Added BYPASSRLS|NOBYPASSRLS option while creating a Role. #6392

This commit is contained in:
Akshay Joshi 2024-01-11 19:14:01 +05:30
parent 4ce65ea770
commit 5240e8ccf8
29 changed files with 85 additions and 42 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 49 KiB

After

Width:  |  Height:  |  Size: 79 KiB

View File

@ -11,6 +11,7 @@ notes for it.
.. toctree::
:maxdepth: 1
release_notes_8_3
release_notes_8_2
release_notes_8_1
release_notes_8_0

View File

@ -0,0 +1,30 @@
***********
Version 8.3
***********
Release date: 2024-02-08
This release contains a number of bug fixes and new features since the release of pgAdmin 4 v8.2.
Supported Database Servers
**************************
**PostgreSQL**: 12, 13, 14, 15, and 16
**EDB Advanced Server**: 12, 13, 14, 15, and 16
Bundled PostgreSQL Utilities
****************************
**psql**, **pg_dump**, **pg_dumpall**, **pg_restore**: 16.0
New features
************
| `Issue #6392 <https://github.com/pgadmin-org/pgadmin4/issues/6392>`_ - Added BYPASSRLS|NOBYPASSRLS option while creating a Role.
Housekeeping
************
Bug fixes
*********

View File

@ -57,15 +57,13 @@ Use the *Privileges* tab to grant privileges to the role.
drop roles. The default value is *No*.
* Move the *Create databases* switch to the *Yes* position to control whether a
role can create databases. The default value is *No*.
* The *Update catalog?* switch is disabled until the role is given superuser
privileges. Move the *Update catalogs?* switch to the *No* position to control
whether a role can update catalogs. The default value is *Yes* when the
*Superuser* switch is in the *Yes* position.
* Move the *Inherit rights from the parent roles?* switch to the *No* position
if a role does not inherit privileges. The default value is *Yes*.
* Move the *Can initiate streaming replication and backups?* switch to the *Yes*
position to control whether a role can initiate streaming replication or put
the system in and out of backup mode. The default value is *No*.
* Move the *Bypass RLS?* switch to the *Yes* position to control whether a
role can bypasses every row-level security (RLS) policy. The default value is *No*.
.. image:: images/role_membership.png
:alt: Role dialog membership tab

View File

@ -631,7 +631,6 @@ rolmembership:{
self.role = row['rolname']
self.rolCanLogin = row['rolcanlogin']
self.rolCatUpdate = row['rolcatupdate']
self.rolSuper = row['rolsuper']
return False, ''
@ -677,7 +676,8 @@ rolmembership:{
self.alterKeys = [
'rolcanlogin', 'rolsuper', 'rolcreatedb',
'rolcreaterole', 'rolinherit', 'rolreplication',
'rolconnlimit', 'rolvaliduntil', 'rolpassword'
'rolconnlimit', 'rolvaliduntil', 'rolpassword',
'rolbypassrls'
] if self.manager.version >= 90200 else [
'rolcanlogin', 'rolsuper', 'rolcreatedb',
'rolcreaterole', 'rolinherit', 'rolconnlimit',
@ -977,7 +977,6 @@ rolmembership:{
conn=self.conn,
role=self.role,
rolCanLogin=self.rolCanLogin,
rolCatUpdate=self.rolCatUpdate,
rolSuper=self.rolSuper,
alterKeys=self.alterKeys
)
@ -1034,7 +1033,6 @@ rolmembership:{
conn=self.conn,
role=self.role,
rolCanLogin=self.rolCanLogin,
rolCatUpdate=self.rolCatUpdate,
rolSuper=self.rolSuper,
alterKeys=self.alterKeys
).strip('\n')

View File

@ -25,7 +25,7 @@ define('pgadmin.node.role', [
type: 'coll-role',
columns: [
'rolname', 'rolvaliduntil', 'rolconnlimit', 'rolcanlogin',
'rolsuper', 'rolcreaterole', 'rolcreatedb', 'rolcatupdate',
'rolsuper', 'rolcreaterole', 'rolcreatedb',
'rolinherit', 'rolreplication',
],
canDrop: true,

View File

@ -24,13 +24,13 @@ export default class RoleSchema extends BaseUISchema {
rolcreaterole: false,
rolcreatedb: false,
rolinherit: true,
rolcatupdate: false,
rolreplication: false,
rolmembership: [],
rolmembers: [],
rolvaliduntil: null,
seclabels: [],
variables: [],
rolbypassrls: false,
});
this.getVariableSchema = getVariableSchema;
this.getMembershipSchema = getMembershipSchema;
@ -124,7 +124,7 @@ export default class RoleSchema extends BaseUISchema {
type: 'switch',
group: gettext('Privileges'),
depChange: (state) => {
state.rolcatupdate = state.rolcreaterole = state.rolcreatedb = state.rolsuper;
state.rolcreaterole = state.rolcreatedb = state.rolbypassrls = state.rolsuper;
},
disabled: obj.readOnly,
},
@ -140,18 +140,6 @@ export default class RoleSchema extends BaseUISchema {
type: 'switch',
disabled: obj.readOnly,
},
{
id: 'rolcatupdate', label: gettext('Update catalog?'),
max_version: 90400,
group: gettext('Privileges'),
type: 'switch',
disabled: (state) => {
return !state.rolsuper;
},
readonly: () => {
return !(obj.user.is_superuser || obj.user.can_create_role);
}
},
{
id: 'rolinherit', group: gettext('Privileges'),
label: gettext('Inherit rights from the parent roles?'),
@ -165,6 +153,12 @@ export default class RoleSchema extends BaseUISchema {
min_version: 90100,
disabled: obj.readOnly,
},
{
id: 'rolbypassrls', group: gettext('Privileges'),
label: gettext('Bypass RLS?'),
type: 'switch',
disabled: obj.readOnly,
},
{
id: 'rolmembership', label: gettext('Member of'), group: gettext('Membership'),
disabled: obj.readOnly,

View File

@ -24,7 +24,11 @@ CREATE ROLE {{ conn|qtIdent(data.rolname) }} WITH{% if data.rolcanlogin and data
REPLICATION{% else %}
NOREPLICATION{% endif %}{% if 'rolconnlimit' in data and data.rolconnlimit is number and data.rolconnlimit >= -1 %}
NOREPLICATION{% endif %}{% if data.rolbypassrls %}
BYPASSRLS{% else %}
NOBYPASSRLS{% endif %}{% if 'rolconnlimit' in data and data.rolconnlimit is number and data.rolconnlimit >= -1 %}
CONNECTION LIMIT {{ data.rolconnlimit }}{% endif %}{% if data.rolvaliduntil and data.rolvaliduntil is not none %}

View File

@ -1,5 +1,5 @@
SELECT
rolname, rolcanlogin, rolsuper AS rolcatupdate, rolsuper
rolname, rolcanlogin, rolsuper
FROM
pg_catalog.pg_roles
WHERE oid = {{ rid }}::OID

View File

@ -1,5 +1,5 @@
SELECT
r.oid, r.*, r.rolsuper as rolcatupdate,
r.oid, r.*,
pg_catalog.shobj_description(r.oid, 'pg_authid') AS description,
ARRAY(
SELECT

View File

@ -13,7 +13,8 @@ FROM
CASE WHEN rolcreatedb THEN 'CREATEDB' ELSE 'NOCREATEDB' END || E'\n ' ||
CASE WHEN rolcreaterole THEN 'CREATEROLE' ELSE 'NOCREATEROLE' END || E'\n ' ||
-- PostgreSQL >= 9.1
CASE WHEN rolreplication THEN 'REPLICATION' ELSE 'NOREPLICATION' END ||
CASE WHEN rolreplication THEN 'REPLICATION' ELSE 'NOREPLICATION' END || E'\n ' ||
CASE WHEN rolbypassrls THEN 'BYPASSRLS' ELSE 'NOBYPASSRLS' END ||
CASE WHEN rolconnlimit > 0 THEN E'\n CONNECTION LIMIT ' || rolconnlimit ELSE '' END ||
{% if show_password %}
(SELECT CASE

