authorPeter Eisentraut <peter_e@gmx.net>2009-01-20 09:10:20 +0000
committerPeter Eisentraut <peter_e@gmx.net>2009-01-20 09:10:20 +0000
commit93a6be63a55a8cd0d73b3fa81eb6a46013a3a974 (patch)
tree687e12b06f610c10bd3acf2210275fbeb7cdfb84 /src/test
parentfe626982182bd1c8cd2606027a4d49a2f31a01c3 (diff)
Revise the permission checking on user mapping DDL commands.
CREATE/ALTER/DROP USER MAPPING are now allowed either by the server owner or by a user with USAGE privileges for his own user name. This is more or less what the SQL standard wants anyway (plus "implementation-defined"). Hide information_schema.user_mapping_options.option_value, unless the current user is the one associated with the user mapping, or is the server owner and the mapping is for PUBLIC, or is a superuser. This is to protect passwords. Also, fix a bug in information_schema._pg_foreign_servers, which hid servers using wrappers where the current user did not have privileges on the wrapper. The correct behavior is to hide servers where the current user has no privileges on the server.
Diffstat (limited to 'src/test')
-rw-r--r--src/test/regress/expected/foreign_data.out15
-rw-r--r--src/test/regress/sql/foreign_data.sql4
2 files changed, 14 insertions, 5 deletions
diff --git a/src/test/regress/expected/foreign_data.out b/src/test/regress/expected/foreign_data.out
index 35dcae672b4..62d060b209a 100644
--- a/src/test/regress/expected/foreign_data.out
+++ b/src/test/regress/expected/foreign_data.out
@@ -545,7 +545,7 @@ SET ROLE regress_test_role;
CREATE USER MAPPING FOR current_user SERVER s5;
CREATE USER MAPPING FOR current_user SERVER s6 OPTIONS (username 'test');
CREATE USER MAPPING FOR current_user SERVER s7; -- ERROR
-ERROR: must be owner of foreign server s7
+ERROR: permission denied for foreign server s7
CREATE USER MAPPING FOR public SERVER s8; -- ERROR
ERROR: must be owner of foreign server s8
RESET ROLE;
@@ -736,6 +736,13 @@ SELECT * FROM information_schema.role_usage_grants WHERE object_type LIKE 'FOREI
(2 rows)
DROP USER MAPPING FOR current_user SERVER st1;
+SET ROLE regress_test_role2;
+SELECT * FROM information_schema.user_mapping_options ORDER BY 1, 2, 3, 4;
+ authorization_identifier | foreign_server_catalog | foreign_server_name | option_name | option_value
+--------------------------+------------------------+---------------------+-------------+--------------
+ regress_test_role | regression | s6 | username |
+(1 row)
+
RESET ROLE;
-- has_foreign_data_wrapper_privilege
SELECT has_foreign_data_wrapper_privilege('regress_test_role',
@@ -932,8 +939,7 @@ ALTER SERVER s9 VERSION '1.2'; -- ERROR
ERROR: must be owner of foreign server s9
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role; -- WARNING
WARNING: no privileges were granted for "s9"
-CREATE USER MAPPING FOR current_user SERVER s9; -- ERROR
-ERROR: must be owner of foreign server s9
+CREATE USER MAPPING FOR current_user SERVER s9;
DROP SERVER s9 CASCADE; -- ERROR
ERROR: must be owner of foreign server s9
RESET ROLE;
@@ -953,11 +959,12 @@ NOTICE: drop cascades to user mapping for public
DROP SERVER st2;
DROP USER MAPPING FOR regress_test_role SERVER s6;
DROP FOREIGN DATA WRAPPER foo CASCADE;
-NOTICE: drop cascades to 4 other objects
+NOTICE: drop cascades to 5 other objects
DETAIL: drop cascades to server s4
drop cascades to user mapping for foreign_data_user
drop cascades to server s6
drop cascades to server s9
+drop cascades to user mapping for unprivileged_role
DROP SERVER s8 CASCADE;
NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to user mapping for foreign_data_user
diff --git a/src/test/regress/sql/foreign_data.sql b/src/test/regress/sql/foreign_data.sql
index 1424fc68f08..c52fe912c1d 100644
--- a/src/test/regress/sql/foreign_data.sql
+++ b/src/test/regress/sql/foreign_data.sql
@@ -273,6 +273,8 @@ SELECT * FROM information_schema.user_mapping_options ORDER BY 1, 2, 3, 4;
SELECT * FROM information_schema.usage_privileges WHERE object_type LIKE 'FOREIGN%' ORDER BY 1, 2, 3, 4, 5;
SELECT * FROM information_schema.role_usage_grants WHERE object_type LIKE 'FOREIGN%' ORDER BY 1, 2, 3, 4, 5;
DROP USER MAPPING FOR current_user SERVER st1;
+SET ROLE regress_test_role2;
+SELECT * FROM information_schema.user_mapping_options ORDER BY 1, 2, 3, 4;
RESET ROLE;
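Review bot: The added `SET ROLE regress_test_role2; SELECT ...` pair pins only one of the visibility rules from the commit message: a role that is not the mapped user gets an empty `option_value` for the s6 mapping. The hunk does not show a matching check that the mapped user, a server owner looking at a PUBLIC mapping, or a superuser still sees the value, nor that a server owner is refused the value of another user's non-PUBLIC mapping; those may exist outside the hunk, but if not they are worth adding, since this view is what keeps stored passwords from other roles. The new lines also carry no comment saying why the result matters; something like `-- option_value must be hidden from roles other than the mapped user` above the `SET ROLE` would tell a later maintainer that a non-empty value in the expected output is a disclosure regression rather than a cosmetic diff.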
@@ -365,7 +367,7 @@ GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role;
SET ROLE unprivileged_role;
ALTER SERVER s9 VERSION '1.2'; -- ERROR
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role; -- WARNING
-CREATE USER MAPPING FOR current_user SERVER s9; -- ERROR
+CREATE USER MAPPING FOR current_user SERVER s9;
DROP SERVER s9 CASCADE; -- ERROR
RESET ROLE;
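Review bot: Dropping the `-- ERROR` marker on `CREATE USER MAPPING FOR current_user SERVER s9;` leaves this block with no negative case for the new rule. The commit message limits the USAGE-based permission to the caller's own user name, so a line such as `CREATE USER MAPPING FOR regress_test_role SERVER s9; -- ERROR` and one for `public` right after the now-successful statement would pin that unprivileged_role cannot create mappings for anyone else; I cannot tell from the hunk whether that is covered elsewhere in the file. The mapping created here is also never dropped in this block, and the expected output shows it removed only by the later `DROP FOREIGN DATA WRAPPER foo CASCADE`, so a short comment noting that this is intentional would help.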