NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit2822788

committed

Accept SET SESSION AUTHORIZATION DEFAULT and RESET SESSION AUTHORIZATION

to reset session userid to the originally-authenticated name. Also,relax SET SESSION AUTHORIZATION to allow specifying one's own usernameeven if one is not superuser, so as to avoid unnecessary error messageswhen loading a pg_dump file that uses this command. Per discussion fromseveral months ago.

1 parent15162ae commit2822788Copy full SHA for 2822788

File tree

4 files changed

+88

-27

lines changed

doc/src/sgml/ref
- set_session_auth.sgml
src/backend
- commands
  - variable.c
- parser
  - gram.y
- utils/init
  - miscinit.c

4 files changed

+88

-27

lines changed

`‎doc/src/sgml/ref/set_session_auth.sgml`

Lines changed: 19 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.4 2002/01/20 22:19:57 petere Exp $ -->`
	`1`	`+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.5 2002/05/0619:47:30 tgl Exp $ -->`
`2`	`2`	`<refentry id="SQL-SET-SESSION-AUTHORIZATION">`
`3`	`3`	`<docinfo>`
`4`	`4`	`<date>2001-04-21</date>`
`@@ -16,7 +16,9 @@`
`16`	`16`
`17`	`17`	`<refsynopsisdiv>`
`18`	`18`	`<synopsis>`
`19`		`-SET SESSION AUTHORIZATION '<parameter>username</parameter>'`
	`19`	`+SET SESSION AUTHORIZATION <parameter>username</parameter>`
	`20`	`+SET SESSION AUTHORIZATION DEFAULT`
	`21`	`+RESET SESSION AUTHORIZATION`
`20`	`22`	`</synopsis>`
`21`	`23`	`</refsynopsisdiv>`
`22`	`24`
`@@ -26,7 +28,11 @@ SET SESSION AUTHORIZATION '<parameter>username</parameter>'`
`26`	`28`	`<para>`
`27`	`29`	`This command sets the session user identifier and the current user`
`28`	`30`	`identifier of the current SQL-session context to be`
`29`		`- <parameter>username</parameter>.`
	`31`	`+ <parameter>username</parameter>. The user name may be written as`
	`32`	`+ either an identifier or a string literal.`
	`33`	`+ The session user identifier is valid for the duration of a`
	`34`	`+ connection; for example, it is possible to temporarily become an`
	`35`	`+ unprivileged user and later switch back to become a superuser.`
`30`	`36`	`</para>`
`31`	`37`
`32`	`38`	`<para>`
`@@ -39,12 +45,18 @@ SET SESSION AUTHORIZATION '<parameter>username</parameter>'`
`39`	`45`	`</para>`
`40`	`46`
`41`	`47`	`<para>`
`42`		`-Execution of this command is only permitted if the initial session`
	`48`	`+The session user identifier may be changed only if the initial session`
`43`	`49`	`user (the <firstterm>authenticated user</firstterm>) had the`
`44`		`- superuser privilege. This permission is kept for the duration of a`
`45`		`- connection; for example, it is possible to temporarily become an`
`46`		`- unprivileged user and later switch back to become a superuser.`
	`50`	`+ superuser privilege. Otherwise, the command is accepted only if it`
	`51`	`+ specifies the authenticated username.`
`47`	`52`	`</para>`
	`53`	`+`
	`54`	`+ <para>`
	`55`	`+ The <literal>DEFAULT</> and <literal>RESET</> forms reset the session`
	`56`	`+ and current user identifiers to be the originally authenticated user`
	`57`	`+ name. These forms are always accepted.`
	`58`	`+ </para>`
	`59`	`+`
`48`	`60`	`</refsect1>`
`49`	`61`
`50`	`62`	`<refsect1>`

`‎src/backend/commands/variable.c`

Lines changed: 15 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`*`
`10`	`10`	`*`
`11`	`11`	`* IDENTIFICATION`
`12`		`- * $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.65 2002/04/22 15:13:53 thomas Exp $`
	`12`	`+ * $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.66 2002/05/06 19:47:30 tgl Exp $`
`13`	`13`	`*`
`14`	`14`	`*-------------------------------------------------------------------------`
`15`	`15`	`*/`
`@@ -815,6 +815,15 @@ reset_server_encoding(void)`
`815`	`815`	`}`
`816`	`816`
`817`	`817`
	`818`	`+staticbool`
	`819`	`+show_session_authorization(void)`
	`820`	`+{`
	`821`	`+elog(INFO,"Current session authorization is '%s'",`
	`822`	`+GetUserName(GetSessionUserId()));`
	`823`	`+return TRUE;`
	`824`	`+}`
	`825`	`+`
	`826`	`+`
`818`	`827`
`819`	`828`	`/* SetPGVariable()`
`820`	`829`	`* Dispatcher for handling SET commands.`
`@@ -902,6 +911,8 @@ GetPGVariable(const char *name)`
`902`	`911`	`show_server_encoding();`
`903`	`912`	`elseif (strcasecmp(name,"seed")==0)`
`904`	`913`	`show_random_seed();`
	`914`	`+elseif (strcasecmp(name,"session_authorization")==0)`
	`915`	`+show_session_authorization();`
`905`	`916`	`elseif (strcasecmp(name,"all")==0)`
`906`	`917`	`{`
`907`	`918`	`ShowAllGUCConfig();`
`@@ -935,13 +946,16 @@ ResetPGVariable(const char *name)`
`935`	`946`	`reset_server_encoding();`
`936`	`947`	`elseif (strcasecmp(name,"seed")==0)`
`937`	`948`	`reset_random_seed();`
	`949`	`+elseif (strcasecmp(name,"session_authorization")==0)`
	`950`	`+SetSessionAuthorization(NULL);`
`938`	`951`	`elseif (strcasecmp(name,"all")==0)`
`939`	`952`	`{`
`940`	`953`	`reset_random_seed();`
`941`	`954`	`/* reset_server_encoding(); */`
`942`	`955`	`reset_client_encoding();`
`943`	`956`	`reset_datestyle();`
`944`	`957`	`reset_timezone();`
	`958`	`+/* should we reset session authorization here? */`
`945`	`959`
`946`	`960`	`ResetAllOptions(false);`
`947`	`961`	`}`

`‎src/backend/parser/gram.y`

Lines changed: 23 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $Header: /cvsroot/pgsql/src/backend/parser/gram.y,v 2.312 2002/05/03 00:32:16 tgl Exp $`
	`14`	`+ * $Header: /cvsroot/pgsql/src/backend/parser/gram.y,v 2.313 2002/05/06 19:47:30 tgl Exp $`
`15`	`15`	`*`
`16`	`16`	`* HISTORY`
`17`	`17`	`* AUTHORDATEMAJOR EVENT`
`@@ -281,7 +281,7 @@ static void doNegateFloat(Value *v);`
`281`	`281`	`%type<ival>Iconst`
`282`	`282`	`%type<str>Sconst,comment_text`
`283`	`283`	`%type<str>UserId,opt_boolean,ColId_or_Sconst`
`284`		`-%type<list>var_list`
	`284`	`+%type<list>var_list,var_list_or_default`
`285`	`285`	`%type<str>ColId,ColLabel,type_name`
`286`	`286`	`%type<node>var_value,zone_value`
`287`	`287`
`@@ -833,14 +833,14 @@ schema_stmt: CreateStmt`
`833`	`833`	`*`
`834`	`834`	`*****************************************************************************/`
`835`	`835`
`836`		`-VariableSetStmt:SETColIdTOvar_list`
	`836`	`+VariableSetStmt:SETColIdTOvar_list_or_default`
`837`	`837`	`{`
`838`	`838`	`VariableSetStmt *n = makeNode(VariableSetStmt);`
`839`	`839`	`n->name =$2;`
`840`	`840`	`n->args =$4;`
`841`	`841`	`$$ = (Node *) n;`
`842`	`842`	`}`
`843`		`-\|SETColId'='var_list`
	`843`	`+\|SETColId'='var_list_or_default`
`844`	`844`	`{`
`845`	`845`	`VariableSetStmt *n = makeNode(VariableSetStmt);`
`846`	`846`	`n->name =$2;`
`@@ -884,14 +884,25 @@ VariableSetStmt: SET ColId TO var_list`
`884`	`884`	`n->args = makeList1(makeStringConst($4,NULL));`
`885`	`885`	`$$ = (Node *) n;`
`886`	`886`	`}`
	`887`	`+\|SETSESSIONAUTHORIZATIONDEFAULT`
	`888`	`+{`
	`889`	`+VariableSetStmt *n = makeNode(VariableSetStmt);`
	`890`	`+n->name ="session_authorization";`
	`891`	`+n->args = NIL;`
	`892`	`+$$ = (Node *) n;`
	`893`	`+}`
	`894`	`+;`
	`895`	`+`
	`896`	`+var_list_or_default:var_list`
	`897`	`+{$$ =$1; }`
	`898`	`+\|DEFAULT`
	`899`	`+{$$ = NIL; }`
`887`	`900`	`;`
`888`	`901`
`889`	`902`	`var_list:var_value`
`890`	`903`	`{$$ = makeList1($1); }`
`891`	`904`	`\|var_list','var_value`
`892`	`905`	`{$$ = lappend($1,$3); }`
`893`		`-\|DEFAULT`
`894`		`-{$$ = NIL; }`
`895`	`906`	`;`
`896`	`907`
`897`	`908`	`var_value:opt_boolean`
`@@ -1017,6 +1028,12 @@ VariableResetStmt:RESET ColId`
`1017`	`1028`	`n->name ="XactIsoLevel";`
`1018`	`1029`	`$$ = (Node *) n;`
`1019`	`1030`	`}`
	`1031`	`+\|RESETSESSIONAUTHORIZATION`
	`1032`	`+{`
	`1033`	`+VariableResetStmt *n = makeNode(VariableResetStmt);`
	`1034`	`+n->name ="session_authorization";`
	`1035`	`+$$ = (Node *) n;`
	`1036`	`+}`
`1020`	`1037`	`\|RESETALL`
`1021`	`1038`	`{`
`1022`	`1039`	`VariableResetStmt *n = makeNode(VariableResetStmt);`

