Add continuous agg permission tests

Make sure that you can't add a view to a schema without CREATE privileges. Nor can you use function where you don't have EXECUTE privileges. The latter case is also tested with background workers.
2025-05-17 02:53:51 +08:00 · 2019-06-19 21:35:31 -04:00 · 2019-06-19 21:35:31 -04:00 · 3c385b8833
commit 3c385b8833
parent afdb3269a8
6 changed files with 207 additions and 14 deletions
--- a/tsl/test/expected/continuous_aggs_bgw.out
+++ b/tsl/test/expected/continuous_aggs_bgw.out
@ -19,6 +19,12 @@ CREATE OR REPLACE FUNCTION ts_bgw_params_reset_time(set_time BIGINT = 0, wait BO
 AS :MODULE_PATHNAME LANGUAGE C VOLATILE;
 --test that this all works under the community license
 ALTER DATABASE :TEST_DBNAME SET timescaledb.license_key='Community';
+--create a function with no permissions to execute
+CREATE FUNCTION get_constant_no_perms() RETURNS INTEGER LANGUAGE SQL IMMUTABLE AS
+$BODY$
+    SELECT 10;
+$BODY$;
+REVOKE EXECUTE ON FUNCTION get_constant_no_perms() FROM PUBLIC;
 \set WAIT_ON_JOB 0
 \set IMMEDIATELY_SET_UNTIL 1
 \set WAIT_FOR_OTHER_TO_ADVANCE 2
@ -290,7 +296,7 @@ SELECT * FROM test_continuous_agg_view ORDER BY 1;
           4 |     9
 (3 rows)

-\x
+\x on
 --check the information views --
 select view_name, view_owner, refresh_lag, refresh_interval, max_interval_per_job, materialization_hypertable
 from timescaledb_information.continuous_aggregates
@ -320,7 +326,34 @@ invalidation_threshold | 6
 job_status             | scheduled
 last_run_duration      | 

-\x
+\x off
+DROP VIEW test_continuous_agg_view CASCADE;
+NOTICE:  drop cascades to table _timescaledb_internal._hyper_3_4_chunk
+--create a view with a function that it has no permission to execute
+CREATE VIEW test_continuous_agg_view
+    WITH (timescaledb.continuous,
+        timescaledb.max_interval_per_job='2',
+        timescaledb.refresh_lag='-2')
+    AS SELECT time_bucket('2', time), SUM(data) as value, get_constant_no_perms()
+        FROM test_continuous_agg_table
+        GROUP BY 1;
+NOTICE:  adding index _materialized_hypertable_4_get_constant_no_perms_time_bucke_idx ON _timescaledb_internal._materialized_hypertable_4 USING BTREE(get_constant_no_perms, time_bucket)
+SELECT job_id FROM _timescaledb_catalog.continuous_agg ORDER BY job_id desc limit 1 \gset
+SELECT ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish(25);
+ ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish 
+------------------------------------------------------------
+ 
+(1 row)
+
+-- job fails
+SELECT job_id, next_start, last_finish as until_next, last_run_success, total_runs, total_successes, total_failures, total_crashes
+    FROM _timescaledb_internal.bgw_job_stat
+    where job_id=:job_id;
+ job_id |            next_start            |            until_next            | last_run_success | total_runs | total_successes | total_failures | total_crashes 
+--------+----------------------------------+----------------------------------+------------------+------------+-----------------+----------------+---------------
+   1002 | Sat Jan 01 04:00:00.075 2000 PST | Fri Dec 31 16:00:00.075 1999 PST | f                |          1 |               0 |              1 |             0
+(1 row)
+
 --
 -- Test creating continuous aggregate with a user that is the non-owner of the raw table
 --
@ -329,7 +362,7 @@ SELECT create_hypertable('test_continuous_agg_table_w_grant', 'time', chunk_time
 NOTICE:  adding not-null constraint to column "time"
               create_hypertable                
 ------------------------------------------------
- (4,public,test_continuous_agg_table_w_grant,t)
+ (5,public,test_continuous_agg_table_w_grant,t)
 (1 row)

 GRANT SELECT, TRIGGER ON test_continuous_agg_table_w_grant TO public;
@ -355,9 +388,9 @@ SELECT ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish(25);
 SELECT job_id, next_start, last_finish as until_next, last_run_success, total_runs, total_successes, total_failures, total_crashes
    FROM _timescaledb_internal.bgw_job_stat
    where job_id=:job_id;
- job_id |            next_start            |            until_next            | last_run_success | total_runs | total_successes | total_failures | total_crashes 
--------+----------------------------------+----------------------------------+------------------+------------+-----------------+----------------+---------------
-   1002 | Fri Dec 31 16:00:00.075 1999 PST | Fri Dec 31 16:00:00.075 1999 PST | t                |          1 |               1 |              0 |             0
+ job_id |           next_start           |           until_next           | last_run_success | total_runs | total_successes | total_failures | total_crashes 
+--------+--------------------------------+--------------------------------+------------------+------------+-----------------+----------------+---------------
+   1003 | Fri Dec 31 16:00:00.1 1999 PST | Fri Dec 31 16:00:00.1 1999 PST | t                |          1 |               1 |              0 |             0
 (1 row)

 --view is populated
@ -371,6 +404,7 @@ SELECT * FROM test_continuous_agg_view_user_2;
 --revoke permissions from the continuous agg view owner to select from raw table
 --no further updates to cont agg should happen
 REVOKE SELECT ON test_continuous_agg_table_w_grant FROM public;
+INSERT INTO test_continuous_agg_table_w_grant VALUES(1,1);
 \c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
 SELECT ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish(25, 25);
 ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish 
@ -382,9 +416,9 @@ SELECT ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish(25, 25);
 SELECT job_id, next_start, last_finish as until_next, last_run_success, total_runs, total_successes, total_failures, total_crashes
    FROM _timescaledb_internal.bgw_job_stat
    where job_id=:job_id;
- job_id |           next_start           |           until_next           | last_run_success | total_runs | total_successes | total_failures | total_crashes 
--------+--------------------------------+--------------------------------+------------------+------------+-----------------+----------------+---------------
-   1002 | Sat Jan 01 04:00:00.1 2000 PST | Fri Dec 31 16:00:00.1 1999 PST | f                |          2 |               1 |              1 |             0
+ job_id |            next_start            |            until_next            | last_run_success | total_runs | total_successes | total_failures | total_crashes 
+--------+----------------------------------+----------------------------------+------------------+------------+-----------------+----------------+---------------
+   1003 | Sat Jan 01 04:00:00.125 2000 PST | Fri Dec 31 16:00:00.125 1999 PST | f                |          2 |               1 |              1 |             0
 (1 row)

 --view was NOT updated; but the old stuff is still there
--- a/tsl/test/expected/continuous_aggs_permissions-10.out
+++ b/tsl/test/expected/continuous_aggs_permissions-10.out
@ -88,6 +88,13 @@ insert into conditions_for_perm_check_w_grant
 select generate_series(0, 30, 10), 'POR', 55, 75, 40, 70, NULL;
 --need both select and trigger permissions to create a materialized view on top of it.
 GRANT SELECT, TRIGGER ON conditions_for_perm_check_w_grant TO public;
+\c  :TEST_DBNAME :ROLE_SUPERUSER
+create schema custom_schema;
+CREATE FUNCTION get_constant() RETURNS INTEGER LANGUAGE SQL IMMUTABLE AS
+$BODY$
+    SELECT 10;
+$BODY$;
+REVOKE EXECUTE ON FUNCTION get_constant() FROM PUBLIC;
 \c  :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
 \set ON_ERROR_STOP 0
 select from alter_job_schedule(:cagg_job_id, max_runtime => NULL);
@ -115,6 +122,31 @@ from conditions_for_perm_check
 group by time_bucket(100, timec), location;
 NOTICE:  adding index _materialized_hypertable_5_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_5 USING BTREE(location, time_partition_col)
 ERROR:  permission denied for relation conditions_for_perm_check
+--cannot create mat view in a schema without create privileges
+create or replace view custom_schema.mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity)
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+NOTICE:  adding index _materialized_hypertable_6_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_6 USING BTREE(location, time_partition_col)
+ERROR:  permission denied for schema custom_schema
+--cannot use a function without EXECUTE privileges
+--you can create a VIEW but cannot refresh it
+create or replace view mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity), get_constant()
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+NOTICE:  adding index _materialized_hypertable_7_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_7 USING BTREE(location, time_partition_col)
+NOTICE:  adding index _materialized_hypertable_7_get_constant_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_7 USING BTREE(get_constant, time_partition_col)
+--this should fail
+REFRESH MATERIALIZED VIEW mat_perm_view_test;
+INFO:  new materialization range for public.conditions_for_perm_check_w_grant (time column timec) (200)
+INFO:  materializing continuous aggregate public.mat_perm_view_test: new range up to 200
+ERROR:  permission denied for function get_constant
+DROP VIEW mat_perm_view_test CASCADE;
 --can create a mat view on something with select and trigger grants
 create or replace view mat_perm_view_test
 WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
@ -122,7 +154,7 @@ as
 select location, max(humidity)
 from conditions_for_perm_check_w_grant
 group by time_bucket(100, timec), location;
-NOTICE:  adding index _materialized_hypertable_6_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_6 USING BTREE(location, time_partition_col)
+NOTICE:  adding index _materialized_hypertable_8_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_8 USING BTREE(location, time_partition_col)
 REFRESH MATERIALIZED VIEW mat_perm_view_test;
 INFO:  new materialization range for public.conditions_for_perm_check_w_grant (time column timec) (200)
 INFO:  materializing continuous aggregate public.mat_perm_view_test: new range up to 200
--- a/tsl/test/expected/continuous_aggs_permissions-11.out
+++ b/tsl/test/expected/continuous_aggs_permissions-11.out
@ -88,6 +88,13 @@ insert into conditions_for_perm_check_w_grant
 select generate_series(0, 30, 10), 'POR', 55, 75, 40, 70, NULL;
 --need both select and trigger permissions to create a materialized view on top of it.
 GRANT SELECT, TRIGGER ON conditions_for_perm_check_w_grant TO public;
+\c  :TEST_DBNAME :ROLE_SUPERUSER
+create schema custom_schema;
+CREATE FUNCTION get_constant() RETURNS INTEGER LANGUAGE SQL IMMUTABLE AS
+$BODY$
+    SELECT 10;
+$BODY$;
+REVOKE EXECUTE ON FUNCTION get_constant() FROM PUBLIC;
 \c  :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
 \set ON_ERROR_STOP 0
 select from alter_job_schedule(:cagg_job_id, max_runtime => NULL);
@ -115,6 +122,31 @@ from conditions_for_perm_check
 group by time_bucket(100, timec), location;
 NOTICE:  adding index _materialized_hypertable_5_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_5 USING BTREE(location, time_partition_col)
 ERROR:  permission denied for table conditions_for_perm_check
+--cannot create mat view in a schema without create privileges
+create or replace view custom_schema.mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity)
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+NOTICE:  adding index _materialized_hypertable_6_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_6 USING BTREE(location, time_partition_col)
+ERROR:  permission denied for schema custom_schema
+--cannot use a function without EXECUTE privileges
+--you can create a VIEW but cannot refresh it
+create or replace view mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity), get_constant()
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+NOTICE:  adding index _materialized_hypertable_7_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_7 USING BTREE(location, time_partition_col)
+NOTICE:  adding index _materialized_hypertable_7_get_constant_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_7 USING BTREE(get_constant, time_partition_col)
+--this should fail
+REFRESH MATERIALIZED VIEW mat_perm_view_test;
+INFO:  new materialization range for public.conditions_for_perm_check_w_grant (time column timec) (200)
+INFO:  materializing continuous aggregate public.mat_perm_view_test: new range up to 200
+ERROR:  permission denied for function get_constant
+DROP VIEW mat_perm_view_test CASCADE;
 --can create a mat view on something with select and trigger grants
 create or replace view mat_perm_view_test
 WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
@ -122,7 +154,7 @@ as
 select location, max(humidity)
 from conditions_for_perm_check_w_grant
 group by time_bucket(100, timec), location;
-NOTICE:  adding index _materialized_hypertable_6_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_6 USING BTREE(location, time_partition_col)
+NOTICE:  adding index _materialized_hypertable_8_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_8 USING BTREE(location, time_partition_col)
 REFRESH MATERIALIZED VIEW mat_perm_view_test;
 INFO:  new materialization range for public.conditions_for_perm_check_w_grant (time column timec) (200)
 INFO:  materializing continuous aggregate public.mat_perm_view_test: new range up to 200
--- a/tsl/test/expected/continuous_aggs_permissions-9.6.out
+++ b/tsl/test/expected/continuous_aggs_permissions-9.6.out
@ -88,6 +88,13 @@ insert into conditions_for_perm_check_w_grant
 select generate_series(0, 30, 10), 'POR', 55, 75, 40, 70, NULL;
 --need both select and trigger permissions to create a materialized view on top of it.
 GRANT SELECT, TRIGGER ON conditions_for_perm_check_w_grant TO public;
+\c  :TEST_DBNAME :ROLE_SUPERUSER
+create schema custom_schema;
+CREATE FUNCTION get_constant() RETURNS INTEGER LANGUAGE SQL IMMUTABLE AS
+$BODY$
+    SELECT 10;
+$BODY$;
+REVOKE EXECUTE ON FUNCTION get_constant() FROM PUBLIC;
 \c  :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
 \set ON_ERROR_STOP 0
 select from alter_job_schedule(:cagg_job_id, max_runtime => NULL);
@ -115,6 +122,31 @@ from conditions_for_perm_check
 group by time_bucket(100, timec), location;
 NOTICE:  adding index _materialized_hypertable_5_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_5 USING BTREE(location, time_partition_col)
 ERROR:  permission denied for relation conditions_for_perm_check
+--cannot create mat view in a schema without create privileges
+create or replace view custom_schema.mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity)
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+NOTICE:  adding index _materialized_hypertable_6_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_6 USING BTREE(location, time_partition_col)
+ERROR:  permission denied for schema custom_schema
+--cannot use a function without EXECUTE privileges
+--you can create a VIEW but cannot refresh it
+create or replace view mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity), get_constant()
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+NOTICE:  adding index _materialized_hypertable_7_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_7 USING BTREE(location, time_partition_col)
+NOTICE:  adding index _materialized_hypertable_7_get_constant_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_7 USING BTREE(get_constant, time_partition_col)
+--this should fail
+REFRESH MATERIALIZED VIEW mat_perm_view_test;
+INFO:  new materialization range for public.conditions_for_perm_check_w_grant (time column timec) (200)
+INFO:  materializing continuous aggregate public.mat_perm_view_test: new range up to 200
+ERROR:  permission denied for function get_constant
+DROP VIEW mat_perm_view_test CASCADE;
 --can create a mat view on something with select and trigger grants
 create or replace view mat_perm_view_test
 WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
@ -122,7 +154,7 @@ as
 select location, max(humidity)
 from conditions_for_perm_check_w_grant
 group by time_bucket(100, timec), location;
-NOTICE:  adding index _materialized_hypertable_6_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_6 USING BTREE(location, time_partition_col)
+NOTICE:  adding index _materialized_hypertable_8_location_time_partition_col_idx ON _timescaledb_internal._materialized_hypertable_8 USING BTREE(location, time_partition_col)
 REFRESH MATERIALIZED VIEW mat_perm_view_test;
 INFO:  new materialization range for public.conditions_for_perm_check_w_grant (time column timec) (200)
 INFO:  materializing continuous aggregate public.mat_perm_view_test: new range up to 200
--- a/tsl/test/sql/continuous_aggs_bgw.sql
+++ b/tsl/test/sql/continuous_aggs_bgw.sql
@ -27,6 +27,14 @@ AS :MODULE_PATHNAME LANGUAGE C VOLATILE;
 --test that this all works under the community license
 ALTER DATABASE :TEST_DBNAME SET timescaledb.license_key='Community';

+--create a function with no permissions to execute
+
+CREATE FUNCTION get_constant_no_perms() RETURNS INTEGER LANGUAGE SQL IMMUTABLE AS
+$BODY$
+    SELECT 10;
+$BODY$;
+REVOKE EXECUTE ON FUNCTION get_constant_no_perms() FROM PUBLIC;
+
 \set WAIT_ON_JOB 0
 \set IMMEDIATELY_SET_UNTIL 1
 \set WAIT_FOR_OTHER_TO_ADVANCE 2
@ -164,7 +172,7 @@ SELECT job_id, next_start, last_finish as until_next, last_run_success, total_ru
 -- data at 4
 SELECT * FROM test_continuous_agg_view ORDER BY 1;

-\x
+\x on
 --check the information views --
 select view_name, view_owner, refresh_lag, refresh_interval, max_interval_per_job, materialization_hypertable
 from timescaledb_information.continuous_aggregates
@ -175,7 +183,28 @@ where view_name::text like '%test_continuous_agg_view';

 select view_name, completed_threshold, invalidation_threshold, job_status, last_run_duration from timescaledb_information.continuous_aggregate_stats where view_name::text like '%test_continuous_agg_view';

-\x
+\x off
+
+DROP VIEW test_continuous_agg_view CASCADE;
+
+--create a view with a function that it has no permission to execute
+CREATE VIEW test_continuous_agg_view
+    WITH (timescaledb.continuous,
+        timescaledb.max_interval_per_job='2',
+        timescaledb.refresh_lag='-2')
+    AS SELECT time_bucket('2', time), SUM(data) as value, get_constant_no_perms()
+        FROM test_continuous_agg_table
+        GROUP BY 1;
+
+SELECT job_id FROM _timescaledb_catalog.continuous_agg ORDER BY job_id desc limit 1 \gset
+
+SELECT ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish(25);
+
+-- job fails
+SELECT job_id, next_start, last_finish as until_next, last_run_success, total_runs, total_successes, total_failures, total_crashes
+    FROM _timescaledb_internal.bgw_job_stat
+    where job_id=:job_id;
+

 --
 -- Test creating continuous aggregate with a user that is the non-owner of the raw table
@ -215,6 +244,8 @@ SELECT * FROM test_continuous_agg_view_user_2;
 --no further updates to cont agg should happen
 REVOKE SELECT ON test_continuous_agg_table_w_grant FROM public;

+INSERT INTO test_continuous_agg_table_w_grant VALUES(1,1);
+
 \c :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
 SELECT ts_bgw_db_scheduler_test_run_and_wait_for_scheduler_finish(25, 25);

--- a/tsl/test/sql/continuous_aggs_permissions.sql.in
+++ b/tsl/test/sql/continuous_aggs_permissions.sql.in
@ -87,6 +87,17 @@ select generate_series(0, 30, 10), 'POR', 55, 75, 40, 70, NULL;
 --need both select and trigger permissions to create a materialized view on top of it.
 GRANT SELECT, TRIGGER ON conditions_for_perm_check_w_grant TO public;

+\c  :TEST_DBNAME :ROLE_SUPERUSER
+
+create schema custom_schema;
+
+CREATE FUNCTION get_constant() RETURNS INTEGER LANGUAGE SQL IMMUTABLE AS
+$BODY$
+    SELECT 10;
+$BODY$;
+
+REVOKE EXECUTE ON FUNCTION get_constant() FROM PUBLIC;
+
 \c  :TEST_DBNAME :ROLE_DEFAULT_PERM_USER_2
 \set ON_ERROR_STOP 0
 select from alter_job_schedule(:cagg_job_id, max_runtime => NULL);
@ -108,6 +119,27 @@ select location, max(humidity)
 from conditions_for_perm_check
 group by time_bucket(100, timec), location;

+--cannot create mat view in a schema without create privileges
+create or replace view custom_schema.mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity)
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+
+--cannot use a function without EXECUTE privileges
+--you can create a VIEW but cannot refresh it
+create or replace view mat_perm_view_test
+WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')
+as
+select location, max(humidity), get_constant()
+from conditions_for_perm_check_w_grant
+group by time_bucket(100, timec), location;
+
+--this should fail
+REFRESH MATERIALIZED VIEW mat_perm_view_test;
+DROP VIEW mat_perm_view_test CASCADE;
+
 --can create a mat view on something with select and trigger grants
 create or replace view mat_perm_view_test
 WITH ( timescaledb.continuous, timescaledb.refresh_lag = '-200')