Propagate SECURITY LABEL ON ROLE stmt #7304
Conversation
naisila
force-pushed
the
naisila/sec_label_role
branch
3 times, most recently
from
aca5abf
to
14394a9
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #7304 +/- ##
==========================================
- Coverage 89.58% 89.44% -0.15%
==========================================
Files 275 277 +2
Lines 59610 59687 +77
Branches 7427 7437 +10
==========================================
- Hits 53403 53388 -15
- Misses 4076 4137 +61
- Partials 2131 2162 +31 |
naisila
force-pushed
the
naisila/sec_label_role
branch
from
14394a9
to
b88b4e6
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
from
7b66b96
to
d37fed2
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
2 times, most recently
from
d92e621
to
d4b0b32
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
4 times, most recently
from
1251ab5
to
963e1b9
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
from
6cbde49
to
9a8be06
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
2 times, most recently
from
b4111ed
to
5ebaa80
Compare
| @@ -550,3 +550,35 @@ BEGIN | |||
| RETURN result; | |||
| END; | |||
| $func$ LANGUAGE plpgsql; | |||
|
|
|||
| -- Returns pg_seclabels entries from all nodes in the cluster | |||
| -- for which the provider is citus_tests_label_provider and the object name is the input | |||
There was a problem hiding this comment.
nit: missing dot
| -- for which the provider is citus_tests_label_provider and the object name is the input | |
| -- for which the provider is citus_tests_label_provider and the object name is the input. |
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS NULL; | ||
| NOTICE: issuing SECURITY LABEL FOR citus_tests_label_provider ON ROLE user1 IS NULL | ||
| DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx | ||
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS 'citus unclassified'; |
There was a problem hiding this comment.
Should we also add a test where we don't provide the "provider" at all?
SECURITY LABEL ON ROLE brand_new_role IS 'citus unclassified';From the docs:
The name of the provider with which this label is to be associated. The named provider must be loaded and must consent to the proposed labeling operation. If exactly one provider is loaded, the provider name may be omitted for brevity.
There was a problem hiding this comment.
I am skipping this test since I am loading two providers to test the character escaping thing.
There was a problem hiding this comment.
Can't we reduce the number of providers we have to one; such that we only have the one that requires proper quoting?
There was a problem hiding this comment.
Hmm okay, then we will not be testing the general case with name that doesn't need quoting, therefore I didn't want to do that. But it's okay I guess.
naisila
force-pushed
the
naisila/sec_label_role
branch
from
a6eb324
to
58f55e7
Compare
| return; | ||
| } | ||
|
|
||
| ereport(ERROR, |
There was a problem hiding this comment.
let's add such a test for that to make codecov happy, if possible
There was a problem hiding this comment.
Actually I have added this test, I don't know why codecov is not happy xD
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS NULL; | ||
| NOTICE: issuing SECURITY LABEL FOR citus_tests_label_provider ON ROLE user1 IS NULL | ||
| DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx | ||
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS 'citus unclassified'; |
There was a problem hiding this comment.
Can't we reduce the number of providers we have to one; such that we only have the one that requires proper quoting?
initial commit
naisila
force-pushed
the
naisila/sec_label_role
branch
from
58f55e7
to
c36a71a
Compare
DESCRIPTION: Propagates SECURITY LABEL ON ROLE statement
See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the label in the
pg_shseclabelcatalog table.We propagate
SECURITY LABEL [for provider] ON ROLE rolename IS labelnameto the worker nodes.We also make sure to run the relevant
SecLabelStmtcommands on a newly added node by looking at roles found inpg_shseclabel.This commit also fixes the regex string in
check_gucs_are_alphabetically_sorted.shscript such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should.New Note to reviewer: To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension.
Old Note to reviewer: in the current test, I did what I could to ensure that I am connecting to the worker node with the same connection. This is needed to ensure that when I create the label provider, it is visible by the next command. If there is a better way to ensure commands to be in the same connection, let me know. There is a small issue in
citus_add_node()- I couldn't find a way to test the successful completion of that one. However, through logged remote commands, we can see it fails when trying to propagate the SecLabel statement.Old TODOs: