Propagate SECURITY LABEL ON ROLE stmt #7304
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
naisila
force-pushed
the
naisila/sec_label_role
branch
3 times, most recently
from
aca5abf to
14394a9
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #7304 +/- ##
==========================================
- Coverage 89.58% 89.44% -0.15%
==========================================
Files 275 277 +2
Lines 59610 59687 +77
Branches 7427 7437 +10
==========================================
- Hits 53403 53388 -15
- Misses 4076 4137 +61
- Partials 2131 2162 +31 |
naisila
force-pushed
the
naisila/sec_label_role
branch
from
14394a9 to
b88b4e6
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
from
7b66b96 to
d37fed2
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
2 times, most recently
from
d92e621 to
d4b0b32
Compare
onurctirtir
reviewed
Nov 8, 2023
onurctirtir
reviewed
Nov 8, 2023
JelteF
reviewed
Nov 8, 2023
naisila
force-pushed
the
naisila/sec_label_role
branch
4 times, most recently
from
1251ab5 to
963e1b9
Compare
naisila
force-pushed
the
naisila/sec_label_role
branch
from
6cbde49 to
9a8be06
Compare
gurkanindibay
approved these changes
Nov 9, 2023
onurctirtir
reviewed
Nov 10, 2023
JelteF
reviewed
Nov 10, 2023
onurctirtir
reviewed
Nov 10, 2023
JelteF
reviewed
Nov 10, 2023
naisila
force-pushed
the
naisila/sec_label_role
branch
2 times, most recently
from
b4111ed to
5ebaa80
Compare
onurctirtir
reviewed
Nov 14, 2023
| @@ -550,3 +550,35 @@ BEGIN | |||
| RETURN result; | |||
| END; | |||
| $func$ LANGUAGE plpgsql; | |||
|
|
|||
| -- Returns pg_seclabels entries from all nodes in the cluster | |||
| -- for which the provider is citus_tests_label_provider and the object name is the input | |||
There was a problem hiding this comment.
nit: missing dot
Suggested change
| -- for which the provider is citus_tests_label_provider and the object name is the input | |
| -- for which the provider is citus_tests_label_provider and the object name is the input. |
onurctirtir
reviewed
Nov 14, 2023
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS NULL; | ||
| NOTICE: issuing SECURITY LABEL FOR citus_tests_label_provider ON ROLE user1 IS NULL | ||
| DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx | ||
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS 'citus unclassified'; |
There was a problem hiding this comment.
Should we also add a test where we don't provide the "provider" at all?
SECURITY LABEL ON ROLE brand_new_role IS 'citus unclassified';From the docs:
The name of the provider with which this label is to be associated. The named provider must be loaded and must consent to the proposed labeling operation. If exactly one provider is loaded, the provider name may be omitted for brevity.
There was a problem hiding this comment.
I am skipping this test since I am loading two providers to test the character escaping thing.
There was a problem hiding this comment.
Can't we reduce the number of providers we have to one; such that we only have the one that requires proper quoting?
There was a problem hiding this comment.
Hmm okay, then we will not be testing the general case with name that doesn't need quoting, therefore I didn't want to do that. But it's okay I guess.
naisila
force-pushed
the
naisila/sec_label_role
branch
from
a6eb324 to
58f55e7
Compare
onurctirtir
approved these changes
Nov 15, 2023
| return; | ||
| } | ||
|
|
||
| ereport(ERROR, |
There was a problem hiding this comment.
let's add such a test for that to make codecov happy, if possible
There was a problem hiding this comment.
Actually I have added this test, I don't know why codecov is not happy xD
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS NULL; | ||
| NOTICE: issuing SECURITY LABEL FOR citus_tests_label_provider ON ROLE user1 IS NULL | ||
| DETAIL: on server postgres@localhost:xxxxx connectionId: xxxxxxx | ||
| SECURITY LABEL for citus_tests_label_provider ON ROLE user1 IS 'citus unclassified'; |
There was a problem hiding this comment.
Can't we reduce the number of providers we have to one; such that we only have the one that requires proper quoting?
