Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qm6rB-005fvu-Cq for pgsql-hackers@arkaria.postgresql.org; Fri, 29 Sep 2023 06:20:12 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qm6r8-002DVI-1o for pgsql-hackers@arkaria.postgresql.org; Fri, 29 Sep 2023 06:20:06 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qm6r6-002DV3-HA for pgsql-hackers@lists.postgresql.org; Fri, 29 Sep 2023 06:20:05 +0000 Received: from out5-smtp.messagingengine.com ([66.111.4.29]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qm6qx-008Dzt-FY for pgsql-hackers@lists.postgresql.org; Fri, 29 Sep 2023 06:20:03 +0000 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 276EE5C0340; Fri, 29 Sep 2023 02:19:53 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Fri, 29 Sep 2023 02:19:53 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm2; t=1695968393; x=1696054793; bh=7j 7zqJYPB2l/BP+vODABGQjgzzpdtsM6xrTAmBV1acQ=; b=h/q/qQ8HvD5nxMsVoM QP8W2ebzSc9sRRE8qm7qcp9q6IXZSNBc2S8uoCOy3xHOC25/LAeILHRs+Mqv8YS+ qXV6GTFwDgNUrNA5WahtrJObqqsbUptVIk6Y902L7/a/NxT3ZbqHvcEt7m48PwBG i5KJwGThQ/uA3DZqTbNmAy2YlU9i73h4GIiR5Mqbu7GQ/XVyeEQQ0ZQt4k6tP8kx 4EORqz2+GtOVx3n+wxK8TgZ4XMVwfOXG5PXsetGk6ZYajpSvNdzUeYyITiXcPlju fjtityy5EchyjVxkWlgWUd1oto3++NbkVXMoZyWiFXqUxsX6sVPhSlkipB00CCIn mtQA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; t=1695968393; x=1696054793; bh=7j7zqJYPB2l/B P+vODABGQjgzzpdtsM6xrTAmBV1acQ=; b=CrzFln7fvpMZVRSTpnbsY011CqjWC YbdcrmYbnI5KdF3hHzu11pC1GViSvi57EqfRDo1CzYTEPHinZHEOzf2GTXrfVI3V sz80zPTcCAKjsjtcfgJyLWgRpyYMhBrRDqjZs9OpNvxsIqoZ8ak2hpN/brolCPgd 86cb3z+j5QRqYosEMv+AXgiIorHPFT76fx1ce60QkR8gblu7o4H8nh8NnD8qjnUj u1eQ7enaS8rmmoa9LQtaSaZe8n/v4O60I6MM8EjTMSEEaJZOCtnE3CoOV9RtP1yb CbRq8E/PMeEabldlYV1siNsAovKJPTp6t/kJfa+Nmdd9QQLvaiG8LeuYA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrtddugddutdekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdljedtmdenucfjughrpeffhffvvefukfhfgggtuggjsehgtderredt tddvnecuhfhrohhmpefoihgthhgrvghlucfrrghquhhivghruceomhhitghhrggvlhesph grqhhuihgvrhdrgiihiieqnecuggftrfgrthhtvghrnhepteelieefudffhffhtdetleeg geegfffhkeeuveetiefgudduvedutefggeeivdejnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepmhhitghhrggvlhesphgrqhhuihgvrhdrgiih ii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 29 Sep 2023 02:19:51 -0400 (EDT) Date: Fri, 29 Sep 2023 15:19:47 +0900 From: Michael Paquier To: "Drouvot, Bertrand" Cc: PostgreSQL Hackers Subject: Re: Add a new BGWORKER_BYPASS_ROLELOGINCHECK flag Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="IptVjffxY4qoX+Y5" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --IptVjffxY4qoX+Y5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Sep 28, 2023 at 02:37:02PM +0200, Drouvot, Bertrand wrote: > This patch allows the role provided in BackgroundWorkerInitializeConnection() > and BackgroundWorkerInitializeConnectionByOid() to lack login authorization. Interesting. Yes, there would be use cases for that, I suppose. > + uint32 flags, > char *out_dbname) > { This may be more adapted with a bits32 for the flags. > +# Ask the background workers to connect with this role with the flag in place. > +$node->append_conf( > + 'postgresql.conf', q{ > +worker_spi.role = 'nologrole' > +worker_spi.bypass_login_check = true > +}); > +$node->restart; > + > +# An error message should not be issued. > +ok( !