首页 项目目录 关于我们
Sign In
rust
/
Materialize
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
Materialize
/
test
/
sqllogictest
/
role_membership.slt

role_membership.slt 16 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932 
  1. # Copyright Materialize, Inc. and contributors. All rights reserved.
    2. 

  2. #
    3. 

  3. # Use of this software is governed by the Business Source License
    4. 

  4. # included in the LICENSE file at the root of this repository.
    5. 

  5. #
    6. 

  6. # As of the Change Date specified in that file, in accordance with
    7. 

  7. # the Business Source License, use of this software will be governed
    8. 

  8. # by the Apache License, Version 2.0.
    9. 

  9. 

  10. mode cockroach
    11. 

  11. 

  12. reset-server
    13. 

  13. 

  14. # Give materialize the CREATEROLE system privilege.
    15. 

  15. simple conn=mz_system,user=mz_system
    16. 

  16. GRANT CREATEROLE ON SYSTEM TO materialize;
    17. 

  17. ----
    18. 

  18. COMPLETE 0
    19. 

  19. 

  20. statement ok
    21. 

  21. CREATE VIEW role_members AS
    22. 

  22.   SELECT
    23. 

  23.     role.name AS role,
    24. 

  24.     member.name AS member,
    25. 

  25.     grantor.name AS grantor
    26. 

  26.   FROM mz_role_members membership
    27. 

  27.   LEFT JOIN mz_roles role ON membership.role_id = role.id
    28. 

  28.   LEFT JOIN mz_roles member ON membership.member = member.id
    29. 

  29.   LEFT JOIN mz_roles grantor ON membership.grantor = grantor.id
    30. 

  30. 

  31. statement ok
    32. 

  32. CREATE ROLE joe
    33. 

  33. 

  34. statement ok
    35. 

  35. CREATE ROLE group1
    36. 

  36. 

  37. query TTT rowsort
    38. 

  38. SELECT * FROM role_members
    39. 

  39. ----
    40. 

  40. 

  41. query B rowsort
    42. 

  42. SELECT pg_has_role('joe', 'group1', 'USAGE')
    43. 

  43. ----
    44. 

  44. false
    45. 

  45. 

  46. query B rowsort
    47. 

  47. SELECT has_role('joe', 'group1', 'USAGE')
    48. 

  48. ----
    49. 

  49. false
    50. 

  50. 

  51. query B rowsort
    52. 

  52. SELECT pg_has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), 'group1', 'USAGE')
    53. 

  53. ----
    54. 

  54. false
    55. 

  55. 

  56. query B rowsort
    57. 

  57. SELECT has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), 'group1', 'USAGE')
    58. 

  58. ----
    59. 

  59. false
    60. 

  60. 

  61. query B rowsort
    62. 

  62. SELECT pg_has_role('joe', (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    63. 

  63. ----
    64. 

  64. false
    65. 

  65. 

  66. query B rowsort
    67. 

  67. SELECT has_role('joe', (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    68. 

  68. ----
    69. 

  69. false
    70. 

  70. 

  71. query B rowsort
    72. 

  72. SELECT pg_has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    73. 

  73. ----
    74. 

  74. false
    75. 

  75. 

  76. query B rowsort
    77. 

  77. SELECT has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    78. 

  78. ----
    79. 

  79. false
    80. 

  80. 

  81. statement ok
    82. 

  82. GRANT group1 TO joe
    83. 

  83. 

  84. query TTT rowsort
    85. 

  85. SELECT * FROM role_members
    86. 

  86. ----
    87. 

  87. group1  joe  mz_system
    88. 

  88. 

  89. query B rowsort
    90. 

  90. SELECT pg_has_role('joe', 'group1', 'USAGE')
    91. 

  91. ----
    92. 

  92. true
    93. 

  93. 

  94. query B rowsort
    95. 

  95. SELECT has_role('joe', 'group1', 'USAGE')
    96. 

  96. ----
    97. 

  97. true
    98. 

  98. 

  99. query B rowsort
    100. 

  100. SELECT pg_has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), 'group1', 'USAGE')
    101. 

  101. ----
    102. 

  102. true
    103. 

  103. 

  104. query B rowsort
    105. 

  105. SELECT has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), 'group1', 'USAGE')
    106. 

  106. ----
    107. 

  107. true
    108. 

  108. 

  109. query B rowsort
    110. 

  110. SELECT pg_has_role('joe', (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    111. 

  111. ----
    112. 

  112. true
    113. 

  113. 

  114. query B rowsort
    115. 

  115. SELECT has_role('joe', (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    116. 

  116. ----
    117. 

  117. true
    118. 

  118. 

  119. query B rowsort
    120. 

  120. SELECT pg_has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    121. 

  121. ----
    122. 

  122. true
    123. 

  123. 

  124. query B rowsort
    125. 

  125. SELECT has_role((SELECT oid FROM mz_roles WHERE name = 'joe'), (SELECT oid FROM mz_roles WHERE name = 'group1'), 'USAGE')
    126. 

  126. ----
    127. 

  127. true
    128. 

  128. 

  129. # Dropping a role also removes it from role_members
    130. 

  130. simple conn=mz_system,user=mz_system
    131. 

  131. DROP ROLE group1
    132. 

  132. ----
    133. 

  133. COMPLETE 0
    134. 

  134. 

  135. query TTT rowsort
    136. 

  136. SELECT * FROM mz_role_members
    137. 

  137. ----
    138. 

  138. 

  139. statement ok
    140. 

  140. CREATE ROLE group1
    141. 

  141. 

  142. query B rowsort
    143. 

  143. SELECT pg_has_role('joe', 'group1', 'USAGE')
    144. 

  144. ----
    145. 

  145. false
    146. 

  146. 

  147. query B rowsort
    148. 

  148. SELECT has_role('joe', 'group1', 'USAGE')
    149. 

  149. ----
    150. 

  150. false
    151. 

  151. 

  152. statement ok
    153. 

  153. GRANT group1 TO joe
    154. 

  154. 

  155. query TTT rowsort
    156. 

  156. SELECT * FROM role_members
    157. 

  157. ----
    158. 

  158. group1  joe  mz_system
    159. 

  159. 

  160. query B rowsort
    161. 

  161. SELECT pg_has_role('joe', 'group1', 'USAGE')
    162. 

  162. ----
    163. 

  163. true
    164. 

  164. 

  165. query B rowsort
    166. 

  166. SELECT has_role('joe', 'group1', 'USAGE')
    167. 

  167. ----
    168. 

  168. true
    169. 

  169. 

  170. # Dropped roles have their membership revoked
    171. 

  171. 

  172. simple conn=mz_system,user=mz_system
    173. 

  173. DROP ROLE joe
    174. 

  174. ----
    175. 

  175. COMPLETE 0
    176. 

  176. 

  177. query TTT rowsort
    178. 

  178. SELECT * FROM mz_role_members
    179. 

  179. ----
    180. 

  180. 

  181. statement ok
    182. 

  182. CREATE ROLE joe
    183. 

  183. 

  184. statement ok
    185. 

  185. GRANT group1 TO joe
    186. 

  186. 

  187. statement ok
    188. 

  188. CREATE ROLE group2
    189. 

  189. 

  190. simple conn=mz_system,user=mz_system
    191. 

  191. GRANT group2 TO joe
    192. 

  192. ----
    193. 

  193. COMPLETE 0
    194. 

  194. 

  195. query TTT rowsort
    196. 

  196. SELECT * FROM role_members
    197. 

  197. ----
    198. 

  198. group1  joe  mz_system
    199. 

  199. group2  joe  mz_system
    200. 

  200. 

  201. query B rowsort
    202. 

  202. SELECT pg_has_role('joe', 'group1', 'USAGE')
    203. 

  203. ----
    204. 

  204. true
    205. 

  205. 

  206. query B rowsort
    207. 

  207. SELECT has_role('joe', 'group1', 'USAGE')
    208. 

  208. ----
    209. 

  209. true
    210. 

  210. 

  211. query B rowsort
    212. 

  212. SELECT pg_has_role('joe', 'group2', 'USAGE')
    213. 

  213. ----
    214. 

  214. true
    215. 

  215. 

  216. query B rowsort
    217. 

  217. SELECT has_role('joe', 'group2', 'USAGE')
    218. 

  218. ----
    219. 

  219. true
    220. 

  220. 

  221. query B rowsort
    222. 

  222. SELECT pg_has_role('group1', 'group2', 'USAGE')
    223. 

  223. ----
    224. 

  224. false
    225. 

  225. 

  226. query B rowsort
    227. 

  227. SELECT has_role('group1', 'group2', 'USAGE')
    228. 

  228. ----
    229. 

  229. false
    230. 

  230. 

  231. statement ok
    232. 

  232. GRANT group2 TO group1
    233. 

  233. 

  234. query TTT rowsort
    235. 

  235. SELECT * FROM role_members
    236. 

  236. ----
    237. 

  237. group1  joe     mz_system
    238. 

  238. group2  joe     mz_system
    239. 

  239. group2  group1  mz_system
    240. 

  240. 

  241. query B rowsort
    242. 

  242. SELECT pg_has_role('joe', 'group1', 'USAGE')
    243. 

  243. ----
    244. 

  244. true
    245. 

  245. 

  246. query B rowsort
    247. 

  247. SELECT has_role('joe', 'group1', 'USAGE')
    248. 

  248. ----
    249. 

  249. true
    250. 

  250. 

  251. query B rowsort
    252. 

  252. SELECT pg_has_role('joe', 'group2', 'USAGE')
    253. 

  253. ----
    254. 

  254. true
    255. 

  255. 

  256. query B rowsort
    257. 

  257. SELECT has_role('joe', 'group2', 'USAGE')
    258. 

  258. ----
    259. 

  259. true
    260. 

  260. 

  261. query B rowsort
    262. 

  262. SELECT pg_has_role('group1', 'group2', 'USAGE')
    263. 

  263. ----
    264. 

  264. true
    265. 

  265. 

  266. query B rowsort
    267. 

  267. SELECT has_role('group1', 'group2', 'USAGE')
    268. 

  268. ----
    269. 

  269. true
    270. 

  270. 

  271. # Redundant grants don't error or show up multiple times in mz_role_membership or change the grantor
    272. 

  272. simple conn=mz_system,user=mz_system
    273. 

  273. GRANT group1 TO joe
    274. 

  274. ----
    275. 

  275. COMPLETE 0
    276. 

  276. 

  277. query TTT rowsort
    278. 

  278. SELECT * FROM role_members
    279. 

  279. ----
    280. 

  280. group1  joe     mz_system
    281. 

  281. group2  joe     mz_system
    282. 

  282. group2  group1  mz_system
    283. 

  283. 

  284. # Test circular membership errors
    285. 

  285. 

  286. statement error role "joe" is a member of role "joe"
    287. 

  287. GRANT joe TO joe
    288. 

  288. 

  289. statement error role "joe" is a member of role "group1"
    290. 

  290. GRANT joe TO group1
    291. 

  291. 

  292. statement ok
    293. 

  293. REVOKE group1 FROM joe
    294. 

  294. 

  295. query TTT rowsort
    296. 

  296. SELECT * FROM role_members
    297. 

  297. ----
    298. 

  298. group2  joe     mz_system
    299. 

  299. group2  group1  mz_system
    300. 

  300. 

  301. query B rowsort
    302. 

  302. SELECT pg_has_role('joe', 'group2', 'USAGE')
    303. 

  303. ----
    304. 

  304. true
    305. 

  305. 

  306. query B rowsort
    307. 

  307. SELECT has_role('joe', 'group2', 'USAGE')
    308. 

  308. ----
    309. 

  309. true
    310. 

  310. 

  311. query B rowsort
    312. 

  312. SELECT pg_has_role('joe', 'group1', 'USAGE')
    313. 

  313. ----
    314. 

  314. false
    315. 

  315. 

  316. query B rowsort
    317. 

  317. SELECT has_role('joe', 'group1', 'USAGE')
    318. 

  318. ----
    319. 

  319. false
    320. 

  320. 

  321. query B rowsort
    322. 

  322. SELECT pg_has_role('group1', 'joe', 'USAGE')
    323. 

  323. ----
    324. 

  324. false
    325. 

  325. 

  326. query B rowsort
    327. 

  327. SELECT has_role('group1', 'joe', 'USAGE')
    328. 

  328. ----
    329. 

  329. false
    330. 

  330. 

  331. query B rowsort
    332. 

  332. SELECT pg_has_role('group1', 'group2', 'USAGE')
    333. 

  333. ----
    334. 

  334. true
    335. 

  335. 

  336. query B rowsort
    337. 

  337. SELECT has_role('group1', 'group2', 'USAGE')
    338. 

  338. ----
    339. 

  339. true
    340. 

  340. 

  341. query B rowsort
    342. 

  342. SELECT pg_has_role('group2', 'joe', 'USAGE')
    343. 

  343. ----
    344. 

  344. false
    345. 

  345. 

  346. query B rowsort
    347. 

  347. SELECT has_role('group2', 'joe', 'USAGE')
    348. 

  348. ----
    349. 

  349. false
    350. 

  350. 

  351. query B rowsort
    352. 

  352. SELECT pg_has_role('group2', 'group1', 'USAGE')
    353. 

  353. ----
    354. 

  354. false
    355. 

  355. 

