diff options
| author | Michael Paquier | 2019-04-14 09:47:51 +0000 |
|---|---|---|
| committer | Michael Paquier | 2019-04-14 09:47:51 +0000 |
| commit | d9f543e9e9be15f92abdeaf870e57ef289020191 (patch) | |
| tree | 9cedbab7e7bd6363c389d5604ec066c35dfd7f41 | |
| parent | 9daefff1226087602d25837b6b30154b3a916ea8 (diff) | |
Switch TAP tests of pg_rewind to use non-superuser role, take two
Up to now the tests of pg_rewind have been using a superuser for all its
tests (which is the default of many tests actually, and something that
ought to be reviewed) when involving an online source server, still it
is possible to use a non-superuser role to do that as long as this role
is granted permissions to execute all the source-side functions used for
the rewind. This is possible since v11, and was already documented as
of bfc8068.
PostgresNode::init is extended so as callers of this routine can add
extra options to configure the authentication of a new node, which gets
used by this commit, and allows the tests to work properly on Windows
where SSPI is used.
This will allow to catch up easily any change in pg_rewind if the tool
begins to use more backend-side functions, so as the properties
introduced by v11 are kept.
Per suggestion from Peter Eisentraut.
Author: Michael Paquier
Reviewed-by: Magnus Hagander
Discussion: https://postgr.es/m/[email protected]
| -rw-r--r-- | src/bin/pg_rewind/t/RewindTest.pm | 23 | ||||
| -rw-r--r-- | src/test/perl/PostgresNode.pm | 3 |
2 files changed, 24 insertions, 2 deletions
diff --git a/src/bin/pg_rewind/t/RewindTest.pm b/src/bin/pg_rewind/t/RewindTest.pm index 900d452d8b..f477ffab1d 100644 --- a/src/bin/pg_rewind/t/RewindTest.pm +++ b/src/bin/pg_rewind/t/RewindTest.pm @@ -129,7 +129,12 @@ sub setup_cluster # Initialize master, data checksums are mandatory $node_master = get_new_node('master' . ($extra_name ? "_${extra_name}" : '')); - $node_master->init(allows_streaming => 1, extra => $extra); + + # Set up pg_hba.conf and pg_ident.conf for the role running + # pg_rewind. This role is used for all the tests, and has + # minimal permissions enough to rewind from an online source. + $node_master->init(allows_streaming => 1, extra => $extra, + auth_extra => ['--create-role', 'rewind_user']); # Set wal_keep_segments to prevent WAL segment recycling after enforced # checkpoints in the tests. @@ -144,6 +149,19 @@ sub start_master { $node_master->start; + # Create custom role which is used to run pg_rewind, and adjust its + # permissions to the minimum necessary. + $node_master->psql('postgres', " + CREATE ROLE rewind_user LOGIN; + GRANT EXECUTE ON function pg_catalog.pg_ls_dir(text, boolean, boolean) + TO rewind_user; + GRANT EXECUTE ON function pg_catalog.pg_stat_file(text, boolean) + TO rewind_user; + GRANT EXECUTE ON function pg_catalog.pg_read_binary_file(text) + TO rewind_user; + GRANT EXECUTE ON function pg_catalog.pg_read_binary_file(text, bigint, bigint, boolean) + TO rewind_user;"); + #### Now run the test-specific parts to initialize the master before setting # up standby @@ -207,6 +225,9 @@ sub run_pg_rewind my $standby_connstr = $node_standby->connstr('postgres'); my $tmp_folder = TestLib::tempdir; + # Append the rewind-specific role to the connection string. + $standby_connstr = "$standby_connstr user=rewind_user"; + # Stop the master and be ready to perform the rewind $node_master->stop; diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm index 61d78ad4c0..d29889d325 100644 --- a/src/test/perl/PostgresNode.pm +++ b/src/test/perl/PostgresNode.pm @@ -441,7 +441,8 @@ sub init TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N', @{ $params{extra} }); - TestLib::system_or_bail($ENV{PG_REGRESS}, '--config-auth', $pgdata); + TestLib::system_or_bail($ENV{PG_REGRESS}, '--config-auth', $pgdata, + @{ $params{auth_extra} }); open my $conf, '>>', "$pgdata/postgresql.conf"; print $conf "\n# Added by PostgresNode.pm\n"; |