Allow TAM chunk creation as non-owner

erimatnor · erimatnor · commit 5fb5bef5effd · 2025-04-04T15:13:38.000+02:00
When using Hypercore TAM on the hypertable, new chunks are created as
hypercore chunks, including the compressed relation. This means that
the compressed relation is created as the inserting user. However, if
the inserting user is not the table owner, this operation failed.

The reason it failed was because some toast settings were changed on
the compressed chunk during its creation without switching to a role
with proper permissions. This is easily fixed by extending the section
of code that is executed under the permissive role.
diff --git a/test/runner.sh b/test/runner.sh
@@ -82,6 +82,7 @@ if mkdir ${TEST_OUTPUT_DIR}/.pg_init 2>/dev/null; then
 
     ALTER USER ${TEST_ROLE_SUPERUSER} WITH SUPERUSER;
     ALTER USER ${TEST_ROLE_CLUSTER_SUPERUSER} WITH SUPERUSER;
+    ALTER USER ${TEST_ROLE_DEFAULT_PERM_USER} WITH CREATEROLE;
     ALTER USER ${TEST_ROLE_1} WITH CREATEDB CREATEROLE;
     ALTER USER ${TEST_ROLE_2} WITH CREATEDB PASSWORD '${TEST_ROLE_2_PASS}';
     ALTER USER ${TEST_ROLE_3} WITH CREATEDB PASSWORD '${TEST_ROLE_3_PASS}';
diff --git a/tsl/src/compression/compression_storage.c b/tsl/src/compression/compression_storage.c
@@ -139,11 +139,11 @@ compression_chunk_create(Chunk *src_chunk, Chunk *chunk, List *column_defs, Oid
 		transformRelOptions((Datum) 0, create->options, "toast", validnsps, true, false);
 	(void) heap_reloptions(RELKIND_TOASTVALUE, toast_options, true);
 	NewRelationCreateToastTable(chunk->table_id, toast_options);
-	ts_catalog_restore_user(&sec_ctx);
-	modify_compressed_toast_table_storage(settings, column_defs, chunk->table_id);
 
+	modify_compressed_toast_table_storage(settings, column_defs, chunk->table_id);
 	set_statistics_on_compressed_chunk(chunk->table_id);
 	set_toast_tuple_target_on_chunk(chunk->table_id);
+	ts_catalog_restore_user(&sec_ctx);
 
 	create_compressed_chunk_indexes(chunk, settings);
 
diff --git a/tsl/test/expected/hypercore_create.out b/tsl/test/expected/hypercore_create.out
@@ -1097,3 +1097,82 @@ select count(*) from :chunk;
 (1 row)
 
 \set ON_ERROR_STOP 1
+set timescaledb.enable_transparent_decompression=true;
+-- Test chunk creation with non-owner user
+CREATE TABLE conditions (	-- create a regular table
+    time        timestamptz not null,
+    location    text not null,
+    temperature double precision null
+);
+select create_hypertable('conditions', 'time');	-- turn it into a hypertable
+    create_hypertable     
+--------------------------
+ (12,public,conditions,t)
+(1 row)
+
+-------------------------------------------------------------------------------
+-- Create a new user and grant privileges to work on conditions
+-------------------------------------------------------------------------------
+create role testuser;
+-- Grant ability to switch to testuser
+grant testuser to :ROLE_DEFAULT_PERM_USER;
+grant select,insert,update,delete on conditions to testuser;
+alter table conditions set (
+  timescaledb.compress,
+  timescaledb.compress_segmentby = 'location,temperature',
+  timescaledb.compress_orderby = 'time'
+);
+-------------------------------------------------------------------------------
+-- Set hypercore access method on the hypertable
+-------------------------------------------------------------------------------
+alter table conditions set access method hypercore;
+-- Switch to testuser and make sure it can insert into conditions
+set role testuser;
+select current_user;
+ current_user 
+--------------
+ testuser
+(1 row)
+
+select * from show_chunks('conditions') ch
+join _timescaledb_catalog.compression_settings cs on (cs.relid = ch);
+ ch | relid | compress_relid | segmentby | orderby | orderby_desc | orderby_nullsfirst 
+----+-------+----------------+-----------+---------+--------------+--------------------
+(0 rows)
+
+-- An insert should create a new hypercore chunk, including the compressed chunk
+insert into conditions values ('2024-01-02', 'school', 99.5);
+select chunk, amname, cs.compress_relid
+  from show_chunks('conditions') as chunk
+  join pg_class on (pg_class.oid = chunk)
+  join pg_am on (relam = pg_am.oid)
+  join _timescaledb_catalog.compression_settings cs on (cs.relid = chunk);
+                  chunk                   |  amname   |                  compress_relid                  
+------------------------------------------+-----------+--------------------------------------------------
+ _timescaledb_internal._hyper_12_49_chunk | hypercore | _timescaledb_internal.compress_hyper_13_50_chunk
+(1 row)
+
+-- Data is not compressed
+select _timescaledb_debug.is_compressed_tid(ctid), * from conditions;
+ is_compressed_tid |             time             | location | temperature 
+-------------------+------------------------------+----------+-------------
+ f                 | Tue Jan 02 00:00:00 2024 PST | school   |        99.5
+(1 row)
+
+select compress_chunk(ch) from show_chunks('conditions') ch;
+              compress_chunk              
+------------------------------------------
+ _timescaledb_internal._hyper_12_49_chunk
+(1 row)
+
+-- Now the data is compressed
+select _timescaledb_debug.is_compressed_tid(ctid), * from conditions;
+ is_compressed_tid |             time             | location | temperature 
+-------------------+------------------------------+----------+-------------
+ t                 | Tue Jan 02 00:00:00 2024 PST | school   |        99.5
+(1 row)
+
+reset role;
+-- Need to revoke privileges to drop user
+revoke all on conditions from testuser;
+drop role testuser;
diff --git a/tsl/test/sql/hypercore_create.sql b/tsl/test/sql/hypercore_create.sql
@@ -529,3 +529,60 @@ alter table :chunk set access method heap;
 vacuum full :chunk;
 select count(*) from :chunk;
 \set ON_ERROR_STOP 1
+
+set timescaledb.enable_transparent_decompression=true;
+
+-- Test chunk creation with non-owner user
+CREATE TABLE conditions (	-- create a regular table
+    time        timestamptz not null,
+    location    text not null,
+    temperature double precision null
+);
+
+select create_hypertable('conditions', 'time');	-- turn it into a hypertable
+
+-------------------------------------------------------------------------------
+-- Create a new user and grant privileges to work on conditions
+-------------------------------------------------------------------------------
+create role testuser;
+-- Grant ability to switch to testuser
+grant testuser to :ROLE_DEFAULT_PERM_USER;
+grant select,insert,update,delete on conditions to testuser;
+
+alter table conditions set (
+  timescaledb.compress,
+  timescaledb.compress_segmentby = 'location,temperature',
+  timescaledb.compress_orderby = 'time'
+);
+
+
+-------------------------------------------------------------------------------
+-- Set hypercore access method on the hypertable
+-------------------------------------------------------------------------------
+alter table conditions set access method hypercore;
+
+-- Switch to testuser and make sure it can insert into conditions
+set role testuser;
+select current_user;
+select * from show_chunks('conditions') ch
+join _timescaledb_catalog.compression_settings cs on (cs.relid = ch);
+
+-- An insert should create a new hypercore chunk, including the compressed chunk
+insert into conditions values ('2024-01-02', 'school', 99.5);
+
+select chunk, amname, cs.compress_relid
+  from show_chunks('conditions') as chunk
+  join pg_class on (pg_class.oid = chunk)
+  join pg_am on (relam = pg_am.oid)
+  join _timescaledb_catalog.compression_settings cs on (cs.relid = chunk);
+
+-- Data is not compressed
+select _timescaledb_debug.is_compressed_tid(ctid), * from conditions;
+select compress_chunk(ch) from show_chunks('conditions') ch;
+-- Now the data is compressed
+select _timescaledb_debug.is_compressed_tid(ctid), * from conditions;
+reset role;
+
+-- Need to revoke privileges to drop user
+revoke all on conditions from testuser;
+drop role testuser;
