Commit59b96dd

committed
row level security and ownership checking
1 parentaf70495 commit59b96dd

13 files changed

+143
-2022
lines changed

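--- a/hash.sql
+++ b/hash.sql
@@ -27,6 +27,8 @@ DECLARE
 v_init_callbackREGPROCEDURE;
 
 BEGIN
+PERFORM @extschema@.check_permissions(parent_relid);
+
 IF partition_data= true THEN
 /* Acquire data modification lock*/
 PERFORM @extschema@.prevent_relation_modification(parent_relid);
@@ -35,7 +37,6 @@ BEGIN
 PERFORM @extschema@.lock_partitioned_relation(parent_relid);
 END IF;
 
-PERFORM @extschema@.validate_relname(parent_relid);
 attribute :=lower(attribute);
 PERFORM @extschema@.common_relation_checks(parent_relid, attribute);
 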
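Review bot: The new check at line 30 is the only step in this BEGIN block without a comment, while the neighbouring lock steps each carry one; a one-liner such as `/* Only the relation owner or a superuser may partition it; raises otherwise */` would make the intent, and the fact that it throws (per the comment on check_permissions in init.sql), visible at the call site. Note also that check_permissions is declared STRICT, so a NULL parent_relid makes the PERFORM yield NULL silently instead of raising, whereas the removed validate_relname presumably reported a missing relation — this only matters if the enclosing function, whose header is outside this hunk, is not itself STRICT. The four range.sql hunks that add the same call have the same shape.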
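--- a/init.sql
+++ b/init.sql
@@ -42,6 +42,39 @@ CREATE TABLE IF NOT EXISTS @extschema@.pathman_config_params (
 CREATEUNIQUE INDEXi_pathman_config_params
 ON @extschema@.pathman_config_params(partrel);
 
+GRANTSELECT, INSERT,UPDATE,DELETE
+ON @extschema@.pathman_config, @extschema@.pathman_config_params
+TO public;
+
+/*
+* Check if current user can alter/drop specified relation
+*/
+CREATEOR REPLACE FUNCTION @extschema@.can_manage_relation(relation regclass)
+RETURNS BOOLAS'pg_pathman','can_manage_relation' LANGUAGE C STRICT;
+
+/*
+* Check user permissions. If permission denied then throw an error.
+*/
+CREATEOR REPLACE FUNCTION @extschema@.check_permissions(relation regclass)
+RETURNS BOOLAS'pg_pathman','check_permissions' LANGUAGE C STRICT;
+
+/*
+* Row security policy to restrict partitioning operations to owner and
+* superusers only
+*/
+CREATE POLICY deny_modificationON @extschema@.pathman_config
+FOR ALL USING (can_manage_relation(partrel));
+
+CREATE POLICY deny_modificationON @extschema@.pathman_config_params
+FOR ALL USING (can_manage_relation(partrel));
+
+CREATE POLICY allow_selectON @extschema@.pathman_config FORSELECT USING (true);
+
+CREATE POLICY allow_selectON @extschema@.pathman_config_params FORSELECT USING (true);
+
+ALTERTABLE @extschema@.pathman_config ENABLE ROW LEVEL SECURITY;
+ALTERTABLE @extschema@.pathman_config_params ENABLE ROW LEVEL SECURITY;
+
 /*
 * Invalidate relcache every time someone changes parameters config.
 */
@@ -96,6 +129,8 @@ CREATE OR REPLACE FUNCTION @extschema@.pathman_set_param(
 RETURNS VOIDAS
 $$
 BEGIN
+PERFORM @extschema@.check_permissions(relation);
+
 EXECUTE format('INSERT INTO @extschema@.pathman_config_params
 (partrel, %1$s) VALUES ($1, $2)
 ON CONFLICT (partrel) DO UPDATE SET %1$s = $2', param)
@@ -301,7 +336,7 @@ CREATE OR REPLACE FUNCTION @extschema@.disable_pathman_for(
 RETURNS VOIDAS
 $$
 BEGIN
-PERFORM @extschema@.validate_relname(parent_relid);
+PERFORM @extschema@.check_permissions(parent_relid);
 
 DELETEFROM @extschema@.pathman_configWHERE partrel= parent_relid;
 PERFORM @extschema@.drop_triggers(parent_relid);
@@ -400,28 +435,6 @@ END
 $$
 LANGUAGE plpgsql STRICT;
 
-/*
-* Validates relation name. It must be schema qualified.
-*/
-CREATEOR REPLACE FUNCTION @extschema@.validate_relname(
-clsREGCLASS)
-RETURNSTEXTAS
-$$
-DECLARE
-relnameTEXT;
-
-BEGIN
-relname= @extschema@.get_schema_qualified_name(cls);
-
-IF relname ISNULL THEN
-RAISE EXCEPTION'relation %s does not exist', cls;
-END IF;
-
-RETURN relname;
-END
-$$
-LANGUAGE plpgsql;
-
 /*
 * Check if two relations have equal structures.
 */
@@ -517,7 +530,7 @@ DECLARE
 v_relkindCHAR;
 
 BEGIN
-PERFORM @extschema@.validate_relname(parent_relid);
+PERFORM @extschema@.check_permissions(parent_relid);
 
 /* Drop trigger first*/
 PERFORM @extschema@.drop_triggers(parent_relid);
@@ -586,9 +599,6 @@ DECLARE
 recRECORD;
 
 BEGIN
-PERFORM @extschema@.validate_relname(parent_relid);
-PERFORM @extschema@.validate_relname(partition);
-
 FOR recIN (SELECToidas conidFROMpg_catalog.pg_constraint
 WHERE conrelid= parent_relidAND contype='f')
 LOOP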
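Review bot: In the policies at new lines 65-69, `can_manage_relation(partrel)` is the only unqualified reference to an extension function in this file; every other call is written `@extschema@.name(...)`. The expression is bound when CREATE POLICY runs, and the extension script is executed with search_path set to the target schema, so it resolves today, but the inconsistency is worth fixing: `FOR ALL USING (@extschema@.can_manage_relation(partrel));` in both policies. Because the FOR ALL policies give no WITH CHECK clause, the USING expression also governs INSERT and the new row of UPDATE, which is what the GRANT to public at lines 45-47 relies on — a short comment stating that above the GRANT would save the next reader the lookup. Separately, the check added in the pathman_set_param hunk guards `relation`, but `param` is still spliced into the statement with `%1$s`; if that value can ever come from a caller rather than a fixed wrapper, `%1$I` is the identifier-safe form.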
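--- a/range.sql
+++ b/range.sql
@@ -95,6 +95,8 @@ DECLARE
 iINTEGER;
 
 BEGIN
+PERFORM @extschema@.check_permissions(parent_relid);
+
 IF partition_data= true THEN
 /* Acquire data modification lock*/
 PERFORM @extschema@.prevent_relation_modification(parent_relid);
@@ -103,7 +105,6 @@ BEGIN
 PERFORM @extschema@.lock_partitioned_relation(parent_relid);
 END IF;
 
-PERFORM @extschema@.validate_relname(parent_relid);
 p_attribute :=lower(p_attribute);
 PERFORM @extschema@.common_relation_checks(parent_relid, p_attribute);
 
@@ -207,6 +208,8 @@ DECLARE
 iINTEGER;
 
 BEGIN
+PERFORM @extschema@.check_permissions(parent_relid);
+
 IF partition_data= true THEN
 /* Acquire data modification lock*/
 PERFORM @extschema@.prevent_relation_modification(parent_relid);
@@ -215,7 +218,6 @@ BEGIN
 PERFORM @extschema@.lock_partitioned_relation(parent_relid);
 END IF;
 
-PERFORM @extschema@.validate_relname(parent_relid);
 p_attribute :=lower(p_attribute);
 PERFORM @extschema@.common_relation_checks(parent_relid, p_attribute);
 
@@ -314,6 +316,8 @@ DECLARE
 part_countINTEGER :=0;
 
 BEGIN
+PERFORM @extschema@.check_permissions(parent_relid);
+
 IF partition_data= true THEN
 /* Acquire data modification lock*/
 PERFORM @extschema@.prevent_relation_modification(parent_relid);
@@ -322,7 +326,6 @@ BEGIN
 PERFORM @extschema@.lock_partitioned_relation(parent_relid);
 END IF;
 
-PERFORM @extschema@.validate_relname(parent_relid);
 p_attribute :=lower(p_attribute);
 PERFORM @extschema@.common_relation_checks(parent_relid, p_attribute);
 
@@ -387,6 +390,8 @@ DECLARE
 part_countINTEGER :=0;
 
 BEGIN
+PERFORM @extschema@.check_permissions(parent_relid);
+
 IF partition_data= true THEN
 /* Acquire data modification lock*/
 PERFORM @extschema@.prevent_relation_modification(parent_relid);
@@ -395,7 +400,6 @@ BEGIN
 PERFORM @extschema@.lock_partitioned_relation(parent_relid);
 END IF;
 
-PERFORM @extschema@.validate_relname(parent_relid);
 p_attribute :=lower(p_attribute);
 PERFORM @extschema@.common_relation_checks(parent_relid, p_attribute);
 
@@ -559,7 +563,6 @@ DECLARE
 v_check_nameTEXT;
 
 BEGIN
-PERFORM @extschema@.validate_relname(p_partition);
 v_parent= @extschema@.get_parent_of_partition(p_partition);
 
 /* Acquire lock on parent*/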
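Review bot: The last hunk (@@ -559,7 +563,6) removes `validate_relname(p_partition)` but, unlike the four hunks above it, does not put a `check_permissions` call in its place, so this function goes straight to `get_parent_of_partition(p_partition)` with neither an existence check nor an ownership check visible here. The function's header and the rest of its body are outside the hunk, so a check may exist further down or in every caller; if it does not, `PERFORM @extschema@.check_permissions(p_partition);` at new line 566 (or a check on v_parent once it is known) closes the gap. The init.sql hunk at @@ -586,9 +599,6 has the same shape: both validate_relname calls are removed and nothing is added in their place.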