rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/src/backend/catalog/aclchk.c

2220 lines
59 KiB
C
Raw Normal View History

Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
/*-------------------------------------------------------------------------
*
Change my-function-name-- to my_function_name, and optimizer renames.
1999-02-14 00:22:53 +01:00
* aclchk.c
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
* Routines to check access control permissions.
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
*
Tag appropriate files for rc3 Also performed an initial run through of upgrading our Copyright date to extend to 2005 ... first run here was very simple ... change everything where: grep 1996-2004 && the word 'Copyright' ... scanned through the generated list with 'less' first, and after, to make sure that I only picked up the right entries ...
2004-12-31 23:04:05 +01:00
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
Add: * Portions Copyright (c) 1996-2000, PostgreSQL, Inc to all files copyright Regents of Berkeley. Man, that's a lot of files.
2000-01-26 06:58:53 +01:00
* Portions Copyright (c) 1994, Regents of the University of California
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
*
*
* IDENTIFICATION
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.120 2005/10/15 02:49:12 momjian Exp $
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
*
* NOTES
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
* See acl.h.
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
*
*-------------------------------------------------------------------------
*/
Produce a clean compile of backend...
1996-11-03 07:54:38 +01:00
#include "postgres.h"
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
#include "access/heapam.h"
#include "catalog/catalog.h"
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
#include "catalog/dependency.h"
Final cleanup.
1999-07-16 07:00:38 +02:00
#include "catalog/indexing.h"
pg_class has a relnamespace column. You can create and access tables in schemas other than the system namespace; however, there's no search path yet, and not all operations work yet on tables outside the system namespace.
2002-03-26 20:17:02 +01:00
#include "catalog/namespace.h"
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
#include "catalog/pg_auth_members.h"
#include "catalog/pg_authid.h"
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
#include "catalog/pg_conversion.h"
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
#include "catalog/pg_database.h"
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
#include "catalog/pg_language.h"
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
#include "catalog/pg_namespace.h"
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
#include "catalog/pg_opclass.h"
Changed make to gmake. Added needed include file.
1996-10-31 06:55:24 +01:00
#include "catalog/pg_operator.h"
Compile and warning cleanup
1996-11-08 07:02:30 +01:00
#include "catalog/pg_proc.h"
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
#include "catalog/pg_tablespace.h"
This patch... 1. Removes the unnecessary "#define AbcRegProcedure 123"'s from pg_proc.h. 2. Changes those #defines to use the names already defined in fmgr.h. 3. Forces the make of fmgr.h in backend/Makefile instead of having it made as a dependency in access/common/Makefile *hack*hack*hack* 4. Rearranged the #includes to a less helter-skelter arrangement, also changing <file.h> to "file.h" to signify a non-system header. 5. Removed "pg_proc.h" from files where its only purpose was for the #defines removed in item #1. 6. Added "fmgr.h" to each file changed for completeness sake. Turns out that #6 was not necessary for some files because fmgr.h was being included in a roundabout way SIX levels deep by the first include. "access/genam.h" ->"access/relscan.h" ->"utils/rel.h" ->"access/strat.h" ->"access/skey.h" ->"fmgr.h" So adding fmgr.h really didn't add anything to the compile, hopefully just made it clearer to the programmer. S Darren.
1998-04-27 06:08:07 +02:00
#include "catalog/pg_type.h"
Final cleanup.
1999-07-16 07:00:38 +02:00
#include "miscadmin.h"
Break parser functions into smaller files, group together.
1997-11-25 23:07:18 +01:00
#include "parser/parse_func.h"
Final cleanup.
1999-07-16 07:00:38 +02:00
#include "utils/acl.h"
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
#include "utils/syscache.h"
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
static void ExecuteGrantStmt_Relation(GrantStmt *stmt);
static void ExecuteGrantStmt_Database(GrantStmt *stmt);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
static void ExecuteGrantStmt_Function(GrantStmt *stmt);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
static void ExecuteGrantStmt_Language(GrantStmt *stmt);
static void ExecuteGrantStmt_Namespace(GrantStmt *stmt);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
static void ExecuteGrantStmt_Tablespace(GrantStmt *stmt);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
static AclMode string_to_privilege(const char *privname);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
static const char *privilege_to_string(AclMode privilege);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
Make UPDATE and DELETE privileges distinct. Add REFERENCES and TRIGGER privileges. INSERT and COPY FROM now require INSERT (only). Add privileges regression test.
2001-05-27 11:59:30 +02:00
#ifdef ACLDEBUG
Fix declaration of dumpacl, per Alvaro.
2005-08-17 21:45:51 +02:00
static void
Add typdefs to pgindent run.
1997-09-08 22:59:27 +02:00
dumpacl(Acl *acl)
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
{
Make acl-related functions safe for TOAST. Mark pg_class.relacl as compressible but not externally storable (since we're not sure about whether creating a toast relation for pg_class would work).
2000-08-01 00:39:17 +02:00
int i;
Another PGINDENT run that changes variable indenting and case label indenting. Also static variable indenting.
1997-09-08 04:41:22 +02:00
AclItem *aip;
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
Make debug_ GUC varables output DEBUG1 rather than LOG, and mention in docs that CLIENT/LOG_MIN_MESSAGES now controls debug_* output location. Doc changes included.
2003-05-27 19:49:47 +02:00
elog(DEBUG2, "acl size = %d, # acls = %d",
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
ACL_SIZE(acl), ACL_NUM(acl));
Make acl-related functions safe for TOAST. Mark pg_class.relacl as compressible but not externally storable (since we're not sure about whether creating a toast relation for pg_class would work).
2000-08-01 00:39:17 +02:00
aip = ACL_DAT(acl);
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
for (i = 0; i < ACL_NUM(acl); ++i)
Make debug_ GUC varables output DEBUG1 rather than LOG, and mention in docs that CLIENT/LOG_MIN_MESSAGES now controls debug_* output location. Doc changes included.
2003-05-27 19:49:47 +02:00
elog(DEBUG2, " acl[%d]: %s", i,
Make acl-related functions safe for TOAST. Mark pg_class.relacl as compressible but not externally storable (since we're not sure about whether creating a toast relation for pg_class would work).
2000-08-01 00:39:17 +02:00
DatumGetCString(DirectFunctionCall1(aclitemout,
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
PointerGetDatum(aip + i))));
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
}
New pgindent run with fixes suggested by Tom. Patch manually reviewed, initdb/regression tests pass.
2001-11-05 18:46:40 +01:00
#endif /* ACLDEBUG */
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/*
* If is_grant is true, adds the given privileges for the list of
* grantees to the existing old_acl. If is_grant is false, the
* privileges for the given grantees are removed from old_acl.
Avoid consuming unreasonable amounts of memory when GRANT has many grantees.
2003-09-04 17:53:04 +02:00
*
* NB: the original old_acl is pfree'd.
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
*/
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
static Acl *
merge_acl_with_grant(Acl *old_acl, bool is_grant,
When revoking privileges from the owner, don't revoke the grant options, to avoid recursively revoking everything from everyone.
2003-10-05 23:49:12 +02:00
bool grant_option, DropBehavior behavior,
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
List *grantees, AclMode privileges,
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
Oid grantorId, Oid ownerId)
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
{
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
unsigned modechg;
Reimplement the linked list data structure used throughout the backend. In the past, we used a 'Lispy' linked list implementation: a "list" was merely a pointer to the head node of the list. The problem with that design is that it makes lappend() and length() linear time. This patch fixes that problem (and others) by maintaining a count of the list length and a pointer to the tail node along with each head node pointer. A "list" is now a pointer to a structure containing some meta-data about the list; the head and tail pointers in that structure refer to ListCell structures that maintain the actual linked list of nodes. The function names of the list API have also been changed to, I hope, be more logically consistent. By default, the old function names are still available; they will be disabled-by-default once the rest of the tree has been updated to use the new API names.
2004-05-26 06:41:50 +02:00
ListCell *j;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Acl *new_acl;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
modechg = is_grant ? ACL_MODECHG_ADD : ACL_MODECHG_DEL;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
#ifdef ACLDEBUG
dumpacl(old_acl);
#endif
new_acl = old_acl;
foreach(j, grantees)
{
PrivGrantee *grantee = (PrivGrantee *) lfirst(j);
Pgindent run for 8.0.
2004-08-29 07:07:03 +02:00
AclItem aclitem;
Avoid consuming unreasonable amounts of memory when GRANT has many grantees.
2003-09-04 17:53:04 +02:00
Acl *newer_acl;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (grantee->rolname)
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
aclitem. ai_grantee = get_roleid_checked(grantee->rolname);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
else
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
aclitem. ai_grantee = ACL_ID_PUBLIC;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Grant options, and cascading revoke. Grant options are allowed only for users right now, not groups. Extension of has_foo_privileges functions to query the grant options. Extension of aclitem type to store grantor.
2003-01-24 00:39:07 +01:00
/*
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
* Grant options can only be granted to individual roles, not PUBLIC.
* The reason is that if a user would re-grant a privilege that he
* held through PUBLIC, and later the user is removed, the situation
* is impossible to clean up.
Grant options, and cascading revoke. Grant options are allowed only for users right now, not groups. Extension of has_foo_privileges functions to query the grant options. Extension of aclitem type to store grantor.
2003-01-24 00:39:07 +01:00
*/
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (is_grant && grant_option && aclitem.ai_grantee == ACL_ID_PUBLIC)
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
errmsg("grant options can only be granted to roles")));
Grant options, and cascading revoke. Grant options are allowed only for users right now, not groups. Extension of has_foo_privileges functions to query the grant options. Extension of aclitem type to store grantor.
2003-01-24 00:39:07 +01:00
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
aclitem. ai_grantor = grantorId;
Grant options, and cascading revoke. Grant options are allowed only for users right now, not groups. Extension of has_foo_privileges functions to query the grant options. Extension of aclitem type to store grantor.
2003-01-24 00:39:07 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/*
* The asymmetry in the conditions here comes from the spec. In
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* GRANT, the grant_option flag signals WITH GRANT OPTION, which means
* to grant both the basic privilege and its grant option. But in
* REVOKE, plain revoke revokes both the basic privilege and its grant
* option, while REVOKE GRANT OPTION revokes only the option.
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ACLITEM_SET_PRIVS_GOPTIONS(aclitem,
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
(is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS,
(!is_grant || grant_option) ? privileges : ACL_NO_RIGHTS);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
newer_acl = aclupdate(new_acl, &aclitem, modechg, ownerId, behavior);
Avoid consuming unreasonable amounts of memory when GRANT has many grantees.
2003-09-04 17:53:04 +02:00
/* avoid memory leak when there are many grantees */
pfree(new_acl);
new_acl = newer_acl;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
#ifdef ACLDEBUG
dumpacl(new_acl);
#endif
}
return new_acl;
}
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
/*
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
* Called to execute the utility commands GRANT and REVOKE
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
*/
void
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
ExecuteGrantStmt(GrantStmt *stmt)
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
{
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
switch (stmt->objtype)
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
{
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
case ACL_OBJECT_RELATION:
ExecuteGrantStmt_Relation(stmt);
break;
case ACL_OBJECT_DATABASE:
ExecuteGrantStmt_Database(stmt);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
break;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
case ACL_OBJECT_FUNCTION:
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
ExecuteGrantStmt_Function(stmt);
break;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
case ACL_OBJECT_LANGUAGE:
ExecuteGrantStmt_Language(stmt);
break;
case ACL_OBJECT_NAMESPACE:
ExecuteGrantStmt_Namespace(stmt);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
break;
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
case ACL_OBJECT_TABLESPACE:
ExecuteGrantStmt_Tablespace(stmt);
break;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
default:
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
elog(ERROR, "unrecognized GrantStmt.objtype: %d",
(int) stmt->objtype);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
}
}
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
static void
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
ExecuteGrantStmt_Relation(GrantStmt *stmt)
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
{
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
AclMode privileges;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
bool all_privs;
Reimplement the linked list data structure used throughout the backend. In the past, we used a 'Lispy' linked list implementation: a "list" was merely a pointer to the head node of the list. The problem with that design is that it makes lappend() and length() linear time. This patch fixes that problem (and others) by maintaining a count of the list length and a pointer to the tail node along with each head node pointer. A "list" is now a pointer to a structure containing some meta-data about the list; the head and tail pointers in that structure refer to ListCell structures that maintain the actual linked list of nodes. The function names of the list API have also been changed to, I hope, be more logically consistent. By default, the old function names are still available; they will be disabled-by-default once the rest of the tree has been updated to use the new API names.
2004-05-26 06:41:50 +02:00
ListCell *i;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
if (stmt->privileges == NIL)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
all_privs = true;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_ALL_RIGHTS_RELATION;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
else
{
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
all_privs = false;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_NO_RIGHTS;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
foreach(i, stmt->privileges)
{
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
char *privname = strVal(lfirst(i));
AclMode priv = string_to_privilege(privname);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
if (priv & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("invalid privilege type %s for table",
privilege_to_string(priv))));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges |= priv;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
}
}
foreach(i, stmt->objects)
Make acl-related functions safe for TOAST. Mark pg_class.relacl as compressible but not externally storable (since we're not sure about whether creating a toast relation for pg_class would work).
2000-08-01 00:39:17 +02:00
{
pg_class has a relnamespace column. You can create and access tables in schemas other than the system namespace; however, there's no search path yet, and not all operations work yet on tables outside the system namespace.
2002-03-26 20:17:02 +01:00
RangeVar *relvar = (RangeVar *) lfirst(i);
Oid relOid;
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
Relation relation;
HeapTuple tuple;
Form_pg_class pg_class_tuple;
Datum aclDatum;
bool isNull;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
AclMode avail_goptions;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
AclMode this_privileges;
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
Acl *old_acl;
Acl *new_acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid grantorId;
Oid ownerId;
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
HeapTuple newtuple;
Datum values[Natts_pg_class];
char nulls[Natts_pg_class];
char replaces[Natts_pg_class];
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
int noldmembers;
int nnewmembers;
Oid *oldmembers;
Oid *newmembers;
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
/* open pg_class */
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
relation = heap_open(RelationRelationId, RowExclusiveLock);
pg_class has a relnamespace column. You can create and access tables in schemas other than the system namespace; however, there's no search path yet, and not all operations work yet on tables outside the system namespace.
2002-03-26 20:17:02 +01:00
relOid = RangeVarGetRelid(relvar, false);
tuple = SearchSysCache(RELOID,
ObjectIdGetDatum(relOid),
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
elog(ERROR, "cache lookup failed for relation %u", relOid);
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
/* Not sensible to grant on an index */
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
if (pg_class_tuple->relkind == RELKIND_INDEX)
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
errmsg("\"%s\" is an index",
relvar->relname)));
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/* Composite types aren't tables either */
if (pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
ereport(ERROR,
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
errmsg("\"%s\" is a composite type",
relvar->relname)));
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Get owner ID and working copy of existing ACL. If there's no ACL,
* substitute the proper default.
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
*/
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
ownerId = pg_class_tuple->relowner;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
&isNull);
if (isNull)
old_acl = acldefault(ACL_OBJECT_RELATION, ownerId);
else
old_acl = DatumGetAclPCopy(aclDatum);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor(GetUserId(), privileges,
old_acl, ownerId,
&grantorId, &avail_goptions);
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* If we found no grant options, consider whether to issue a hard
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* error. Per spec, having any privilege at all on the object will
* get you by here.
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (avail_goptions == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (pg_class_aclmask(relOid,
grantorId,
ACL_ALL_RIGHTS_RELATION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_RELATION),
ACLMASK_ANY) == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_CLASS,
relvar->relname);
}
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
if (stmt->is_grant)
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("no privileges were granted")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("not all privileges were granted")));
}
else
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("no privileges could be revoked")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("not all privileges could be revoked")));
}
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* Generate new ACL.
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* We need the members of both old and new ACLs so we can correct the
* shared dependency information.
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
*/
noldmembers = aclmembers(old_acl, &oldmembers);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
When revoking privileges from the owner, don't revoke the grant options, to avoid recursively revoking everything from everyone.
2003-10-05 23:49:12 +02:00
stmt->grant_option, stmt->behavior,
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
stmt->grantees, this_privileges,
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
grantorId, ownerId);
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
nnewmembers = aclmembers(new_acl, &newmembers);
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
/* finished building new ACL value, now insert it */
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
MemSet(values, 0, sizeof(values));
MemSet(nulls, ' ', sizeof(nulls));
MemSet(replaces, ' ', sizeof(replaces));
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
replaces[Anum_pg_class_relacl - 1] = 'r';
values[Anum_pg_class_relacl - 1] = PointerGetDatum(new_acl);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Change heap_modifytuple() to require a TupleDesc rather than a Relation. Patch from Alvaro Herrera, minor editorializing by Neil Conway.
2005-01-28 00:24:11 +01:00
newtuple = heap_modifytuple(tuple, RelationGetDescr(relation), values, nulls, replaces);
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
simple_heap_update(relation, &newtuple->t_self, newtuple);
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
Restructure system-catalog index updating logic. Instead of having hardwired lists of index names for each catalog, use the relcache's mechanism for caching lists of OIDs of indexes of any table. This reduces the common case of updating system catalog indexes to a single line, makes it much easier to add a new system index (in fact, you can now do so on-the-fly if you want to), and as a nice side benefit improves performance a little. Per recent pghackers discussion.
2002-08-05 05:29:17 +02:00
/* keep the catalog indexes up to date */
CatalogUpdateIndexes(relation, newtuple);
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
/* Update the shared dependency ACL info */
updateAclDependencies(RelationRelationId, relOid,
ownerId, stmt->is_grant,
noldmembers, oldmembers,
nnewmembers, newmembers);
ReleaseSysCache(tuple);
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
pfree(new_acl);
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
heap_close(relation, RowExclusiveLock);
> Gavin Sherry <swm@linuxworld.com.au> writes: > > I ran across this yesterday on HEAD: > > > template1=# grant select on foo, foo to swm; > > ERROR: tuple already updated by self > > Seems to fail similarly in every version back to 7.2; probably further, > but that's all I have running at the moment. > > > We could do away with the error by producing a unique list of object names > > -- but that would impose an extra cost on the common case. > > CommandCounterIncrement in the GRANT loop would be easier, likely. > I'm having a hard time getting excited about it though... Yeah, its not that exciting but that error message would throw your average user. I've attached a patch which calls CommandCounterIncrement() in each of the grant loops. Gavin Sherry
2005-08-12 23:20:24 +02:00
/* prevent error when processing duplicate objects */
CommandCounterIncrement();
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
}
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
static void
ExecuteGrantStmt_Database(GrantStmt *stmt)
{
AclMode privileges;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
bool all_privs;
Reimplement the linked list data structure used throughout the backend. In the past, we used a 'Lispy' linked list implementation: a "list" was merely a pointer to the head node of the list. The problem with that design is that it makes lappend() and length() linear time. This patch fixes that problem (and others) by maintaining a count of the list length and a pointer to the tail node along with each head node pointer. A "list" is now a pointer to a structure containing some meta-data about the list; the head and tail pointers in that structure refer to ListCell structures that maintain the actual linked list of nodes. The function names of the list API have also been changed to, I hope, be more logically consistent. By default, the old function names are still available; they will be disabled-by-default once the rest of the tree has been updated to use the new API names.
2004-05-26 06:41:50 +02:00
ListCell *i;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
if (stmt->privileges == NIL)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
all_privs = true;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_ALL_RIGHTS_DATABASE;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
else
{
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
all_privs = false;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
char *privname = strVal(lfirst(i));
AclMode priv = string_to_privilege(privname);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
if (priv & ~((AclMode) ACL_ALL_RIGHTS_DATABASE))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("invalid privilege type %s for database",
privilege_to_string(priv))));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges |= priv;
}
}
foreach(i, stmt->objects)
{
char *dbname = strVal(lfirst(i));
Relation relation;
ScanKeyData entry[1];
HeapScanDesc scan;
HeapTuple tuple;
Form_pg_database pg_database_tuple;
Datum aclDatum;
bool isNull;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
AclMode avail_goptions;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
AclMode this_privileges;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Acl *old_acl;
Acl *new_acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid grantorId;
Oid ownerId;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
HeapTuple newtuple;
Datum values[Natts_pg_database];
char nulls[Natts_pg_database];
char replaces[Natts_pg_database];
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
int noldmembers;
int nnewmembers;
Oid *oldmembers;
Oid *newmembers;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
relation = heap_open(DatabaseRelationId, RowExclusiveLock);
Cross-data-type comparisons are now indexable by btrees, pursuant to my pghackers proposal of 8-Nov. All the existing cross-type comparison operators (int2/int4/int8 and float4/float8) have appropriate support. The original proposal of storing the right-hand-side datatype as part of the primary key for pg_amop and pg_amproc got modified a bit in the event; it is easier to store zero as the 'default' case and only store a nonzero when the operator is actually cross-type. Along the way, remove the long-since-defunct bigbox_ops operator class.
2003-11-12 22:15:59 +01:00
ScanKeyInit(&entry[0],
Anum_pg_database_datname,
BTEqualStrategyNumber, F_NAMEEQ,
CStringGetDatum(dbname));
Restructure indexscan API (index_beginscan, index_getnext) per yesterday's proposal to pghackers. Also remove unnecessary parameters to heap_beginscan, heap_rescan. I modified pg_proc.h to reflect the new numbers of parameters for the AM interface routines, but did not force an initdb because nothing actually looks at those fields.
2002-05-21 01:51:44 +02:00
scan = heap_beginscan(relation, SnapshotNow, 1, entry);
tuple = heap_getnext(scan, ForwardScanDirection);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_DATABASE),
errmsg("database \"%s\" does not exist", dbname)));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
pg_database_tuple = (Form_pg_database) GETSTRUCT(tuple);
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Get owner ID and working copy of existing ACL. If there's no ACL,
* substitute the proper default.
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
*/
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
ownerId = pg_database_tuple->datdba;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
RelationGetDescr(relation), &isNull);
if (isNull)
old_acl = acldefault(ACL_OBJECT_DATABASE, ownerId);
else
old_acl = DatumGetAclPCopy(aclDatum);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor(GetUserId(), privileges,
old_acl, ownerId,
&grantorId, &avail_goptions);
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* If we found no grant options, consider whether to issue a hard
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* error. Per spec, having any privilege at all on the object will
* get you by here.
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (avail_goptions == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (pg_database_aclmask(HeapTupleGetOid(tuple),
grantorId,
ACL_ALL_RIGHTS_DATABASE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_DATABASE),
ACLMASK_ANY) == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_DATABASE,
NameStr(pg_database_tuple->datname));
}
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
if (stmt->is_grant)
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("no privileges were granted")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("not all privileges were granted")));
}
else
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("no privileges could be revoked")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("not all privileges could be revoked")));
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* Generate new ACL.
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* We need the members of both old and new ACLs so we can correct the
* shared dependency information.
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
*/
noldmembers = aclmembers(old_acl, &oldmembers);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
When revoking privileges from the owner, don't revoke the grant options, to avoid recursively revoking everything from everyone.
2003-10-05 23:49:12 +02:00
stmt->grant_option, stmt->behavior,
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
stmt->grantees, this_privileges,
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
grantorId, ownerId);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
nnewmembers = aclmembers(new_acl, &newmembers);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
MemSet(nulls, ' ', sizeof(nulls));
MemSet(replaces, ' ', sizeof(replaces));
replaces[Anum_pg_database_datacl - 1] = 'r';
values[Anum_pg_database_datacl - 1] = PointerGetDatum(new_acl);
Change heap_modifytuple() to require a TupleDesc rather than a Relation. Patch from Alvaro Herrera, minor editorializing by Neil Conway.
2005-01-28 00:24:11 +01:00
newtuple = heap_modifytuple(tuple, RelationGetDescr(relation), values, nulls, replaces);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
simple_heap_update(relation, &newtuple->t_self, newtuple);
Restructure system-catalog index updating logic. Instead of having hardwired lists of index names for each catalog, use the relcache's mechanism for caching lists of OIDs of indexes of any table. This reduces the common case of updating system catalog indexes to a single line, makes it much easier to add a new system index (in fact, you can now do so on-the-fly if you want to), and as a nice side benefit improves performance a little. Per recent pghackers discussion.
2002-08-05 05:29:17 +02:00
/* keep the catalog indexes up to date */
CatalogUpdateIndexes(relation, newtuple);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
/* Update the shared dependency ACL info */
updateAclDependencies(DatabaseRelationId, HeapTupleGetOid(tuple),
ownerId, stmt->is_grant,
noldmembers, oldmembers,
nnewmembers, newmembers);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
pfree(new_acl);
heap_endscan(scan);
heap_close(relation, RowExclusiveLock);
> Gavin Sherry <swm@linuxworld.com.au> writes: > > I ran across this yesterday on HEAD: > > > template1=# grant select on foo, foo to swm; > > ERROR: tuple already updated by self > > Seems to fail similarly in every version back to 7.2; probably further, > but that's all I have running at the moment. > > > We could do away with the error by producing a unique list of object names > > -- but that would impose an extra cost on the common case. > > CommandCounterIncrement in the GRANT loop would be easier, likely. > I'm having a hard time getting excited about it though... Yeah, its not that exciting but that error message would throw your average user. I've attached a patch which calls CommandCounterIncrement() in each of the grant loops. Gavin Sherry
2005-08-12 23:20:24 +02:00
/* prevent error when processing duplicate objects */
CommandCounterIncrement();
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
}
}
Allow GRANT/REVOKE to/from more than one user per invocation. Command tag for GRANT/REVOKE is now just that, not "CHANGE". On the way, migrate some of the aclitem internal representation away from the parser and build a real parse tree instead. Also add some 'const' qualifiers.
2001-06-10 01:21:55 +02:00
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
static void
ExecuteGrantStmt_Function(GrantStmt *stmt)
{
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
AclMode privileges;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
bool all_privs;
Reimplement the linked list data structure used throughout the backend. In the past, we used a 'Lispy' linked list implementation: a "list" was merely a pointer to the head node of the list. The problem with that design is that it makes lappend() and length() linear time. This patch fixes that problem (and others) by maintaining a count of the list length and a pointer to the tail node along with each head node pointer. A "list" is now a pointer to a structure containing some meta-data about the list; the head and tail pointers in that structure refer to ListCell structures that maintain the actual linked list of nodes. The function names of the list API have also been changed to, I hope, be more logically consistent. By default, the old function names are still available; they will be disabled-by-default once the rest of the tree has been updated to use the new API names.
2004-05-26 06:41:50 +02:00
ListCell *i;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
if (stmt->privileges == NIL)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
all_privs = true;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_ALL_RIGHTS_FUNCTION;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
else
{
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
all_privs = false;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_NO_RIGHTS;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
foreach(i, stmt->privileges)
{
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
char *privname = strVal(lfirst(i));
AclMode priv = string_to_privilege(privname);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
if (priv & ~((AclMode) ACL_ALL_RIGHTS_FUNCTION))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("invalid privilege type %s for function",
privilege_to_string(priv))));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges |= priv;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
}
}
foreach(i, stmt->objects)
{
FuncWithArgs *func = (FuncWithArgs *) lfirst(i);
Oid oid;
Relation relation;
HeapTuple tuple;
Form_pg_proc pg_proc_tuple;
Datum aclDatum;
bool isNull;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
AclMode avail_goptions;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
AclMode this_privileges;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Acl *old_acl;
Acl *new_acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid grantorId;
Oid ownerId;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
HeapTuple newtuple;
Datum values[Natts_pg_proc];
char nulls[Natts_pg_proc];
char replaces[Natts_pg_proc];
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
int noldmembers;
int nnewmembers;
Oid *oldmembers;
Oid *newmembers;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Some early work on error message editing. Operator-not-found and function-not-found messages now distinguish the cases no-match and ambiguous-match, and they follow the style guidelines too.
2003-07-04 04:51:34 +02:00
oid = LookupFuncNameTypeNames(func->funcname, func->funcargs, false);
REVOKE ALL ON FUNCTION nonexistant() FROM PUBLIC; Used to report that GRANT could not find function nonexistant. Rod Taylor
2002-07-18 06:50:10 +02:00
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
relation = heap_open(ProcedureRelationId, RowExclusiveLock);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
tuple = SearchSysCache(PROCOID,
ObjectIdGetDatum(oid),
0, 0, 0);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
elog(ERROR, "cache lookup failed for function %u", oid);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
pg_proc_tuple = (Form_pg_proc) GETSTRUCT(tuple);
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Get owner ID and working copy of existing ACL. If there's no ACL,
* substitute the proper default.
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
*/
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
ownerId = pg_proc_tuple->proowner;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
&isNull);
if (isNull)
old_acl = acldefault(ACL_OBJECT_FUNCTION, ownerId);
else
old_acl = DatumGetAclPCopy(aclDatum);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor(GetUserId(), privileges,
old_acl, ownerId,
&grantorId, &avail_goptions);
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* If we found no grant options, consider whether to issue a hard
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* error. Per spec, having any privilege at all on the object will
* get you by here.
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (avail_goptions == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (pg_proc_aclmask(oid,
grantorId,
ACL_ALL_RIGHTS_FUNCTION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_FUNCTION),
ACLMASK_ANY) == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_PROC,
NameStr(pg_proc_tuple->proname));
}
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
if (stmt->is_grant)
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("no privileges were granted")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("not all privileges were granted")));
}
else
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("no privileges could be revoked")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("not all privileges could be revoked")));
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* Generate new ACL.
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* We need the members of both old and new ACLs so we can correct the
* shared dependency information.
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
*/
noldmembers = aclmembers(old_acl, &oldmembers);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
When revoking privileges from the owner, don't revoke the grant options, to avoid recursively revoking everything from everyone.
2003-10-05 23:49:12 +02:00
stmt->grant_option, stmt->behavior,
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
stmt->grantees, this_privileges,
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
grantorId, ownerId);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
nnewmembers = aclmembers(new_acl, &newmembers);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/* finished building new ACL value, now insert it */
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
MemSet(values, 0, sizeof(values));
MemSet(nulls, ' ', sizeof(nulls));
MemSet(replaces, ' ', sizeof(replaces));
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
replaces[Anum_pg_proc_proacl - 1] = 'r';
values[Anum_pg_proc_proacl - 1] = PointerGetDatum(new_acl);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Change heap_modifytuple() to require a TupleDesc rather than a Relation. Patch from Alvaro Herrera, minor editorializing by Neil Conway.
2005-01-28 00:24:11 +01:00
newtuple = heap_modifytuple(tuple, RelationGetDescr(relation), values, nulls, replaces);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
simple_heap_update(relation, &newtuple->t_self, newtuple);
Restructure system-catalog index updating logic. Instead of having hardwired lists of index names for each catalog, use the relcache's mechanism for caching lists of OIDs of indexes of any table. This reduces the common case of updating system catalog indexes to a single line, makes it much easier to add a new system index (in fact, you can now do so on-the-fly if you want to), and as a nice side benefit improves performance a little. Per recent pghackers discussion.
2002-08-05 05:29:17 +02:00
/* keep the catalog indexes up to date */
CatalogUpdateIndexes(relation, newtuple);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
/* Update the shared dependency ACL info */
updateAclDependencies(ProcedureRelationId, oid,
ownerId, stmt->is_grant,
noldmembers, oldmembers,
nnewmembers, newmembers);
ReleaseSysCache(tuple);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
pfree(new_acl);
heap_close(relation, RowExclusiveLock);
> Gavin Sherry <swm@linuxworld.com.au> writes: > > I ran across this yesterday on HEAD: > > > template1=# grant select on foo, foo to swm; > > ERROR: tuple already updated by self > > Seems to fail similarly in every version back to 7.2; probably further, > but that's all I have running at the moment. > > > We could do away with the error by producing a unique list of object names > > -- but that would impose an extra cost on the common case. > > CommandCounterIncrement in the GRANT loop would be easier, likely. > I'm having a hard time getting excited about it though... Yeah, its not that exciting but that error message would throw your average user. I've attached a patch which calls CommandCounterIncrement() in each of the grant loops. Gavin Sherry
2005-08-12 23:20:24 +02:00
/* prevent error when processing duplicate objects */
CommandCounterIncrement();
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
}
}
static void
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
ExecuteGrantStmt_Language(GrantStmt *stmt)
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
{
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
AclMode privileges;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
bool all_privs;
Reimplement the linked list data structure used throughout the backend. In the past, we used a 'Lispy' linked list implementation: a "list" was merely a pointer to the head node of the list. The problem with that design is that it makes lappend() and length() linear time. This patch fixes that problem (and others) by maintaining a count of the list length and a pointer to the tail node along with each head node pointer. A "list" is now a pointer to a structure containing some meta-data about the list; the head and tail pointers in that structure refer to ListCell structures that maintain the actual linked list of nodes. The function names of the list API have also been changed to, I hope, be more logically consistent. By default, the old function names are still available; they will be disabled-by-default once the rest of the tree has been updated to use the new API names.
