1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
-- This is borderline unsafe in that an additional login-capable user exists
-- during the test run. Under installcheck, a too-permissive pg_hba.conf
-- might allow unwanted logins as regress_authenticated_user_ssa.
-- Setup catalog state.
ALTER USER regress_authenticated_user_db_ssa superuser;
ALTER USER regress_authenticated_user_ssa superuser;
CREATE ROLE regress_session_user;
CREATE ROLE regress_current_user;
GRANT regress_current_user TO regress_authenticated_user_db_sr;
GRANT regress_current_user TO regress_authenticated_user_sr;
GRANT regress_session_user TO regress_authenticated_user_db_ssa;
GRANT regress_session_user TO regress_authenticated_user_ssa;
DO $$BEGIN EXECUTE format(
'ALTER DATABASE %I SET session_authorization = regress_session_user',
current_catalog); END$$;
ALTER ROLE regress_authenticated_user_ssa
SET session_authorization = regress_session_user;
ALTER ROLE regress_authenticated_user_sr SET ROLE = regress_current_user;
-- Test ALTER DATABASE consequences
-- The longstanding historical behavior is that session_authorization in
-- setconfig has no effect. Hence, session_user remains
-- regress_authenticated_user_ssa. See comment in InitializeSessionUserId().
\c - regress_authenticated_user_db_ssa
SELECT current_user, session_user;
current_user | session_user
-----------------------------------+-----------------------------------
regress_authenticated_user_db_ssa | regress_authenticated_user_db_ssa
(1 row)
-- We document "The DEFAULT and RESET forms reset the session and current user
-- identifiers to be the originally authenticated user name." If we let
-- session_authorization in setconfig have an effect, we'll need to decide
-- whether to make RESET differ from DEFAULT.
RESET SESSION AUTHORIZATION;
SELECT current_user, session_user;
current_user | session_user
-----------------------------------+-----------------------------------
regress_authenticated_user_db_ssa | regress_authenticated_user_db_ssa
(1 row)
DO $$BEGIN
EXECUTE format(
'ALTER DATABASE %I RESET session_authorization', current_catalog);
EXECUTE format(
'ALTER DATABASE %I SET role = regress_current_user', current_catalog);
END$$;
\c - regress_authenticated_user_db_sr
SELECT current_user, session_user;
current_user | session_user
----------------------+----------------------------------
regress_current_user | regress_authenticated_user_db_sr
(1 row)
-- Back to superuser, to reverse ALTER DATABASE
\c - regress_authenticated_user_db_ssa
SELECT current_user, session_user;
current_user | session_user
----------------------+-----------------------------------
regress_current_user | regress_authenticated_user_db_ssa
(1 row)
SET ROLE NONE;
DO $$BEGIN EXECUTE format(
'ALTER DATABASE %I RESET role', current_catalog); END$$;
-- Test connection string options
\c -reuse-previous=on "user=regress_authenticated_user_db_sr options=-crole=regress_current_user"
SELECT current_user, session_user;
current_user | session_user
----------------------+----------------------------------
regress_current_user | regress_authenticated_user_db_sr
(1 row)
-- As above, session_authorization has no effect.
\c -reuse-previous=on "user=regress_authenticated_user_db_ssa options=-csession_authorization=regress_session_user"
SELECT current_user, session_user;
current_user | session_user
-----------------------------------+-----------------------------------
regress_authenticated_user_db_ssa | regress_authenticated_user_db_ssa
(1 row)
-- Test ALTER ROLE consequences
\c -reuse-previous=on "user=regress_authenticated_user_sr options="
SELECT current_user, session_user;
current_user | session_user
----------------------+-------------------------------
regress_current_user | regress_authenticated_user_sr
(1 row)
-- As above, session_authorization has no effect.
\c - regress_authenticated_user_ssa
SELECT current_user, session_user;
current_user | session_user
--------------------------------+--------------------------------
regress_authenticated_user_ssa | regress_authenticated_user_ssa
(1 row)
RESET SESSION AUTHORIZATION;
DROP USER regress_session_user;
DROP USER regress_current_user;
|
