-- This test script fails if debug_discard_caches is enabled, because cache -- flushes cause extra calls of the OAT hook in recomputeNamespacePath, -- resulting in more NOTICE messages than are in the expected output. SET debug_discard_caches = 0; -- Creating privileges on a placeholder GUC should create entries in the -- pg_parameter_acl catalog which conservatively grant no privileges to public. CREATE ROLE regress_role_joe; GRANT SET ON PARAMETER test_oat_hooks.user_var1 TO regress_role_joe; GRANT SET ON PARAMETER test_oat_hooks.super_var1 TO regress_role_joe; -- SET commands fire both the ProcessUtility_hook and the -- object_access_hook_str. Since the auditing GUC starts out false, we miss the -- initial "attempting" audit message from the ProcessUtility_hook, but we -- should thereafter see the audit messages. LOAD 'test_oat_hooks'; SET test_oat_hooks.audit = true; NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [test_oat_hooks.audit] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [test_oat_hooks.audit] NOTICE: in process utility: superuser finished SET -- Creating privileges on an existent custom GUC should create precisely the -- right privileges, not overly conservative ones. GRANT SET ON PARAMETER test_oat_hooks.user_var2 TO regress_role_joe; NOTICE: in process utility: superuser attempting GRANT NOTICE: in process utility: superuser finished GRANT GRANT SET ON PARAMETER test_oat_hooks.super_var2 TO regress_role_joe; NOTICE: in process utility: superuser attempting GRANT NOTICE: in process utility: superuser finished GRANT -- Granting multiple privileges on a parameter should be reported correctly to -- the OAT hook, but beware that WITH GRANT OPTION is not represented. GRANT SET, ALTER SYSTEM ON PARAMETER none.such TO regress_role_joe; NOTICE: in process utility: superuser attempting GRANT NOTICE: in process utility: superuser finished GRANT GRANT SET, ALTER SYSTEM ON PARAMETER another.bogus TO regress_role_joe WITH GRANT OPTION; NOTICE: in process utility: superuser attempting GRANT NOTICE: in process utility: superuser finished GRANT -- Check when the hooks fire relative to dependency based abort of a drop DROP ROLE regress_role_joe; NOTICE: in process utility: superuser attempting DROP ROLE NOTICE: in object access: superuser attempting drop (subId=0x0) [] NOTICE: in object access: superuser finished drop (subId=0x0) [] ERROR: role "regress_role_joe" cannot be dropped because some objects depend on it DETAIL: privileges for parameter test_oat_hooks.user_var1 privileges for parameter test_oat_hooks.super_var1 privileges for parameter test_oat_hooks.user_var2 privileges for parameter test_oat_hooks.super_var2 privileges for parameter none.such privileges for parameter another.bogus -- Check the behavior of the hooks relative to do-nothing grants and revokes GRANT SET ON PARAMETER maintenance_work_mem TO PUBLIC; NOTICE: in process utility: superuser attempting GRANT NOTICE: in process utility: superuser finished GRANT REVOKE SET ON PARAMETER maintenance_work_mem FROM PUBLIC; NOTICE: in process utility: superuser attempting REVOKE NOTICE: in process utility: superuser finished REVOKE REVOKE ALTER SYSTEM ON PARAMETER maintenance_work_mem FROM PUBLIC; NOTICE: in process utility: superuser attempting REVOKE NOTICE: in process utility: superuser finished REVOKE -- Check the behavior of the hooks relative to unrecognized parameters GRANT ALL ON PARAMETER "none.such" TO PUBLIC; NOTICE: in process utility: superuser attempting GRANT NOTICE: in process utility: superuser finished GRANT -- Check relative to an operation that causes the catalog entry to be deleted REVOKE ALL ON PARAMETER "none.such" FROM PUBLIC; NOTICE: in process utility: superuser attempting REVOKE NOTICE: in process utility: superuser finished REVOKE -- Create objects for use in the test CREATE USER regress_test_user; NOTICE: in process utility: superuser attempting CREATE ROLE NOTICE: in object access: superuser attempting create (subId=0x0) [explicit] NOTICE: in object access: superuser finished create (subId=0x0) [explicit] NOTICE: in process utility: superuser finished CREATE ROLE CREATE TABLE regress_test_table (t text); NOTICE: in process utility: superuser attempting CREATE TABLE NOTICE: in object access: superuser attempting