Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix dropping role with table privileges granted by non-neon_superuser #10964

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix dropping role with table privileges granted by non-neon_superuser #10964

wants to merge 1 commit into from
+86 −9

Conversation

tristan957
Copy link
Member

We were previously only revoking privileges granted by neon_superuser. However, we need to do it for all grantors.

@tristan957 tristan957 requested a review from a team as a code owner February 24, 2025 23:43
tristan957
tristan957 commented Feb 24, 2025
View reviewed changes
compute_tools/src/sql/pre_drop_role_revoke_privileges.sql Outdated
Comment on lines 21 to 28
SET LOCAL ROLE neon_superuser;

revoke_query := format(
'REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %I FROM {role_name} GRANTED BY neon_superuser;',
'REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %I FROM {role_name} GRANTED BY neon_superuser',
schema
);

EXECUTE revoke_query;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not at all clear to me why I need to keep this statement around, but if I don't, test_compute_drop_role will fail. Help in diagnosing this is appreciated.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keeping this statement around tells me there is probably something more to look at than just information_schema.role_table_grants.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried:

        FOR grantor IN
            SELECT DISTINCT t.grantor
            FROM (
                SELECT DISTINCT rtg.grantor
                FROM information_schema.role_table_grants AS rtg
                WHERE grantee = '{role_name}'
            UNION
                SELECT DISTINCT tp.grantor
                FROM information_schema.table_privileges AS tp
                WHERE grantee = '{role_name}') AS t
        LOOP

But that doesn't work for test_compute_drop_role.

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 25, 2025
edited
Loading

7755 tests run: 7377 passed, 0 failed, 378 skipped (full report)

Flaky tests (3)

Postgres 17

Code coverage* (full report)

  • functions: 32.8% (8638 of 26362 functions)
  • lines: 48.6% (73099 of 150465 lines)

* collected from Rust tests only

The comment gets automatically updated with the latest test results
fff6e6e at 2025-02-27T05:12:05.225Z :recycle:

@tristan957
Fix dropping role with table privileges granted by non-neon_superuser
fff6e6e 
We were previously only revoking privileges granted by neon_superuser.
However, we need to do it for all grantors.

Signed-off-by: Tristan Partin <tristan@neon.tech>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knizhnik knizhnik Awaiting requested review from knizhnik knizhnik is a code owner automatically assigned from neondatabase/compute

@lubennikovaav lubennikovaav Awaiting requested review from lubennikovaav lubennikovaav is a code owner automatically assigned from neondatabase/compute

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tristan957