Introduce mdb_read_all_data/mdb_write_all_data

Author: reshke

src/backend/catalog/aclchk.c

@@ -3290,6 +3290,8 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
 	bool		isNull;
 	Acl		   *acl;
 	Oid			ownerId;
+	Oid			mdb_read_all_data_oid;
+	Oid			mdb_write_all_data_oid;
 
 	/*
 	 * Must get the relation's tuple from pg_class
@@ -3340,6 +3342,9 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
 	 */
 	ownerId = classForm->relowner;
 
+	mdb_read_all_data_oid = get_role_oid("mdb_read_all_data", true);
+	mdb_write_all_data_oid = get_role_oid("mdb_write_all_data", true);
+
 	aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
 							   &isNull);
 	if (isNull)
@@ -3379,6 +3384,17 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
 		has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA))
 		result |= ACL_SELECT;
 
+
+	/*
+	 * Check if ACL_SELECT is being checked and, if so, and not set already as
+	 * part of the result, then check if the user is a member of the
+	 * mdb_read_all_data role, and this is not some dangerous relation to grant SELECT to
+	 */
+	if (mask & ACL_SELECT && !(result & ACL_SELECT) &&
+		has_privs_of_role(roleid, mdb_read_all_data_oid) && 
+		!has_privs_of_unwanted_system_role(ownerId))
+		result |= ACL_SELECT;
+
 	/*
 	 * Check if ACL_INSERT, ACL_UPDATE, or ACL_DELETE is being checked and, if
 	 * so, and not set already as part of the result, then check if the user
@@ -3391,6 +3407,19 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
 		has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA))
 		result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE));
 
+
+	/*
+	 * Check if ACL_INSERT, ACL_UPDATE, or ACL_DELETE is being checked and, if
+	 * so, and not set already as part of the result, then check if the user
+	 * is a member of the mdb_write_all_data role, and this is not some 
+	 * dangerous relation to grant write access.
+	 */
+	if (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE) &&
+		!(result & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)) &&
+		has_privs_of_role(roleid, mdb_write_all_data_oid) &&
+		!has_privs_of_unwanted_system_role(ownerId))
+		result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE));
+
 	/*
 	 * Check if ACL_MAINTAIN is being checked and, if so, and not already set
 	 * as part of the result, then check if the user is a member of the

src/test/regress/expected/mdb_read_write_roles.out

@@ -0,0 +1,82 @@
+CREATE ROLE regress_mdb_superuser_user1;
+CREATE ROLE regress_mdb_superuser_user2;
+CREATE ROLE regress_mdb_superuser_user3;
+CREATE ROLE regress_superuser WITH SUPERUSER;
+GRANT mdb_superuser TO regress_mdb_superuser_user1;
+GRANT CREATE ON DATABASE regression TO regress_mdb_superuser_user2;
+SET ROLE regress_superuser;
+CREATE TABLE regress_superuser_table();
+SET ROLE pg_read_server_files;
+CREATE TABLE regress_pgrsf_table();
+SET ROLE pg_write_server_files;
+CREATE TABLE regress_pgwsf_table();
+SET ROLE pg_execute_server_program;
+CREATE TABLE regress_pgxsp_table();
+SET ROLE pg_read_all_data;
+CREATE TABLE regress_pgrad_table();
+SET ROLE pg_write_all_data;
+CREATE TABLE regress_pgrwd_table();
+SET ROLE regress_mdb_superuser_user1;
+CREATE TABLE regress_mdbsu_table();
+SET ROLE regress_mdb_superuser_user2;
+CREATE TABLE regress_mdbsu_table2();
+SET ROLE mdb_read_all_data;
+-- cannot read all data (fail)
+TABLE pg_authid;
+ERROR:  permission denied for table pg_authid
+TABLE regress_superuser_table;
+ERROR:  permission denied for table regress_superuser_table
+TABLE regress_pgrsf_table;
+ERROR:  permission denied for table regress_pgrsf_table
+TABLE regress_pgwsf_table;
+ERROR:  permission denied for table regress_pgwsf_table
+TABLE regress_pgxsp_table;
+ERROR:  permission denied for table regress_pgxsp_table
+TABLE regress_pgrad_table;
+ERROR:  permission denied for table regress_pgrad_table
+TABLE regress_pgwsf_table;
+ERROR:  permission denied for table regress_pgwsf_table
+-- is allow to read all other data
+TABLE regress_mdbsu_table;
+--
+(0 rows)
+
+TABLE regress_mdbsu_table2;
+--
+(0 rows)
+
+SET ROLE mdb_write_all_data;
+CREATE TABLE regress_tt_dat();
+-- cannot read all data (fail)
+INSERT INTO regress_superuser_table TABLE regress_tt_dat;
+ERROR:  permission denied for table regress_superuser_table
+INSERT INTO regress_pgrsf_table TABLE regress_tt_dat;
+ERROR:  permission denied for table regress_pgrsf_table
+INSERT INTO regress_pgwsf_table TABLE regress_tt_dat;
+ERROR:  permission denied for table regress_pgwsf_table
+INSERT INTO regress_pgxsp_table TABLE regress_tt_dat;
+ERROR:  permission denied for table regress_pgxsp_table
+INSERT INTO regress_pgrad_table TABLE regress_tt_dat;
+ERROR:  permission denied for table regress_pgrad_table
+INSERT INTO regress_pgwsf_table TABLE regress_tt_dat;
+ERROR:  permission denied for table regress_pgwsf_table
+-- is allow to read all other data
+INSERT INTO regress_mdbsu_table TABLE regress_tt_dat;
+INSERT INTO regress_mdbsu_table2 TABLE regress_tt_dat;
+-- end tests
+RESET SESSION AUTHORIZATION;
+--
+DROP TABLE regress_pgrsf_table;
+DROP TABLE regress_pgwsf_table;
+DROP TABLE regress_pgxsp_table;
+DROP TABLE regress_pgrad_table;
+DROP TABLE regress_pgrwd_table;
+DROP TABLE regress_mdbsu_table;
+DROP TABLE regress_mdbsu_table2;
+DROP TABLE regress_superuser_table;
+REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user2;
+REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user3;
+DROP ROLE regress_mdb_superuser_user1;
+DROP ROLE regress_mdb_superuser_user2;
+DROP ROLE regress_mdb_superuser_user3;
+DROP ROLE regress_superuser;

