Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Permissions issues when granting SELECT only access to Hypertable via default permissions #4555

Closed
michaelkitson opened this issue Jul 29, 2022 · 3 comments · Fixed by #4580
Closed

[Bug]: Permissions issues when granting SELECT only access to Hypertable via default permissions #4555

michaelkitson opened this issue Jul 29, 2022 · 3 comments · Fixed by #4580
Assignees
@fabriziomello
Labels
bug

Comments

@michaelkitson
Copy link

What type of bug is this?

Unexpected error

What subsystems and features are affected?

Continuous aggregate

What happened?

If a role is granted default permissions to a hypertable, those permissions don't propagate to its continuous aggregates.

This is related to #2630

TimescaleDB version affected

2.7.2

PostgreSQL version used

14.4

What operating system did you use?

MacOS 12.4

What installation method did you use?

Docker

What platform did you run on?

On prem/Self-hosted

Relevant log output and stack trace

ERROR:  permission denied for table _materialized_hypertable_2
CONTEXT:  SQL statement "SELECT max(hour) FROM _timescaledb_internal._materialized_hypertable_2"

How can we reproduce the bug?

CREATE SCHEMA test;
CREATE ROLE read_only;
GRANT USAGE ON SCHEMA "test" TO read_only;
GRANT SELECT ON ALL TABLES IN SCHEMA "test" TO read_only; -- not really necessary here.
ALTER DEFAULT PRIVILEGES IN SCHEMA "test" GRANT SELECT ON TABLES TO read_only;

CREATE USER reader WITH PASSWORD 'test_read';
GRANT read_only TO reader;

CREATE TABLE test.data (
  "time" timestamp with time zone DEFAULT now() NOT NULL,
  "asset" integer NOT NULL,
  value numeric NOT NULL
);
SELECT create_hypertable('test.data', 'time', 'asset', 5, chunk_time_interval => INTERVAL '1 day');

CREATE TABLE test.data_nothyper (
  "time" timestamp with time zone DEFAULT now() NOT NULL,
  "asset" integer NOT NULL,
  value numeric NOT NULL
);

CREATE MATERIALIZED VIEW test.data_1hr
            WITH (timescaledb.continuous) AS
SELECT time_bucket(INTERVAL '1 hour', "time") AS "hour",
  asset,
  avg(value) as "average"
FROM test.data
GROUP BY "hour", asset
WITH NO DATA;

INSERT INTO test.data VALUES (now() - INTERVAL '240 minutes', 1, 12);
INSERT INTO test.data VALUES (now() - INTERVAL '210 minutes', 1, 10);
INSERT INTO test.data VALUES (now() - INTERVAL '180 minutes', 1, 8);
INSERT INTO test.data VALUES (now() - INTERVAL '150 minutes', 1, 14);
INSERT INTO test.data VALUES (now() - INTERVAL '120 minutes', 1, 12);
INSERT INTO test.data VALUES (now() - INTERVAL '90 minutes', 1, 14);
INSERT INTO test.data VALUES (now() - INTERVAL '60 minutes', 1, 19);
INSERT INTO test.data VALUES (now() - INTERVAL '30 minutes', 1, 21);
INSERT INTO test.data VALUES (now() - INTERVAL '1 minutes', 1, 23);

SET ROLE reader;
select * from test.data; -- works
select * from test.data_nothyper ; -- works
select * from test.data_1hr ; -- ERROR:  permission denied for table _materialized_hypertable_2
@svenklemm svenklemm assigned svenklemm and unassigned svenklemm Aug 2, 2022
@fabriziomello fabriziomello self-assigned this Aug 3, 2022
@fabriziomello
Copy link
Contributor

@michaelkitson thanks for reporting this... seems this is an oversight and we're not dealing properly with default privileges for continuous aggregates (propagating to the underlying materialization hypertable). The problem here is that the underlying materialization hypertable resides in another schema (different than defined in the default privilege configuration).

I'm working on a fix for that, but for now the only workaround for this is explicit execute GRANT in the continuous aggregate that will propagate it down to the underlying hypertable.

fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 6, 2022
@fabriziomello
Handle properly default privileges on CAggs
36f36d0 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
@fabriziomello fabriziomello mentioned this issue Aug 6, 2022
Merged
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 6, 2022
@fabriziomello
Handle properly default privileges on CAggs
8520e6b 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 7, 2022
@fabriziomello
Fix assertion in GRANT .. ON ALL TABLES IN SCHEMA
2d72010 
When working on a fix for timescale#4555 discovered that executing
`{GRANT|REVOKE} .. ON ALL TABLES IN SCHEMA` in an empty schema lead to
an assertion because we change the way that command is executed by
collecting all objects involved and processing one by one.

Fixed it by executing the previous process utility hook just when the
list of target objects is not empty.

Fixes timescale#4581
@fabriziomello fabriziomello mentioned this issue Aug 7, 2022
Merged
fabriziomello added a commit that referenced this issue Aug 8, 2022
@fabriziomello
Fix assertion in GRANT .. ON ALL TABLES IN SCHEMA
d35ea0f 
When working on a fix for #4555 discovered that executing
`{GRANT|REVOKE} .. ON ALL TABLES IN SCHEMA` in an empty schema lead to
an assertion because we change the way that command is executed by
collecting all objects involved and processing one by one.

Fixed it by executing the previous process utility hook just when the
list of target objects is not empty.

Fixes #4581
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 8, 2022
@fabriziomello
Handle properly default privileges on CAggs
5cbb4ff 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 8, 2022
@fabriziomello
Handle properly default privileges on CAggs
30e3b9c 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 8, 2022
@fabriziomello
Handle properly default privileges on CAggs
08d90c4 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 8, 2022
@fabriziomello
Handle properly default privileges on CAggs
a8a6811 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 8, 2022
@fabriziomello
Handle properly default privileges on CAggs
2c6ae8e 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 10, 2022
@fabriziomello
Handle properly default privileges on CAggs
a99a8db 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 10, 2022
@fabriziomello
Handle properly default privileges on CAggs
350757e 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 11, 2022
@fabriziomello
Handle properly default privileges on CAggs
4457e42 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 11, 2022
@fabriziomello
Handle properly default privileges on CAggs
a6c8b56 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 11, 2022
@fabriziomello
Handle properly default privileges on CAggs
10dcf47 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit to fabriziomello/timescaledb that referenced this issue Aug 12, 2022
@fabriziomello
Handle properly default privileges on CAggs
ecaf51d 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes timescale#4555
fabriziomello added a commit that referenced this issue Aug 12, 2022
@fabriziomello
Handle properly default privileges on CAggs
500c225 
If a default privilege is configured and applied to a given Continuous
Aggregate during it creation just the user view has the ACL properly
configured but the underlying materialization hypertable no leading to
permission errors.

Fixed it by copying the privileges from the user view to the
materialization hypertable during the Continous Aggregate creation.

Fixes #4555
@fabriziomello
Copy link
Contributor

@michaelkitson fixed in PR #4580

@leppaott
Copy link

@fabriziomello does this cover also FOR ROLE:

ALTER DEFAULT PRIVILEGES FOR ROLE :"diagnostics_user" IN SCHEMA "wm_diagnostics"
GRANT SELECT ON TABLES TO :"user";

We are still getting permission denied when creating a cagg on a hypertable in a different schema.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fabriziomello fabriziomello

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Handle properly default privileges on CAggs fabriziomello/timescaledb
4 participants
@fabriziomello @michaelkitson @leppaott @svenklemm