[#23266] YSQL: Only require YB Admin privileges to run pg_locks

Summary: Do not prevent YB Admins who are not superusers from running pg_locks. Jira: DB-12192 Test Plan: Jenkins Test case to let yb_db_admin query pg_locks. ``` ./yb_build.sh --java-test TestPgAuthorization#testPgLocksAuthorization ``` Backport-through: 2.20 Reviewers: smishra, amartsinchyk Reviewed By: amartsinchyk Subscribers: yql Differential Revision: https://phorge.dev.yugabyte.com/D36780
yugabyte · Jul 25, 2024 · 399f165 · 399f165
1 parent 1b3585f
commit 399f165
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/java/yb-pgsql/src/test/java/org/yb/pgsql/TestPgAuthorization.java b/java/yb-pgsql/src/test/java/org/yb/pgsql/TestPgAuthorization.java
@@ -3341,4 +3341,17 @@ public void testLongPasswords() throws Exception {
     }
   }
 
+  @Test
+  public void testPgLocksAuthorization() throws Exception {
+    try (Statement statement = connection.createStatement()) {
+      statement.execute("CREATE ROLE yb_db_admin_member LOGIN");
+      statement.execute("GRANT yb_db_admin TO yb_db_admin_member");
+    }
+
+    try (Connection connection = getConnectionBuilder().withUser("yb_db_admin_member").connect();
+         Statement statement = connection.createStatement()) {
+      // yb_db_admin_member should be able to query pg_locks without superuser access.
+      statement.executeQuery("SELECT * FROM pg_locks");
+    }
+  }
 }
diff --git a/src/postgres/src/backend/utils/adt/yb_lockfuncs.c b/src/postgres/src/backend/utils/adt/yb_lockfuncs.c
@@ -53,10 +53,10 @@ yb_lock_status(PG_FUNCTION_ARGS)
 	}
 
 	/*
-	 *  If this is not a superuser, do not return actual user data.
+	 *  If this is not a YB admin, do not return actual user data.
 	 *  TODO: Remove this as soon as we mask out user data.
 	 */
-	if (!superuser_arg(GetUserId()) || !IsYbDbAdminUser(GetUserId()))
+	if (!IsYbDbAdminUser(GetUserId()))
 	{
 		ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						errmsg("permission denied: user must must be a "