namespace search (subId=0x0) [no report on violation, allowed] LINE 1: CREATE TABLE regress_test_table (t text); ^ NOTICE: in object access: superuser finished namespace search (subId=0x0) [no report on violation, allowed] LINE 1: CREATE TABLE regress_test_table (t text); ^ NOTICE: in object access: superuser attempting create (subId=0x0) [explicit] NOTICE: in object access: superuser finished create (subId=0x0) [explicit] NOTICE: in object access: superuser attempting create (subId=0x0) [explicit] NOTICE: in object access: superuser finished create (subId=0x0) [explicit] NOTICE: in object access: superuser attempting create (subId=0x0) [explicit] NOTICE: in object access: superuser finished create (subId=0x0) [explicit] NOTICE: in object access: superuser attempting create (subId=0x0) [internal] NOTICE: in object access: superuser finished create (subId=0x0) [internal] NOTICE: in object access: superuser attempting create (subId=0x0) [internal] NOTICE: in object access: superuser finished create (subId=0x0) [internal] NOTICE: in process utility: superuser finished CREATE TABLE CREATE INDEX regress_test_table_t_idx ON regress_test_table (t); NOTICE: in process utility: superuser attempting CREATE INDEX NOTICE: in object access: superuser attempting namespace search (subId=0x0) [no report on violation, allowed] NOTICE: in object access: superuser finished namespace search (subId=0x0) [no report on violation, allowed] NOTICE: in object access: superuser attempting create (subId=0x0) [explicit] NOTICE: in object access: superuser finished create (subId=0x0) [explicit] NOTICE: in process utility: superuser finished CREATE INDEX GRANT SELECT ON Table regress_test_table TO public; NOTICE: in process utility: superuser attempting GRANT NOTICE: in object access: superuser attempting namespace search (subId=0x0) [no report on violation, allowed] NOTICE: in object access: superuser finished namespace search (subId=0x0) [no report on violation, allowed] NOTICE: in process utility: superuser finished GRANT CREATE FUNCTION regress_test_func (t text) RETURNS text AS $$ SELECT $1; $$ LANGUAGE sql; NOTICE: in process utility: superuser attempting CREATE FUNCTION NOTICE: in object access: superuser attempting create (subId=0x0) [explicit] NOTICE: in object access: superuser finished create (subId=0x0) [explicit] NOTICE: in process utility: superuser finished CREATE FUNCTION GRANT EXECUTE ON FUNCTION regress_test_func (text) TO public; NOTICE: in process utility: superuser attempting GRANT NOTICE: in process utility: superuser finished GRANT -- Do a few things as superuser SELECT * FROM regress_test_table; NOTICE: in executor check perms: superuser attempting execute NOTICE: in executor check perms: superuser finished execute t --- (0 rows) SELECT regress_test_func('arg'); NOTICE: in executor check perms: superuser attempting execute NOTICE: in executor check perms: superuser finished execute regress_test_func ------------------- arg (1 row) SET work_mem = 8192; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [work_mem] NOTICE: in process utility: superuser finished SET RESET work_mem; NOTICE: in process utility: superuser attempting RESET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [work_mem] NOTICE: in process utility: superuser finished RESET ALTER SYSTEM SET work_mem = 8192; NOTICE: in process utility: superuser attempting ALTER SYSTEM NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x2000, alter system) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x2000, alter system) [work_mem] NOTICE: in process utility: superuser finished ALTER SYSTEM ALTER SYSTEM RESET work_mem; NOTICE: in process utility: superuser attempting ALTER SYSTEM NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x2000, alter system) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x2000, alter system) [work_mem] NOTICE: in process utility: superuser finished ALTER SYSTEM -- Do those same things as non-superuser SET SESSION AUTHORIZATION regress_test_user; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: non-superuser attempting alter (subId=0x1000, set) [session_authorization] NOTICE: in object_access_hook_str: non-superuser finished alter (subId=0x1000, set) [session_authorization] NOTICE: in process utility: non-superuser finished