MDB-32132: fix grantor selection for mdb_superuser (#4)

Author: reshke

src/backend/utils/adt/acl.c

@@ -5349,7 +5349,7 @@ select_best_grantor(Oid roleId, AclMode privileges,
 
 	if (is_member_of_role(GetUserId(), mdb_superuser_roleoid)
 	&& has_privs_of_role(GetUserId(), ownerId)) {
-		*grantorId = mdb_superuser_roleoid;
+		*grantorId = ownerId;
 		AclMode mdb_superuser_allowed_privs = needed_goptions;
 		*grantOptions = mdb_superuser_allowed_privs;
 		return;

src/test/regress/expected/mdb_superuser.out

@@ -1,11 +1,15 @@
 CREATE ROLE regress_mdb_superuser_user1;
 CREATE ROLE regress_mdb_superuser_user2;
 CREATE ROLE regress_mdb_superuser_user3;
+CREATE ROLE regress_mdb_su_role_o1;
+CREATE ROLE regress_mdb_su_role_o2;
+GRANT mdb_superuser TO regress_mdb_su_role_o1;
 GRANT mdb_admin TO mdb_superuser;
 CREATE ROLE regress_superuser WITH SUPERUSER;
 GRANT mdb_superuser TO regress_mdb_superuser_user1;
 GRANT CREATE ON DATABASE regression TO regress_mdb_superuser_user2;
 GRANT CREATE ON DATABASE regression TO regress_mdb_superuser_user3;
+GRANT CREATE ON DATABASE regression TO regress_mdb_su_role_o2;
 SET ROLE regress_mdb_superuser_user2;
 CREATE FUNCTION regress_mdb_superuser_add(integer, integer) RETURNS integer
     AS 'SELECT $1 + $2;'
@@ -85,13 +89,30 @@ ERROR:  permission denied for schema regtest
 SET ROLE regress_mdb_superuser_user1;
 GRANT ALL ON TABLE regtest.regtest TO regress_mdb_superuser_user1;
 ALTER TABLE regtest.regtest OWNER TO regress_mdb_superuser_user1;
+-- Check grantor
+SET ROLE regress_mdb_su_role_o2;
+CREATE TABLE public.role_o2_t();
+SET ROLE mdb_superuser;
+GRANT SELECT ON public.role_o2_t TO regress_mdb_su_role_o1;
+SELECT
+ grantor
+from information_schema.role_table_grants
+where grantee='regress_mdb_su_role_o1' AND table_name = 'role_o2_t';
+        grantor         
+------------------------
+ regress_mdb_su_role_o2
+(1 row)
+
 \c regression
 DROP DATABASE regress_check_owner;
 -- end tests
 RESET SESSION AUTHORIZATION;
 --
 REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user2;
 REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user3;
+REVOKE CREATE ON DATABASE regression FROM regress_mdb_su_role_o2;
+DROP ROLE regress_mdb_su_role_o1;
+DROP ROLE regress_mdb_su_role_o2;
 DROP VIEW regress_mdb_superuser_view;
 DROP FUNCTION regress_mdb_superuser_add;
 DROP TABLE regress_mdb_superuser_schema.regress_mdb_superuser_table;

src/test/regress/sql/mdb_superuser.sql

@@ -2,6 +2,11 @@ CREATE ROLE regress_mdb_superuser_user1;
 CREATE ROLE regress_mdb_superuser_user2;
 CREATE ROLE regress_mdb_superuser_user3;
 
+CREATE ROLE regress_mdb_su_role_o1;
+CREATE ROLE regress_mdb_su_role_o2;
+
+GRANT mdb_superuser TO regress_mdb_su_role_o1;
+
 GRANT mdb_admin TO mdb_superuser;
 
 CREATE ROLE regress_superuser WITH SUPERUSER;
@@ -10,7 +15,7 @@ GRANT mdb_superuser TO regress_mdb_superuser_user1;
 
 GRANT CREATE ON DATABASE regression TO regress_mdb_superuser_user2;
 GRANT CREATE ON DATABASE regression TO regress_mdb_superuser_user3;
-
+GRANT CREATE ON DATABASE regression TO regress_mdb_su_role_o2;
 
 SET ROLE regress_mdb_superuser_user2;
 
@@ -118,6 +123,21 @@ SET ROLE regress_mdb_superuser_user1;
 GRANT ALL ON TABLE regtest.regtest TO regress_mdb_superuser_user1;
 ALTER TABLE regtest.regtest OWNER TO regress_mdb_superuser_user1;
 
+-- Check grantor
+
+SET ROLE regress_mdb_su_role_o2;
+
+CREATE TABLE public.role_o2_t();
+
+SET ROLE mdb_superuser;
+
+GRANT SELECT ON public.role_o2_t TO regress_mdb_su_role_o1;
+
+SELECT
+ grantor
+from information_schema.role_table_grants
+where grantee='regress_mdb_su_role_o1' AND table_name = 'role_o2_t';
+
 \c regression
 DROP DATABASE regress_check_owner;
 
@@ -127,6 +147,10 @@ RESET SESSION AUTHORIZATION;
 --
 REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user2;
 REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user3;
+REVOKE CREATE ON DATABASE regression FROM regress_mdb_su_role_o2;
+
+DROP ROLE regress_mdb_su_role_o1;
+DROP ROLE regress_mdb_su_role_o2;
 
 DROP VIEW regress_mdb_superuser_view;
 DROP FUNCTION regress_mdb_superuser_add;