diff --git a/contrib/pg_tde/documentation/docs/functions.md b/contrib/pg_tde/documentation/docs/functions.md
index 33d4f6922cfcf..ea5095fa8acb8 100644
--- a/contrib/pg_tde/documentation/docs/functions.md
+++ b/contrib/pg_tde/documentation/docs/functions.md
@@ -11,26 +11,6 @@ However, database owners can run the “view keys” and “set principal key”
 * `GRANT EXECUTE`
 * `REVOKE EXECUTE`
-The following functions are also provided for easier management of functionality groups:
-
-### Database local key management
-
-Use these functions to grant or revoke permissions to manage the key of the current database. They enable or disable all functions related to the key of the current database:
-
-* `pg_tde_grant_database_key_management_to_role(role)`
-* `pg_tde_revoke_database_key_management_from_role(role)`
-
-### Global scope key management
-
-Managment of the global scope is restricted to superusers only.
-
-### Inspections
-
-Use these functions to grant or revoke the use of query functions, which do not modify the encryption settings:
-
-* `pg_tde_grant_key_viewer_to_role(role)`
-* `pg_tde_revoke_key_viewer_from_role(role)`
-
 ## Key provider management
 A key provider is a system or service responsible for managing encryption keys. `pg_tde` supports the following key providers:
diff --git a/contrib/pg_tde/expected/access_control.out b/contrib/pg_tde/expected/access_control.out
index 9a10fb7906b91..8996168f54fc6 100644
--- a/contrib/pg_tde/expected/access_control.out
+++ b/contrib/pg_tde/expected/access_control.out
@@ -27,56 +27,7 @@ ERROR: permission denied for function pg_tde_verify_server_key SELECT pg_tde_verify_default_key(); ERROR: permission denied for function pg_tde_verify_default_key RESET ROLE; -SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control'); - pg_tde_grant_database_key_management_to_role ----------------------------------------------- - -(1 row) - -SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control'); - pg_tde_grant_key_viewer_to_role ---------------------------------- - -(1 row) - -SET ROLE regress_pg_tde_access_control; --- should now be allowed -SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider'); - pg_tde_set_key_using_database_key_provider --------------------------------------------- - -(1 row) - -SELECT * FROM pg_tde_list_all_database_key_providers(); - id | provider_name | provider_type | options -----+---------------------+---------------+------------------------------------------- - 1 | local-file-provider | file | {"path" : "/tmp/pg_tde_test_keyring.per"} -(1 row) - -SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info(); - key_name | key_provider_name | key_provider_id --------------+---------------------+----------------- - test-db-key | local-file-provider | 1 -(1 row) - -SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_server_key_info(); -ERROR: Principal key does not exists for the database -HINT: Use set_key interface to set the principal key -SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_default_key_info(); -ERROR: Principal key does not exists for the database -HINT: Use set_key interface to set the principal key -SELECT pg_tde_verify_key(); - pg_tde_verify_key -------------------- - -(1 row) - -SELECT pg_tde_verify_server_key(); -ERROR: principal key not configured for current database -SELECT pg_tde_verify_default_key(); -ERROR: principal key not configured for current database -- Only superusers can 
execute key management functions, regardless of role grants -RESET ROLE; GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control; GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control; GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control; @@ -106,29 +57,4 @@ ERROR: must be superuser to access global key providers SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider'); ERROR: must be superuser to access global key providers RESET ROLE; -SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control'); - pg_tde_revoke_key_viewer_from_role ------------------------------------- - -(1 row) - -SET ROLE regress_pg_tde_access_control; --- verify the view access is revoked -SELECT pg_tde_list_all_database_key_providers(); -ERROR: permission denied for function pg_tde_list_all_database_key_providers -SELECT pg_tde_list_all_global_key_providers(); -ERROR: permission denied for function pg_tde_list_all_global_key_providers -SELECT pg_tde_key_info(); -ERROR: permission denied for function pg_tde_key_info -SELECT pg_tde_server_key_info(); -ERROR: permission denied for function pg_tde_server_key_info -SELECT pg_tde_default_key_info(); -ERROR: permission denied for function pg_tde_default_key_info -SELECT pg_tde_verify_key(); -ERROR: permission denied for function pg_tde_verify_key -SELECT pg_tde_verify_server_key(); -ERROR: permission denied for function pg_tde_verify_server_key -SELECT pg_tde_verify_default_key(); -ERROR: permission denied for function pg_tde_verify_default_key -RESET ROLE; DROP EXTENSION pg_tde CASCADE; diff --git a/contrib/pg_tde/expected/relocate.out b/contrib/pg_tde/expected/relocate.out index ce611ce3d3fa8..740a69696e89b 100644 --- a/contrib/pg_tde/expected/relocate.out +++ b/contrib/pg_tde/expected/relocate.out 
@@ -9,12 +9,6 @@ SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_te (1 row) -SELECT other.pg_tde_grant_key_viewer_to_role('public'); - pg_tde_grant_key_viewer_to_role ---------------------------------- - -(1 row) - ALTER EXTENSION pg_tde SET SCHEMA public; ERROR: extension "pg_tde" does not support SET SCHEMA DROP EXTENSION pg_tde; diff --git a/contrib/pg_tde/pg_tde--1.0-rc.sql b/contrib/pg_tde/pg_tde--1.0-rc.sql index b53b6bcce36a3..352ca049f636f 100644 --- a/contrib/pg_tde/pg_tde--1.0-rc.sql +++ b/contrib/pg_tde/pg_tde--1.0-rc.sql 
@@ -548,65 +548,3 @@ LANGUAGE C AS 'MODULE_PATHNAME';
 SELECT pg_tde_extension_initialize();
 DROP FUNCTION pg_tde_extension_initialize();
-
-CREATE FUNCTION pg_tde_grant_database_key_management_to_role(
- target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) TO %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_grant_key_viewer_to_role(
- target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers() TO %I', target_role);
-
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_key_info() TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_server_key_info() TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_default_key_info() TO %I', target_role);
-
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_key() TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_server_key() TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_default_key() TO %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_revoke_database_key_management_from_role(
- target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) FROM %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_revoke_key_viewer_from_role(
- target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION
pg_tde_list_all_global_key_providers() FROM %I', target_role);
-
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_key_info() FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_server_key_info() FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_default_key_info() FROM %I', target_role);
-
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_key() FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_server_key() FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_default_key() FROM %I', target_role);
-END;
-$$;
diff --git a/contrib/pg_tde/sql/access_control.sql b/contrib/pg_tde/sql/access_control.sql
index dfcea5e2781b7..90ca5e9c60bc7 100644
--- a/contrib/pg_tde/sql/access_control.sql
+++ b/contrib/pg_tde/sql/access_control.sql
@@ -19,23 +19,7 @@ SELECT pg_tde_verify_default_key();
 RESET ROLE;
-SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
-SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
-
-SET ROLE regress_pg_tde_access_control;
-
--- should now be allowed
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
-SELECT * FROM pg_tde_list_all_database_key_providers();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_server_key_info();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_default_key_info();
-SELECT pg_tde_verify_key();
-SELECT pg_tde_verify_server_key();
-SELECT pg_tde_verify_default_key();
-
 -- Only superusers can execute key management functions, regardless of role grants
-RESET ROLE;
 GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
@@ -47,6 +31,7 @@ GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT, B
 GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
 SET ROLE regress_pg_tde_access_control;
+
 SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
 SELECT pg_tde_change_global_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
 SELECT pg_tde_delete_database_key_provider('local-file-provider');
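Review bot: After the deletion in this hunk, access_control.sql no longer contains a positive test of delegated access: the statements that remain visible in these hunks all assert denials, so nothing verifies that a role granted EXECUTE directly on `pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN)` can actually set the database key, even though the functions.md context in this same commit still presents `GRANT EXECUTE`/`REVOKE EXECUTE` as the supported way to delegate "view keys" and "set principal key". The deleted block can be kept with the direct grant in place of the removed helper, `GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;` then `SET ROLE regress_pg_tde_access_control;` and `SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');`, with the matching expected output restored in access_control.out. The same gap applies to the viewer functions removed in the `@@ -56,21 +41,6 @@` hunk of this file, where a direct `REVOKE EXECUTE` followed by the denied `SELECT`s would replace the deleted `pg_tde_revoke_key_viewer_from_role` round-trip and keep the revocation path under test.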
@@ -56,21 +41,6 @@ SELECT pg_tde_delete_global_key_provider('global-file-provider');
 SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
 SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
 SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
-RESET ROLE;
-
-SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
-
-SET ROLE regress_pg_tde_access_control;
-
--- verify the view access is revoked
-SELECT pg_tde_list_all_database_key_providers();
-SELECT pg_tde_list_all_global_key_providers();
-SELECT pg_tde_key_info();
-SELECT pg_tde_server_key_info();
-SELECT pg_tde_default_key_info();
-SELECT pg_tde_verify_key();
-SELECT pg_tde_verify_server_key();
-SELECT pg_tde_verify_default_key();
 RESET ROLE;
diff --git a/contrib/pg_tde/sql/relocate.sql b/contrib/pg_tde/sql/relocate.sql
index d9ce03b34f937..f3a79b279789e 100644
--- a/contrib/pg_tde/sql/relocate.sql
+++ b/contrib/pg_tde/sql/relocate.sql
@@ -8,8 +8,6 @@ CREATE EXTENSION pg_tde SCHEMA other;
 SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
-SELECT other.pg_tde_grant_key_viewer_to_role('public');
-
 ALTER EXTENSION pg_tde SET SCHEMA public;
 DROP EXTENSION pg_tde;