NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commita609d96

committed

Revert "Use a bitmask to represent role attributes"

This reverts commit1826987.The overall design was deemed unacceptable, in discussion following theprevious commit message; we might find some parts of it stillsalvageable, but I don't want to be on the hook for fixing it, so let'swait until we have a new patch.

1 parentd7ee82e commita609d96Copy full SHA for a609d96

File tree

30 files changed

+372

-798

lines changed

doc/src/sgml
- catalogs.sgml
- func.sgml
src
- backend
  - access/transam
    - xlogfuncs.c
  - catalog
  - commands
  - replication
    - logical
      - logicalfuncs.c
    - slotfuncs.c
  - rewrite
    - rowsecurity.c
  - utils
    - adt
      - acl.c
      - ri_triggers.c
    - init
      - miscinit.c
      - postinit.c
    - misc
      - superuser.c
- bin/pg_dump
  - pg_dumpall.c
- include
  - catalog
  - nodes
    - parsenodes.h
  - utils
    - acl.h
    - builtins.h
- test/regress/expected
  - rules.out

30 files changed

+372

-798

lines changed

`‎doc/src/sgml/catalogs.sgml`

Lines changed: 41 additions & 86 deletions

Original file line number	Diff line number	Diff line change
`@@ -1391,134 +1391,89 @@`
`1391`	`1391`	`</row>`
`1392`	`1392`
`1393`	`1393`	`<row>`
`1394`		`- <entry><structfield>rolattr</structfield></entry>`
`1395`		`- <entry><type>bigint</type></entry>`
`1396`		`- <entry>`
`1397`		`- Role attributes; see <xref linkend="catalog-rolattr-bitmap-table"> and`
`1398`		`- <xref linkend="sql-createrole"> for details`
`1399`		`- </entry>`
`1400`		`- </row>`
`1401`		`-`
`1402`		`- <row>`
`1403`		`- <entry><structfield>rolconnlimit</structfield></entry>`
`1404`		`- <entry><type>int4</type></entry>`
`1405`		`- <entry>`
`1406`		`- For roles that can log in, this sets maximum number of concurrent`
`1407`		`- connections this role can make. -1 means no limit.`
`1408`		`- </entry>`
`1409`		`- </row>`
`1410`		`-`
`1411`		`- <row>`
`1412`		`- <entry><structfield>rolpassword</structfield></entry>`
`1413`		`- <entry><type>text</type></entry>`
`1414`		`- <entry>`
`1415`		`- Password (possibly encrypted); null if none. If the password`
`1416`		`- is encrypted, this column will begin with the string <literal>md5</>`
`1417`		`- followed by a 32-character hexadecimal MD5 hash. The MD5 hash`
`1418`		`- will be of the user's password concatenated to their user name.`
`1419`		`- For example, if user <literal>joe</> has password <literal>xyzzy</>,`
`1420`		`- <productname>PostgreSQL</> will store the md5 hash of`
`1421`		`- <literal>xyzzyjoe</>. A password that does not follow that`
`1422`		`- format is assumed to be unencrypted.`
`1423`		`- </entry>`
`1424`		`- </row>`
`1425`		`-`
`1426`		`- <row>`
`1427`		`- <entry><structfield>rolvaliduntil</structfield></entry>`
`1428`		`- <entry><type>timestamptz</type></entry>`
`1429`		`- <entry>Password expiry time (only used for password authentication);`
`1430`		`- null if no expiration</entry>`
`1431`		`- </row>`
`1432`		`- </tbody>`
`1433`		`- </tgroup>`
`1434`		`- </table>`
`1435`		`-`
`1436`		`- <table id="catalog-rolattr-bitmap-table">`
`1437`		`- <title>Attributes in <structfield>rolattr</></title>`
`1438`		`-`
`1439`		`- <tgroup cols="4">`
`1440`		`- <thead>`
`1441`		`- <row>`
`1442`		`- <entry>Attribute</entry>`
`1443`		`- <entry>CREATE ROLE Option</entry>`
`1444`		`- <entry>Description</entry>`
`1445`		`- <entry>Position</entry>`
`1446`		`- </row>`
`1447`		`- </thead>`
`1448`		`-`
`1449`		`- <tbody>`
`1450`		`- <row>`
`1451`		`- <entry>Superuser</entry>`
`1452`		`- <entry>SUPERUSER</entry>`
	`1394`	`+ <entry><structfield>rolsuper</structfield></entry>`
	`1395`	`+ <entry><type>bool</type></entry>`
`1453`	`1396`	`<entry>Role has superuser privileges</entry>`
`1454`		`- <entry><literal>0</literal></entry>`
`1455`	`1397`	`</row>`
`1456`	`1398`
`1457`	`1399`	`<row>`
`1458`		`- <entry>Inherit</entry>`
`1459`		`- <entry>INHERIT</entry>`
`1460`		`- <entry>`
`1461`		`- Role automatically inherits privileges of roles it is a member of`
`1462`		`- </entry>`
`1463`		`- <entry><literal>1</literal></entry>`
	`1400`	`+ <entry><structfield>rolinherit</structfield></entry>`
	`1401`	`+ <entry><type>bool</type></entry>`
