Thread
Commits
-
Move rolenames test out of the core regression tests.
- c91504b958e1 12.0 landed
-
Add an enforcement mechanism for global object names in regression tests.
- 54100f5c6052 12.0 landed
-
Fix regression tests to use only global names beginning with "regress_".
- ca129e58c01f 12.0 landed
-
Disallow user-created replication origins named "pg_xxx".
- a1e61badf97b 12.0 landed
-
Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2016-07-15T22:13:37Z
We've talked before about how the regression tests should be circumspect about what role names they create/drop, so as to avoid possibly blowing up an installation's existing users during "make installcheck". In particular I believe there was consensus that such names should begin with, or at least include, "regress". I got around today to instrumenting CreateRole to see what names we were actually creating, and was quite depressed as to how thoroughly that guideline is being ignored (see attached). I propose to go through the regression tests and fix this (in HEAD only). However, there's one place where it's not so easy to just substitute a different name, because rolenames.sql is intentionally doing this: CREATE ROLE "Public"; CREATE ROLE "None"; CREATE ROLE "current_user"; CREATE ROLE "session_user"; CREATE ROLE "user"; in order to test whether we properly distinguish role-related keywords from quoted identifiers. Obviously, modifying these would defeat the point of the test. One could certainly argue that these are safe enough because nobody would ever create real roles by those names anyway. I'm not very comfortable with that though; if we believe that, why did we go to the trouble of making sure these cases work? What I'm inclined to do with this is to reduce the test to be something like BEGIN; CREATE ROLE "Public"; CREATE ROLE "None"; CREATE ROLE "current_user"; CREATE ROLE "session_user"; CREATE ROLE "user"; ROLLBACK; with maybe a couple of ALTERs and GRANTs inside the transaction to verify that the names can be referenced as well as created. This would be safe against modifying any conflicting existing users; the only bad consequence would be a phony failure of the test. I thought about trying to preserve all the existing test cases while still keeping these roles inside a transaction, by inserting savepoints around the intentional failures. But there are enough intentional failures in rolenames.sql that that would be really tedious. The existing test cases seem enormously duplicative to me anyway, so I think a fairly short transaction with a few tests would be sufficient to cover this territory. A more aggressive answer would be to decide we don't need these test cases at all and drop them. An advantage of that is that then we could configure some buildfarm animal to fail the next time somebody ignores the "test role names should contain 'regress'" rule. Comments? regards, tom lane LOG: created role tablespace_testuser1 LOG: created role tablespace_testuser2 LOG: created role regtestrole LOG: created role regress_rol_op1 LOG: created role regress_rol_op3 LOG: created role regress_rol_op4 LOG: created role regress_rol_op5 LOG: created role regress_rol_op6 LOG: created role regression_reindexuser LOG: created role regtest_unpriv_user LOG: created role test_def_superuser LOG: created role test_superuser LOG: created role Public LOG: created role None LOG: created role current_user LOG: created role session_user LOG: created role user LOG: created role testrol0 LOG: created role testrolx LOG: created role testrol2 LOG: created role testrol1 LOG: created role test_def_inherit LOG: created role test_inherit LOG: created role test_def_createrole LOG: created role test_createrole LOG: created role test_def_createdb LOG: created role test_createdb LOG: created role test_def_role_canlogin LOG: created role test_role_canlogin LOG: created role test_def_user_canlogin LOG: created role test_user_canlogin LOG: created role test_def_replication LOG: created role test_replication LOG: created role tu1 LOG: created role tr1 LOG: created role tg1 LOG: created role test_def_bypassrls LOG: created role test_bypassrls LOG: created role view_user1 LOG: created role view_user2 LOG: created role selinto_user LOG: created role regtest_addr_user LOG: created role regress_rls_alice LOG: created role regress_rls_bob LOG: created role regress_rls_carol LOG: created role regress_rls_exempt_user LOG: created role regress_rls_group1 LOG: created role regress_rls_group2 LOG: created role regress_rol_lock1 LOG: created role regressuser1 LOG: created role regressuser2 LOG: created role regressuser3 LOG: created role regressuser4 LOG: created role regressuser5 LOG: created role regressgroup1 LOG: created role regressgroup2 LOG: created role seclabel_user1 LOG: created role seclabel_user2 LOG: created role schemauser1 LOG: created role schemauser2 LOG: renamed role schemauser2 to schemauser_renamed LOG: created role locktable_user LOG: created role regress_rls_eve LOG: created role regress_rls_frank LOG: created role regress_rls_dob_role1 LOG: created role regress_rls_dob_role2 LOG: created role regress_user_mvtest LOG: created role regtest_alter_user3 LOG: created role regtest_alter_user2 LOG: created role regtest_alter_user1 LOG: created role regtest_alter_user LOG: created role regtest_alter_user5 LOG: created role regtest_alter_user6 LOG: created role regression_user LOG: created role regression_user2 LOG: created role regression_user3 LOG: created role regression_group LOG: created role foreign_data_user LOG: created role regress_test_role LOG: created role regress_test_role2 LOG: created role regress_test_role_super LOG: created role regress_test_indirect LOG: created role unprivileged_role LOG: created role regression_user0 LOG: created role regression_user1 LOG: created role regression_user2 LOG: created role temp_reset_user LOG: created role clstr_user LOG: created role regress_alice LOG: created role conversion_test_user LOG: created role regresslo LOG: created role seq_user LOG: created role regression_bob LOG: created role dblink_regression_test LOG: created role file_fdw_superuser LOG: created role file_fdw_user LOG: created role no_priv_user LOG: created role regress_view_owner
