rust/neon
1
0
Fork 0
mirror of https://github.com/neondatabase/neon.git synced 2026-01-03 19:42:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0dbe55180288bc87e159cfd3f0b8fca8aaea6204
neon/test_runner/regress/test_role_grants.py
Conrad Ludgate 5cd7f936f9 fix(neon-rls): optimistically assume role grants are already assigned for replicas (#11811) 
## Problem

Read replicas cannot grant permissions for roles for Neon RLS. Usually
the permission is already granted, so we can optimistically check. See
INC-509

## Summary of changes

Perform a permission lookup prior to actually executing any grants.
2025-05-09 07:48:30 +00:00

49 lines
1.8 KiB
Python
Raw Blame History

import psycopg2
from fixtures.neon_fixtures import NeonEnv
def test_role_grants(neon_simple_env: NeonEnv):
"""basic test for the endpoint that grants permissions for a role against a schema"""
env = neon_simple_env
env.create_branch("test_role_grants")
endpoint = env.endpoints.create_start("test_role_grants")
endpoint.safe_psql("CREATE DATABASE test_role_grants")
endpoint.safe_psql("CREATE SCHEMA IF NOT EXISTS test_schema", dbname="test_role_grants")
endpoint.safe_psql("CREATE ROLE test_role WITH LOGIN", dbname="test_role_grants")
# confirm we do not yet have access
pg_conn = endpoint.connect(dbname="test_role_grants", user="test_role")
with pg_conn.cursor() as cur:
try:
cur.execute('CREATE TABLE "test_schema"."test_table" (id integer primary key)')
raise ValueError("create table should not succeed")
except psycopg2.errors.InsufficientPrivilege:
pass
except BaseException as e:
raise e
client = endpoint.http_client()
res = client.set_role_grants(
"test_role_grants", "test_role", "test_schema", ["CREATE", "USAGE"]
)
# confirm we have access
with pg_conn.cursor() as cur:
cur.execute('CREATE TABLE "test_schema"."test_table" (id integer primary key)')
cur.execute('INSERT INTO "test_schema"."test_table" (id) VALUES (1)')
cur.execute('SELECT id from "test_schema"."test_table"')
res = cur.fetchall()
assert res == [(1,)], "select should not succeed"
# confirm that replicas can also ensure the grants are correctly set.
replica = env.endpoints.new_replica_start(endpoint)
replica_client = replica.http_client()
replica_client.set_role_grants(
"test_role_grants", "test_role", "test_schema", ["CREATE", "USAGE"]
)
Reference in New Issue View Git Blame Copy Permalink