  356. query B rowsort
    357. 

  357. SELECT has_role('group2', 'group1', 'USAGE')
    358. 

  358. ----
    359. 

  359. false
    360. 

  360. 

  361. # Redundant revokes don't error
    362. 

  362. 

  363. statement ok
    364. 

  364. REVOKE group1 FROM joe
    365. 

  365. 

  366. query TTT rowsort
    367. 

  367. SELECT * FROM role_members
    368. 

  368. ----
    369. 

  369. group2  joe     mz_system
    370. 

  370. group2  group1  mz_system
    371. 

  371. 

  372. # Dropped roles are revoked from all members
    373. 

  373. 

  374. statement ok
    375. 

  375. DROP ROLE group2
    376. 

  376. 

  377. query TTT rowsort
    378. 

  378. SELECT * FROM mz_role_members
    379. 

  379. ----
    380. 

  380. 

  381. query TTT rowsort
    382. 

  382. SELECT * FROM role_members
    383. 

  383. ----
    384. 

  384. 

  385. # Dropped roles have their membership revoked
    386. 

  386. 

  387. statement ok
    388. 

  388. DROP ROLE joe
    389. 

  389. 

  390. query TTT rowsort
    391. 

  391. SELECT * FROM role_members
    392. 

  392. ----
    393. 

  393. 

  394. statement ok
    395. 

  395. CREATE ROLE joe
    396. 

  396. 

  397. # Cannot grant or revoke system role
    398. 

  398. 

  399. statement error db error: ERROR: role name "mz_system" cannot be granted
    400. 

  400. GRANT mz_system TO joe
    401. 

  401. 

  402. statement error role name "mz_system" is reserved
    403. 

  403. GRANT joe TO mz_system
    404. 

  404. 

  405. statement error db error: ERROR: role name "mz_system" cannot be granted
    406. 

  406. REVOKE mz_system FROM joe
    407. 

  407. 

  408. statement error role name "mz_system" is reserved
    409. 

  409. REVOKE joe FROM mz_system
    410. 

  410. 

  411. # Prevent granting and revoking to/from PUBLIC role
    412. 

  412. 

  413. statement error role name "public" is reserved
    414. 

  414. GRANT group1 TO public
    415. 

  415. 

  416. statement error db error: ERROR: role name "public" cannot be granted
    417. 

  417. GRANT public TO group1
    418. 

  418. 

  419. statement error role name "public" is reserved
    420. 

  420. REVOKE group1 FROM public
    421. 

  421. 

  422. statement error db error: ERROR: role name "public" cannot be granted
    423. 

  423. REVOKE public FROM group1
    424. 

  424. 

  425. statement ok
    426. 

  426. DROP ROLE group1
    427. 

  427. 

  428. statement ok
    429. 

  429. DROP ROLE joe
    430. 

  430. 

  431. # SHOW ROLES/USERS
    432. 

  432. query TT rowsort
    433. 

  433. show roles
    434. 

  434. ----
    435. 

  435. materialize (empty)
    436. 

  436. 

  437. query TT rowsort
    438. 

  438. show users
    439. 

  439. ----
    440. 

  440. materialize (empty)
    441. 

  441. 

  442. # Test grant/revoke multiple roles
    443. 

  443. 

  444. statement ok
    445. 

  445. CREATE ROLE joe
    446. 

  446. 

  447. statement ok
    448. 

  448. CREATE ROLE group1
    449. 

  449. 

  450. statement ok
    451. 

  451. CREATE ROLE group2
    452. 

  452. 

  453. statement ok
    454. 

  454. CREATE ROLE group3
    455. 

  455. 

  456. statement error unknown role 'bob'
    457. 

  457. GRANT group3 TO joe, group1, bob
    458. 

  458. 

  459. query TTT rowsort
    460. 

  460. SELECT * FROM role_members
    461. 

  461. ----
    462. 

  462. 

  463. statement error role name "mz_system" is reserved
    464. 

  464. GRANT group3 TO joe, group1, mz_system
    465. 

  465. 

  466. query TTT rowsort
    467. 

  467. SELECT * FROM role_members
    468. 

  468. ----
    469. 

  469. 

  470. statement ok
    471. 

  471. GRANT group3 TO joe, group1
    472. 

  472. 

  473. query TTT rowsort
    474. 

  474. SELECT * FROM role_members
    475. 

  475. ----
    476. 

  476. group3  joe     mz_system
    477. 

  477. group3  group1  mz_system
    478. 

  478. 

  479. statement error role "joe" is a member of role "group3"
    480. 

