2002-04-15 07:22:04 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
*
|
|
|
|
* schemacmds.c
|
2002-07-18 18:47:26 +02:00
|
|
|
* schema creation/manipulation commands
|
2002-04-15 07:22:04 +02:00
|
|
|
*
|
2016-01-02 19:33:40 +01:00
|
|
|
* Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
|
2002-04-15 07:22:04 +02:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* IDENTIFICATION
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/backend/commands/schemacmds.c
|
2002-04-15 07:22:04 +02:00
|
|
|
*
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
*/
|
|
|
|
#include "postgres.h"
|
|
|
|
|
2012-08-30 22:15:44 +02:00
|
|
|
#include "access/htup_details.h"
|
2012-09-20 16:03:04 +02:00
|
|
|
#include "access/heapam.h"
|
2006-07-13 18:49:20 +02:00
|
|
|
#include "access/xact.h"
|
2002-04-15 07:22:04 +02:00
|
|
|
#include "catalog/catalog.h"
|
2002-07-18 18:47:26 +02:00
|
|
|
#include "catalog/dependency.h"
|
2003-06-27 16:45:32 +02:00
|
|
|
#include "catalog/indexing.h"
|
2002-05-17 22:53:33 +02:00
|
|
|
#include "catalog/namespace.h"
|
Allow CURRENT/SESSION_USER to be used in certain commands
Commands such as ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and the
various ALTER OBJECT / OWNER TO, as well as ad-hoc clauses related to
roles such as the AUTHORIZATION clause of CREATE SCHEMA, the FOR clause
of CREATE USER MAPPING, and the FOR ROLE clause of ALTER DEFAULT
PRIVILEGES can now take the keywords CURRENT_USER and SESSION_USER as
user specifiers in place of an explicit user name.
This commit also fixes some quite ugly handling of special standards-
mandated syntax in CREATE USER MAPPING, which in particular would fail
to work in presence of a role named "current_user".
The special role specifiers PUBLIC and NONE also have more consistent
handling now.
Also take the opportunity to add location tracking to user specifiers.
Authors: Kyotaro Horiguchi. Heavily reworked by Álvaro Herrera.
Reviewed by: Rushabh Lathia, Adam Brightwell, Marti Raudsepp.
2015-03-09 19:41:54 +01:00
|
|
|
#include "catalog/pg_authid.h"
|
2013-03-18 03:55:14 +01:00
|
|
|
#include "catalog/objectaccess.h"
|
2002-04-15 07:22:04 +02:00
|
|
|
#include "catalog/pg_namespace.h"
|
2003-06-27 16:45:32 +02:00
|
|
|
#include "commands/dbcommands.h"
|
Allow on-the-fly capture of DDL event details
This feature lets user code inspect and take action on DDL events.
Whenever a ddl_command_end event trigger is installed, DDL actions
executed are saved to a list which can be inspected during execution of
a function attached to ddl_command_end.
The set-returning function pg_event_trigger_ddl_commands can be used to
list actions so captured; it returns data about the type of command
executed, as well as the affected object. This is sufficient for many
uses of this feature. For the cases where it is not, we also provide a
"command" column of a new pseudo-type pg_ddl_command, which is a
pointer to a C structure that can be accessed by C code. The struct
contains all the info necessary to completely inspect and even
reconstruct the executed command.
There is no actual deparse code here; that's expected to come later.
What we have is enough infrastructure that the deparsing can be done in
an external extension. The intention is that we will add some deparsing
code in a later release, as an in-core extension.
A new test module is included. It's probably insufficient as is, but it
should be sufficient as a starting point for a more complete and
future-proof approach.
Authors: Álvaro Herrera, with some help from Andres Freund, Ian Barwick,
Abhijit Menon-Sen.
Reviews by Andres Freund, Robert Haas, Amit Kapila, Michael Paquier,
Craig Ringer, David Steele.
Additional input from Chris Browne, Dimitri Fontaine, Stephen Frost,
Petr Jelínek, Tom Lane, Jim Nasby, Steven Singer, Pavel Stěhule.
Based on original work by Dimitri Fontaine, though I didn't use his
code.
Discussion:
https://www.postgresql.org/message-id/m2txrsdzxa.fsf@2ndQuadrant.fr
https://www.postgresql.org/message-id/20131108153322.GU5809@eldon.alvh.no-ip.org
https://www.postgresql.org/message-id/20150215044814.GL3391@alvh.no-ip.org
2015-05-12 00:14:31 +02:00
|
|
|
#include "commands/event_trigger.h"
|
2002-04-15 07:22:04 +02:00
|
|
|
#include "commands/schemacmds.h"
|
|
|
|
#include "miscadmin.h"
|
2007-06-24 00:12:52 +02:00
|
|
|
#include "parser/parse_utilcmd.h"
|
2002-04-15 07:22:04 +02:00
|
|
|
#include "tcop/utility.h"
|
2002-04-27 05:45:03 +02:00
|
|
|
#include "utils/acl.h"
|
2003-06-27 19:07:03 +02:00
|
|
|
#include "utils/builtins.h"
|
2011-02-23 18:18:09 +01:00
|
|
|
#include "utils/rel.h"
|
2002-07-18 18:47:26 +02:00
|
|
|
#include "utils/syscache.h"
|
2002-04-15 07:22:04 +02:00
|
|
|
|
|
|
|
|
2005-11-21 13:49:33 +01:00
|
|
|
static void AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId);
|
|
|
|
|
2002-04-15 07:22:04 +02:00
|
|
|
/*
|
|
|
|
* CREATE SCHEMA
|
|
|
|
*/
|
2012-12-24 00:25:03 +01:00
|
|
|
Oid
|
2007-03-13 01:33:44 +01:00
|
|
|
CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
|
2002-04-15 07:22:04 +02:00
|
|
|
{
|
2015-05-24 03:35:49 +02:00
|
|
|
const char *schemaName = stmt->schemaname;
|
2002-05-17 22:53:33 +02:00
|
|
|
Oid namespaceId;
|
2007-03-23 20:53:52 +01:00
|
|
|
OverrideSearchPath *overridePath;
|
2002-04-15 07:22:04 +02:00
|
|
|
List *parsetree_list;
|
2004-05-26 06:41:50 +02:00
|
|
|
ListCell *parsetree_item;
|
2005-10-15 04:49:52 +02:00
|
|
|
Oid owner_uid;
|
|
|
|
Oid saved_uid;
|
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function. It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user. However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.
The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue. GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation. Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement. (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)
Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.
Security: CVE-2009-4136
2009-12-09 22:57:51 +01:00
|
|
|
int save_sec_context;
|
2002-04-27 05:45:03 +02:00
|
|
|
AclResult aclresult;
|
Allow on-the-fly capture of DDL event details
This feature lets user code inspect and take action on DDL events.
Whenever a ddl_command_end event trigger is installed, DDL actions
executed are saved to a list which can be inspected during execution of
a function attached to ddl_command_end.
The set-returning function pg_event_trigger_ddl_commands can be used to
list actions so captured; it returns data about the type of command
executed, as well as the affected object. This is sufficient for many
uses of this feature. For the cases where it is not, we also provide a
"command" column of a new pseudo-type pg_ddl_command, which is a
pointer to a C structure that can be accessed by C code. The struct
contains all the info necessary to completely inspect and even
reconstruct the executed command.
There is no actual deparse code here; that's expected to come later.
What we have is enough infrastructure that the deparsing can be done in
an external extension. The intention is that we will add some deparsing
code in a later release, as an in-core extension.
A new test module is included. It's probably insufficient as is, but it
should be sufficient as a starting point for a more complete and
future-proof approach.
Authors: Álvaro Herrera, with some help from Andres Freund, Ian Barwick,
Abhijit Menon-Sen.
Reviews by Andres Freund, Robert Haas, Amit Kapila, Michael Paquier,
Craig Ringer, David Steele.
Additional input from Chris Browne, Dimitri Fontaine, Stephen Frost,
Petr Jelínek, Tom Lane, Jim Nasby, Steven Singer, Pavel Stěhule.
Based on original work by Dimitri Fontaine, though I didn't use his
code.
Discussion:
https://www.postgresql.org/message-id/m2txrsdzxa.fsf@2ndQuadrant.fr
https://www.postgresql.org/message-id/20131108153322.GU5809@eldon.alvh.no-ip.org
https://www.postgresql.org/message-id/20150215044814.GL3391@alvh.no-ip.org
2015-05-12 00:14:31 +02:00
|
|
|
ObjectAddress address;
|
2002-04-15 07:22:04 +02:00
|
|
|
|
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function. It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user. However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.
The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue. GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation. Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement. (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)
Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.
Security: CVE-2009-4136
2009-12-09 22:57:51 +01:00
|
|
|
GetUserIdAndSecContext(&saved_uid, &save_sec_context);
|
2002-04-15 07:22:04 +02:00
|
|
|
|
2002-04-27 05:45:03 +02:00
|
|
|
/*
|
2005-07-14 23:46:30 +02:00
|
|
|
* Who is supposed to own the new schema?
|
2002-04-27 05:45:03 +02:00
|
|
|
*/
|
Allow CURRENT/SESSION_USER to be used in certain commands
Commands such as ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and the
various ALTER OBJECT / OWNER TO, as well as ad-hoc clauses related to
roles such as the AUTHORIZATION clause of CREATE SCHEMA, the FOR clause
of CREATE USER MAPPING, and the FOR ROLE clause of ALTER DEFAULT
PRIVILEGES can now take the keywords CURRENT_USER and SESSION_USER as
user specifiers in place of an explicit user name.