-
Re: Regression tests vs existing users in an installation
Alvaro Herrera <alvherre@2ndquadrant.com> — 2016-07-16T03:54:56Z
Tom Lane wrote: > We've talked before about how the regression tests should be circumspect > about what role names they create/drop, so as to avoid possibly blowing > up an installation's existing users during "make installcheck". In > particular I believe there was consensus that such names should begin > with, or at least include, "regress". I got around today to instrumenting > CreateRole to see what names we were actually creating, and was quite > depressed as to how thoroughly that guideline is being ignored (see > attached). > > I propose to go through the regression tests and fix this (in HEAD only). I would propose that we have one test run near the beginning or right at the beginning of the serial schedule that sets up a small number of roles to cover most of the needs of every other test, so that most such other tests do not need to create any roles at all. (Of course, there would be a few cases where this would defeat the purpose of the test because creating or dropping the role is precisely what is being created; those cases would have additional roles, with the proposed prefix.) So currently we have 97 roles? Probably we can get away with a dozen or so, maybe even less than that. > What I'm inclined to do with this is to reduce the test to be something > like > > BEGIN; > CREATE ROLE "Public"; > CREATE ROLE "None"; > CREATE ROLE "current_user"; > CREATE ROLE "session_user"; > CREATE ROLE "user"; > ROLLBACK; > > with maybe a couple of ALTERs and GRANTs inside the transaction to verify > that the names can be referenced as well as created. This would be safe > against modifying any conflicting existing users; the only bad consequence > would be a phony failure of the test. > > I thought about trying to preserve all the existing test cases while still > keeping these roles inside a transaction, by inserting savepoints around > the intentional failures. But there are enough intentional failures in > rolenames.sql that that would be really tedious. The existing test cases > seem enormously duplicative to me anyway, so I think a fairly short > transaction with a few tests would be sufficient to cover this territory. > A more aggressive answer would be to decide we don't need these test cases > at all and drop them. Hmm ... I think a blanket removal would go against generally accepted principle that our tests need to cover more functionality. Maybe we did go overboard on that one and the rolled-back creation is enough test for that functionality. -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: Regression tests vs existing users in an installation
Michael Paquier <michael.paquier@gmail.com> — 2016-07-16T11:59:30Z
On Sat, Jul 16, 2016 at 7:13 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > We've talked before about how the regression tests should be circumspect > about what role names they create/drop, so as to avoid possibly blowing > up an installation's existing users during "make installcheck". In > particular I believe there was consensus that such names should begin > with, or at least include, "regress". I got around today to instrumenting > CreateRole to see what names we were actually creating, and was quite > depressed as to how thoroughly that guideline is being ignored (see > attached). Thanks for doing this. > A more aggressive answer would be to decide we don't need these test cases > at all and drop them. An advantage of that is that then we could > configure some buildfarm animal to fail the next time somebody ignores > the "test role names should contain 'regress'" rule. I am -1 for dropping the tests. We could just have a CFLAGS that adds an elog(ERROR) in CreateRole and checks that the created role has a wanted prefix, or have a plugin that uses the utility hook to do this filtering. -- Michael
-
Re: Regression tests vs existing users in an installation
Greg Stark <stark@mit.edu> — 2016-07-16T12:19:58Z
On 16 Jul 2016 12:59 pm, "Michael Paquier" <michael.paquier@gmail.com> wrote: > > Thanks for doing this. +1 Though I might highlight this as the kind of issue that a bug tracker would help avoid falling through the cracks and make visible to newcomers. > I am -1 for dropping the tests. We could just have a CFLAGS that adds > an elog(ERROR) in CreateRole and checks that the created role has a > wanted prefix, or have a plugin that uses the utility hook to do this > filtering. If we make a hidden regression_test_safety GUC then we could have pg_regress enable it and have these specific tests disable it explicitly with comments on why it's safe. It might even be handy for other people writing application regression tests depending on what other things it blocked. A hook might even be possible to use the same way. pg_regress would have to build and install a .so which might be tricky.
-
Re: Regression tests vs existing users in an installation
Stephen Frost <sfrost@snowman.net> — 2016-07-16T14:48:01Z
Tom, * Tom Lane (tgl@sss.pgh.pa.us) wrote: > We've talked before about how the regression tests should be circumspect > about what role names they create/drop, so as to avoid possibly blowing > up an installation's existing users during "make installcheck". In > particular I believe there was consensus that such names should begin > with, or at least include, "regress". I got around today to instrumenting > CreateRole to see what names we were actually creating, and was quite > depressed as to how thoroughly that guideline is being ignored (see > attached). I had started in on this but hadn't made as much progress as I had hoped, so I'm glad to see that you're taking a look at it. > I propose to go through the regression tests and fix this (in HEAD only). > However, there's one place where it's not so easy to just substitute a > different name, because rolenames.sql is intentionally doing this: > > CREATE ROLE "Public"; > CREATE ROLE "None"; > CREATE ROLE "current_user"; > CREATE ROLE "session_user"; > CREATE ROLE "user"; > > in order to test whether we properly distinguish role-related keywords > from quoted identifiers. Obviously, modifying these would defeat the > point of the test. > > One could certainly argue that these are safe enough because nobody would > ever create real roles by those names anyway. I'm not very comfortable > with that though; if we believe that, why did we go to the trouble of > making sure these cases work? Sadly, it's not quite so simple: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831234 Note that Christoph went ahead and closed out the bug report as it was just an issue in the regression test and not unexpected behavior, but if we're going to do something in this area then we may wish to consider fixing the case that caused that bug report. > What I'm inclined to do with this is to reduce the test to be something > like > > BEGIN; > CREATE ROLE "Public"; > CREATE ROLE "None"; > CREATE ROLE "current_user"; > CREATE ROLE "session_user"; > CREATE ROLE "user"; > ROLLBACK; > > with maybe a couple of ALTERs and GRANTs inside the transaction to verify > that the names can be referenced as well as created. This would be safe > against modifying any conflicting existing users; the only bad consequence > would be a phony failure of the test. Unfortunately, the above wouldn't fix the case where someone attempts to run the regression tests as a Unix user named "user". One suggestion discussed on the bug report was to include different result files, but that does seem pretty special-cased and overkill, though if the overall set of tests in rolenames.sql is reduced then perhaps it isn't as much of an issue. Then again, how many different result files would be needed to cover all cases? Seems like there could be quite a few, though, with this specific case, it looks like we'd at least only have to deal with one for each role which is allowed to exist already (such as "user"), without any multiplicative factors (can't run the regression test as more than one Unix user at a time). > A more aggressive answer would be to decide we don't need these test cases > at all and drop them. An advantage of that is that then we could > configure some buildfarm animal to fail the next time somebody ignores > the "test role names should contain 'regress'" rule. I'd really like to have more test coverage rather than less, so I'd find this a bit hard to swallow, but it might still be better than the alternatives. Thanks! Stephen
-
Re: Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2016-07-16T15:29:15Z
Stephen Frost <sfrost@snowman.net> writes: > * Tom Lane (tgl@sss.pgh.pa.us) wrote: >> One could certainly argue that these are safe enough because nobody would >> ever create real roles by those names anyway. I'm not very comfortable >> with that though; if we believe that, why did we go to the trouble of >> making sure these cases work? > Sadly, it's not quite so simple: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831234 Hah. Well, I have zero interest in supporting "user" as the name of the bootstrap superuser. Even if that seemed like a good idea, why not also current_user, session_user, Public, or any other name we might want to use in the tests? The variant-output-files answer definitely doesn't scale. What seems a more useful approach is for packagers to not allow the O/S username to affect the results of "make check". initdb already has the --username switch to override its choice of the bootstrap superuser name, and pg_regress has a --user switch, so in principle it should be possible for a package to ensure that its build tests are run with the standard superuser name rather than something dependent on the environment. I'm not sure how *easy* it is, mind you. We might want to add some Makefile plumbing to make it easier to do that. But that's not what I'm on about today ... >> A more aggressive answer would be to decide we don't need these test cases >> at all and drop them. An advantage of that is that then we could >> configure some buildfarm animal to fail the next time somebody ignores >> the "test role names should contain 'regress'" rule. > I'd really like to have more test coverage rather than less, so I'd find > this a bit hard to swallow, but it might still be better than the > alternatives. As Greg mentioned, we could improve things if we were willing to invent something like a "regression_test_mode" GUC. The rough sketch would be: 1. pg_regress adds "regression_test_mode = on" to the ALTER DATABASE SET settings it already applies to created databases. 