1996-08-27 21:59:28 -04:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
1999-02-13 18:22:53 -05:00
|
|
|
* acl.h
|
1996-08-27 21:59:28 -04:00
|
|
|
* Definition of (and support for) access control list data structures.
|
|
|
|
|
*
|
|
|
|
|
*
|
2025-01-01 11:21:55 -05:00
|
|
|
* Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
|
2000-01-26 00:58:53 -05:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
1996-08-27 21:59:28 -04:00
|
|
|
*
|
2010-09-20 16:08:53 -04:00
|
|
|
* src/include/utils/acl.h
|
1996-08-27 21:59:28 -04:00
|
|
|
*
|
|
|
|
|
* NOTES
|
2003-10-29 17:20:54 -05:00
|
|
|
* An ACL array is simply an array of AclItems, representing the union
|
|
|
|
|
* of the privileges represented by the individual items. A zero-length
|
2017-09-13 20:02:09 -04:00
|
|
|
* array represents "no privileges".
|
|
|
|
|
*
|
|
|
|
|
* The order of items in the array is important as client utilities (in
|
|
|
|
|
* particular, pg_dump, though possibly other clients) expect to be able
|
|
|
|
|
* to issue GRANTs in the ordering of the items in the array. The reason
|
|
|
|
|
* this matters is that GRANTs WITH GRANT OPTION must be before any GRANTs
|
|
|
|
|
* which depend on it. This happens naturally in the backend during
|
|
|
|
|
* operations as we update ACLs in-place, new items are appended, and
|
|
|
|
|
* existing entries are only removed if there's no dependency on them (no
|
|
|
|
|
* GRANT can been based on it, or, if there was, those GRANTs are also
|
|
|
|
|
* removed).
|
1996-08-27 21:59:28 -04:00
|
|
|
*
|
2003-10-29 17:20:54 -05:00
|
|
|
* For backward-compatibility purposes we have to allow null ACL entries
|
|
|
|
|
* in system catalogs. A null ACL will be treated as meaning "default
|
|
|
|
|
* protection" (i.e., whatever acldefault() returns).
|
1996-08-27 21:59:28 -04:00
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifndef ACL_H
|
|
|
|
|
#define ACL_H
|
|
|
|
|
|
Allow CURRENT/SESSION_USER to be used in certain commands
Commands such as ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and the
various ALTER OBJECT / OWNER TO, as well as ad-hoc clauses related to
roles such as the AUTHORIZATION clause of CREATE SCHEMA, the FOR clause
of CREATE USER MAPPING, and the FOR ROLE clause of ALTER DEFAULT
PRIVILEGES can now take the keywords CURRENT_USER and SESSION_USER as
user specifiers in place of an explicit user name.
This commit also fixes some quite ugly handling of special standards-
mandated syntax in CREATE USER MAPPING, which in particular would fail
to work in presence of a role named "current_user".
The special role specifiers PUBLIC and NONE also have more consistent
handling now.
Also take the opportunity to add location tracking to user specifiers.
Authors: Kyotaro Horiguchi. Heavily reworked by Álvaro Herrera.
Reviewed by: Rushabh Lathia, Adam Brightwell, Marti Raudsepp.
2015-03-09 14:41:54 -04:00
|
|
|
#include "access/htup.h"
|
1999-07-15 19:04:24 -04:00
|
|
|
#include "nodes/parsenodes.h"
|
2016-09-06 12:00:00 -04:00
|
|
|
#include "parser/parse_node.h"
|
2009-12-10 22:34:57 -05:00
|
|
|
#include "utils/snapshot.h"
|
2002-03-21 18:27:25 -05:00
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
|
2014-12-23 13:35:49 -05:00
|
|
|
/*
|
|
|
|
|
* typedef AclMode is declared in parsenodes.h, also the individual privilege
|
|
|
|
|
* bit meanings are defined there
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define ACL_ID_PUBLIC 0 /* placeholder for id in a PUBLIC acl item */
|
|
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
/*
|
|
|
|
|
* AclItem
|
2002-04-20 20:26:44 -04:00
|
|
|
*
|
|
|
|
|
* Note: must be same size on all platforms, because the size is hardcoded
|
|
|
|
|
* in the pg_type.h entry for aclitem.
|
1996-08-27 21:59:28 -04:00
|
|
|
*/
|
|
|
|
|
typedef struct AclItem
|
|
|
|
|
{
|
2005-06-28 01:09:14 -04:00
|
|
|
Oid ai_grantee; /* ID that this item grants privs to */
|
|
|
|
|
Oid ai_grantor; /* grantor of privs */
|
|
|
|
|
AclMode ai_privs; /* privilege bits */
|
1996-08-27 21:59:28 -04:00
|
|
|
} AclItem;
|
1997-09-07 01:04:48 -04:00
|
|
|
|
2002-04-20 20:26:44 -04:00
|
|
|
/*
|
2022-11-23 14:41:30 -05:00
|
|
|
* The upper 32 bits of the ai_privs field of an AclItem are the grant option
|
|
|
|
|
* bits, and the lower 32 bits are the actual privileges. We use "rights"
|
2004-06-01 17:49:23 -04:00
|
|
|
* to mean the combined grant option and privilege bits fields.
|
2002-04-20 20:26:44 -04:00
|
|
|
*/
|
2022-11-23 14:41:30 -05:00
|
|
|
#define ACLITEM_GET_PRIVS(item) ((item).ai_privs & 0xFFFFFFFF)
|
|
|
|
|
#define ACLITEM_GET_GOPTIONS(item) (((item).ai_privs >> 32) & 0xFFFFFFFF)
|
2005-06-28 01:09:14 -04:00
|
|
|
#define ACLITEM_GET_RIGHTS(item) ((item).ai_privs)
|
2003-01-23 18:39:07 -05:00
|
|
|
|
2022-11-23 14:41:30 -05:00
|
|
|
#define ACL_GRANT_OPTION_FOR(privs) (((AclMode) (privs) & 0xFFFFFFFF) << 32)
|
|
|
|
|
#define ACL_OPTION_TO_PRIVS(privs) (((AclMode) (privs) >> 32) & 0xFFFFFFFF)
|
2003-01-23 18:39:07 -05:00
|
|
|
|
|
|
|
|
#define ACLITEM_SET_PRIVS(item,privs) \
|
2022-11-23 14:41:30 -05:00
|
|
|
((item).ai_privs = ((item).ai_privs & ~((AclMode) 0xFFFFFFFF)) | \
|
|
|
|
|
((AclMode) (privs) & 0xFFFFFFFF))
|
2003-01-23 18:39:07 -05:00
|
|
|
#define ACLITEM_SET_GOPTIONS(item,goptions) \
|
2022-11-23 14:41:30 -05:00
|
|
|
((item).ai_privs = ((item).ai_privs & ~(((AclMode) 0xFFFFFFFF) << 32)) | \
|
|
|
|
|
(((AclMode) (goptions) & 0xFFFFFFFF) << 32))
|
2004-06-01 17:49:23 -04:00
|
|
|
#define ACLITEM_SET_RIGHTS(item,rights) \
|
2005-06-28 01:09:14 -04:00
|
|
|
((item).ai_privs = (AclMode) (rights))
|
|
|
|
|
|
|
|
|
|
#define ACLITEM_SET_PRIVS_GOPTIONS(item,privs,goptions) \
|
2022-11-23 14:41:30 -05:00
|
|
|
((item).ai_privs = ((AclMode) (privs) & 0xFFFFFFFF) | \
|
|
|
|
|
(((AclMode) (goptions) & 0xFFFFFFFF) << 32))
|
2003-06-11 05:23:55 -04:00
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
|
2022-11-23 14:41:30 -05:00
|
|
|
#define ACLITEM_ALL_PRIV_BITS ((AclMode) 0xFFFFFFFF)
|
|
|
|
|
#define ACLITEM_ALL_GOPTION_BITS ((AclMode) 0xFFFFFFFF << 32)
|
2000-07-31 18:39:17 -04:00
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
/*
|
2005-11-17 21:38:24 -05:00
|
|
|
* Definitions for convenient access to Acl (array of AclItem).
|
|
|
|
|
* These are standard PostgreSQL arrays, but are restricted to have one
|
|
|
|
|
* dimension and no nulls. We also ignore the lower bound when reading,
|
2004-08-06 14:05:49 -04:00
|
|
|
* and set it to one when writing.
|
2000-07-31 18:39:17 -04:00
|
|
|
*
|
2003-01-23 18:39:07 -05:00
|
|
|
* CAUTION: as of PostgreSQL 7.1, these arrays are toastable (just like all
|
2000-07-31 18:39:17 -04:00
|
|
|
* other array types). Therefore, be careful to detoast them with the
|
|
|
|
|
* macros provided, unless you know for certain that a particular array
|
2005-06-28 01:09:14 -04:00
|
|
|
* can't have been toasted.
|
1996-08-27 21:59:28 -04:00
|
|
|
*/
|
2000-07-31 18:39:17 -04:00
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
|
|
|
|
|
/*
|
2003-01-23 18:39:07 -05:00
|
|
|
* Acl a one-dimensional array of AclItem
|
1996-08-27 21:59:28 -04:00
|
|
|
*/
|
2019-08-16 13:33:30 -04:00
|
|
|
typedef struct ArrayType Acl;
|
1997-09-07 01:04:48 -04:00
|
|
|
|
2000-07-31 18:39:17 -04:00
|
|
|
#define ACL_NUM(ACL) (ARR_DIMS(ACL)[0])
|
1996-08-27 21:59:28 -04:00
|
|
|
#define ACL_DAT(ACL) ((AclItem *) ARR_DATA_PTR(ACL))
|
2005-11-17 17:14:56 -05:00
|
|
|
#define ACL_N_SIZE(N) (ARR_OVERHEAD_NONULLS(1) + ((N) * sizeof(AclItem)))
|
1996-08-27 21:59:28 -04:00
|
|
|
#define ACL_SIZE(ACL) ARR_SIZE(ACL)
|
|
|
|
|
|
2000-07-31 18:39:17 -04:00
|
|
|
/*
|
|
|
|
|
* fmgr macros for these types
|
|
|
|
|
*/
|
|
|
|
|
#define DatumGetAclItemP(X) ((AclItem *) DatumGetPointer(X))
|
|
|
|
|
#define PG_GETARG_ACLITEM_P(n) DatumGetAclItemP(PG_GETARG_DATUM(n))
|
|
|
|
|
#define PG_RETURN_ACLITEM_P(x) PG_RETURN_POINTER(x)
|
|
|
|
|
|
|
|
|
|
#define DatumGetAclP(X) ((Acl *) PG_DETOAST_DATUM(X))
|
|
|
|
|
#define DatumGetAclPCopy(X) ((Acl *) PG_DETOAST_DATUM_COPY(X))
|
|
|
|
|
#define PG_GETARG_ACL_P(n) DatumGetAclP(PG_GETARG_DATUM(n))
|
|
|
|
|
#define PG_GETARG_ACL_P_COPY(n) DatumGetAclPCopy(PG_GETARG_DATUM(n))
|
|
|
|
|
#define PG_RETURN_ACL_P(x) PG_RETURN_POINTER(x)
|
|
|
|
|
|
2000-10-02 00:49:28 -04:00
|
|
|
/*
|
2004-06-01 17:49:23 -04:00
|
|
|
* ACL modification opcodes for aclupdate
|
2000-10-02 00:49:28 -04:00
|
|
|
*/
|
|
|
|
|
#define ACL_MODECHG_ADD 1
|
|
|
|
|
#define ACL_MODECHG_DEL 2
|
|
|
|
|
#define ACL_MODECHG_EQL 3
|
|
|
|
|
|
2002-04-20 20:26:44 -04:00
|
|
|
/*
|
|
|
|
|
* External representations of the privilege bits --- aclitemin/aclitemout
|
|
|
|
|
* represent each possible privilege bit with a distinct 1-character code
|
|
|
|
|
*/
|
|
|
|
|
#define ACL_INSERT_CHR 'a' /* formerly known as "append" */
|
|
|
|
|
#define ACL_SELECT_CHR 'r' /* formerly known as "read" */
|
|
|
|
|
#define ACL_UPDATE_CHR 'w' /* formerly known as "write" */
|
|
|
|
|
#define ACL_DELETE_CHR 'd'
|
2008-09-07 20:47:41 -04:00
|
|
|
#define ACL_TRUNCATE_CHR 'D' /* super-delete, as it were */
|
2002-04-20 20:26:44 -04:00
|
|
|
#define ACL_REFERENCES_CHR 'x'
|
|
|
|
|
#define ACL_TRIGGER_CHR 't'
|
|
|
|
|
#define ACL_EXECUTE_CHR 'X'
|
|
|
|
|
#define ACL_USAGE_CHR 'U'
|
|
|
|
|
#define ACL_CREATE_CHR 'C'
|
|
|
|
|
#define ACL_CREATE_TEMP_CHR 'T'
|
2006-04-29 22:09:07 -04:00
|
|
|
#define ACL_CONNECT_CHR 'c'
|
2022-04-06 13:24:33 -04:00
|
|
|
#define ACL_SET_CHR 's'
|
2022-03-22 09:06:15 -04:00
|
|
|
#define ACL_ALTER_SYSTEM_CHR 'A'
|
2024-03-13 15:49:26 -04:00
|
|
|
#define ACL_MAINTAIN_CHR 'm'
|
2002-04-20 20:26:44 -04:00
|
|
|
|
|
|
|
|
/* string holding all privilege code chars, in order by bitmask position */
|
2024-03-13 15:49:26 -04:00
|
|
|
#define ACL_ALL_RIGHTS_STR "arwdDxtXUCTcsAm"
|
2002-04-20 20:26:44 -04:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Bitmasks defining "all rights" for each supported object type
|
|
|
|
|
*/
|
2009-01-22 15:16:10 -05:00
|
|
|
#define ACL_ALL_RIGHTS_COLUMN (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_REFERENCES)
|
2024-03-13 15:49:26 -04:00
|
|
|
#define ACL_ALL_RIGHTS_RELATION (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_TRUNCATE|ACL_REFERENCES|ACL_TRIGGER|ACL_MAINTAIN)
|
2006-01-20 21:16:21 -05:00
|
|
|
#define ACL_ALL_RIGHTS_SEQUENCE (ACL_USAGE|ACL_SELECT|ACL_UPDATE)
|
2006-04-30 17:15:33 -04:00
|
|
|
#define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT)
|
2008-12-19 11:25:19 -05:00
|
|
|
#define ACL_ALL_RIGHTS_FDW (ACL_USAGE)
|
|
|
|
|
#define ACL_ALL_RIGHTS_FOREIGN_SERVER (ACL_USAGE)
|
2002-04-20 20:26:44 -04:00
|
|
|
#define ACL_ALL_RIGHTS_FUNCTION (ACL_EXECUTE)
|
|
|
|
|
#define ACL_ALL_RIGHTS_LANGUAGE (ACL_USAGE)
|
2009-12-10 22:34:57 -05:00
|
|
|
#define ACL_ALL_RIGHTS_LARGEOBJECT (ACL_SELECT|ACL_UPDATE)
|
2022-04-06 13:24:33 -04:00
|
|
|
#define ACL_ALL_RIGHTS_PARAMETER_ACL (ACL_SET|ACL_ALTER_SYSTEM)
|
2017-10-11 18:35:19 -04:00
|
|
|
#define ACL_ALL_RIGHTS_SCHEMA (ACL_USAGE|ACL_CREATE)
|
2004-06-18 02:14:31 -04:00
|
|
|
#define ACL_ALL_RIGHTS_TABLESPACE (ACL_CREATE)
|
2011-12-19 17:05:19 -05:00
|
|
|
#define ACL_ALL_RIGHTS_TYPE (ACL_USAGE)
|
2002-04-20 20:26:44 -04:00
|
|
|
|
2004-05-11 13:36:13 -04:00
|
|
|
/* operation codes for pg_*_aclmask */
|
|
|
|
|
typedef enum
|
|
|
|
|
{
|
|
|
|
|
ACLMASK_ALL, /* normal case: compute all bits */
|
|
|
|
|
ACLMASK_ANY, /* return when result is known nonzero */
|
|
|
|
|
} AclMaskHow;
|
1996-08-27 21:59:28 -04:00
|
|
|
|
2002-03-21 18:27:25 -05:00
|
|
|
/* result codes for pg_*_aclcheck */
|
2002-04-26 23:45:03 -04:00
|
|
|
typedef enum
|
|
|
|
|
{
|
|
|
|
|
ACLCHECK_OK = 0,
|
|
|
|
|
ACLCHECK_NO_PRIV,
|
|
|
|
|
ACLCHECK_NOT_OWNER,
|
|
|
|
|
} AclResult;
|
1996-08-27 21:59:28 -04:00
|
|
|
|
2005-11-30 21:03:01 -05:00
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
/*
|
2000-10-06 20:58:23 -04:00
|
|
|
* routines used internally
|
1996-08-27 21:59:28 -04:00
|
|
|
*/
|
2017-10-11 18:35:19 -04:00
|
|
|
extern Acl *acldefault(ObjectType objtype, Oid ownerId);
|
|
|
|
|
extern Acl *get_user_default_acl(ObjectType objtype, Oid ownerId,
|
2009-10-05 15:24:49 -04:00
|
|
|
Oid nsp_oid);
|
Fix missing role dependencies for some schema and type ACLs.
This patch fixes several related cases in which pg_shdepend entries were
never made, or were lost, for references to roles appearing in the ACLs of
schemas and/or types. While that did no immediate harm, if a referenced
role were later dropped, the drop would be allowed and would leave a
dangling reference in the object's ACL. That still wasn't a big problem
for normal database usage, but it would cause obscure failures in
subsequent dump/reload or pg_upgrade attempts, taking the form of
attempts to grant privileges to all-numeric role names. (I think I've
seen field reports matching that symptom, but can't find any right now.)
Several cases are fixed here:
1. ALTER DOMAIN SET/DROP DEFAULT would lose the dependencies for any
existing ACL entries for the domain. This case is ancient, dating
back as far as we've had pg_shdepend tracking at all.
2. If a default type privilege applies, CREATE TYPE recorded the
ACL properly but forgot to install dependency entries for it.
This dates to the addition of default privileges for types in 9.2.
3. If a default schema privilege applies, CREATE SCHEMA recorded the
ACL properly but forgot to install dependency entries for it.
This dates to the addition of default privileges for schemas in v10
(commit ab89e465c).
Another somewhat-related problem is that when creating a relation
rowtype or implicit array type, TypeCreate would apply any available
default type privileges to that type, which we don't really want
since such an object isn't supposed to have privileges of its own.
(You can't, for example, drop such privileges once they've been added
to an array type.)
ab89e465c is also to blame for a race condition in the regression tests:
privileges.sql transiently installed globally-applicable default
privileges on schemas, which sometimes got absorbed into the ACLs of
schemas created by concurrent test scripts. This should have resulted
in failures when privileges.sql tried to drop the role holding such
privileges; but thanks to the bug fixed here, it instead led to dangling
ACLs in the final state of the regression database. We'd managed not to
notice that, but it became obvious in the wake of commit da906766c, which
allowed the race condition to occur in pg_upgrade tests.
To fix, add a function recordDependencyOnNewAcl to encapsulate what
callers of get_user_default_acl need to do; while the original call
sites got that right via ad-hoc code, none of the later-added ones
have. Also change GenerateTypeDependencies to generate these
dependencies, which requires adding the typacl to its parameter list.
(That might be annoying if there are any extensions calling that
function directly; but if there are, they're most likely buggy in the
same way as the core callers were, so they need work anyway.) While
I was at it, I changed GenerateTypeDependencies to accept most of its
parameters in the form of a Form_pg_type pointer, making its parameter
list a bit less unwieldy and mistake-prone.
The test race condition is fixed just by wrapping the addition and
removal of default privileges into a single transaction, so that that
state is never visible externally. We might eventually prefer to
separate out tests of default privileges into a script that runs by
itself, but that would be a bigger change and would make the tests
run slower overall.
Back-patch relevant parts to all supported branches.
Discussion: https://postgr.es/m/15719.1541725287@sss.pgh.pa.us
2018-11-09 20:42:03 -05:00
|
|
|
extern void recordDependencyOnNewAcl(Oid classId, Oid objectId, int32 objsubId,
|
|
|
|
|
Oid ownerId, Acl *acl);
|
2009-10-05 15:24:49 -04:00
|
|
|
|
2004-06-01 17:49:23 -04:00
|
|
|
extern Acl *aclupdate(const Acl *old_acl, const AclItem *mod_aip,
|
2005-06-28 01:09:14 -04:00
|
|
|
int modechg, Oid ownerId, DropBehavior behavior);
|
|
|
|
|
extern Acl *aclnewowner(const Acl *old_acl, Oid oldOwnerId, Oid newOwnerId);
|
2009-10-05 15:24:49 -04:00
|
|
|
extern Acl *make_empty_acl(void);
|
2009-01-22 15:16:10 -05:00
|
|
|
extern Acl *aclcopy(const Acl *orig_acl);
|
|
|
|
|
extern Acl *aclconcat(const Acl *left_acl, const Acl *right_acl);
|
2009-10-05 15:24:49 -04:00
|
|
|
extern Acl *aclmerge(const Acl *left_acl, const Acl *right_acl, Oid ownerId);
|
|
|
|
|
extern void aclitemsort(Acl *acl);
|
|
|
|
|
extern bool aclequal(const Acl *left_acl, const Acl *right_acl);
|
2004-08-29 01:07:03 -04:00
|
|
|
|
2005-06-28 01:09:14 -04:00
|
|
|
extern AclMode aclmask(const Acl *acl, Oid roleid, Oid ownerId,
|
2004-06-01 17:49:23 -04:00
|
|
|
AclMode mask, AclMaskHow how);
|
2005-07-07 16:40:02 -04:00
|
|
|
extern int aclmembers(const Acl *acl, Oid **roleids);
|
1996-08-27 21:59:28 -04:00
|
|
|
|
2005-07-26 12:38:29 -04:00
|
|
|
extern bool has_privs_of_role(Oid member, Oid role);
|
Add a SET option to the GRANT command.
Similar to how the INHERIT option controls whether or not the
permissions of the granted role are automatically available to the
grantee, the new SET permission controls whether or not the grantee
may use the SET ROLE command to assume the privileges of the granted
role.
In addition, the new SET permission controls whether or not it
is possible to transfer ownership of objects to the target role
or to create new objects owned by the target role using commands
such as CREATE DATABASE .. OWNER. We could alternatively have made
this controlled by the INHERIT option, or allow it when either
option is given. An advantage of this approach is that if you
are granted a predefined role with INHERIT TRUE, SET FALSE, you
can't go and create objects owned by that role.
The underlying theory here is that the ability to create objects
as a target role is not a privilege per se, and thus does not
depend on whether you inherit the target role's privileges. However,
it's surely something you could do anyway if you could SET ROLE
to the target role, and thus making it contingent on whether you
have that ability is reasonable.
Design review by Nathan Bossat, Wolfgang Walther, Jeff Davis,
Peter Eisentraut, and Stephen Frost.
Discussion: http://postgr.es/m/CA+Tgmob+zDSRS6JXYrgq0NWdzCXuTNzT5eK54Dn2hhgt17nm8A@mail.gmail.com
2022-11-18 12:32:50 -05:00
|
|
|
extern bool member_can_set_role(Oid member, Oid role);
|
|
|
|
|
extern void check_can_set_role(Oid member, Oid role);
|
2005-06-28 01:09:14 -04:00
|
|
|
extern bool is_member_of_role(Oid member, Oid role);
|
2005-11-04 12:25:15 -05:00
|
|
|
extern bool is_member_of_role_nosuper(Oid member, Oid role);
|
2005-06-29 16:34:15 -04:00
|
|
|
extern bool is_admin_of_role(Oid member, Oid role);
|
Make role grant system more consistent with other privileges.
Previously, membership of role A in role B could be recorded in the
catalog tables only once. This meant that a new grant of role A to
role B would overwrite the previous grant. For other object types, a
new grant of permission on an object - in this case role A - exists
along side the existing grant provided that the grantor is different.
Either grant can be revoked independently of the other, and
permissions remain so long as at least one grant remains. Make role
grants work similarly.
Previously, when granting membership in a role, the superuser could
specify any role whatsoever as the grantor, but for other object types,
the grantor of record must be either the owner of the object, or a
role that currently has privileges to perform a similar GRANT.
Implement the same scheme for role grants, treating the bootstrap
superuser as the role owner since roles do not have owners. This means
that attempting to revoke a grant, or admin option on a grant, can now
fail if there are dependent privileges, and that CASCADE can be used
to revoke these. It also means that you can't grant ADMIN OPTION on
a role back to a user who granted it directly or indirectly to you,
similar to how you can't give WITH GRANT OPTION on a privilege back
to a role which granted it directly or indirectly to you.
Previously, only the superuser could specify GRANTED BY with a user
other than the current user. Relax that rule to allow the grantor
to be any role whose privileges the current user posseses. This
doesn't improve compatibility with what we do for other object types,
where support for GRANTED BY is entirely vestigial, but it makes this
feature more usable and seems to make sense to change at the same time
we're changing related behaviors.
Along the way, fix "ALTER GROUP group_name ADD USER user_name" to
require the same privileges as "GRANT group_name TO user_name".
Previously, CREATEROLE privileges were sufficient for either, but
only the former form was permissible with ADMIN OPTION on the role.
Now, either CREATEROLE or ADMIN OPTION on the role suffices for
either spelling.
Patch by me, reviewed by Stephen Frost.
Discussion: http://postgr.es/m/CA+TgmoaFr-RZeQ+WoQ5nKPv97oT9+aDgK_a5+qWHSgbDsMp1Vg@mail.gmail.com
2022-08-22 11:35:17 -04:00
|
|
|
extern Oid select_best_admin(Oid member, Oid role);
|
2022-09-20 16:09:30 -04:00
|
|
|
extern Oid get_role_oid(const char *rolname, bool missing_ok);
|
|
|
|
|
extern Oid get_role_oid_or_public(const char *rolname);
|
2016-12-28 12:00:00 -05:00
|
|
|
extern Oid get_rolespec_oid(const RoleSpec *role, bool missing_ok);
|
|
|
|
|
extern void check_rolespec_name(const RoleSpec *role, const char *detail_msg);
|
|
|
|
|
extern HeapTuple get_rolespec_tuple(const RoleSpec *role);
|
|
|
|
|
extern char *get_rolespec_name(const RoleSpec *role);
|
2005-06-28 01:09:14 -04:00
|
|
|
|
2005-10-10 14:49:04 -04:00
|
|
|
extern void select_best_grantor(Oid roleId, AclMode privileges,
|
|
|
|
|
const Acl *acl, Oid ownerId,
|
|
|
|
|
Oid *grantorId, AclMode *grantOptions);
|
|
|
|
|
|
2005-06-28 15:51:26 -04:00
|
|
|
extern void initialize_acl(void);
|
2005-06-28 01:09:14 -04:00
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
/*
|
|
|
|
|
* prototypes for functions in aclchk.c
|
|
|
|
|
*/
|
2001-06-09 19:21:55 -04:00
|
|
|
extern void ExecuteGrantStmt(GrantStmt *stmt);
|
2016-09-06 12:00:00 -04:00
|
|
|
extern void ExecAlterDefaultPrivilegesStmt(ParseState *pstate, AlterDefaultPrivilegesStmt *stmt);
|
2009-10-05 15:24:49 -04:00
|
|
|
|
|
|
|
|
extern void RemoveRoleFromObjectACL(Oid roleid, Oid classid, Oid objid);
|
1996-08-27 21:59:28 -04:00
|
|
|
|
2005-06-28 01:09:14 -04:00
|
|
|
extern AclMode pg_class_aclmask(Oid table_oid, Oid roleid,
|
2004-05-11 13:36:13 -04:00
|
|
|
AclMode mask, AclMaskHow how);
|
|
|
|
|
|
Harden has_xxx_privilege() functions against concurrent object drops.
The versions of these functions that accept object OIDs are supposed
to return NULL, rather than failing, if the target object has been
dropped. This makes it safe(r) to use them in queries that scan
catalogs, since the functions will be applied to objects that are
visible in the query's snapshot but might now be gone according to
the catalog snapshot. In most cases we implemented this by doing
a SearchSysCacheExists test and assuming that if that succeeds, we
can safely invoke the appropriate aclchk.c function, which will
immediately re-fetch the same syscache entry. It was argued that
if the existence test succeeds then the followup fetch must succeed
as well, for lack of any intervening AcceptInvalidationMessages call.
Alexander Lakhin demonstrated that this is not so when
CATCACHE_FORCE_RELEASE is enabled: the syscache entry will be forcibly
dropped at the end of SearchSysCacheExists, and then it is possible
for the catalog snapshot to get advanced while re-fetching the entry.
Alexander's test case requires the operation to happen inside a
parallel worker, but that seems incidental to the fundamental problem.
What remains obscure is whether there is a way for this to happen in a
non-debug build. Nonetheless, CATCACHE_FORCE_RELEASE is a very useful
test methodology, so we'd better make the code safe for it.
After some discussion we concluded that the most future-proof fix
is to give up the assumption that checking SearchSysCacheExists can
guarantee success of a later fetch. At best that assumption leads
to fragile code --- for example, has_type_privilege appears broken
for array types even if you believe the assumption holds. And it's
not even particularly efficient.
There had already been some work towards extending the aclchk.c
APIs to include "is_missing" output flags, so this patch extends
that work to cover all the aclchk.c functions that are used by the
has_xxx_privilege() functions. (This allows getting rid of some
ad-hoc decisions about not throwing errors in certain places in
aclchk.c.)
In passing, this fixes the has_sequence_privilege() functions to
provide the same guarantees as their cousins: for some reason the
SearchSysCacheExists tests never got added to those.
There is more work to do to remove the unsafe coding pattern with
SearchSysCacheExists in other places, but this is a pretty
self-contained patch so I'll commit it separately.
Per bug #18014 from Alexander Lakhin. Given the lack of hard evidence
that there's a bug in non-debug builds, I'm content to fix this only
in HEAD. (Perhaps we should clean up the has_sequence_privilege()
oversight in the back branches, but in the absence of field complaints
I'm not too excited about that either.)
Discussion: https://postgr.es/m/18014-28c81cb79d44295d@postgresql.org
2023-10-14 14:49:50 -04:00
|
|
|
/* generic functions */
|
|
|
|
|
extern AclResult object_aclcheck(Oid classid, Oid objectid,
|
|
|
|
|
Oid roleid, AclMode mode);
|
|
|
|
|
extern AclResult object_aclcheck_ext(Oid classid, Oid objectid,
|
|
|
|
|
Oid roleid, AclMode mode,
|
|
|
|
|
bool *is_missing);
|
2022-11-13 02:11:17 -05:00
|
|
|
|
|
|
|
|
/* special cases */
|
2009-01-22 15:16:10 -05:00
|
|
|
extern AclResult pg_attribute_aclcheck(Oid table_oid, AttrNumber attnum,
|
|
|
|
|
Oid roleid, AclMode mode);
|
Fix has_column_privilege function corner case
According to the comments, when an invalid or dropped column oid is passed
to has_column_privilege(), the intention has always been to return NULL.
However, when the caller had table level privilege the invalid/missing
column was never discovered, because table permissions were checked first.
Fix that by introducing extended versions of pg_attribute_acl(check|mask)
and pg_class_acl(check|mask) which take a new argument, is_missing. When
is_missing is NULL, the old behavior is preserved. But when is_missing is
passed by the caller, no ERROR is thrown for dropped or missing
columns/relations, and is_missing is flipped to true. This in turn allows
has_column_privilege to check for column privileges first, providing the
desired semantics.
Not backpatched since it is a user visible behavioral change with no previous
complaints, and the fix is a bit on the invasive side.
Author: Joe Conway
Reviewed-By: Tom Lane
Reported by: Ian Barwick
Discussion: https://postgr.es/m/flat/9b5f4311-157b-4164-7fe7-077b4fe8ed84%40joeconway.com
2021-03-31 13:55:25 -04:00
|
|
|
extern AclResult pg_attribute_aclcheck_ext(Oid table_oid, AttrNumber attnum,
|
|
|
|
|
Oid roleid, AclMode mode,
|
|
|
|
|
bool *is_missing);
|
2009-01-22 15:16:10 -05:00
|
|
|
extern AclResult pg_attribute_aclcheck_all(Oid table_oid, Oid roleid,
|
|
|
|
|
AclMode mode, AclMaskHow how);
|
Harden has_xxx_privilege() functions against concurrent object drops.
The versions of these functions that accept object OIDs are supposed
to return NULL, rather than failing, if the target object has been
dropped. This makes it safe(r) to use them in queries that scan
catalogs, since the functions will be applied to objects that are
visible in the query's snapshot but might now be gone according to
the catalog snapshot. In most cases we implemented this by doing
a SearchSysCacheExists test and assuming that if that succeeds, we
can safely invoke the appropriate aclchk.c function, which will
immediately re-fetch the same syscache entry. It was argued that
if the existence test succeeds then the followup fetch must succeed
as well, for lack of any intervening AcceptInvalidationMessages call.
Alexander Lakhin demonstrated that this is not so when
CATCACHE_FORCE_RELEASE is enabled: the syscache entry will be forcibly
dropped at the end of SearchSysCacheExists, and then it is possible
for the catalog snapshot to get advanced while re-fetching the entry.
Alexander's test case requires the operation to happen inside a
parallel worker, but that seems incidental to the fundamental problem.
What remains obscure is whether there is a way for this to happen in a
non-debug build. Nonetheless, CATCACHE_FORCE_RELEASE is a very useful
test methodology, so we'd better make the code safe for it.
After some discussion we concluded that the most future-proof fix
is to give up the assumption that checking SearchSysCacheExists can
guarantee success of a later fetch. At best that assumption leads
to fragile code --- for example, has_type_privilege appears broken
for array types even if you believe the assumption holds. And it's
not even particularly efficient.
There had already been some work towards extending the aclchk.c
APIs to include "is_missing" output flags, so this patch extends
that work to cover all the aclchk.c functions that are used by the
has_xxx_privilege() functions. (This allows getting rid of some
ad-hoc decisions about not throwing errors in certain places in
aclchk.c.)
In passing, this fixes the has_sequence_privilege() functions to
provide the same guarantees as their cousins: for some reason the
SearchSysCacheExists tests never got added to those.
There is more work to do to remove the unsafe coding pattern with
SearchSysCacheExists in other places, but this is a pretty
self-contained patch so I'll commit it separately.
Per bug #18014 from Alexander Lakhin. Given the lack of hard evidence
that there's a bug in non-debug builds, I'm content to fix this only
in HEAD. (Perhaps we should clean up the has_sequence_privilege()
oversight in the back branches, but in the absence of field complaints
I'm not too excited about that either.)
Discussion: https://postgr.es/m/18014-28c81cb79d44295d@postgresql.org
2023-10-14 14:49:50 -04:00
|
|
|
extern AclResult pg_attribute_aclcheck_all_ext(Oid table_oid, Oid roleid,
|
|
|
|
|
AclMode mode, AclMaskHow how,
|
|
|
|
|
bool *is_missing);
|
2005-06-28 01:09:14 -04:00
|
|
|
extern AclResult pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode);
|
Fix has_column_privilege function corner case
According to the comments, when an invalid or dropped column oid is passed
to has_column_privilege(), the intention has always been to return NULL.
However, when the caller had table level privilege the invalid/missing
column was never discovered, because table permissions were checked first.
Fix that by introducing extended versions of pg_attribute_acl(check|mask)
and pg_class_acl(check|mask) which take a new argument, is_missing. When
is_missing is NULL, the old behavior is preserved. But when is_missing is
passed by the caller, no ERROR is thrown for dropped or missing
columns/relations, and is_missing is flipped to true. This in turn allows
has_column_privilege to check for column privileges first, providing the
desired semantics.
Not backpatched since it is a user visible behavioral change with no previous
complaints, and the fix is a bit on the invasive side.
Author: Joe Conway
Reviewed-By: Tom Lane
Reported by: Ian Barwick
Discussion: https://postgr.es/m/flat/9b5f4311-157b-4164-7fe7-077b4fe8ed84%40joeconway.com
2021-03-31 13:55:25 -04:00
|
|
|
extern AclResult pg_class_aclcheck_ext(Oid table_oid, Oid roleid,
|
|
|
|
|
AclMode mode, bool *is_missing);
|
2022-04-06 13:24:33 -04:00
|
|
|
extern AclResult pg_parameter_aclcheck(const char *name, Oid roleid,
|
|
|
|
|
AclMode mode);
|
2022-09-20 16:09:30 -04:00
|
|
|
extern AclResult pg_largeobject_aclcheck_snapshot(Oid lobj_oid, Oid roleid,
|
2009-12-10 22:34:57 -05:00
|
|
|
AclMode mode, Snapshot snapshot);
|
2002-04-26 23:45:03 -04:00
|
|
|
|
2017-12-02 09:26:34 -05:00
|
|
|
extern void aclcheck_error(AclResult aclerr, ObjectType objtype,
|
2003-07-31 20:15:26 -04:00
|
|
|
const char *objectname);
|
2002-02-18 18:11:58 -05:00
|
|
|
|
2017-12-02 09:26:34 -05:00
|
|
|
extern void aclcheck_error_col(AclResult aclerr, ObjectType objtype,
|
2009-01-22 15:16:10 -05:00
|
|
|
const char *objectname, const char *colname);
|
|
|
|
|
|
2012-06-15 15:55:03 -04:00
|
|
|
extern void aclcheck_error_type(AclResult aclerr, Oid typeOid);
|
|
|
|
|
|
2017-01-29 23:05:07 -05:00
|
|
|
extern void recordExtObjInitPriv(Oid objoid, Oid classoid);
|
|
|
|
|
extern void removeExtObjInitPriv(Oid objoid, Oid classoid);
|
Improve tracking of role dependencies of pg_init_privs entries.
Commit 534287403 invented SHARED_DEPENDENCY_INITACL entries in
pg_shdepend, but installed them only for non-owner roles mentioned
in a pg_init_privs entry. This turns out to be the wrong thing,
because there is nothing to cue REASSIGN OWNED to go and update
pg_init_privs entries when the object's ownership is reassigned.
That leads to leaving dangling entries in pg_init_privs, as
reported by Hannu Krosing. Instead, install INITACL entries for
all roles mentioned in pg_init_privs entries (except pinned roles),
and change ALTER OWNER to not touch them, just as it doesn't
touch pg_init_privs entries.
REASSIGN OWNED will now substitute the new owner OID for the old
in pg_init_privs entries. This feels like perhaps not quite the
right thing, since pg_init_privs ought to be a historical record
of the state of affairs just after CREATE EXTENSION. However,
it's hard to see what else to do, if we don't want to disallow
dropping the object's original owner. In any case this is
better than the previous do-nothing behavior, and we're unlikely
to come up with a superior solution in time for v17.
While here, tighten up some coding rules about how ACLs in
pg_init_privs should never be null or empty. There's not any
obvious reason to allow that, and perhaps asserting that it's
not so will catch some bugs. (We were previously inconsistent
on the point, with some code paths taking care not to store
empty ACLs and others not.)
This leaves recordExtensionInitPrivWorker not doing anything
with its ownerId argument, but we'll deal with that separately.
catversion bump forced because of change of expected contents
of pg_shdepend when pg_init_privs entries exist.
Discussion: https://postgr.es/m/CAMT0RQSVgv48G5GArUvOVhottWqZLrvC5wBzBa4HrUdXe9VRXw@mail.gmail.com
2024-06-17 12:55:10 -04:00
|
|
|
extern void ReplaceRoleInInitPriv(Oid oldroleid, Oid newroleid,
|
|
|
|
|
Oid classid, Oid objid, int32 objsubid);
|
Fix failure to track role dependencies of pg_init_privs entries.
If an ACL recorded in pg_init_privs mentions a non-pinned role,
that reference must also be noted in pg_shdepend so that we know
that the role can't go away without removing the ACL reference.
Otherwise, DROP ROLE could succeed and leave dangling entries
behind, which is what's causing the recent upgrade-check failures
on buildfarm member copperhead.
This has been wrong since pg_init_privs was introduced, but it's
escaped notice because typical pg_init_privs entries would only
mention the bootstrap superuser (pinned) or at worst the owner
of the extension (who can't go away before the extension does).
We lack even a representation of such a role reference for
pg_shdepend. My first thought for a solution was entries listing
pg_init_privs in classid, but that doesn't work because then there's
noplace to put the granted-on object's classid. Rather than adding
a new column to pg_shdepend, let's add a new deptype code
SHARED_DEPENDENCY_INITACL. Much of the associated boilerplate
code can be cribbed from code for SHARED_DEPENDENCY_ACL.
A lot of the bulk of this patch just stems from the new need to pass
the object's owner ID to recordExtensionInitPriv, so that we can
consult it while updating pg_shdepend. While many callers have that
at hand already, a few places now need to fetch the owner ID of an
arbitrary privilege-bearing object. For that, we assume that there
is a catcache on the relevant catalog's OID column, which is an
assumption already made in ExecGrant_common so it seems okay here.
We do need an entirely new routine RemoveRoleFromInitPriv to perform
cleanup of pg_init_privs ACLs during DROP OWNED BY. It's analogous
to RemoveRoleFromObjectACL, but we can't share logic because that
function operates by building a command parsetree and invoking
existing GRANT/REVOKE infrastructure. There is of course no SQL
command that would update pg_init_privs entries when we're not in
process of creating their extension, so we need a routine that can
do the updates directly.
catversion bump because this changes the expected contents of
pg_shdepend. For the same reason, there's no hope of back-patching
this, even though it fixes a longstanding bug. Fortunately, the
case where it's a problem seems to be near nonexistent in the field.
If it weren't for the buildfarm breakage, I'd have been content to
leave this for v18.
Patch by me; thanks to Daniel Gustafsson for review and discussion.
Discussion: https://postgr.es/m/1745535.1712358659@sss.pgh.pa.us
2024-04-29 19:26:19 -04:00
|
|
|
extern void RemoveRoleFromInitPriv(Oid roleid,
|
|
|
|
|
Oid classid, Oid objid, int32 objsubid);
|
2017-01-29 23:05:07 -05:00
|
|
|
|
|
|
|
|
|
2002-03-21 18:27:25 -05:00
|
|
|
/* ownercheck routines just return true (owner) or false (not) */
|
2022-11-13 02:11:17 -05:00
|
|
|
extern bool object_ownercheck(Oid classid, Oid objectid, Oid roleid);
|
2014-12-23 13:35:49 -05:00
|
|
|
extern bool has_createrole_privilege(Oid roleid);
|
|
|
|
|
extern bool has_bypassrls_privilege(Oid roleid);
|
2002-03-21 18:27:25 -05:00
|
|
|
|
1996-08-27 21:59:28 -04:00
|
|
|
#endif /* ACL_H */
|
