PG-1605, PG-1606 Remove grant/revoke helper functions

These helper functions were tricky to use correctly and did not add much vaule. Emulating a role this way does not really work in PostgreSQL. If people want this behavior they should use a real role.
3 months ago · ad8a0f0457
parent 225a23cd35
commit ad8a0f0457
6 changed files with 1 additions and 195 deletions
--- a/contrib/pg_tde/documentation/docs/functions.md
+++ b/contrib/pg_tde/documentation/docs/functions.md
@ -11,26 +11,6 @@ However, database owners can run the “view keys” and “set principal key”
 * `GRANT EXECUTE`
 * `REVOKE EXECUTE`

-The following functions are also provided for easier management of functionality groups:
-
-### Database local key management
-
-Use these functions to grant or revoke permissions to manage the key of the current database. They enable or disable all functions related to the key of the current database:
-
-* `pg_tde_grant_database_key_management_to_role(role)`
-* `pg_tde_revoke_database_key_management_from_role(role)`
-
-### Global scope key management
-
-Managment of the global scope is restricted to superusers only.
-
-### Inspections
-
-Use these functions to grant or revoke the use of query functions, which do not modify the encryption settings:
-
-* `pg_tde_grant_key_viewer_to_role(role)`
-* `pg_tde_revoke_key_viewer_from_role(role)`
-
 ## Key provider management

 A key provider is a system or service responsible for managing encryption keys. `pg_tde` supports the following key providers:
--- a/contrib/pg_tde/expected/access_control.out
+++ b/contrib/pg_tde/expected/access_control.out
@ -27,56 +27,7 @@ ERROR:  permission denied for function pg_tde_verify_server_key
 SELECT pg_tde_verify_default_key();
 ERROR:  permission denied for function pg_tde_verify_default_key
 RESET ROLE;
-SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
- pg_tde_grant_database_key_management_to_role 
----------------------------------------------
- 
-(1 row)
-
-SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
- pg_tde_grant_key_viewer_to_role 
---------------------------------
- 
-(1 row)
-
-SET ROLE regress_pg_tde_access_control;
-- should now be allowed
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
- pg_tde_set_key_using_database_key_provider 
--------------------------------------------
- 
-(1 row)
-
-SELECT * FROM pg_tde_list_all_database_key_providers();
- id |    provider_name    | provider_type |                  options                  
----+---------------------+---------------+-------------------------------------------
-  1 | local-file-provider | file          | {"path" : "/tmp/pg_tde_test_keyring.per"}
-(1 row)
-
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
-  key_name   |  key_provider_name  | key_provider_id 
-------------+---------------------+-----------------
- test-db-key | local-file-provider |               1
-(1 row)
-
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_server_key_info();
-ERROR:  Principal key does not exists for the database
-HINT:  Use set_key interface to set the principal key
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_default_key_info();
-ERROR:  Principal key does not exists for the database
-HINT:  Use set_key interface to set the principal key
-SELECT pg_tde_verify_key();
- pg_tde_verify_key 
-------------------
- 
-(1 row)
-
-SELECT pg_tde_verify_server_key();
-ERROR:  principal key not configured for current database
-SELECT pg_tde_verify_default_key();
-ERROR:  principal key not configured for current database
 -- Only superusers can execute key management functions, regardless of role grants
-RESET ROLE;
 GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
@ -106,29 +57,4 @@ ERROR:  must be superuser to access global key providers
 SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
 ERROR:  must be superuser to access global key providers
 RESET ROLE;
-SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
- pg_tde_revoke_key_viewer_from_role 
------------------------------------
- 
-(1 row)
-
-SET ROLE regress_pg_tde_access_control;
-- verify the view access is revoked
-SELECT pg_tde_list_all_database_key_providers();
-ERROR:  permission denied for function pg_tde_list_all_database_key_providers
-SELECT pg_tde_list_all_global_key_providers();
-ERROR:  permission denied for function pg_tde_list_all_global_key_providers
-SELECT pg_tde_key_info();
-ERROR:  permission denied for function pg_tde_key_info
-SELECT pg_tde_server_key_info();
-ERROR:  permission denied for function pg_tde_server_key_info
-SELECT pg_tde_default_key_info();
-ERROR:  permission denied for function pg_tde_default_key_info
-SELECT pg_tde_verify_key();
-ERROR:  permission denied for function pg_tde_verify_key
-SELECT pg_tde_verify_server_key();
-ERROR:  permission denied for function pg_tde_verify_server_key
-SELECT pg_tde_verify_default_key();
-ERROR:  permission denied for function pg_tde_verify_default_key
-RESET ROLE;
 DROP EXTENSION pg_tde CASCADE;
--- a/contrib/pg_tde/expected/relocate.out
+++ b/contrib/pg_tde/expected/relocate.out
@ -9,12 +9,6 @@ SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_te
 