2. One of the effects of the GUC would be to throw an error (or warning?) for creation of disallowed-by-convention role names. 3. The rolenames test could turn off the GUC during creation of these specific test names. Or if we make it report WARNING not ERROR, we don't even have to do that, just include the warnings in the expected output. I find myself liking this idea, because there would be other uses for such a GUC. One thing that is awful darn tempting right now is to get rid of the "force_parallel_mode = regress" wart, making that variable back into a plain bool, and instead have that behavior emerge from having both force_parallel_mode and regression_test_mode turned on. We'd still want creation of these specific role names to be wrapped in a rolled-back transaction, so that we could document that only role names beginning with "regress_" are at hazard from "make installcheck". But I don't think that doing that really represents any meaningful loss of coverage. regards, tom lane
-
Re: Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2016-07-16T15:38:34Z
Alvaro Herrera <alvherre@2ndquadrant.com> writes: > Tom Lane wrote: >> We've talked before about how the regression tests should be circumspect >> about what role names they create/drop, so as to avoid possibly blowing >> up an installation's existing users during "make installcheck". In >> particular I believe there was consensus that such names should begin >> with, or at least include, "regress". I got around today to instrumenting >> CreateRole to see what names we were actually creating, and was quite >> depressed as to how thoroughly that guideline is being ignored (see >> attached). > I would propose that we have one test run near the beginning or right at > the beginning of the serial schedule that sets up a small number of > roles to cover most of the needs of every other test, so that most such > other tests do not need to create any roles at all. I don't think that's a very attractive idea. It would create hazards for concurrent test cases, I fear. Moreover, an un-enforced convention of "don't create roles" isn't really any safer than an un-enforced convention of "only create roles named thus-and-such"; it just takes one person who is not familiar with the convention, and one committer not paying close attention, and we're right back where we started. I'm coming to the conclusion that the only thing that will make this materially better in the long run is automatic enforcement of a convention about what role names may be created in the regression tests. See my response to Stephen just now for a concrete proposal. regards, tom lane
-
Re: Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2016-07-17T22:46:30Z
I've gone ahead and pushed a patch that does all of the cosmetic renamings needed to clean up the global-object-names situation. I've not done anything yet about those special cases in the rolenames test, since it's open for discussion exactly what to do there. I figured that this patch was bulky enough, and mechanical enough, that there wasn't much point in putting it up for review; the buildfarm will do a lot better at finding any mistakes I may have made. regards, tom lane
-
Re: Regression tests vs existing users in an installation
Robert Haas <robertmhaas@gmail.com> — 2016-07-18T01:37:58Z
On Sat, Jul 16, 2016 at 11:38 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > I'm coming to the conclusion that the only thing that will make this > materially better in the long run is automatic enforcement of a convention > about what role names may be created in the regression tests. See my > response to Stephen just now for a concrete proposal. We could also do this by loading a C module during the regression tests, which seems maybe less ugly than adding a GUC. I don't particularly like your suggestion of spooky action at a distance between force_parallel_mode and regression_test_mode. That just seems kooky. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
-
Re: Regression tests vs existing users in an installation
Michael Paquier <michael.paquier@gmail.com> — 2016-07-18T05:34:50Z
On Mon, Jul 18, 2016 at 10:37 AM, Robert Haas <robertmhaas@gmail.com> wrote: > On Sat, Jul 16, 2016 at 11:38 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > We could also do this by loading a C module during the regression > tests, which seems maybe less ugly than adding a GUC. > I don't particularly like your suggestion of spooky action at a > distance between force_parallel_mode and regression_test_mode. That > just seems kooky. One downside of the plugin is that any users willing to do make installcheck would need to install it as well. -- Michael
-
Re: Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2016-07-18T15:13:02Z
Robert Haas <robertmhaas@gmail.com> writes: > On Sat, Jul 16, 2016 at 11:38 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> I'm coming to the conclusion that the only thing that will make this >> materially better in the long run is automatic enforcement of a convention >> about what role names may be created in the regression tests. See my >> response to Stephen just now for a concrete proposal. > We could also do this by loading a C module during the regression > tests, which seems maybe less ugly than adding a GUC. Meh, I'm not convinced. As Michael points out, arranging for such a module to get loaded in an installcheck context would be difficult --- maybe not impossible, but complicated. Also, we'd have to add hook function calls in all the places it would need to get control; most of those places would probably be one-off hooks with no other conceivable use. And we'd still need to have a GUC, because I think it's inevitable that we'd need to be able to turn off the restrictions for specific tests. So that seems like a lot of work and complication just to make a GUC be custom to some undocumented extension rather than built-in. If we had no other debugging GUCs then there might be some point in rejecting this one, but we have a bunch: https://www.postgresql.org/docs/devel/static/runtime-config-developer.html > I don't particularly like your suggestion of spooky action at a > distance between force_parallel_mode and regression_test_mode. That > just seems kooky. It's certainly a judgment call as to which way is cleaner, but I don't understand your objection. There are plenty of ways in which multiple GUCs determine a given behavior already. Also, breaking this behavior into two variables would let us document the user-useful behavior (do this to test parallel safety of functions) in a different place from the developer-useful behavior (do this to make EXPLAIN lie to you, which surely has no possible use except for regression testing). Possibly a single "regression_test_mode" variable is a bad idea and we should instead have distinct developer-oriented GUCs for each special behavior we decide we need. I'm not particularly set on that, but to me it seems like less of a mess to have just one. regards, tom lane
-
Re: Regression tests vs existing users in an installation
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> — 2016-07-18T16:47:56Z
On 7/15/16 6:13 PM, Tom Lane wrote: > We've talked before about how the regression tests should be circumspect > about what role names they create/drop, so as to avoid possibly blowing > up an installation's existing users during "make installcheck". I'm not particularly sure that that is a useful goal anymore. Setting up a new instance is cheap, so if users are concerned, they should not run the tests against their important instance. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2016-07-18T16:58:45Z
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes: > On 7/15/16 6:13 PM, Tom Lane wrote: >> We've talked before about how the regression tests should be circumspect >> about what role names they create/drop, so as to avoid possibly blowing >> up an installation's existing users during "make installcheck". > I'm not particularly sure that that is a useful goal anymore. Setting > up a new instance is cheap, so if users are concerned, they should not > run the tests against their important instance. To my mind, the main point of "make installcheck" is to verify that your actual installation, not some other instance, is working right. This is far from a trivial issue; for instance on a SELinux machine, you need to be able to verify that the installed policy allows the DB to work, and that is very likely to be path-sensitive. So this remains an important requirement to me. It's true that it might be something you need to run only right after making the installation --- but that doesn't mean the DB is empty. Consider wanting to test a freshly pg_upgrade'd installation, for example. regards, tom lane
-
Re: Regression tests vs existing users in an installation
Robert Haas <robertmhaas@gmail.com> — 2016-07-21T16:26:35Z
On Mon, Jul 18, 2016 at 1:34 AM, Michael Paquier <michael.paquier@gmail.com> wrote: > One downside of the plugin is that any users willing to do make > installcheck would need to install it as well. Not really. If the only purpose of the plugin is to verify that we're not creating regression users whose names don't start with "regress", it should be good enough to run it for "make check" but not for "make installcheck". It's not there to test functionality, just to verify that we've followed our own rules for regression tests. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
-
Re: Regression tests vs existing users in an installation
Robert Haas <robertmhaas@gmail.com> — 2016-07-21T16:42:33Z
