[YSQL] Incorrect permission check logic #23266

Closed
1 task done

andrei-mart opened this issue Jul 23, 2024 · 1 comment

andrei-mart commented Jul 23, 2024

Jira Link: DB-12192

Description

https://github.com/yugabyte/yugabyte-db/blob/master/src/postgres/src/backend/utils/adt/yb_lockfuncs.c#L59

Trivial bug in the permission check condition: permission should be denied if the user is (not superuser and not yb_db_admin), not if the user is (not superuser or not yb_db_admin). "Or" means the user has to be both to pass.
The superuser is a yb_db_admin; that's why the bug went undiscovered for so long.

In fact, since a superuser is a yb_db_admin, it is sufficient to check whether the user is (not yb_db_admin) to deny the permission.

Issue Type

kind/bug

Warning: Please confirm that this issue does not contain any sensitive information

  • I confirm this issue does not contain any sensitive information.
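The access matrix implied by the description above, as an added example written for this page; it is not the project's code (the real check in yb_lockfuncs.c is not reproduced here), and the role struct, the function names and the "superuser implies yb_db_admin" invariant are modelled as assumptions. It enumerates all four role combinations, counts where the buggy `||` check and the intended `&&` check disagree, and shows that the simplified "not yb_db_admin" check is equivalent to the intended one on every role reachable under that invariant.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the caller's role attributes (hypothetical, not the
 * project's own data structure). */
typedef struct {
    bool is_superuser;   /* role has the SUPERUSER attribute */
    bool is_yb_db_admin; /* role is a member of yb_db_admin */
} role_t;

/* Buggy condition as the issue describes it: deny when the caller is
 * (not superuser) OR (not yb_db_admin), so both are needed to pass. */
bool pg_locks_denied_buggy(role_t r)
{
    return !r.is_superuser || !r.is_yb_db_admin;
}

/* Intended condition: deny only when the caller is neither. */
bool pg_locks_denied_fixed(role_t r)
{
    return !r.is_superuser && !r.is_yb_db_admin;
}

/* Simplified condition the issue says is sufficient, relying on the
 * invariant that every superuser is also a yb_db_admin. */
bool pg_locks_denied_simplified(role_t r)
{
    return !r.is_yb_db_admin;
}

/* A superuser that is not yb_db_admin is assumed unreachable. */
static bool reachable_under_invariant(role_t r)
{
    return !(r.is_superuser && !r.is_yb_db_admin);
}

/* Walk the access matrix, print each outcome, and return how many role
 * combinations make the buggy and fixed checks disagree. With
 * respect_invariant set, unreachable combinations are skipped, which leaves
 * exactly the one case the issue reports: yb_db_admin but not superuser. */
int count_disagreements(bool respect_invariant)
{
    int disagreements = 0;
    for (int su = 0; su < 2; su++) {
        for (int adm = 0; adm < 2; adm++) {
            role_t r = { su != 0, adm != 0 };
            if (respect_invariant && !reachable_under_invariant(r))
                continue;
            bool b = pg_locks_denied_buggy(r);
            bool f = pg_locks_denied_fixed(r);
            printf("superuser=%d yb_db_admin=%d  buggy=%s  fixed=%s\n",
                   su, adm, b ? "deny" : "allow", f ? "deny" : "allow");
            if (b != f)
                disagreements++;
        }
    }
    return disagreements;
}

/* True if the simplified check gives the same answer as the fixed check on
 * every role reachable under the invariant. */
bool simplified_matches_fixed_under_invariant(void)
{
    for (int su = 0; su < 2; su++) {
        for (int adm = 0; adm < 2; adm++) {
            role_t r = { su != 0, adm != 0 };
            if (!reachable_under_invariant(r))
                continue;
            if (pg_locks_denied_simplified(r) != pg_locks_denied_fixed(r))
                return false;
        }
    }
    return true;
}

int main(void)
{
    printf("disagreements over all combinations: %d\n",
           count_disagreements(false));
    printf("disagreements over reachable roles:  %d\n",
           count_disagreements(true));
    printf("simplified check equivalent under invariant: %s\n",
           simplified_matches_fixed_under_invariant() ? "yes" : "no");
    return 0;
}
```

The second count is the detection-relevant one: with the invariant in place, the only role the buggy check wrongly rejects is a yb_db_admin that is not a superuser, which is why the defect never surfaced in superuser-driven testing.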
@andrei-mart andrei-mart added area/ysql Yugabyte SQL (YSQL) status/awaiting-triage Issue awaiting triage labels Jul 23, 2024
@yugabyte-ci yugabyte-ci added kind/bug This issue is a bug priority/medium Medium priority issue labels Jul 23, 2024
@sushantrmishra sushantrmishra removed the status/awaiting-triage Issue awaiting triage label Jul 23, 2024
pao214 added a commit that referenced this issue Jul 25, 2024
Summary:
Do not prevent YB Admins who are not superusers from running pg_locks.
Jira: DB-12192

Test Plan:
Jenkins

Test case to let yb_db_admin query pg_locks.

```
./yb_build.sh --java-test TestPgAuthorization#testPgLocksAuthorization
```

Backport-through: 2.20

Reviewers: smishra, amartsinchyk

Reviewed By: amartsinchyk

Subscribers: yql

Differential Revision: https://phorge.dev.yugabyte.com/D36780
pao214 added a commit that referenced this issue Jul 25, 2024
… pg_locks

Summary:
Original commit: 399f165 / D36780
Do not prevent YB Admins who are not superusers from running pg_locks.
Jira: DB-12192

Test Plan:
Jenkins

Test case to let yb_db_admin query pg_locks.

```
./yb_build.sh --java-test TestPgAuthorization#testPgLocksAuthorization
```

Backport-through: 2.20

Reviewers: smishra, amartsinchyk

Reviewed By: amartsinchyk

Subscribers: yql

Tags: #jenkins-ready

Differential Revision: https://phorge.dev.yugabyte.com/D36829
pao214 added a commit that referenced this issue Jul 25, 2024
…un pg_locks

Summary:
Original commit: 399f165 / D36780
Do not prevent YB Admins who are not superusers from running pg_locks.
Jira: DB-12192

Test Plan:
Jenkins

Test case to let yb_db_admin query pg_locks.

```
./yb_build.sh --java-test TestPgAuthorization#testPgLocksAuthorization
```

Backport-through: 2.20

Reviewers: smishra, amartsinchyk

Reviewed By: amartsinchyk

Subscribers: yql

Tags: #jenkins-ready

Differential Revision: https://phorge.dev.yugabyte.com/D36828

pao214 commented Jul 25, 2024

Landed on master, 2024.1, 2.20.

@pao214 pao214 closed this as completed Jul 25, 2024
jasonyb pushed a commit that referenced this issue Jul 25, 2024
Summary:
 5aa0c0a [PLAT-14078] Add local provider test for update databases
 cdd97f8 remove ea badge (#23276)
 2813d78 [PLAT-14156][PLAT-14323]: Move all UI Driven flags to INTERNAL and remove YBM key as it's not used
 49523f5 [PLAT-14733]: Add support for OIDC attributes jwt_jwks_path and jwt_jwks_url
 b039d1a [PLAT-14366] Basic local provider test for master auto failover
 700fd49 [#23275] docdb: Fix missing home icon on master UI
 89e434e [#13254] YSQL: import pgtap v1.3.3
 1b3585f [doc][cdc] Updated diagrams (#23262)
 399f165 [#23266] YSQL: Only require YB Admin privileges to run pg_locks
 5a4bbd4 [#19954] docdb: Register both tablet split children atomically
 b4c4294 [PLAT-14617] Add support for numerical search and enable extra search fields for xCluster
 84fb7ad [#22449] YSQL: wal2json YB specific changes
 afe84d4 [#13254] YSQL: add pgtap to build
 adf3c54 [#23272] YSQL, ASH: Fix incorrect popping of query id from nested query ids stack
 3b42c2e [docs] Add syntax documentation for logical replication (#23270)

Test Plan: Jenkins: rebase: pg15-cherrypicks

Reviewers: jason, tfoucher

Tags: #jenkins-ready

Differential Revision: https://phorge.dev.yugabyte.com/D36841