1berry/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix changing the ownership of ALL TABLES IN SCHEMA publication.

Browse Source 
Ensure that the new owner of ALL TABLES IN SCHEMA publication must be a
superuser. The same is already ensured during CREATE PUBLICATION.

Author: Vignesh C
Reviewed-by: Nathan Bossart, Greg Nancarrow, Michael Paquier, Haiying Tang
Discussion: https://postgr.es/m/CALDaNm0E5U-RqxFuFrkZrQeG7ae5trGa=xs=iRtPPHULtT4zOw@mail.gmail.com
This commit is contained in:
Amit Kapila 2021-12-08 11:31:16 +05:30
parent a61bff2bf4
commit 1a2aaeb0db
5 changed files with 68 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/backend/catalog/pg_publication.c
View File

@ -193,6 +193,36 @@ is_publishable_relation(Relation rel)
return is_publishable_class(RelationGetRelid(rel), rel->rd_rel); return is_publishable_class(RelationGetRelid(rel), rel->rd_rel);
} }
/*
* Returns true if any schema is associated with the publication, false if no
* schema is associated with the publication.
*/
bool
is_schema_publication(Oid pubid)
{
Relation pubschsrel;
ScanKeyData scankey;
SysScanDesc scan;
HeapTuple tup;
bool result = false;
pubschsrel = table_open(PublicationNamespaceRelationId, AccessShareLock);
ScanKeyInit(&scankey,
Anum_pg_publication_namespace_pnpubid,
BTEqualStrategyNumber, F_OIDEQ,
ObjectIdGetDatum(pubid));
scan = systable_beginscan(pubschsrel,
PublicationNamespacePnnspidPnpubidIndexId,
true, NULL, 1, &scankey);
tup = systable_getnext(scan);
result = HeapTupleIsValid(tup);
systable_endscan(scan);
table_close(pubschsrel, AccessShareLock);
return result;
}
/* /*
* SQL-callable variant of the above * SQL-callable variant of the above

7
src/backend/commands/publicationcmds.c
View File

@ -1192,6 +1192,13 @@ AlterPublicationOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId)
errmsg("permission denied to change owner of publication \"%s\"", errmsg("permission denied to change owner of publication \"%s\"",
NameStr(form->pubname)), NameStr(form->pubname)),
errhint("The owner of a FOR ALL TABLES publication must be a superuser."))); errhint("The owner of a FOR ALL TABLES publication must be a superuser.")));
if (!superuser_arg(newOwnerId) && is_schema_publication(form->oid))
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("permission denied to change owner of publication \"%s\"",
NameStr(form->pubname)),
errhint("The owner of a FOR ALL TABLES IN SCHEMA publication must be a superuser.")));
} }
form->pubowner = newOwnerId; form->pubowner = newOwnerId;

1
src/include/catalog/pg_publication.h
View File

@ -122,6 +122,7 @@ extern List *GetPubPartitionOptionRelations(List *result,
Oid relid); Oid relid);
extern bool is_publishable_relation(Relation rel); extern bool is_publishable_relation(Relation rel);
extern bool is_schema_publication(Oid pubid);
extern ObjectAddress publication_add_relation(Oid pubid, PublicationRelInfo *targetrel, extern ObjectAddress publication_add_relation(Oid pubid, PublicationRelInfo *targetrel,
bool if_not_exists); bool if_not_exists);
extern ObjectAddress publication_add_schema(Oid pubid, Oid schemaid, extern ObjectAddress publication_add_schema(Oid pubid, Oid schemaid,

15
src/test/regress/expected/publication.out
View File

@ -373,6 +373,21 @@ ALTER PUBLICATION testpub2 ADD TABLE testpub_tbl1; -- ok
DROP PUBLICATION testpub2; DROP PUBLICATION testpub2;
DROP PUBLICATION testpub3; DROP PUBLICATION testpub3;
SET ROLE regress_publication_user; SET ROLE regress_publication_user;
CREATE ROLE regress_publication_user3;
GRANT regress_publication_user2 TO regress_publication_user3;
SET client_min_messages = 'ERROR';
CREATE PUBLICATION testpub4 FOR ALL TABLES IN SCHEMA pub_test;
RESET client_min_messages;
ALTER PUBLICATION testpub4 OWNER TO regress_publication_user3;
SET ROLE regress_publication_user3;
-- fail - new owner must be superuser
ALTER PUBLICATION testpub4 owner to regress_publication_user2; -- fail
ERROR: permission denied to change owner of publication "testpub4"
HINT: The owner of a FOR ALL TABLES IN SCHEMA publication must be a superuser.
ALTER PUBLICATION testpub4 owner to regress_publication_user; -- ok
SET ROLE regress_publication_user;
DROP PUBLICATION testpub4;
DROP ROLE regress_publication_user3;
REVOKE CREATE ON DATABASE regression FROM regress_publication_user2; REVOKE CREATE ON DATABASE regression FROM regress_publication_user2;
DROP TABLE testpub_parted; DROP TABLE testpub_parted;
DROP TABLE testpub_tbl1; DROP TABLE testpub_tbl1;

15
src/test/regress/sql/publication.sql
View File

@ -218,6 +218,21 @@ DROP PUBLICATION testpub2;
DROP PUBLICATION testpub3; DROP PUBLICATION testpub3;
SET ROLE regress_publication_user; SET ROLE regress_publication_user;
CREATE ROLE regress_publication_user3;
GRANT regress_publication_user2 TO regress_publication_user3;
SET client_min_messages = 'ERROR';
CREATE PUBLICATION testpub4 FOR ALL TABLES IN SCHEMA pub_test;
RESET client_min_messages;
ALTER PUBLICATION testpub4 OWNER TO regress_publication_user3;
SET ROLE regress_publication_user3;
-- fail - new owner must be superuser
ALTER PUBLICATION testpub4 owner to regress_publication_user2; -- fail
ALTER PUBLICATION testpub4 owner to regress_publication_user; -- ok
SET ROLE regress_publication_user;
DROP PUBLICATION testpub4;
DROP ROLE regress_publication_user3;
REVOKE CREATE ON DATABASE regression FROM regress_publication_user2; REVOKE CREATE ON DATABASE regression FROM regress_publication_user2;
DROP TABLE testpub_parted; DROP TABLE testpub_parted;