On Mon, Jul 18, 2016 at 11:13 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> I don't particularly like your suggestion of spooky action at a >> distance between force_parallel_mode and regression_test_mode. That >> just seems kooky. > > It's certainly a judgment call as to which way is cleaner, but I don't > understand your objection. There are plenty of ways in which multiple > GUCs determine a given behavior already. Also, breaking this behavior > into two variables would let us document the user-useful behavior (do > this to test parallel safety of functions) in a different place from the > developer-useful behavior (do this to make EXPLAIN lie to you, which > surely has no possible use except for regression testing). There are certainly cases where the behavior that you get depends on multiple GUCs. For example, the vacuum cost limit stuff is like that, and so are the cost factors which control the query planner. But in each of those cases, each GUC has a function that is fully orthogonal to each other GUC. That doesn't seem to be the case here. You're saying that force_parallel_mode will decide whether we get behavior A, and regression_test_mode will decide whether we get behavior B, but if you ask for both A and B you will also get an additional behavior C which would not have been selected by either GUC taken alone. Because the different settings are now non-orthogonal, there's now no way to get A and B without C, or A and C without B. Moreover, I don't want to end up in a situation where regression_test_mode=on enables a score of minor behavior changes that can't be separated out and tested individually. It's true that checking the names of regression roles is such a very minor thing that a generic name like regression_test_mode might be OK, with the idea that anything else similarly minor that comes along later can be folded into that as well. But I fear that it will become a crutch: my code makes the regression test fail. Instead of writing better tests, add another thing that's conditional on regression_test_mode! Eventually, we'll have a bug that the regression tests fail to catch because regression_test_mode papers over the problem. We're some distance from such a situation now, of course, but I bet the temptation to be undisciplined about hooking more behavior into that GUC will be almost irresistible for new developers, and in some cases experienced ones, too. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
-
Re: [HACKERS] Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2019-06-26T03:33:22Z
[ blast from the past department ] So, this thread about ensuring the regression tests don't create random globally-visible names seems to have got lost in the weeds. I'm going to resurrect it after noticing that two different places have grown violations of the rule since I fixed things in 18555b132. I think we were largely overdesigning the fix. The right thing is to do something approximately as attached, and then make at least one buildfarm critter build with -DENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS. This proposed patch intentionally emits only WARNINGs, not ERRORS. This is so that TAP tests won't fail if the warnings fire. Since TAP tests never run against an existing installation, there's no reason for them to follow the restriction. Admittedly, this is a pretty ad-hoc way of getting that end result, but I'm tired of waiting for somebody to implement a less ad-hoc way. There are still two things we'd have to argue about before committing this. One is the already-discussed-upthread point that rolenames.sql insists on creating and then deleting users with names like "user". I remain of the opinion that that's just a damfool idea; there is nearly zero chance that those test cases will ever catch a bug, and much more than zero chance that they'll cause problems in some pre-existing installation. So my vote is to take them out. The other is that we've also grown a bunch of tests that create subscriptions and replication origins with randomly-chosen names. Since those objects also have globally-visible names, I think the "name them regress_something" policy should apply to them too, and the attached patch tries to enforce it. But of course that causes a bunch of failures right now. (While I'm looking at that, I wonder why we don't have a restriction against "pg_xxx" names for those object types.) Comments? regards, tom lane
-
Re: [HACKERS] Regression tests vs existing users in an installation
Robert Haas <robertmhaas@gmail.com> — 2019-06-27T17:31:10Z
On Tue, Jun 25, 2019 at 11:33 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Comments? LGTM. s/must/should/ ? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
-
Re: [HACKERS] Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2019-06-27T20:50:06Z
