NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitbb8582a

committed

Remove rolcatupdate

This role attribute is an ancient PostgreSQL feature, but could only beset by directly updating the system catalogs, and it doesn't have anyclearly defined use.Author: Adam Brightwell <adam.brightwell@crunchydatasolutions.com>

1 parent6510c83 commitbb8582aCopy full SHA for bb8582a

File tree

8 files changed

+17

-90

lines changed

doc/src/sgml
- catalogs.sgml
src
- backend
  - catalog
    - aclchk.c
    - system_views.sql
  - commands
    - user.c
- include/catalog
  - catversion.h
  - pg_authid.h
- test/regress/expected
  - privileges.out
  - rules.out

8 files changed

+17

-90

lines changed

`‎doc/src/sgml/catalogs.sgml`

Lines changed: 0 additions & 38 deletions

Original file line number	Diff line number	Diff line change
`@@ -1415,15 +1415,6 @@`
`1415`	`1415`	`<entry>Role can create databases</entry>`
`1416`	`1416`	`</row>`
`1417`	`1417`
`1418`		`- <row>`
`1419`		`- <entry><structfield>rolcatupdate</structfield></entry>`
`1420`		`- <entry><type>bool</type></entry>`
`1421`		`- <entry>`
`1422`		`- Role can update system catalogs directly. (Even a superuser cannot do`
`1423`		`- this unless this column is true)`
`1424`		`- </entry>`
`1425`		`- </row>`
`1426`		`-`
`1427`	`1418`	`<row>`
`1428`	`1419`	`<entry><structfield>rolcanlogin</structfield></entry>`
`1429`	`1420`	`<entry><type>bool</type></entry>`
`@@ -8491,16 +8482,6 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx`
`8491`	`8482`	`<entry>Role can create databases</entry>`
`8492`	`8483`	`</row>`
`8493`	`8484`
`8494`		`- <row>`
`8495`		`- <entry><structfield>rolcatupdate</structfield></entry>`
`8496`		`- <entry><type>bool</type></entry>`
`8497`		`- <entry></entry>`
`8498`		`- <entry>`
`8499`		`- Role can update system catalogs directly. (Even a superuser cannot do`
`8500`		`- this unless this column is true)`
`8501`		`- </entry>`
`8502`		`- </row>`
`8503`		`-`
`8504`	`8485`	`<row>`
`8505`	`8486`	`<entry><structfield>rolcanlogin</structfield></entry>`
`8506`	`8487`	`<entry><type>bool</type></entry>`
`@@ -9019,16 +9000,6 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx`
`9019`	`9000`	`<entry>User is a superuser</entry>`
`9020`	`9001`	`</row>`
`9021`	`9002`
`9022`		`- <row>`
`9023`		`- <entry><structfield>usecatupd</structfield></entry>`
`9024`		`- <entry><type>bool</type></entry>`
`9025`		`- <entry></entry>`
`9026`		`- <entry>`
`9027`		`- User can update system catalogs. (Even a superuser cannot do`
`9028`		`- this unless this column is true.)`
`9029`		`- </entry>`
`9030`		`- </row>`
`9031`		`-`
`9032`	`9003`	`<row>`
`9033`	`9004`	`<entry><structfield>userepl</structfield></entry>`
`9034`	`9005`	`<entry><type>bool</type></entry>`
`@@ -9506,15 +9477,6 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx`
`9506`	`9477`	`<entry>User is a superuser</entry>`
`9507`	`9478`	`</row>`
`9508`	`9479`
`9509`		`- <row>`
`9510`		`- <entry><structfield>usecatupd</structfield></entry>`
`9511`		`- <entry><type>bool</type></entry>`
`9512`		`- <entry>`
`9513`		`- User can update system catalogs. (Even a superuser cannot do`
`9514`		`- this unless this column is true.)`
`9515`		`- </entry>`
`9516`		`- </row>`
`9517`		`-`
`9518`	`9480`	`<row>`
`9519`	`9481`	`<entry><structfield>userepl</structfield></entry>`
`9520`	`9482`	`<entry><type>bool</type></entry>`

