1996-07-09 08:22:35 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
|
|
|
|
* pg_dump.h
|
2002-05-11 00:36:27 +02:00
|
|
|
* Common header file for the pg_dump utility
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2016-01-02 19:33:40 +01:00
|
|
|
* Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
|
2000-01-26 06:58:53 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/bin/pg_dump/pg_dump.h
|
2000-09-15 06:35:16 +02:00
|
|
|
*
|
1996-07-09 08:22:35 +02:00
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
1999-10-23 05:13:33 +02:00
|
|
|
#ifndef PG_DUMP_H
|
|
|
|
|
#define PG_DUMP_H
|
|
|
|
|
|
2014-10-14 20:00:55 +02:00
|
|
|
#include "pg_backup.h"
|
2003-12-06 04:00:16 +01:00
|
|
|
|
2006-10-10 01:36:59 +02:00
|
|
|
|
2014-10-14 20:00:55 +02:00
|
|
|
#define oidcmp(x,y) ( ((x) < (y) ? -1 : ((x) > (y)) ? 1 : 0) )
|
|
|
|
|
#define oideq(x,y) ( (x) == (y) )
|
|
|
|
|
#define oidle(x,y) ( (x) <= (y) )
|
|
|
|
|
#define oidge(x,y) ( (x) >= (y) )
|
|
|
|
|
#define oidzero(x) ( (x) == 0 )
|
1999-10-23 05:13:33 +02:00
|
|
|
|
2002-05-11 00:36:27 +02:00
|
|
|
/*
|
2003-12-06 04:00:16 +01:00
|
|
|
* The data structures used to store system catalog information. Every
|
|
|
|
|
* dumpable object is a subclass of DumpableObject.
|
2002-05-11 00:36:27 +02:00
|
|
|
*
|
|
|
|
|
* NOTE: the structures described here live for the entire pg_dump run;
|
|
|
|
|
* and in most cases we make a struct for every object we can find in the
|
2014-05-06 18:12:18 +02:00
|
|
|
* catalogs, not only those we are actually going to dump. Hence, it's
|
2002-05-11 00:36:27 +02:00
|
|
|
* best to store a minimal amount of per-object info in these structs,
|
|
|
|
|
* and retrieve additional per-object info when and if we dump a specific
|
2014-05-06 18:12:18 +02:00
|
|
|
* object. In particular, try to avoid retrieving expensive-to-compute
|
2003-12-06 04:00:16 +01:00
|
|
|
* information until it's known to be needed. We do, however, have to
|
|
|
|
|
* store enough info to determine whether an object should be dumped and
|
|
|
|
|
* what order to dump in.
|
2002-05-11 00:36:27 +02:00
|
|
|
*/
|
|
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
typedef enum
|
|
|
|
|
{
|
2004-03-03 22:28:55 +01:00
|
|
|
/* When modifying this enum, update priority tables in pg_dump_sort.c! */
|
2003-12-06 04:00:16 +01:00
|
|
|
DO_NAMESPACE,
|
2011-02-08 22:08:41 +01:00
|
|
|
DO_EXTENSION,
|
2003-12-06 04:00:16 +01:00
|
|
|
DO_TYPE,
|
2006-03-02 02:18:26 +01:00
|
|
|
DO_SHELL_TYPE,
|
2003-12-06 04:00:16 +01:00
|
|
|
DO_FUNC,
|
|
|
|
|
DO_AGG,
|
|
|
|
|
DO_OPERATOR,
|
2016-03-24 03:01:35 +01:00
|
|
|
DO_ACCESS_METHOD,
|
2003-12-06 04:00:16 +01:00
|
|
|
DO_OPCLASS,
|
2007-01-23 18:54:50 +01:00
|
|
|
DO_OPFAMILY,
|
Improve pg_dump's dependency-sorting logic to enforce section dump order.
As of 9.2, with the --section option, it is very important that the concept
of "pre data", "data", and "post data" sections of the output be honored
strictly; else a dump divided into separate sectional files might be
unrestorable. However, the dependency-sorting logic knew nothing of
sections and would happily select output orderings that didn't fit that
structure. Doing so was mostly harmless before 9.2, but now we need to be
sure it doesn't do that. To fix, create dummy objects representing the
section boundaries and add dependencies between them and all the normal
objects. (This might sound expensive but it seems to only add a percent or
two to pg_dump's runtime.)
This also fixes a problem introduced in 9.1 by the feature that allows
incomplete GROUP BY lists when a primary key is given in GROUP BY.
That means that views can depend on primary key constraints. Previously,
pg_dump would deal with that by simply emitting the primary key constraint
before the view definition (and hence before the data section of the
output). That's bad enough for simple serial restores, where creating an
index before the data is loaded works, but is undesirable for speed
reasons. But it could lead to outright failure of parallel restores, as
seen in bug #6699 from Joe Van Dyk. That happened because pg_restore would
switch into parallel mode as soon as it reached the constraint, and then
very possibly would try to emit the view definition before the primary key
was committed (as a consequence of another bug that causes the view not to
be correctly marked as depending on the constraint). Adding the section
boundary constraints forces the dependency-sorting code to break the view
into separate table and rule declarations, allowing the rule, and hence the
primary key constraint it depends on, to revert to their intended location
in the post-data section. This also somewhat accidentally works around the
bogus-dependency-marking problem, because the rule will be correctly shown
as depending on the constraint, so parallel pg_restore will now do the
right thing. (We will fix the bogus-dependency problem for real in a
separate patch, but that patch is not easily back-portable to 9.1, so the
fact that this patch is enough to dodge the only known symptom is
fortunate.)
Back-patch to 9.1, except for the hunk that adds verification that the
finished archive TOC list is in correct section order; the place where
it was convenient to add that doesn't exist in 9.1.
2012-06-26 03:19:10 +02:00
|
|
|
DO_COLLATION,
|
2003-12-06 04:00:16 +01:00
|
|
|
DO_CONVERSION,
|
|
|
|
|
DO_TABLE,
|
|
|
|
|
DO_ATTRDEF,
|
|
|
|
|
DO_INDEX,
|
|
|
|
|
DO_RULE,
|
|
|
|
|
DO_TRIGGER,
|
|
|
|
|
DO_CONSTRAINT,
|
|
|
|
|
DO_FK_CONSTRAINT, /* see note for ConstraintInfo */
|
|
|
|
|
DO_PROCLANG,
|
|
|
|
|
DO_CAST,
|
2004-03-03 22:28:55 +01:00
|
|
|
DO_TABLE_DATA,
|
2009-01-18 21:44:45 +01:00
|
|
|
DO_DUMMY_TYPE,
|
2007-08-21 03:11:32 +02:00
|
|
|
DO_TSPARSER,
|
|
|
|
|
DO_TSDICT,
|
|
|
|
|
DO_TSTEMPLATE,
|
|
|
|
|
DO_TSCONFIG,
|
2008-12-19 17:25:19 +01:00
|
|
|
DO_FDW,
|
|
|
|
|
DO_FOREIGN_SERVER,
|
2009-10-05 21:24:49 +02:00
|
|
|
DO_DEFAULT_ACL,
|
2015-04-26 16:33:14 +02:00
|
|
|
DO_TRANSFORM,
|
2010-02-18 02:29:10 +01:00
|
|
|
DO_BLOB,
|
2011-02-12 14:54:13 +01:00
|
|
|
DO_BLOB_DATA,
|
Improve pg_dump's dependency-sorting logic to enforce section dump order.
As of 9.2, with the --section option, it is very important that the concept
of "pre data", "data", and "post data" sections of the output be honored
strictly; else a dump divided into separate sectional files might be
unrestorable. However, the dependency-sorting logic knew nothing of
sections and would happily select output orderings that didn't fit that
structure. Doing so was mostly harmless before 9.2, but now we need to be
sure it doesn't do that. To fix, create dummy objects representing the
section boundaries and add dependencies between them and all the normal
objects. (This might sound expensive but it seems to only add a percent or
two to pg_dump's runtime.)