Robert Haas <robertmhaas@gmail.com> writes: > On Tue, Jun 25, 2019 at 11:33 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Comments? > LGTM. Thanks for looking! > s/must/should/ ? Sure, if you like. Further on the rolenames test mess: I started to work on removing that script's creation of out-of-spec user names, but my heart just sank to the floor when I noticed that it was also doing stuff like this: ALTER USER ALL SET application_name to 'SLAP'; ALTER USER ALL RESET application_name; The extent to which that's Not OK inside a production installation is hard to overstate. At the same time, I can see that we'd want to have some coverage for that code path, so just deleting those tests isn't attractive. So I think the only real solution is to cordon off this test script in some environment where it won't get run by "make installcheck". I thought briefly about recasting it as a TAP test, but that looked like a huge amount of make-work. What I propose that we do instead is invent an empty "module" under src/test/modules/ and install rolenames as a test for that. We already have this in src/test/modules/README: src/test/modules contains PostgreSQL extensions that are primarily or entirely intended for testing PostgreSQL and/or to serve as example code. The extensions here aren't intended to be installed in a production server and aren't suitable for "real work". So I think we could just extend that verbiage to insist that neither "make install" nor "make installcheck" are good ideas against production servers. Perhaps like Furthermore, while you can do "make install" and "make installcheck" in this directory or its children, it is HIGHLY NOT ADVISED to do so with a server containing valuable data. Some of these tests may have undesirable side-effects on roles or other global objects within the tested server. Defining things this way also makes it a non-problem that src/test/modules/test_pg_dump creates global objects and doesn't drop them. (src/test/Makefile is already on board with this definition.) Now, this doesn't in itself fix the problem that my proposed patch will emit warnings about the rolenames test script creating "Public" and so on. We could fix that by maintaining a variant expected-file that includes those warnings, but probably a less painful answer is just to jack client_min_messages up to ERROR for that short segment of the test script. We could make the new subdirectory be something specific like "src/test/modules/test_rolenames", but I think very likely we'll be wanting some additional test scripts that we likewise deem unsafe to run during "installcheck". So I'd rather choose a more generic module name, but I'm not sure what ... "unsafe_tests"? Comments? regards, tom lane -
Re: [HACKERS] Regression tests vs existing users in an installation
Alvaro Herrera <alvherre@2ndquadrant.com> — 2019-06-27T21:21:48Z
On 2019-Jun-27, Tom Lane wrote: > Further on the rolenames test mess: I started to work on removing > that script's creation of out-of-spec user names, but my heart just > sank to the floor when I noticed that it was also doing stuff like > this: > > ALTER USER ALL SET application_name to 'SLAP'; > ALTER USER ALL RESET application_name; > > The extent to which that's Not OK inside a production installation > is hard to overstate. Uh-oh. I don't remember doing that, but evidently I did :-( > At the same time, I can see that we'd want to have some coverage > for that code path, so just deleting those tests isn't attractive. Yeah ... > What I propose that we do instead is invent an empty "module" under > src/test/modules/ and install rolenames as a test for that. Hmm, that's an idea, yes. > Now, this doesn't in itself fix the problem that my proposed patch will > emit warnings about the rolenames test script creating "Public" and so on. > We could fix that by maintaining a variant expected-file that includes > those warnings, but probably a less painful answer is just to jack > client_min_messages up to ERROR for that short segment of the test script. +1 > We could make the new subdirectory be something specific like > "src/test/modules/test_rolenames", but I think very likely we'll be > wanting some additional test scripts that we likewise deem unsafe to > run during "installcheck". So I'd rather choose a more generic module > name, but I'm not sure what ... "unsafe_tests"? +0 for unsafe_tests, -1 for test_rolenames. -- Álvaro Herrera https://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: [HACKERS] Regression tests vs existing users in an installation
Stephen Frost <sfrost@snowman.net> — 2019-06-28T15:41:11Z
Greetings, * Tom Lane (tgl@sss.pgh.pa.us) wrote: > Furthermore, while you can do "make install" and "make installcheck" > in this directory or its children, it is HIGHLY NOT ADVISED to do so > with a server containing valuable data. Some of these tests may have > undesirable side-effects on roles or other global objects within the > tested server. > > Defining things this way also makes it a non-problem that > src/test/modules/test_pg_dump creates global objects and doesn't drop > them. Sounds like a good approach to me and I'm happy that it'd address the test_pg_dump case too. > Now, this doesn't in itself fix the problem that my proposed patch will > emit warnings about the rolenames test script creating "Public" and so on. > We could fix that by maintaining a variant expected-file that includes > those warnings, but probably a less painful answer is just to jack > client_min_messages up to ERROR for that short segment of the test script. Seems alright. > We could make the new subdirectory be something specific like > "src/test/modules/test_rolenames", but I think very likely we'll be > wanting some additional test scripts that we likewise deem unsafe to > run during "installcheck". So I'd rather choose a more generic module > name, but I'm not sure what ... "unsafe_tests"? Agreed but haven't got any particularly good suggestions on names.. Thanks, Stephen
