diff options
| author | Michael Paquier <michael@paquier.xyz> | 2019-04-12 10:46:43 +0900 |
|---|---|---|
| committer | Michael Paquier <michael@paquier.xyz> | 2019-04-12 10:46:43 +0900 |
| commit | d4e2a843e6d6f325c070ee80a0c117ec11675e74 (patch) | |
| tree | edcf3fc156aca9ff9c1421672fd2b3ff04456d55 | |
| parent | d527fda6216780281b90f48820ae978c61c7905c (diff) | |
Switch TAP tests of pg_rewind to use a role with minimal permissions
Up to now the tests of pg_rewind have been using a superuser for all the
tests (which is the default of many tests actually, and something that
ought to be reviewed) when involving an online source server, still it
is possible to use a non-superuser role to do that as long as this role
is granted permissions to execute all the source-side functions used for
the rewind. This is possible since v11, and was already documented as
of bfc8068.
This will allow to catch up easily any change in pg_rewind if the tool
begins to use more backend-side functions, so as the properties
introduced by v11 are kept.
Per suggestion from Peter Eisentraut.
Author: Michael Paquier
Reviewed-by: Magnus Hagander
Discussion: https://postgr.es/m/20190411041336.GM2728@paquier.xyz
| -rw-r--r-- | src/bin/pg_rewind/t/RewindTest.pm | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/bin/pg_rewind/t/RewindTest.pm b/src/bin/pg_rewind/t/RewindTest.pm index 900d452d8b7..946d6623f50 100644 --- a/src/bin/pg_rewind/t/RewindTest.pm +++ b/src/bin/pg_rewind/t/RewindTest.pm @@ -144,6 +144,20 @@ sub start_master { $node_master->start; + # Create a custom role which will be used to run pg_rewind. This + # role is used for all the tests, and has minimal permissions enough + # to rewind from an online source. + $node_master->psql('postgres', " + CREATE ROLE rewind_user LOGIN; + GRANT EXECUTE ON function pg_catalog.pg_ls_dir(text, boolean, boolean) + TO rewind_user; + GRANT EXECUTE ON function pg_catalog.pg_stat_file(text, boolean) + TO rewind_user; + GRANT EXECUTE ON function pg_catalog.pg_read_binary_file(text) + TO rewind_user; + GRANT EXECUTE ON function pg_catalog.pg_read_binary_file(text, bigint, bigint, boolean) + TO rewind_user;"); + #### Now run the test-specific parts to initialize the master before setting # up standby @@ -207,6 +221,9 @@ sub run_pg_rewind my $standby_connstr = $node_standby->connstr('postgres'); my $tmp_folder = TestLib::tempdir; + # Append the rewind-specific role to the connection string. + $standby_connstr = "$standby_connstr user=rewind_user"; + # Stop the master and be ready to perform the rewind $node_master->stop; |