different user
HINT: Use the same user as the PARALLEL RETRIEVE CURSOR creator to retrieve.
-- cancel the no privilege retrieving endpoints, otherwise it will wait until statement_timeout
42: select pg_cancel_backend(pid) from pg_stat_activity where query like 'SELECT * FROM gp_wait_parallel_retrieve_cursor(''c1'', -1);';
pg_cancel_backend
-------------------
t
(1 row)
1<: <... completed>
ERROR: canceling statement due to user request
1: CLOSE c1;
ERROR: current transaction is aborted, commands ignored until end of transaction block
1: END;
END
1q: ... <quitting>
3q: ... <quitting>
0Rq: ... <quitting>
1Rq: ... <quitting>
2Rq: ... <quitting>
--------- Test3: Admin should be able to close PARALLEL RETRIEVE CURSOR
--- c1 is declared and executed by u1
1: SET SESSION AUTHORIZATION u1;
SET
1: BEGIN;
BEGIN
1: DECLARE c1 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
--- Close c1 by adminuser
1: SET SESSION AUTHORIZATION adminuser;
SET
1: CLOSE c1;
CLOSE
1: END;
END
--------- Test4: u2 should NOT be able to see or retrieve from u1's endpoints
1: SET SESSION AUTHORIZATION adminuser;
SET
1: SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
adminuser | adminuser
(1 row)
1: BEGIN;
BEGIN
-- Used to let super login to retrieve session so then it can change user in session.
1: DECLARE c0 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
1: @post_run 'parse_endpoint_info 50 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c0';
endpoint_id50 | token_id | host_id | port_id | READY
endpoint_id50 | token_id | host_id | port_id | READY
endpoint_id50 | token_id | host_id | port_id | READY
(3 rows)
1: SET SESSION AUTHORIZATION u1;
SET
--- c4 is declared and executed by u1
1: DECLARE c4 PARALLEL RETRIEVE CURSOR FOR SELECT * FROM t1;
DECLARE
1: @post_run 'parse_endpoint_info 5 1 2 3 4' : SELECT endpointname,auth_token,hostname,port,state FROM gp_get_endpoints() WHERE cursorname='c4';
endpoint_id5 | token_id | host_id | port_id | READY
endpoint_id5 | token_id | host_id | port_id | READY
endpoint_id5 | token_id | host_id | port_id | READY
(3 rows)
--- u2 is not able to see u1's endpoints on master
1: SET SESSION AUTHORIZATION u2;
SET
1: SELECT * from gp_get_endpoints();
gp_segment_id | auth_token | cursorname | sessionid | hostname | port | username | state | endpointname
---------------+------------+------------+-----------+----------+------+----------+-------+--------------
(0 rows)
--- execute the cursor by u1
1: SET SESSION AUTHORIZATION u1;
SET
1&: SELECT * FROM gp_wait_parallel_retrieve_cursor('c4', -1); <waiting ...>
--- u2 is not able to see u1's endpoints in RETRIEVE mode
*R: @pre_run 'export CURRENT_ENDPOINT_POSTFIX=50 ; export RETRIEVE_USER="adminuser" ; echo $RAW_STR' : SET SESSION AUTHORIZATION u2;
#-1retrieve> connection to server at "host_id", port port_id failed: FATAL: retrieve auth token is invalid
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
ERROR: This is a retrieve connection, but the query is not a RETRIEVE.
*U: SELECT auth_token, username FROM gp_get_segment_endpoints();
auth_token | username
------------+----------
(0 rows)
auth_token | username
----------------------------------+-----------
token_id | adminuser
token_id | u1
(2 rows)
auth_token | username
----------------------------------+-----------
token_id | adminuser
token_id | u1
(2 rows)
auth_token | username
----------------------------------+-----------
token_id | adminuser
token_id | u1
(2 rows)
--- u2 is not able to retrieve from u1's endpoints in RETRIEVE mode
*R: @pre_run 'set_endpoint_variable @ENDPOINT5': RETRIEVE ALL FROM ENDPOINT "@ENDPOINT5";
#-1retrieve> connection to server at "host_id", port port_id failed: FATAL: retrieve auth token is invalid
ERROR: the PARALLEL RETRIEVE CURSOR was created by a different user
HINT: Use the same user as the PARALLEL RETRIEVE CURSOR creator to retrieve.
ERROR: the PARALLEL RETRIEVE CURSOR was created by a different user
HINT: Use the same user as the PARALLEL RETRIEVE CURSOR creator to retrieve.
ERROR: the PARALLEL RETRIEVE CURSOR was created by a different user
HINT: Use the same user as the PARALLEL RETRIEVE CURSOR creator to retrieve.
-- cancel the no privilege retrieving endpoints, otherwise it will wait until statement_timeout
42: select pg_cancel_backend(pid) from pg_stat_activity where query like 'SELECT * FROM gp_wait_parallel_retrieve_cursor(''c4'', -1);';
pg_cancel_backend
-------------------
t
(1 row)
1<: <... completed>
ERROR: canceling statement due to user request
1: CLOSE c4;
ERROR: current transaction is aborted, commands ignored until end of transaction block
1: END;
END
0Rq: ... <quitting>
1Rq: ... <quitting>
2Rq: ... <quitting>