src/test/regress/expected/mdb_superuser.out

@@ -4,7 +4,6 @@ CREATE ROLE regress_mdb_superuser_user3;
 CREATE ROLE regress_mdb_su_role_o1;
 CREATE ROLE regress_mdb_su_role_o2;
 GRANT mdb_superuser TO regress_mdb_su_role_o1;
-GRANT mdb_admin TO mdb_superuser;
 CREATE ROLE regress_superuser WITH SUPERUSER;
 GRANT mdb_superuser TO regress_mdb_superuser_user1;
 GRANT CREATE ON DATABASE regression TO regress_mdb_superuser_user2;
@@ -59,7 +58,7 @@ DROP TABLE regress_pgwsf_table;
 DROP TABLE regress_pgxsp_table;
 DROP TABLE regress_pgrad_table;
 DROP TABLE regress_pgrwd_table;
--- does allowed to creare database, role or extension
+-- does NOT allowed to create database, role or extension
 -- or grant such priviledge 
 CREATE DATABASE regress_db_fail;
 ERROR:  permission denied to create database
@@ -128,3 +127,4 @@ DROP SCHEMA regress_mdb_superuser_schema;
 DROP ROLE regress_mdb_superuser_user1;
 DROP ROLE regress_mdb_superuser_user2;
 DROP ROLE regress_mdb_superuser_user3;
+DROP ROLE regress_superuser;

src/test/regress/expected/test_setup.out

@@ -237,5 +237,8 @@ create function fipshash(text)
     return substr(encode(sha256($1::bytea), 'hex'), 1, 32);
 CREATE ROLE mdb_admin;
 CREATE ROLE mdb_superuser;
+CREATE ROLE mdb_read_all_data;
+CREATE ROLE mdb_write_all_data;
 CREATE ROLE mdb_replication;
+GRANT mdb_admin TO mdb_superuser;
 GRANT pg_create_subscription TO mdb_admin;

src/test/regress/parallel_schedule

@@ -21,6 +21,8 @@ test: mdb_replication
 
 test: mdb_copy
 
+test: mdb_read_write_roles
+
 # ----------
 # The first group of parallel tests
 # ----------