 (1 row)

-SELECT other.pg_tde_grant_key_viewer_to_role('public');
- pg_tde_grant_key_viewer_to_role 
---------------------------------
- 
-(1 row)
-
 ALTER EXTENSION pg_tde SET SCHEMA public;
 ERROR:  extension "pg_tde" does not support SET SCHEMA
 DROP EXTENSION pg_tde;
--- a/contrib/pg_tde/pg_tde--1.0-rc.sql
+++ b/contrib/pg_tde/pg_tde--1.0-rc.sql
@ -548,65 +548,3 @@ LANGUAGE C
 AS 'MODULE_PATHNAME';
 SELECT pg_tde_extension_initialize();
 DROP FUNCTION pg_tde_extension_initialize();
-
-CREATE FUNCTION pg_tde_grant_database_key_management_to_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) TO %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_grant_key_viewer_to_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers() TO %I', target_role);
-
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_key_info() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_server_key_info() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_default_key_info() TO %I', target_role);
-
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_key() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_server_key() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_default_key() TO %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_revoke_database_key_management_from_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) FROM %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_revoke_key_viewer_from_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers() FROM %I', target_role);
-
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_key_info() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_server_key_info() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_default_key_info() FROM %I', target_role);
-
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_key() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_server_key() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_default_key() FROM %I', target_role);
-END;
-$$;
--- a/contrib/pg_tde/sql/access_control.sql
+++ b/contrib/pg_tde/sql/access_control.sql
@ -19,23 +19,7 @@ SELECT pg_tde_verify_default_key();

 RESET ROLE;

-SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
-SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
-
-SET ROLE regress_pg_tde_access_control;
-
-- should now be allowed
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
-SELECT * FROM pg_tde_list_all_database_key_providers();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_server_key_info();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_default_key_info();
-SELECT pg_tde_verify_key();
-SELECT pg_tde_verify_server_key();
-SELECT pg_tde_verify_default_key();
-
 -- Only superusers can execute key management functions, regardless of role grants
-RESET ROLE;
 GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
@ -47,6 +31,7 @@ GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT, B
 GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;

 SET ROLE regress_pg_tde_access_control;
+
 SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
 SELECT pg_tde_change_global_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
 SELECT pg_tde_delete_database_key_provider('local-file-provider');
@ -56,21 +41,6 @@ SELECT pg_tde_delete_global_key_provider('global-file-provider');
 SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
 SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
 SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
-RESET ROLE;
-
-SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
-
-SET ROLE regress_pg_tde_access_control;
-
-- verify the view access is revoked
-SELECT pg_tde_list_all_database_key_providers();
-SELECT pg_tde_list_all_global_key_providers();
-SELECT pg_tde_key_info();
-SELECT pg_tde_server_key_info();
-SELECT pg_tde_default_key_info();
-SELECT pg_tde_verify_key();
-SELECT pg_tde_verify_server_key();
-SELECT pg_tde_verify_default_key();

 RESET ROLE;

--- a/contrib/pg_tde/sql/relocate.sql
+++ b/contrib/pg_tde/sql/relocate.sql
@ -8,8 +8,6 @@ CREATE EXTENSION pg_tde SCHEMA other;

 SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');

-SELECT other.pg_tde_grant_key_viewer_to_role('public');
-
 ALTER EXTENSION pg_tde SET SCHEMA public;

 DROP EXTENSION pg_tde;