This also fixes a problem introduced in 9.1 by the feature that allows
incomplete GROUP BY lists when a primary key is given in GROUP BY.
That means that views can depend on primary key constraints. Previously,
pg_dump would deal with that by simply emitting the primary key constraint
before the view definition (and hence before the data section of the
output). That's bad enough for simple serial restores, where creating an
index before the data is loaded works, but is undesirable for speed
reasons. But it could lead to outright failure of parallel restores, as
seen in bug #6699 from Joe Van Dyk. That happened because pg_restore would
switch into parallel mode as soon as it reached the constraint, and then
very possibly would try to emit the view definition before the primary key
was committed (as a consequence of another bug that causes the view not to
be correctly marked as depending on the constraint). Adding the section
boundary constraints forces the dependency-sorting code to break the view
into separate table and rule declarations, allowing the rule, and hence the
primary key constraint it depends on, to revert to their intended location
in the post-data section. This also somewhat accidentally works around the
bogus-dependency-marking problem, because the rule will be correctly shown
as depending on the constraint, so parallel pg_restore will now do the
right thing. (We will fix the bogus-dependency problem for real in a
separate patch, but that patch is not easily back-portable to 9.1, so the
fact that this patch is enough to dodge the only known symptom is
fortunate.)
Back-patch to 9.1, except for the hunk that adds verification that the
finished archive TOC list is in correct section order; the place where
it was convenient to add that doesn't exist in 9.1.
2012-06-26 03:19:10 +02:00
|
|
|
DO_PRE_DATA_BOUNDARY,
|
2012-07-18 16:16:16 +02:00
|
|
|
DO_POST_DATA_BOUNDARY,
|
2013-03-04 01:23:31 +01:00
|
|
|
DO_EVENT_TRIGGER,
|
Row-Level Security Policies (RLS)
Building on the updatable security-barrier views work, add the
ability to define policies on tables to limit the set of rows
which are returned from a query and which are allowed to be added
to a table. Expressions defined by the policy for filtering are
added to the security barrier quals of the query, while expressions
defined to check records being added to a table are added to the
with-check options of the query.
New top-level commands are CREATE/ALTER/DROP POLICY and are
controlled by the table owner. Row Security is able to be enabled
and disabled by the owner on a per-table basis using
ALTER TABLE .. ENABLE/DISABLE ROW SECURITY.
Per discussion, ROW SECURITY is disabled on tables by default and
must be enabled for policies on the table to be used. If no
policies exist on a table with ROW SECURITY enabled, a default-deny
policy is used and no records will be visible.
By default, row security is applied at all times except for the
table owner and the superuser. A new GUC, row_security, is added
which can be set to ON, OFF, or FORCE. When set to FORCE, row
security will be applied even for the table owner and superusers.
When set to OFF, row security will be disabled when allowed and an
error will be thrown if the user does not have rights to bypass row
security.
Per discussion, pg_dump sets row_security = OFF by default to ensure
that exports and backups will have all data in the table or will
error if there are insufficient privileges to bypass row security.
A new option has been added to pg_dump, --enable-row-security, to
ask pg_dump to export with row security enabled.
A new role capability, BYPASSRLS, which can only be set by the
superuser, is added to allow other users to be able to bypass row
security using row_security = OFF.
Many thanks to the various individuals who have helped with the
design, particularly Robert Haas for his feedback.
Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean
Rasheed, with additional changes and rework by me.
Reviewers have included all of the above, Greg Smith,
Jeff McCormick, and Robert Haas.
2014-09-19 17:18:35 +02:00
|
|
|
DO_REFRESH_MATVIEW,
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
DO_POLICY
|
2003-12-06 04:00:16 +01:00
|
|
|
} DumpableObjectType;
|
|
|
|
|
|
2016-04-07 03:45:32 +02:00
|
|
|
/* component types of an object which can be selected for dumping */
|
|
|
|
|
typedef uint32 DumpComponents; /* a bitmask of dump object components */
|
|
|
|
|
#define DUMP_COMPONENT_NONE (0)
|
|
|
|
|
#define DUMP_COMPONENT_DEFINITION (1 << 0)
|
|
|
|
|
#define DUMP_COMPONENT_DATA (1 << 1)
|
|
|
|
|
#define DUMP_COMPONENT_COMMENT (1 << 2)
|
|
|
|
|
#define DUMP_COMPONENT_SECLABEL (1 << 3)
|
|
|
|
|
#define DUMP_COMPONENT_ACL (1 << 4)
|
|
|
|
|
#define DUMP_COMPONENT_POLICY (1 << 5)
|
|
|
|
|
#define DUMP_COMPONENT_USERMAP (1 << 6)
|
|
|
|
|
#define DUMP_COMPONENT_ALL (0xFFFF)
|
|
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
typedef struct _dumpableObject
|
|
|
|
|
{
|
|
|
|
|
DumpableObjectType objType;
|
|
|
|
|
CatalogId catId; /* zero if not a cataloged object */
|
|
|
|
|
DumpId dumpId; /* assigned by AssignDumpId() */
|
2004-03-03 22:28:55 +01:00
|
|
|
char *name; /* object name (should never be NULL) */
|
|
|
|
|
struct _namespaceInfo *namespace; /* containing namespace, or NULL */
|
2016-04-07 03:45:32 +02:00
|
|
|
DumpComponents dump; /* bitmask of components to dump */
|
|
|
|
|
DumpComponents dump_contains; /* as above, but for contained objects */
|
2011-02-10 01:17:33 +01:00
|
|
|
bool ext_member; /* true if object is member of extension */
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpId *dependencies; /* dumpIds of objects this one depends on */
|
|
|
|
|
int nDeps; /* number of valid dependencies */
|
|
|
|
|
int allocDeps; /* allocated size of dependencies[] */
|
|
|
|
|
} DumpableObject;
|
|
|
|
|
|
2002-05-11 00:36:27 +02:00
|
|
|
typedef struct _namespaceInfo
|
|
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpableObject dobj;
|
2005-08-15 04:36:30 +02:00
|
|
|
char *rolname; /* name of owner, or empty string */
|
2002-05-11 00:36:27 +02:00
|
|
|
char *nspacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rnspacl;
|
|
|
|
|
char *initnspacl;
|
|
|
|
|
char *initrnspacl;
|
2002-05-11 00:36:27 +02:00
|
|
|
} NamespaceInfo;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2011-02-08 22:08:41 +01:00
|
|
|
typedef struct _extensionInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
2011-04-10 17:42:00 +02:00
|
|
|
char *namespace; /* schema containing extension's objects */
|
2011-02-10 01:17:33 +01:00
|
|
|
bool relocatable;
|
|
|
|
|
char *extversion;
|
2011-04-10 17:42:00 +02:00
|
|
|
char *extconfig; /* info about configuration tables */
|
|
|
|
|
char *extcondition;
|
2011-02-08 22:08:41 +01:00
|
|
|
} ExtensionInfo;
|
|
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
typedef struct _typeInfo
|
|
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpableObject dobj;
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2004-03-03 22:28:55 +01:00
|
|
|
/*
|
|
|
|
|
* Note: dobj.name is the pg_type.typname entry. format_type() might
|
|
|
|
|
* produce something different than typname
|
|
|
|
|
*/
|
2005-08-15 04:36:30 +02:00
|
|
|
char *rolname; /* name of owner, or empty string */
|
2012-12-09 06:08:23 +01:00
|
|
|
char *typacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rtypacl;
|
|
|
|
|
char *inittypacl;
|
|
|
|
|
char *initrtypacl;
|
2003-12-06 04:00:16 +01:00
|
|
|
Oid typelem;
|
|
|
|
|
Oid typrelid;
|
2002-08-15 18:36:08 +02:00
|
|
|
char typrelkind; /* 'r', 'v', 'c', etc */
|
2002-05-11 00:36:27 +02:00
|
|
|
char typtype; /* 'b', 'c', etc */
|
Support arrays of composite types, including the rowtypes of regular tables
and views (but not system catalogs, nor sequences or toast tables). Get rid
of the hardwired convention that a type's array type is named exactly "_type",
instead using a new column pg_type.typarray to provide the linkage. (It still
will be named "_type", though, except in odd corner cases such as
maximum-length type names.)
Along the way, make tracking of owner and schema dependencies for types more
uniform: a type directly created by the user has these dependencies, while a
table rowtype or auto-generated array type does not have them, but depends on
its parent object instead.
David Fetter, Andrew Dunstan, Tom Lane
2007-05-11 19:57:14 +02:00
|
|
|
bool isArray; /* true if auto-generated array type */
|
2002-05-11 00:36:27 +02:00
|
|
|
bool isDefined; /* true if typisdefined */
|
2015-08-05 01:34:12 +02:00
|
|
|
/* If needed, we'll create a "shell type" entry for it; link that here: */
|
2006-03-02 02:18:26 +01:00
|
|
|
struct _shellTypeInfo *shellType; /* shell-type entry, or NULL */
|
2003-12-06 04:00:16 +01:00
|
|
|
/* If it's a domain, we store links to its constraints here: */
|
|
|
|
|
int nDomChecks;
|
|
|
|
|
struct _constraintInfo *domChecks;
|
1997-09-08 23:56:23 +02:00
|
|
|
} TypeInfo;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2006-03-02 02:18:26 +01:00
|
|
|
typedef struct _shellTypeInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
|
|
|
|
|
TypeInfo *baseType; /* back link to associated base type */
|
|
|
|
|
} ShellTypeInfo;
|
|
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
typedef struct _funcInfo
|
|
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpableObject dobj;
|
2005-08-15 04:36:30 +02:00
|
|
|
char *rolname; /* name of owner, or empty string */
|
2001-08-10 20:57:42 +02:00
|
|
|
Oid lang;
|
1997-09-08 04:41:22 +02:00
|
|
|
int nargs;
|
2003-12-06 04:00:16 +01:00
|
|
|
Oid *argtypes;
|
|
|
|
|
Oid prorettype;
|
2002-05-19 12:08:25 +02:00
|
|
|
char *proacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rproacl;
|
|
|
|
|
char *initproacl;
|
|
|
|
|
char *initrproacl;
|
1997-09-08 23:56:23 +02:00
|
|
|
} FuncInfo;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
/* AggInfo is a superset of FuncInfo */
|
2002-05-11 00:36:27 +02:00
|
|
|
typedef struct _aggInfo
|
2000-07-04 16:25:28 +02:00
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
FuncInfo aggfn;
|
2006-07-27 21:52:07 +02:00
|
|
|
/* we don't require any other fields at the moment */
|
2002-05-11 00:36:27 +02:00
|
|
|
} AggInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _oprInfo
|
|
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpableObject dobj;
|
2005-08-15 04:36:30 +02:00
|
|
|
char *rolname;
|
2012-01-05 19:34:07 +01:00
|
|
|
char oprkind;
|
2003-12-06 04:00:16 +01:00
|
|
|
Oid oprcode;
|
2002-05-11 00:36:27 +02:00
|
|
|
} OprInfo;
|
2000-07-04 16:25:28 +02:00
|
|
|
|
2016-03-24 03:01:35 +01:00
|
|
|
typedef struct _accessMethodInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char amtype;
|
|
|
|
|
char *amhandler;
|
|
|
|
|
} AccessMethodInfo;
|
|
|
|
|
|
2002-07-30 23:56:04 +02:00
|
|
|
typedef struct _opclassInfo
|
|
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpableObject dobj;
|
2005-08-15 04:36:30 +02:00
|
|
|
char *rolname;
|
2002-07-30 23:56:04 +02:00
|
|
|
} OpclassInfo;
|
|
|
|
|
|
2007-01-23 18:54:50 +01:00
|
|
|
typedef struct _opfamilyInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *rolname;
|
2007-11-15 23:25:18 +01:00
|
|
|
} OpfamilyInfo;
|
2007-01-23 18:54:50 +01:00
|
|
|
|
2011-02-12 14:54:13 +01:00
|
|
|
typedef struct _collInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *rolname;
|
|
|
|
|
} CollInfo;
|
|
|
|
|
|
2003-11-21 23:32:49 +01:00
|
|
|
typedef struct _convInfo
|
|
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpableObject dobj;
|
2005-08-15 04:36:30 +02:00
|
|
|
char *rolname;
|
2003-11-21 23:32:49 +01:00
|
|
|
} ConvInfo;
|
|
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
typedef struct _tableInfo
|
|
|
|
|
{
|
2002-05-11 00:36:27 +02:00
|
|
|
/*
|
|
|
|
|
* These fields are collected for every table in the database.
|
|
|
|
|
*/
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpableObject dobj;
|
2005-08-15 04:36:30 +02:00
|
|
|
char *rolname; /* name of owner, or empty string */
|
1997-09-08 04:41:22 +02:00
|
|
|
char *relacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rrelacl;
|
|
|
|
|
char *initrelacl;
|
|
|
|
|
char *initrrelacl;
|
2002-01-12 00:21:55 +01:00
|
|
|
char relkind;
|
2011-04-10 17:42:00 +02:00
|
|
|
char relpersistence; /* relation persistence */
|
2013-05-29 22:58:43 +02:00
|
|
|
bool relispopulated; /* relation is populated */
|
2015-08-12 15:52:10 +02:00
|
|
|
char relreplident; /* replica identifier */
|
2004-06-18 08:14:31 +02:00
|
|
|
char *reltablespace; /* relation tablespace */
|
2006-07-02 04:23:23 +02:00
|
|
|
char *reloptions; /* options specified by WITH (...) */
|
2016-01-03 01:04:45 +01:00
|
|
|
char *checkoption; /* WITH CHECK OPTION, if any */
|
2014-03-29 22:34:00 +01:00
|
|
|
char *toast_reloptions; /* WITH options for the TOAST table */
|
2002-01-12 00:21:55 +01:00
|
|
|
bool hasindex; /* does it have any indexes? */
|
2002-05-11 00:36:27 +02:00
|
|
|
bool hasrules; /* does it have any rules? */
|
2008-11-09 22:24:33 +01:00
|
|
|
bool hastriggers; /* does it have any triggers? */
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
bool rowsec; /* is row security enabled? */
|
2015-10-05 03:05:08 +02:00
|
|
|
bool forcerowsec; /* is row security forced? */
|
2001-08-10 20:57:42 +02:00
|
|
|
bool hasoids; /* does it have OIDs? */
|
2015-12-24 16:42:58 +01:00
|
|
|
uint32 frozenxid; /* table's relfrozenxid */
|
|
|
|
|
uint32 minmxid; /* table's relminmxid */
|
|
|
|
|
Oid toast_oid; /* toast table's OID, or 0 if none */
|
|
|
|
|
uint32 toast_frozenxid; /* toast table's relfrozenxid, if any */
|
|
|
|
|
uint32 toast_minmxid; /* toast table's relminmxid */
|
2002-05-11 00:36:27 +02:00
|
|
|
int ncheck; /* # of CHECK expressions */
|
2010-01-29 00:21:13 +01:00
|
|
|
char *reloftype; /* underlying type for typed table */
|
2006-08-21 02:57:26 +02:00
|
|
|
/* these two are set only if table is a sequence owned by a column: */
|
2003-12-06 04:00:16 +01:00
|
|
|
Oid owning_tab; /* OID of table owning sequence */
|
2002-08-19 21:33:36 +02:00
|
|
|
int owning_col; /* attr # of column owning sequence */
|
2014-03-29 22:34:00 +01:00
|
|
|
int relpages; /* table's size in pages (from pg_class) */
|
2002-05-11 00:36:27 +02:00
|
|
|
|
|
|
|
|
bool interesting; /* true if need to collect more data */
|
2014-03-29 22:34:00 +01:00
|
|
|
bool postponed_def; /* matview must be postponed into post-data */
|
2002-05-11 00:36:27 +02:00
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* These fields are computed only if we decide the table is interesting
|
|
|
|
|
* (it's either a table to dump, or a direct parent of a dumpable table).
|
2002-05-11 00:36:27 +02:00
|
|
|
*/
|
1997-09-08 04:41:22 +02:00
|
|
|
int numatts; /* number of attributes */
|
|
|
|
|
char **attnames; /* the attribute names */
|
2002-05-11 00:36:27 +02:00
|
|
|
char **atttypnames; /* attribute type names */
|
|
|
|
|
int *atttypmod; /* type-specific type modifiers */
|
2002-07-31 19:19:54 +02:00
|
|
|
int *attstattarget; /* attribute statistics targets */
|
2003-08-04 02:43:34 +02:00
|
|
|
char *attstorage; /* attribute storage scheme */
|
|
|
|
|
char *typstorage; /* type storage scheme */
|
2002-08-19 21:33:36 +02:00
|
|
|
bool *attisdropped; /* true if attr is dropped; don't dump it */
|
2009-02-17 16:41:50 +01:00
|
|
|
int *attlen; /* attribute length, used by binary_upgrade */
|
|
|
|
|
char *attalign; /* attribute align, used by binary_upgrade */
|
2002-10-09 18:20:25 +02:00
|
|
|
bool *attislocal; /* true if attr has local definition */
|
2010-01-22 17:40:19 +01:00
|
|
|
char **attoptions; /* per-attribute options */
|
2011-03-10 23:30:18 +01:00
|
|
|
Oid *attcollation; /* per-attribute collation selection */
|
2011-08-05 19:24:03 +02:00
|
|
|
char **attfdwoptions; /* per-attribute fdw options */
|
2012-02-10 19:28:05 +01:00
|
|
|
bool *notnull; /* NOT NULL constraints on attributes */
|
2002-05-11 00:36:27 +02:00
|
|
|
bool *inhNotNull; /* true if NOT NULL is inherited */
|
2012-02-10 19:28:05 +01:00
|
|
|
struct _attrDefInfo **attrdefs; /* DEFAULT expressions */
|
2004-08-29 07:07:03 +02:00
|
|
|
struct _constraintInfo *checkexprs; /* CHECK constraints */
|
2002-05-11 00:36:27 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Stuff computed only for dumpable tables.
|
|
|
|
|
*/
|
|
|
|
|
int numParents; /* number of (immediate) parent tables */
|
2004-08-29 07:07:03 +02:00
|
|
|
struct _tableInfo **parents; /* TableInfos of immediate parents */
|
2009-06-11 16:49:15 +02:00
|
|
|
struct _tableDataInfo *dataObj; /* TableDataInfo, if dumping its data */
|
2016-02-04 06:26:10 +01:00
|
|
|
int numTriggers; /* number of triggers for table */
|
|
|
|
|
struct _triggerInfo *triggers; /* array of TriggerInfo structs */
|
1997-09-08 23:56:23 +02:00
|
|
|
} TableInfo;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
typedef struct _attrDefInfo
|
|
|
|
|
{
|
2012-02-10 19:28:05 +01:00
|
|
|
DumpableObject dobj; /* note: dobj.name is name of table */
|
2003-12-06 04:00:16 +01:00
|
|
|
TableInfo *adtable; /* link to table of attribute */
|
|
|
|
|
int adnum;
|
|
|
|
|
char *adef_expr; /* decompiled DEFAULT expression */
|
|
|
|
|
bool separate; /* TRUE if must dump as separate item */
|
|
|
|
|
} AttrDefInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _tableDataInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
TableInfo *tdtable; /* link to table to dump */
|
|
|
|
|
bool oids; /* include OIDs in data? */
|
2011-02-08 22:08:41 +01:00
|
|
|
char *filtercond; /* WHERE condition to limit rows dumped */
|
2003-12-06 04:00:16 +01:00
|
|
|
} TableDataInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _indxInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
TableInfo *indextable; /* link to table the index is for */
|
|
|
|
|
char *indexdef;
|
2004-08-02 06:28:29 +02:00
|
|
|
char *tablespace; /* tablespace in which index is stored */
|
2016-01-03 01:04:45 +01:00
|
|
|
char *indreloptions; /* options specified by WITH (...) */
|
2016-04-08 20:52:13 +02:00
|
|
|
int indnkeys;
|
|
|
|
|
Oid *indkeys;
|
2003-12-06 04:00:16 +01:00
|
|
|
bool indisclustered;
|
2013-11-08 18:30:43 +01:00
|
|
|
bool indisreplident;
|
2003-12-06 04:00:16 +01:00
|
|
|
/* if there is an associated constraint object, its dumpId: */
|
|
|
|
|
DumpId indexconstraint;
|
2013-03-24 16:27:20 +01:00
|
|
|
int relpages; /* relpages of the underlying table */
|
2003-12-06 04:00:16 +01:00
|
|
|
} IndxInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _ruleInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
TableInfo *ruletable; /* link to table the rule is for */
|
|
|
|
|
char ev_type;
|
|
|
|
|
bool is_instead;
|
2007-03-20 00:38:32 +01:00
|
|
|
char ev_enabled;
|
2004-12-14 23:16:32 +01:00
|
|
|
bool separate; /* TRUE if must dump as separate item */
|
2009-01-27 13:40:15 +01:00
|
|
|
/* separate is always true for non-ON SELECT rules */
|
2012-08-21 21:18:36 +02:00
|
|
|
char *reloptions; /* options specified by WITH (...) */
|
|
|
|
|
/* reloptions is only set if we need to dump the options with the rule */
|
2003-12-06 04:00:16 +01:00
|
|
|
} RuleInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _triggerInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
TableInfo *tgtable; /* link to table the trigger is for */
|
|
|
|
|
char *tgfname;
|
|
|
|
|
int tgtype;
|
|
|
|
|
int tgnargs;
|
|
|
|
|
char *tgargs;
|
|
|
|
|
bool tgisconstraint;
|
|
|
|
|
char *tgconstrname;
|
|
|
|
|
Oid tgconstrrelid;
|
|
|
|
|
char *tgconstrrelname;
|
2007-03-20 00:38:32 +01:00
|
|
|
char tgenabled;
|
2003-12-06 04:00:16 +01:00
|
|
|
bool tgdeferrable;
|
|
|
|
|
bool tginitdeferred;
|
2009-10-09 23:02:56 +02:00
|
|
|
char *tgdef;
|
2003-12-06 04:00:16 +01:00
|
|
|
} TriggerInfo;
|
|
|
|
|
|
2012-07-18 16:16:16 +02:00
|
|
|
typedef struct _evttriggerInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *evtname;
|
|
|
|
|
char *evtevent;
|
|
|
|
|
char *evtowner;
|
|
|
|
|
char *evttags;
|
|
|
|
|
char *evtfname;
|
|
|
|
|
char evtenabled;
|
|
|
|
|
} EventTriggerInfo;
|
|
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
/*
|
2014-05-06 18:12:18 +02:00
|
|
|
* struct ConstraintInfo is used for all constraint types. However we
|
2003-12-06 04:00:16 +01:00
|
|
|
* use a different objType for foreign key constraints, to make it easier
|
|
|
|
|
* to sort them the way we want.
|
2009-07-29 22:56:21 +02:00
|
|
|
*
|
|
|
|
|
* Note: condeferrable and condeferred are currently only valid for
|
2014-05-06 18:12:18 +02:00
|
|
|
* unique/primary-key constraints. Otherwise that info is in condef.
|
2003-12-06 04:00:16 +01:00
|
|
|
*/
|
|
|
|
|
typedef struct _constraintInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
TableInfo *contable; /* NULL if domain constraint */
|
|
|
|
|
TypeInfo *condomain; /* NULL if table constraint */
|
|
|
|
|
char contype;
|
|
|
|
|
char *condef; /* definition, if CHECK or FOREIGN KEY */
|
2008-09-08 17:26:23 +02:00
|
|
|
Oid confrelid; /* referenced table, if FOREIGN KEY */
|
2003-12-06 04:00:16 +01:00
|
|
|
DumpId conindex; /* identifies associated index if any */
|
2009-07-29 22:56:21 +02:00
|
|
|
bool condeferrable; /* TRUE if constraint is DEFERRABLE */
|
|
|
|
|
bool condeferred; /* TRUE if constraint is INITIALLY DEFERRED */
|
2008-05-10 01:32:05 +02:00
|
|
|
bool conislocal; /* TRUE if constraint has local definition */
|
2003-12-06 04:00:16 +01:00
|
|
|
bool separate; /* TRUE if must dump as separate item */
|
|
|
|
|
} ConstraintInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _procLangInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
bool lanpltrusted;
|
|
|
|
|
Oid lanplcallfoid;
|
2009-09-23 01:43:43 +02:00
|
|
|
Oid laninline;
|
2003-12-06 04:00:16 +01:00
|
|
|
Oid lanvalidator;
|
|
|
|
|
char *lanacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rlanacl;
|
|
|
|
|
char *initlanacl;
|
|
|
|
|
char *initrlanacl;
|
2005-12-03 22:06:18 +01:00
|
|
|
char *lanowner; /* name of owner, or empty string */
|
2003-12-06 04:00:16 +01:00
|
|
|
} ProcLangInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _castInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
Oid castsource;
|
|
|
|
|
Oid casttarget;
|
|
|
|
|
Oid castfunc;
|
|
|
|
|
char castcontext;
|
2008-10-31 09:39:22 +01:00
|
|
|
char castmethod;
|
2003-12-06 04:00:16 +01:00
|
|
|
} CastInfo;
|
|
|
|
|
|
2015-04-26 16:33:14 +02:00
|
|
|
typedef struct _transformInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
Oid trftype;
|
|
|
|
|
Oid trflang;
|
|
|
|
|
Oid trffromsql;
|
|
|
|
|
Oid trftosql;
|
|
|
|
|
} TransformInfo;
|
|
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
/* InhInfo isn't a DumpableObject, just temporary state */
|
1997-09-07 07:04:48 +02:00
|
|
|
typedef struct _inhInfo
|
|
|
|
|
{
|
2003-12-06 04:00:16 +01:00
|
|
|
Oid inhrelid; /* OID of a child table */
|
|
|
|
|
Oid inhparent; /* OID of its parent */
|
1997-09-08 23:56:23 +02:00
|
|
|
} InhInfo;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2007-08-21 03:11:32 +02:00
|
|
|
typedef struct _prsInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
Oid prsstart;
|
|
|
|
|
Oid prstoken;
|
|
|
|
|
Oid prsend;
|
|
|
|
|
Oid prsheadline;
|
|
|
|
|
Oid prslextype;
|
2007-11-15 23:25:18 +01:00
|
|
|
} TSParserInfo;
|
2007-08-21 03:11:32 +02:00
|
|
|
|
|
|
|
|
typedef struct _dictInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *rolname;
|
|
|
|
|
Oid dicttemplate;
|
2007-11-15 22:14:46 +01:00
|
|
|
char *dictinitoption;
|
2007-11-15 23:25:18 +01:00
|
|
|
} TSDictInfo;
|
2007-08-21 03:11:32 +02:00
|
|
|
|
|
|
|
|
typedef struct _tmplInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
Oid tmplinit;
|
|
|
|
|
Oid tmpllexize;
|
2007-11-15 23:25:18 +01:00
|
|
|
} TSTemplateInfo;
|
2007-08-21 03:11:32 +02:00
|
|
|
|
|
|
|
|
typedef struct _cfgInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *rolname;
|
|
|
|
|
Oid cfgparser;
|
2007-11-15 23:25:18 +01:00
|
|
|
} TSConfigInfo;
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2008-12-19 17:25:19 +01:00
|
|
|
typedef struct _fdwInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *rolname;
|
2011-02-19 06:06:18 +01:00
|
|
|
char *fdwhandler;
|
2009-02-24 11:06:36 +01:00
|
|
|
char *fdwvalidator;
|
2008-12-19 17:25:19 +01:00
|
|
|
char *fdwoptions;
|
|
|
|
|
char *fdwacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rfdwacl;
|
|
|
|
|
char *initfdwacl;
|
|
|
|
|
char *initrfdwacl;
|
2008-12-19 17:25:19 +01:00
|
|
|
} FdwInfo;
|
|
|
|
|
|
|
|
|
|
typedef struct _foreignServerInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *rolname;
|
|
|
|
|
Oid srvfdw;
|
|
|
|
|
char *srvtype;
|
|
|
|
|
char *srvversion;
|
|
|
|
|
char *srvacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rsrvacl;
|
|
|
|
|
char *initsrvacl;
|
|
|
|
|
char *initrsrvacl;
|
2008-12-19 17:25:19 +01:00
|
|
|
char *srvoptions;
|
|
|
|
|
} ForeignServerInfo;
|
|
|
|
|
|
2009-10-05 21:24:49 +02:00
|
|
|
typedef struct _defaultACLInfo
|
|
|
|
|
{
|
|
|
|
|
DumpableObject dobj;
|
|
|
|
|
char *defaclrole;
|
2010-02-26 03:01:40 +01:00
|
|
|
char defaclobjtype;
|
2009-10-05 21:24:49 +02:00
|
|
|
char *defaclacl;
|
|
|
|
|
} DefaultACLInfo;
|
|
|
|
|
|
2010-02-18 02:29:10 +01:00
|
|
|
typedef struct _blobInfo
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
DumpableObject dobj;
|
2010-02-18 02:29:10 +01:00
|
|
|
char *rolname;
|
|
|
|
|
char *blobacl;
|
2016-04-07 03:45:32 +02:00
|
|
|
char *rblobacl;
|
|
|
|
|
char *initblobacl;
|
|
|
|
|
char *initrblobacl;
|
2010-02-18 02:29:10 +01:00
|
|
|
} BlobInfo;
|
|
|
|
|
|
Row-Level Security Policies (RLS)
Building on the updatable security-barrier views work, add the
ability to define policies on tables to limit the set of rows
which are returned from a query and which are allowed to be added
to a table. Expressions defined by the policy for filtering are
added to the security barrier quals of the query, while expressions
defined to check records being added to a table are added to the
with-check options of the query.
New top-level commands are CREATE/ALTER/DROP POLICY and are
controlled by the table owner. Row Security is able to be enabled
and disabled by the owner on a per-table basis using
ALTER TABLE .. ENABLE/DISABLE ROW SECURITY.
Per discussion, ROW SECURITY is disabled on tables by default and
must be enabled for policies on the table to be used. If no
policies exist on a table with ROW SECURITY enabled, a default-deny
policy is used and no records will be visible.
By default, row security is applied at all times except for the
table owner and the superuser. A new GUC, row_security, is added
which can be set to ON, OFF, or FORCE. When set to FORCE, row
security will be applied even for the table owner and superusers.
When set to OFF, row security will be disabled when allowed and an
error will be thrown if the user does not have rights to bypass row
security.
Per discussion, pg_dump sets row_security = OFF by default to ensure
that exports and backups will have all data in the table or will
error if there are insufficient privileges to bypass row security.
A new option has been added to pg_dump, --enable-row-security, to
ask pg_dump to export with row security enabled.
A new role capability, BYPASSRLS, which can only be set by the
superuser, is added to allow other users to be able to bypass row
security using row_security = OFF.
Many thanks to the various individuals who have helped with the
design, particularly Robert Haas for his feedback.
Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean
Rasheed, with additional changes and rework by me.
Reviewers have included all of the above, Greg Smith,
Jeff McCormick, and Robert Haas.
2014-09-19 17:18:35 +02:00
|
|
|
/*
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
* The PolicyInfo struct is used to represent policies on a table and
|
Row-Level Security Policies (RLS)
Building on the updatable security-barrier views work, add the
ability to define policies on tables to limit the set of rows
which are returned from a query and which are allowed to be added
to a table. Expressions defined by the policy for filtering are
added to the security barrier quals of the query, while expressions
defined to check records being added to a table are added to the
with-check options of the query.
New top-level commands are CREATE/ALTER/DROP POLICY and are
controlled by the table owner. Row Security is able to be enabled
and disabled by the owner on a per-table basis using
ALTER TABLE .. ENABLE/DISABLE ROW SECURITY.
Per discussion, ROW SECURITY is disabled on tables by default and
must be enabled for policies on the table to be used. If no
policies exist on a table with ROW SECURITY enabled, a default-deny
policy is used and no records will be visible.
By default, row security is applied at all times except for the
table owner and the superuser. A new GUC, row_security, is added
which can be set to ON, OFF, or FORCE. When set to FORCE, row
security will be applied even for the table owner and superusers.
When set to OFF, row security will be disabled when allowed and an
error will be thrown if the user does not have rights to bypass row
security.
Per discussion, pg_dump sets row_security = OFF by default to ensure
that exports and backups will have all data in the table or will
error if there are insufficient privileges to bypass row security.
A new option has been added to pg_dump, --enable-row-security, to
ask pg_dump to export with row security enabled.
A new role capability, BYPASSRLS, which can only be set by the
superuser, is added to allow other users to be able to bypass row
security using row_security = OFF.
Many thanks to the various individuals who have helped with the
design, particularly Robert Haas for his feedback.
Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean
Rasheed, with additional changes and rework by me.
Reviewers have included all of the above, Greg Smith,
Jeff McCormick, and Robert Haas.
2014-09-19 17:18:35 +02:00
|
|
|
* to indicate if a table has RLS enabled (ENABLE ROW SECURITY). If
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
* polname is NULL, then the record indicates ENABLE ROW SECURITY, while if
|
Row-Level Security Policies (RLS)
Building on the updatable security-barrier views work, add the
ability to define policies on tables to limit the set of rows
which are returned from a query and which are allowed to be added
to a table. Expressions defined by the policy for filtering are
added to the security barrier quals of the query, while expressions
defined to check records being added to a table are added to the
with-check options of the query.
New top-level commands are CREATE/ALTER/DROP POLICY and are
controlled by the table owner. Row Security is able to be enabled
and disabled by the owner on a per-table basis using
ALTER TABLE .. ENABLE/DISABLE ROW SECURITY.
Per discussion, ROW SECURITY is disabled on tables by default and
must be enabled for policies on the table to be used. If no
policies exist on a table with ROW SECURITY enabled, a default-deny
policy is used and no records will be visible.
By default, row security is applied at all times except for the
table owner and the superuser. A new GUC, row_security, is added
which can be set to ON, OFF, or FORCE. When set to FORCE, row
security will be applied even for the table owner and superusers.
When set to OFF, row security will be disabled when allowed and an
error will be thrown if the user does not have rights to bypass row
security.
Per discussion, pg_dump sets row_security = OFF by default to ensure
that exports and backups will have all data in the table or will
error if there are insufficient privileges to bypass row security.
A new option has been added to pg_dump, --enable-row-security, to
ask pg_dump to export with row security enabled.
A new role capability, BYPASSRLS, which can only be set by the
superuser, is added to allow other users to be able to bypass row
security using row_security = OFF.
Many thanks to the various individuals who have helped with the
design, particularly Robert Haas for his feedback.
Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean
Rasheed, with additional changes and rework by me.
Reviewers have included all of the above, Greg Smith,
Jeff McCormick, and Robert Haas.
2014-09-19 17:18:35 +02:00
|
|
|
* it's non-NULL then this is a regular policy definition.
|
|
|
|
|
*/
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
typedef struct _policyInfo
|
Row-Level Security Policies (RLS)
Building on the updatable security-barrier views work, add the
ability to define policies on tables to limit the set of rows
which are returned from a query and which are allowed to be added
to a table. Expressions defined by the policy for filtering are
added to the security barrier quals of the query, while expressions
defined to check records being added to a table are added to the
with-check options of the query.
New top-level commands are CREATE/ALTER/DROP POLICY and are
controlled by the table owner. Row Security is able to be enabled
and disabled by the owner on a per-table basis using
ALTER TABLE .. ENABLE/DISABLE ROW SECURITY.
Per discussion, ROW SECURITY is disabled on tables by default and
must be enabled for policies on the table to be used. If no
policies exist on a table with ROW SECURITY enabled, a default-deny
policy is used and no records will be visible.
By default, row security is applied at all times except for the
table owner and the superuser. A new GUC, row_security, is added
which can be set to ON, OFF, or FORCE. When set to FORCE, row
security will be applied even for the table owner and superusers.
When set to OFF, row security will be disabled when allowed and an
error will be thrown if the user does not have rights to bypass row
security.
Per discussion, pg_dump sets row_security = OFF by default to ensure
that exports and backups will have all data in the table or will
error if there are insufficient privileges to bypass row security.
A new option has been added to pg_dump, --enable-row-security, to
ask pg_dump to export with row security enabled.
A new role capability, BYPASSRLS, which can only be set by the
superuser, is added to allow other users to be able to bypass row
security using row_security = OFF.
Many thanks to the various individuals who have helped with the
design, particularly Robert Haas for his feedback.
Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean
Rasheed, with additional changes and rework by me.
Reviewers have included all of the above, Greg Smith,
Jeff McCormick, and Robert Haas.
2014-09-19 17:18:35 +02:00
|
|
|
{
|
2014-10-17 18:19:05 +02:00
|
|
|
DumpableObject dobj;
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
TableInfo *poltable;
|
2015-05-24 03:35:49 +02:00
|
|
|
char *polname; /* null indicates RLS is enabled on rel */
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
char *polcmd;
|
|
|
|
|
char *polroles;
|
|
|
|
|
char *polqual;
|
|
|
|
|
char *polwithcheck;
|
|
|
|
|
} PolicyInfo;
|
Row-Level Security Policies (RLS)
Building on the updatable security-barrier views work, add the
ability to define policies on tables to limit the set of rows
which are returned from a query and which are allowed to be added
to a table. Expressions defined by the policy for filtering are
added to the security barrier quals of the query, while expressions
defined to check records being added to a table are added to the
with-check options of the query.
New top-level commands are CREATE/ALTER/DROP POLICY and are
controlled by the table owner. Row Security is able to be enabled
and disabled by the owner on a per-table basis using
ALTER TABLE .. ENABLE/DISABLE ROW SECURITY.
Per discussion, ROW SECURITY is disabled on tables by default and
must be enabled for policies on the table to be used. If no
policies exist on a table with ROW SECURITY enabled, a default-deny
policy is used and no records will be visible.
By default, row security is applied at all times except for the
table owner and the superuser. A new GUC, row_security, is added
which can be set to ON, OFF, or FORCE. When set to FORCE, row
security will be applied even for the table owner and superusers.
When set to OFF, row security will be disabled when allowed and an
error will be thrown if the user does not have rights to bypass row
security.