`‎src/backend/utils/init/miscinit.c`

Lines changed: 31 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $Header: /cvsroot/pgsql/src/backend/utils/init/miscinit.c,v 1.89 2002/05/05 00:03:29 tgl Exp $`
	`11`	`+ * $Header: /cvsroot/pgsql/src/backend/utils/init/miscinit.c,v 1.90 2002/05/06 19:47:30 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -529,15 +529,17 @@ GetCharSetByHost(char TableName, int host, const char DataDir)`
`529`	`529`	`/* ----------------------------------------------------------------`
`530`	`530`	`*User ID things`
`531`	`531`	`*`
`532`		`- * The session user is determined at connection start and never`
`533`		`- * changes. The current user may change when "setuid" functions`
	`532`	`+ * The authenticated user is determined at connection start and never`
	`533`	`+ * changes. The session user can be changed only by SET SESSION`
	`534`	`+ * AUTHORIZATION. The current user may change when "setuid" functions`
`534`	`535`	`* are implemented. Conceptually there is a stack, whose bottom`
`535`	`536`	`* is the session user. You are yourself responsible to save and`
`536`	`537`	`* restore the current user id if you need to change it.`
`537`	`538`	`* ----------------------------------------------------------------`
`538`	`539`	`*/`
`539`		`-staticOidCurrentUserId=InvalidOid;`
	`540`	`+staticOidAuthenticatedUserId=InvalidOid;`
`540`	`541`	`staticOidSessionUserId=InvalidOid;`
	`542`	`+staticOidCurrentUserId=InvalidOid;`
`541`	`543`
`542`	`544`	`staticboolAuthenticatedUserIsSuperuser= false;`
`543`	`545`
`@@ -588,6 +590,7 @@ InitializeSessionUserId(const char *username)`
`588`	`590`	`HeapTupleuserTup;`
`589`	`591`	`Datumdatum;`
`590`	`592`	`boolisnull;`
	`593`	`+Oidusesysid;`
`591`	`594`
`592`	`595`	`/*`
`593`	`596`	`* Don't do scans if we're bootstrapping, none of the system catalogs`
`@@ -596,18 +599,22 @@ InitializeSessionUserId(const char *username)`
`596`	`599`	`AssertState(!IsBootstrapProcessingMode());`
`597`	`600`
`598`	`601`	`/* call only once */`
`599`		`-AssertState(!OidIsValid(SessionUserId));`
	`602`	`+AssertState(!OidIsValid(AuthenticatedUserId));`
`600`	`603`
`601`	`604`	`userTup=SearchSysCache(SHADOWNAME,`
`602`	`605`	`PointerGetDatum(username),`
`603`	`606`	`0,0,0);`
`604`	`607`	`if (!HeapTupleIsValid(userTup))`
`605`	`608`	`elog(FATAL,"user \"%s\" does not exist",username);`
`606`	`609`
`607`		`-SetSessionUserId(((Form_pg_shadow)GETSTRUCT(userTup))->usesysid);`
	`610`	`+usesysid= ((Form_pg_shadow)GETSTRUCT(userTup))->usesysid;`
`608`	`611`
	`612`	`+AuthenticatedUserId=usesysid;`
`609`	`613`	`AuthenticatedUserIsSuperuser= ((Form_pg_shadow)GETSTRUCT(userTup))->usesuper;`
`610`	`614`
	`615`	`+SetSessionUserId(usesysid);/* sets CurrentUserId too */`
	`616`	`+`
	`617`	`+`
`611`	`618`	`/*`
`612`	`619`	`* Set up user-specific configuration variables. This is a good`
`613`	`620`	`* place to do it so we don't have to read pg_shadow twice during`
`@@ -633,25 +640,36 @@ InitializeSessionUserIdStandalone(void)`
`633`	`640`	`AssertState(!IsUnderPostmaster);`
`634`	`641`
`635`	`642`	`/* call only once */`
`636`		`-AssertState(!OidIsValid(SessionUserId));`
	`643`	`+AssertState(!OidIsValid(AuthenticatedUserId));`
`637`	`644`
`638`		`-SetSessionUserId(BOOTSTRAP_USESYSID);`
	`645`	`+AuthenticatedUserId=BOOTSTRAP_USESYSID;`
`639`	`646`	`AuthenticatedUserIsSuperuser= true;`
	`647`	`+`
	`648`	`+SetSessionUserId(BOOTSTRAP_USESYSID);`
`640`	`649`	`}`
`641`	`650`
`642`	`651`
`643`	`652`	`/*`
`644`	`653`	`* Change session auth ID while running`
	`654`	`+ *`
	`655`	`+ * Only a superuser may set auth ID to something other than himself.`
	`656`	`+ *`
	`657`	`+ * username == NULL implies reset to default (AuthenticatedUserId).`
`645`	`658`	`*/`
`646`	`659`	`void`
`647`	`660`	`SetSessionAuthorization(constchar*username)`
`648`	`661`	`{`
`649`		`-int32userid;`
`650`		`-`
`651`		`-if (!AuthenticatedUserIsSuperuser)`
`652`		`-elog(ERROR,"permission denied");`
	`662`	`+Oiduserid;`
`653`	`663`
`654`		`-userid=get_usesysid(username);`
	`664`	`+if (username==NULL)`
	`665`	`+userid=AuthenticatedUserId;`
	`666`	`+else`
	`667`	`+{`
	`668`	`+userid=get_usesysid(username);`
	`669`	`+if (userid!=AuthenticatedUserId&&`
	`670`	`+!AuthenticatedUserIsSuperuser)`
	`671`	`+elog(ERROR,"permission denied");`
	`672`	`+}`
`655`	`673`
`656`	`674`	`SetSessionUserId(userid);`
`657`	`675`	`SetUserId(userid);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2822788

File tree

4 files changed

4 files changed

`‎doc/src/sgml/ref/set_session_auth.sgml`

`‎src/backend/commands/variable.c`

`‎src/backend/parser/gram.y`

`‎src/backend/utils/init/miscinit.c`

0 commit comments