2004-05-26 06:41:50 +02:00
ListCell *i;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
if (stmt->privileges == NIL)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
all_privs = true;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_ALL_RIGHTS_LANGUAGE;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
else
{
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
all_privs = false;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_NO_RIGHTS;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
foreach(i, stmt->privileges)
{
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
char *privname = strVal(lfirst(i));
AclMode priv = string_to_privilege(privname);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
if (priv & ~((AclMode) ACL_ALL_RIGHTS_LANGUAGE))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("invalid privilege type %s for language",
privilege_to_string(priv))));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges |= priv;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
}
}
foreach(i, stmt->objects)
{
char *langname = strVal(lfirst(i));
Relation relation;
HeapTuple tuple;
Form_pg_language pg_language_tuple;
Datum aclDatum;
bool isNull;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
AclMode avail_goptions;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
AclMode this_privileges;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Acl *old_acl;
Acl *new_acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid grantorId;
Oid ownerId;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
HeapTuple newtuple;
Datum values[Natts_pg_language];
char nulls[Natts_pg_language];
char replaces[Natts_pg_language];
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
int noldmembers;
int nnewmembers;
Oid *oldmembers;
Oid *newmembers;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
relation = heap_open(LanguageRelationId, RowExclusiveLock);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
tuple = SearchSysCache(LANGNAME,
PointerGetDatum(langname),
0, 0, 0);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
errmsg("language \"%s\" does not exist", langname)));
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
pg_language_tuple = (Form_pg_language) GETSTRUCT(tuple);
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
if (!pg_language_tuple->lanpltrusted)
ereport(ERROR,
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
Add hint about using GRANT with non-trusted languages. James William Pye
2004-08-29 05:04:15 +02:00
errmsg("language \"%s\" is not trusted", langname),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errhint("Only superusers may use untrusted languages.")));
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Get owner ID and working copy of existing ACL. If there's no ACL,
* substitute the proper default.
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Note: for now, languages are treated as owned by the bootstrap user.
* We should add an owner column to pg_language instead.
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
*/
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = BOOTSTRAP_SUPERUSERID;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
aclDatum = SysCacheGetAttr(LANGNAME, tuple, Anum_pg_language_lanacl,
&isNull);
if (isNull)
old_acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId);
else
old_acl = DatumGetAclPCopy(aclDatum);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor(GetUserId(), privileges,
old_acl, ownerId,
&grantorId, &avail_goptions);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* If we found no grant options, consider whether to issue a hard
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* error. Per spec, having any privilege at all on the object will
* get you by here.
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (avail_goptions == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (pg_language_aclmask(HeapTupleGetOid(tuple),
grantorId,
ACL_ALL_RIGHTS_LANGUAGE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_LANGUAGE),
ACLMASK_ANY) == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_LANGUAGE,
NameStr(pg_language_tuple->lanname));
}
Grant options, and cascading revoke. Grant options are allowed only for users right now, not groups. Extension of has_foo_privileges functions to query the grant options. Extension of aclitem type to store grantor.
2003-01-24 00:39:07 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
if (stmt->is_grant)
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("no privileges were granted")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("not all privileges were granted")));
}
else
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("no privileges could be revoked")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("not all privileges could be revoked")));
}
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* Generate new ACL.
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* We need the members of both old and new ACLs so we can correct the
* shared dependency information.
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
*/
noldmembers = aclmembers(old_acl, &oldmembers);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
When revoking privileges from the owner, don't revoke the grant options, to avoid recursively revoking everything from everyone.
2003-10-05 23:49:12 +02:00
stmt->grant_option, stmt->behavior,
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
stmt->grantees, this_privileges,
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
grantorId, ownerId);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
nnewmembers = aclmembers(new_acl, &newmembers);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/* finished building new ACL value, now insert it */
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
MemSet(values, 0, sizeof(values));
MemSet(nulls, ' ', sizeof(nulls));
MemSet(replaces, ' ', sizeof(replaces));
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
replaces[Anum_pg_language_lanacl - 1] = 'r';
values[Anum_pg_language_lanacl - 1] = PointerGetDatum(new_acl);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Change heap_modifytuple() to require a TupleDesc rather than a Relation. Patch from Alvaro Herrera, minor editorializing by Neil Conway.
2005-01-28 00:24:11 +01:00
newtuple = heap_modifytuple(tuple, RelationGetDescr(relation), values, nulls, replaces);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
simple_heap_update(relation, &newtuple->t_self, newtuple);
Restructure system-catalog index updating logic. Instead of having hardwired lists of index names for each catalog, use the relcache's mechanism for caching lists of OIDs of indexes of any table. This reduces the common case of updating system catalog indexes to a single line, makes it much easier to add a new system index (in fact, you can now do so on-the-fly if you want to), and as a nice side benefit improves performance a little. Per recent pghackers discussion.
2002-08-05 05:29:17 +02:00
/* keep the catalog indexes up to date */
CatalogUpdateIndexes(relation, newtuple);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
/* Update the shared dependency ACL info */
updateAclDependencies(LanguageRelationId, HeapTupleGetOid(tuple),
ownerId, stmt->is_grant,
noldmembers, oldmembers,
nnewmembers, newmembers);
ReleaseSysCache(tuple);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
pfree(new_acl);
heap_close(relation, RowExclusiveLock);
> Gavin Sherry <swm@linuxworld.com.au> writes: > > I ran across this yesterday on HEAD: > > > template1=# grant select on foo, foo to swm; > > ERROR: tuple already updated by self > > Seems to fail similarly in every version back to 7.2; probably further, > but that's all I have running at the moment. > > > We could do away with the error by producing a unique list of object names > > -- but that would impose an extra cost on the common case. > > CommandCounterIncrement in the GRANT loop would be easier, likely. > I'm having a hard time getting excited about it though... Yeah, its not that exciting but that error message would throw your average user. I've attached a patch which calls CommandCounterIncrement() in each of the grant loops. Gavin Sherry
2005-08-12 23:20:24 +02:00
/* prevent error when processing duplicate objects */
CommandCounterIncrement();
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
}
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
static void
ExecuteGrantStmt_Namespace(GrantStmt *stmt)
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
{
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
AclMode privileges;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
bool all_privs;
Reimplement the linked list data structure used throughout the backend. In the past, we used a 'Lispy' linked list implementation: a "list" was merely a pointer to the head node of the list. The problem with that design is that it makes lappend() and length() linear time. This patch fixes that problem (and others) by maintaining a count of the list length and a pointer to the tail node along with each head node pointer. A "list" is now a pointer to a structure containing some meta-data about the list; the head and tail pointers in that structure refer to ListCell structures that maintain the actual linked list of nodes. The function names of the list API have also been changed to, I hope, be more logically consistent. By default, the old function names are still available; they will be disabled-by-default once the rest of the tree has been updated to use the new API names.
2004-05-26 06:41:50 +02:00
ListCell *i;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
if (stmt->privileges == NIL)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
all_privs = true;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_ALL_RIGHTS_NAMESPACE;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
else
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
{
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
all_privs = false;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
char *privname = strVal(lfirst(i));
AclMode priv = string_to_privilege(privname);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
if (priv & ~((AclMode) ACL_ALL_RIGHTS_NAMESPACE))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("invalid privilege type %s for schema",
privilege_to_string(priv))));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
privileges |= priv;
}
}
foreach(i, stmt->objects)
{
char *nspname = strVal(lfirst(i));
Relation relation;
HeapTuple tuple;
Form_pg_namespace pg_namespace_tuple;
Datum aclDatum;
bool isNull;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
AclMode avail_goptions;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
AclMode this_privileges;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Acl *old_acl;
Acl *new_acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid grantorId;
Oid ownerId;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
HeapTuple newtuple;
Datum values[Natts_pg_namespace];
char nulls[Natts_pg_namespace];
char replaces[Natts_pg_namespace];
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
int noldmembers;
int nnewmembers;
Oid *oldmembers;
Oid *newmembers;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
relation = heap_open(NamespaceRelationId, RowExclusiveLock);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
tuple = SearchSysCache(NAMESPACENAME,
CStringGetDatum(nspname),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_SCHEMA),
errmsg("schema \"%s\" does not exist", nspname)));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
pg_namespace_tuple = (Form_pg_namespace) GETSTRUCT(tuple);
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Get owner ID and working copy of existing ACL. If there's no ACL,
* substitute the proper default.
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
*/
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
ownerId = pg_namespace_tuple->nspowner;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple,
Anum_pg_namespace_nspacl,
&isNull);
if (isNull)
old_acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId);
else
old_acl = DatumGetAclPCopy(aclDatum);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor(GetUserId(), privileges,
old_acl, ownerId,
&grantorId, &avail_goptions);
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* If we found no grant options, consider whether to issue a hard
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* error. Per spec, having any privilege at all on the object will
* get you by here.
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (avail_goptions == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
{
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (pg_namespace_aclmask(HeapTupleGetOid(tuple),
grantorId,
ACL_ALL_RIGHTS_NAMESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_NAMESPACE),
ACLMASK_ANY) == ACL_NO_RIGHTS)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_NAMESPACE,
nspname);
}
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
if (stmt->is_grant)
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("no privileges were granted")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("not all privileges were granted")));
}
else
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("no privileges could be revoked")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("not all privileges could be revoked")));
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* Generate new ACL.
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* We need the members of both old and new ACLs so we can correct the
* shared dependency information.
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
*/
noldmembers = aclmembers(old_acl, &oldmembers);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
When revoking privileges from the owner, don't revoke the grant options, to avoid recursively revoking everything from everyone.
2003-10-05 23:49:12 +02:00
stmt->grant_option, stmt->behavior,
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
stmt->grantees, this_privileges,
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
grantorId, ownerId);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
nnewmembers = aclmembers(new_acl, &newmembers);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
MemSet(nulls, ' ', sizeof(nulls));
MemSet(replaces, ' ', sizeof(replaces));
replaces[Anum_pg_namespace_nspacl - 1] = 'r';
values[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(new_acl);
Change heap_modifytuple() to require a TupleDesc rather than a Relation. Patch from Alvaro Herrera, minor editorializing by Neil Conway.
2005-01-28 00:24:11 +01:00
newtuple = heap_modifytuple(tuple, RelationGetDescr(relation), values, nulls, replaces);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
simple_heap_update(relation, &newtuple->t_self, newtuple);
Restructure system-catalog index updating logic. Instead of having hardwired lists of index names for each catalog, use the relcache's mechanism for caching lists of OIDs of indexes of any table. This reduces the common case of updating system catalog indexes to a single line, makes it much easier to add a new system index (in fact, you can now do so on-the-fly if you want to), and as a nice side benefit improves performance a little. Per recent pghackers discussion.
2002-08-05 05:29:17 +02:00
/* keep the catalog indexes up to date */
CatalogUpdateIndexes(relation, newtuple);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
/* Update the shared dependency ACL info */
updateAclDependencies(NamespaceRelationId, HeapTupleGetOid(tuple),
ownerId, stmt->is_grant,
noldmembers, oldmembers,
nnewmembers, newmembers);
ReleaseSysCache(tuple);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
pfree(new_acl);
heap_close(relation, RowExclusiveLock);
> Gavin Sherry <swm@linuxworld.com.au> writes: > > I ran across this yesterday on HEAD: > > > template1=# grant select on foo, foo to swm; > > ERROR: tuple already updated by self > > Seems to fail similarly in every version back to 7.2; probably further, > but that's all I have running at the moment. > > > We could do away with the error by producing a unique list of object names > > -- but that would impose an extra cost on the common case. > > CommandCounterIncrement in the GRANT loop would be easier, likely. > I'm having a hard time getting excited about it though... Yeah, its not that exciting but that error message would throw your average user. I've attached a patch which calls CommandCounterIncrement() in each of the grant loops. Gavin Sherry
2005-08-12 23:20:24 +02:00
/* prevent error when processing duplicate objects */
CommandCounterIncrement();
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
}
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
static void
ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
{
AclMode privileges;
bool all_privs;
ListCell *i;
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
if (stmt->privileges == NIL)
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
{
all_privs = true;
privileges = ACL_ALL_RIGHTS_TABLESPACE;
}
else
{
all_privs = false;
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
char *privname = strVal(lfirst(i));
AclMode priv = string_to_privilege(privname);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
if (priv & ~((AclMode) ACL_ALL_RIGHTS_TABLESPACE))
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("invalid privilege type %s for tablespace",
privilege_to_string(priv))));
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
privileges |= priv;
}
}
foreach(i, stmt->objects)
{
char *spcname = strVal(lfirst(i));
Relation relation;
ScanKeyData entry[1];
HeapScanDesc scan;
HeapTuple tuple;
Form_pg_tablespace pg_tablespace_tuple;
Datum aclDatum;
bool isNull;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
AclMode avail_goptions;
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
AclMode this_privileges;
Acl *old_acl;
Acl *new_acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid grantorId;
Oid ownerId;
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
HeapTuple newtuple;
Datum values[Natts_pg_tablespace];
char nulls[Natts_pg_tablespace];
char replaces[Natts_pg_tablespace];
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
int noldmembers;
int nnewmembers;
Oid *oldmembers;
Oid *newmembers;
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
relation = heap_open(TableSpaceRelationId, RowExclusiveLock);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
ScanKeyInit(&entry[0],
Anum_pg_tablespace_spcname,
BTEqualStrategyNumber, F_NAMEEQ,
CStringGetDatum(spcname));
scan = heap_beginscan(relation, SnapshotNow, 1, entry);
tuple = heap_getnext(scan, ForwardScanDirection);
if (!HeapTupleIsValid(tuple))
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("tablespace \"%s\" does not exist", spcname)));
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
pg_tablespace_tuple = (Form_pg_tablespace) GETSTRUCT(tuple);
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Get owner ID and working copy of existing ACL. If there's no ACL,
* substitute the proper default.
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
*/
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
ownerId = pg_tablespace_tuple->spcowner;
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
RelationGetDescr(relation), &isNull);
if (isNull)
old_acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId);
else
old_acl = DatumGetAclPCopy(aclDatum);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor(GetUserId(), privileges,
old_acl, ownerId,
&grantorId, &avail_goptions);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* If we found no grant options, consider whether to issue a hard
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* error. Per spec, having any privilege at all on the object will
* get you by here.
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (avail_goptions == ACL_NO_RIGHTS)
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
{
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
if (pg_tablespace_aclmask(HeapTupleGetOid(tuple),
grantorId,
ACL_ALL_RIGHTS_TABLESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_TABLESPACE),
ACLMASK_ANY) == ACL_NO_RIGHTS)
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_TABLESPACE,
spcname);
}
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
*/
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
if (stmt->is_grant)
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("no privileges were granted")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
errmsg("not all privileges were granted")));
}
else
{
if (this_privileges == 0)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("no privileges could be revoked")));
else if (!all_privs && this_privileges != privileges)
ereport(WARNING,
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
errmsg("not all privileges could be revoked")));
}
/*
Fix the problem of GRANTs creating "dangling" privileges not directly traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 20:49:04 +02:00
* Generate new ACL.
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* We need the members of both old and new ACLs so we can correct the
* shared dependency information.
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
*/
noldmembers = aclmembers(old_acl, &oldmembers);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
stmt->grant_option, stmt->behavior,
stmt->grantees, this_privileges,
grantorId, ownerId);
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
nnewmembers = aclmembers(new_acl, &newmembers);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
MemSet(nulls, ' ', sizeof(nulls));
MemSet(replaces, ' ', sizeof(replaces));
replaces[Anum_pg_tablespace_spcacl - 1] = 'r';
values[Anum_pg_tablespace_spcacl - 1] = PointerGetDatum(new_acl);
Change heap_modifytuple() to require a TupleDesc rather than a Relation. Patch from Alvaro Herrera, minor editorializing by Neil Conway.
2005-01-28 00:24:11 +01:00
newtuple = heap_modifytuple(tuple, RelationGetDescr(relation), values, nulls, replaces);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
simple_heap_update(relation, &newtuple->t_self, newtuple);
/* keep the catalog indexes up to date */
CatalogUpdateIndexes(relation, newtuple);
Track dependencies on shared objects (which is to say, roles; we already have adequate mechanisms for tracking the contents of databases and tablespaces). This solves the longstanding problem that you can drop a user who still owns objects and/or has access permissions. Alvaro Herrera, with some kibitzing from Tom Lane.
2005-07-07 22:40:02 +02:00
/* Update the shared dependency ACL info */
updateAclDependencies(TableSpaceRelationId, HeapTupleGetOid(tuple),
ownerId, stmt->is_grant,
noldmembers, oldmembers,
nnewmembers, newmembers);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
pfree(new_acl);
heap_endscan(scan);
heap_close(relation, RowExclusiveLock);
> Gavin Sherry <swm@linuxworld.com.au> writes: > > I ran across this yesterday on HEAD: > > > template1=# grant select on foo, foo to swm; > > ERROR: tuple already updated by self > > Seems to fail similarly in every version back to 7.2; probably further, > but that's all I have running at the moment. > > > We could do away with the error by producing a unique list of object names > > -- but that would impose an extra cost on the common case. > > CommandCounterIncrement in the GRANT loop would be easier, likely. > I'm having a hard time getting excited about it though... Yeah, its not that exciting but that error message would throw your average user. I've attached a patch which calls CommandCounterIncrement() in each of the grant loops. Gavin Sherry
2005-08-12 23:20:24 +02:00
/* prevent error when processing duplicate objects */
CommandCounterIncrement();
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
}
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Bring syntax of role-related commands into SQL compliance. To avoid syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
2005-06-28 21:51:26 +02:00
static AclMode
string_to_privilege(const char *privname)
{
if (strcmp(privname, "insert") == 0)
return ACL_INSERT;
if (strcmp(privname, "select") == 0)
return ACL_SELECT;
if (strcmp(privname, "update") == 0)
return ACL_UPDATE;
if (strcmp(privname, "delete") == 0)
return ACL_DELETE;
if (strcmp(privname, "rule") == 0)
return ACL_RULE;
if (strcmp(privname, "references") == 0)
return ACL_REFERENCES;
if (strcmp(privname, "trigger") == 0)
return ACL_TRIGGER;
if (strcmp(privname, "execute") == 0)
return ACL_EXECUTE;
if (strcmp(privname, "usage") == 0)
return ACL_USAGE;
if (strcmp(privname, "create") == 0)
return ACL_CREATE;
if (strcmp(privname, "temporary") == 0)
return ACL_CREATE_TEMP;
if (strcmp(privname, "temp") == 0)
return ACL_CREATE_TEMP;
ereport(ERROR,
(errcode(ERRCODE_SYNTAX_ERROR),
errmsg("unrecognized privilege type \"%s\"", privname)));
return 0; /* appease compiler */
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
static const char *
privilege_to_string(AclMode privilege)
{
switch (privilege)
{
case ACL_INSERT:
return "INSERT";
case ACL_SELECT:
return "SELECT";
case ACL_UPDATE:
return "UPDATE";
case ACL_DELETE:
return "DELETE";
case ACL_RULE:
return "RULE";
case ACL_REFERENCES:
return "REFERENCES";
case ACL_TRIGGER:
return "TRIGGER";
case ACL_EXECUTE:
return "EXECUTE";
case ACL_USAGE:
return "USAGE";
case ACL_CREATE:
return "CREATE";
case ACL_CREATE_TEMP:
return "TEMP";
default:
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
elog(ERROR, "unrecognized privilege: %d", (int) privilege);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
}
return NULL; /* appease compiler */
}
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
/*
* Standardized reporting of aclcheck permissions failures.
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
*
* Note: we do not double-quote the %s's below, because many callers
* supply strings that might be already quoted.
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
*/
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
pgindent run.
2003-08-04 02:43:34 +02:00
static const char *const no_priv_msg[MAX_ACL_KIND] =
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
{
/* ACL_KIND_CLASS */
gettext_noop("permission denied for relation %s"),
/* ACL_KIND_DATABASE */
gettext_noop("permission denied for database %s"),
/* ACL_KIND_PROC */
gettext_noop("permission denied for function %s"),
/* ACL_KIND_OPER */
gettext_noop("permission denied for operator %s"),
/* ACL_KIND_TYPE */
gettext_noop("permission denied for type %s"),
/* ACL_KIND_LANGUAGE */
gettext_noop("permission denied for language %s"),
/* ACL_KIND_NAMESPACE */
gettext_noop("permission denied for schema %s"),
/* ACL_KIND_OPCLASS */
gettext_noop("permission denied for operator class %s"),
/* ACL_KIND_CONVERSION */
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
gettext_noop("permission denied for conversion %s"),
/* ACL_KIND_TABLESPACE */
gettext_noop("permission denied for tablespace %s")
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
};
pgindent run.
2003-08-04 02:43:34 +02:00
static const char *const not_owner_msg[MAX_ACL_KIND] =
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
{
/* ACL_KIND_CLASS */
gettext_noop("must be owner of relation %s"),
/* ACL_KIND_DATABASE */
gettext_noop("must be owner of database %s"),
/* ACL_KIND_PROC */
gettext_noop("must be owner of function %s"),
/* ACL_KIND_OPER */
gettext_noop("must be owner of operator %s"),
/* ACL_KIND_TYPE */
gettext_noop("must be owner of type %s"),
/* ACL_KIND_LANGUAGE */
gettext_noop("must be owner of language %s"),
/* ACL_KIND_NAMESPACE */
gettext_noop("must be owner of schema %s"),
/* ACL_KIND_OPCLASS */
gettext_noop("must be owner of operator class %s"),
/* ACL_KIND_CONVERSION */
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
gettext_noop("must be owner of conversion %s"),
/* ACL_KIND_TABLESPACE */
gettext_noop("must be owner of tablespace %s")
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
};
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
void
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
aclcheck_error(AclResult aclerr, AclObjectKind objectkind,
const char *objectname)
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
{
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
switch (aclerr)
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
{
case ACLCHECK_OK:
/* no error, so return to caller */
break;
case ACLCHECK_NO_PRIV:
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
errmsg(no_priv_msg[objectkind], objectname)));
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
break;
case ACLCHECK_NOT_OWNER:
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
Adjust 'permission denied' messages to be more useful and consistent.
2003-08-01 02:15:26 +02:00
errmsg(not_owner_msg[objectkind], objectname)));
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
break;
default:
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
Restructure aclcheck error reporting to make permission-failure messages more uniform and internationalizable: the global array aclcheck_error_strings[] is gone in favor of a subroutine aclcheck_error(). Partial implementation of namespace-related permission checks --- not all done yet.
2002-04-27 05:45:03 +02:00
break;
}
}
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
/* Check if given user has rolcatupdate privilege according to pg_authid */
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
static bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
has_rolcatupdate(Oid roleid)
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
{
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
bool rolcatupdate;
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
HeapTuple tuple;
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
tuple = SearchSysCache(AUTHOID,
ObjectIdGetDatum(roleid),
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
0, 0, 0);
if (!HeapTupleIsValid(tuple))
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
errmsg("role with OID %u does not exist", roleid)));
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
rolcatupdate = ((Form_pg_authid) GETSTRUCT(tuple))->rolcatupdate;
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
ReleaseSysCache(tuple);
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
return rolcatupdate;
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
}
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
/*
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
* Exported routine for examining a user's privileges for a table
*
* See aclmask() for a description of the API.
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
*
* Note: we give lookup failure the full ereport treatment because the
* has_table_privilege() family of functions allow users to pass
* any random OID to this function. Likewise for the sibling functions
* below.
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
*/
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_class_aclmask(Oid table_oid, Oid roleid,
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode mask, AclMaskHow how)
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
{
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode result;
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
HeapTuple tuple;
The no-updates-to-system-catalogs-unless-usecatupd restriction should not apply to system views. It never mattered before 7.4, but it does now.
2004-01-14 04:44:53 +01:00
Form_pg_class classForm;
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
Datum aclDatum;
bool isNull;
Acl *acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
/*
Avoid unnecessary fetch from pg_shadow in the normal case in pg_class_aclmask(). We only need to do this when we have to check pg_shadow.usecatupd, and that's not relevant unless the target table is a system catalog. So we can usually avoid one syscache lookup.
2005-05-30 01:38:05 +02:00
* Must get the relation's tuple from pg_class
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
*/
tuple = SearchSysCache(RELOID,
ObjectIdGetDatum(table_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_TABLE),
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
errmsg("relation with OID %u does not exist",
table_oid)));
The no-updates-to-system-catalogs-unless-usecatupd restriction should not apply to system views. It never mattered before 7.4, but it does now.
2004-01-14 04:44:53 +01:00
classForm = (Form_pg_class) GETSTRUCT(tuple);
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
/*
* Deny anyone permission to update a system catalog unless
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
* pg_authid.rolcatupdate is set. (This is to let superusers protect
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* themselves from themselves.) Also allow it if allowSystemTableMods.
The no-updates-to-system-catalogs-unless-usecatupd restriction should not apply to system views. It never mattered before 7.4, but it does now.
2004-01-14 04:44:53 +01:00
*
Pgindent run for 8.0.
2004-08-29 07:07:03 +02:00
* As of 7.4 we have some updatable system views; those shouldn't be
* protected in this way. Assume the view rules can take care of
* themselves.
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
*/
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)) &&
The no-updates-to-system-catalogs-unless-usecatupd restriction should not apply to system views. It never mattered before 7.4, but it does now.
2004-01-14 04:44:53 +01:00
IsSystemClass(classForm) &&
classForm->relkind != RELKIND_VIEW &&
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
!has_rolcatupdate(roleid) &&
The no-updates-to-system-catalogs-unless-usecatupd restriction should not apply to system views. It never mattered before 7.4, but it does now.
2004-01-14 04:44:53 +01:00
!allowSystemTableMods)
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
{
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
#ifdef ACLDEBUG
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
elog(DEBUG2, "permission denied for system catalog update");
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
#endif
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
mask &= ~(ACL_INSERT | ACL_UPDATE | ACL_DELETE);
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
}
/*
* Otherwise, superusers bypass all permission-checking.
*/
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
{
Make UPDATE and DELETE privileges distinct. Add REFERENCES and TRIGGER privileges. INSERT and COPY FROM now require INSERT (only). Add privileges regression test.
2001-05-27 11:59:30 +02:00
#ifdef ACLDEBUG
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
elog(DEBUG2, "OID %u is superuser, home free", roleid);
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
#endif
Change SearchSysCache coding conventions so that a reference count is maintained for each cache entry. A cache entry will not be freed until the matching ReleaseSysCache call has been executed. This eliminates worries about cache entries getting dropped while still in use. See my posting to pg-hackers of even date for more info.
2000-11-16 23:30:52 +01:00
ReleaseSysCache(tuple);
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return mask;
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
}
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
/*
* Normal case: get the relation's ACL from pg_class
*/
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
ownerId = classForm->relowner;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
&isNull);
if (isNull)
{
When a superuser does GRANT or REVOKE on an object he doesn't own, process the command as though it were issued by the object owner. This prevents creating weird scenarios in which the same privileges may appear to flow from different sources, and ensures that a superuser can in fact revoke all privileges if he wants to. In particular this means that the regression tests work when run by a superuser other than the original bootstrap userid. Per report from Larry Rosenman.
2003-10-31 21:00:49 +01:00
/* No ACL, so build default ACL */
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
acl = acldefault(ACL_OBJECT_RELATION, ownerId);
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
aclDatum = (Datum) 0;
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
}
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
else
Mega-commit to make heap_open/heap_openr/heap_close take an additional argument specifying the kind of lock to acquire/release (or 'NoLock' to do no lock processing). Ensure that all relations are locked with some appropriate lock level before being examined --- this ensures that relevant shared-inval messages have been processed and should prevent problems caused by concurrent VACUUM. Fix several bugs having to do with mismatched increment/decrement of relation ref count and mismatched heap_open/close (which amounts to the same thing). A bogus ref count on a relation doesn't matter much *unless* a SI Inval message happens to arrive at the wrong time, which is probably why we got away with this sloppiness for so long. Repair missing grab of AccessExclusiveLock in DROP TABLE, ALTER/RENAME TABLE, etc, as noted by Hiroshi. Recommend 'make clean all' after pulling this update; I modified the Relation struct layout slightly. Will post further discussion to pghackers list shortly.
1999-09-18 21:08:25 +02:00
{
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
/* detoast rel's ACL if necessary */
acl = DatumGetAclP(aclDatum);
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
}
Make default ACL be consistent --- ie, starting point for ChangeAcl is the same as the access permissions granted when a relation's relacl field is NULL, ie, owner=all rights, world=no rights.
2000-10-02 06:49:28 +02:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
result = aclmask(acl, roleid, ownerId, mask, how);
Change SearchSysCache coding conventions so that a reference count is maintained for each cache entry. A cache entry will not be freed until the matching ReleaseSysCache call has been executed. This eliminates worries about cache entries getting dropped while still in use. See my posting to pg-hackers of even date for more info.
2000-11-16 23:30:52 +01:00
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
/* if we have a detoasted copy, free it */
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
pfree(acl);
Correct permissions-checking bugs associated with ancient decision to copy PUBLIC access rights into each newly created ACL entry. Instead treat each ACL entry as independent flags. Also clean up some ugliness in acl.h API.
2001-06-05 21:34:56 +02:00
Change SearchSysCache coding conventions so that a reference count is maintained for each cache entry. A cache entry will not be freed until the matching ReleaseSysCache call has been executed. This eliminates worries about cache entries getting dropped while still in use. See my posting to pg-hackers of even date for more info.
2000-11-16 23:30:52 +01:00
ReleaseSysCache(tuple);
Renaming cleanup, no pgindent yet.
1998-09-01 05:29:17 +02:00
return result;
Postgres95 1.01 Distribution - Virgin Sources
1996-07-09 08:22:35 +02:00
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/*
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
* Exported routine for examining a user's privileges for a database
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
*/
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_database_aclmask(Oid db_oid, Oid roleid,
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode mask, AclMaskHow how)
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
{
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode result;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Relation pg_database;
ScanKeyData entry[1];
HeapScanDesc scan;
HeapTuple tuple;
Datum aclDatum;
bool isNull;
Acl *acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return mask;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/*
* Get the database's ACL from pg_database
*
* There's no syscache for pg_database, so must look the hard way
*/
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
pg_database = heap_open(DatabaseRelationId, AccessShareLock);
Cross-data-type comparisons are now indexable by btrees, pursuant to my pghackers proposal of 8-Nov. All the existing cross-type comparison operators (int2/int4/int8 and float4/float8) have appropriate support. The original proposal of storing the right-hand-side datatype as part of the primary key for pg_amop and pg_amproc got modified a bit in the event; it is easier to store zero as the 'default' case and only store a nonzero when the operator is actually cross-type. Along the way, remove the long-since-defunct bigbox_ops operator class.
2003-11-12 22:15:59 +01:00
ScanKeyInit(&entry[0],
ObjectIdAttributeNumber,
BTEqualStrategyNumber, F_OIDEQ,
ObjectIdGetDatum(db_oid));
Restructure indexscan API (index_beginscan, index_getnext) per yesterday's proposal to pghackers. Also remove unnecessary parameters to heap_beginscan, heap_rescan. I modified pg_proc.h to reflect the new numbers of parameters for the AM interface routines, but did not force an initdb because nothing actually looks at those fields.
2002-05-21 01:51:44 +02:00
scan = heap_beginscan(pg_database, SnapshotNow, 1, entry);
tuple = heap_getnext(scan, ForwardScanDirection);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_DATABASE),
errmsg("database with OID %u does not exist", db_oid)));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
ownerId = ((Form_pg_database) GETSTRUCT(tuple))->datdba;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
RelationGetDescr(pg_database), &isNull);
if (isNull)
{
/* No ACL, so build default ACL */
acl = acldefault(ACL_OBJECT_DATABASE, ownerId);
aclDatum = (Datum) 0;
}
else
{
/* detoast ACL if necessary */
acl = DatumGetAclP(aclDatum);
}
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
result = aclmask(acl, roleid, ownerId, mask, how);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/* if we have a detoasted copy, free it */
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
pfree(acl);
heap_endscan(scan);
heap_close(pg_database, AccessShareLock);
return result;
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/*
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
* Exported routine for examining a user's privileges for a function
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
*/
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_proc_aclmask(Oid proc_oid, Oid roleid,
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode mask, AclMaskHow how)
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
{
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode result;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
HeapTuple tuple;
Datum aclDatum;
bool isNull;
Acl *acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return mask;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/*
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
* Get the function's ACL from pg_proc
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
*/
tuple = SearchSysCache(PROCOID,
ObjectIdGetDatum(proc_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_FUNCTION),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("function with OID %u does not exist", proc_oid)));
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
&isNull);
if (isNull)
{
/* No ACL, so build default ACL */
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
acl = acldefault(ACL_OBJECT_FUNCTION, ownerId);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
aclDatum = (Datum) 0;
}
else
{
/* detoast ACL if necessary */
acl = DatumGetAclP(aclDatum);
}
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
result = aclmask(acl, roleid, ownerId, mask, how);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/* if we have a detoasted copy, free it */
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
pfree(acl);
ReleaseSysCache(tuple);
return result;
}
/*
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
* Exported routine for examining a user's privileges for a language
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
*/
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_language_aclmask(Oid lang_oid, Oid roleid,
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode mask, AclMaskHow how)
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
{
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode result;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
HeapTuple tuple;
Datum aclDatum;
bool isNull;
Acl *acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return mask;
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/*
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
* Get the language's ACL from pg_language
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
*/
tuple = SearchSysCache(LANGOID,
ObjectIdGetDatum(lang_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("language with OID %u does not exist", lang_oid)));
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
/* XXX pg_language should have an owner column, but doesn't */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = BOOTSTRAP_SUPERUSERID;
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
aclDatum = SysCacheGetAttr(LANGOID, tuple, Anum_pg_language_lanacl,
&isNull);
if (isNull)
{
/* No ACL, so build default ACL */
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
aclDatum = (Datum) 0;
}
else
{
/* detoast ACL if necessary */
acl = DatumGetAclP(aclDatum);
}
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
result = aclmask(acl, roleid, ownerId, mask, how);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/* if we have a detoasted copy, free it */
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
pfree(acl);
ReleaseSysCache(tuple);
return result;
}
/*
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
* Exported routine for examining a user's privileges for a namespace
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
*/
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode mask, AclMaskHow how)
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
{
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
AclMode result;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
HeapTuple tuple;
Datum aclDatum;
bool isNull;
Acl *acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return mask;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
*) inet_(client|server)_(addr|port)() and necessary documentation for the four functions. > Also, please justify the temp-related changes. I was not aware that we > had any breakage there. patch-tmp-schema.txt contains the following bits: *) Changes pg_namespace_aclmask() so that the superuser is always able to create objects in the temp namespace. *) Changes pg_namespace_aclmask() so that if this is a temp namespace, objects are only allowed to be created in the temp namespace if the user has TEMP privs on the database. This encompasses all object creation, not just TEMP tables. *) InitTempTableNamespace() checks to see if the current user, not the session user, has access to create a temp namespace. The first two changes are necessary to support the third change. Now it's possible to revoke all temp table privs from non-super users and limiting all creation of temp tables/schemas via a function that's executed with elevated privs (security definer). Before this change, it was not possible to have a setuid function to create a temp table/schema if the session user had no TEMP privs. patch-area-path.txt contains: *) Can now determine the area of a closed path. patch-dfmgr.txt contains: *) Small tweak to add the library path that's being expanded. I was using $lib/foo.so and couldn't easily figure out what the error message, "invalid macro name in dynamic library path" meant without looking through the source code. With the path in there, at least I know where to start looking in my config file. Sean Chittenden
2004-05-26 20:35:51 +02:00
/*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* If we have been assigned this namespace as a temp namespace, check to
* make sure we have CREATE TEMP permission on the database, and if so act
* as though we have all standard (but not GRANT OPTION) permissions on
* the namespace. If we don't have CREATE TEMP, act as though we have
* only USAGE (and not CREATE) rights.
*) inet_(client|server)_(addr|port)() and necessary documentation for the four functions. > Also, please justify the temp-related changes. I was not aware that we > had any breakage there. patch-tmp-schema.txt contains the following bits: *) Changes pg_namespace_aclmask() so that the superuser is always able to create objects in the temp namespace. *) Changes pg_namespace_aclmask() so that if this is a temp namespace, objects are only allowed to be created in the temp namespace if the user has TEMP privs on the database. This encompasses all object creation, not just TEMP tables. *) InitTempTableNamespace() checks to see if the current user, not the session user, has access to create a temp namespace. The first two changes are necessary to support the third change. Now it's possible to revoke all temp table privs from non-super users and limiting all creation of temp tables/schemas via a function that's executed with elevated privs (security definer). Before this change, it was not possible to have a setuid function to create a temp table/schema if the session user had no TEMP privs. patch-area-path.txt contains: *) Can now determine the area of a closed path. patch-dfmgr.txt contains: *) Small tweak to add the library path that's being expanded. I was using $lib/foo.so and couldn't easily figure out what the error message, "invalid macro name in dynamic library path" meant without looking through the source code. With the path in there, at least I know where to start looking in my config file. Sean Chittenden
2004-05-26 20:35:51 +02:00
*
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* This may seem redundant given the check in InitTempTableNamespace, but it
* really isn't since current user ID may have changed since then. The
* upshot of this behavior is that a SECURITY DEFINER function can create
* temp tables that can then be accessed (if permission is granted) by
* code in the same session that doesn't have permissions to create temp
* tables.
Fix thinko in recent patch to change temp-table permissions behavior: this is an aclmask function and does not have the same return convention as aclcheck functions. Also adjust the behavior so that users without CREATE TEMP permission still have USAGE permission on their session's temp schema. This allows privileged code to create a temp table and make it accessible to code that's not got the same privilege. (Since the default permissions on a table are no-access, an explicit grant on the table will still be needed; but I see no reason that the temp schema itself should prohibit such access.)
2004-05-28 18:17:14 +02:00
*
* XXX Would it be safe to ereport a special error message as
* InitTempTableNamespace does? Returning zero here means we'll get a
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
* generic "permission denied for schema pg_temp_N" message, which is not
* remarkably user-friendly.
*) inet_(client|server)_(addr|port)() and necessary documentation for the four functions. > Also, please justify the temp-related changes. I was not aware that we > had any breakage there. patch-tmp-schema.txt contains the following bits: *) Changes pg_namespace_aclmask() so that the superuser is always able to create objects in the temp namespace. *) Changes pg_namespace_aclmask() so that if this is a temp namespace, objects are only allowed to be created in the temp namespace if the user has TEMP privs on the database. This encompasses all object creation, not just TEMP tables. *) InitTempTableNamespace() checks to see if the current user, not the session user, has access to create a temp namespace. The first two changes are necessary to support the third change. Now it's possible to revoke all temp table privs from non-super users and limiting all creation of temp tables/schemas via a function that's executed with elevated privs (security definer). Before this change, it was not possible to have a setuid function to create a temp table/schema if the session user had no TEMP privs. patch-area-path.txt contains: *) Can now determine the area of a closed path. patch-dfmgr.txt contains: *) Small tweak to add the library path that's being expanded. I was using $lib/foo.so and couldn't easily figure out what the error message, "invalid macro name in dynamic library path" meant without looking through the source code. With the path in there, at least I know where to start looking in my config file. Sean Chittenden
2004-05-26 20:35:51 +02:00
*/
Fix thinko in recent patch to change temp-table permissions behavior: this is an aclmask function and does not have the same return convention as aclcheck functions. Also adjust the behavior so that users without CREATE TEMP permission still have USAGE permission on their session's temp schema. This allows privileged code to create a temp table and make it accessible to code that's not got the same privilege. (Since the default permissions on a table are no-access, an explicit grant on the table will still be needed; but I see no reason that the temp schema itself should prohibit such access.)
2004-05-28 18:17:14 +02:00
if (isTempNamespace(nsp_oid))
{
if (pg_database_aclcheck(MyDatabaseId, GetUserId(),
ACL_CREATE_TEMP) == ACLCHECK_OK)
return mask & ACL_ALL_RIGHTS_NAMESPACE;
else
return mask & ACL_USAGE;
*) inet_(client|server)_(addr|port)() and necessary documentation for the four functions. > Also, please justify the temp-related changes. I was not aware that we > had any breakage there. patch-tmp-schema.txt contains the following bits: *) Changes pg_namespace_aclmask() so that the superuser is always able to create objects in the temp namespace. *) Changes pg_namespace_aclmask() so that if this is a temp namespace, objects are only allowed to be created in the temp namespace if the user has TEMP privs on the database. This encompasses all object creation, not just TEMP tables. *) InitTempTableNamespace() checks to see if the current user, not the session user, has access to create a temp namespace. The first two changes are necessary to support the third change. Now it's possible to revoke all temp table privs from non-super users and limiting all creation of temp tables/schemas via a function that's executed with elevated privs (security definer). Before this change, it was not possible to have a setuid function to create a temp table/schema if the session user had no TEMP privs. patch-area-path.txt contains: *) Can now determine the area of a closed path. patch-dfmgr.txt contains: *) Small tweak to add the library path that's being expanded. I was using $lib/foo.so and couldn't easily figure out what the error message, "invalid macro name in dynamic library path" meant without looking through the source code. With the path in there, at least I know where to start looking in my config file. Sean Chittenden
2004-05-26 20:35:51 +02:00
}
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/*
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
* Get the schema's ACL from pg_namespace
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
*/
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
tuple = SearchSysCache(NAMESPACEOID,
ObjectIdGetDatum(nsp_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_SCHEMA),
errmsg("schema with OID %u does not exist", nsp_oid)));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion of bug report #1150. Also, arrange that the object owner's irrevocable grant-option permissions are handled implicitly by the system rather than being listed in the ACL as self-granted rights (which was wrong anyway). I did not take the further step of showing these permissions in an explicit 'granted by _SYSTEM' ACL entry, as that seemed more likely to bollix up existing clients than to do anything really useful. It's still a possible future direction, though.
2004-06-01 23:49:23 +02:00
ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl,
&isNull);
if (isNull)
{
/* No ACL, so build default ACL */
acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId);
aclDatum = (Datum) 0;
}
else
{
/* detoast ACL if necessary */
acl = DatumGetAclP(aclDatum);
}
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
result = aclmask(acl, roleid, ownerId, mask, how);
Privileges on functions and procedural languages
2002-02-19 00:11:58 +01:00
/* if we have a detoasted copy, free it */
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
pfree(acl);
ReleaseSysCache(tuple);
return result;
}
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/*
* Exported routine for examining a user's privileges for a tablespace
*/
AclMode
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_tablespace_aclmask(Oid spc_oid, Oid roleid,
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
AclMode mask, AclMaskHow how)
{
AclMode result;
Relation pg_tablespace;
ScanKeyData entry[1];
HeapScanDesc scan;
HeapTuple tuple;
Datum aclDatum;
bool isNull;
Acl *acl;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/*
Pgindent run for 8.0.
2004-08-29 07:07:03 +02:00
* Only shared relations can be stored in global space; don't let even
* superusers override this
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
*/
if (spc_oid == GLOBALTABLESPACE_OID && !IsBootstrapProcessingMode())
return 0;
/* Otherwise, superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
return mask;
/*
* Get the tablespace's ACL from pg_tablespace
*
* There's no syscache for pg_tablespace, so must look the hard way
*/
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
pg_tablespace = heap_open(TableSpaceRelationId, AccessShareLock);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
ScanKeyInit(&entry[0],
ObjectIdAttributeNumber,
BTEqualStrategyNumber, F_OIDEQ,
ObjectIdGetDatum(spc_oid));
scan = heap_beginscan(pg_tablespace, SnapshotNow, 1, entry);
tuple = heap_getnext(scan, ForwardScanDirection);
if (!HeapTupleIsValid(tuple))
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("tablespace with OID %u does not exist", spc_oid)));
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
ownerId = ((Form_pg_tablespace) GETSTRUCT(tuple))->spcowner;
aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
RelationGetDescr(pg_tablespace), &isNull);
if (isNull)
{
/* No ACL, so build default ACL */
acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId);
aclDatum = (Datum) 0;
}
else
{
/* detoast ACL if necessary */
acl = DatumGetAclP(aclDatum);
}
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
result = aclmask(acl, roleid, ownerId, mask, how);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/* if we have a detoasted copy, free it */
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
pfree(acl);
heap_endscan(scan);
heap_close(pg_tablespace, AccessShareLock);
return result;
}
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
/*
* Exported routine for checking a user's access privileges to a table
*
* Returns ACLCHECK_OK if the user has any of the privileges identified by
* 'mode'; otherwise returns a suitable error code (in practice, always
* ACLCHECK_NO_PRIV).
*/
AclResult
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
{
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (pg_class_aclmask(table_oid, roleid, mode, ACLMASK_ANY) != 0)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return ACLCHECK_OK;
else
return ACLCHECK_NO_PRIV;
}
/*
* Exported routine for checking a user's access privileges to a database
*/
AclResult
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
{
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (pg_database_aclmask(db_oid, roleid, mode, ACLMASK_ANY) != 0)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return ACLCHECK_OK;
else
return ACLCHECK_NO_PRIV;
}
/*
* Exported routine for checking a user's access privileges to a function
*/
AclResult
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
{
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (pg_proc_aclmask(proc_oid, roleid, mode, ACLMASK_ANY) != 0)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return ACLCHECK_OK;
else
return ACLCHECK_NO_PRIV;
}
/*
* Exported routine for checking a user's access privileges to a language
*/
AclResult
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
{
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (pg_language_aclmask(lang_oid, roleid, mode, ACLMASK_ANY) != 0)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return ACLCHECK_OK;
else
return ACLCHECK_NO_PRIV;
}
/*
* Exported routine for checking a user's access privileges to a namespace
*/
AclResult
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
{
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (pg_namespace_aclmask(nsp_oid, roleid, mode, ACLMASK_ANY) != 0)
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
return ACLCHECK_OK;
else
return ACLCHECK_NO_PRIV;
}
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/*
* Exported routine for checking a user's access privileges to a tablespace
*/
AclResult
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode)
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
{
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (pg_tablespace_aclmask(spc_oid, roleid, mode, ACLMASK_ANY) != 0)
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
return ACLCHECK_OK;
else
return ACLCHECK_NO_PRIV;
}
Refactor low-level aclcheck code to provide useful interfaces for multi-bit permissions tests in about the same amount of code as before. Exactly what the GRANT/REVOKE code ought to be doing is still up for debate, but this should be helpful in any case, and it already solves an efficiency problem in executor startup.
2004-05-11 19:36:13 +02:00
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
/*
* Ownership check for a relation (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_class_ownercheck(Oid class_oid, Oid roleid)
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
{
HeapTuple tuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
return true;
tuple = SearchSysCache(RELOID,
ObjectIdGetDatum(class_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_TABLE),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("relation with OID %u does not exist", class_oid)));
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = ((Form_pg_class) GETSTRUCT(tuple))->relowner;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
ReleaseSysCache(tuple);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, ownerId);
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
}
/*
* Ownership check for a type (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_type_ownercheck(Oid type_oid, Oid roleid)
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
{
HeapTuple tuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
return true;
tuple = SearchSysCache(TYPEOID,
ObjectIdGetDatum(type_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
errmsg("type with OID %u does not exist", type_oid)));
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = ((Form_pg_type) GETSTRUCT(tuple))->typowner;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
ReleaseSysCache(tuple);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, ownerId);
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
}
/*
* Ownership check for an operator (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_oper_ownercheck(Oid oper_oid, Oid roleid)
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
{
HeapTuple tuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
return true;
tuple = SearchSysCache(OPEROID,
ObjectIdGetDatum(oper_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_FUNCTION),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("operator with OID %u does not exist", oper_oid)));
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = ((Form_pg_operator) GETSTRUCT(tuple))->oprowner;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
ReleaseSysCache(tuple);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, ownerId);
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
}
/*
* Ownership check for a function (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_proc_ownercheck(Oid proc_oid, Oid roleid)
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
{
HeapTuple tuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
return true;
tuple = SearchSysCache(PROCOID,
ObjectIdGetDatum(proc_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_FUNCTION),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("function with OID %u does not exist", proc_oid)));
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner;
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
ReleaseSysCache(tuple);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, ownerId);
Change the aclchk.c routines to uniformly use OIDs to identify the objects to be privilege-checked. Some change in their APIs would be necessary no matter what in the schema environment, and simply getting rid of the name-based interface entirely seems like the best way.
2002-03-22 00:27:25 +01:00
}
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/*
* Ownership check for a namespace (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_namespace_ownercheck(Oid nsp_oid, Oid roleid)
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
{
HeapTuple tuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
return true;
tuple = SearchSysCache(NAMESPACEOID,
ObjectIdGetDatum(nsp_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_SCHEMA),
errmsg("schema with OID %u does not exist", nsp_oid)));
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
ReleaseSysCache(tuple);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, ownerId);
Restructure AclItem representation so that we can have more than eight different privilege bits (might as well make use of the space we were wasting on padding). EXECUTE and USAGE bits for procedures, languages now are separate privileges instead of being overlaid on SELECT. Add privileges for namespaces and databases. The GRANT and REVOKE commands work for these object types, but we don't actually enforce the privileges yet...
2002-04-21 02:26:44 +02:00
}
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/*
* Ownership check for a tablespace (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_tablespace_ownercheck(Oid spc_oid, Oid roleid)
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
{
Relation pg_tablespace;
ScanKeyData entry[1];
HeapScanDesc scan;
HeapTuple spctuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid spcowner;
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
return true;
/* There's no syscache for pg_tablespace, so must look the hard way */
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
pg_tablespace = heap_open(TableSpaceRelationId, AccessShareLock);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
ScanKeyInit(&entry[0],
ObjectIdAttributeNumber,
BTEqualStrategyNumber, F_OIDEQ,
ObjectIdGetDatum(spc_oid));
scan = heap_beginscan(pg_tablespace, SnapshotNow, 1, entry);
spctuple = heap_getnext(scan, ForwardScanDirection);
if (!HeapTupleIsValid(spctuple))
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("tablespace with OID %u does not exist", spc_oid)));
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
spcowner = ((Form_pg_tablespace) GETSTRUCT(spctuple))->spcowner;
heap_endscan(scan);
heap_close(pg_tablespace, AccessShareLock);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, spcowner);
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
}
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
/*
* Ownership check for an operator class (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_opclass_ownercheck(Oid opc_oid, Oid roleid)
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
{
HeapTuple tuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
return true;
tuple = SearchSysCache(CLAOID,
ObjectIdGetDatum(opc_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
errmsg("operator class with OID %u does not exist",
opc_oid)));
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = ((Form_pg_opclass) GETSTRUCT(tuple))->opcowner;
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
ReleaseSysCache(tuple);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, ownerId);
Implement CREATE/DROP OPERATOR CLASS. Work still remains: need more documentation (xindex.sgml should be rewritten), need to teach pg_dump about it, need to update contrib modules that currently build pg_opclass entries by hand. Original patch by Bill Studenmund, grammar adjustments and general update for 7.3 by Tom Lane.
2002-07-30 00:14:11 +02:00
}
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
/*
Tablespaces. Alternate database locations are dead, long live tablespaces. There are various things left to do: contrib dbsize and oid2name modules need work, and so does the documentation. Also someone should think about COMMENT ON TABLESPACE and maybe RENAME TABLESPACE. Also initlocation is dead, it just doesn't know it yet. Gavin Sherry and Tom Lane.
2004-06-18 08:14:31 +02:00
* Ownership check for a database (specified by OID).
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_database_ownercheck(Oid db_oid, Oid roleid)
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
{
Relation pg_database;
ScanKeyData entry[1];
HeapScanDesc scan;
HeapTuple dbtuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid dba;
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
return true;
/* There's no syscache for pg_database, so must look the hard way */
Completion of project to use fixed OIDs for all system catalogs and indexes. Replace all heap_openr and index_openr calls by heap_open and index_open. Remove runtime lookups of catalog OID numbers in various places. Remove relcache's support for looking up system catalogs by name. Bulky but mostly very boring patch ...
2005-04-14 22:03:27 +02:00
pg_database = heap_open(DatabaseRelationId, AccessShareLock);
Cross-data-type comparisons are now indexable by btrees, pursuant to my pghackers proposal of 8-Nov. All the existing cross-type comparison operators (int2/int4/int8 and float4/float8) have appropriate support. The original proposal of storing the right-hand-side datatype as part of the primary key for pg_amop and pg_amproc got modified a bit in the event; it is easier to store zero as the 'default' case and only store a nonzero when the operator is actually cross-type. Along the way, remove the long-since-defunct bigbox_ops operator class.
2003-11-12 22:15:59 +01:00
ScanKeyInit(&entry[0],
ObjectIdAttributeNumber,
BTEqualStrategyNumber, F_OIDEQ,
ObjectIdGetDatum(db_oid));
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
scan = heap_beginscan(pg_database, SnapshotNow, 1, entry);
dbtuple = heap_getnext(scan, ForwardScanDirection);
if (!HeapTupleIsValid(dbtuple))
Error message editing in backend/catalog.
2003-07-21 03:59:11 +02:00
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_DATABASE),
errmsg("database with OID %u does not exist", db_oid)));
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
dba = ((Form_pg_database) GETSTRUCT(dbtuple))->datdba;
heap_endscan(scan);
heap_close(pg_database, AccessShareLock);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, dba);
First batch of object rename commands.
2003-06-27 16:45:32 +02:00
}
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
/*
* Ownership check for a conversion (specified by OID).
*/
bool
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
pg_conversion_ownercheck(Oid conv_oid, Oid roleid)
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
{
HeapTuple tuple;
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
Oid ownerId;
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
/* Superusers bypass all permission checking. */
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
if (superuser_arg(roleid))
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
return true;
tuple = SearchSysCache(CONOID,
ObjectIdGetDatum(conv_oid),
0, 0, 0);
if (!HeapTupleIsValid(tuple))
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
errmsg("conversion with OID %u does not exist", conv_oid)));
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
Replace pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. There are still many loose ends to finish in this patch (no documentation, no regression tests, no pg_dump support for instance). But I'm going to commit it now anyway so that Alvaro can make some progress on shared dependencies. The catalog changes should be pretty much done.
2005-06-28 07:09:14 +02:00
ownerId = ((Form_pg_conversion) GETSTRUCT(tuple))->conowner;
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
ReleaseSysCache(tuple);
Add a role property 'rolinherit' which, when false, denotes that the role doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
2005-07-26 18:38:29 +02:00
return has_privs_of_role(roleid, ownerId);
COMMENT ON casts, conversions, languages, operator classes, and large objects. Dump all these in pg_dump; also add code to pg_dump user-defined conversions. Make psql's large object code rely on the backend for inserting/deleting LOB comments, instead of trying to hack pg_description directly. Documentation and regression tests added. Christopher Kings-Lynne, code reviewed by Tom
2003-11-21 23:32:49 +01:00
}