-
Re: [HACKERS] Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2019-06-28T18:42:49Z
OK, here's a completed patch to add checking for naming-rule violations. I updated regress.sgml to clarify the naming rules (and failed to resist the temptation to update a lot of other somewhat-obsolete statements there, too). Also worth noting is that I added an IsReservedName check to pg_replication_origin_create(), ie it will no longer allow user-selected origin names starting with "pg_". This seems like a good idea considering that we generate internal origin names that look like that. I have not done anything equivalent for subscription names, but should we consider doing so? I touched the TAP tests only to the extent necessary to make them pass cleanly --- mostly I had to fool with pg_dump/t/010_dump_connstr.pl because it whines if the restore step emits any warnings. Perhaps there's another way to address that with less invasive changes to that test script; but I couldn't think of one other than ignoring warnings, which didn't seem like a great idea. This patch doesn't address the issue that we think rolenames.sql is unsafe to run in "make installcheck" mode. That seems like a separable problem, and we'd have to adjust that script as shown here anyway. Barring objections, I'll push this shortly (to HEAD only) and turn on the enabling switch on one or two of my buildfarm critters. regards, tom lane
-
Re: [HACKERS] Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2019-06-29T17:21:48Z
Stephen Frost <sfrost@snowman.net> writes: > * Tom Lane (tgl@sss.pgh.pa.us) wrote: >> We could make the new subdirectory be something specific like >> "src/test/modules/test_rolenames", but I think very likely we'll be >> wanting some additional test scripts that we likewise deem unsafe to >> run during "installcheck". So I'd rather choose a more generic module >> name, but I'm not sure what ... "unsafe_tests"? > Agreed but haven't got any particularly good suggestions on names.. Hearing no better suggestions, I went with "unsafe_tests" in the attached. This patch just moves rolenames.sql lock-stock-and-barrel into src/test/modules/unsafe_tests. Another approach would be to split the test script into a portion that doesn't violate any installcheck rule and could be kept in the core tests, versus the unsafe tests. I lack the interest to do that, but if somebody else is excited enough about it, have at it. I'm wondering whether we ought to back-patch this. The odds that somebody would be affected by "make installcheck" resetting the application_name property of existing roles seem pretty small, but it could be nasty if it did matter. Perhaps squeezing this into v12 is good enough. Another idea would be to just take out the ALTER USER ALL tests in the back branches. Thoughts? regards, tom lane
-
Re: [HACKERS] Regression tests vs existing users in an installation
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> — 2019-11-26T21:10:15Z
On 2019-06-29 19:21, Tom Lane wrote: > Stephen Frost<sfrost@snowman.net> writes: >> * Tom Lane (tgl@sss.pgh.pa.us) wrote: >>> We could make the new subdirectory be something specific like >>> "src/test/modules/test_rolenames", but I think very likely we'll be >>> wanting some additional test scripts that we likewise deem unsafe to >>> run during "installcheck". So I'd rather choose a more generic module >>> name, but I'm not sure what ... "unsafe_tests"? >> Agreed but haven't got any particularly good suggestions on names.. > Hearing no better suggestions, I went with "unsafe_tests" in the > attached. I found this directory, and it seems like a good place to add some more tests (other thread), but I'm puzzled why it's hidden under modules/, since it's not, well, a module. Why is it not in src/test/? -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: [HACKERS] Regression tests vs existing users in an installation
Tom Lane <tgl@sss.pgh.pa.us> — 2019-11-26T22:32:16Z
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes: > I found this directory, and it seems like a good place to add some more > tests (other thread), but I'm puzzled why it's hidden under modules/, > since it's not, well, a module. Why is it not in src/test/? Doing it like this allowed it to be picked up automatically by the buildfarm script. If we'd put it in a new src/test directory, the buildfarm script would have had to be taught about that, and we'd have no coverage until owners updated their machines. So it seemed expedient to do it like this. regards, tom lane