Eliminate cache lookup errors in SQL functions for object addresses
When using the following functions, users could see various types of errors of the type "cache lookup failed for OID XXX" with elog(), that can only be used for internal errors: * pg_describe_object() * pg_identify_object() * pg_identify_object_as_address() The set of APIs managing object addresses for all object types are made smarter by gaining a new argument "missing_ok" that allows any caller to control if an error is raised or not on an undefined object. The SQL functions listed above are changed to handle the case where an object is missing. Regression tests are added for all object types for the cases where these are undefined. Before this commit, these cases failed with cache lookup errors, and now they basically return NULL (minus the name of the object type requested). Author: Michael Paquier Reviewed-by: Aleksander Alekseev, Dmitry Dolgov, Daniel Gustafsson, Álvaro Herrera, Kyotaro Horiguchi Discussion: https://postgr.es/m/CAB7nPqSZxrSmdHK-rny7z8mi=EAFXJ5J-0RbzDw6aus=wB5azQ@mail.gmail.com
@ -142,7 +142,7 @@ sepgsql_database_drop(Oid databaseId)
|
||||
object.classId = DatabaseRelationId;
|
||||
object.objectId = databaseId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_DATABASE,
|
||||
@ -169,7 +169,7 @@ sepgsql_database_setattr(Oid databaseId)
|
||||
object.classId = DatabaseRelationId;
|
||||
object.objectId = databaseId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_DATABASE,
|
||||
@ -193,7 +193,7 @@ sepgsql_database_relabel(Oid databaseId, const char *seclabel)
|
||||
object.classId = DatabaseRelationId;
|
||||
object.objectId = databaseId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
/*
|
||||
* check db_database:{setattr relabelfrom} permission
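Review bot: The bare `false` passed to getObjectIdentity() in sepgsql_database_drop, sepgsql_database_setattr and sepgsql_database_relabel does not say what it selects, and nothing at these call sites records why that value is required. Going by the commit description it is the new missing_ok argument, so `false` keeps the raise-on-missing behaviour, and audit_name is then handed to sepgsql_avc_check_perms() in the context lines with no NULL check. A comment at the first call, e.g. `/* missing_ok = false: raise an error rather than return NULL; audit_name is used unchecked below */`, would stop a later switch to `true` from feeding a NULL name into the permission check and, presumably, its audit message. The same applies to the audit_name assignments in the check_relation_privileges, sepgsql_proc_*, sepgsql_attribute_*, sepgsql_relation_* and sepgsql_schema_* hunks, and to the inline calls in sepgsql_fmgr_hook, sepgsql_object_relabel and the *_post_create functions. Each of these function bodies starts and ends outside its hunk.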
|
||||
|
@ -179,7 +179,7 @@ check_relation_privileges(Oid relOid,
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
switch (relkind)
|
||||
{
|
||||
case RELKIND_RELATION:
|
||||
@ -256,7 +256,7 @@ check_relation_privileges(Oid relOid,
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = attnum;
|
||||
audit_name = getObjectDescription(&object);
|
||||
audit_name = getObjectDescription(&object, false);
|
||||
|
||||
result = sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_COLUMN,
|
||||
|
@ -355,7 +355,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_PROCEDURE,
|
||||
SEPG_DB_PROCEDURE__ENTRYPOINT,
|
||||
getObjectDescription(&object),
|
||||
getObjectDescription(&object, false),
|
||||
true);
|
||||
|
||||
sepgsql_avc_check_perms_label(stack->new_label,
|
||||
@ -523,7 +523,7 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
|
||||
ereport(ERROR,
|
||||
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
||||
errmsg("sepgsql provider does not support labels on %s",
|
||||
getObjectTypeDescription(object))));
|
||||
getObjectTypeDescription(object, false))));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -80,7 +80,7 @@ sepgsql_proc_post_create(Oid functionId)
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_SCHEMA,
|
||||
SEPG_DB_SCHEMA__ADD_NAME,
|
||||
getObjectIdentity(&object),
|
||||
getObjectIdentity(&object, false),
|
||||
true);
|
||||
|
||||
/*
|
||||
@ -114,7 +114,7 @@ sepgsql_proc_post_create(Oid functionId)
|
||||
object.classId = TypeRelationId;
|
||||
object.objectId = proForm->proargtypes.values[i];
|
||||
object.objectSubId = 0;
|
||||
appendStringInfoString(&audit_name, getObjectIdentity(&object));
|
||||
appendStringInfoString(&audit_name, getObjectIdentity(&object, false));
|
||||
}
|
||||
appendStringInfoChar(&audit_name, ')');
|
||||
|
||||
@ -164,7 +164,7 @@ sepgsql_proc_drop(Oid functionId)
|
||||
object.classId = NamespaceRelationId;
|
||||
object.objectId = get_func_namespace(functionId);
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_SCHEMA,
|
||||
@ -179,7 +179,7 @@ sepgsql_proc_drop(Oid functionId)
|
||||
object.classId = ProcedureRelationId;
|
||||
object.objectId = functionId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_PROCEDURE,
|
||||
@ -204,7 +204,7 @@ sepgsql_proc_relabel(Oid functionId, const char *seclabel)
|
||||
object.classId = ProcedureRelationId;
|
||||
object.objectId = functionId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
/*
|
||||
* check db_procedure:{setattr relabelfrom} permission
|
||||
@ -292,7 +292,7 @@ sepgsql_proc_setattr(Oid functionId)
|
||||
object.classId = ProcedureRelationId;
|
||||
object.objectId = functionId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_PROCEDURE,
|
||||
@ -324,7 +324,7 @@ sepgsql_proc_execute(Oid functionId)
|
||||
object.classId = ProcedureRelationId;
|
||||
object.objectId = functionId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_PROCEDURE,
|
||||
SEPG_DB_PROCEDURE__EXECUTE,
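Review bot: In the first sepgsql_proc_drop hunk, object.objectId is filled from get_func_namespace(functionId) and passed to getObjectIdentity(&object, false) with no visible validity check. If that lookup can come back empty (its definition is not on this page), the failure would presumably surface as the internal lookup error from getObjectIdentity() rather than as a sepgsql denial; it happens before sepgsql_avc_check_perms(), so the drop still fails closed. It is worth saying so at the call, e.g. `/* a missing schema raises an error here, before the permission check */`, or adding `Assert(OidIsValid(object.objectId));` ahead of it. sepgsql_relation_drop does the same with get_rel_namespace(relOid). Both function bodies extend beyond their hunks.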
|
||||
|
@ -102,7 +102,7 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
|
||||
|
||||
initStringInfo(&audit_name);
|
||||
appendStringInfo(&audit_name, "%s.%s",
|
||||
getObjectIdentity(&object),
|
||||
getObjectIdentity(&object, false),
|
||||
quote_identifier(NameStr(attForm->attname)));
|
||||
sepgsql_avc_check_perms_label(ncontext,
|
||||
SEPG_CLASS_DB_COLUMN,
|
||||
@ -146,7 +146,7 @@ sepgsql_attribute_drop(Oid relOid, AttrNumber attnum)
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = attnum;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_COLUMN,
|
||||
@ -178,7 +178,7 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = attnum;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
/*
|
||||
* check db_column:{setattr relabelfrom} permission
|
||||
@ -222,7 +222,7 @@ sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum)
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = attnum;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_COLUMN,
|
||||
@ -288,7 +288,7 @@ sepgsql_relation_post_create(Oid relOid)
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_SCHEMA,
|
||||
SEPG_DB_SCHEMA__ADD_NAME,
|
||||
getObjectIdentity(&object),
|
||||
getObjectIdentity(&object, false),
|
||||
true);
|
||||
|
||||
switch (classForm->relkind)
|
||||
@ -450,7 +450,7 @@ sepgsql_relation_drop(Oid relOid)
|
||||
object.classId = NamespaceRelationId;
|
||||
object.objectId = get_rel_namespace(relOid);
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_SCHEMA,
|
||||
@ -472,7 +472,7 @@ sepgsql_relation_drop(Oid relOid)
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
tclass,
|
||||
@ -503,7 +503,7 @@ sepgsql_relation_drop(Oid relOid)
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = attForm->attnum;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_COLUMN,
|
||||
@ -584,7 +584,7 @@ sepgsql_relation_relabel(Oid relOid, const char *seclabel)
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
/*
|
||||
* check db_xxx:{setattr relabelfrom} permission
|
||||
@ -695,7 +695,7 @@ sepgsql_relation_setattr(Oid relOid)
|
||||
object.classId = RelationRelationId;
|
||||
object.objectId = relOid;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
tclass,
|
||||
|
@ -123,7 +123,7 @@ sepgsql_schema_drop(Oid namespaceId)
|
||||
object.classId = NamespaceRelationId;
|
||||
object.objectId = namespaceId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_SCHEMA,
|
||||
@ -148,7 +148,7 @@ sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
|
||||
object.classId = NamespaceRelationId;
|
||||
object.objectId = namespaceId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
/*
|
||||
* check db_schema:{setattr relabelfrom} permission
|
||||
@ -186,7 +186,7 @@ check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
|
||||
object.classId = NamespaceRelationId;
|
||||
object.objectId = namespaceId;
|
||||
object.objectSubId = 0;
|
||||
audit_name = getObjectIdentity(&object);
|
||||
audit_name = getObjectIdentity(&object, false);
|
||||
|
||||
result = sepgsql_avc_check_perms(&object,
|
||||
SEPG_CLASS_DB_SCHEMA,
|
||||
|