author | Masahiko Sawada | 2023-06-09 01:43:03 +0000 |
---|---|---|
committer | Masahiko Sawada | 2023-06-09 01:43:03 +0000 |
commit | a83edeaf684a70da02fa2bce8b7e3aefa3f906f5 (patch) | |
tree | 0d5cc97af81c521754ca0ac919de5a4ae835e7d3 /src/test | |
parent | 26eaf82e7138890022d5d06b77eb745524542fb7 (diff) |
Honor run_as_owner option in tablesync worker.
Commit 482675987 introduced "run_as_owner" subscription option so that
subscription runs with either the permissions of the subscription
owner or the permission of the table owner. However, tablesync workers
did not use this option for the initial data copy.
With this change, tablesync workers run with appropriate permissions
based on "run_as_owner" option.
Ajin Cherian, with changes and regression tests added by me.
Reported-By: Amit Kapila
Author: Ajin Cherian, Masahiko Sawada
Reviewed-by: Ajin Cherian, Amit Kapila
Discussion: https://postgr.es/m/CAA4eK1L=qzRHPEn+qeMoKQGFBzqGoLBzt_ov0A89iFFiut+ppA@mail.gmail.com
Diffstat (limited to 'src/test')
-rw-r--r-- | src/test/subscription/t/033_run_as_table_owner.pl | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/src/test/subscription/t/033_run_as_table_owner.pl b/src/test/subscription/t/033_run_as_table_owner.pl
index 0aa8a093efc..2d0e0e78e3e 100644
--- a/src/test/subscription/t/033_run_as_table_owner.pl
+++ b/src/test/subscription/t/033_run_as_table_owner.pl
@@ -70,8 +70,8 @@ sub revoke_superuser
 # Create publisher and subscriber nodes with schemas owned and published by
 # "regress_alice" but subscribed and replicated by different role
-# "regress_admin". For partitioned tables, layout the partitions differently
-# on the publisher than on the subscriber.
+# "regress_admin" and "regress_admin2". For partitioned tables, layout the
+# partitions differently on the publisher than on the subscriber.
 #
 $node_publisher = PostgreSQL::Test::Cluster->new('publisher');
 $node_subscriber = PostgreSQL::Test::Cluster->new('subscriber');
@@ -86,6 +86,7 @@ for my $node ($node_publisher, $node_subscriber)
 $node->safe_psql(
 'postgres', qq(
 CREATE ROLE regress_admin SUPERUSER LOGIN;
+ CREATE ROLE regress_admin2 SUPERUSER LOGIN;
 CREATE ROLE regress_alice NOSUPERUSER LOGIN;
 GRANT CREATE ON DATABASE postgres TO regress_alice;
 SET SESSION AUTHORIZATION regress_alice;
@@ -192,4 +193,37 @@ GRANT regress_alice TO regress_admin WITH INHERIT TRUE, SET FALSE;
 expect_replication("alice.unpartitioned", 3, 7, 13,
 "with INHERIT but not SET ROLE can replicate");
+# Remove the subscrition and truncate the table for the initial data sync
+# tests.
+$node_subscriber->safe_psql(
+ 'postgres', qq(
+DROP SUBSCRIPTION admin_sub;
+TRUNCATE alice.unpartitioned;
+));
+
+# Create a new subscription "admin_sub" owned by regress_admin2. It's
+# disabled so that we revoke superuser privilege after creation.
+$node_subscriber->safe_psql(
+ 'postgres', qq(
+SET SESSION AUTHORIZATION regress_admin2;
+CREATE SUBSCRIPTION admin_sub CONNECTION '$publisher_connstr' PUBLICATION alice
+WITH (run_as_owner = false, password_required = false, copy_data = true, enabled = false);
+));
+
+# Revoke superuser privilege for "regress_admin2", and give it the
+# ability to SET ROLE. Then enable the subscription "admin_sub".
+revoke_superuser("regress_admin2");
+$node_subscriber->safe_psql(
+ 'postgres', qq(
+GRANT regress_alice TO regress_admin2 WITH INHERIT FALSE, SET TRUE;
+ALTER SUBSCRIPTION admin_sub ENABLE;
+));
+
+# Because the initial data sync is working as the table owner, all
+# data should be copied.
+$node_subscriber->wait_for_subscription_sync($node_publisher,
+ 'admin_sub');
+expect_replication("alice.unpartitioned", 3, 7, 13,
+ "table owner can do the initial data copy");
+
 done_testing(); |
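Review bot: The added initial-sync test covers only the success path. With `run_as_owner = false` and `GRANT regress_alice TO regress_admin2 WITH INHERIT FALSE, SET TRUE` the copy succeeds, but nothing in this hunk checks that the tablesync worker is refused when the non-superuser subscription owner has not been granted the ability to SET ROLE to the table owner. That refusal is the security-relevant half of the behaviour, so a negative case is worth adding: enable `admin_sub` before the `GRANT`, confirm that `alice.unpartitioned` is not populated and the sync reports a permission error, then grant and wait for sync as the hunk does now. That would catch a regression where the copy switches to the table owner without the membership check. A `run_as_owner = true` initial copy is also not exercised in the visible lines, though it may be covered elsewhere in the file. Separately, the first added comment has a typo and should read `# Remove the subscription and truncate the table for the initial data sync`.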