View File

@ -33,7 +33,11 @@ ALTER ROLE {{ conn|qtIdent(rolname) }}{% if 'rolcanlogin' in data %}
{% if data.rolreplication %}
REPLICATION{% else %}
NOREPLICATION{% endif %}{% endif %}{% if 'rolconnlimit' in data and data.rolconnlimit is number and data.rolconnlimit >= -1 %}
NOREPLICATION{% endif %}{% endif %}{% if 'rolbypassrls' in data %}
{% if data.rolbypassrls %}
BYPASSRLS{% else %}
NOBYPASSRLS{% endif %}{% endif %}{% if 'rolconnlimit' in data and data.rolconnlimit is number and data.rolconnlimit >= -1 %}
CONNECTION LIMIT {{ data.rolconnlimit }}
{% endif %}{% if 'rolvaliduntil' in data %}

View File

@ -7,6 +7,7 @@ CREATE ROLE "Role1_$%{}[]()&*^!@""'`\/#" WITH
INHERIT
CREATEDB
CREATEROLE
REPLICATION;
REPLICATION
BYPASSRLS;
COMMENT ON ROLE "Role1_$%{}[]()&*^!@""'`\/#" IS 'This is detailed description';

View File

@ -7,6 +7,7 @@ CREATE ROLE "Role2_$%{}[]()&*^!@""'`\/#" WITH
INHERIT
CREATEDB
CREATEROLE
REPLICATION;
REPLICATION
BYPASSRLS;
COMMENT ON ROLE "Role2_$%{}[]()&*^!@""'`\/#" IS 'This is detailed description';

View File

@ -2,6 +2,7 @@ ALTER ROLE "Role2_$%{}[]()&*^!@""'`\/#"
NOSUPERUSER
NOCREATEDB
NOREPLICATION
NOBYPASSRLS
CONNECTION LIMIT 100
VALID UNTIL '2050-01-01T00:00:00+05:30'

View File

@ -8,6 +8,7 @@ CREATE ROLE "Role2_$%{}[]()&*^!@""'`\/#" WITH
NOCREATEDB
CREATEROLE
NOREPLICATION
NOBYPASSRLS
CONNECTION LIMIT 100
ENCRYPTED PASSWORD '<PASSWORD>'
VALID UNTIL '<TIMESTAMPTZ_1>';

View File

@ -7,6 +7,7 @@ CREATE ROLE "Role1_$%{}[]()&*^!@""'`\/#" WITH
INHERIT
NOCREATEDB
NOCREATEROLE
NOREPLICATION;
NOREPLICATION
NOBYPASSRLS;
COMMENT ON ROLE "Role1_$%{}[]()&*^!@""'`\/#" IS 'This is detailed description';

View File

@ -7,6 +7,7 @@ CREATE ROLE "Role2_$%{}[]()&*^!@""'`\/#" WITH
INHERIT
NOCREATEDB
NOCREATEROLE
NOREPLICATION;
NOREPLICATION
NOBYPASSRLS;
COMMENT ON ROLE "Role2_$%{}[]()&*^!@""'`\/#" IS 'This is detailed description';

View File

@ -8,6 +8,7 @@ CREATE ROLE "Role2_$%{}[]()&*^!@""'`\/#" WITH
CREATEDB
NOCREATEROLE
NOREPLICATION
NOBYPASSRLS
CONNECTION LIMIT 100
ENCRYPTED PASSWORD '<PASSWORD>'
VALID UNTIL '<TIMESTAMPTZ_1>';

View File

@ -8,6 +8,7 @@ CREATE ROLE "Role2_$%{}[]()&*^!@""'`\/#" WITH
CREATEDB
NOCREATEROLE
NOREPLICATION
NOBYPASSRLS
CONNECTION LIMIT 100
ENCRYPTED PASSWORD '<PASSWORD>'
VALID UNTIL '2050-01-01 00:00:00+05:30';

View File

@ -8,6 +8,7 @@ CREATE ROLE "Role2_$%{}[]()&*^!@""'`\/#" WITH
CREATEDB
NOCREATEROLE
NOREPLICATION
NOBYPASSRLS
CONNECTION LIMIT 100
ENCRYPTED PASSWORD '<PASSWORD>'
VALID UNTIL '2050-01-01 00:00:00+05:30';

View File

@ -8,6 +8,7 @@ CREATE ROLE "Role2_$%{}[]()&*^!@""'`\/#" WITH
CREATEDB
NOCREATEROLE
NOREPLICATION
NOBYPASSRLS
CONNECTION LIMIT 100
ENCRYPTED PASSWORD '<PASSWORD>'
VALID UNTIL '2050-01-01 00:00:00+05:30';

View File

@ -5,5 +5,6 @@ CREATE ROLE "Role1_$%{}[]()&*^!@""'`\/#" WITH
CREATEROLE
INHERIT
REPLICATION
BYPASSRLS
CONNECTION LIMIT -1
PASSWORD 'xxxxxx';

View File

@ -7,4 +7,5 @@ CREATE ROLE "Role1_$%{}[]()&*^!@""'`\/#" WITH
INHERIT
CREATEDB
CREATEROLE
REPLICATION;
REPLICATION
BYPASSRLS;

View File

@ -5,5 +5,6 @@ CREATE ROLE "Role1_$%{}[]()&*^!@""'`\/#" WITH
NOCREATEROLE
INHERIT
NOREPLICATION
NOBYPASSRLS
CONNECTION LIMIT -1
PASSWORD 'xxxxxx';

View File

@ -7,4 +7,5 @@ CREATE ROLE "Role1_$%{}[]()&*^!@""'`\/#" WITH
INHERIT
NOCREATEDB
NOCREATEROLE
NOREPLICATION;
NOREPLICATION
NOBYPASSRLS;

View File

@ -14,7 +14,6 @@
"rolcreaterole": false,
"rolcreatedb": false,
"rolinherit": true,
"rolcatupdate": false,
"rolreplication": false,
"rolmembership": [],
"seclabels": [],
@ -36,7 +35,6 @@
"rolcreaterole": false,
"rolcreatedb": false,
"rolinherit": true,
"rolcatupdate": false,
"rolreplication": false,
"rolmembership": [],
"seclabels": [],
@ -59,7 +57,6 @@
"rolcreaterole": false,
"rolcreatedb": false,
"rolinherit": true,
"rolcatupdate": false,
"rolreplication": false,
"rolmembership": [],
"seclabels": [],
@ -189,8 +186,8 @@
"rolcreaterole": true,
"rolcreatedb": true,
"rolinherit": true,
"rolcatupdate": true,
"rolreplication": true,
"rolbypassrls": true,
"rolmembership": [],
"seclabels": [],
"variables": []
@ -232,6 +229,7 @@
"rolsuper": false,
"rolcreatedb": false,
"rolreplication": false,
"rolbypassrls": false,
"rolpassword": "abc123",
"rolconnlimit": 100,
"rolvaliduntil": "2050-01-01 00:00:00 +05:30",

View File

@ -78,6 +78,7 @@ def get_role_data(lr_pwd):
"rolconnlimit": -1,
"rolcreaterole": "true",
"rolinherit": "true",
"rolbypassrls": "true",
"rolmembership": [],
"rolname": "test_role_%s" % str(uuid.uuid4())[1:8],
"rolpassword": lr_pwd,

View File

@ -808,7 +808,7 @@ define('pgadmin.browser.node', [
id: panelId,
title: panelTitle,
manualClose: true,
icon: `dialog-node-icon ${evalFunc(this, this.node_image, dialogProps.itemNodeData) ?? ('icon-' + this.type)}`,
icon: `dialog-node-icon ${evalFunc(this, this.node_image, dialogProps.nodeData) ?? ('icon-' + this.type)}`,
content: (
<ErrorBoundary>
<ObjectNodeProperties