This commit also fixes some quite ugly handling of special standards-
mandated syntax in CREATE USER MAPPING, which in particular would fail
to work in presence of a role named "current_user".
The special role specifiers PUBLIC and NONE also have more consistent
handling now.
Also take the opportunity to add location tracking to user specifiers.
Authors: Kyotaro Horiguchi. Heavily reworked by Álvaro Herrera.
Reviewed by: Rushabh Lathia, Adam Brightwell, Marti Raudsepp.
2015-03-09 19:41:54 +01:00
|
|
|
if (stmt->authrole)
|
|
|
|
owner_uid = get_rolespec_oid(stmt->authrole, false);
|
2002-09-04 22:31:48 +02:00
|
|
|
else
|
2005-06-28 07:09:14 +02:00
|
|
|
owner_uid = saved_uid;
|
2002-04-15 07:22:04 +02:00
|
|
|
|
Allow CURRENT/SESSION_USER to be used in certain commands
Commands such as ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and the
various ALTER OBJECT / OWNER TO, as well as ad-hoc clauses related to
roles such as the AUTHORIZATION clause of CREATE SCHEMA, the FOR clause
of CREATE USER MAPPING, and the FOR ROLE clause of ALTER DEFAULT
PRIVILEGES can now take the keywords CURRENT_USER and SESSION_USER as
user specifiers in place of an explicit user name.
This commit also fixes some quite ugly handling of special standards-
mandated syntax in CREATE USER MAPPING, which in particular would fail
to work in presence of a role named "current_user".
The special role specifiers PUBLIC and NONE also have more consistent
handling now.
Also take the opportunity to add location tracking to user specifiers.
Authors: Kyotaro Horiguchi. Heavily reworked by Álvaro Herrera.
Reviewed by: Rushabh Lathia, Adam Brightwell, Marti Raudsepp.
2015-03-09 19:41:54 +01:00
|
|
|
/* fill schema name with the user name if not specified */
|
|
|
|
if (!schemaName)
|
|
|
|
{
|
2015-05-24 03:35:49 +02:00
|
|
|
HeapTuple tuple;
|
Allow CURRENT/SESSION_USER to be used in certain commands
Commands such as ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and the
various ALTER OBJECT / OWNER TO, as well as ad-hoc clauses related to
roles such as the AUTHORIZATION clause of CREATE SCHEMA, the FOR clause
of CREATE USER MAPPING, and the FOR ROLE clause of ALTER DEFAULT
PRIVILEGES can now take the keywords CURRENT_USER and SESSION_USER as
user specifiers in place of an explicit user name.
This commit also fixes some quite ugly handling of special standards-
mandated syntax in CREATE USER MAPPING, which in particular would fail
to work in presence of a role named "current_user".
The special role specifiers PUBLIC and NONE also have more consistent
handling now.
Also take the opportunity to add location tracking to user specifiers.
Authors: Kyotaro Horiguchi. Heavily reworked by Álvaro Herrera.
Reviewed by: Rushabh Lathia, Adam Brightwell, Marti Raudsepp.
2015-03-09 19:41:54 +01:00
|
|
|
|
|
|
|
tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(owner_uid));
|
|
|
|
if (!HeapTupleIsValid(tuple))
|
|
|
|
elog(ERROR, "cache lookup failed for role %u", owner_uid);
|
|
|
|
schemaName =
|
|
|
|
pstrdup(NameStr(((Form_pg_authid) GETSTRUCT(tuple))->rolname));
|
|
|
|
ReleaseSysCache(tuple);
|
|
|
|
}
|
|
|
|
|
2002-04-27 05:45:03 +02:00
|
|
|
/*
|
2005-07-14 23:46:30 +02:00
|
|
|
* To create a schema, must have schema-create privilege on the current
|
|
|
|
* database and must be able to become the target role (this does not
|
|
|
|
* imply that the target role itself must have create-schema privilege).
|
2014-05-06 18:12:18 +02:00
|
|
|
* The latter provision guards against "giveaway" attacks. Note that a
|
2005-10-15 04:49:52 +02:00
|
|
|
* superuser will always have both of these privileges a fortiori.
|
2002-04-27 05:45:03 +02:00
|
|
|
*/
|
2005-06-28 07:09:14 +02:00
|
|
|
aclresult = pg_database_aclcheck(MyDatabaseId, saved_uid, ACL_CREATE);
|
2002-04-27 05:45:03 +02:00
|
|
|
if (aclresult != ACLCHECK_OK)
|
2003-08-01 02:15:26 +02:00
|
|
|
aclcheck_error(aclresult, ACL_KIND_DATABASE,
|
|
|
|
get_database_name(MyDatabaseId));
|
2002-04-27 05:45:03 +02:00
|
|
|
|
2005-07-14 23:46:30 +02:00
|
|
|
check_is_member_of_role(saved_uid, owner_uid);
|
|
|
|
|
|
|
|
/* Additional check to protect reserved schema names */
|
2002-04-15 07:22:04 +02:00
|
|
|
if (!allowSystemTableMods && IsReservedName(schemaName))
|
2003-07-19 01:20:33 +02:00
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_RESERVED_NAME),
|
|
|
|
errmsg("unacceptable schema name \"%s\"", schemaName),
|
2005-10-15 04:49:52 +02:00
|
|
|
errdetail("The prefix \"pg_\" is reserved for system schemas.")));
|
2002-04-15 07:22:04 +02:00
|
|
|
|
2012-10-04 01:47:11 +02:00
|
|
|
/*
|
|
|
|
* If if_not_exists was given and the schema already exists, bail out.
|
|
|
|
* (Note: we needn't check this when not if_not_exists, because
|
|
|
|
* NamespaceCreate will complain anyway.) We could do this before making
|
|
|
|
* the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its
|
|
|
|
* creation-permission check first, we do likewise.
|
|
|
|
*/
|
|
|
|
if (stmt->if_not_exists &&
|
|
|
|
SearchSysCacheExists1(NAMESPACENAME, PointerGetDatum(schemaName)))
|
|
|
|
{
|
|
|
|
ereport(NOTICE,
|
|
|
|
(errcode(ERRCODE_DUPLICATE_SCHEMA),
|
|
|
|
errmsg("schema \"%s\" already exists, skipping",
|
|
|
|
schemaName)));
|
2012-12-24 00:25:03 +01:00
|
|
|
return InvalidOid;
|
2012-10-04 01:47:11 +02:00
|
|
|
}
|
|
|
|
|
2005-07-14 23:46:30 +02:00
|
|
|
/*
|
|
|
|
* If the requested authorization is different from the current user,
|
2005-10-15 04:49:52 +02:00
|
|
|
* temporarily set the current user so that the object(s) will be created
|
|
|
|
* with the correct ownership.
|
2005-07-14 23:46:30 +02:00
|
|
|
*
|
2009-06-11 16:49:15 +02:00
|
|
|
* (The setting will be restored at the end of this routine, or in case of
|
|
|
|
* error, transaction abort will clean things up.)
|
2005-07-14 23:46:30 +02:00
|
|
|
*/
|
|
|
|
if (saved_uid != owner_uid)
|
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function. It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user. However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.
The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue. GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation. Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement. (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)
Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.
Security: CVE-2009-4136
2009-12-09 22:57:51 +01:00
|
|
|
SetUserIdAndSecContext(owner_uid,
|
2010-02-26 03:01:40 +01:00
|
|
|
save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
|
2005-07-14 23:46:30 +02:00
|
|
|
|
2002-04-15 07:22:04 +02:00
|
|
|
/* Create the schema's namespace */
|
2012-03-08 21:52:26 +01:00
|
|
|
namespaceId = NamespaceCreate(schemaName, owner_uid, false);
|
2002-04-15 07:22:04 +02:00
|
|
|
|
2002-05-17 22:53:33 +02:00
|
|
|
/* Advance cmd counter to make the namespace visible */
|
2002-04-15 07:22:04 +02:00
|
|
|
CommandCounterIncrement();
|
|
|
|
|
2002-05-17 22:53:33 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Temporarily make the new namespace be the front of the search path, as
|
|
|
|
* well as the default creation target namespace. This will be undone at
|
|
|
|
* the end of this routine, or upon error.
|
2002-05-17 22:53:33 +02:00
|
|
|
*/
|
2007-03-23 20:53:52 +01:00
|
|
|
overridePath = GetOverrideSearchPath(CurrentMemoryContext);
|
|
|
|
overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas);
|
|
|
|
/* XXX should we clear overridePath->useTemp? */
|
|
|
|
PushOverrideSearchPath(overridePath);
|
2002-05-17 22:53:33 +02:00
|
|
|
|
Allow on-the-fly capture of DDL event details
This feature lets user code inspect and take action on DDL events.
Whenever a ddl_command_end event trigger is installed, DDL actions
executed are saved to a list which can be inspected during execution of
a function attached to ddl_command_end.
The set-returning function pg_event_trigger_ddl_commands can be used to
list actions so captured; it returns data about the type of command
executed, as well as the affected object. This is sufficient for many
uses of this feature. For the cases where it is not, we also provide a
"command" column of a new pseudo-type pg_ddl_command, which is a
pointer to a C structure that can be accessed by C code. The struct
contains all the info necessary to completely inspect and even
reconstruct the executed command.
There is no actual deparse code here; that's expected to come later.
What we have is enough infrastructure that the deparsing can be done in
an external extension. The intention is that we will add some deparsing
code in a later release, as an in-core extension.
A new test module is included. It's probably insufficient as is, but it
should be sufficient as a starting point for a more complete and
future-proof approach.
Authors: Álvaro Herrera, with some help from Andres Freund, Ian Barwick,
Abhijit Menon-Sen.
Reviews by Andres Freund, Robert Haas, Amit Kapila, Michael Paquier,
Craig Ringer, David Steele.
Additional input from Chris Browne, Dimitri Fontaine, Stephen Frost,
Petr Jelínek, Tom Lane, Jim Nasby, Steven Singer, Pavel Stěhule.
Based on original work by Dimitri Fontaine, though I didn't use his
code.
Discussion:
https://www.postgresql.org/message-id/m2txrsdzxa.fsf@2ndQuadrant.fr
https://www.postgresql.org/message-id/20131108153322.GU5809@eldon.alvh.no-ip.org
https://www.postgresql.org/message-id/20150215044814.GL3391@alvh.no-ip.org
2015-05-12 00:14:31 +02:00
|
|
|
/*
|
|
|
|
* Report the new schema to possibly interested event triggers. Note we
|
|
|
|
* must do this here and not in ProcessUtilitySlow because otherwise the
|
|
|
|
* objects created below are reported before the schema, which would be
|
|
|
|
* wrong.
|
|
|
|
*/
|
|
|
|
ObjectAddressSet(address, NamespaceRelationId, namespaceId);
|
|
|
|
EventTriggerCollectSimpleCommand(address, InvalidObjectAddress,
|
|
|
|
(Node *) stmt);
|
|
|
|
|
2002-04-15 07:22:04 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Examine the list of commands embedded in the CREATE SCHEMA command, and
|
|
|
|
* reorganize them into a sequentially executable order with no forward
|
2014-05-06 18:12:18 +02:00
|
|
|
* references. Note that the result is still a list of raw parsetrees ---
|
2007-11-15 22:14:46 +01:00
|
|
|
* we cannot, in general, run parse analysis on one statement until we
|
|
|
|
* have actually executed the prior ones.
|
2002-04-15 07:22:04 +02:00
|
|
|
*/
|
2007-06-24 00:12:52 +02:00
|
|
|
parsetree_list = transformCreateSchemaStmt(stmt);
|
2002-04-15 07:22:04 +02:00
|
|
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Execute each command contained in the CREATE SCHEMA. Since the grammar
|
|
|
|
* allows only utility commands in CREATE SCHEMA, there is no need to pass
|
|
|
|
* them through parse_analyze() or the rewriter; we can just hand them
|
|
|
|
* straight to ProcessUtility.
|
2002-04-15 07:22:04 +02:00
|
|
|
*/
|
|
|
|
foreach(parsetree_item, parsetree_list)
|
|
|
|
{
|
2007-06-24 00:12:52 +02:00
|
|
|
Node *stmt = (Node *) lfirst(parsetree_item);
|
|
|
|
|
|
|
|
/* do this step */
|
|
|
|
ProcessUtility(stmt,
|
|
|
|
queryString,
|
2013-04-28 06:18:45 +02:00
|
|
|
PROCESS_UTILITY_SUBCOMMAND,
|
2007-06-24 00:12:52 +02:00
|
|
|
NULL,
|
|
|
|
None_Receiver,
|
2013-04-28 06:18:45 +02:00
|
|
|
NULL);
|
2007-06-24 00:12:52 +02:00
|
|
|
/* make sure later steps can see the object created here */
|
|
|
|
CommandCounterIncrement();
|
2002-04-15 07:22:04 +02:00
|
|
|
}
|
|
|
|
|
2002-05-17 22:53:33 +02:00
|
|
|
/* Reset search path to normal state */
|
2007-03-23 20:53:52 +01:00
|
|
|
PopOverrideSearchPath();
|
2002-05-17 22:53:33 +02:00
|
|
|
|
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function. It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user. However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.
The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue. GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation. Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement. (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)
Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.
Security: CVE-2009-4136
2009-12-09 22:57:51 +01:00
|
|
|
/* Reset current user and security context */
|
|
|
|
SetUserIdAndSecContext(saved_uid, save_sec_context);
|
2012-12-24 00:25:03 +01:00
|
|
|
|
|
|
|
return namespaceId;
|
2002-04-15 07:22:04 +02:00
|
|
|
}
|
2002-07-18 18:47:26 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Guts of schema deletion.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
RemoveSchemaById(Oid schemaOid)
|
|
|
|
{
|
|
|
|
Relation relation;
|
|
|
|
HeapTuple tup;
|
|
|
|
|
2005-04-14 22:03:27 +02:00
|
|
|
relation = heap_open(NamespaceRelationId, RowExclusiveLock);
|
2002-07-18 18:47:26 +02:00
|
|
|
|
2010-02-14 19:42:19 +01:00
|
|
|
tup = SearchSysCache1(NAMESPACEOID,
|
|
|
|
ObjectIdGetDatum(schemaOid));
|
2003-08-04 02:43:34 +02:00
|
|
|
if (!HeapTupleIsValid(tup)) /* should not happen */
|
2003-07-28 02:09:16 +02:00
|
|
|
elog(ERROR, "cache lookup failed for namespace %u", schemaOid);
|
2002-07-18 18:47:26 +02:00
|
|
|
|
|
|
|
simple_heap_delete(relation, &tup->t_self);
|
|
|
|
|
|
|
|
ReleaseSysCache(tup);
|
|
|
|
|
|
|
|
heap_close(relation, RowExclusiveLock);
|
|
|
|
}
|
2003-06-27 16:45:32 +02:00
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Rename schema
|
|
|
|
*/
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddress
|
2003-06-27 16:45:32 +02:00
|
|
|
RenameSchema(const char *oldname, const char *newname)
|
|
|
|
{
|
2012-12-24 00:25:03 +01:00
|
|
|
Oid nspOid;
|
2003-06-27 16:45:32 +02:00
|
|
|
HeapTuple tup;
|
|
|
|
Relation rel;
|
|
|
|
AclResult aclresult;
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddress address;
|
2003-06-27 16:45:32 +02:00
|
|
|
|
2005-04-14 22:03:27 +02:00
|
|
|
rel = heap_open(NamespaceRelationId, RowExclusiveLock);
|
2003-06-27 16:45:32 +02:00
|
|
|
|
2010-02-14 19:42:19 +01:00
|
|
|
tup = SearchSysCacheCopy1(NAMESPACENAME, CStringGetDatum(oldname));
|
2003-06-27 16:45:32 +02:00
|
|
|
if (!HeapTupleIsValid(tup))
|
|
|
|
ereport(ERROR,
|
2003-07-19 01:20:33 +02:00
|
|
|
(errcode(ERRCODE_UNDEFINED_SCHEMA),
|
2003-06-27 16:45:32 +02:00
|
|
|
errmsg("schema \"%s\" does not exist", oldname)));
|
|
|
|
|
2012-12-24 00:25:03 +01:00
|
|
|
nspOid = HeapTupleGetOid(tup);
|
|
|
|
|
2003-06-27 16:45:32 +02:00
|
|
|
/* make sure the new name doesn't exist */
|
2010-08-05 16:45:09 +02:00
|
|
|
if (OidIsValid(get_namespace_oid(newname, true)))
|
2003-06-27 16:45:32 +02:00
|
|
|
ereport(ERROR,
|
2003-07-19 01:20:33 +02:00
|
|
|
(errcode(ERRCODE_DUPLICATE_SCHEMA),
|
2003-06-27 16:45:32 +02:00
|
|
|
errmsg("schema \"%s\" already exists", newname)));
|
|
|
|
|
|
|
|
/* must be owner */
|
|
|
|
if (!pg_namespace_ownercheck(HeapTupleGetOid(tup), GetUserId()))
|
2003-08-01 02:15:26 +02:00
|
|
|
aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_NAMESPACE,
|
|
|
|
oldname);
|
2003-06-27 16:45:32 +02:00
|
|
|
|
|
|
|
/* must have CREATE privilege on database */
|
|
|
|
aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE);
|
|
|
|
if (aclresult != ACLCHECK_OK)
|
2003-08-01 02:15:26 +02:00
|
|
|
aclcheck_error(aclresult, ACL_KIND_DATABASE,
|
|
|
|
get_database_name(MyDatabaseId));
|
2003-06-27 16:45:32 +02:00
|
|
|
|
|
|
|
if (!allowSystemTableMods && IsReservedName(newname))
|
2003-07-19 01:20:33 +02:00
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_RESERVED_NAME),
|
|
|
|
errmsg("unacceptable schema name \"%s\"", newname),
|
2005-10-15 04:49:52 +02:00
|
|
|
errdetail("The prefix \"pg_\" is reserved for system schemas.")));
|
2003-06-27 16:45:32 +02:00
|
|
|
|
|
|
|
/* rename */
|
|
|
|
namestrcpy(&(((Form_pg_namespace) GETSTRUCT(tup))->nspname), newname);
|
|
|
|
simple_heap_update(rel, &tup->t_self, tup);
|
|
|
|
CatalogUpdateIndexes(rel, tup);
|
|
|
|
|
2013-03-18 03:55:14 +01:00
|
|
|
InvokeObjectPostAlterHook(NamespaceRelationId, HeapTupleGetOid(tup), 0);
|
|
|
|
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddressSet(address, NamespaceRelationId, nspOid);
|
|
|
|
|
2003-06-27 16:45:32 +02:00
|
|
|
heap_close(rel, NoLock);
|
|
|
|
heap_freetuple(tup);
|
2012-12-24 00:25:03 +01:00
|
|
|
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
return address;
|
2003-06-27 16:45:32 +02:00
|
|
|
}
|
2004-06-25 23:55:59 +02:00
|
|
|
|
2005-11-21 13:49:33 +01:00
|
|
|
void
|
|
|
|
AlterSchemaOwner_oid(Oid oid, Oid newOwnerId)
|
|
|
|
{
|
|
|
|
HeapTuple tup;
|
|
|
|
Relation rel;
|
|
|
|
|
|
|
|
rel = heap_open(NamespaceRelationId, RowExclusiveLock);
|
|
|
|
|
2010-02-14 19:42:19 +01:00
|
|
|
tup = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(oid));
|
2005-11-21 13:49:33 +01:00
|
|
|
if (!HeapTupleIsValid(tup))
|
|
|
|
elog(ERROR, "cache lookup failed for schema %u", oid);
|
|
|
|
|
|
|
|
AlterSchemaOwner_internal(tup, rel, newOwnerId);
|
|
|
|
|
|
|
|
ReleaseSysCache(tup);
|
|
|
|
|
|
|
|
heap_close(rel, RowExclusiveLock);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2004-06-25 23:55:59 +02:00
|
|
|
/*
|
|
|
|
* Change schema owner
|
|
|
|
*/
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddress
|
2005-06-28 07:09:14 +02:00
|
|
|
AlterSchemaOwner(const char *name, Oid newOwnerId)
|
2004-06-25 23:55:59 +02:00
|
|
|
{
|
2012-12-24 00:25:03 +01:00
|
|
|
Oid nspOid;
|
2004-06-25 23:55:59 +02:00
|
|
|
HeapTuple tup;
|
|
|
|
Relation rel;
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddress address;
|
2004-06-25 23:55:59 +02:00
|
|
|
|
2005-04-14 22:03:27 +02:00
|
|
|
rel = heap_open(NamespaceRelationId, RowExclusiveLock);
|
2004-06-25 23:55:59 +02:00
|
|
|
|
2010-02-14 19:42:19 +01:00
|
|
|
tup = SearchSysCache1(NAMESPACENAME, CStringGetDatum(name));
|
2004-06-25 23:55:59 +02:00
|
|
|
if (!HeapTupleIsValid(tup))
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_UNDEFINED_SCHEMA),
|
|
|
|
errmsg("schema \"%s\" does not exist", name)));
|
2005-11-21 13:49:33 +01:00
|
|
|
|
2012-12-24 00:25:03 +01:00
|
|
|
nspOid = HeapTupleGetOid(tup);
|
|
|
|
|
2005-11-21 13:49:33 +01:00
|
|
|
AlterSchemaOwner_internal(tup, rel, newOwnerId);
|
|
|
|
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddressSet(address, NamespaceRelationId, nspOid);
|
|
|
|
|
2005-11-21 13:49:33 +01:00
|
|
|
ReleaseSysCache(tup);
|
|
|
|
|
|
|
|
heap_close(rel, RowExclusiveLock);
|
2012-12-24 00:25:03 +01:00
|
|
|
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
return address;
|
2005-11-21 13:49:33 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
|
|
|
|
{
|
|
|
|
Form_pg_namespace nspForm;
|
|
|
|
|
|
|
|
Assert(tup->t_tableOid == NamespaceRelationId);
|
|
|
|
Assert(RelationGetRelid(rel) == NamespaceRelationId);
|
|
|
|
|
2004-06-25 23:55:59 +02:00
|
|
|
nspForm = (Form_pg_namespace) GETSTRUCT(tup);
|
|
|
|
|
2004-08-29 07:07:03 +02:00
|
|
|
/*
|
2004-06-25 23:55:59 +02:00
|
|
|
* If the new owner is the same as the existing owner, consider the
|
|
|
|
* command to have succeeded. This is for dump restoration purposes.
|
|
|
|
*/
|
2005-06-28 07:09:14 +02:00
|
|
|
if (nspForm->nspowner != newOwnerId)
|
2004-06-25 23:55:59 +02:00
|
|
|
{
|
2004-08-01 22:30:49 +02:00
|
|
|
Datum repl_val[Natts_pg_namespace];
|
2008-11-02 02:45:28 +01:00
|
|
|
bool repl_null[Natts_pg_namespace];
|
|
|
|
bool repl_repl[Natts_pg_namespace];
|
2004-08-29 07:07:03 +02:00
|
|
|
Acl *newAcl;
|
2004-08-01 22:30:49 +02:00
|
|
|
Datum aclDatum;
|
|
|
|
bool isNull;
|
|
|
|
HeapTuple newtuple;
|
2005-07-14 23:46:30 +02:00
|
|
|
AclResult aclresult;
|
|
|
|
|
|
|
|
/* Otherwise, must be owner of the existing object */
|
2005-10-15 04:49:52 +02:00
|
|
|
if (!pg_namespace_ownercheck(HeapTupleGetOid(tup), GetUserId()))
|
2005-07-14 23:46:30 +02:00
|
|
|
aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_NAMESPACE,
|
2005-11-21 13:49:33 +01:00
|
|
|
NameStr(nspForm->nspname));
|
2005-07-14 23:46:30 +02:00
|
|
|
|
|
|
|
/* Must be able to become new owner */
|
2005-10-15 04:49:52 +02:00
|
|
|
check_is_member_of_role(GetUserId(), newOwnerId);
|
2004-08-01 22:30:49 +02:00
|
|
|
|
2005-07-14 23:46:30 +02:00
|
|
|
/*
|
|
|
|
* must have create-schema rights
|
|
|
|
*
|
2005-10-15 04:49:52 +02:00
|
|
|
* NOTE: This is different from other alter-owner checks in that the
|
|
|
|
* current user is checked for create privileges instead of the
|
|
|
|
* destination owner. This is consistent with the CREATE case for
|
|
|
|
* schemas. Because superusers will always have this right, we need
|
|
|
|
* no special case for them.
|
2005-07-14 23:46:30 +02:00
|
|
|
*/
|
|
|
|
aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(),
|
|
|
|
ACL_CREATE);
|
|
|
|
if (aclresult != ACLCHECK_OK)
|
|
|
|
aclcheck_error(aclresult, ACL_KIND_DATABASE,
|
|
|
|
get_database_name(MyDatabaseId));
|
2004-06-25 23:55:59 +02:00
|
|
|
|
2008-11-02 02:45:28 +01:00
|
|
|
memset(repl_null, false, sizeof(repl_null));
|
|
|
|
memset(repl_repl, false, sizeof(repl_repl));
|
2004-06-25 23:55:59 +02:00
|
|
|
|
2008-11-02 02:45:28 +01:00
|
|
|
repl_repl[Anum_pg_namespace_nspowner - 1] = true;
|
2005-06-28 07:09:14 +02:00
|
|
|
repl_val[Anum_pg_namespace_nspowner - 1] = ObjectIdGetDatum(newOwnerId);
|
2004-06-25 23:55:59 +02:00
|
|
|
|
2004-08-01 22:30:49 +02:00
|
|
|
/*
|
|
|
|
* Determine the modified ACL for the new owner. This is only
|
|
|
|
* necessary when the ACL is non-null.
|
|
|
|
*/
|
|
|
|
aclDatum = SysCacheGetAttr(NAMESPACENAME, tup,
|
|
|
|
Anum_pg_namespace_nspacl,
|
|
|
|
&isNull);
|
|
|
|
if (!isNull)
|
|
|
|
{
|
|
|
|
newAcl = aclnewowner(DatumGetAclP(aclDatum),
|
2005-06-28 07:09:14 +02:00
|
|
|
nspForm->nspowner, newOwnerId);
|
2008-11-02 02:45:28 +01:00
|
|
|
repl_repl[Anum_pg_namespace_nspacl - 1] = true;
|
2004-08-01 22:30:49 +02:00
|
|
|
repl_val[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(newAcl);
|
|
|
|
}
|
|
|
|
|
2008-11-02 02:45:28 +01:00
|
|
|
newtuple = heap_modify_tuple(tup, RelationGetDescr(rel), repl_val, repl_null, repl_repl);
|
2004-08-01 22:30:49 +02:00
|
|
|
|
|
|
|
simple_heap_update(rel, &newtuple->t_self, newtuple);
|
|
|
|
CatalogUpdateIndexes(rel, newtuple);
|
2004-06-25 23:55:59 +02:00
|
|
|
|
2004-08-01 22:30:49 +02:00
|
|
|
heap_freetuple(newtuple);
|
2005-07-07 22:40:02 +02:00
|
|
|
|
|
|
|
/* Update owner dependency reference */
|
|
|
|
changeDependencyOnOwner(NamespaceRelationId, HeapTupleGetOid(tup),
|
|
|
|
newOwnerId);
|
2004-08-01 22:30:49 +02:00
|
|
|
}
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2013-03-18 03:55:14 +01:00
|
|
|
InvokeObjectPostAlterHook(NamespaceRelationId,
|
|
|
|
HeapTupleGetOid(tup), 0);
|
2004-06-25 23:55:59 +02:00
|
|
|
}
|