Remove rolcatupdate
This role attribute is an ancient PostgreSQL feature, but could only be set by directly updating the system catalogs, and it doesn't have any clearly defined use. Author: Adam Brightwell <adam.brightwell@crunchydatasolutions.com>
parent
6510c832bb
commit
bb8582abf3
|
@ -1415,15 +1415,6 @@
|
||||||
<entry>Role can create databases</entry>
|
<entry>Role can create databases</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry><structfield>rolcatupdate</structfield></entry>
|
|
||||||
<entry><type>bool</type></entry>
|
|
||||||
<entry>
|
|
||||||
Role can update system catalogs directly. (Even a superuser cannot do
|
|
||||||
this unless this column is true)
|
|
||||||
</entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><structfield>rolcanlogin</structfield></entry>
|
<entry><structfield>rolcanlogin</structfield></entry>
|
||||||
<entry><type>bool</type></entry>
|
<entry><type>bool</type></entry>
|
||||||
|
@ -8491,16 +8482,6 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
|
||||||
<entry>Role can create databases</entry>
|
<entry>Role can create databases</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry><structfield>rolcatupdate</structfield></entry>
|
|
||||||
<entry><type>bool</type></entry>
|
|
||||||
<entry></entry>
|
|
||||||
<entry>
|
|
||||||
Role can update system catalogs directly. (Even a superuser cannot do
|
|
||||||
this unless this column is true)
|
|
||||||
</entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><structfield>rolcanlogin</structfield></entry>
|
<entry><structfield>rolcanlogin</structfield></entry>
|
||||||
<entry><type>bool</type></entry>
|
<entry><type>bool</type></entry>
|
||||||
|
@ -9019,16 +9000,6 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
|
||||||
<entry>User is a superuser</entry>
|
<entry>User is a superuser</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry><structfield>usecatupd</structfield></entry>
|
|
||||||
<entry><type>bool</type></entry>
|
|
||||||
<entry></entry>
|
|
||||||
<entry>
|
|
||||||
User can update system catalogs. (Even a superuser cannot do
|
|
||||||
this unless this column is true.)
|
|
||||||
</entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><structfield>userepl</structfield></entry>
|
<entry><structfield>userepl</structfield></entry>
|
||||||
<entry><type>bool</type></entry>
|
<entry><type>bool</type></entry>
|
||||||
|
@ -9506,15 +9477,6 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
|
||||||
<entry>User is a superuser</entry>
|
<entry>User is a superuser</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry><structfield>usecatupd</structfield></entry>
|
|
||||||
<entry><type>bool</type></entry>
|
|
||||||
<entry>
|
|
||||||
User can update system catalogs. (Even a superuser cannot do
|
|
||||||
this unless this column is true.)
|
|
||||||
</entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><structfield>userepl</structfield></entry>
|
<entry><structfield>userepl</structfield></entry>
|
||||||
<entry><type>bool</type></entry>
|
<entry><type>bool</type></entry>
|
||||||
|
|
|
@ -3423,26 +3423,6 @@ aclcheck_error_type(AclResult aclerr, Oid typeOid)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Check if given user has rolcatupdate privilege according to pg_authid */
|
|
||||||
static bool
|
|
||||||
has_rolcatupdate(Oid roleid)
|
|
||||||
{
|
|
||||||
bool rolcatupdate;
|
|
||||||
HeapTuple tuple;
|
|
||||||
|
|
||||||
tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
|
|
||||||
if (!HeapTupleIsValid(tuple))
|
|
||||||
ereport(ERROR,
|
|
||||||
(errcode(ERRCODE_UNDEFINED_OBJECT),
|
|
||||||
errmsg("role with OID %u does not exist", roleid)));
|
|
||||||
|
|
||||||
rolcatupdate = ((Form_pg_authid) GETSTRUCT(tuple))->rolcatupdate;
|
|
||||||
|
|
||||||
ReleaseSysCache(tuple);
|
|
||||||
|
|
||||||
return rolcatupdate;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Relay for the various pg_*_mask routines depending on object kind
|
* Relay for the various pg_*_mask routines depending on object kind
|
||||||
*/
|
*/
|
||||||
|
@ -3620,8 +3600,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Deny anyone permission to update a system catalog unless
|
* Deny anyone permission to update a system catalog unless
|
||||||
* pg_authid.rolcatupdate is set. (This is to let superusers protect
|
* pg_authid.rolsuper is set. Also allow it if allowSystemTableMods.
|
||||||
* themselves from themselves.) Also allow it if allowSystemTableMods.
|
|
||||||
*
|
*
|
||||||
* As of 7.4 we have some updatable system views; those shouldn't be
|
* As of 7.4 we have some updatable system views; those shouldn't be
|
||||||
* protected in this way. Assume the view rules can take care of
|
* protected in this way. Assume the view rules can take care of
|
||||||
|
@ -3630,7 +3609,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,
|
||||||
if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) &&
|
if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) &&
|
||||||
IsSystemClass(table_oid, classForm) &&
|
IsSystemClass(table_oid, classForm) &&
|
||||||
classForm->relkind != RELKIND_VIEW &&
|
classForm->relkind != RELKIND_VIEW &&
|
||||||
!has_rolcatupdate(roleid) &&
|
!superuser_arg(roleid) &&
|
||||||
!allowSystemTableMods)
|
!allowSystemTableMods)
|
||||||
{
|
{
|
||||||
#ifdef ACLDEBUG
|
#ifdef ACLDEBUG
|
||||||
|
|
|
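Review bot: The rewritten comment above the deny check (`* pg_authid.rolsuper is set. Also allow it if allowSystemTableMods.`) no longer says what the check still buys now that every superuser passes it, which invites a later "redundant with ACLs, remove it" cleanup. What remains is a real guard: a non-superuser who has been explicitly GRANTed INSERT/UPDATE/DELETE/TRUNCATE on a system catalog is still refused here, so I would state that, e.g. `* Deny anyone but a superuser permission to modify a system catalog, even if the catalog's ACL would grant it; allowSystemTableMods overrides this.` Also worth a line in the comment or commit message: `has_rolcatupdate()` raised ERRCODE_UNDEFINED_OBJECT for a role OID with no pg_authid row, whereas `!superuser_arg(roleid)` appears to simply evaluate true for one (the privileges regression output in this commit changes from an error to `f`), so an unknown role is now silently treated as unprivileged on this path. pg_class_aclmask begins and ends outside the hunk.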
@ -13,7 +13,6 @@ CREATE VIEW pg_roles AS
|
||||||
rolinherit,
|
rolinherit,
|
||||||
rolcreaterole,
|
rolcreaterole,
|
||||||
rolcreatedb,
|
rolcreatedb,
|
||||||
rolcatupdate,
|
|
||||||
rolcanlogin,
|
rolcanlogin,
|
||||||
rolreplication,
|
rolreplication,
|
||||||
rolconnlimit,
|
rolconnlimit,
|
||||||
|
@ -31,7 +30,6 @@ CREATE VIEW pg_shadow AS
|
||||||
pg_authid.oid AS usesysid,
|
pg_authid.oid AS usesysid,
|
||||||
rolcreatedb AS usecreatedb,
|
rolcreatedb AS usecreatedb,
|
||||||
rolsuper AS usesuper,
|
rolsuper AS usesuper,
|
||||||
rolcatupdate AS usecatupd,
|
|
||||||
rolreplication AS userepl,
|
rolreplication AS userepl,
|
||||||
rolbypassrls AS usebypassrls,
|
rolbypassrls AS usebypassrls,
|
||||||
rolpassword AS passwd,
|
rolpassword AS passwd,
|
||||||
|
@ -57,7 +55,6 @@ CREATE VIEW pg_user AS
|
||||||
usesysid,
|
usesysid,
|
||||||
usecreatedb,
|
usecreatedb,
|
||||||
usesuper,
|
usesuper,
|
||||||
usecatupd,
|
|
||||||
userepl,
|
userepl,
|
||||||
usebypassrls,
|
usebypassrls,
|
||||||
'********'::text as passwd,
|
'********'::text as passwd,
|
||||||
|
|
|
@ -368,8 +368,6 @@ CreateRole(CreateRoleStmt *stmt)
|
||||||
new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
|
new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
|
||||||
new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
|
new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
|
||||||
new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
|
new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
|
||||||
/* superuser gets catupdate right by default */
|
|
||||||
new_record[Anum_pg_authid_rolcatupdate - 1] = BoolGetDatum(issuper);
|
|
||||||
new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(canlogin);
|
new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(canlogin);
|
||||||
new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(isreplication);
|
new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(isreplication);
|
||||||
new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
|
new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
|
||||||
|
@ -734,20 +732,12 @@ AlterRole(AlterRoleStmt *stmt)
|
||||||
MemSet(new_record_repl, false, sizeof(new_record_repl));
|
MemSet(new_record_repl, false, sizeof(new_record_repl));
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* issuper/createrole/catupdate/etc
|
* issuper/createrole/etc
|
||||||
*
|
|
||||||
* XXX It's rather unclear how to handle catupdate. It's probably best to
|
|
||||||
* keep it equal to the superuser status, otherwise you could end up with
|
|
||||||
* a situation where no existing superuser can alter the catalogs,
|
|
||||||
* including pg_authid!
|
|
||||||
*/
|
*/
|
||||||
if (issuper >= 0)
|
if (issuper >= 0)
|
||||||
{
|
{
|
||||||
new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper > 0);
|
new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper > 0);
|
||||||
new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
|
new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
|
||||||
|
|
||||||
new_record[Anum_pg_authid_rolcatupdate - 1] = BoolGetDatum(issuper > 0);
|
|
||||||
new_record_repl[Anum_pg_authid_rolcatupdate - 1] = true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (inherit >= 0)
|
if (inherit >= 0)
|
||||||
|
|
|
@ -53,6 +53,6 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* yyyymmddN */
|
/* yyyymmddN */
|
||||||
#define CATALOG_VERSION_NO 201503031
|
#define CATALOG_VERSION_NO 201503061
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -49,7 +49,6 @@ CATALOG(pg_authid,1260) BKI_SHARED_RELATION BKI_ROWTYPE_OID(2842) BKI_SCHEMA_MAC
|
||||||
bool rolinherit; /* inherit privileges from other roles? */
|
bool rolinherit; /* inherit privileges from other roles? */
|
||||||
bool rolcreaterole; /* allowed to create more roles? */
|
bool rolcreaterole; /* allowed to create more roles? */
|
||||||
bool rolcreatedb; /* allowed to create databases? */
|
bool rolcreatedb; /* allowed to create databases? */
|
||||||
bool rolcatupdate; /* allowed to alter catalogs manually? */
|
|
||||||
bool rolcanlogin; /* allowed to log in as session user? */
|
bool rolcanlogin; /* allowed to log in as session user? */
|
||||||
bool rolreplication; /* role used for streaming replication */
|
bool rolreplication; /* role used for streaming replication */
|
||||||
bool rolbypassrls; /* allowed to bypass row level security? */
|
bool rolbypassrls; /* allowed to bypass row level security? */
|
||||||
|
@ -76,19 +75,18 @@ typedef FormData_pg_authid *Form_pg_authid;
|
||||||
* compiler constants for pg_authid
|
* compiler constants for pg_authid
|
||||||
* ----------------
|
* ----------------
|
||||||
*/
|
*/
|
||||||
#define Natts_pg_authid 12
|
#define Natts_pg_authid 11
|
||||||
#define Anum_pg_authid_rolname 1
|
#define Anum_pg_authid_rolname 1
|
||||||
#define Anum_pg_authid_rolsuper 2
|
#define Anum_pg_authid_rolsuper 2
|
||||||
#define Anum_pg_authid_rolinherit 3
|
#define Anum_pg_authid_rolinherit 3
|
||||||
#define Anum_pg_authid_rolcreaterole 4
|
#define Anum_pg_authid_rolcreaterole 4
|
||||||
#define Anum_pg_authid_rolcreatedb 5
|
#define Anum_pg_authid_rolcreatedb 5
|
||||||
#define Anum_pg_authid_rolcatupdate 6
|
#define Anum_pg_authid_rolcanlogin 6
|
||||||
#define Anum_pg_authid_rolcanlogin 7
|
#define Anum_pg_authid_rolreplication 7
|
||||||
#define Anum_pg_authid_rolreplication 8
|
#define Anum_pg_authid_rolbypassrls 8
|
||||||
#define Anum_pg_authid_rolbypassrls 9
|
#define Anum_pg_authid_rolconnlimit 9
|
||||||
#define Anum_pg_authid_rolconnlimit 10
|
#define Anum_pg_authid_rolpassword 10
|
||||||
#define Anum_pg_authid_rolpassword 11
|
#define Anum_pg_authid_rolvaliduntil 11
|
||||||
#define Anum_pg_authid_rolvaliduntil 12
|
|
||||||
|
|
||||||
/* ----------------
|
/* ----------------
|
||||||
* initial contents of pg_authid
|
* initial contents of pg_authid
|
||||||
|
@ -97,7 +95,7 @@ typedef FormData_pg_authid *Form_pg_authid;
|
||||||
* user choices.
|
* user choices.
|
||||||
* ----------------
|
* ----------------
|
||||||
*/
|
*/
|
||||||
DATA(insert OID = 10 ( "POSTGRES" t t t t t t t t -1 _null_ _null_));
|
DATA(insert OID = 10 ( "POSTGRES" t t t t t t t -1 _null_ _null_));
|
||||||
|
|
||||||
#define BOOTSTRAP_SUPERUSERID 10
|
#define BOOTSTRAP_SUPERUSERID 10
|
||||||
|
|
||||||
|
|
|
@ -676,7 +676,11 @@ ERROR: role "nosuchuser" does not exist
|
||||||
select has_table_privilege('pg_authid','sel');
|
select has_table_privilege('pg_authid','sel');
|
||||||
ERROR: unrecognized privilege type: "sel"
|
ERROR: unrecognized privilege type: "sel"
|
||||||
select has_table_privilege(-999999,'pg_authid','update');
|
select has_table_privilege(-999999,'pg_authid','update');
|
||||||
ERROR: role with OID 4293967297 does not exist
|
has_table_privilege
|
||||||
|
---------------------
|
||||||
|
f
|
||||||
|
(1 row)
|
||||||
|
|
||||||
select has_table_privilege(1,'select');
|
select has_table_privilege(1,'select');
|
||||||
has_table_privilege
|
has_table_privilege
|
||||||
---------------------
|
---------------------
|
||||||
|
|
|
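Review bot: The expected output for `select has_table_privilege(-999999,'pg_authid','update');` now reads `f` where it previously raised `role with OID 4293967297 does not exist`, so an unknown role OID on this path is now reported as "no privilege" rather than rejected; that is a user-visible behavior change the commit description does not mention. The test also loses its only check of the error path for a nonexistent role on the OID-taking variant. If the old error is still desired, a separate case that forces a role lookup should be added (the by-name variant at the top of this hunk still errors with `role "nosuchuser" does not exist`); otherwise the commit message should state the new behavior so release notes can pick it up.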
@ -1406,7 +1406,6 @@ pg_roles| SELECT pg_authid.rolname,
|
||||||
pg_authid.rolinherit,
|
pg_authid.rolinherit,
|
||||||
pg_authid.rolcreaterole,
|
pg_authid.rolcreaterole,
|
||||||
pg_authid.rolcreatedb,
|
pg_authid.rolcreatedb,
|
||||||
pg_authid.rolcatupdate,
|
|
||||||
pg_authid.rolcanlogin,
|
pg_authid.rolcanlogin,
|
||||||
pg_authid.rolreplication,
|
pg_authid.rolreplication,
|
||||||
pg_authid.rolconnlimit,
|
pg_authid.rolconnlimit,
|
||||||
|
@ -1607,7 +1606,6 @@ pg_shadow| SELECT pg_authid.rolname AS usename,
|
||||||
pg_authid.oid AS usesysid,
|
pg_authid.oid AS usesysid,
|
||||||
pg_authid.rolcreatedb AS usecreatedb,
|
pg_authid.rolcreatedb AS usecreatedb,
|
||||||
pg_authid.rolsuper AS usesuper,
|
pg_authid.rolsuper AS usesuper,
|
||||||
pg_authid.rolcatupdate AS usecatupd,
|
|
||||||
pg_authid.rolreplication AS userepl,
|
pg_authid.rolreplication AS userepl,
|
||||||
pg_authid.rolbypassrls AS usebypassrls,
|
pg_authid.rolbypassrls AS usebypassrls,
|
||||||
pg_authid.rolpassword AS passwd,
|
pg_authid.rolpassword AS passwd,
|
||||||
|
@ -2062,7 +2060,6 @@ pg_user| SELECT pg_shadow.usename,
|
||||||
pg_shadow.usesysid,
|
pg_shadow.usesysid,
|
||||||
pg_shadow.usecreatedb,
|
pg_shadow.usecreatedb,
|
||||||
pg_shadow.usesuper,
|
pg_shadow.usesuper,
|
||||||
pg_shadow.usecatupd,
|
|
||||||
pg_shadow.userepl,
|
pg_shadow.userepl,
|
||||||
pg_shadow.usebypassrls,
|
pg_shadow.usebypassrls,
|
||||||
'********'::text AS passwd,
|
'********'::text AS passwd,
|
||||||
|
|