From 399f165cc4ca15bbd605c4560df6f24406518349 Mon Sep 17 00:00:00 2001
From: Bvsk Patnaik
Date: Tue, 23 Jul 2024 10:31:37 -0700
Subject: [PATCH] [#23266] YSQL: Only require YB Admin privileges to run pg_locks
Summary: Do not prevent YB Admins who are not superusers from running pg_locks. Jira: DB-12192 Test Plan: Jenkins Test case to let yb_db_admin query pg_locks. ``` ./yb_build.sh --java-test TestPgAuthorization#testPgLocksAuthorization ``` Backport-through: 2.20 Reviewers: smishra, amartsinchyk Reviewed By: amartsinchyk Subscribers: yql Differential Revision: https://phorge.dev.yugabyte.com/D36780
---
 .../test/java/org/yb/pgsql/TestPgAuthorization.java | 13 +++++++++++++
 src/postgres/src/backend/utils/adt/yb_lockfuncs.c | 4 ++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/java/yb-pgsql/src/test/java/org/yb/pgsql/TestPgAuthorization.java b/java/yb-pgsql/src/test/java/org/yb/pgsql/TestPgAuthorization.java
index b7df7721055e..4500cc3c652b 100644
--- a/java/yb-pgsql/src/test/java/org/yb/pgsql/TestPgAuthorization.java
+++ b/java/yb-pgsql/src/test/java/org/yb/pgsql/TestPgAuthorization.java
@@ -3341,4 +3341,17 @@ public void testLongPasswords() throws Exception {
 }
 }
+ @Test
+ public void testPgLocksAuthorization() throws Exception {
+ try (Statement statement = connection.createStatement()) {
+ statement.execute("CREATE ROLE yb_db_admin_member LOGIN");
+ statement.execute("GRANT yb_db_admin TO yb_db_admin_member");
+ }
+
+ try (Connection connection = getConnectionBuilder().withUser("yb_db_admin_member").connect();
+ Statement statement = connection.createStatement()) {
+ // yb_db_admin_member should be able to query pg_locks without superuser access.
+ statement.executeQuery("SELECT * FROM pg_locks");
+ }
+ }
 }
diff --git a/src/postgres/src/backend/utils/adt/yb_lockfuncs.c b/src/postgres/src/backend/utils/adt/yb_lockfuncs.c
index 1dc882f244d8..10e1ead8bfee 100644
--- a/src/postgres/src/backend/utils/adt/yb_lockfuncs.c
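Review bot: testPgLocksAuthorization only exercises the allowed path; nothing asserts that a role without yb_db_admin is still refused, which is the half of the check that keeps the not-yet-masked lock data away from ordinary users. A negative case along the lines below would pin the boundary; the role name is a constructed example, and it assumes `fail`, `assertEquals` and `SQLException` are already in scope in this test class. Separately, the inner `Connection connection` shadows the test's own `connection` used in the first try block, so a distinct name such as `adminConnection` would read more clearly, and the created role is never dropped.

```java
    // … unchanged: yb_db_admin_member can query pg_locks …

    try (Statement statement = connection.createStatement()) {
      statement.execute("CREATE ROLE pg_locks_plain_member LOGIN");
    }

    try (Connection plainConnection =
             getConnectionBuilder().withUser("pg_locks_plain_member").connect();
         Statement statement = plainConnection.createStatement()) {
      try {
        statement.executeQuery("SELECT * FROM pg_locks");
        fail("a role without yb_db_admin must not be able to read pg_locks");
      } catch (SQLException e) {
        // 42501 is the SQLSTATE for insufficient_privilege.
        assertEquals("42501", e.getSQLState());
      }
    }
```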
+++ b/src/postgres/src/backend/utils/adt/yb_lockfuncs.c
@@ -53,10 +53,10 @@ yb_lock_status(PG_FUNCTION_ARGS)
 }
 /*
- * If this is not a superuser, do not return actual user data.
+ * If this is not a YB admin, do not return actual user data.
 * TODO: Remove this as soon as we mask out user data.
 */
- if (!superuser_arg(GetUserId()) || !IsYbDbAdminUser(GetUserId()))
+ if (!IsYbDbAdminUser(GetUserId()))
 {
 ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("permission denied: user must must be a "
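Review bot: With the `superuser_arg()` term dropped, `IsYbDbAdminUser(GetUserId())` is the only gate in front of lock data that the retained TODO says is not yet masked, so every member of yb_db_admin can now read it where previously both conditions had to hold. If that is the intended trust boundary, the comment should say so, for example `* Members of yb_db_admin are trusted to see unmasked lock data; all other roles are rejected.` The context line `errmsg("permission denied: user must must be a "` also repeats "must", and because the rest of the message lies outside the hunk, it is worth checking that it no longer names superuser as a requirement. The body of yb_lock_status continues outside the hunk.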