Major improvements to auth #983

Merged
merged 1 commit into from
Nov 20, 2024

Hydrocharged
Collaborator

This adds a myriad of tests, in addition to:

  • Schema-Wide Table Privileges
  • Schema Privileges
  • Database Privileges
  • Role Memberships

There are also many smaller changes, such as disallowing non-superusers from modifying superusers, and many more.

Contributor

github-actions bot commented Nov 19, 2024

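| | Main | PR |
| --- | --- | --- |
| Total | 42090 | 42090 |
| Successful | 14517 | 14534 |
| Failures | 27573 | 27556 |
| Partial Successes [1] | 4689 | 4689 |

| | Main | PR |
| --- | --- | --- |
| Successful | 34.4904% | 34.5308% |
| Failures | 65.5096% | 65.4692% |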

${\color{lightgreen}Progressions}$

alter_generic

QUERY: GRANT ALL ON SCHEMA alt_nsp1, alt_nsp2 TO public;

create_function_sql

QUERY: GRANT ALL ON SCHEMA temp_func_test TO public;

create_index

QUERY: GRANT USAGE ON SCHEMA pg_toast TO regress_reindexuser;

create_operator

QUERY: GRANT USAGE ON SCHEMA schema_op1 TO PUBLIC;

dependency

QUERY: GRANT CREATE ON DATABASE regression TO regress_dep_user1;

lock

QUERY: GRANT USAGE ON SCHEMA lock_schema1 TO regress_rol_lock1;

matview

QUERY: GRANT ALL ON SCHEMA matview_schema TO public;

publication

QUERY: GRANT CREATE ON DATABASE regression TO regress_publication_user2;
QUERY: GRANT regress_publication_user TO regress_publication_user2;
QUERY: REVOKE CREATE ON DATABASE regression FROM regress_publication_user2;

rowsecurity

QUERY: GRANT regress_rls_group1 TO regress_rls_bob;
QUERY: GRANT regress_rls_group2 TO regress_rls_carol;
QUERY: GRANT ALL ON SCHEMA regress_rls_schema to public;

select_into

QUERY: GRANT ALL ON SCHEMA selinto_schema TO public;

stats_ext

QUERY: GRANT USAGE ON SCHEMA tststats TO regress_stats_user1;

tablespace

QUERY: GRANT USAGE ON SCHEMA testschema TO regress_tablespace_user2;

test_setup

QUERY: GRANT ALL ON SCHEMA public TO public;

${\color{lightgreen}Total Progressions: 17}$

Footnotes

  1. These are tests that we're marking as Successful, however they do not match the expected output in some way. This is due to small differences, such as different wording on the error messages, or the column names being incorrect while the data itself is correct.

Member

@zachmu zachmu left a comment

LGTM, just minor comments

return fmt.Errorf("table identifiers has an unsupported count: %d", len(auth.TargetNames))
}
for i := 0; i < len(auth.TargetNames); i += 3 {
// TODO: handle database
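Review bot: The `// TODO: handle database` inside the `for i := 0; i < len(auth.TargetNames); i += 3` loop suggests that one element of each three-part identifier is not yet consulted, so in this privilege path a name qualified with a different database would presumably be treated as if it referred to the current one. Until cross-database targets are supported, consider returning an error when that element is set and differs from the current database, or expand the TODO to state the intended fallback and reference a tracking issue. Minor: the error message above reads "table identifiers has"; "have" would be correct.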
Member

Might do a check for current DB and error if it doesn't match

Member

Same comment elsewhere this happens

Collaborator Author

I think we access other DBs in the workbench. At least, tests seemingly related to those fail when I enforce this. So I reverted it and left these as TODOs for now

server/auth/ownership.go (outdated, resolved)
server/node/grant.go (outdated, resolved)
@Hydrocharged force-pushed the daylon/auth-improvements branch from 5f3c529 to 50f35fe on November 20, 2024 08:20
@Hydrocharged force-pushed the daylon/auth-improvements branch from 50f35fe to ce8fa1e on November 20, 2024 08:53
@Hydrocharged force-pushed the daylon/auth-improvements branch from ce8fa1e to af650d2 on November 20, 2024 09:07
@Hydrocharged merged commit 02da22e into main on Nov 20, 2024
13 checks passed
@Hydrocharged deleted the daylon/auth-improvements branch on November 20, 2024 09:29