initial commit
naisila
force-pushed
the
naisila/sec_label_role
branch
from
58f55e7 to
c36a71a
Compare
emelsimsek
pushed a commit
that referenced
this pull request
Nov 13, 2024
We propagate `SECURITY LABEL [for provider] ON ROLE rolename IS labelname` to the worker nodes. We also make sure to run the relevant `SecLabelStmt` commands on a newly added node by looking at roles found in `pg_shseclabel`. See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the role label in the `pg_shseclabel` catalog table. This commit also fixes the regex string in `check_gucs_are_alphabetically_sorted.sh` script such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should. To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension. (cherry picked from commit 0d1f188)
hanefi
pushed a commit
that referenced
this pull request
Nov 13, 2024
We propagate `SECURITY LABEL [for provider] ON ROLE rolename IS labelname` to the worker nodes. We also make sure to run the relevant `SecLabelStmt` commands on a newly added node by looking at roles found in `pg_shseclabel`. See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the role label in the `pg_shseclabel` catalog table. This commit also fixes the regex string in `check_gucs_are_alphabetically_sorted.sh` script such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should. To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension. (cherry picked from commit 0d1f188)
Closed
hanefi
pushed a commit
that referenced
this pull request
Nov 13, 2024
Propagates SECURITY LABEL ON ROLE stmt (#7304) We propagate `SECURITY LABEL [for provider] ON ROLE rolename IS labelname` to the worker nodes. We also make sure to run the relevant `SecLabelStmt` commands on a newly added node by looking at roles found in `pg_shseclabel`. See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the role label in the `pg_shseclabel` catalog table. This commit also fixes the regex string in `check_gucs_are_alphabetically_sorted.sh` script such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should. To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension. (cherry picked from commit 0d1f188) Co-authored-by: Naisila Puka <37271756+naisila@users.noreply.github.com>
naisila
pushed a commit
that referenced
this pull request
Jan 13, 2025
Propagates SECURITY LABEL ON ROLE stmt (#7304) We propagate `SECURITY LABEL [for provider] ON ROLE rolename IS labelname` to the worker nodes. We also make sure to run the relevant `SecLabelStmt` commands on a newly added node by looking at roles found in `pg_shseclabel`. See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the role label in the `pg_shseclabel` catalog table. This commit also fixes the regex string in `check_gucs_are_alphabetically_sorted.sh` script such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should. To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension. (cherry picked from commit 0d1f188) Co-authored-by: Naisila Puka <37271756+naisila@users.noreply.github.com> (cherry picked from commit 686d2b4)
naisila
pushed a commit
that referenced
this pull request
Jan 13, 2025
Propagates SECURITY LABEL ON ROLE stmt (#7304) We propagate `SECURITY LABEL [for provider] ON ROLE rolename IS labelname` to the worker nodes. We also make sure to run the relevant `SecLabelStmt` commands on a newly added node by looking at roles found in `pg_shseclabel`. See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the role label in the `pg_shseclabel` catalog table. This commit also fixes the regex string in `check_gucs_are_alphabetically_sorted.sh` script such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should. To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension. (cherry picked from commit 0d1f188) Co-authored-by: Naisila Puka <37271756+naisila@users.noreply.github.com> (cherry picked from commit 686d2b4)
naisila
pushed a commit
that referenced
this pull request
Jan 13, 2025
Propagates SECURITY LABEL ON ROLE stmt (#7304) We propagate `SECURITY LABEL [for provider] ON ROLE rolename IS labelname` to the worker nodes. We also make sure to run the relevant `SecLabelStmt` commands on a newly added node by looking at roles found in `pg_shseclabel`. See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the role label in the `pg_shseclabel` catalog table. This commit also fixes the regex string in `check_gucs_are_alphabetically_sorted.sh` script such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should. To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension. (cherry picked from commit 0d1f188) Co-authored-by: Naisila Puka <37271756+naisila@users.noreply.github.com> (cherry picked from commit 686d2b4)
naisila
pushed a commit
that referenced
this pull request
Jan 13, 2025
Propagates SECURITY LABEL ON ROLE stmt (#7304) We propagate `SECURITY LABEL [for provider] ON ROLE rolename IS labelname` to the worker nodes. We also make sure to run the relevant `SecLabelStmt` commands on a newly added node by looking at roles found in `pg_shseclabel`. See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the role label in the `pg_shseclabel` catalog table. This commit also fixes the regex string in `check_gucs_are_alphabetically_sorted.sh` script such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should. To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension. (cherry picked from commit 0d1f188) Co-authored-by: Naisila Puka <37271756+naisila@users.noreply.github.com> (cherry picked from commit 686d2b4)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DESCRIPTION: Propagates SECURITY LABEL ON ROLE statement
See official docs for explanation on how this command works: https://www.postgresql.org/docs/current/sql-security-label.html This command stores the label in the
pg_shseclabelcatalog table.We propagate
SECURITY LABEL [for provider] ON ROLE rolename IS labelnameto the worker nodes.We also make sure to run the relevant
SecLabelStmtcommands on a newly added node by looking at roles found inpg_shseclabel.This commit also fixes the regex string in
check_gucs_are_alphabetically_sorted.shscript such that it escapes the dot. Previously it was looking for all strings starting with "citus" instead of "citus." as it should.New Note to reviewer: To test this feature, I currently make use of a special GUC to control label provider registration in PG_init when creating the Citus extension.
Old Note to reviewer: in the current test, I did what I could to ensure that I am connecting to the worker node with the same connection. This is needed to ensure that when I create the label provider, it is visible by the next command. If there is a better way to ensure commands to be in the same connection, let me know. There is a small issue in
citus_add_node()- I couldn't find a way to test the successful completion of that one. However, through logged remote commands, we can see it fails when trying to propagate the SecLabel statement.Old TODOs: