mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Grant memory views to pg_read_all_stats.

Browse Source 
Grant privileges on views pg_backend_memory_contexts and
pg_shmem_allocations to the role pg_read_all_stats. Also grant on the
underlying functions that those views depend on.

Author: Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com>
Reviewed-by: Nathan Bossart <bossartn@amazon.com>
Discussion: https://postgr.es/m/CALj2ACWAZo3Ar_EVsn2Zf9irG+hYK3cmh1KWhZS_Od45nd01RA@mail.gmail.com
This commit is contained in:
Jeff Davis 2021-10-27 12:37:09 -07:00
parent 8af57ad815
commit 77ea4f9439
5 changed files with 81 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/src/sgml/catalogs.sgml
View File

@ -9916,7 +9916,8 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l
<para> <para>
By default, the <structname>pg_backend_memory_contexts</structname> view can be By default, the <structname>pg_backend_memory_contexts</structname> view can be
read only by superusers. read only by superusers or members of the <literal>pg_read_all_stats</literal>
role.
</para> </para>
</sect1> </sect1>
@ -12746,7 +12747,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<para> <para>
By default, the <structname>pg_shmem_allocations</structname> view can be By default, the <structname>pg_shmem_allocations</structname> view can be
read only by superusers. read only by superusers or members of the <literal>pg_read_all_stats</literal>
role.
</para> </para>
</sect1> </sect1>

4
src/backend/catalog/system_views.sql
View File

@ -621,13 +621,17 @@ CREATE VIEW pg_shmem_allocations AS
SELECT * FROM pg_get_shmem_allocations(); SELECT * FROM pg_get_shmem_allocations();
REVOKE ALL ON pg_shmem_allocations FROM PUBLIC; REVOKE ALL ON pg_shmem_allocations FROM PUBLIC;
GRANT SELECT ON pg_shmem_allocations TO pg_read_all_stats;
REVOKE EXECUTE ON FUNCTION pg_get_shmem_allocations() FROM PUBLIC; REVOKE EXECUTE ON FUNCTION pg_get_shmem_allocations() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_get_shmem_allocations() TO pg_read_all_stats;
CREATE VIEW pg_backend_memory_contexts AS CREATE VIEW pg_backend_memory_contexts AS
SELECT * FROM pg_get_backend_memory_contexts(); SELECT * FROM pg_get_backend_memory_contexts();
REVOKE ALL ON pg_backend_memory_contexts FROM PUBLIC; REVOKE ALL ON pg_backend_memory_contexts FROM PUBLIC;
GRANT SELECT ON pg_backend_memory_contexts TO pg_read_all_stats;
REVOKE EXECUTE ON FUNCTION pg_get_backend_memory_contexts() FROM PUBLIC; REVOKE EXECUTE ON FUNCTION pg_get_backend_memory_contexts() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_get_backend_memory_contexts() TO pg_read_all_stats;
-- Statistics views -- Statistics views

2
src/include/catalog/catversion.h
View File

@ -53,6 +53,6 @@
*/ */
/* yyyymmddN */ /* yyyymmddN */
#define CATALOG_VERSION_NO 202110271 #define CATALOG_VERSION_NO 202110272
#endif #endif

47
src/test/regress/expected/privileges.out
View File

@ -2413,3 +2413,50 @@ REVOKE TRUNCATE ON lock_table FROM regress_locktable_user;
-- clean up -- clean up
DROP TABLE lock_table; DROP TABLE lock_table;
DROP USER regress_locktable_user; DROP USER regress_locktable_user;
-- test to check privileges of system views pg_shmem_allocations and
-- pg_backend_memory_contexts.
-- switch to superuser
\c -
CREATE ROLE regress_readallstats;
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- no
has_table_privilege
---------------------
f
(1 row)
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- no
has_table_privilege
---------------------
f
(1 row)
GRANT pg_read_all_stats TO regress_readallstats;
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- yes
has_table_privilege
---------------------
t
(1 row)
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- yes
has_table_privilege
---------------------
t
(1 row)
-- run query to ensure that functions within views can be executed
SET ROLE regress_readallstats;
SELECT COUNT(*) >= 0 AS ok FROM pg_backend_memory_contexts;
ok
----
t
(1 row)
SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations;
ok
----
t
(1 row)
RESET ROLE;
-- clean up
DROP ROLE regress_readallstats;

25
src/test/regress/sql/privileges.sql
View File

@ -1476,3 +1476,28 @@ REVOKE TRUNCATE ON lock_table FROM regress_locktable_user;
-- clean up -- clean up
DROP TABLE lock_table; DROP TABLE lock_table;
DROP USER regress_locktable_user; DROP USER regress_locktable_user;
-- test to check privileges of system views pg_shmem_allocations and
-- pg_backend_memory_contexts.
-- switch to superuser
\c -
CREATE ROLE regress_readallstats;
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- no
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- no
GRANT pg_read_all_stats TO regress_readallstats;
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- yes
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- yes
-- run query to ensure that functions within views can be executed
SET ROLE regress_readallstats;
SELECT COUNT(*) >= 0 AS ok FROM pg_backend_memory_contexts;
SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations;
RESET ROLE;
-- clean up
DROP ROLE regress_readallstats;