8000 Add basic regression tests for default monitoring roles · postgrespro/postgres@f535d5f · GitHub
[go: up one dir, main page]
Skip to content

Commit f535d5f

Browse files
michaelpqmichaelpq
committed
Add basic regression tests for default monitoring roles
The following default roles gain some coverage: - pg_read_all_stats - pg_read_all_settings Author: Alexandra Ryzhevich Discussion: https://postgr.es/m/CAOt4E5S5WJmDc9YpS1BfyAMQ5C1NEmiYynD6nUz42qVxphqkpA@mail.gmail.com
1 parent 8d28bf5 commit f535d5f

File tree

2 files changed

+80
-0
lines changed

2 files changed

+80
-0
lines changed

src/test/regress/expected/rolenames.out

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -944,9 +944,56 @@ SELECT proname, proacl FROM pg_proc WHERE proname LIKE 'testagg_';
944944
testagg9 |
945945
(9 rows)
946946

947+
-- DEFAULT MONITORING ROLES
948+
CREATE ROLE regress_role_haspriv;
949+
CREATE ROLE regress_role_nopriv;
950+
-- pg_read_all_stats
951+
GRANT pg_read_all_stats TO regress_role_haspriv;
952+
SET SESSION AUTHORIZATION regress_role_haspriv;
953+
-- returns true with role member of pg_read_all_stats
954+
SELECT COUNT(*) = 0 AS haspriv FROM pg_stat_activity
955+
WHERE query = '<insufficient privilege>';
956+
haspriv
957+
---------
958+
t
959+
(1 row)
960+
961+
SET SESSION AUTHORIZATION regress_role_nopriv;
962+
-- returns false with role not member of pg_read_all_stats
963+
SELECT COUNT(*) = 0 AS haspriv FROM pg_stat_activity
964+
WHERE query = '<insufficient privilege>';
965+
haspriv
966+
---------
967+
f
968+
(1 row)
969+
970+
RESET SESSION AUTHORIZATION;
971+
REVOKE pg_read_all_stats FROM regress_role_haspriv;
972+
-- pg_read_all_settings
973+
GRANT pg_read_all_settings TO regress_role_haspriv;
974+
BEGIN;
975+
-- A GUC using GUC_SUPERUSER_ONLY is useful for negative tests.
976+
SET LOCAL session_preload_libraries TO 'path-to-preload-libraries';
977+
SET SESSION AUTHORIZATION regress_role_haspriv;
978+
-- passes with role member of pg_read_all_settings
979+
SHOW session_preload_libraries;
980+
session_preload_libraries
981+
-----------------------------
982+
"path-to-preload-libraries"
983+
(1 row)
984+
985+
SET SESSION AUTHORIZATION regress_role_nopriv;
986+
-- fails with role not member of pg_read_all_settings
987+
SHOW session_preload_libraries;
988+
ERROR: must be superuser or a member of pg_read_all_settings to examine "session_preload_libraries"
989+
RESET SESSION AUTHORIZATION;
990+
ERROR: current transaction is aborted, commands ignored until end of transaction block
991+
ROLLBACK;
992+
REVOKE pg_read_all_settings FROM regress_role_haspriv;
947993
-- clean up
948994
\c
949995
DROP SCHEMA test_roles_schema;
950996
DROP OWNED BY regress_testrol0, "Public", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
951997
DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
952998
DROP ROLE "Public", "None", "current_user", "session_user", "user";
999+
DROP ROLE regress_role_haspriv, regress_role_nopriv;

src/test/regress/sql/rolenames.sql

Lines changed: 33 additions & 0 deletions
< CFDD tr class="diff-line-row">
Original file line numberDiff line numberDiff line change
@@ -438,10 +438,43 @@ REVOKE ALL PRIVILEGES ON FUNCTION testagg9(int2) FROM "none"; --error
438438

439439
SELECT proname, proacl FROM pg_proc WHERE proname LIKE 'testagg_';
440440

441+
-- DEFAULT MONITORING ROLES
442+
CREATE ROLE regress_role_haspriv;
443+
CREATE ROLE regress_role_nopriv;
444+
445+
-- pg_read_all_stats
446+
GRANT pg_read_all_stats TO regress_role_haspriv;
447+
SET SESSION AUTHORIZATION regress_role_haspriv;
448+
-- returns true with role member of pg_read_all_stats
449+
SELECT COUNT(*) = 0 AS haspriv FROM pg_stat_activity
450+
WHERE query = '<insufficient privilege>';
451+
SET SESSION AUTHORIZATION regress_role_nopriv;
452+
-- returns false with role not member of pg_read_all_stats
453+
SELECT COUNT(*) = 0 AS haspriv FROM pg_stat_activity
454+
WHERE query = '<insufficient privilege>';
455+
RESET SESSION AUTHORIZATION;
456+
REVOKE pg_read_all_stats FROM regress_role_haspriv;
457+
458+
-- pg_read_all_settings
459+
GRANT pg_read_all_settings TO regress_role_haspriv;
460+
BEGIN;
461+
-- A GUC using GUC_SUPERUSER_ONLY is useful for negative tests.
462+
SET LOCAL session_preload_libraries TO 'path-to-preload-libraries';
463+
SET SESSION AUTHORIZATION regress_role_haspriv;
464+
-- passes with role member of pg_read_all_settings
465+
SHOW session_preload_libraries;
466+
SET SESSION AUTHORIZATION regress_role_nopriv;
467+
-- fails with role not member of pg_read_all_settings
468+
SHOW session_preload_libraries;
469+
RESET SESSION AUTHORIZATION;
470+
ROLLBACK;
471+
REVOKE pg_read_all_settings FROM regress_role_haspriv;
472+
441473
-- clean up
442474
\c
443475

444476
DROP SCHEMA test_roles_schema;
445477
DROP OWNED BY regress_testrol0, "Public", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
446478
DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
447479
DROP ROLE "Public", "None", "current_user", "session_user", "user";
480+
DROP ROLE regress_role_haspriv, regress_role_nopriv;

0 commit comments

Comments
 (0)
0