  480. GRANT joe TO group1, group3
    481. 

  481. 

  482. query TTT rowsort
    483. 

  483. SELECT * FROM role_members
    484. 

  484. ----
    485. 

  485. group3  joe     mz_system
    486. 

  486. group3  group1  mz_system
    487. 

  487. 

  488. statement ok
    489. 

  489. GRANT group3 TO group1, group2
    490. 

  490. 

  491. query TTT rowsort
    492. 

  492. SELECT * FROM role_members
    493. 

  493. ----
    494. 

  494. group3  joe     mz_system
    495. 

  495. group3  group1  mz_system
    496. 

  496. group3  group2  mz_system
    497. 

  497. 

  498. statement error unknown role 'bob'
    499. 

  499. REVOKE group3 FROM joe, group1, bob
    500. 

  500. 

  501. query TTT rowsort
    502. 

  502. SELECT * FROM role_members
    503. 

  503. ----
    504. 

  504. group3  joe     mz_system
    505. 

  505. group3  group1  mz_system
    506. 

  506. group3  group2  mz_system
    507. 

  507. 

  508. statement error role name "mz_system" is reserved
    509. 

  509. REVOKE group3 FROM joe, group1, mz_system
    510. 

  510. 

  511. query TTT rowsort
    512. 

  512. SELECT * FROM role_members
    513. 

  513. ----
    514. 

  514. group3  joe     mz_system
    515. 

  515. group3  group1  mz_system
    516. 

  516. group3  group2  mz_system
    517. 

  517. 

  518. statement ok
    519. 

  519. REVOKE group3 FROM joe, group1
    520. 

  520. 

  521. query TTT rowsort
    522. 

  522. SELECT * FROM role_members
    523. 

  523. ----
    524. 

  524. group3  group2  mz_system
    525. 

  525. 

  526. statement ok
    527. 

  527. REVOKE group3 FROM joe, group2
    528. 

  528. 

  529. query TTT rowsort
    530. 

  530. SELECT * FROM role_members
    531. 

  531. ----
    532. 

  532. 

  533. # Test pg_auth_members
    534. 

  534. 

  535. statement ok
    536. 

  536. GRANT group3 TO joe, group1, group2
    537. 

  537. 

  538. statement ok
    539. 

  539. GRANT group1 TO joe
    540. 

  540. 

  541. query I rowsort
    542. 

  542. SELECT COUNT(*) FROM pg_auth_members
    543. 

  543. ----
    544. 

  544. 4
    545. 

  545. 

  546. query TTTB rowsort
    547. 

  547. SELECT role.name, member.name, grantor.name, members.admin_option
    548. 

  548. FROM pg_auth_members members
    549. 

  549. LEFT JOIN mz_roles role ON members.roleid = role.oid
    550. 

  550. LEFT JOIN mz_roles member ON members.member = member.oid
    551. 

  551. LEFT JOIN mz_roles grantor ON members.grantor = grantor.oid
    552. 

  552. ----
    553. 

  553. group1  joe     mz_system  false
    554. 

  554. group3  joe     mz_system  false
    555. 

  555. group3  group1  mz_system  false
    556. 

  556. group3  group2  mz_system  false
    557. 

  557. 

  558. statement ok
    559. 

  559. DROP ROLE group1, group2, group3, joe
    560. 

  560. 

  561. statement ok
    562. 

  562. CREATE ROLE joe
    563. 

  563. 

  564. statement ok
    565. 

  565. CREATE ROLE mike
    566. 

  566. 

  567. statement ok
    568. 

  568. CREATE ROLE group1
    569. 

  569. 

  570. statement ok
    571. 

  571. CREATE ROLE group2
    572. 

  572. 

  573. statement ok
    574. 

  574. GRANT group1, group2 TO joe, mike
    575. 

  575. 

  576. query TTTB rowsort
    577. 

  577. SELECT role.name, member.name, grantor.name, members.admin_option
    578. 

  578. FROM pg_auth_members members
    579. 

  579. LEFT JOIN mz_roles role ON members.roleid = role.oid
    580. 

  580. LEFT JOIN mz_roles member ON members.member = member.oid
    581. 

  581. LEFT JOIN mz_roles grantor ON members.grantor = grantor.oid
    582. 

  582. ----
    583. 

  583. group1  joe     mz_system  false
    584. 

  584. group2  joe     mz_system  false
    585. 

  585. group1  mike    mz_system  false
    586. 

  586. group2  mike    mz_system  false
    587. 

  587. 

  588. statement ok
    589. 

