Skip to content

Commit 77ea4f9

Browse files
committed
Grant memory views to pg_read_all_stats.
Grant privileges on views pg_backend_memory_contexts and pg_shmem_allocations to the role pg_read_all_stats. Also grant on the underlying functions that those views depend on. Author: Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com> Reviewed-by: Nathan Bossart <bossartn@amazon.com> Discussion: https://postgr.es/m/CALj2ACWAZo3Ar_EVsn2Zf9irG+hYK3cmh1KWhZS_Od45nd01RA@mail.gmail.com
1 parent 8af57ad commit 77ea4f9

File tree

5 files changed

+81
-3
lines changed

5 files changed

+81
-3
lines changed

doc/src/sgml/catalogs.sgml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9916,7 +9916,8 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l
99169916

99179917
<para>
99189918
By default, the <structname>pg_backend_memory_contexts</structname> view can be
9919-
read only by superusers.
9919+
read only by superusers or members of the <literal>pg_read_all_stats</literal>
9920+
role.
99209921
</para>
99219922
</sect1>
99229923

@@ -12746,7 +12747,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
1274612747

1274712748
<para>
1274812749
By default, the <structname>pg_shmem_allocations</structname> view can be
12749-
read only by superusers.
12750+
read only by superusers or members of the <literal>pg_read_all_stats</literal>
12751+
role.
1275012752
</para>
1275112753
</sect1>
1275212754

src/backend/catalog/system_views.sql

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -621,13 +621,17 @@ CREATE VIEW pg_shmem_allocations AS
621621
SELECT * FROM pg_get_shmem_allocations();
622622

623623
REVOKE ALL ON pg_shmem_allocations FROM PUBLIC;
624+
GRANT SELECT ON pg_shmem_allocations TO pg_read_all_stats;
624625
REVOKE EXECUTE ON FUNCTION pg_get_shmem_allocations() FROM PUBLIC;
626+
GRANT EXECUTE ON FUNCTION pg_get_shmem_allocations() TO pg_read_all_stats;
625627

626628
CREATE VIEW pg_backend_memory_contexts AS
627629
SELECT * FROM pg_get_backend_memory_contexts();
628630

629631
REVOKE ALL ON pg_backend_memory_contexts FROM PUBLIC;
632+
GRANT SELECT ON pg_backend_memory_contexts TO pg_read_all_stats;
630633
REVOKE EXECUTE ON FUNCTION pg_get_backend_memory_contexts() FROM PUBLIC;
634+
GRANT EXECUTE ON FUNCTION pg_get_backend_memory_contexts() TO pg_read_all_stats;
631635

632636
-- Statistics views
633637

src/include/catalog/catversion.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,6 @@
5353
*/
5454

5555
/* yyyymmddN */
56-
#define CATALOG_VERSION_NO 202110271
56+
#define CATALOG_VERSION_NO 202110272
5757

5858
#endif

src/test/regress/expected/privileges.out

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2413,3 +2413,50 @@ REVOKE TRUNCATE ON lock_table FROM regress_locktable_user;
24132413
-- clean up
24142414
DROP TABLE lock_table;
24152415
DROP USER regress_locktable_user;
2416+
-- test to check privileges of system views pg_shmem_allocations and
2417+
-- pg_backend_memory_contexts.
2418+
-- switch to superuser
2419+
\c -
2420+
CREATE ROLE regress_readallstats;
2421+
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- no
2422+
has_table_privilege
2423+
---------------------
2424+
f
2425+
(1 row)
2426+
2427+
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- no
2428+
has_table_privilege
2429+
---------------------
2430+
f
2431+
(1 row)
2432+
2433+
GRANT pg_read_all_stats TO regress_readallstats;
2434+
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- yes
2435+
has_table_privilege
2436+
---------------------
2437+
t
2438+
(1 row)
2439+
2440+
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- yes
2441+
has_table_privilege
2442+
---------------------
2443+
t
2444+
(1 row)
2445+
2446+
-- run query to ensure that functions within views can be executed
2447+
SET ROLE regress_readallstats;
2448+
SELECT COUNT(*) >= 0 AS ok FROM pg_backend_memory_contexts;
2449+
ok
2450+
----
2451+
t
2452+
(1 row)
2453+
2454+
SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations;
2455+
ok
2456+
----
2457+
t
2458+
(1 row)
2459+
2460+
RESET ROLE;
2461+
-- clean up
2462+
DROP ROLE regress_readallstats;

src/test/regress/sql/privileges.sql

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1476,3 +1476,28 @@ REVOKE TRUNCATE ON lock_table FROM regress_locktable_user;
14761476
-- clean up
14771477
DROP TABLE lock_table;
14781478
DROP USER regress_locktable_user;
1479+
1480+
-- test to check privileges of system views pg_shmem_allocations and
1481+
-- pg_backend_memory_contexts.
1482+
1483+
-- switch to superuser
1484+
\c -
1485+
1486+
CREATE ROLE regress_readallstats;
1487+
1488+
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- no
1489+
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- no
1490+
1491+
GRANT pg_read_all_stats TO regress_readallstats;
1492+
1493+
SELECT has_table_privilege('regress_readallstats','pg_backend_memory_contexts','SELECT'); -- yes
1494+
SELECT has_table_privilege('regress_readallstats','pg_shmem_allocations','SELECT'); -- yes
1495+
1496+
-- run query to ensure that functions within views can be executed
1497+
SET ROLE regress_readallstats;
1498+
SELECT COUNT(*) >= 0 AS ok FROM pg_backend_memory_contexts;
1499+
SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations;
1500+
RESET ROLE;
1501+
1502+
-- clean up
1503+
DROP ROLE regress_readallstats;

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy