Open marcocitus opened 3 years ago
There also appears to be an issue with table ownership on distributed tables. (readonly and readwrite already exist) as the postgres user:
create role schemaadmin;
grant readwrite to schemaadmin;
grant schemaadmin to a;
grant schemaadmin to b;
create schema if not exists temporary authorization schemaadmin;
grant usage on schema temporary to public;
revoke create on schema temporary from public;
grant select on all tables in schema temporary to readonly;
grant select on all sequences in schema temporary to readonly;
grant usage on schema temporary to readonly;
alter default privileges in schema temporary grant select on tables to readonly;
alter default privileges in schema temporary grant select on sequences to readonly;
grant select on all tables in schema temporary to readonly;
grant select on all sequences in schema temporary to readonly;
grant usage on schema temporary to readonly;
alter default privileges in schema temporary grant select on tables to readonly;
alter default privileges in schema temporary grant select on sequences to readonly;
grant insert, update, delete on all tables in schema temporary to readwrite;
grant usage on all sequences in schema temporary to readwrite;
alter default privileges in schema temporary grant insert, update, delete on tables to readwrite;
alter default privileges in schema temporary grant usage on sequences to readwrite;
Then when logging in as user a and executing:
create unlogged table if not exists temporary.token_temp as table token limit 0;
alter table if exists temporary.token_temp owner to schemaadmin;
select create_distributed_table('temporary.token_temp', 'token_id', colocate_with => 'token');
I am able to successfully
truncate temporary.token_temp
as user a but when i attempt to login with user b I get the following error on the coordinator:
ERROR: failure on connection marked as essential: 10.224.0.6:7433```
and on the worker i see
ERROR: permission denied for table nft_temp
STATEMENT: SET citus.enable_ddl_propagation TO 'off';
LOCK temporary.nft_temp IN ACCESS EXCLUSIVE MODE;
SET citus.enable_ddl_propagation TO 'on'
This only happens for distributed tables.
The following DDL/utility commands are currently not propagated to worker nodes by Citus:
Database-level statements:
Schema-level statements:
ALTER SCHEMA .. OWNER TO ..
```sql create schema my_schema; create role non_super_user_role; alter schema my_schema owner to non_super_user_role ; SELECT pg_get_userbyid(nspowner) AS schema_owner FROM pg_namespace WHERE nspname = 'my_schema'; ┌─────────────────────┐ │ schema_owner │ ├─────────────────────┤ │ non_super_user_role │ └─────────────────────┘ select result from run_command_on_workers ($$ SELECT pg_get_userbyid(nspowner) AS schema_owner FROM pg_namespace WHERE nspname = 'my_schema' $$); ┌─────────────┐ │ result │ ├─────────────┤ │ onurctirtir │ │ onurctirtir │ └─────────────┘ (2 rows) ```Table-level statements:
Session-level statements:
System-level statements (may be outside of Citus scope):
Statements that are typically only used by extensions (which are already propagated):
Statements work as intended, but could have a distributed implementation: