Re: Switch TAP tests of pg_rewind to use role with only function permissions

On Thu, Apr 11, 2019 at 6:13 AM Michael Paquier <michael(at)paquier(dot)xyz> wrote:

> Hi all,
>
> Recent commit bfc80683 has added some documentation in pg_rewind about
> the fact that it is possible to do the operation with a non-superuser,
> assuming that this role has sufficient grant rights to execute the
> functions used by pg_rewind.
>
> Peter Eisentraut has suggested to have some tests for this kind of
> user here:
>
> https://www.postgresql.org/message-id/e1570ba6-4459-d9b2-1321-9449adaaef4c@2ndquadrant.com
>
> Attached is a patch which switches all the TAP tests of pg_rewind to
> do that. As of now, the tests depend on a superuser for everything,
> and it seems to me that it makes little sense to make the tests more
> pluggable by being able to switch the roles used on-the-fly (the
> invocation of pg_rewind is stuck into RewindTest.pm) as a superuser
> has no restrictions.
>
> Any thoughts?
>

+1.

I definitely think having tests for this is good, otherwise we'll just end
up making a change at some point that then suddenly breaks it and we won't
notice.

If we haven't already (and knowing you it wouldn't surprise me if you had
:P), we should probably look through the rest of the tests to see if we
have other similar cases. In general I think any case where "can be run by
non-superuser with specific permissions or a superuser" is the case, we
should be testing it with the "non-superuser with permissions". Because,
well, superusers will never have permission problems (and they will both
test the functionality).

I do think it's perfectly reasonable to have that hardcoded in the
RewindTest.pm module. It doesn't have to be pluggable.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>