`‎src/backend/catalog/aclchk.c`

Lines changed: 2 additions & 23 deletions

Original file line number	Diff line number	Diff line change
`@@ -3423,26 +3423,6 @@ aclcheck_error_type(AclResult aclerr, Oid typeOid)`
`3423`	`3423`	`}`
`3424`	`3424`
`3425`	`3425`
`3426`		`-/* Check if given user has rolcatupdate privilege according to pg_authid */`
`3427`		`-staticbool`
`3428`		`-has_rolcatupdate(Oidroleid)`
`3429`		`-{`
`3430`		`-boolrolcatupdate;`
`3431`		`-HeapTupletuple;`
`3432`		`-`
`3433`		`-tuple=SearchSysCache1(AUTHOID,ObjectIdGetDatum(roleid));`
`3434`		`-if (!HeapTupleIsValid(tuple))`
`3435`		`-ereport(ERROR,`
`3436`		`-(errcode(ERRCODE_UNDEFINED_OBJECT),`
`3437`		`-errmsg("role with OID %u does not exist",roleid)));`
`3438`		`-`
`3439`		`-rolcatupdate= ((Form_pg_authid)GETSTRUCT(tuple))->rolcatupdate;`
`3440`		`-`
`3441`		`-ReleaseSysCache(tuple);`
`3442`		`-`
`3443`		`-returnrolcatupdate;`
`3444`		`-}`
`3445`		`-`
`3446`	`3426`	`/*`
`3447`	`3427`	`* Relay for the various pg_*_mask routines depending on object kind`
`3448`	`3428`	`*/`
`@@ -3620,8 +3600,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,`
`3620`	`3600`
`3621`	`3601`	`/*`
`3622`	`3602`	`* Deny anyone permission to update a system catalog unless`
`3623`		`- * pg_authid.rolcatupdate is set. (This is to let superusers protect`
`3624`		`- * themselves from themselves.) Also allow it if allowSystemTableMods.`
	`3603`	`+ * pg_authid.rolsuper is set. Also allow it if allowSystemTableMods.`
`3625`	`3604`	`*`
`3626`	`3605`	`* As of 7.4 we have some updatable system views; those shouldn't be`
`3627`	`3606`	`* protected in this way. Assume the view rules can take care of`
`@@ -3630,7 +3609,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,`
`3630`	`3609`	`if ((mask& (ACL_INSERT \|ACL_UPDATE \|ACL_DELETE \|ACL_TRUNCATE \|ACL_USAGE))&&`
`3631`	`3610`	`IsSystemClass(table_oid,classForm)&&`
`3632`	`3611`	`classForm->relkind!=RELKIND_VIEW&&`
`3633`		`-!has_rolcatupdate(roleid)&&`
	`3612`	`+!superuser_arg(roleid)&&`
`3634`	`3613`	`!allowSystemTableMods)`
`3635`	`3614`	`{`
`3636`	`3615`	`#ifdefACLDEBUG`

`‎src/backend/catalog/system_views.sql`

Lines changed: 0 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,6 @@ CREATE VIEW pg_roles AS`
`13`	`13`	`rolinherit,`
`14`	`14`	`rolcreaterole,`
`15`	`15`	`rolcreatedb,`
`16`		`- rolcatupdate,`
`17`	`16`	`rolcanlogin,`
`18`	`17`	`rolreplication,`
`19`	`18`	`rolconnlimit,`
`@@ -31,7 +30,6 @@ CREATE VIEW pg_shadow AS`
`31`	`30`	`pg_authid.oidAS usesysid,`
`32`	`31`	`rolcreatedbAS usecreatedb,`
`33`	`32`	`rolsuperAS usesuper,`
`34`		`- rolcatupdateAS usecatupd,`
`35`	`33`	`rolreplicationAS userepl,`
`36`	`34`	`rolbypassrlsAS usebypassrls,`
`37`	`35`	`rolpasswordAS passwd,`
`@@ -57,7 +55,6 @@ CREATE VIEW pg_user AS`
`57`	`55`	`usesysid,`
`58`	`56`	`usecreatedb,`
`59`	`57`	`usesuper,`
`60`		`- usecatupd,`
`61`	`58`	`userepl,`
`62`	`59`	`usebypassrls,`
`63`	`60`	`'********'::textas passwd,`