  589. REVOKE group1, group2 FROM joe, mike
    590. 

  590. 

  591. query TTTB rowsort
    592. 

  592. SELECT role.name, member.name, grantor.name, members.admin_option
    593. 

  593. FROM pg_auth_members members
    594. 

  594. LEFT JOIN mz_roles role ON members.roleid = role.oid
    595. 

  595. LEFT JOIN mz_roles member ON members.member = member.oid
    596. 

  596. LEFT JOIN mz_roles grantor ON members.grantor = grantor.oid
    597. 

  597. ----
    598. 

  598. 

  599. statement ok
    600. 

  600. DROP ROLE group1, group2, joe, mike
    601. 

  601. 

  602. 

  603. # Test recursive check of pg_has_role
    604. 

  604. 

  605. simple conn=mz_system,user=mz_system
    606. 

  606. CREATE ROLE group1;
    607. 

  607. ----
    608. 

  608. COMPLETE 0
    609. 

  609. 

  610. simple conn=mz_system,user=mz_system
    611. 

  611. CREATE ROLE group2;
    612. 

  612. ----
    613. 

  613. COMPLETE 0
    614. 

  614. 

  615. simple conn=mz_system,user=mz_system
    616. 

  616. CREATE ROLE joe;
    617. 

  617. ----
    618. 

  618. COMPLETE 0
    619. 

  619. 

  620. simple conn=mz_system,user=mz_system
    621. 

  621. CREATE ROLE other;
    622. 

  622. ----
    623. 

  623. COMPLETE 0
    624. 

  624. 

  625. 

  626. simple conn=mz_system,user=mz_system
    627. 

  627. GRANT group1 to joe;
    628. 

  628. ----
    629. 

  629. COMPLETE 0
    630. 

  630. 

  631. simple conn=mz_system,user=mz_system
    632. 

  632. GRANT group2 to group1;
    633. 

  633. ----
    634. 

  634. COMPLETE 0
    635. 

  635. 

  636. simple conn=mz_system,user=mz_system
    637. 

  637. GRANT group1 to other;
    638. 

  638. ----
    639. 

  639. COMPLETE 0
    640. 

  640. 

  641. query B rowsort
    642. 

  642. SELECT pg_has_role('joe', 'group2', 'USAGE')
    643. 

  643. ----
    644. 

  644. true
    645. 

  645. 

  646. query B rowsort
    647. 

  647. SELECT has_role('joe', 'group2', 'USAGE')
    648. 

  648. ----
    649. 

  649. true
    650. 

  650. 

  651. query B rowsort
    652. 

  652. SELECT pg_has_role('joe', 'group1', 'USAGE')
    653. 

  653. ----
    654. 

  654. true
    655. 

  655. 

  656. query B rowsort
    657. 

  657. SELECT has_role('joe', 'group1', 'USAGE')
    658. 

  658. ----
    659. 

  659. true
    660. 

  660. 

  661. query B rowsort
    662. 

  662. SELECT pg_has_role('group1', 'joe', 'USAGE')
    663. 

  663. ----
    664. 

  664. false
    665. 

  665. 

  666. query B rowsort
    667. 

  667. SELECT has_role('group1', 'joe', 'USAGE')
    668. 

  668. ----
    669. 

  669. false
    670. 

  670. 

  671. query B rowsort
    672. 

  672. SELECT pg_has_role('group1', 'group2', 'USAGE')
    673. 

  673. ----
    674. 

  674. true
    675. 

  675. 

  676. query B rowsort
    677. 

  677. SELECT has_role('group1', 'group2', 'USAGE')
    678. 

  678. ----
    679. 

  679. true
    680. 

  680. 

  681. query B rowsort
    682. 

  682. SELECT pg_has_role('group2', 'joe', 'USAGE')
    683. 

  683. ----
    684. 

  684. false
    685. 

  685. 

  686. query B rowsort
    687. 

  687. SELECT has_role('group2', 'joe', 'USAGE')
    688. 

  688. ----
    689. 

  689. false
    690. 

  690. 

  691. query B rowsort
    692. 

  692. SELECT pg_has_role('group2', 'group1', 'USAGE')
    693. 

  693. ----
    694. 

  694. false
    695. 

  695. 

  696. query B rowsort
    697. 

  697. SELECT has_role('group2', 'group1', 'USAGE')
    698. 

  698. ----
    699. 

  699. false
    700. 

  700. 

  701. simple conn=mz_system,user=mz_system
    702. 

  702. DROP ROLE group1, group2, joe, other;
    703. 

  703. ----
    704. 

