Commit4899aaf

committed
Add GRANT CONNECTION ON DATABASE, to be used in addition to pg_hba.conf.
Gevik Babakhani
1 parent87db3ad commit4899aaf


9 files changed

+61
-19
lines changed


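--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.87 2006/03/10 19:10:47 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.88 2006/04/30 02:09:06 momjian Exp $ -->
 
 <chapter id="client-authentication">
 <title>Client Authentication</title>
@@ -206,6 +206,8 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
 Multiple user names can be supplied by separating them with commas.
 A separate file containing user names can be specified by preceding the
 file name with <literal>@</>.
+User and group connectivity can also be restricted by <command>GRANT
+CONNECTION ON DATABASE</>.
 </para>
 </listitem>
 </varlistentry>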

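--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.52 2006/02/14 03:32:14 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.53 2006/04/30 02:09:06 momjian Exp $
 PostgreSQL documentation
 -->
 
@@ -30,7 +30,7 @@ GRANT { { USAGE | SELECT | UPDATE }
 ON SEQUENCE <replaceable class="PARAMETER">sequencename</replaceable> [, ...]
 TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
 
-GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
+GRANT { { CREATE | TEMPORARY | TEMP| CONNECTION} [,...] | ALL [ PRIVILEGES ] }
 ON DATABASE <replaceable>dbname</replaceable> [, ...]
 TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
 
@@ -229,6 +229,18 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
 </listitem>
 </varlistentry>
 
+<varlistentry>
+<term>CONNECTION</term>
+<listitem>
+<para>
+Allows the ability to connect to the specified database.
+By default, Grant permissions allow users to connect to any database,
+though <filename>pg_hba.conf</> can add additional connection
+restrictions.
+</para>
+</listitem>
+</varlistentry>
+
 <varlistentry>
 <term>TEMPORARY</term>
 <term>TEMP</term>
@@ -417,6 +429,7 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
 X -- EXECUTE
 U -- USAGE
 C -- CREATE
+c -- CONNECTION
 T -- TEMPORARY
 arwdRxt -- ALL PRIVILEGES (for tables)
 * -- grant option for preceding privilege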

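--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.36 2006/01/21 02:16:18 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.37 2006/04/30 02:09:06 momjian Exp $
 PostgreSQL documentation
 -->
 
@@ -35,7 +35,7 @@ REVOKE [ GRANT OPTION FOR ]
 [ CASCADE | RESTRICT ]
 
 REVOKE [ GRANT OPTION FOR ]
-{ { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
+{ { CREATE | TEMPORARY | TEMP| CONNECTION} [,...] | ALL [ PRIVILEGES ] }
 ON DATABASE <replaceable>dbname</replaceable> [, ...]
 FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 [ CASCADE | RESTRICT ]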

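--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.125 2006/03/05 15:58:22 momjian Exp $
+* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.126 2006/04/30 02:09:07 momjian Exp $
 *
 * NOTES
 * See acl.h.
@@ -1368,6 +1368,8 @@ string_to_privilege(const char *privname)
 returnACL_CREATE_TEMP;
 if (strcmp(privname,"temp")==0)
 returnACL_CREATE_TEMP;
+if (strcmp(privname,"connection")==0)
+returnACL_CONNECT;
 ereport(ERROR,
 (errcode(ERRCODE_SYNTAX_ERROR),
 errmsg("unrecognized privilege type \"%s\"",privname)));
@@ -1401,6 +1403,8 @@ privilege_to_string(AclMode privilege)
 return"CREATE";
 caseACL_CREATE_TEMP:
 return"TEMP";
+caseACL_CONNECT:
+return"CONNECTION";
 default:
 elog(ERROR,"unrecognized privilege: %d", (int)privilege);
 }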
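Review bot: The keyword accepted by string_to_privilege and returned by privilege_to_string is spelled `"connection"`/`"CONNECTION"`, while the bit and its ACL character introduced by this commit in parsenodes.h and acl.h are named ACL_CONNECT and ACL_CONNECT_CHR; the two spellings should agree in one direction, either an `ACL_CONNECTION` macro family or a `"connect"` keyword, before the user-visible form is fixed in grant.sgml and revoke.sgml. The two added lines in each hunk otherwise mirror the neighbouring `temp` / ACL_CREATE_TEMP cases exactly, so nothing else is needed here. Both string_to_privilege and privilege_to_string start before and continue after the lines shown.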

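--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.131 2006/03/05 15:58:40 momjian Exp $
+* $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.132 2006/04/30 02:09:07 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -287,6 +287,9 @@ aclparse(const char *s, AclItem *aip)
 caseACL_CREATE_TEMP_CHR:
 read=ACL_CREATE_TEMP;
 break;
+caseACL_CONNECT_CHR:
+read=ACL_CONNECT;
+break;
 default:
 ereport(ERROR,
 (errcode(ERRCODE_INVALID_TEXT_REPRESENTATION),
@@ -550,7 +553,7 @@ acldefault(GrantObjectType objtype, Oid ownerId)
 owner_default=ACL_ALL_RIGHTS_SEQUENCE;
 break;
 caseACL_OBJECT_DATABASE:
-world_default=ACL_CREATE_TEMP;/* not NO_RIGHTS! */
+world_default=ACL_CREATE_TEMP |ACL_CONNECT;/* not NO_RIGHTS! */
 owner_default=ACL_ALL_RIGHTS_DATABASE;
 break;
 caseACL_OBJECT_FUNCTION: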
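Review bot: The comment on the changed `world_default` line in acldefault still reads only `/* not NO_RIGHTS! */`, yet the line now also hands PUBLIC the new ACL_CONNECT bit, so every role can connect to every database until an administrator explicitly revokes it and pg_hba.conf remains the only restriction by default. That choice is deliberate per the grant.sgml text in this commit, but a reader of acldefault cannot tell, so the comment should say so, e.g. `/* not NO_RIGHTS: PUBLIC keeps CREATE_TEMP and CONNECT by default so existing setups keep working; REVOKE CONNECTION to restrict */`. The aclparse addition earlier in this section mirrors the existing ACL_CREATE_TEMP_CHR case and needs no further change; both functions extend beyond the hunks shown.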

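--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.162 2006/03/29 21:17:39 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.163 2006/04/30 02:09:07 momjian Exp $
 *
 *
 *-------------------------------------------------------------------------
@@ -51,7 +51,7 @@
 
 
 staticboolFindMyDatabase(constchar*name,Oid*db_id,Oid*db_tablespace);
-staticvoidReverifyMyDatabase(constchar*name);
+staticvoidReverifyMyDatabase(constchar*name,constchar*user_name);
 staticvoidInitCommunication(void);
 staticvoidShutdownPostgres(intcode,Datumarg);
 staticboolThereIsAtLeastOneRole(void);
@@ -130,8 +130,9 @@ FindMyDatabase(const char *name, Oid *db_id, Oid *db_tablespace)
 * during session startup, this place is also fitting to set up any
 * database-specific configuration variables.
 */
+
 staticvoid
-ReverifyMyDatabase(constchar*name)
+ReverifyMyDatabase(constchar*name,constchar*user_name)
 {
 Relationpgdbrel;
 SysScanDescpgdbscan;
@@ -211,6 +212,23 @@ ReverifyMyDatabase(const char *name)
 (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
 errmsg("too many connections for database \"%s\"",
 name)));
+
+/*
+* Checking for privilege to connect to the database
+* We want to bypass the test if we are running in bootstrap mode
+*/
+if (!IsBootstrapProcessingMode())
+{
+if(pg_database_aclcheck(MyDatabaseId,GetUserId()
+,ACL_CONNECT)!=ACLCHECK_OK )
+{
+ereport(FATAL,
+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+errmsg("couldn't connect to database %s",NameStr(dbform->datname)),
+errdetail("User %s doesn't have the CONNECTION privilege for database %s.",
+user_name,NameStr(dbform->datname))));
+}
+}
 }
 
 /*
@@ -487,7 +505,7 @@ InitPostgres(const char *dbname, const char *username)
 * superuser, so the above stuff has to happen first.)
 */
 if (!bootstrap)
-ReverifyMyDatabase(dbname);
+ReverifyMyDatabase(dbname,username);
 
 /*
 * Final phase of relation cache startup: write a new cache file if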
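Review bot: The new FATAL in ReverifyMyDatabase prints the database name unquoted and with a contraction (`"couldn't connect to database %s"`) while the message three lines above it writes `\"%s\"`; the surrounding style would be `errmsg("permission denied for database \"%s\"", NameStr(dbform->datname))` with `errdetail("User \"%s\" does not have the CONNECTION privilege.", user_name)`, and the stray leading comma in `,ACL_CONNECT)!=ACLCHECK_OK )` should be folded onto the previous line. The `IsBootstrapProcessingMode()` guard looks redundant, since the only call site in this commit (the InitPostgres hunk) already skips ReverifyMyDatabase when `bootstrap` is set; if it is kept for another path, the comment should name that path. The check itself is made against `GetUserId()` but the message reports `user_name` passed in from InitPostgres; if those can ever name different roles the error would be misleading, which is worth confirming against the callers. ReverifyMyDatabase's body, including where `dbform` is set, lies outside the hunk on both sides.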

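--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -37,7 +37,7 @@
 * Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
-* $PostgreSQL: pgsql/src/include/catalog/catversion.h,v 1.326 2006/04/26 22:33:13 momjian Exp $
+* $PostgreSQL: pgsql/src/include/catalog/catversion.h,v 1.327 2006/04/30 02:09:07 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -53,6 +53,6 @@
 */
 
 /*yyyymmddN */
-#defineCATALOG_VERSION_NO200604262
+#defineCATALOG_VERSION_NO200604291
 
 #endif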

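--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
-* $PostgreSQL: pgsql/src/include/nodes/parsenodes.h,v 1.308 2006/04/27 00:33:46 momjian Exp $
+* $PostgreSQL: pgsql/src/include/nodes/parsenodes.h,v 1.309 2006/04/30 02:09:07 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -57,7 +57,8 @@ typedef uint32 AclMode;/* a bitmask of privilege bits */
 #defineACL_USAGE(1<<8)/* for languages and namespaces */
 #defineACL_CREATE(1<<9)/* for namespaces and databases */
 #defineACL_CREATE_TEMP (1<<10)/* for databases */
-#defineN_ACL_RIGHTS11/* 1 plus the last 1<<x */
+#defineACL_CONNECT(1<<11)/* for database connection privilege */
+#defineN_ACL_RIGHTS12/* 1 plus the last 1<<x */
 #defineACL_NO_RIGHTS0
 /* Currently, SELECT ... FOR UPDATE/FOR SHARE requires UPDATE privileges */
 #defineACL_SELECT_FOR_UPDATEACL_UPDATE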

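--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
-* $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.93 2006/03/05 15:59:06 momjian Exp $
+* $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.94 2006/04/30 02:09:07 momjian Exp $
 *
 * NOTES
 * An ACL array is simply an array of AclItems, representing the union
@@ -135,16 +135,17 @@ typedef ArrayType Acl;
 #defineACL_USAGE_CHR'U'
 #defineACL_CREATE_CHR'C'
 #defineACL_CREATE_TEMP_CHR'T'
+#defineACL_CONNECT_CHR'c'
 
 /* string holding all privilege code chars, in order by bitmask position */
-#defineACL_ALL_RIGHTS_STR"arwdRxtXUCT"
+#defineACL_ALL_RIGHTS_STR"arwdRxtXUCTc"
 
 /*
 * Bitmasks defining "all rights" for each supported object type
 */
 #defineACL_ALL_RIGHTS_RELATION(ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_RULE|ACL_REFERENCES|ACL_TRIGGER)
 #defineACL_ALL_RIGHTS_SEQUENCE(ACL_USAGE|ACL_SELECT|ACL_UPDATE)
-#defineACL_ALL_RIGHTS_DATABASE(ACL_CREATE|ACL_CREATE_TEMP)
+#defineACL_ALL_RIGHTS_DATABASE(ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT)
 #defineACL_ALL_RIGHTS_FUNCTION(ACL_EXECUTE)
 #defineACL_ALL_RIGHTS_LANGUAGE(ACL_USAGE)
 #defineACL_ALL_RIGHTS_NAMESPACE(ACL_USAGE|ACL_CREATE)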
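Review bot: ACL_ALL_RIGHTS_STR grows to twelve characters here and must stay in step with both N_ACL_RIGHTS (now 12 in the parsenodes.h hunk of this commit) and the bit position of each ACL_*_CHR, but nothing in either header enforces that, so the next privilege added to one file and not the other would be silently mis-parsed or mis-printed. A comment on the string naming the coupling, `/* exactly N_ACL_RIGHTS chars, one per bit in parsenodes.h order */`, or an Assert on `strlen(ACL_ALL_RIGHTS_STR) == N_ACL_RIGHTS` at the place the string is indexed, would catch that. The new code char `'c'` also sits one case away from ACL_CREATE_CHR `'C'`, which is easy to misread in aclitem output; that is consistent with the docs table in grant.sgml, so it only needs a short remark beside the define.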
