2010-09-28 02:55:27 +02:00
|
|
|
/* -------------------------------------------------------------------------
|
|
|
|
|
*
|
|
|
|
|
* seclabel.c
|
|
|
|
|
* routines to support security label feature.
|
|
|
|
|
*
|
2023-01-02 21:00:37 +01:00
|
|
|
* Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
|
2010-09-28 02:55:27 +02:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
|
|
|
*
|
|
|
|
|
* -------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#include "postgres.h"
|
|
|
|
|
|
2019-12-27 00:09:00 +01:00
|
|
|
#include "access/genam.h"
|
2012-08-30 22:15:44 +02:00
|
|
|
#include "access/htup_details.h"
|
2019-01-21 19:18:20 +01:00
|
|
|
#include "access/relation.h"
|
|
|
|
|
#include "access/table.h"
|
2010-09-28 02:55:27 +02:00
|
|
|
#include "catalog/catalog.h"
|
|
|
|
|
#include "catalog/indexing.h"
|
|
|
|
|
#include "catalog/pg_seclabel.h"
|
2011-07-20 19:18:24 +02:00
|
|
|
#include "catalog/pg_shseclabel.h"
|
2010-09-28 02:55:27 +02:00
|
|
|
#include "commands/seclabel.h"
|
|
|
|
|
#include "miscadmin.h"
|
|
|
|
|
#include "utils/builtins.h"
|
|
|
|
|
#include "utils/fmgroids.h"
|
|
|
|
|
#include "utils/memutils.h"
|
2011-03-26 04:10:07 +01:00
|
|
|
#include "utils/rel.h"
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
|
|
|
|
const char *provider_name;
|
|
|
|
|
check_object_relabel_type hook;
|
|
|
|
|
} LabelProvider;
|
|
|
|
|
|
|
|
|
|
static List *label_provider_list = NIL;
|
|
|
|
|
|
2020-06-13 09:03:28 +02:00
|
|
|
static bool
|
|
|
|
|
SecLabelSupportsObjectType(ObjectType objtype)
|
|
|
|
|
{
|
|
|
|
|
switch (objtype)
|
|
|
|
|
{
|
|
|
|
|
case OBJECT_AGGREGATE:
|
|
|
|
|
case OBJECT_COLUMN:
|
|
|
|
|
case OBJECT_DATABASE:
|
|
|
|
|
case OBJECT_DOMAIN:
|
|
|
|
|
case OBJECT_EVENT_TRIGGER:
|
|
|
|
|
case OBJECT_FOREIGN_TABLE:
|
|
|
|
|
case OBJECT_FUNCTION:
|
|
|
|
|
case OBJECT_LANGUAGE:
|
|
|
|
|
case OBJECT_LARGEOBJECT:
|
|
|
|
|
case OBJECT_MATVIEW:
|
|
|
|
|
case OBJECT_PROCEDURE:
|
|
|
|
|
case OBJECT_PUBLICATION:
|
|
|
|
|
case OBJECT_ROLE:
|
|
|
|
|
case OBJECT_ROUTINE:
|
|
|
|
|
case OBJECT_SCHEMA:
|
|
|
|
|
case OBJECT_SEQUENCE:
|
|
|
|
|
case OBJECT_SUBSCRIPTION:
|
|
|
|
|
case OBJECT_TABLE:
|
|
|
|
|
case OBJECT_TABLESPACE:
|
|
|
|
|
case OBJECT_TYPE:
|
|
|
|
|
case OBJECT_VIEW:
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case OBJECT_ACCESS_METHOD:
|
|
|
|
|
case OBJECT_AMOP:
|
|
|
|
|
case OBJECT_AMPROC:
|
|
|
|
|
case OBJECT_ATTRIBUTE:
|
|
|
|
|
case OBJECT_CAST:
|
|
|
|
|
case OBJECT_COLLATION:
|
|
|
|
|
case OBJECT_CONVERSION:
|
|
|
|
|
case OBJECT_DEFAULT:
|
|
|
|
|
case OBJECT_DEFACL:
|
|
|
|
|
case OBJECT_DOMCONSTRAINT:
|
|
|
|
|
case OBJECT_EXTENSION:
|
|
|
|
|
case OBJECT_FDW:
|
|
|
|
|
case OBJECT_FOREIGN_SERVER:
|
|
|
|
|
case OBJECT_INDEX:
|
|
|
|
|
case OBJECT_OPCLASS:
|
|
|
|
|
case OBJECT_OPERATOR:
|
|
|
|
|
case OBJECT_OPFAMILY:
|
2022-04-06 19:24:33 +02:00
|
|
|
case OBJECT_PARAMETER_ACL:
|
2020-06-13 09:03:28 +02:00
|
|
|
case OBJECT_POLICY:
|
Allow publishing the tables of schema.
A new option "FOR ALL TABLES IN SCHEMA" in Create/Alter Publication allows
one or more schemas to be specified, whose tables are selected by the
publisher for sending the data to the subscriber.
The new syntax allows specifying both the tables and schemas. For example:
CREATE PUBLICATION pub1 FOR TABLE t1,t2,t3, ALL TABLES IN SCHEMA s1,s2;
OR
ALTER PUBLICATION pub1 ADD TABLE t1,t2,t3, ALL TABLES IN SCHEMA s1,s2;
A new system table "pg_publication_namespace" has been added, to maintain
the schemas that the user wants to publish through the publication.
Modified the output plugin (pgoutput) to publish the changes if the
relation is part of schema publication.
Updates pg_dump to identify and dump schema publications. Updates the \d
family of commands to display schema publications and \dRp+ variant will
now display associated schemas if any.
Author: Vignesh C, Hou Zhijie, Amit Kapila
Syntax-Suggested-by: Tom Lane, Alvaro Herrera
Reviewed-by: Greg Nancarrow, Masahiko Sawada, Hou Zhijie, Amit Kapila, Haiying Tang, Ajin Cherian, Rahila Syed, Bharath Rupireddy, Mark Dilger
Tested-by: Haiying Tang
Discussion: https://www.postgresql.org/message-id/CALDaNm0OANxuJ6RXqwZsM1MSY4s19nuH3734j4a72etDwvBETQ@mail.gmail.com
2021-10-27 04:14:52 +02:00
|
|
|
case OBJECT_PUBLICATION_NAMESPACE:
|
2020-06-13 09:03:28 +02:00
|
|
|
case OBJECT_PUBLICATION_REL:
|
|
|
|
|
case OBJECT_RULE:
|
|
|
|
|
case OBJECT_STATISTIC_EXT:
|
|
|
|
|
case OBJECT_TABCONSTRAINT:
|
|
|
|
|
case OBJECT_TRANSFORM:
|
|
|
|
|
case OBJECT_TRIGGER:
|
|
|
|
|
case OBJECT_TSCONFIGURATION:
|
|
|
|
|
case OBJECT_TSDICTIONARY:
|
|
|
|
|
case OBJECT_TSPARSER:
|
|
|
|
|
case OBJECT_TSTEMPLATE:
|
|
|
|
|
case OBJECT_USER_MAPPING:
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* There's intentionally no default: case here; we want the
|
|
|
|
|
* compiler to warn if a new ObjectType hasn't been handled above.
|
|
|
|
|
*/
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Shouldn't get here, but if we do, say "no support" */
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2010-09-28 02:55:27 +02:00
|
|
|
/*
|
|
|
|
|
* ExecSecLabelStmt --
|
|
|
|
|
*
|
|
|
|
|
* Apply a security label to a database object.
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
*
|
|
|
|
|
* Returns the ObjectAddress of the object to which the policy was applied.
|
2010-09-28 02:55:27 +02:00
|
|
|
*/
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddress
|
2010-09-28 02:55:27 +02:00
|
|
|
ExecSecLabelStmt(SecLabelStmt *stmt)
|
|
|
|
|
{
|
|
|
|
|
LabelProvider *provider = NULL;
|
|
|
|
|
ObjectAddress address;
|
|
|
|
|
Relation relation;
|
|
|
|
|
ListCell *lc;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find the named label provider, or if none specified, check whether
|
|
|
|
|
* there's exactly one, and if so use it.
|
|
|
|
|
*/
|
|
|
|
|
if (stmt->provider == NULL)
|
|
|
|
|
{
|
|
|
|
|
if (label_provider_list == NIL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
2010-10-26 20:54:31 +02:00
|
|
|
errmsg("no security label providers have been loaded")));
|
Represent Lists as expansible arrays, not chains of cons-cells.
Originally, Postgres Lists were a more or less exact reimplementation of
Lisp lists, which consist of chains of separately-allocated cons cells,
each having a value and a next-cell link. We'd hacked that once before
(commit d0b4399d8) to add a separate List header, but the data was still
in cons cells. That makes some operations -- notably list_nth() -- O(N),
and it's bulky because of the next-cell pointers and per-cell palloc
overhead, and it's very cache-unfriendly if the cons cells end up
scattered around rather than being adjacent.
In this rewrite, we still have List headers, but the data is in a
resizable array of values, with no next-cell links. Now we need at
most two palloc's per List, and often only one, since we can allocate
some values in the same palloc call as the List header. (Of course,
extending an existing List may require repalloc's to enlarge the array.
But this involves just O(log N) allocations not O(N).)
Of course this is not without downsides. The key difficulty is that
addition or deletion of a list entry may now cause other entries to
move, which it did not before.
For example, that breaks foreach() and sister macros, which historically
used a pointer to the current cons-cell as loop state. We can repair
those macros transparently by making their actual loop state be an
integer list index; the exposed "ListCell *" pointer is no longer state
carried across loop iterations, but is just a derived value. (In
practice, modern compilers can optimize things back to having just one
loop state value, at least for simple cases with inline loop bodies.)
In principle, this is a semantics change for cases where the loop body
inserts or deletes list entries ahead of the current loop index; but
I found no such cases in the Postgres code.
The change is not at all transparent for code that doesn't use foreach()
but chases lists "by hand" using lnext(). The largest share of such
code in the backend is in loops that were maintaining "prev" and "next"
variables in addition to the current-cell pointer, in order to delete
list cells efficiently using list_delete_cell(). However, we no longer
need a previous-cell pointer to delete a list cell efficiently. Keeping
a next-cell pointer doesn't work, as explained above, but we can improve
matters by changing such code to use a regular foreach() loop and then
using the new macro foreach_delete_current() to delete the current cell.
(This macro knows how to update the associated foreach loop's state so
that no cells will be missed in the traversal.)
There remains a nontrivial risk of code assuming that a ListCell *
pointer will remain good over an operation that could now move the list
contents. To help catch such errors, list.c can be compiled with a new
define symbol DEBUG_LIST_MEMORY_USAGE that forcibly moves list contents
whenever that could possibly happen. This makes list operations
significantly more expensive so it's not normally turned on (though it
is on by default if USE_VALGRIND is on).
There are two notable API differences from the previous code:
* lnext() now requires the List's header pointer in addition to the
current cell's address.
* list_delete_cell() no longer requires a previous-cell argument.
These changes are somewhat unfortunate, but on the other hand code using
either function needs inspection to see if it is assuming anything
it shouldn't, so it's not all bad.
Programmers should be aware of these significant performance changes:
* list_nth() and related functions are now O(1); so there's no
major access-speed difference between a list and an array.
* Inserting or deleting a list element now takes time proportional to
the distance to the end of the list, due to moving the array elements.
(However, it typically *doesn't* require palloc or pfree, so except in
long lists it's probably still faster than before.) Notably, lcons()
used to be about the same cost as lappend(), but that's no longer true
if the list is long. Code that uses lcons() and list_delete_first()
to maintain a stack might usefully be rewritten to push and pop at the
end of the list rather than the beginning.
* There are now list_insert_nth...() and list_delete_nth...() functions
that add or remove a list cell identified by index. These have the
data-movement penalty explained above, but there's no search penalty.
* list_concat() and variants now copy the second list's data into
storage belonging to the first list, so there is no longer any
sharing of cells between the input lists. The second argument is
now declared "const List *" to reflect that it isn't changed.
This patch just does the minimum needed to get the new implementation
in place and fix bugs exposed by the regression tests. As suggested
by the foregoing, there's a fair amount of followup work remaining to
do.
Also, the ENABLE_LIST_COMPAT macros are finally removed in this
commit. Code using those should have been gone a dozen years ago.
Patch by me; thanks to David Rowley, Jesper Pedersen, and others
for review.
Discussion: https://postgr.es/m/11587.1550975080@sss.pgh.pa.us
2019-07-15 19:41:58 +02:00
|
|
|
if (list_length(label_provider_list) != 1)
|
2010-09-28 02:55:27 +02:00
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
|
|
|
|
errmsg("must specify provider when multiple security label providers have been loaded")));
|
|
|
|
|
provider = (LabelProvider *) linitial(label_provider_list);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
foreach(lc, label_provider_list)
|
|
|
|
|
{
|
|
|
|
|
LabelProvider *lp = lfirst(lc);
|
|
|
|
|
|
|
|
|
|
if (strcmp(stmt->provider, lp->provider_name) == 0)
|
|
|
|
|
{
|
|
|
|
|
provider = lp;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (provider == NULL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
|
|
|
|
errmsg("security label provider \"%s\" is not loaded",
|
|
|
|
|
stmt->provider)));
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-13 09:03:28 +02:00
|
|
|
if (!SecLabelSupportsObjectType(stmt->objtype))
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
|
|
|
|
|
errmsg("security labels are not supported for this type of object")));
|
|
|
|
|
|
2010-09-28 02:55:27 +02:00
|
|
|
/*
|
|
|
|
|
* Translate the parser representation which identifies this object into
|
|
|
|
|
* an ObjectAddress. get_object_address() will throw an error if the
|
|
|
|
|
* object does not exist, and will also acquire a lock on the target to
|
|
|
|
|
* guard against concurrent modifications.
|
|
|
|
|
*/
|
Remove objname/objargs split for referring to objects
In simpler times, it might have worked to refer to all kinds of objects
by a list of name components and an optional argument list. But this
doesn't work for all objects, which has resulted in a collection of
hacks to place various other nodes types into these fields, which have
to be unpacked at the other end. This makes it also weird to represent
lists of such things in the grammar, because they would have to be lists
of singleton lists, to make the unpacking work consistently. The other
problem is that keeping separate name and args fields makes it awkward
to deal with lists of functions.
Change that by dropping the objargs field and have objname, renamed to
object, be a generic Node, which can then be flexibly assigned and
managed using the normal Node mechanisms. In many cases it will still
be a List of names, in some cases it will be a string Value, for types
it will be the existing Typename, for functions it will now use the
existing ObjectWithArgs node type. Some of the more obscure object
types still use somewhat arbitrary nested lists.
Reviewed-by: Jim Nasby <Jim.Nasby@BlueTreble.com>
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
2016-11-12 18:00:00 +01:00
|
|
|
address = get_object_address(stmt->objtype, stmt->object,
|
2011-06-28 03:17:25 +02:00
|
|
|
&relation, ShareUpdateExclusiveLock, false);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2011-03-04 23:26:37 +01:00
|
|
|
/* Require ownership of the target object. */
|
|
|
|
|
check_object_ownership(GetUserId(), stmt->objtype, address,
|
Remove objname/objargs split for referring to objects
In simpler times, it might have worked to refer to all kinds of objects
by a list of name components and an optional argument list. But this
doesn't work for all objects, which has resulted in a collection of
hacks to place various other nodes types into these fields, which have
to be unpacked at the other end. This makes it also weird to represent
lists of such things in the grammar, because they would have to be lists
of singleton lists, to make the unpacking work consistently. The other
problem is that keeping separate name and args fields makes it awkward
to deal with lists of functions.
Change that by dropping the objargs field and have objname, renamed to
object, be a generic Node, which can then be flexibly assigned and
managed using the normal Node mechanisms. In many cases it will still
be a List of names, in some cases it will be a string Value, for types
it will be the existing Typename, for functions it will now use the
existing ObjectWithArgs node type. Some of the more obscure object
types still use somewhat arbitrary nested lists.
Reviewed-by: Jim Nasby <Jim.Nasby@BlueTreble.com>
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
2016-11-12 18:00:00 +01:00
|
|
|
stmt->object, relation);
|
2011-03-04 23:26:37 +01:00
|
|
|
|
|
|
|
|
/* Perform other integrity checks as needed. */
|
2010-09-28 02:55:27 +02:00
|
|
|
switch (stmt->objtype)
|
|
|
|
|
{
|
|
|
|
|
case OBJECT_COLUMN:
|
2011-04-10 17:42:00 +02:00
|
|
|
|
2011-03-04 23:26:37 +01:00
|
|
|
/*
|
|
|
|
|
* Allow security labels only on columns of tables, views,
|
2013-03-04 01:23:31 +01:00
|
|
|
* materialized views, composite types, and foreign tables (which
|
|
|
|
|
* are the only relkinds for which pg_dump will dump labels).
|
2011-03-04 23:26:37 +01:00
|
|
|
*/
|
|
|
|
|
if (relation->rd_rel->relkind != RELKIND_RELATION &&
|
|
|
|
|
relation->rd_rel->relkind != RELKIND_VIEW &&
|
2013-03-04 01:23:31 +01:00
|
|
|
relation->rd_rel->relkind != RELKIND_MATVIEW &&
|
2011-03-04 23:26:37 +01:00
|
|
|
relation->rd_rel->relkind != RELKIND_COMPOSITE_TYPE &&
|
Implement table partitioning.
Table partitioning is like table inheritance and reuses much of the
existing infrastructure, but there are some important differences.
The parent is called a partitioned table and is always empty; it may
not have indexes or non-inherited constraints, since those make no
sense for a relation with no data of its own. The children are called
partitions and contain all of the actual data. Each partition has an
implicit partitioning constraint. Multiple inheritance is not
allowed, and partitioning and inheritance can't be mixed. Partitions
can't have extra columns and may not allow nulls unless the parent
does. Tuples inserted into the parent are automatically routed to the
correct partition, so tuple-routing ON INSERT triggers are not needed.
Tuple routing isn't yet supported for partitions which are foreign
tables, and it doesn't handle updates that cross partition boundaries.
Currently, tables can be range-partitioned or list-partitioned. List
partitioning is limited to a single column, but range partitioning can
involve multiple columns. A partitioning "column" can be an
expression.
Because table partitioning is less general than table inheritance, it
is hoped that it will be easier to reason about properties of
partitions, and therefore that this will serve as a better foundation
for a variety of possible optimizations, including query planner
optimizations. The tuple routing based which this patch does based on
the implicit partitioning constraints is an example of this, but it
seems likely that many other useful optimizations are also possible.
Amit Langote, reviewed and tested by Robert Haas, Ashutosh Bapat,
Amit Kapila, Rajkumar Raghuwanshi, Corey Huinker, Jaime Casanova,
Rushabh Lathia, Erik Rijkers, among others. Minor revisions by me.
2016-12-07 19:17:43 +01:00
|
|
|
relation->rd_rel->relkind != RELKIND_FOREIGN_TABLE &&
|
|
|
|
|
relation->rd_rel->relkind != RELKIND_PARTITIONED_TABLE)
|
2010-09-28 02:55:27 +02:00
|
|
|
ereport(ERROR,
|
2011-03-04 23:26:37 +01:00
|
|
|
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
|
Improve error messages about mismatching relkind
Most error messages about a relkind that was not supported or
appropriate for the command was of the pattern
"relation \"%s\" is not a table, foreign table, or materialized view"
This style can become verbose and tedious to maintain. Moreover, it's
not very helpful: If I'm trying to create a comment on a TOAST table,
which is not supported, then the information that I could have created
a comment on a materialized view is pointless.
Instead, write the primary error message shorter and saying more
directly that what was attempted is not possible. Then, in the detail
message, explain that the operation is not supported for the relkind
the object was. To simplify that, add a new function
errdetail_relkind_not_supported() that does this.
In passing, make use of RELKIND_HAS_STORAGE() where appropriate,
instead of listing out the relkinds individually.
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Alvaro Herrera <alvherre@alvh.no-ip.org>
Discussion: https://www.postgresql.org/message-id/flat/dc35a398-37d0-75ce-07ea-1dd71d98f8ec@2ndquadrant.com
2021-07-08 09:38:52 +02:00
|
|
|
errmsg("cannot set security label on relation \"%s\"",
|
|
|
|
|
RelationGetRelationName(relation)),
|
|
|
|
|
errdetail_relkind_not_supported(relation->rd_rel->relkind)));
|
2010-09-28 02:55:27 +02:00
|
|
|
break;
|
|
|
|
|
default:
|
2011-03-04 23:26:37 +01:00
|
|
|
break;
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Provider gets control here, may throw ERROR to veto new label. */
|
2017-09-07 18:06:23 +02:00
|
|
|
provider->hook(&address, stmt->label);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
/* Apply new label. */
|
|
|
|
|
SetSecurityLabel(&address, provider->provider_name, stmt->label);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If get_object_address() opened the relation for us, we close it to keep
|
|
|
|
|
* the reference count correct - but we retain any locks acquired by
|
|
|
|
|
* get_object_address() until commit time, to guard against concurrent
|
|
|
|
|
* activity.
|
|
|
|
|
*/
|
|
|
|
|
if (relation != NULL)
|
|
|
|
|
relation_close(relation, NoLock);
|
2012-12-29 13:55:37 +01:00
|
|
|
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
return address;
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2011-07-20 19:18:24 +02:00
|
|
|
* GetSharedSecurityLabel returns the security label for a shared object for
|
|
|
|
|
* a given provider, or NULL if there is no such label.
|
|
|
|
|
*/
|
|
|
|
|
static char *
|
|
|
|
|
GetSharedSecurityLabel(const ObjectAddress *object, const char *provider)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_shseclabel;
|
|
|
|
|
ScanKeyData keys[3];
|
|
|
|
|
SysScanDesc scan;
|
|
|
|
|
HeapTuple tuple;
|
|
|
|
|
Datum datum;
|
|
|
|
|
bool isnull;
|
|
|
|
|
char *seclabel = NULL;
|
|
|
|
|
|
|
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_shseclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_shseclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_shseclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2011-07-20 19:18:24 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_shseclabel = table_open(SharedSecLabelRelationId, AccessShareLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
2021-10-14 21:24:00 +02:00
|
|
|
scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId,
|
|
|
|
|
criticalSharedRelcachesBuilt, NULL, 3, keys);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
tuple = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(tuple))
|
|
|
|
|
{
|
|
|
|
|
datum = heap_getattr(tuple, Anum_pg_shseclabel_label,
|
|
|
|
|
RelationGetDescr(pg_shseclabel), &isnull);
|
|
|
|
|
if (!isnull)
|
|
|
|
|
seclabel = TextDatumGetCString(datum);
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_shseclabel, AccessShareLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
return seclabel;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* GetSecurityLabel returns the security label for a shared or database object
|
|
|
|
|
* for a given provider, or NULL if there is no such label.
|
2010-09-28 02:55:27 +02:00
|
|
|
*/
|
|
|
|
|
char *
|
|
|
|
|
GetSecurityLabel(const ObjectAddress *object, const char *provider)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_seclabel;
|
|
|
|
|
ScanKeyData keys[4];
|
|
|
|
|
SysScanDesc scan;
|
|
|
|
|
HeapTuple tuple;
|
|
|
|
|
Datum datum;
|
|
|
|
|
bool isnull;
|
|
|
|
|
char *seclabel = NULL;
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Shared objects have their own security label catalog. */
|
|
|
|
|
if (IsSharedRelation(object->classId))
|
|
|
|
|
return GetSharedSecurityLabel(object, provider);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Must be an unshared object, so examine pg_seclabel. */
|
2010-09-28 02:55:27 +02:00
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_seclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_seclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_seclabel_objsubid,
|
|
|
|
|
BTEqualStrategyNumber, F_INT4EQ,
|
|
|
|
|
Int32GetDatum(object->objectSubId));
|
|
|
|
|
ScanKeyInit(&keys[3],
|
|
|
|
|
Anum_pg_seclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_seclabel = table_open(SecLabelRelationId, AccessShareLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 4, keys);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
tuple = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(tuple))
|
|
|
|
|
{
|
|
|
|
|
datum = heap_getattr(tuple, Anum_pg_seclabel_label,
|
|
|
|
|
RelationGetDescr(pg_seclabel), &isnull);
|
|
|
|
|
if (!isnull)
|
|
|
|
|
seclabel = TextDatumGetCString(datum);
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_seclabel, AccessShareLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
return seclabel;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/*
|
|
|
|
|
* SetSharedSecurityLabel is a helper function of SetSecurityLabel to
|
|
|
|
|
* handle shared database objects.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
SetSharedSecurityLabel(const ObjectAddress *object,
|
|
|
|
|
const char *provider, const char *label)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_shseclabel;
|
|
|
|
|
ScanKeyData keys[4];
|
|
|
|
|
SysScanDesc scan;
|
|
|
|
|
HeapTuple oldtup;
|
|
|
|
|
HeapTuple newtup = NULL;
|
|
|
|
|
Datum values[Natts_pg_shseclabel];
|
|
|
|
|
bool nulls[Natts_pg_shseclabel];
|
|
|
|
|
bool replaces[Natts_pg_shseclabel];
|
|
|
|
|
|
|
|
|
|
/* Prepare to form or update a tuple, if necessary. */
|
|
|
|
|
memset(nulls, false, sizeof(nulls));
|
|
|
|
|
memset(replaces, false, sizeof(replaces));
|
|
|
|
|
values[Anum_pg_shseclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
|
|
|
|
|
values[Anum_pg_shseclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
|
2015-05-19 16:40:04 +02:00
|
|
|
values[Anum_pg_shseclabel_provider - 1] = CStringGetTextDatum(provider);
|
2011-07-20 19:18:24 +02:00
|
|
|
if (label != NULL)
|
|
|
|
|
values[Anum_pg_shseclabel_label - 1] = CStringGetTextDatum(label);
|
|
|
|
|
|
|
|
|
|
/* Use the index to search for a matching old tuple */
|
|
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_shseclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_shseclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_shseclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2011-07-20 19:18:24 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_shseclabel = table_open(SharedSecLabelRelationId, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 3, keys);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
oldtup = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(oldtup))
|
|
|
|
|
{
|
|
|
|
|
if (label == NULL)
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_shseclabel, &oldtup->t_self);
|
2011-07-20 19:18:24 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
replaces[Anum_pg_shseclabel_label - 1] = true;
|
|
|
|
|
newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_shseclabel),
|
|
|
|
|
values, nulls, replaces);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleUpdate(pg_shseclabel, &oldtup->t_self, newtup);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
|
|
|
|
/* If we didn't find an old tuple, insert a new one */
|
|
|
|
|
if (newtup == NULL && label != NULL)
|
|
|
|
|
{
|
|
|
|
|
newtup = heap_form_tuple(RelationGetDescr(pg_shseclabel),
|
|
|
|
|
values, nulls);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleInsert(pg_shseclabel, newtup);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (newtup != NULL)
|
|
|
|
|
heap_freetuple(newtup);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_shseclabel, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
|
2010-09-28 02:55:27 +02:00
|
|
|
/*
|
|
|
|
|
* SetSecurityLabel attempts to set the security label for the specified
|
|
|
|
|
* provider on the specified object to the given value. NULL means that any
|
2018-09-08 21:24:19 +02:00
|
|
|
* existing label should be deleted.
|
2010-09-28 02:55:27 +02:00
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
SetSecurityLabel(const ObjectAddress *object,
|
|
|
|
|
const char *provider, const char *label)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_seclabel;
|
|
|
|
|
ScanKeyData keys[4];
|
|
|
|
|
SysScanDesc scan;
|
|
|
|
|
HeapTuple oldtup;
|
|
|
|
|
HeapTuple newtup = NULL;
|
|
|
|
|
Datum values[Natts_pg_seclabel];
|
|
|
|
|
bool nulls[Natts_pg_seclabel];
|
|
|
|
|
bool replaces[Natts_pg_seclabel];
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Shared objects have their own security label catalog. */
|
|
|
|
|
if (IsSharedRelation(object->classId))
|
|
|
|
|
{
|
|
|
|
|
SetSharedSecurityLabel(object, provider, label);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
/* Prepare to form or update a tuple, if necessary. */
|
|
|
|
|
memset(nulls, false, sizeof(nulls));
|
|
|
|
|
memset(replaces, false, sizeof(replaces));
|
|
|
|
|
values[Anum_pg_seclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
|
|
|
|
|
values[Anum_pg_seclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
|
|
|
|
|
values[Anum_pg_seclabel_objsubid - 1] = Int32GetDatum(object->objectSubId);
|
2015-05-19 16:40:04 +02:00
|
|
|
values[Anum_pg_seclabel_provider - 1] = CStringGetTextDatum(provider);
|
2010-09-28 02:55:27 +02:00
|
|
|
if (label != NULL)
|
|
|
|
|
values[Anum_pg_seclabel_label - 1] = CStringGetTextDatum(label);
|
|
|
|
|
|
|
|
|
|
/* Use the index to search for a matching old tuple */
|
|
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_seclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_seclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_seclabel_objsubid,
|
|
|
|
|
BTEqualStrategyNumber, F_INT4EQ,
|
|
|
|
|
Int32GetDatum(object->objectSubId));
|
|
|
|
|
ScanKeyInit(&keys[3],
|
|
|
|
|
Anum_pg_seclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_seclabel = table_open(SecLabelRelationId, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 4, keys);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
oldtup = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(oldtup))
|
|
|
|
|
{
|
|
|
|
|
if (label == NULL)
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_seclabel, &oldtup->t_self);
|
2010-09-28 02:55:27 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
replaces[Anum_pg_seclabel_label - 1] = true;
|
|
|
|
|
newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_seclabel),
|
|
|
|
|
values, nulls, replaces);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleUpdate(pg_seclabel, &oldtup->t_self, newtup);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
|
|
|
|
/* If we didn't find an old tuple, insert a new one */
|
|
|
|
|
if (newtup == NULL && label != NULL)
|
|
|
|
|
{
|
|
|
|
|
newtup = heap_form_tuple(RelationGetDescr(pg_seclabel),
|
|
|
|
|
values, nulls);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleInsert(pg_seclabel, newtup);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Update indexes, if necessary */
|
|
|
|
|
if (newtup != NULL)
|
|
|
|
|
heap_freetuple(newtup);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_seclabel, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/*
|
|
|
|
|
* DeleteSharedSecurityLabel is a helper function of DeleteSecurityLabel
|
|
|
|
|
* to handle shared database objects.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
DeleteSharedSecurityLabel(Oid objectId, Oid classId)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_shseclabel;
|
|
|
|
|
ScanKeyData skey[2];
|
|
|
|
|
SysScanDesc scan;
|
|
|
|
|
HeapTuple oldtup;
|
|
|
|
|
|
|
|
|
|
ScanKeyInit(&skey[0],
|
|
|
|
|
Anum_pg_shseclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(objectId));
|
|
|
|
|
ScanKeyInit(&skey[1],
|
|
|
|
|
Anum_pg_shseclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(classId));
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_shseclabel = table_open(SharedSecLabelRelationId, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 2, skey);
|
2011-07-20 19:18:24 +02:00
|
|
|
while (HeapTupleIsValid(oldtup = systable_getnext(scan)))
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_shseclabel, &oldtup->t_self);
|
2011-07-20 19:18:24 +02:00
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_shseclabel, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
|
2010-09-28 02:55:27 +02:00
|
|
|
/*
|
|
|
|
|
* DeleteSecurityLabel removes all security labels for an object (and any
|
|
|
|
|
* sub-objects, if applicable).
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
DeleteSecurityLabel(const ObjectAddress *object)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_seclabel;
|
|
|
|
|
ScanKeyData skey[3];
|
|
|
|
|
SysScanDesc scan;
|
|
|
|
|
HeapTuple oldtup;
|
|
|
|
|
int nkeys;
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Shared objects have their own security label catalog. */
|
2010-09-28 02:55:27 +02:00
|
|
|
if (IsSharedRelation(object->classId))
|
2011-07-20 19:18:24 +02:00
|
|
|
{
|
|
|
|
|
Assert(object->objectSubId == 0);
|
|
|
|
|
DeleteSharedSecurityLabel(object->objectId, object->classId);
|
2010-09-28 02:55:27 +02:00
|
|
|
return;
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
ScanKeyInit(&skey[0],
|
|
|
|
|
Anum_pg_seclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&skey[1],
|
|
|
|
|
Anum_pg_seclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
if (object->objectSubId != 0)
|
|
|
|
|
{
|
|
|
|
|
ScanKeyInit(&skey[2],
|
|
|
|
|
Anum_pg_seclabel_objsubid,
|
|
|
|
|
BTEqualStrategyNumber, F_INT4EQ,
|
|
|
|
|
Int32GetDatum(object->objectSubId));
|
|
|
|
|
nkeys = 3;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
nkeys = 2;
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_seclabel = table_open(SecLabelRelationId, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, nkeys, skey);
|
2010-09-28 02:55:27 +02:00
|
|
|
while (HeapTupleIsValid(oldtup = systable_getnext(scan)))
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_seclabel, &oldtup->t_self);
|
2010-09-28 02:55:27 +02:00
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_seclabel, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
register_label_provider(const char *provider_name, check_object_relabel_type hook)
|
|
|
|
|
{
|
|
|
|
|
LabelProvider *provider;
|
|
|
|
|
MemoryContext oldcxt;
|
|
|
|
|
|
|
|
|
|
oldcxt = MemoryContextSwitchTo(TopMemoryContext);
|
|
|
|
|
provider = palloc(sizeof(LabelProvider));
|
|
|
|
|
provider->provider_name = pstrdup(provider_name);
|
|
|
|
|
provider->hook = hook;
|
|
|
|
|
label_provider_list = lappend(label_provider_list, provider);
|
|
|
|
|
MemoryContextSwitchTo(oldcxt);
|
|
|
|
|
}
|