  704. COMPLETE 0
    705. 

  705. 

  706. # Test two input variant of pg_has_role.
    707. 

  707. 

  708. simple conn=mz_system,user=mz_system
    709. 

  709. CREATE ROLE group1;
    710. 

  710. ----
    711. 

  711. COMPLETE 0
    712. 

  712. 

  713. query B rowsort
    714. 

  714. SELECT pg_has_role('group1', 'USAGE')
    715. 

  715. ----
    716. 

  716. false
    717. 

  717. 

  718. query B rowsort
    719. 

  719. SELECT has_role('group1', 'USAGE')
    720. 

  720. ----
    721. 

  721. false
    722. 

  722. 

  723. query B rowsort
    724. 

  724. SELECT pg_has_role('group1', 'MEMBER')
    725. 

  725. ----
    726. 

  726. false
    727. 

  727. 

  728. query B rowsort
    729. 

  729. SELECT has_role('group1', 'MEMBER')
    730. 

  730. ----
    731. 

  731. false
    732. 

  732. 

  733. simple conn=mz_system,user=mz_system
    734. 

  734. GRANT group1 TO materialize
    735. 

  735. ----
    736. 

  736. COMPLETE 0
    737. 

  737. 

  738. query B rowsort
    739. 

  739. SELECT pg_has_role('group1', 'USAGE')
    740. 

  740. ----
    741. 

  741. true
    742. 

  742. 

  743. query B rowsort
    744. 

  744. SELECT has_role('group1', 'USAGE')
    745. 

  745. ----
    746. 

  746. true
    747. 

  747. 

  748. query B rowsort
    749. 

  749. SELECT pg_has_role('group1', 'MEMBER')
    750. 

  750. ----
    751. 

  751. true
    752. 

  752. 

  753. query B rowsort
    754. 

  754. SELECT has_role('group1', 'MEMBER')
    755. 

  755. ----
    756. 

  756. true
    757. 

  757. 

  758. simple conn=mz_system,user=mz_system
    759. 

  759. REVOKE group1 FROM materialize
    760. 

  760. ----
    761. 

  761. COMPLETE 0
    762. 

  762. 

  763. query B rowsort
    764. 

  764. SELECT pg_has_role('group1', 'USAGE')
    765. 

  765. ----
    766. 

  766. false
    767. 

  767. 

  768. query B rowsort
    769. 

  769. SELECT has_role('group1', 'USAGE')
    770. 

  770. ----
    771. 

  771. false
    772. 

  772. 

  773. query B rowsort
    774. 

  774. SELECT pg_has_role('group1', 'MEMBER')
    775. 

  775. ----
    776. 

  776. false
    777. 

  777. 

  778. query B rowsort
    779. 

  779. SELECT has_role('group1', 'MEMBER')
    780. 

  780. ----
    781. 

  781. false
    782. 

  782. 

  783. simple conn=mz_system,user=mz_system
    784. 

  784. DROP ROLE group1
    785. 

  785. ----
    786. 

  786. COMPLETE 0
    787. 

  787. 

  788. # Test pg_has_role error scenarios.
    789. 

  789. 

  790. ## If any input is NULL then the result is NULL.
    791. 

  791. 

  792. query B rowsort
    793. 

  793. SELECT pg_has_role(NULL, 'materialize', 'USAGE')
    794. 

  794. ----
    795. 

  795. NULL
    796. 

  796. 

  797. query B rowsort
    798. 

  798. SELECT has_role(NULL, 'materialize', 'USAGE')
    799. 

  799. ----
    800. 

  800. NULL
    801. 

  801. 

  802. query B rowsort
    803. 

  803. SELECT pg_has_role('materialize', NULL, 'MEMBER')
    804. 

  804. ----
    805. 

  805. NULL
    806. 

  806. 

  807. query B rowsort
    808. 

  808. SELECT has_role('materialize', NULL, 'MEMBER')
    809. 

  809. ----
    810. 

  810. NULL
    811. 

  811. 

  812. query B rowsort
    813. 

  813. SELECT pg_has_role('materialize', 'materialize', NULL)
    814. 

  814. ----
    815. 

  815. NULL
    816. 

  816. 

  817. query B rowsort
    818. 

  818. SELECT has_role('materialize', 'materialize', NULL)
    819. 

  819. ----
    820. 

  820. NULL
    821. 

  821. 

  822. ## If any of the text inputs are invalid then the query should error.
    823. 

  823. 

  824. query error role "fake-role" does not exist
    825. 

