Fix SHOW ALL command for non-superusers with replication connection

michaelpq · michaelpq · commit ab359624b4c1 · 2019-04-15T12:35:02.000+09:00
Since Postgres 10, SHOW commands can be triggered with replication connections in a WAL sender context, however it missed that a transaction context is needed for syscache lookups. This commit makes sure that the syscache lookups can happen correctly by setting a transaction context when running SHOW commands in a WAL sender. Superuser-only parameters can be displayed using SHOW commands not only to superusers, but also to members of system role pg_read_all_settings, which requires a syscache lookup to check if the connected role is a member of this system role or not, or the instance crashes. Superusers do not need to check the syscache so it worked correctly in this case. New tests are added to cover this issue. Reported-by: Alexander Kukushkin Author: Michael Paquier Reviewed-by: Álvaro Herrera Discussion: https://postgr.es/m/15734-2daa8761eeed8e20@postgresql.org Backpatch-through: 10
diff --git a/src/backend/replication/walsender.c b/src/backend/replication/walsender.c
@@ -1548,7 +1548,10 @@ exec_replication_command(const char *cmd_string)
 				DestReceiver *dest = CreateDestReceiver(DestRemoteSimple);
 				VariableShowStmt *n = (VariableShowStmt *) cmd_node;
 
+				/* syscache access needs a transaction environment */
+				StartTransactionCommand();
 				GetPGVariable(n->name, dest);
+				CommitTransactionCommand();
 			}
 			break;
 
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
@@ -412,7 +412,8 @@ sub init
 
 	TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N',
 		@{ $params{extra} });
-	TestLib::system_or_bail($ENV{PG_REGRESS}, '--config-auth', $pgdata);
+	TestLib::system_or_bail($ENV{PG_REGRESS}, '--config-auth', $pgdata,
+		@{ $params{auth_extra} });
 
 	open my $conf, '>>', "$pgdata/postgresql.conf";
 	print $conf "\n# Added by PostgresNode.pm\n";
diff --git a/src/test/recovery/t/001_stream_rep.pl b/src/test/recovery/t/001_stream_rep.pl
@@ -3,11 +3,14 @@
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 26;
+use Test::More tests => 32;
 
 # Initialize master node
 my $node_master = get_new_node('master');
-$node_master->init(allows_streaming => 1);
+# A specific role is created to perform some tests related to replication,
+# and it needs proper authentication configuration.
+$node_master->init(allows_streaming => 1,
+	auth_extra => ['--create-role', 'repl_role']);
 $node_master->start;
 my $backup_name = 'my_backup';
 
@@ -115,6 +118,55 @@ sub test_target_session_attrs
 test_target_session_attrs($node_standby_1, $node_master, $node_standby_1,
 	"any", 0);
 
+# Test for SHOW commands using a WAL sender connection with a replication
+# role.
+note "testing SHOW commands for replication connection";
+
+$node_master->psql('postgres',"
+CREATE ROLE repl_role REPLICATION LOGIN;
+GRANT pg_read_all_settings TO repl_role;");
+my $master_host = $node_master->host;
+my $master_port = $node_master->port;
+my $connstr_common = "host=$master_host port=$master_port user=repl_role";
+my $connstr_rep = "$connstr_common replication=1";
+my $connstr_db = "$connstr_common replication=database dbname=postgres";
+
+# Test SHOW ALL
+my ($ret, $stdout, $stderr) =
+    $node_master->psql('postgres', 'SHOW ALL;',
+		       on_error_die => 1,
+		       extra_params => [ '-d', $connstr_rep ]);
+ok($ret == 0, "SHOW ALL with replication role and physical replication");
+($ret, $stdout, $stderr) =
+    $node_master->psql('postgres', 'SHOW ALL;',
+		       on_error_die => 1,
+		       extra_params => [ '-d', $connstr_db ]);
+ok($ret == 0, "SHOW ALL with replication role and logical replication");
+
+# Test SHOW with a user-settable parameter
+($ret, $stdout, $stderr) =
+    $node_master->psql('postgres', 'SHOW work_mem;',
+		       on_error_die => 1,
+		       extra_params => [ '-d', $connstr_rep ]);
+ok($ret == 0, "SHOW with user-settable parameter, replication role and physical replication");
+($ret, $stdout, $stderr) =
+    $node_master->psql('postgres', 'SHOW work_mem;',
+		       on_error_die => 1,
+		       extra_params => [ '-d', $connstr_db ]);
+ok($ret == 0, "SHOW with user-settable parameter, replication role and logical replication");
+
+# Test SHOW with a superuser-settable parameter
+($ret, $stdout, $stderr) =
+    $node_master->psql('postgres', 'SHOW data_directory;',
+		       on_error_die => 1,
+		       extra_params => [ '-d', $connstr_rep ]);
+ok($ret == 0, "SHOW with superuser-settable parameter, replication role and physical replication");
+($ret, $stdout, $stderr) =
+    $node_master->psql('postgres', 'SHOW data_directory;',
+		       on_error_die => 1,
+		       extra_params => [ '-d', $connstr_db ]);
+ok($ret == 0, "SHOW with superuser-settable parameter, replication role and logical replication");
+
 note "switching to physical replication slot";
 
 # Switch to using a physical replication slot. We can do this without a new

Original file line number	Diff line number	Diff line change
`@@ -1548,7 +1548,10 @@ exec_replication_command(const char *cmd_string)`
`1548`	`1548`	`DestReceiver *dest = CreateDestReceiver(DestRemoteSimple);`
`1549`	`1549`	`VariableShowStmt n = (VariableShowStmt ) cmd_node;`
`1550`	`1550`
	`1551`	`+ /* syscache access needs a transaction environment */`
	`1552`	`+ StartTransactionCommand();`
`1551`	`1553`	`GetPGVariable(n->name, dest);`
	`1554`	`+ CommitTransactionCommand();`
`1552`	`1555`	`}`
`1553`	`1556`	`break;`
`1554`	`1557`