Per discussion, pg_dump sets row_security = OFF by default to ensure
that exports and backups will have all data in the table or will
error if there are insufficient privileges to bypass row security.
A new option has been added to pg_dump, --enable-row-security, to
ask pg_dump to export with row security enabled.
A new role capability, BYPASSRLS, which can only be set by the
superuser, is added to allow other users to be able to bypass row
security using row_security = OFF.
Many thanks to the various individuals who have helped with the
design, particularly Robert Haas for his feedback.
Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean
Rasheed, with additional changes and rework by me.
Reviewers have included all of the above, Greg Smith,
Jeff McCormick, and Robert Haas.
2014-09-19 17:18:35 +02:00
|
|
|
|
Handle extension members when first setting object dump flags in pg_dump.
pg_dump's original approach to handling extension member objects was to
run around and clear (or set) their dump flags rather late in its data
collection process. Unfortunately, quite a lot of code expects those flags
to be valid before that; which was an entirely reasonable expectation
before we added extensions. In particular, this explains Karsten Hilbert's
recent report of pg_upgrade failing on a database in which an extension
has been installed into the pg_catalog schema. Its objects are initially
marked as not-to-be-dumped on the strength of their schema, and later we
change them to must-dump because we're doing a binary upgrade of their
extension; but we've already skipped essential tasks like making associated
DO_SHELL_TYPE objects.
To fix, collect extension membership data first, and incorporate it in the
initial setting of the dump flags, so that those are once again correct
from the get-go. This has the undesirable side effect of slightly
lengthening the time taken before pg_dump acquires table locks, but testing
suggests that the increase in that window is not very much.
Along the way, get rid of ugly special-case logic for deciding whether
to dump procedural languages, FDWs, and foreign servers; dump decisions
for those are now correct up-front, too.
In 9.3 and up, this also fixes erroneous logic about when to dump event
triggers (basically, they were *always* dumped before). In 9.5 and up,
transform objects had that problem too.
Since this problem came in with extensions, back-patch to all supported
versions.
2016-01-14 00:55:27 +01:00
|
|
|
/*
|
|
|
|
|
* We build an array of these with an entry for each object that is an
|
|
|
|
|
* extension member according to pg_depend.
|
|
|
|
|
*/
|
|
|
|
|
typedef struct _extensionMemberId
|
|
|
|
|
{
|
|
|
|
|
CatalogId catId; /* tableoid+oid of some member object */
|
|
|
|
|
ExtensionInfo *ext; /* owning extension */
|
|
|
|
|
} ExtensionMemberId;
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/* global decls */
|
2001-08-22 22:23:24 +02:00
|
|
|
extern bool force_quotes; /* double-quotes for identifiers flag */
|
1997-09-08 04:41:22 +02:00
|
|
|
extern bool g_verbose; /* verbose flag */
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/* placeholders for comment starting and ending delimiters */
|
1997-09-08 04:41:22 +02:00
|
|
|
extern char g_comment_start[10];
|
|
|
|
|
extern char g_comment_end[10];
|
1996-07-09 08:22:35 +02:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
extern char g_opaque_type[10]; /* name for the opaque type */
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
1997-09-07 07:04:48 +02:00
|
|
|
* common utility functions
|
2002-05-11 00:36:27 +02:00
|
|
|
*/
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2016-01-13 23:48:33 +01:00
|
|
|
extern TableInfo *getSchemaData(Archive *fout, int *numTablesPtr);
|
2000-09-15 06:35:16 +02:00
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
extern void AssignDumpId(DumpableObject *dobj);
|
|
|
|
|
extern DumpId createDumpId(void);
|
|
|
|
|
extern DumpId getMaxDumpId(void);
|
|
|
|
|
extern DumpableObject *findObjectByDumpId(DumpId dumpId);
|
|
|
|
|
extern DumpableObject *findObjectByCatalogId(CatalogId catalogId);
|
|
|
|
|
extern void getDumpableObjects(DumpableObject ***objs, int *numObjs);
|
|
|
|
|
|
|
|
|
|
extern void addObjectDependency(DumpableObject *dobj, DumpId refId);
|
|
|
|
|
extern void removeObjectDependency(DumpableObject *dobj, DumpId refId);
|
|
|
|
|
|
|
|
|
|
extern TableInfo *findTableByOid(Oid oid);
|
|
|
|
|
extern TypeInfo *findTypeByOid(Oid oid);
|
|
|
|
|
extern FuncInfo *findFuncByOid(Oid oid);
|
|
|
|
|
extern OprInfo *findOprByOid(Oid oid);
|
2011-03-10 23:30:18 +01:00
|
|
|
extern CollInfo *findCollationByOid(Oid oid);
|
2012-05-25 20:35:37 +02:00
|
|
|
extern NamespaceInfo *findNamespaceByOid(Oid oid);
|
Handle extension members when first setting object dump flags in pg_dump.
pg_dump's original approach to handling extension member objects was to
run around and clear (or set) their dump flags rather late in its data
collection process. Unfortunately, quite a lot of code expects those flags
to be valid before that; which was an entirely reasonable expectation
before we added extensions. In particular, this explains Karsten Hilbert's
recent report of pg_upgrade failing on a database in which an extension
has been installed into the pg_catalog schema. Its objects are initially
marked as not-to-be-dumped on the strength of their schema, and later we
change them to must-dump because we're doing a binary upgrade of their
extension; but we've already skipped essential tasks like making associated
DO_SHELL_TYPE objects.
To fix, collect extension membership data first, and incorporate it in the
initial setting of the dump flags, so that those are once again correct
from the get-go. This has the undesirable side effect of slightly
lengthening the time taken before pg_dump acquires table locks, but testing
suggests that the increase in that window is not very much.
Along the way, get rid of ugly special-case logic for deciding whether
to dump procedural languages, FDWs, and foreign servers; dump decisions
for those are now correct up-front, too.
In 9.3 and up, this also fixes erroneous logic about when to dump event
triggers (basically, they were *always* dumped before). In 9.5 and up,
transform objects had that problem too.
Since this problem came in with extensions, back-patch to all supported
versions.
2016-01-14 00:55:27 +01:00
|
|
|
extern ExtensionInfo *findExtensionByOid(Oid oid);
|
|
|
|
|
|
|
|
|
|
extern void setExtensionMembership(ExtensionMemberId *extmems, int nextmems);
|
|
|
|
|
extern ExtensionInfo *findOwningExtension(CatalogId catalogId);
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2003-12-06 04:00:16 +01:00
|
|
|
extern void parseOidArray(const char *str, Oid *array, int arraysize);
|
|
|
|
|
|
Improve pg_dump's dependency-sorting logic to enforce section dump order.
As of 9.2, with the --section option, it is very important that the concept
of "pre data", "data", and "post data" sections of the output be honored
strictly; else a dump divided into separate sectional files might be
unrestorable. However, the dependency-sorting logic knew nothing of
sections and would happily select output orderings that didn't fit that
structure. Doing so was mostly harmless before 9.2, but now we need to be
sure it doesn't do that. To fix, create dummy objects representing the
section boundaries and add dependencies between them and all the normal
objects. (This might sound expensive but it seems to only add a percent or
two to pg_dump's runtime.)
This also fixes a problem introduced in 9.1 by the feature that allows
incomplete GROUP BY lists when a primary key is given in GROUP BY.
That means that views can depend on primary key constraints. Previously,
pg_dump would deal with that by simply emitting the primary key constraint
before the view definition (and hence before the data section of the
output). That's bad enough for simple serial restores, where creating an
index before the data is loaded works, but is undesirable for speed
reasons. But it could lead to outright failure of parallel restores, as
seen in bug #6699 from Joe Van Dyk. That happened because pg_restore would
switch into parallel mode as soon as it reached the constraint, and then
very possibly would try to emit the view definition before the primary key
was committed (as a consequence of another bug that causes the view not to
be correctly marked as depending on the constraint). Adding the section
boundary constraints forces the dependency-sorting code to break the view
into separate table and rule declarations, allowing the rule, and hence the
primary key constraint it depends on, to revert to their intended location
in the post-data section. This also somewhat accidentally works around the
bogus-dependency-marking problem, because the rule will be correctly shown
as depending on the constraint, so parallel pg_restore will now do the
right thing. (We will fix the bogus-dependency problem for real in a
separate patch, but that patch is not easily back-portable to 9.1, so the
fact that this patch is enough to dodge the only known symptom is
fortunate.)
Back-patch to 9.1, except for the hunk that adds verification that the
finished archive TOC list is in correct section order; the place where
it was convenient to add that doesn't exist in 9.1.
2012-06-26 03:19:10 +02:00
|
|
|
extern void sortDumpableObjects(DumpableObject **objs, int numObjs,
|
|
|
|
|
DumpId preBoundaryId, DumpId postBoundaryId);
|
2004-03-03 22:28:55 +01:00
|
|
|
extern void sortDumpableObjectsByTypeName(DumpableObject **objs, int numObjs);
|
|
|
|
|
extern void sortDumpableObjectsByTypeOid(DumpableObject **objs, int numObjs);
|
2013-03-24 16:27:20 +01:00
|
|
|
extern void sortDataAndIndexObjectsBySize(DumpableObject **objs, int numObjs);
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
1997-09-07 07:04:48 +02:00
|
|
|
* version specific routines
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
2012-02-06 20:07:55 +01:00
|
|
|
extern NamespaceInfo *getNamespaces(Archive *fout, int *numNamespaces);
|
2016-01-13 23:48:33 +01:00
|
|
|
extern ExtensionInfo *getExtensions(Archive *fout, int *numExtensions);
|
2012-02-06 20:07:55 +01:00
|
|
|
extern TypeInfo *getTypes(Archive *fout, int *numTypes);
|
2016-01-13 23:48:33 +01:00
|
|
|
extern FuncInfo *getFuncs(Archive *fout, int *numFuncs);
|
|
|
|
|
extern AggInfo *getAggregates(Archive *fout, int *numAggregates);
|
2012-02-06 20:07:55 +01:00
|
|
|
extern OprInfo *getOperators(Archive *fout, int *numOperators);
|
2016-03-24 03:01:35 +01:00
|
|
|
extern AccessMethodInfo *getAccessMethods(Archive *fout, int *numAccessMethods);
|
2012-02-06 20:07:55 +01:00
|
|
|
extern OpclassInfo *getOpclasses(Archive *fout, int *numOpclasses);
|
|
|
|
|
extern OpfamilyInfo *getOpfamilies(Archive *fout, int *numOpfamilies);
|
|
|
|
|
extern CollInfo *getCollations(Archive *fout, int *numCollations);
|
|
|
|
|
extern ConvInfo *getConversions(Archive *fout, int *numConversions);
|
2016-01-13 23:48:33 +01:00
|
|
|
extern TableInfo *getTables(Archive *fout, int *numTables);
|
2012-03-31 20:42:17 +02:00
|
|
|
extern void getOwnedSeqs(Archive *fout, TableInfo tblinfo[], int numTables);
|
2012-02-06 20:07:55 +01:00
|
|
|
extern InhInfo *getInherits(Archive *fout, int *numInherits);
|
|
|
|
|
extern void getIndexes(Archive *fout, TableInfo tblinfo[], int numTables);
|
|
|
|
|
extern void getConstraints(Archive *fout, TableInfo tblinfo[], int numTables);
|
|
|
|
|
extern RuleInfo *getRules(Archive *fout, int *numRules);
|
|
|
|
|
extern void getTriggers(Archive *fout, TableInfo tblinfo[], int numTables);
|
|
|
|
|
extern ProcLangInfo *getProcLangs(Archive *fout, int *numProcLangs);
|
2016-01-13 23:48:33 +01:00
|
|
|
extern CastInfo *getCasts(Archive *fout, int *numCasts);
|
2015-04-26 16:33:14 +02:00
|
|
|
extern TransformInfo *getTransforms(Archive *fout, int *numTransforms);
|
2016-01-13 23:48:33 +01:00
|
|
|
extern void getTableAttrs(Archive *fout, TableInfo *tbinfo, int numTables);
|
2014-10-14 20:00:55 +02:00
|
|
|
extern bool shouldPrintColumn(DumpOptions *dopt, TableInfo *tbinfo, int colno);
|
2012-02-06 20:07:55 +01:00
|
|
|
extern TSParserInfo *getTSParsers(Archive *fout, int *numTSParsers);
|
|
|
|
|
extern TSDictInfo *getTSDictionaries(Archive *fout, int *numTSDicts);
|
|
|
|
|
extern TSTemplateInfo *getTSTemplates(Archive *fout, int *numTSTemplates);
|
|
|
|
|
extern TSConfigInfo *getTSConfigurations(Archive *fout, int *numTSConfigs);
|
|
|
|
|
extern FdwInfo *getForeignDataWrappers(Archive *fout,
|
|
|
|
|
int *numForeignDataWrappers);
|
|
|
|
|
extern ForeignServerInfo *getForeignServers(Archive *fout,
|
|
|
|
|
int *numForeignServers);
|
2016-01-13 23:48:33 +01:00
|
|
|
extern DefaultACLInfo *getDefaultACLs(Archive *fout, int *numDefaultACLs);
|
|
|
|
|
extern void getExtensionMembership(Archive *fout, ExtensionInfo extinfo[],
|
2012-02-06 20:07:55 +01:00
|
|
|
int numExtensions);
|
Handle extension members when first setting object dump flags in pg_dump.
pg_dump's original approach to handling extension member objects was to
run around and clear (or set) their dump flags rather late in its data
collection process. Unfortunately, quite a lot of code expects those flags
to be valid before that; which was an entirely reasonable expectation
before we added extensions. In particular, this explains Karsten Hilbert's
recent report of pg_upgrade failing on a database in which an extension
has been installed into the pg_catalog schema. Its objects are initially
marked as not-to-be-dumped on the strength of their schema, and later we
change them to must-dump because we're doing a binary upgrade of their
extension; but we've already skipped essential tasks like making associated
DO_SHELL_TYPE objects.
To fix, collect extension membership data first, and incorporate it in the
initial setting of the dump flags, so that those are once again correct
from the get-go. This has the undesirable side effect of slightly
lengthening the time taken before pg_dump acquires table locks, but testing
suggests that the increase in that window is not very much.
Along the way, get rid of ugly special-case logic for deciding whether
to dump procedural languages, FDWs, and foreign servers; dump decisions
for those are now correct up-front, too.
In 9.3 and up, this also fixes erroneous logic about when to dump event
triggers (basically, they were *always* dumped before). In 9.5 and up,
transform objects had that problem too.
Since this problem came in with extensions, back-patch to all supported
versions.
2016-01-14 00:55:27 +01:00
|
|
|
extern void processExtensionTables(Archive *fout, ExtensionInfo extinfo[],
|
|
|
|
|
int numExtensions);
|
2012-07-18 16:16:16 +02:00
|
|
|
extern EventTriggerInfo *getEventTriggers(Archive *fout, int *numEventTriggers);
|
Rename pg_rowsecurity -> pg_policy and other fixes
As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies. This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.
The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.
Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places. This patch fixes that too, which also happens to add the
ability to COMMENT on policies.
In passing, attempt to improve the consistency of messages, comments,
and documentation as well. This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.
Happy Thanksgiving!
2014-11-27 07:06:36 +01:00
|
|
|
extern void getPolicies(Archive *fout, TableInfo tblinfo[], int numTables);
|
2001-10-28 07:26:15 +01:00
|
|
|
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* PG_DUMP_H */
|