  825. SELECT pg_has_role('fake-role', 'materialize', 'USAGE')
    826. 

  826. 

  827. query error role "fake-role" does not exist
    828. 

  828. SELECT pg_has_role('materialize', 'fake-role', 'USAGE')
    829. 

  829. 

  830. query error unrecognized privilege type: "fake privilege"
    831. 

  831. SELECT pg_has_role('materialize', 'materialize', 'fake privilege')
    832. 

  832. 

  833. ## If any of the oid inputs are invalid then the query should be false.
    834. 

  834. 

  835. query B rowsort
    836. 

  836. SELECT pg_has_role(((SELECT MAX(oid::int8) FROM mz_roles) + 1)::text::oid, 'materialize', 'MEMBER')
    837. 

  837. ----
    838. 

  838. false
    839. 

  839. 

  840. query B rowsort
    841. 

  841. SELECT has_role(((SELECT MAX(oid::int8) FROM mz_roles) + 1)::text::oid, 'materialize', 'MEMBER')
    842. 

  842. ----
    843. 

  843. false
    844. 

  844. 

  845. query B rowsort
    846. 

  846. SELECT pg_has_role('materialize', ((SELECT MAX(oid::int8) FROM mz_roles) + 1)::text::oid, 'USAGE')
    847. 

  847. ----
    848. 

  848. false
    849. 

  849. 

  850. query B rowsort
    851. 

  851. SELECT has_role('materialize', ((SELECT MAX(oid::int8) FROM mz_roles) + 1)::text::oid, 'USAGE')
    852. 

  852. ----
    853. 

  853. false
    854. 

  854. 

  855. ## Public role isn't accepted
    856. 

  856. 

  857. query error role "public" does not exist
    858. 

  858. SELECT pg_has_role('materialize', 'public', 'USAGE')
    859. 

  859. 

  860. query error role "public" does not exist
    861. 

  861. SELECT pg_has_role('public', 'materialize', 'USAGE')
    862. 

  862. 

  863. # Test information_schema.applicable_roles
    864. 

  864. 

  865. statement ok
    866. 

  866. CREATE ROLE r1
    867. 

  867. 

  868. statement ok
    869. 

  869. CREATE ROLE r2
    870. 

  870. 

  871. statement ok
    872. 

  872. CREATE ROLE r3
    873. 

  873. 

  874. statement ok
    875. 

  875. CREATE ROLE r4
    876. 

  876. 

  877. statement ok
    878. 

  878. GRANT r2 TO r1
    879. 

  879. 

  880. statement ok
    881. 

  881. GRANT r3 TO r2
    882. 

  882. 

  883. statement ok
    884. 

  884. GRANT r3 TO r4
    885. 

  885. 

  886. simple conn=r1,user=r1
    887. 

  887. SELECT * FROM information_schema.applicable_roles
    888. 

  888. ----
    889. 

  889. r1,r2,NO
    890. 

  890. r2,r3,NO
    891. 

  891. COMPLETE 2
    892. 

  892. 

  893. simple conn=mz_system,user=mz_system
    894. 

  894. SELECT * FROM information_schema.applicable_roles
    895. 

  895. ----
    896. 

  896. r1,r2,NO
    897. 

  897. r2,r3,NO
    898. 

  898. r4,r3,NO
    899. 

  899. COMPLETE 3
    900. 

  900. 

  901. simple conn=r1,user=r1,rowsort
    902. 

  902. SELECT * FROM information_schema.enabled_roles
    903. 

  903. ----
    904. 

  904. r1
    905. 

  905. r2
    906. 

  906. r3
    907. 

  907. COMPLETE 3
    908. 

  908. 

  909. simple conn=mz_system,user=mz_system,rowsort
    910. 

  910. SELECT * FROM information_schema.enabled_roles
    911. 

  911. ----
    912. 

  912. r1
    913. 

  913. r2
    914. 

  914. r3
    915. 

  915. r4
    916. 

  916. mz_system
    917. 

  917. mz_monitor
    918. 

  918. mz_support
    919. 

  919. materialize
    920. 

  920. mz_analytics
    921. 

  921. mz_monitor_redacted
    922. 

  922. COMPLETE 10
    923. 

  923. 

  924. statement ok
    925. 

  925. DROP ROLE r1, r2, r3, r4
    926. 

  926. 

  927. # Disable RBAC checks
    928. 

  928. 

  929. simple conn=mz_system,user=mz_system
    930. 

  930. ALTER SYSTEM SET enable_rbac_checks TO false;
    931. 

  931. ----
    932. 

  932. COMPLETE 0
    933.