SET SELECT * FROM regress_test_table; NOTICE: in object access: non-superuser attempting namespace search (subId=0x0) [no report on violation, allowed] LINE 1: SELECT * FROM regress_test_table; ^ NOTICE: in object access: non-superuser finished namespace search (subId=0x0) [no report on violation, allowed] LINE 1: SELECT * FROM regress_test_table; ^ NOTICE: in executor check perms: non-superuser attempting execute NOTICE: in executor check perms: non-superuser finished execute t --- (0 rows) SELECT regress_test_func('arg'); NOTICE: in executor check perms: non-superuser attempting execute NOTICE: in executor check perms: non-superuser finished execute regress_test_func ------------------- arg (1 row) SET work_mem = 8192; NOTICE: in process utility: non-superuser attempting SET NOTICE: in object_access_hook_str: non-superuser attempting alter (subId=0x1000, set) [work_mem] NOTICE: in object_access_hook_str: non-superuser finished alter (subId=0x1000, set) [work_mem] NOTICE: in process utility: non-superuser finished SET RESET work_mem; NOTICE: in process utility: non-superuser attempting RESET NOTICE: in object_access_hook_str: non-superuser attempting alter (subId=0x1000, set) [work_mem] NOTICE: in object_access_hook_str: non-superuser finished alter (subId=0x1000, set) [work_mem] NOTICE: in process utility: non-superuser finished RESET ALTER SYSTEM SET work_mem = 8192; NOTICE: in process utility: non-superuser attempting ALTER SYSTEM ERROR: permission denied to set parameter "work_mem" ALTER SYSTEM RESET work_mem; NOTICE: in process utility: non-superuser attempting ALTER SYSTEM ERROR: permission denied to set parameter "work_mem" SET test_oat_hooks.user_var1 = true; NOTICE: in process utility: non-superuser attempting SET NOTICE: in object_access_hook_str: non-superuser attempting alter (subId=0x1000, set) [test_oat_hooks.user_var1] NOTICE: in object_access_hook_str: non-superuser finished alter (subId=0x1000, set) [test_oat_hooks.user_var1] NOTICE: in process utility: non-superuser finished SET SET test_oat_hooks.super_var1 = true; NOTICE: in process utility: non-superuser attempting SET ERROR: permission denied to set parameter "test_oat_hooks.super_var1" ALTER SYSTEM SET test_oat_hooks.user_var1 = true; NOTICE: in process utility: non-superuser attempting ALTER SYSTEM ERROR: permission denied to set parameter "test_oat_hooks.user_var1" ALTER SYSTEM SET test_oat_hooks.super_var1 = true; NOTICE: in process utility: non-superuser attempting ALTER SYSTEM ERROR: permission denied to set parameter "test_oat_hooks.super_var1" SET test_oat_hooks.user_var2 = true; NOTICE: in process utility: non-superuser attempting SET NOTICE: in object_access_hook_str: non-superuser attempting alter (subId=0x1000, set) [test_oat_hooks.user_var2] NOTICE: in object_access_hook_str: non-superuser finished alter (subId=0x1000, set) [test_oat_hooks.user_var2] NOTICE: in process utility: non-superuser finished SET SET test_oat_hooks.super_var2 = true; NOTICE: in process utility: non-superuser attempting SET ERROR: permission denied to set parameter "test_oat_hooks.super_var2" ALTER SYSTEM SET test_oat_hooks.user_var2 = true; NOTICE: in process utility: non-superuser attempting ALTER SYSTEM ERROR: permission denied to set parameter "test_oat_hooks.user_var2" ALTER SYSTEM SET test_oat_hooks.super_var2 = true; NOTICE: in process utility: non-superuser attempting ALTER SYSTEM ERROR: permission denied to set parameter "test_oat_hooks.super_var2" RESET SESSION AUTHORIZATION; NOTICE: in process utility: non-superuser attempting RESET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [session_authorization] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [session_authorization] NOTICE: in process utility: superuser finished RESET -- Turn off non-superuser permissions SET test_oat_hooks.deny_set_variable = true; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [test_oat_hooks.deny_set_variable] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [test_oat_hooks.deny_set_variable] NOTICE: in process utility: superuser finished SET SET test_oat_hooks.deny_alter_system = true; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [test_oat_hooks.deny_alter_system] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [test_oat_hooks.deny_alter_system] NOTICE: in process utility: superuser finished SET SET test_oat_hooks.deny_object_access = true; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [test_oat_hooks.deny_object_access] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [test_oat_hooks.deny_object_access] NOTICE: in process utility: superuser finished SET SET test_oat_hooks.deny_exec_perms = true; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [test_oat_hooks.deny_exec_perms] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [test_oat_hooks.deny_exec_perms] NOTICE: in process utility: superuser finished SET SET test_oat_hooks.deny_utility_commands = true; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [test_oat_hooks.deny_utility_commands] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [test_oat_hooks.deny_utility_commands] NOTICE: in process utility: superuser finished SET -- Try again as non-superuser with permissions denied SET SESSION AUTHORIZATION regress_test_user; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: non-superuser attempting alter (subId=0x1000, set) [session_authorization] ERROR: permission denied: set session_authorization SELECT * FROM regress_test_table; NOTICE: in object access: superuser attempting namespace search (subId=0x0) [no report on violation, allowed] LINE 1: SELECT * FROM regress_test_table; ^ NOTICE: in object access: superuser finished namespace search (subId=0x0) [no report on violation, allowed] LINE 1: SELECT * FROM regress_test_table; ^ NOTICE: in executor check perms: superuser attempting execute NOTICE: in executor check perms: superuser finished execute t --- (0 rows) SELECT regress_test_func('arg'); NOTICE: in executor check perms: superuser attempting execute NOTICE: in executor check perms: superuser finished execute regress_test_func ------------------- arg (1 row) SET work_mem = 8192; NOTICE: in process utility: superuser attempting SET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [work_mem] NOTICE: in process utility: superuser finished SET RESET work_mem; NOTICE: in process utility: superuser attempting RESET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [work_mem] NOTICE: in process utility: superuser finished RESET ALTER SYSTEM SET work_mem = 8192; NOTICE: in process utility: superuser attempting ALTER SYSTEM NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x2000, alter system) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x2000, alter system) [work_mem] NOTICE: in process utility: superuser finished ALTER SYSTEM ALTER SYSTEM RESET work_mem; NOTICE: in process utility: superuser attempting ALTER SYSTEM NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x2000, alter system) [work_mem] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x2000, alter system) [work_mem] NOTICE: in process utility: superuser finished ALTER SYSTEM -- try labelled drops RESET SESSION AUTHORIZATION; NOTICE: in process utility: superuser attempting RESET NOTICE: in object_access_hook_str: superuser attempting alter (subId=0x1000, set) [session_authorization] NOTICE: in object_access_hook_str: superuser finished alter (subId=0x1000, set) [session_authorization] NOTICE: in process utility: superuser finished RESET DROP INDEX CONCURRENTLY regress_test_table_t_idx; NOTICE: in process utility: superuser attempting DROP INDEX NOTICE: in object access: superuser attempting drop (subId=0x0) [concurrent drop,] NOTICE: in object access: superuser finished drop (subId=0x0) [concurrent drop,] NOTICE: in process utility: superuser finished DROP INDEX -- Clean up SET test_oat_hooks.audit = false; NOTICE: in process utility: superuser attempting SET DROP ROLE regress_role_joe; -- fails ERROR: role "regress_role_joe" cannot be dropped because some objects depend on it DETAIL: privileges for parameter test_oat_hooks.user_var1 privileges for parameter test_oat_hooks.super_var1 privileges for parameter test_oat_hooks.user_var2 privileges for parameter test_oat_hooks.super_var2 privileges for parameter none.such privileges for parameter another.bogus REVOKE ALL PRIVILEGES ON PARAMETER none.such, another.bogus, test_oat_hooks.user_var1, test_oat_hooks.super_var1, test_oat_hooks.user_var2, test_oat_hooks.super_var2 FROM regress_role_joe; DROP ROLE regress_role_joe; DROP ROLE regress_test_user;