	`1402`	`+ <entry>Role automatically inherits privileges of roles it is a`
	`1403`	`+ member of</entry>`
`1464`	`1404`	`</row>`
`1465`	`1405`
`1466`	`1406`	`<row>`
`1467`		`- <entry>Create Role</entry>`
`1468`		`- <entry>CREATEROLE</entry>`
	`1407`	`+ <entry><structfield>rolcreaterole</structfield></entry>`
	`1408`	`+ <entry><type>bool</type></entry>`
`1469`	`1409`	`<entry>Role can create more roles</entry>`
`1470`		`- <entry><literal>2</literal></entry>`
`1471`	`1410`	`</row>`
`1472`	`1411`
`1473`	`1412`	`<row>`
`1474`		`- <entry>Create DB</entry>`
`1475`		`- <entry>CREATEDB</entry>`
	`1413`	`+ <entry><structfield>rolcreatedb</structfield></entry>`
	`1414`	`+ <entry><type>bool</type></entry>`
`1476`	`1415`	`<entry>Role can create databases</entry>`
`1477`		`- <entry><literal>3</literal></entry>`
`1478`	`1416`	`</row>`
`1479`	`1417`
`1480`	`1418`	`<row>`
`1481`		`- <entry>Catalog Update</entry>`
`1482`		`- <entry>CATUPDATE</entry>`
	`1419`	`+ <entry><structfield>rolcatupdate</structfield></entry>`
	`1420`	`+ <entry><type>bool</type></entry>`
`1483`	`1421`	`<entry>`
`1484`	`1422`	`Role can update system catalogs directly. (Even a superuser cannot do`
`1485`	`1423`	`this unless this column is true)`
`1486`	`1424`	`</entry>`
`1487`		`- <entry><literal>4</literal></entry>`
`1488`	`1425`	`</row>`
`1489`	`1426`
`1490`	`1427`	`<row>`
`1491`		`- <entry>Can Login</entry>`
`1492`		`- <entry>LOGIN</entry>`
	`1428`	`+ <entry><structfield>rolcanlogin</structfield></entry>`
	`1429`	`+ <entry><type>bool</type></entry>`
`1493`	`1430`	`<entry>`
`1494`	`1431`	`Role can log in. That is, this role can be given as the initial`
`1495`	`1432`	`session authorization identifier`
`1496`	`1433`	`</entry>`
`1497`		`- <entry><literal>5</literal></entry>`
`1498`	`1434`	`</row>`
`1499`	`1435`
`1500`	`1436`	`<row>`
`1501`		`- <entry>Replication</entry>`
`1502`		`- <entry>REPLICATION</entry>`
	`1437`	`+ <entry><structfield>rolreplication</structfield></entry>`
	`1438`	`+ <entry><type>bool</type></entry>`
`1503`	`1439`	`<entry>`
`1504`	`1440`	`Role is a replication role. That is, this role can initiate streaming`
`1505`	`1441`	`replication (see <xref linkend="streaming-replication">) and set/unset`
`1506`	`1442`	`the system backup mode using <function>pg_start_backup</> and`
`1507`	`1443`	`<function>pg_stop_backup</>`
`1508`	`1444`	`</entry>`
`1509`		`- <entry><literal>6</literal></entry>`
`1510`	`1445`	`</row>`
`1511`	`1446`
`1512`	`1447`	`<row>`
`1513`		`- <entry>Bypass Row Level Security</entry>`
`1514`		`- <entry>BYPASSRLS</entry>`
	`1448`	`+ <entry><structfield>rolconnlimit</structfield></entry>`
	`1449`	`+ <entry><type>int4</type></entry>`
`1515`	`1450`	`<entry>`
`1516`		`- Role can bypass row level security policies when <literal>row_security</>`
`1517`		`- is set <literal>off</>`
	`1451`	`+ For roles that can log in, this sets maximum number of concurrent`
	`1452`	`+ connections this role can make. -1 means no limit.`
	`1453`	`+ </entry>`
	`1454`	`+ </row>`
	`1455`	`+`
	`1456`	`+ <row>`
	`1457`	`+ <entry><structfield>rolpassword</structfield></entry>`
	`1458`	`+ <entry><type>text</type></entry>`
	`1459`	`+ <entry>`
	`1460`	`+ Password (possibly encrypted); null if none. If the password`
	`1461`	`+ is encrypted, this column will begin with the string <literal>md5</>`
	`1462`	`+ followed by a 32-character hexadecimal MD5 hash. The MD5 hash`
	`1463`	`+ will be of the user's password concatenated to their user name.`
	`1464`	`+ For example, if user <literal>joe</> has password <literal>xyzzy</>,`
	`1465`	`+ <productname>PostgreSQL</> will store the md5 hash of`
	`1466`	`+ <literal>xyzzyjoe</>. A password that does not follow that`
	`1467`	`+ format is assumed to be unencrypted.`
`1518`	`1468`	`</entry>`
`1519`		`- <entry><literal>7</literal></entry>`
`1520`	`1469`	`</row>`
`1521`	`1470`
	`1471`	`+ <row>`
	`1472`	`+ <entry><structfield>rolvaliduntil</structfield></entry>`
	`1473`	`+ <entry><type>timestamptz</type></entry>`
	`1474`	`+ <entry>Password expiry time (only used for password authentication);`
	`1475`	`+ null if no expiration</entry>`
	`1476`	`+ </row>`
`1522`	`1477`	`</tbody>`
`1523`	`1478`	`</tgroup>`
`1524`	`1479`	`</table>`

`‎doc/src/sgml/func.sgml`

Lines changed: 0 additions & 127 deletions

Original file line number	Diff line number	Diff line change
`@@ -15139,133 +15139,6 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');`
`15139`	`15139`	`are immediately available without doing <command>SET ROLE</>.`
`15140`	`15140`	`</para>`
`15141`	`15141`
`15142`		`- <para>`
`15143`		`- <xref linkend="functions-info-role-attribute-table"> lists functions that`
`15144`		`- allow the user to query role attribute information programmatically.`
`15145`		`- </para>`
`15146`		`-`
`15147`		`- <table id="functions-info-role-attribute-table">`
`15148`		`- <title>Role Attribute Inquiry Functions</title>`
`15149`		`- <tgroup cols="3">`
`15150`		`- <thead>`
`15151`		`- <row><entry>Name</entry> <entry>Return Type</entry> <entry>Description</entry></row>`
`15152`		`- </thead>`
`15153`		`- <tbody>`
`15154`		`- <row>`
`15155`		`- <entry><literal><function>pg_has_role_attribute(role, attribute)</function></literal></entry>`
`15156`		`- <entry><type>boolean</type></entry>`
`15157`		`- <entry>does role have the permissions allowed by named attribute</entry>`
`15158`		`- </row>`
`15159`		`- <row>`
`15160`		`- <entry><literal><function>pg_check_role_attribute(role, attribute)</function></literal></entry>`
`15161`		`- <entry><type>boolean</type></entry>`
`15162`		`- <entry>does role have the named attribute</entry>`
`15163`		`- </row>`
`15164`		`- <row>`
`15165`		`- <entry><literal><function>pg_check_role_attribute(role_attributes, attribute)</function></literal></entry>`
`15166`		`- <entry><type>boolean</type></entry>`
`15167`		`- <entry>is attribute set in bitmap of role attributes</entry>`
`15168`		`- </row>`
`15169`		`- <row>`
`15170`		`- <entry><literal><function>pg_all_role_attributes(role_attributes)</function></literal></entry>`
`15171`		`- <entry><type>text[]</type></entry>`
`15172`		`- <entry>convert bitmap of role attribute representation to text[]</entry>`
`15173`		`- </row>`
`15174`		`- </tbody>`
`15175`		`- </tgroup>`
`15176`		`- </table>`
`15177`		`-`
`15178`		`- <indexterm>`
`15179`		`- <primary>pg_has_role_attribute</primary>`
`15180`		`- </indexterm>`
`15181`		`- <indexterm>`
`15182`		`- <primary>pg_check_role_attribute</primary>`
`15183`		`- </indexterm>`
`15184`		`- <indexterm>`
`15185`		`- <primary>pg_all_role_attributes</primary>`
`15186`		`- </indexterm>`
`15187`		`-`
`15188`		`- <para>`
`15189`		`- <function>pg_has_role_attribute</function> checks the attribute permissions`
`15190`		`- given to a role. It will always return <literal>true</literal> for roles`
`15191`		`- with superuser privileges unless the attribute being checked is`
`15192`		`- <literal>CATUPDATE</literal> (superuser cannot bypass`
`15193`		`- <literal>CATUPDATE</literal> permissions). The role can be specified by name`
`15194`		`- and by OID. The attribute is specified by a text string which must evaluate`
`15195`		`- to one of the following role attributes:`
`15196`		`- <literal>SUPERUSER</literal>,`
`15197`		`- <literal>INHERIT</literal>,`
`15198`		`- <literal>CREATEROLE</literal>,`
`15199`		`- <literal>CREATEDB</literal>,`
`15200`		`- <literal>CATUPDATE</literal>,`
`15201`		`- <literal>CANLOGIN</literal>,`
`15202`		`- <literal>REPLICATION</literal>, or`
`15203`		`- <literal>BYPASSRLS</literal>. See <xref linkend="sql-createrole"> for more`
`15204`		`- information. For example:`
`15205`		`-<programlisting>`
`15206`		`-SELECT pg_has_role_attribute('joe', 'SUPERUSER');`
`15207`		`- pg_has_role_attribute`
`15208`		`------------------------`
`15209`		`- f`
`15210`		`-(1 row)`
`15211`		`-`
`15212`		`-SELECT rolname, pg_has_role_attribute(oid, 'INHERIT') AS rolinherit FROM pg_roles;`
`15213`		`- rolname \| rolinherit`
`15214`		`-----------+------------`
`15215`		`- postgres \| t`
`15216`		`- joe \| t`
`15217`		`-(2 rows)`
`15218`		`-</programlisting>`
`15219`		`- </para>`
`15220`		`-`
`15221`		`- <para>`
`15222`		`- <function>pg_check_role_attribute</function> checks the attribute value given`
`15223`		`- to a role. The role can be specified by name and by OID. The attribute is`
`15224`		`- specified by a text string which must evaluate to a valid role attribute (see`
`15225`		`- <function>pg_has_role_attribute</function>). A third variant of this function`
`15226`		`- allows for a bitmap representation (<literal>bigint</literal>) of attributes`
`15227`		`- to be given instead of a role.`
`15228`		`- Example:`
`15229`		`-<programlisting>`
`15230`		`-SELECT pg_check_role_attribute('joe', 'SUPERUSER');`
`15231`		`- pg_check_role_attribute`
`15232`		`--------------------------`
`15233`		`- f`
`15234`		`-(1 row)`
`15235`		`-`
`15236`		`-SELECT rolname, pg_check_role_attribute(oid, 'INHERIT') as rolinherit FROM pg_roles;`
`15237`		`- rolname \| rolinherit`
`15238`		`-----------+------------`
`15239`		`- postgres \| t`
`15240`		`- joe \| t`
`15241`		`-(2 rows)`
`15242`		`- t`
`15243`		`-(1 row)`
`15244`		`-`
`15245`		`-`
`15246`		`-SELECT rolname, pg_check_role_attribute(rolattr, 'SUPERUSER') AS rolsuper FROM pg_authid;`
`15247`		`- rolname \| rolsuper`
`15248`		`-----------+----------`
`15249`		`- postgres \| t`
`15250`		`- joe \| f`
`15251`		`-(2 rows)`
`15252`		`-</programlisting>`
`15253`		`- </para>`
`15254`		`-`
`15255`		`- <para>`
`15256`		`- <function>pg_all_role_attributes</function> convert a set of role attributes`
`15257`		`- represented by an <literal>bigint</literal> bitmap to a text array.`
`15258`		`- Example:`
`15259`		`-<programlisting>`
`15260`		`-SELECT rolname, pg_all_role_attributes(rolattr) AS attributes FROM pg_authid;`
`15261`		`- rolname \| attributes`
`15262`		`-----------+-----------------------------------------------------------------------------------------------`
`15263`		`- postgres \| {Superuser,Inherit,"Create Role","Create DB","Catalog Update",Login,Replication,"Bypass RLS"}`
`15264`		`- joe \| {Inherit,Login}`
`15265`		`-(2 rows)`
`15266`		`-</programlisting>`
`15267`		`- </para>`
`15268`		`-`
`15269`	`15142`	`<para>`
`15270`	`15143`	`<xref linkend="functions-info-schema-table"> shows functions that`
`15271`	`15144`	`determine whether a certain object is <firstterm>visible</> in the`