$node->log_contains( > + "role \"nologrole\" is not permitted to log in", $log_start), > + "nologrole allowed to connect if BGWORKER_BYPASS_ROLELOGINCHECK is set"); > + > done_testing(); It would be cheaper to use a dynamic background worker for such tests. Something that I've been tempted to do in this module is to extend the amount of data that's given to bgw_main_arg when launching a worker with worker_spi_launch(). How about extending the SQL function so as it is possible to give in input a role name (or a regrole), a database name (or a database OID) and a text[] for the flags? This would require a bit more refactoring, but this would be benefitial to show or one can pass down a full structure from the registration to the main() routine. On top of that, it would make the addition of the new GUCs worker_spi.bypass_login_check and worker_spi.role unnecessary. > +# return the size of logfile of $node in bytes > +sub get_log_size > +{ > + my ($node) = @_; > + > + return (stat $node->logfile)[7]; > +} Just use -s here. See other tests that want to check the contents of the logs from an offset. > - * Allow bypassing datallowconn restrictions when connecting to database > + * Allow bypassing datallowconn restrictions and login check when connecting > + * to database > */ > -#define BGWORKER_BYPASS_ALLOWCONN 1 > +#define BGWORKER_BYPASS_ALLOWCONN 0x0001 > +#define BGWORKER_BYPASS_ROLELOGINCHECK 0x0002 The structure of the patch is inconsistent. These flags are in bgworker.h, but they are used also by InitPostgres(). Perhaps a second boolean flag would be OK rather than a second set of flags for InitPostgres() mapping with the bgworker set. -- Michael --IptVjffxY4qoX+Y5 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmUWbIMACgkQnvQgOdby QH0OZw//QYfGWM70T9ynnnzTaRi6iJ69zgSUhCRQ522XT528X8CB+YMZ62SIxi64 lCSh6ddyPTw83kgP2navMDIoh7vvsBVllxxIaMCfJ/TVEs3d0Mpq14mDetZ+SMyH WWXZ7bBrwJth/FilbtvKqApp2JdKtY+tB0SF9NB0PX+YhCc2eebs/UgJD3HP2yrM rOZVskdMkiBrCS5XgyJd7j8QVyM0riZFN8FUAj+2sB8d7nK2/yG+BHrLiwfAHlFF 5PfmLUk2+R2txSsqCDzNN4KOMcCOhManmoAHidGfaQGWoy4NmUiocXyhG/AWwan4 QfTRhf79LSvIR98T7n0lpbrS7X4YknNiowpSSfVoaWEx9KIAAGf0CzV6O2HPzAuN EwPOgH/NdxwWxo0LmA1Sg7GFIbcO0yba82queuc28MdYE8IfdoYGh8qYDDJ+xUUA Wxbe5tJvoFrJQrLWYeejFfurkvVdfRxGQhCnwecXBXrbEELi1nTqOj4AkLO0Kd6T c1KtyZGbYD+9YByCuKViPwTKlUEbGXtb6hQvkd5LGIOjLT8gYFgk3G5tsac82V9o h2Azi0Uk391NNoE/X42IGdBKujHieO7rAj4pvSFdQW+v7r9FE+7MoRLeKwIaaGyH WebBH1hU6OlY9mZSsgzfBp5CZ14m4pRhw8eWp64kKciZenIMDeY= =43V4 -----END PGP SIGNATURE----- --IptVjffxY4qoX+Y5--