percona · jeltz · Jun 3, 2025 · May 30, 2025
@@ -11,26 +11,6 @@ However, database owners can run the “view keys” and “set principal key”
 * `GRANT EXECUTE`
 * `REVOKE EXECUTE`
 
-The following functions are also provided for easier management of functionality groups:
-
-### Database local key management
-
-Use these functions to grant or revoke permissions to manage the key of the current database. They enable or disable all functions related to the key of the current database:
-
-* `pg_tde_grant_database_key_management_to_role(role)`
-* `pg_tde_revoke_database_key_management_from_role(role)`
-
-### Global scope key management
-
-Managment of the global scope is restricted to superusers only.
-
-### Inspections
-
-Use these functions to grant or revoke the use of query functions, which do not modify the encryption settings:
-
-* `pg_tde_grant_key_viewer_to_role(role)`
-* `pg_tde_revoke_key_viewer_from_role(role)`
-
 ## Key provider management
 
 A key provider is a system or service responsible for managing encryption keys. `pg_tde` supports the following key providers:

@@ -27,56 +27,7 @@ ERROR:  permission denied for function pg_tde_verify_server_key
 SELECT pg_tde_verify_default_key();
 ERROR:  permission denied for function pg_tde_verify_default_key
 RESET ROLE;
-SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
- pg_tde_grant_database_key_management_to_role 
-----------------------------------------------
-
-(1 row)
-
-SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
- pg_tde_grant_key_viewer_to_role 
----------------------------------
-
-(1 row)
-
-SET ROLE regress_pg_tde_access_control;
--- should now be allowed
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
- pg_tde_set_key_using_database_key_provider 
---------------------------------------------
-
-(1 row)
-
-SELECT * FROM pg_tde_list_all_database_key_providers();
- id |    provider_name    | provider_type |                  options                  
-----+---------------------+---------------+-------------------------------------------
-  1 | local-file-provider | file          | {"path" : "/tmp/pg_tde_test_keyring.per"}
-(1 row)
-
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
-  key_name   |  key_provider_name  | key_provider_id 
--------------+---------------------+-----------------
- test-db-key | local-file-provider |               1
-(1 row)
-
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_server_key_info();
-ERROR:  Principal key does not exists for the database
-HINT:  Use set_key interface to set the principal key
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_default_key_info();
-ERROR:  Principal key does not exists for the database
-HINT:  Use set_key interface to set the principal key
-SELECT pg_tde_verify_key();
- pg_tde_verify_key 
--------------------
-
-(1 row)
-
-SELECT pg_tde_verify_server_key();
-ERROR:  principal key not configured for current database
-SELECT pg_tde_verify_default_key();
-ERROR:  principal key not configured for current database
 -- Only superusers can execute key management functions, regardless of role grants
-RESET ROLE;
 GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
@@ -106,29 +57,4 @@ ERROR:  must be superuser to access global key providers
 SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
 ERROR:  must be superuser to access global key providers
 RESET ROLE;
-SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
- pg_tde_revoke_key_viewer_from_role 
-------------------------------------
-
-(1 row)
-
-SET ROLE regress_pg_tde_access_control;
--- verify the view access is revoked
-SELECT pg_tde_list_all_database_key_providers();
-ERROR:  permission denied for function pg_tde_list_all_database_key_providers
-SELECT pg_tde_list_all_global_key_providers();
-ERROR:  permission denied for function pg_tde_list_all_global_key_providers
-SELECT pg_tde_key_info();
-ERROR:  permission denied for function pg_tde_key_info
-SELECT pg_tde_server_key_info();
-ERROR:  permission denied for function pg_tde_server_key_info
-SELECT pg_tde_default_key_info();
-ERROR:  permission denied for function pg_tde_default_key_info
-SELECT pg_tde_verify_key();
-ERROR:  permission denied for function pg_tde_verify_key
-SELECT pg_tde_verify_server_key();
-ERROR:  permission denied for function pg_tde_verify_server_key
-SELECT pg_tde_verify_default_key();
-ERROR:  permission denied for function pg_tde_verify_default_key
-RESET ROLE;
 DROP EXTENSION pg_tde CASCADE;
@@ -9,12 +9,6 @@ SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_te
 
 (1 row)
 
-SELECT other.pg_tde_grant_key_viewer_to_role('public');
- pg_tde_grant_key_viewer_to_role 
----------------------------------
-
-(1 row)
-
 ALTER EXTENSION pg_tde SET SCHEMA public;
 ERROR:  extension "pg_tde" does not support SET SCHEMA
 DROP EXTENSION pg_tde;

@@ -548,65 +548,3 @@ LANGUAGE C
 AS 'MODULE_PATHNAME';
 SELECT pg_tde_extension_initialize();
 DROP FUNCTION pg_tde_extension_initialize();
-
-CREATE FUNCTION pg_tde_grant_database_key_management_to_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) TO %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_grant_key_viewer_to_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers() TO %I', target_role);
-
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_key_info() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_server_key_info() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_default_key_info() TO %I', target_role);
-
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_key() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_server_key() TO %I', target_role);
-    EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_default_key() TO %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_revoke_database_key_management_from_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) FROM %I', target_role);
-END;
-$$;
-
-CREATE FUNCTION pg_tde_revoke_key_viewer_from_role(
-    target_role TEXT)
-RETURNS VOID
-LANGUAGE plpgsql
-SET search_path = @extschema@
-AS $$
-BEGIN
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers() FROM %I', target_role);
-
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_key_info() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_server_key_info() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_default_key_info() FROM %I', target_role);
-
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_key() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_server_key() FROM %I', target_role);
-    EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_default_key() FROM %I', target_role);
-END;
-$$;
@@ -19,23 +19,7 @@ SELECT pg_tde_verify_default_key();
 
 RESET ROLE;
 
-SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
-SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
-
-SET ROLE regress_pg_tde_access_control;
-
--- should now be allowed
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
-SELECT * FROM pg_tde_list_all_database_key_providers();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_server_key_info();
-SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_default_key_info();
-SELECT pg_tde_verify_key();
-SELECT pg_tde_verify_server_key();
-SELECT pg_tde_verify_default_key();
-
 -- Only superusers can execute key management functions, regardless of role grants
-RESET ROLE;
 GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
@@ -47,6 +31,7 @@ GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT, B
 GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
 
 SET ROLE regress_pg_tde_access_control;
+
 SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
 SELECT pg_tde_change_global_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
 SELECT pg_tde_delete_database_key_provider('local-file-provider');
@@ -56,21 +41,6 @@ SELECT pg_tde_delete_global_key_provider('global-file-provider');
 SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
 SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
 SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
-RESET ROLE;
-
-SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
-
-SET ROLE regress_pg_tde_access_control;
-
--- verify the view access is revoked
-SELECT pg_tde_list_all_database_key_providers();
-SELECT pg_tde_list_all_global_key_providers();
-SELECT pg_tde_key_info();
-SELECT pg_tde_server_key_info();
-SELECT pg_tde_default_key_info();
-SELECT pg_tde_verify_key();
-SELECT pg_tde_verify_server_key();
-SELECT pg_tde_verify_default_key();
 
 RESET ROLE;
 

@@ -8,8 +8,6 @@ CREATE EXTENSION pg_tde SCHEMA other;
 
 SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
 
-SELECT other.pg_tde_grant_key_viewer_to_role('public');
-
 ALTER EXTENSION pg_tde SET SCHEMA public;
 
 DROP EXTENSION pg_tde;