Commit a609d96

Revert "Use a bitmask to represent role attributes"

This reverts commit 1826987. The overall design was deemed unacceptable, in discussion following the previous commit message; we might find some parts of it still salvageable, but I don't want to be on the hook for fixing it, so let's wait until we have a new patch.

1 parent d7ee82e commit a609d96

30 files changed, +372 -798 lines changed

doc/src/sgml/catalogs.sgml

Lines changed: 41 additions & 86 deletions
@@ -1391,134 +1391,89 @@
13911391
</row>
13921392

13931393
<row>
1394-
<entry><structfield>rolattr</structfield></entry>
1395-
<entry><type>bigint</type></entry>
1396-
<entry>
1397-
Role attributes; see <xref linkend="catalog-rolattr-bitmap-table"> and
1398-
<xref linkend="sql-createrole"> for details
1399-
</entry>
1400-
</row>
1401-
1402-
<row>
1403-
<entry><structfield>rolconnlimit</structfield></entry>
1404-
<entry><type>int4</type></entry>
1405-
<entry>
1406-
For roles that can log in, this sets maximum number of concurrent
1407-
connections this role can make. -1 means no limit.
1408-
</entry>
1409-
</row>
1410-
1411-
<row>
1412-
<entry><structfield>rolpassword</structfield></entry>
1413-
<entry><type>text</type></entry>
1414-
<entry>
1415-
Password (possibly encrypted); null if none. If the password
1416-
is encrypted, this column will begin with the string <literal>md5</>
1417-
followed by a 32-character hexadecimal MD5 hash. The MD5 hash
1418-
will be of the user's password concatenated to their user name.
1419-
For example, if user <literal>joe</> has password <literal>xyzzy</>,
1420-
<productname>PostgreSQL</> will store the md5 hash of
1421-
<literal>xyzzyjoe</>. A password that does not follow that
1422-
format is assumed to be unencrypted.
1423-
</entry>
1424-
</row>
1425-
1426-
<row>
1427-
<entry><structfield>rolvaliduntil</structfield></entry>
1428-
<entry><type>timestamptz</type></entry>
1429-
<entry>Password expiry time (only used for password authentication);
1430-
null if no expiration</entry>
1431-
</row>
1432-
</tbody>
1433-
</tgroup>
1434-
</table>
1435-
1436-
<table id="catalog-rolattr-bitmap-table">
1437-
<title>Attributes in <structfield>rolattr</></title>
1438-
1439-
<tgroup cols="4">
1440-
<thead>
1441-
<row>
1442-
<entry>Attribute</entry>
1443-
<entry>CREATE ROLE Option</entry>
1444-
<entry>Description</entry>
1445-
<entry>Position</entry>
1446-
</row>
1447-
</thead>
1448-
1449-
<tbody>
1450-
<row>
1451-
<entry>Superuser</entry>
1452-
<entry>SUPERUSER</entry>
1394+
<entry><structfield>rolsuper</structfield></entry>
1395+
<entry><type>bool</type></entry>
14531396
<entry>Role has superuser privileges</entry>
1454-
<entry><literal>0</literal></entry>
14551397
</row>
14561398

14571399
<row>
1458-
<entry>Inherit</entry>
1459-
<entry>INHERIT</entry>
1460-
<entry>
1461-
Role automatically inherits privileges of roles it is a member of
1462-
</entry>
1463-
<entry><literal>1</literal></entry>
1400+
<entry><structfield>rolinherit</structfield></entry>
1401+
<entry><type>bool</type></entry>
1402+
<entry>Role automatically inherits privileges of roles it is a
1403+
member of</entry>
14641404
</row>
14651405

14661406
<row>
1467-
<entry>Create Role</entry>
1468-
<entry>CREATEROLE</entry>
1407+
<entry><structfield>rolcreaterole</structfield></entry>
1408+
<entry><type>bool</type></entry>
14691409
<entry>Role can create more roles</entry>
1470-
<entry><literal>2</literal></entry>
14711410
</row>
14721411

14731412
<row>
1474-
<entry>Create DB</entry>
1475-
<entry>CREATEDB</entry>
1413+
<entry><structfield>rolcreatedb</structfield></entry>
1414+
<entry><type>bool</type></entry>
14761415
<entry>Role can create databases</entry>
1477-
<entry><literal>3</literal></entry>
14781416
</row>
14791417

14801418
<row>
1481-
<entry>Catalog Update</entry>
1482-
<entry>CATUPDATE</entry>
1419+
<entry><structfield>rolcatupdate</structfield></entry>
1420+
<entry><type>bool</type></entry>
14831421
<entry>
14841422
Role can update system catalogs directly. (Even a superuser cannot do
14851423
this unless this column is true)
14861424
</entry>
1487-
<entry><literal>4</literal></entry>
14881425
</row>
14891426

14901427
<row>
1491-
<entry>Can Login</entry>
1492-
<entry>LOGIN</entry>
1428+
<entry><structfield>rolcanlogin</structfield></entry>
1429+
<entry><type>bool</type></entry>
14931430
<entry>
14941431
Role can log in. That is, this role can be given as the initial
14951432
session authorization identifier
14961433
</entry>
1497-
<entry><literal>5</literal></entry>
14981434
</row>
14991435

15001436
<row>
1501-
<entry>Replication</entry>
1502-
<entry>REPLICATION</entry>
1437+
<entry><structfield>rolreplication</structfield></entry>
1438+
<entry><type>bool</type></entry>
15031439
<entry>
15041440
Role is a replication role. That is, this role can initiate streaming
15051441
replication (see <xref linkend="streaming-replication">) and set/unset
15061442
the system backup mode using <function>pg_start_backup</> and
15071443
<function>pg_stop_backup</>
15081444
</entry>
1509-
<entry><literal>6</literal></entry>
15101445
</row>
15111446

15121447
<row>
1513-
<entry>Bypass Row Level Security</entry>
1514-
<entry>BYPASSRLS</entry>
1448+
<entry><structfield>rolconnlimit</structfield></entry>
1449+
<entry><type>int4</type></entry>
15151450
<entry>
1516-
Role can bypass row level security policies when <literal>row_security</>
1517-
is set <literal>off</>
1451+
For roles that can log in, this sets maximum number of concurrent
1452+
connections this role can make. -1 means no limit.
1453+
</entry>
1454+
</row>
1455+
1456+
<row>
1457+
<entry><structfield>rolpassword</structfield></entry>
1458+
<entry><type>text</type></entry>
1459+
<entry>
1460+
Password (possibly encrypted); null if none. If the password
1461+
is encrypted, this column will begin with the string <literal>md5</>
1462+
followed by a 32-character hexadecimal MD5 hash. The MD5 hash
1463+
will be of the user's password concatenated to their user name.
1464+
For example, if user <literal>joe</> has password <literal>xyzzy</>,
1465+
<productname>PostgreSQL</> will store the md5 hash of
1466+
<literal>xyzzyjoe</>. A password that does not follow that
1467+
format is assumed to be unencrypted.
15181468
</entry>
1519-
<entry><literal>7</literal></entry>
15201469
</row>
15211470

1471+
<row>
1472+
<entry><structfield>rolvaliduntil</structfield></entry>
1473+
<entry><type>timestamptz</type></entry>
1474+
<entry>Password expiry time (only used for password authentication);
1475+
null if no expiration</entry>
1476+
</row>
15221477
</tbody>
15231478
</tgroup>
15241479
</table>
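Review bot: the restored pg_authid rows run rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcatupdate, rolcanlogin, rolreplication and then jump straight to rolconnlimit at line 1448, but the bitmap table being removed also listed "Bypass Row Level Security" (BYPASSRLS, position 7) and no rolbypassrls row is restored in its place; if that boolean column exists after the revert, its documentation is missing here and should be added back, or it should be confirmed that it was never documented before 1826987. The `<xref linkend="catalog-rolattr-bitmap-table">` at line 1397 is removed together with the table it targets, so no dangling cross-reference remains.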

doc/src/sgml/func.sgml

Lines changed: 0 additions & 127 deletions
@@ -15139,133 +15139,6 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
1513915139
are immediately available without doing <command>SET ROLE</>.
1514015140
</para>
1514115141

15142-
<para>
15143-
<xref linkend="functions-info-role-attribute-table"> lists functions that
15144-
allow the user to query role attribute information programmatically.
15145-
</para>
15146-
15147-
<table id="functions-info-role-attribute-table">
15148-
<title>Role Attribute Inquiry Functions</title>
15149-
<tgroup cols="3">
15150-
<thead>
15151-
<row><entry>Name</entry> <entry>Return Type</entry> <entry>Description</entry></row>
15152-
</thead>
15153-
<tbody>
15154-
<row>
15155-
<entry><literal><function>pg_has_role_attribute(role, attribute)</function></literal></entry>
15156-
<entry><type>boolean</type></entry>
15157-
<entry>does role have the permissions allowed by named attribute</entry>
15158-
</row>
15159-
<row>
15160-
<entry><literal><function>pg_check_role_attribute(role, attribute)</function></literal></entry>
15161-
<entry><type>boolean</type></entry>
15162-
<entry>does role have the named attribute</entry>
15163-
</row>
15164-
<row>
15165-
<entry><literal><function>pg_check_role_attribute(role_attributes, attribute)</function></literal></entry>
15166-
<entry><type>boolean</type></entry>
15167-
<entry>is attribute set in bitmap of role attributes</entry>
15168-
</row>
15169-
<row>
15170-
<entry><literal><function>pg_all_role_attributes(role_attributes)</function></literal></entry>
15171-
<entry><type>text[]</type></entry>
15172-
<entry>convert bitmap of role attribute representation to text[]</entry>
15173-
</row>
15174-
</tbody>
15175-
</tgroup>
15176-
</table>
15177-
15178-
<indexterm>
15179-
<primary>pg_has_role_attribute</primary>
15180-
</indexterm>
15181-
<indexterm>
15182-
<primary>pg_check_role_attribute</primary>
15183-
</indexterm>
15184-
<indexterm>
15185-
<primary>pg_all_role_attributes</primary>
15186-
</indexterm>
15187-
15188-
<para>
15189-
<function>pg_has_role_attribute</function> checks the attribute permissions
15190-
given to a role. It will always return <literal>true</literal> for roles
15191-
with superuser privileges unless the attribute being checked is
15192-
<literal>CATUPDATE</literal> (superuser cannot bypass
15193-
<literal>CATUPDATE</literal> permissions). The role can be specified by name
15194-
and by OID. The attribute is specified by a text string which must evaluate
15195-
to one of the following role attributes:
15196-
<literal>SUPERUSER</literal>,
15197-
<literal>INHERIT</literal>,
15198-
<literal>CREATEROLE</literal>,
15199-
<literal>CREATEDB</literal>,
15200-
<literal>CATUPDATE</literal>,
15201-
<literal>CANLOGIN</literal>,
15202-
<literal>REPLICATION</literal>, or
15203-
<literal>BYPASSRLS</literal>. See <xref linkend="sql-createrole"> for more
15204-
information. For example:
15205-
<programlisting>
15206-
SELECT pg_has_role_attribute('joe', 'SUPERUSER');
15207-
pg_has_role_attribute
15208-
-----------------------
15209-
f
15210-
(1 row)
15211-
15212-
SELECT rolname, pg_has_role_attribute(oid, 'INHERIT') AS rolinherit FROM pg_roles;
15213-
rolname | rolinherit
15214-
----------+------------
15215-
postgres | t
15216-
joe | t
15217-
(2 rows)
15218-
</programlisting>
15219-
</para>
15220-
15221-
<para>
15222-
<function>pg_check_role_attribute</function> checks the attribute value given
15223-
to a role. The role can be specified by name and by OID. The attribute is
15224-
specified by a text string which must evaluate to a valid role attribute (see
15225-
<function>pg_has_role_attribute</function>). A third variant of this function
15226-
allows for a bitmap representation (<literal>bigint</literal>) of attributes
15227-
to be given instead of a role.
15228-
Example:
15229-
<programlisting>
15230-
SELECT pg_check_role_attribute('joe', 'SUPERUSER');
15231-
pg_check_role_attribute
15232-
-------------------------
15233-
f
15234-
(1 row)
15235-
15236-
SELECT rolname, pg_check_role_attribute(oid, 'INHERIT') as rolinherit FROM pg_roles;
15237-
rolname | rolinherit
15238-
----------+------------
15239-
postgres | t
15240-
joe | t
15241-
(2 rows)
15242-
t
15243-
(1 row)
15244-
15245-
15246-
SELECT rolname, pg_check_role_attribute(rolattr, 'SUPERUSER') AS rolsuper FROM pg_authid;
15247-
rolname | rolsuper
15248-
----------+----------
15249-
postgres | t
15250-
joe | f
15251-
(2 rows)
15252-
</programlisting>
15253-
</para>
15254-
15255-
<para>
15256-
<function>pg_all_role_attributes</function> convert a set of role attributes
15257-
represented by an <literal>bigint</literal> bitmap to a text array.
15258-
Example:
15259-
<programlisting>
15260-
SELECT rolname, pg_all_role_attributes(rolattr) AS attributes FROM pg_authid;
15261-
rolname | attributes
15262-
----------+-----------------------------------------------------------------------------------------------
15263-
postgres | {Superuser,Inherit,"Create Role","Create DB","Catalog Update",Login,Replication,"Bypass RLS"}
15264-
joe | {Inherit,Login}
15265-
(2 rows)
15266-
</programlisting>
15267-
</para>
15268-
1526915142
<para>
1527015143
<xref linkend="functions-info-schema-table"> shows functions that
1527115144
determine whether a certain object is <firstterm>visible</> in the
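Review bot: this hunk only deletes documentation; the three SQL-callable functions it describes (pg_has_role_attribute, both variants of pg_check_role_attribute, and pg_all_role_attributes) must also be dropped from pg_proc.h and from their C implementations in the remaining files of this revert, otherwise they stay callable but undocumented. The deleted text at lines 15189-15193 also recorded the one non-obvious rule of that design, that pg_has_role_attribute returned true for superusers except for CATUPDATE; anything that replaces the bitmask later should document that exception as clearly. Minor: the removed example output at lines 15241-15243 carried a stray `t` / `(1 row)` after `(2 rows)`, so the deletion also clears a garbled example.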

src/backend/access/transam/xlogfuncs.c

Lines changed: 2 additions & 3 deletions
@@ -27,7 +27,6 @@
2727
#include"miscadmin.h"
2828
#include"replication/walreceiver.h"
2929
#include"storage/smgr.h"
30-
#include"utils/acl.h"
3130
#include"utils/builtins.h"
3231
#include"utils/numeric.h"
3332
#include"utils/guc.h"
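Review bot: dropping `#include "utils/acl.h"` at line 30 is only safe if nothing else in this file used a symbol from that header; the two hunks below replace the only have_role_attribute() callers shown, and superuser() comes from miscadmin.h, which is still included at line 27, so this looks consistent, but a compile of the file is the real check.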
@@ -55,7 +54,7 @@ pg_start_backup(PG_FUNCTION_ARGS)
5554

5655
backupidstr=text_to_cstring(backupid);
5756

58-
if (!have_role_attribute(ROLE_ATTR_REPLICATION))
57+
if (!superuser()&& !has_rolreplication(GetUserId()))
5958
ereport(ERROR,
6059
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
6160
errmsg("must be superuser or replication role to run a backup")));
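Review bot: the restored predicate at line 57, `if (!superuser() && !has_rolreplication(GetUserId()))`, makes the superuser bypass explicit where the reverted have_role_attribute(ROLE_ATTR_REPLICATION) form hid it inside the helper; the error text "must be superuser or replication role to run a backup" already matches the restored logic, so no message change is needed. Worth confirming that has_rolreplication() is declared in a header this file still includes now that utils/acl.h is gone.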
@@ -83,7 +82,7 @@ pg_stop_backup(PG_FUNCTION_ARGS)
8382
{
8483
XLogRecPtrstoppoint;
8584

86-
if (!have_role_attribute(ROLE_ATTR_REPLICATION))
85+
if (!superuser()&& !has_rolreplication(GetUserId()))
8786
ereport(ERROR,
8887
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
8988
(errmsg("must be superuser or replication role to run a backup"))));
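Review bot: the same privilege predicate is duplicated verbatim at line 85 as in pg_start_backup; expected for a revert, but two hand-written copies of an authorization check can drift, so a shared helper is worth a follow-up. Separately, the unchanged context at line 88 wraps errmsg(...) in an extra pair of parentheses, `(errmsg("must be superuser or replication role to run a backup"))))`, unlike line 60 in pg_start_backup; harmless but inconsistent, and a candidate for a separate cleanup rather than this revert.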

src/backend/catalog/Catalog.pm

Lines changed: 1 addition & 1 deletion
@@ -176,7 +176,7 @@ sub Catalogs
176176
}
177177
}
178178
}
179-
$catalogs{$catname} = \%catalogifdefined$catname;
179+
$catalogs{$catname} = \%catalog;
180180
close INPUT_FILE;
181181
}
182182
return \%catalogs;
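Review bot: dropping the `if defined $catname` guard at line 179 means Catalog.pm again assumes every header listed in POSTGRES_BKI_SRCS carries a CATALOG() declaration; that holds only because the Makefile hunk in this same revert removes acldefs.h from the list, so the two hunks must land together or genbki will store a catalog under an undefined key.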

src/backend/catalog/Makefile

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@ all: $(BKIFILES) schemapg.h
2828
# indexing.h had better be last, and toasting.h just before it.
2929

3030
POSTGRES_BKI_SRCS =$(addprefix$(top_srcdir)/src/include/catalog/,\
31-
acldefs.hpg_proc.h pg_type.h pg_attribute.h pg_class.h \
31+
pg_proc.h pg_type.h pg_attribute.h pg_class.h \
3232
pg_attrdef.h pg_constraint.h pg_inherits.h pg_index.h pg_operator.h \
3333
pg_opfamily.h pg_opclass.h pg_am.h pg_amop.h pg_amproc.h \
3434
pg_language.h pg_largeobject_metadata.h pg_largeobject.h pg_aggregate.h \
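Review bot: removing acldefs.h from POSTGRES_BKI_SRCS at line 31 stops genbki from processing it; the header itself should be deleted from src/include/catalog in the remaining files of this revert, or it becomes an orphan that nothing parses. The ordering constraint in the comment at line 28 ("indexing.h had better be last, and toasting.h just before it") is unaffected since the change is at the front of the list.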