`‎src/backend/commands/user.c`

Lines changed: 1 addition & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -368,8 +368,6 @@ CreateRole(CreateRoleStmt *stmt)`
`368`	`368`	`new_record[Anum_pg_authid_rolinherit-1]=BoolGetDatum(inherit);`
`369`	`369`	`new_record[Anum_pg_authid_rolcreaterole-1]=BoolGetDatum(createrole);`
`370`	`370`	`new_record[Anum_pg_authid_rolcreatedb-1]=BoolGetDatum(createdb);`
`371`		`-/* superuser gets catupdate right by default */`
`372`		`-new_record[Anum_pg_authid_rolcatupdate-1]=BoolGetDatum(issuper);`
`373`	`371`	`new_record[Anum_pg_authid_rolcanlogin-1]=BoolGetDatum(canlogin);`
`374`	`372`	`new_record[Anum_pg_authid_rolreplication-1]=BoolGetDatum(isreplication);`
`375`	`373`	`new_record[Anum_pg_authid_rolconnlimit-1]=Int32GetDatum(connlimit);`
`@@ -734,20 +732,12 @@ AlterRole(AlterRoleStmt *stmt)`
`734`	`732`	`MemSet(new_record_repl, false,sizeof(new_record_repl));`
`735`	`733`
`736`	`734`	`/*`
`737`		`- * issuper/createrole/catupdate/etc`
`738`		`- *`
`739`		`- * XXX It's rather unclear how to handle catupdate. It's probably best to`
`740`		`- * keep it equal to the superuser status, otherwise you could end up with`
`741`		`- * a situation where no existing superuser can alter the catalogs,`
`742`		`- * including pg_authid!`
	`735`	`+ * issuper/createrole/etc`
`743`	`736`	`*/`
`744`	`737`	`if (issuper >=0)`
`745`	`738`	`{`
`746`	`739`	`new_record[Anum_pg_authid_rolsuper-1]=BoolGetDatum(issuper>0);`
`747`	`740`	`new_record_repl[Anum_pg_authid_rolsuper-1]= true;`
`748`		`-`
`749`		`-new_record[Anum_pg_authid_rolcatupdate-1]=BoolGetDatum(issuper>0);`
`750`		`-new_record_repl[Anum_pg_authid_rolcatupdate-1]= true;`
`751`	`741`	`}`
`752`	`742`
`753`	`743`	`if (inherit >=0)`

`‎src/include/catalog/catversion.h`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@`
`53`	`53`	`*/`
`54`	`54`
`55`	`55`	`/yyyymmddN /`
`56`		`-#defineCATALOG_VERSION_NO201503031`
	`56`	`+#defineCATALOG_VERSION_NO201503061`
`57`	`57`
`58`	`58`	`#endif`

`‎src/include/catalog/pg_authid.h`

Lines changed: 8 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,6 @@ CATALOG(pg_authid,1260) BKI_SHARED_RELATION BKI_ROWTYPE_OID(2842) BKI_SCHEMA_MAC`
`49`	`49`	`boolrolinherit;/* inherit privileges from other roles? */`
`50`	`50`	`boolrolcreaterole;/* allowed to create more roles? */`
`51`	`51`	`boolrolcreatedb;/* allowed to create databases? */`
`52`		`-boolrolcatupdate;/* allowed to alter catalogs manually? */`
`53`	`52`	`boolrolcanlogin;/* allowed to log in as session user? */`
`54`	`53`	`boolrolreplication;/* role used for streaming replication */`
`55`	`54`	`boolrolbypassrls;/* allowed to bypass row level security? */`
`@@ -76,19 +75,18 @@ typedef FormData_pg_authid *Form_pg_authid;`
`76`	`75`	`*compiler constants for pg_authid`
`77`	`76`	`* ----------------`
`78`	`77`	`*/`
`79`		`-#defineNatts_pg_authid12`
	`78`	`+#defineNatts_pg_authid11`
`80`	`79`	`#defineAnum_pg_authid_rolname1`
`81`	`80`	`#defineAnum_pg_authid_rolsuper2`
`82`	`81`	`#defineAnum_pg_authid_rolinherit3`
`83`	`82`	`#defineAnum_pg_authid_rolcreaterole4`
`84`	`83`	`#defineAnum_pg_authid_rolcreatedb5`
`85`		`-#defineAnum_pg_authid_rolcatupdate6`
`86`		`-#defineAnum_pg_authid_rolcanlogin7`
`87`		`-#defineAnum_pg_authid_rolreplication8`
`88`		`-#defineAnum_pg_authid_rolbypassrls9`
`89`		`-#defineAnum_pg_authid_rolconnlimit10`
`90`		`-#defineAnum_pg_authid_rolpassword11`
`91`		`-#defineAnum_pg_authid_rolvaliduntil12`
	`84`	`+#defineAnum_pg_authid_rolcanlogin6`
	`85`	`+#defineAnum_pg_authid_rolreplication7`
	`86`	`+#defineAnum_pg_authid_rolbypassrls8`
	`87`	`+#defineAnum_pg_authid_rolconnlimit9`
	`88`	`+#defineAnum_pg_authid_rolpassword10`
	`89`	`+#defineAnum_pg_authid_rolvaliduntil11`
`92`	`90`
`93`	`91`	`/* ----------------`
`94`	`92`	`*initial contents of pg_authid`
`@@ -97,7 +95,7 @@ typedef FormData_pg_authid *Form_pg_authid;`
`97`	`95`	`* user choices.`
`98`	`96`	`* ----------------`
`99`	`97`	`*/`
`100`		`-DATA(insertOID=10 ("POSTGRES"tttttttt-1_null__null_));`
	`98`	`+DATA(insertOID=10 ("POSTGRES"ttttttt-1_null__null_));`
`101`	`99`
`102`	`100`	`#defineBOOTSTRAP_SUPERUSERID 10`
`103`	`101`

