|
|
|
@ -2,10 +2,38 @@ CREATE EXTENSION IF NOT EXISTS pg_tde; |
|
|
|
|
CREATE USER regress_pg_tde_access_control; |
|
|
|
|
SET ROLE regress_pg_tde_access_control; |
|
|
|
|
-- should throw access denied |
|
|
|
|
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
ERROR: permission denied for function pg_tde_add_database_key_provider_file |
|
|
|
|
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault'); |
|
|
|
|
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider'); |
|
|
|
|
ERROR: permission denied for function pg_tde_set_key_using_database_key_provider |
|
|
|
|
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
ERROR: must be superuser to modify global key providers |
|
|
|
|
SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'global-file-provider'); |
|
|
|
|
ERROR: must be superuser to access global key providers |
|
|
|
|
SELECT pg_tde_set_server_key_using_global_key_provider('wal-key','global-file-provider'); |
|
|
|
|
ERROR: must be superuser to access global key providers |
|
|
|
|
SELECT pg_tde_set_default_key_using_global_key_provider('def-key', 'global-file-provider'); |
|
|
|
|
ERROR: must be superuser to access global key providers |
|
|
|
|
SELECT pg_tde_delete_database_key_provider('local-file-provider'); |
|
|
|
|
ERROR: permission denied for function pg_tde_delete_database_key_provider |
|
|
|
|
SELECT pg_tde_delete_global_key_provider('global-file-provider'); |
|
|
|
|
ERROR: must be superuser to modify global key providers |
|
|
|
|
SELECT pg_tde_list_all_database_key_providers(); |
|
|
|
|
ERROR: permission denied for function pg_tde_list_all_database_key_providers |
|
|
|
|
SELECT pg_tde_list_all_global_key_providers(); |
|
|
|
|
ERROR: permission denied for function pg_tde_list_all_global_key_providers |
|
|
|
|
SELECT pg_tde_key_info(); |
|
|
|
|
ERROR: permission denied for function pg_tde_key_info |
|
|
|
|
SELECT pg_tde_server_key_info(); |
|
|
|
|
ERROR: permission denied for function pg_tde_server_key_info |
|
|
|
|
SELECT pg_tde_default_key_info(); |
|
|
|
|
ERROR: permission denied for function pg_tde_default_key_info |
|
|
|
|
SELECT pg_tde_verify_key(); |
|
|
|
|
ERROR: permission denied for function pg_tde_verify_key |
|
|
|
|
SELECT pg_tde_verify_server_key(); |
|
|
|
|
ERROR: permission denied for function pg_tde_verify_server_key |
|
|
|
|
SELECT pg_tde_verify_default_key(); |
|
|
|
|
ERROR: permission denied for function pg_tde_verify_default_key |
|
|
|
|
RESET ROLE; |
|
|
|
|
SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control'); |
|
|
|
|
pg_tde_grant_database_key_management_to_role |
|
|
|
@ -21,42 +49,48 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control'); |
|
|
|
|
|
|
|
|
|
SET ROLE regress_pg_tde_access_control; |
|
|
|
|
-- should now be allowed |
|
|
|
|
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
pg_tde_add_database_key_provider_file |
|
|
|
|
--------------------------------------- |
|
|
|
|
1 |
|
|
|
|
(1 row) |
|
|
|
|
|
|
|
|
|
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault'); |
|
|
|
|
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider'); |
|
|
|
|
pg_tde_set_key_using_database_key_provider |
|
|
|
|
-------------------------------------------- |
|
|
|
|
|
|
|
|
|
(1 row) |
|
|
|
|
|
|
|
|
|
SELECT * FROM pg_tde_list_all_database_key_providers(); |
|
|
|
|
id | provider_name | provider_type | options |
|
|
|
|
----+---------------+---------------+------------------------------------------------------------ |
|
|
|
|
1 | file-vault | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"} |
|
|
|
|
id | provider_name | provider_type | options |
|
|
|
|
----+---------------------+---------------+------------------------------------------------------------ |
|
|
|
|
1 | local-file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"} |
|
|
|
|
(1 row) |
|
|
|
|
|
|
|
|
|
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info(); |
|
|
|
|
key_name | key_provider_name | key_provider_id |
|
|
|
|
-------------+-------------------+----------------- |
|
|
|
|
test-db-key | file-vault | 1 |
|
|
|
|
key_name | key_provider_name | key_provider_id |
|
|
|
|
-------------+---------------------+----------------- |
|
|
|
|
test-db-key | local-file-provider | 1 |
|
|
|
|
(1 row) |
|
|
|
|
|
|
|
|
|
SELECT pg_tde_verify_key(); |
|
|
|
|
pg_tde_verify_key |
|
|
|
|
------------------- |
|
|
|
|
|
|
|
|
|
(1 row) |
|
|
|
|
|
|
|
|
|
-- only superuser |
|
|
|
|
SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
ERROR: must be superuser to modify global key providers |
|
|
|
|
SELECT pg_tde_change_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per'); |
|
|
|
|
ERROR: must be superuser to modify global key providers |
|
|
|
|
SELECT pg_tde_delete_global_key_provider('file-vault'); |
|
|
|
|
SELECT pg_tde_delete_global_key_provider('global-file-provider'); |
|
|
|
|
ERROR: must be superuser to modify global key providers |
|
|
|
|
SELECT pg_tde_set_key_using_global_key_provider('key1', 'file-vault'); |
|
|
|
|
SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider'); |
|
|
|
|
ERROR: must be superuser to access global key providers |
|
|
|
|
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'file-vault'); |
|
|
|
|
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider'); |
|
|
|
|
ERROR: must be superuser to access global key providers |
|
|
|
|
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'file-vault'); |
|
|
|
|
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider'); |
|
|
|
|
ERROR: must be superuser to access global key providers |
|
|
|
|
RESET ROLE; |
|
|
|
|
SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control'); |
|
|
|
@ -71,5 +105,15 @@ SELECT * FROM pg_tde_list_all_database_key_providers(); |
|
|
|
|
ERROR: permission denied for function pg_tde_list_all_database_key_providers |
|
|
|
|
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info(); |
|
|
|
|
ERROR: permission denied for function pg_tde_key_info |
|
|
|
|
SELECT pg_tde_verify_key(); |
|
|
|
|
ERROR: permission denied for function pg_tde_verify_key |
|
|
|
|
SELECT pg_tde_server_key_info(); |
|
|
|
|
ERROR: permission denied for function pg_tde_server_key_info |
|
|
|
|
SELECT pg_tde_default_key_info(); |
|
|
|
|
ERROR: permission denied for function pg_tde_default_key_info |
|
|
|
|
SELECT pg_tde_verify_server_key(); |
|
|
|
|
ERROR: permission denied for function pg_tde_verify_server_key |
|
|
|
|
SELECT pg_tde_verify_default_key(); |
|
|
|
|
ERROR: permission denied for function pg_tde_verify_default_key |
|
|
|
|
RESET ROLE; |
|
|
|
|
DROP EXTENSION pg_tde CASCADE; |
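Review bot: The pre-grant "should throw access denied" block in the first hunk never calls `pg_tde_change_global_key_provider_file`, even though the second hunk adds it to the post-grant "only superuser" block alongside the add/delete/set_server_key/set_default_key checks that the first block does cover. As written, the expected output records what a role holding database key management gets from that function, but not what a plain role with no pg_tde grants gets, which is the case the first block exists to pin down. I would add `SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');` followed by `ERROR:  must be superuser to modify global key providers` after the add_global_key_provider_file check in the first hunk, and, if a database-scope change_* counterpart exists, its permission-denied line as well. Since this is an expected-output file, the matching regression input script (not on this page) needs the same statement so the two stay in sync.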
|
|
|
|