`‎src/backend/access/transam/xlogfuncs.c`

Lines changed: 2 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,6 @@`
`27`	`27`	`#include"miscadmin.h"`
`28`	`28`	`#include"replication/walreceiver.h"`
`29`	`29`	`#include"storage/smgr.h"`
`30`		`-#include"utils/acl.h"`
`31`	`30`	`#include"utils/builtins.h"`
`32`	`31`	`#include"utils/numeric.h"`
`33`	`32`	`#include"utils/guc.h"`
`@@ -55,7 +54,7 @@ pg_start_backup(PG_FUNCTION_ARGS)`
`55`	`54`
`56`	`55`	`backupidstr=text_to_cstring(backupid);`
`57`	`56`
`58`		`-if (!have_role_attribute(ROLE_ATTR_REPLICATION))`
	`57`	`+if (!superuser()&& !has_rolreplication(GetUserId()))`
`59`	`58`	`ereport(ERROR,`
`60`	`59`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`61`	`60`	`errmsg("must be superuser or replication role to run a backup")));`
`@@ -83,7 +82,7 @@ pg_stop_backup(PG_FUNCTION_ARGS)`
`83`	`82`	`{`
`84`	`83`	`XLogRecPtrstoppoint;`
`85`	`84`
`86`		`-if (!have_role_attribute(ROLE_ATTR_REPLICATION))`
	`85`	`+if (!superuser()&& !has_rolreplication(GetUserId()))`
`87`	`86`	`ereport(ERROR,`
`88`	`87`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`89`	`88`	`(errmsg("must be superuser or replication role to run a backup"))));`

`‎src/backend/catalog/Catalog.pm`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,7 @@ sub Catalogs`
`176`	`176`	`}`
`177`	`177`	`}`
`178`	`178`	`}`
`179`		`-$catalogs{$catname} = \%catalogifdefined$catname;`
	`179`	`+$catalogs{$catname} = \%catalog;`
`180`	`180`	`close INPUT_FILE;`
`181`	`181`	`}`
`182`	`182`	`return \%catalogs;`

`‎src/backend/catalog/Makefile`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ all: $(BKIFILES) schemapg.h`
`28`	`28`	`# indexing.h had better be last, and toasting.h just before it.`
`29`	`29`
`30`	`30`	`POSTGRES_BKI_SRCS =$(addprefix$(top_srcdir)/src/include/catalog/,\`
`31`		`-acldefs.hpg_proc.h pg_type.h pg_attribute.h pg_class.h \`
	`31`	`+pg_proc.h pg_type.h pg_attribute.h pg_class.h \`
`32`	`32`	`pg_attrdef.h pg_constraint.h pg_inherits.h pg_index.h pg_operator.h \`
`33`	`33`	`pg_opfamily.h pg_opclass.h pg_am.h pg_amop.h pg_amproc.h \`
`34`	`34`	`pg_language.h pg_largeobject_metadata.h pg_largeobject.h pg_aggregate.h \`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita609d96

File tree

30 files changed

30 files changed

`‎doc/src/sgml/catalogs.sgml`

`‎doc/src/sgml/func.sgml`

`‎src/backend/access/transam/xlogfuncs.c`

`‎src/backend/catalog/Catalog.pm`

`‎src/backend/catalog/Makefile`

0 commit comments