Fixing Orca permission issue bug introduced during 8.3. merge #121649891

93b0e47a · Venkatesh (Venky) Raghavan · 45f26708 · 93b0e47a · 93b0e47a · 93b0e47a
6 changed file
--- a/src/backend/executor/execMain.c
+++ b/src/backend/executor/execMain.c
@@ -132,8 +132,6 @@ static void ExecSelect(TupleTableSlot *slot,

 static TupleTableSlot *EvalPlanQualNext(EState *estate);
 static void EndEvalPlanQual(EState *estate);
-static void ExecCheckRTPerms(List *rangeTable);
-static void ExecCheckRTEPerms(RangeTblEntry *rte);
 static void ExecCheckXactReadOnly(PlannedStmt *plannedstmt);
 static void EvalPlanQualStart(evalPlanQual *epq, EState *estate,
 				  evalPlanQual *priorepq);
@@ -147,6 +145,9 @@ static void intorel_destroy(DestReceiver *self);

 static void FillSliceTable(EState *estate, PlannedStmt *stmt);

+void ExecCheckRTPerms(List *rangeTable);
+void ExecCheckRTEPerms(RangeTblEntry *rte);
+
 /*
 * For a partitioned insert target only:  
 * This type represents an entry in the per-part hash table stored at
@@ -1219,7 +1220,7 @@ ExecutorRewind(QueryDesc *queryDesc)
 * ExecCheckRTPerms
 *		Check access permissions for all relations listed in a range table.
 */
-static void
+void
 ExecCheckRTPerms(List *rangeTable)
 {
 	ListCell   *l;
@@ -1234,7 +1235,7 @@ ExecCheckRTPerms(List *rangeTable)
 * ExecCheckRTEPerms
 *		Check access permissions for a single RTE.
 */
-static void
+void
 ExecCheckRTEPerms(RangeTblEntry *rte)
 {
 	AclMode		requiredPerms;
@@ -1283,7 +1284,6 @@ ExecCheckRTEPerms(RangeTblEntry *rte)
 	}
 }

-
 /*
 * This function is used to check if the current statement will perform any writes.
 * It is used to enforce:

--- a/src/backend/gpopt/gpdbwrappers.cpp
+++ b/src/backend/gpopt/gpdbwrappers.cpp
@@ -2850,9 +2850,6 @@ gpdb::ICdbHashList
 }

 // check permissions on range table
-// GPDB_83_MERGE_FIXME: This is a no-op, because we do these permission
-// checks in the executor. I think we can remove this, but I wish someone
-// would confirm.
 void
 gpdb::CheckRTPermissions
 	(
@@ -2861,7 +2858,7 @@ gpdb::CheckRTPermissions
 {
 	GP_WRAP_START;
 	{
-		//ExecCheckRTPerms(plRangeTable);	
+		ExecCheckRTPerms(plRangeTable);
 		return;
 	}
 	GP_WRAP_END;

--- a/src/backend/gpopt/translate/CTranslatorQueryToDXL.cpp
+++ b/src/backend/gpopt/translate/CTranslatorQueryToDXL.cpp
@@ -475,8 +475,11 @@ CTranslatorQueryToDXL::PdrgpdxlnCTE() const
 CDXLNode *
 CTranslatorQueryToDXL::PdxlnFromQueryInternal()
 {
-	// GPDB_83_MERGE_FIXME: Why do we check permissions here? The executor
-	// will do it anyway...
+	// The parsed query contains an RTE for the view, which is maintained all the way through planned statement.
+	// This entries is annotated as requiring SELECT permissions for the current user.
+	// In Orca, we only keep range table entries for the base tables in the planned statement, but not for the view itself.
+	// Since permissions are only checked during ExecutorStart, we lose track of the permissions required for the view and the select goes through successfully.
+	// We therefore need to check permissions before we go into optimization for all RTEs, including the ones not explicitly referred in the query, e.g. views.
 	CTranslatorUtils::CheckRTEPermissions(m_pquery->rtable);
 	
 	CDXLNode *pdxlnChild = NULL;

--- a/src/include/gpopt/utils/gpdbdefs.h
+++ b/src/include/gpopt/utils/gpdbdefs.h
@@ -98,6 +98,12 @@ TupleTableSlot *ExecutorRun(QueryDesc *pqueryDesc, ScanDirection direction, long
 extern
 void ExecutorEnd(QueryDesc *pqueryDesc);

+extern
+void ExecCheckRTPerms(List *rangeTable);
+
+extern
+void ExecCheckRTEPerms(RangeTblEntry *rte);
+
 } // end extern C



--- a/src/test/regress/expected/role.out
+++ b/src/test/regress/expected/role.out
@@ -84,3 +84,24 @@ NOTICE:  resource queue required -- using default resource queue "pg_default"
 -- OpenSSL SHA2 returning a different SHA2 to RSA BSAFE!
 --select rolname, rolpassword from pg_authid where rolname = 'sha256';
 drop role sha256;
+drop view if exists t1_view;
+NOTICE:  view "t1_view" does not exist, skipping
+drop table if exists t1;
+NOTICE:  table "t1" does not exist, skipping
+drop role if exists u1;
+drop role if exists superuser;
+create role superuser;
+NOTICE:  resource queue required -- using default resource queue "pg_default"
+create role u1;
+NOTICE:  resource queue required -- using default resource queue "pg_default"
+set role superuser;
+create table t1(a int, b int constraint c check (b>=100));
+NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 'a' as the Greenplum Database data distribution key for this table.
+HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make sure column(s) chosen are the optimal data distribution key to minimize skew.
+create view t1_view as select * from t1;
+grant all privileges on t1, t1_view to u1;
+set role superuser;
+revoke all privileges on TABLE t1, t1_view FROM u1;
+set role u1;
+select * from t1_view order by 1;
+ERROR:  permission denied for relation t1_view
--- a/src/test/regress/sql/role.sql
+++ b/src/test/regress/sql/role.sql
@@ -57,3 +57,21 @@ create role sha256 password 'abc';
 -- OpenSSL SHA2 returning a different SHA2 to RSA BSAFE!
 --select rolname, rolpassword from pg_authid where rolname = 'sha256';
 drop role sha256;
+
+drop view if exists t1_view;
+drop table if exists t1;
+
+drop role if exists u1;
+drop role if exists superuser;
+
+create role superuser;
+create role u1;
+set role superuser;
+
+create table t1(a int, b int constraint c check (b>=100));
+create view t1_view as select * from t1;
+grant all privileges on t1, t1_view to u1;
+set role superuser;
+revoke all privileges on TABLE t1, t1_view FROM u1;
+set role u1;
+select * from t1_view order by 1;
\ No newline at end of file