`‎src/test/regress/expected/privileges.out`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -676,7 +676,11 @@ ERROR: role "nosuchuser" does not exist`
`676`	`676`	`select has_table_privilege('pg_authid','sel');`
`677`	`677`	`ERROR: unrecognized privilege type: "sel"`
`678`	`678`	`select has_table_privilege(-999999,'pg_authid','update');`
`679`		`-ERROR: role with OID 4293967297 does not exist`
	`679`	`+ has_table_privilege`
	`680`	`+---------------------`
	`681`	`+ f`
	`682`	`+(1 row)`
	`683`	`+`
`680`	`684`	`select has_table_privilege(1,'select');`
`681`	`685`	`has_table_privilege`
`682`	`686`	`---------------------`

`‎src/test/regress/expected/rules.out`

Lines changed: 0 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1406,7 +1406,6 @@ pg_roles\| SELECT pg_authid.rolname,`
`1406`	`1406`	`pg_authid.rolinherit,`
`1407`	`1407`	`pg_authid.rolcreaterole,`
`1408`	`1408`	`pg_authid.rolcreatedb,`
`1409`		`- pg_authid.rolcatupdate,`
`1410`	`1409`	`pg_authid.rolcanlogin,`
`1411`	`1410`	`pg_authid.rolreplication,`
`1412`	`1411`	`pg_authid.rolconnlimit,`
`@@ -1607,7 +1606,6 @@ pg_shadow\| SELECT pg_authid.rolname AS usename,`
`1607`	`1606`	`pg_authid.oid AS usesysid,`
`1608`	`1607`	`pg_authid.rolcreatedb AS usecreatedb,`
`1609`	`1608`	`pg_authid.rolsuper AS usesuper,`
`1610`		`- pg_authid.rolcatupdate AS usecatupd,`
`1611`	`1609`	`pg_authid.rolreplication AS userepl,`
`1612`	`1610`	`pg_authid.rolbypassrls AS usebypassrls,`
`1613`	`1611`	`pg_authid.rolpassword AS passwd,`
`@@ -2062,7 +2060,6 @@ pg_user\| SELECT pg_shadow.usename,`
`2062`	`2060`	`pg_shadow.usesysid,`
`2063`	`2061`	`pg_shadow.usecreatedb,`
`2064`	`2062`	`pg_shadow.usesuper,`
`2065`		`- pg_shadow.usecatupd,`
`2066`	`2063`	`pg_shadow.userepl,`
`2067`	`2064`	`pg_shadow.usebypassrls,`
`2068`	`2065`	`'********'::text AS passwd,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbb8582a

File tree

8 files changed

8 files changed

`‎doc/src/sgml/catalogs.sgml`

`‎src/backend/catalog/aclchk.c`

`‎src/backend/catalog/system_views.sql`

`‎src/backend/commands/user.c`

`‎src/include/catalog/catversion.h`

`‎src/include/catalog/pg_authid.h`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/expected/rules.out`

0 commit comments