citus icon indicating copy to clipboard operation
citus copied to clipboard
verified publisher icon citusdata

Table ownership not working for distributed tables

Open jnels124 opened this issue 2 years ago • 1 comments

There appears to be an issue with table ownership on distributed tables. Creating a table as a specific user and then assigning ownership of the table to another role only allows the original creator to execute commands like truncate. Other users that are members of this role are not able to do so. Commands work correctly for non distributed tables.

(readonly and readwrite already exist) as the postgres user:

create role schemaadmin;
    grant readwrite to schemaadmin;
    grant schemaadmin to a;
    grant schemaadmin to b;
    create schema if not exists temporary authorization schemaadmin;
    grant usage on schema temporary to public;
    revoke create on schema temporary from public;
    grant select on all tables in schema temporary to readonly;
    grant select on all sequences in schema temporary to readonly;
    grant usage on schema temporary to readonly;
    alter default privileges in schema temporary grant select on tables to readonly;
    alter default privileges in schema temporary grant select on sequences to readonly;

    grant select on all tables in schema temporary to readonly;
    grant select on all sequences in schema temporary to readonly;
    grant usage on schema temporary to readonly;
    alter default privileges in schema temporary grant select on tables to readonly;
    alter default privileges in schema temporary grant select on sequences to readonly;

    grant insert, update, delete on all tables in schema temporary to readwrite;
    grant usage on all sequences in schema temporary to readwrite;
    alter default privileges in schema temporary grant insert, update, delete on tables to readwrite;
    alter default privileges in schema temporary grant usage on sequences to readwrite;

Then when logging in as user a and executing:

create unlogged table if not exists temporary.token_temp as table token limit 0;
alter table if exists temporary.token_temp owner to schemaadmin;
select create_distributed_table('temporary.token_temp', 'token_id', colocate_with => 'token');

I am able to successfully

truncate temporary.token_temp

as user a but when i attempt to login with user b I get the following error on the coordinator:

ERROR:  failure on connection marked as essential: 10.224.0.6:7433```

and on the worker i see

ERROR:  permission denied for table nft_temp
STATEMENT:  SET citus.enable_ddl_propagation TO 'off';
	LOCK temporary.nft_temp IN ACCESS EXCLUSIVE MODE;
	SET citus.enable_ddl_propagation TO 'on'

This only happens for distributed tables.

jnels124 avatar Dec 13 '23 14:12 jnels124

ALTER DEFAULT PRIVILEGES is currently not propagated to workers (https://github.com/citusdata/citus/issues/7144). I'm pretty sure that's the cause of the issue you're seeing.

JelteF avatar Dec 13 '23 14:12 JelteF