diff options
| author | Jeff Davis <jdavis@postgresql.org> | 2021-10-27 12:37:09 -0700 |
|---|---|---|
| committer | Jeff Davis <jdavis@postgresql.org> | 2021-10-27 14:06:30 -0700 |
| commit | 77ea4f94393eb4a16df32b573bf053bedaef2e09 (patch) | |
| tree | c4849ddde9fbba92cbf1ea620741cb48ede59123 | |
| parent | 8af57ad81578f825ac8c46840c841833db205106 (diff) | |
| download | postgresql-77ea4f94393eb4a16df32b573bf053bedaef2e09.tar.gz postgresql-77ea4f94393eb4a16df32b573bf053bedaef2e09.zip | |
Grant memory views to pg_read_all_stats.
Grant privileges on views pg_backend_memory_contexts and
pg_shmem_allocations to the role pg_read_all_stats. Also grant on the
underlying functions that those views depend on.
Author: Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com>
Reviewed-by: Nathan Bossart <bossartn@amazon.com>
Discussion: https://postgr.es/m/CALj2ACWAZo3Ar_EVsn2Zf9irG+hYK3cmh1KWhZS_Od45nd01RA@mail.gmail.com
| -rw-r--r-- | doc/src/sgml/catalogs.sgml | 6 | ||||
| -rw-r--r-- | src/backend/catalog/system_views.sql | 4 | ||||
| -rw-r--r-- | src/include/catalog/catversion.h | 2 | ||||
| -rw-r--r-- | src/test/regress/expected/privileges.out | 47 | ||||
| -rw-r--r-- | src/test/regress/sql/privileges.sql | 25 |
5 files changed, 81 insertions, 3 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml index 00b648a4333..c1d11be73f7 100644 --- a/doc/src/sgml/catalogs.sgml +++ b/doc/src/sgml/catalogs.sgml @@ -9916,7 +9916,8 @@ SCRAM-SHA-256$<replaceable><iteration count></replaceable>:<replaceable>&l <para> By default, the <structname>pg_backend_memory_contexts</structname> view can be - read only by superusers. + read only by superusers or members of the <literal>pg_read_all_stats</literal> + role. </para> </sect1> @@ -12746,7 +12747,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx <para> By default, the <structname>pg_shmem_allocations</structname> view can be - read only by superusers. + read only by superusers or members of the <literal>pg_read_all_stats</literal> + role. </para> </sect1> diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index 55f6e3711d8..eb560955cda 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -621,13 +621,17 @@ CREATE VIEW pg_shmem_allocations AS SELECT * FROM pg_get_shmem_allocations(); REVOKE ALL ON pg_shmem_allocations FROM PUBLIC; +GRANT SELECT ON pg_shmem_allocations TO pg_read_all_stats; REVOKE EXECUTE ON FUNCTION pg_get_shmem_allocations() FROM PUBLIC; +GRANT EXECUTE ON FUNCTION pg_get_shmem_allocations() TO pg_read_all_stats; CREATE VIEW pg_backend_memory_contexts AS SELECT * FROM pg_get_backend_memory_contexts(); REVOKE ALL ON pg_backend_memory_contexts FROM PUBLIC; +GRANT SELECT ON pg_backend_memory_contexts TO pg_read_all_stats; REVOKE EXECUTE ON FUNCTION pg_get_backend_memory_contexts() FROM PUBLIC; +GRANT EXECUTE ON FUNCTION pg_get_backend_memory_contexts() TO pg_read_all_stats; -- Statistics views diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h index 4e276ba6f4d..9faf017457a 100644 --- a/src/include/catalog/catversion.h +++ b/src/include/catalog/catversion.h @@ -53,6 +53,6 @@ */ /* yyyymmddN */ -#define CATALOG_VERSION_NO 202110271 +#define CATALOG_VERSION_NO 202110272 #endif diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out index 83cff902f31..9b91865dcc4 100644 --- a/src/test/regress/expected/privileges.out +++ b/src/test/regress/expected/privileges.out @@ -2413,3 +2413,50 @@ REVOKE TRUNCATE ON lock_table FROM regress_locktable_user; -- clean up DROP TABLE lock_table; DROP USER regress_locktable_user; +-- test to check privileges of system views pg_shmem_allocations and +-- pg_backend_memory_contexts. +-- switch to superuser +\c - +CREATE ROLE regress_readallstats; +SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- no + has_table_privilege +--------------------- + f +(1 row) + +SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- no + has_table_privilege +--------------------- + f +(1 row) + +GRANT pg_read_all_stats TO regress_readallstats; +SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- yes + has_table_privilege +--------------------- + t +(1 row) + +SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- yes + has_table_privilege +--------------------- + t +(1 row) + +-- run query to ensure that functions within views can be executed +SET ROLE regress_readallstats; +SELECT COUNT(*) >= 0 AS ok FROM pg_backend_memory_contexts; + ok +---- + t +(1 row) + +SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations; + ok +---- + t +(1 row) + +RESET ROLE; +-- clean up +DROP ROLE regress_readallstats; diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql index 3d1a1db9870..6353a1cb8cc 100644 --- a/src/test/regress/sql/privileges.sql +++ b/src/test/regress/sql/privileges.sql @@ -1476,3 +1476,28 @@ REVOKE TRUNCATE ON lock_table FROM regress_locktable_user; -- clean up DROP TABLE lock_table; DROP USER regress_locktable_user; + +-- test to check privileges of system views pg_shmem_allocations and +-- pg_backend_memory_contexts. + +-- switch to superuser +\c - + +CREATE ROLE regress_readallstats; + +SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- no +SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- no + +GRANT pg_read_all_stats TO regress_readallstats; + +SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- yes +SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- yes + +-- run query to ensure that functions within views can be executed +SET ROLE regress_readallstats; +SELECT COUNT(*) >= 0 AS ok FROM pg_backend_memory_contexts; +SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations; +RESET ROLE; + +-- clean up +DROP ROLE regress_readallstats; |