| author | Joe Conway <mail@joeconway.com> | 2015-07-28 16:01:53 -0700 |
|---|---|---|
| committer | Joe Conway <mail@joeconway.com> | 2015-07-28 16:01:53 -0700 |
| commit | f781a0f1d88411978c9df5f05cbb4f46aabe3d24 (patch) | |
| tree | 23fdbf53c265ac15dcc82d529b771ac11b2d42f0 /src/test/regress | |
| parent | 8c72a7fab47a7f501d211468d6e477e1f3a20599 (diff) | |
Create a pg_shdepend entry for each role in TO clause of policies.
CreatePolicy() and AlterPolicy() omit to create a pg_shdepend entry for
each role in the TO clause. Fix this by creating a new shared dependency
type called SHARED_DEPENDENCY_POLICY and assigning it to each role.
Reported by Noah Misch. Patch by me, reviewed by Alvaro Herrera.
Back-patch to 9.5 where RLS was introduced.
Diffstat (limited to 'src/test/regress')
| -rw-r--r-- | src/test/regress/expected/rowsecurity.out | 55 | ||||
| -rw-r--r-- | src/test/regress/sql/rowsecurity.sql | 44 |
2 files changed, 99 insertions, 0 deletions
diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
index fd8e180f8a..4749efc567 100644
--- a/src/test/regress/expected/rowsecurity.out
+++ b/src/test/regress/expected/rowsecurity.out
@@ -2942,6 +2942,61 @@ SELECT * FROM coll_t;
 ROLLBACK;
 --
+-- Shared Object Dependencies
+--
+RESET SESSION AUTHORIZATION;
+BEGIN;
+CREATE ROLE alice;
+CREATE ROLE bob;
+CREATE TABLE tbl1 (c) AS VALUES ('bar'::text);
+GRANT SELECT ON TABLE tbl1 TO alice;
+CREATE POLICY P ON tbl1 TO alice, bob USING (true);
+SELECT refclassid::regclass, deptype
+ FROM pg_depend
+ WHERE classid = 'pg_policy'::regclass
+ AND refobjid = 'tbl1'::regclass;
+ refclassid | deptype
+------------+---------
+ pg_class | a
+(1 row)
+
+SELECT refclassid::regclass, deptype
+ FROM pg_shdepend
+ WHERE classid = 'pg_policy'::regclass
+ AND refobjid IN ('alice'::regrole, 'bob'::regrole);
+ refclassid | deptype
+------------+---------
+ pg_authid | r
+ pg_authid | r
+(2 rows)
+
+SAVEPOINT q;
+DROP ROLE alice; --fails due to dependency on POLICY p
+ERROR: role "alice" cannot be dropped because some objects depend on it
+DETAIL: target of policy p on table tbl1
+privileges for table tbl1
+ROLLBACK TO q;
+ALTER POLICY p ON tbl1 TO bob USING (true);
+SAVEPOINT q;
+DROP ROLE alice; --fails due to dependency on GRANT SELECT
+ERROR: role "alice" cannot be dropped because some objects depend on it
+DETAIL: privileges for table tbl1
+ROLLBACK TO q;
+REVOKE ALL ON TABLE tbl1 FROM alice;
+SAVEPOINT q;
+DROP ROLE alice; --succeeds
+ROLLBACK TO q;
+SAVEPOINT q;
+DROP ROLE bob; --fails due to dependency on POLICY p
+ERROR: role "bob" cannot be dropped because some objects depend on it
+DETAIL: target of policy p on table tbl1
+ROLLBACK TO q;
+DROP POLICY p ON tbl1;
+SAVEPOINT q;
+DROP ROLE bob; -- succeeds
+ROLLBACK TO q;
+ROLLBACK; -- cleanup
+--
 -- Clean up objects
 --
 RESET SESSION AUTHORIZATION;
diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
index 32f10d8649..529edd01c7 100644
--- a/src/test/regress/sql/rowsecurity.sql
+++ b/src/test/regress/sql/rowsecurity.sql
@@ -1217,6 +1217,50 @@ SELECT * FROM coll_t;
 ROLLBACK;
 --
+-- Shared Object Dependencies
+--
+RESET SESSION AUTHORIZATION;
+BEGIN;
+CREATE ROLE alice;
+CREATE ROLE bob;
+CREATE TABLE tbl1 (c) AS VALUES ('bar'::text);
+GRANT SELECT ON TABLE tbl1 TO alice;
+CREATE POLICY P ON tbl1 TO alice, bob USING (true);
+SELECT refclassid::regclass, deptype
+ FROM pg_depend
+ WHERE classid = 'pg_policy'::regclass
+ AND refobjid = 'tbl1'::regclass;
+SELECT refclassid::regclass, deptype
+ FROM pg_shdepend
+ WHERE classid = 'pg_policy'::regclass
+ AND refobjid IN ('alice'::regrole, 'bob'::regrole);
+
+SAVEPOINT q;
+DROP ROLE alice; --fails due to dependency on POLICY p
+ROLLBACK TO q;
+
+ALTER POLICY p ON tbl1 TO bob USING (true);
+SAVEPOINT q;
+DROP ROLE alice; --fails due to dependency on GRANT SELECT
+ROLLBACK TO q;
+
+REVOKE ALL ON TABLE tbl1 FROM alice;
+SAVEPOINT q;
+DROP ROLE alice; --succeeds
+ROLLBACK TO q;
+
+SAVEPOINT q;
+DROP ROLE bob; --fails due to dependency on POLICY p
+ROLLBACK TO q;
+
+DROP POLICY p ON tbl1;
+SAVEPOINT q;
+DROP ROLE bob; -- succeeds
+ROLLBACK TO q;
+
+ROLLBACK; -- cleanup
+
+--
 -- Clean up objects
 --
 RESET SESSION AUTHORIZATION; |
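Review bot: The ALTER POLICY path is only exercised for shrinking the role list (`ALTER POLICY p ON tbl1 TO bob USING (true);`), so nothing in this test checks that a role newly added by ALTER POLICY receives its own pg_shdepend entry. After the `DROP ROLE alice; --succeeds` step, a case such as `ALTER POLICY p ON tbl1 TO alice, bob;` followed by the same SAVEPOINT / `DROP ROLE alice;` / ROLLBACK TO sequence, expected to fail, would cover that direction. The removal of alice's entry is likewise only inferred from the error detail of the second DROP ROLE in the expected output; repeating the pg_shdepend query right after the ALTER would pin it directly. On style, the policy is created as `P` and referenced everywhere else as `p`, which works through identifier folding but reads like a typo, so one spelling throughout would be clearer.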
