[YSQL] support for roles and permissions in YSQL #869
Comments
We'll utilize the PostgreSQL metadata cache heavily on every node.
… server shared memory

Summary: This diff adds a generic `SharedMemorySegment` class, which can be used to create or open anonymous shared memory segments. `SharedMemorySegment` provides an abstraction around platform specific details of shared memory, provides ownership (RAII), and allows anonymous shared memory to be passed through the `exec` family of system calls (using a file descriptor).

Another class `TServerSharedMemory` was added as a thin wrapper around a `SharedMemorySegment`, which is used to share memory between a tablet server and any local Postgres backends. Each tablet server stores its `ysql_catalog_version` in shared memory, which is accessed by the local postgres instance before every query. This allows postgres to refresh the catalog cache before executing a query, rather than checking on the t-server, which fails and retries if a refresh is needed.

This change is also required for #869, as certain queries like `SET ROLE` never reach a tablet server. May fix/mitigate #1457 + #1358 as well.

Test Plan: Added integration tests to `TestPgCacheConsistency.java`. Without the refreshing change made in this diff, most of the added tests fail. Some fail due to failed catalog version checks during a non-retryable query, and others simply slip under the radar and proceed with the query using the stale catalog (giving an incorrect result).

Added shared memory specific unit tests to `shared_mem-test.cc` and `tserver_shared_mem-test.cc`.

Manually tested in the following configurations:
- Building from source and running in OSX, Centos 7, and Ubuntu 18.04.
- Building from source and running in Centos 7 and Ubuntu 18.04 docker containers, running on Centos 7.
- Building a release on Centos 7 and deploying the release in an Ubuntu 18.04 docker container, running on Centos 7 and OSX.

Manual testing was performed primarily to ensure that the system-specific compile-time and run-time checks in `shared_mem.cc` work as expected. The expected (and observed) results were as follows:
- When running outside docker, OSX creates shared memory files under `/tmp`, Centos 7 creates shared memory files under `/dev/shm`, and Ubuntu 18.04 uses `memfd_create`.
- When running inside Ubuntu 18.04 docker containers, `/dev/shm` is used when the container runs on Centos 7 (using host kernel), and `memfd_create` is used when running on OSX.
- Releases built on a version of linux which does not support `memfd_create` still use `memfd_create` when deployed on a version of the kernel which does support the system call.

Reviewers: mihnea, dmitry, sergei, mikhail
Reviewed By: sergei, mikhail
Subscribers: kannan, yql
Differential Revision: https://phabricator.dev.yugabyte.com/D6716
Summary: This diff adds support for postgres roles, object ownership, and permissions, which makes up the majority of RBAC. The two remaining steps are to add support for customizing config files (e.g. `pg_hba.conf`), and to add row-level security.

For the time being, roles can be used in the database to their full extent, however our default `pg_hba.conf` allows any connection from any host to connect as any role, without having to provide a password. To make roles practical, one must manually change the `pg_hba.conf` on all nodes to enforce more strict authentication methods (e.g. see the hba supplied in `TestPgAuthorization`). This can be done by either editing the default generated hba created by initdb, or by passing the relative file path to a custom hba file using the `pgsql_hba_conf_file` gflag in tests.

Test Plan: Enabled the `roleattributes`, `rolenames`, `password`, `privileges`, and `init_privs` postgres regression tests with some minor modifications (and some unsupported features commented out). Added `TestPgRegressAuthorization.java` to test these pg regress tests.

Added `TestPgAuthorization` with java tests, covering areas which were not tested sufficiently by the above regress tests (especially multi-node tests, and tests related to login/connection).

Added `ClusterCleaner` interface, along with several implementations, as a faster and simpler way to clean up postgres between tests. Added `ConnectionBuilder` to simplify connection creation with many parameters.

Reviewers: mihnea, neha
Reviewed By: neha
Subscribers: yql
Differential Revision: https://phabricator.dev.yugabyte.com/D6776
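The commit message above notes that roles only become practical once `pg_hba.conf` stops accepting passwordless connections on every node. The following is an added example, not code from the YugabyteDB repository: a small auditor that parses `pg_hba.conf` records and reports those using the `trust` method, with their reach. The function names and the sample file are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: two records open to every host without a password, then stricter ones.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER      ADDRESS                 METHOD
host     all       all       0.0.0.0/0               trust
host     all       all       ::0/0                   trust
local    all       all                               trust
host     all       all       10.0.0.0 255.255.255.0  md5
hostssl  all       app_role  192.168.1.0/24          scram-sha-256
"""
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, type, user, address, method) for each pg_hba.conf record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if len(fields) >= 4 and fields[0] == "local":
            yield lineno, "local", fields[2], None, fields[3]
        elif len(fields) >= 5 and fields[0] in HOST_TYPES:
            address, rest = fields[3], fields[4:]
            if len(rest) >= 2 and _is_ip(rest[0]):  # "ADDRESS NETMASK" two-field form
                address, rest = f"{address}/{rest[0]}", rest[1:]
            yield lineno, fields[0], fields[2], address, rest[0]

def audit_trust(text):
    """Return (lineno, user, scope) for every record that authenticates with `trust`."""
    findings = []
    for lineno, rtype, user, address, method in parse_hba(text):
        if method != "trust":
            continue
        if rtype == "local":
            scope = "unix-socket"
        else:
            try:
                wide = ipaddress.ip_network(address, strict=False).prefixlen == 0
            except ValueError:
                wide = address == "all"  # keyword (all/samehost/samenet) or hostname
            scope = "any-host" if wide else address
        findings.append((lineno, user, scope))
    return findings
```

Running `audit_trust` over each node's file and failing on any `any-host` finding gives a quick check that the hardened configuration was actually rolled out everywhere.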
Support for roles and permissions is added by e89d75b, which includes roles, permissions, and object ownership, but does not include RLS or a (better) method for configuring host-based authentication parameters. Currently, these parameters can only be modified by manually changing the
Excellent work @srhickma !!!
Enable support for roles and permissions.
In particular, the following commands:
- CREATE/DROP/ALTER ROLE
- GRANT/REVOKE
- SET ROLE
- SET SESSION AUTHORIZATION