On Mon, Feb 12, 2024 at 09:49:45AM -0600, Nathan Bossart wrote: > Okay. I'll plan on committing this in the next few days.
Here is what I have staged for commit. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
>From bfe542c5d7b3c981e75ac6551abb34fbdf646eea Mon Sep 17 00:00:00 2001 From: Nathan Bossart <nat...@postgresql.org> Date: Tue, 13 Feb 2024 15:12:36 -0600 Subject: [PATCH v2 1/1] Allow pg_monitor to execute pg_current_logfile(). We allow roles with privileges of pg_monitor to execute functions like pg_ls_logdir(), so it seems natural that such roles would also be able to execute this function. Bumps catversion. Co-authored-by: Pavlo Golub Discussion: https://postgr.es/m/CAK7ymcLmEYWyQkiCZ64WC-HCzXAB0omM%3DYpj9B3rXe8vUAFMqw%40mail.gmail.com --- doc/src/sgml/func.sgml | 5 +++++ src/backend/catalog/system_functions.sql | 4 ++++ src/include/catalog/catversion.h | 2 +- src/test/regress/expected/misc_functions.out | 20 ++++++++++++++++++++ src/test/regress/sql/misc_functions.sql | 11 +++++++++++ 5 files changed, 41 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index 11d537b341..c4e5b4967e 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml @@ -23735,6 +23735,11 @@ SELECT * FROM pg_ls_dir('.') WITH ORDINALITY AS t(ls,n); <xref linkend="guc-log-destination"/>. The result reflects the contents of the <filename>current_logfiles</filename> file. + </para> + <para> + This function is restricted to superusers and roles with privileges of + the <literal>pg_monitor</literal> role by default, but other users can + be granted EXECUTE to run the function. </para></entry> </row> diff --git a/src/backend/catalog/system_functions.sql b/src/backend/catalog/system_functions.sql index 346cfb98a0..fe2bb50f46 100644 --- a/src/backend/catalog/system_functions.sql +++ b/src/backend/catalog/system_functions.sql 
@@ -777,6 +777,10 @@ GRANT EXECUTE ON FUNCTION pg_ls_logicalmapdir() TO pg_monitor; GRANT EXECUTE ON FUNCTION pg_ls_replslotdir(text) TO pg_monitor; +GRANT EXECUTE ON FUNCTION pg_current_logfile() TO pg_monitor; + +GRANT EXECUTE ON FUNCTION pg_current_logfile(text) TO pg_monitor; + GRANT pg_read_all_settings TO pg_monitor; GRANT pg_read_all_stats TO pg_monitor; diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h index 9fc8ac9290..80a4c19565 100644 --- a/src/include/catalog/catversion.h +++ b/src/include/catalog/catversion.h @@ -57,6 +57,6 @@ */ /* yyyymmddN */ -#define CATALOG_VERSION_NO 202401301 +#define CATALOG_VERSION_NO 202402131 #endif diff --git a/src/test/regress/expected/misc_functions.out b/src/test/regress/expected/misc_functions.out index 7c15477104..d5f61dfad9 100644 --- a/src/test/regress/expected/misc_functions.out +++ b/src/test/regress/expected/misc_functions.out @@ -683,3 +683,23 @@ SELECT gist_stratnum_identity(18::smallint); 18 (1 row) +-- pg_current_logfile +CREATE ROLE regress_current_logfile; +-- not available by default +SELECT has_function_privilege('regress_current_logfile', + 'pg_current_logfile()', 'EXECUTE'); + has_function_privilege +------------------------ + f +(1 row) + +GRANT pg_monitor TO regress_current_logfile; +-- role has privileges of pg_monitor and can execute the function +SELECT has_function_privilege('regress_current_logfile', + 'pg_current_logfile()', 'EXECUTE'); + has_function_privilege +------------------------ + t +(1 row) + +DROP ROLE regress_current_logfile; diff --git a/src/test/regress/sql/misc_functions.sql b/src/test/regress/sql/misc_functions.sql index 851dad90f4..928b04db7f 100644 --- a/src/test/regress/sql/misc_functions.sql +++ b/src/test/regress/sql/misc_functions.sql 
@@ -254,3 +254,14 @@ FROM pg_walfile_name_offset('0/0'::pg_lsn + :segment_size - 1),
 -- test stratnum support functions
 SELECT gist_stratnum_identity(3::smallint);
 SELECT gist_stratnum_identity(18::smallint);
+
+-- pg_current_logfile
+CREATE ROLE regress_current_logfile;
+-- not available by default
+SELECT has_function_privilege('regress_current_logfile',
+ 'pg_current_logfile()', 'EXECUTE');
+GRANT pg_monitor TO regress_current_logfile;
+-- role has privileges of pg_monitor and can execute the function
+SELECT has_function_privilege('regress_current_logfile',
+ 'pg_current_logfile()', 'EXECUTE');
+DROP ROLE regress_current_logfile;
-- 
2.25.1
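Review bot: The two privilege checks cover only the zero-argument signature `pg_current_logfile()`, while the same commit also grants EXECUTE on `pg_current_logfile(text)` in system_functions.sql, so a missing default restriction or a dropped grant on the one-argument overload would go unnoticed by this test. Adding `SELECT has_function_privilege('regress_current_logfile', 'pg_current_logfile(text)', 'EXECUTE');` after each existing check, once before and once after `GRANT pg_monitor TO regress_current_logfile;`, would pin both overloads. The expected output in misc_functions.out would need the matching `f` and `t` result rows.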