src/test/regress/sql/mdb_read_write_roles.sql

@@ -0,0 +1,89 @@
+CREATE ROLE regress_mdb_superuser_user1;
+CREATE ROLE regress_mdb_superuser_user2;
+CREATE ROLE regress_mdb_superuser_user3;
+
+CREATE ROLE regress_superuser WITH SUPERUSER;
+
+GRANT mdb_superuser TO regress_mdb_superuser_user1;
+
+GRANT CREATE ON DATABASE regression TO regress_mdb_superuser_user2;
+
+SET ROLE regress_superuser;
+CREATE TABLE regress_superuser_table();
+
+SET ROLE pg_read_server_files;
+CREATE TABLE regress_pgrsf_table();
+
+SET ROLE pg_write_server_files;
+CREATE TABLE regress_pgwsf_table();
+
+SET ROLE pg_execute_server_program;
+CREATE TABLE regress_pgxsp_table();
+
+SET ROLE pg_read_all_data;
+CREATE TABLE regress_pgrad_table();
+
+SET ROLE pg_write_all_data;
+CREATE TABLE regress_pgrwd_table();
+
+SET ROLE regress_mdb_superuser_user1;
+CREATE TABLE regress_mdbsu_table();
+
+SET ROLE regress_mdb_superuser_user2;
+CREATE TABLE regress_mdbsu_table2();
+
+SET ROLE mdb_read_all_data;
+-- cannot read all data (fail)
+TABLE pg_authid;
+TABLE regress_superuser_table;
+TABLE regress_pgrsf_table;
+TABLE regress_pgwsf_table;
+TABLE regress_pgxsp_table;
+TABLE regress_pgrad_table;
+TABLE regress_pgwsf_table;
+
+
+-- is allow to read all other data
+
+TABLE regress_mdbsu_table;
+TABLE regress_mdbsu_table2;
+
+
+SET ROLE mdb_write_all_data;
+CREATE TABLE regress_tt_dat();
+-- cannot read all data (fail)
+INSERT INTO regress_superuser_table TABLE regress_tt_dat;
+INSERT INTO regress_pgrsf_table TABLE regress_tt_dat;
+INSERT INTO regress_pgwsf_table TABLE regress_tt_dat;
+INSERT INTO regress_pgxsp_table TABLE regress_tt_dat;
+INSERT INTO regress_pgrad_table TABLE regress_tt_dat;
+INSERT INTO regress_pgwsf_table TABLE regress_tt_dat;
+
+
+-- is allow to read all other data
+
+INSERT INTO regress_mdbsu_table TABLE regress_tt_dat;
+INSERT INTO regress_mdbsu_table2 TABLE regress_tt_dat;
+
+-- end tests
+
+RESET SESSION AUTHORIZATION;
+--
+
+DROP TABLE regress_pgrsf_table;
+DROP TABLE regress_pgwsf_table;
+DROP TABLE regress_pgxsp_table;
+DROP TABLE regress_pgrad_table;
+DROP TABLE regress_pgrwd_table;
+
+DROP TABLE regress_mdbsu_table;
+DROP TABLE regress_mdbsu_table2;
+DROP TABLE regress_superuser_table;
+
+REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user2;
+REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user3;
+
+DROP ROLE regress_mdb_superuser_user1;
+DROP ROLE regress_mdb_superuser_user2;
+DROP ROLE regress_mdb_superuser_user3;
+DROP ROLE regress_superuser;

src/test/regress/sql/mdb_superuser.sql

@@ -7,8 +7,6 @@ CREATE ROLE regress_mdb_su_role_o2;
 
 GRANT mdb_superuser TO regress_mdb_su_role_o1;
 
-GRANT mdb_admin TO mdb_superuser;
-
 CREATE ROLE regress_superuser WITH SUPERUSER;
 
 GRANT mdb_superuser TO regress_mdb_superuser_user1;
@@ -90,7 +88,7 @@ DROP TABLE regress_pgrad_table;
 DROP TABLE regress_pgrwd_table;
 
 
--- does allowed to creare database, role or extension
+-- does NOT allowed to create database, role or extension
 -- or grant such priviledge 
 
 CREATE DATABASE regress_db_fail;
@@ -162,3 +160,4 @@ DROP SCHEMA regress_mdb_superuser_schema;
 DROP ROLE regress_mdb_superuser_user1;
 DROP ROLE regress_mdb_superuser_user2;
 DROP ROLE regress_mdb_superuser_user3;
+DROP ROLE regress_superuser;

src/test/regress/sql/test_setup.sql

@@ -292,6 +292,9 @@ create function fipshash(text)
 
 CREATE ROLE mdb_admin;
 CREATE ROLE mdb_superuser;
+CREATE ROLE mdb_read_all_data;
+CREATE ROLE mdb_write_all_data;
 CREATE ROLE mdb_replication;
 
+GRANT mdb_admin TO mdb_superuser;
 GRANT pg_create_subscription TO mdb_admin;