database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-30 11:03:19 +03:00
Code Activity

Stop accessing checkAsUser via RTE in some cases

Browse Source 
A future commit will move the checkAsUser field from RangeTblEntry
to a new node that, unlike RTEs, will only be created for tables
mentioned in the query but not for the inheritance child relations
added to the query by the planner.  So, checkAsUser value for a
given child relation will have to be obtained by referring to that
for its ancestor mentioned in the query.

In preparation, it seems better to expand the use of RelOptInfo.userid
during planning in place of rte->checkAsUser so that there will be
fewer places to adjust for the above change.

Given that the child-to-ancestor mapping is not available during the
execution of a given "child" ForeignScan node, add a checkAsUser
field to ForeignScan to carry the child relation's RelOptInfo.userid.

Author: Amit Langote <amitlangote09@gmail.com>
Discussion: https://postgr.es/m/CA+HiwqGFCs2uq7VRKi7g+FFKbP6Ea_2_HkgZb2HPhUfaAKT3ng@mail.gmail.com
This commit is contained in:
Alvaro Herrera
2022-11-30 12:07:03 +01:00
parent d2a4490401
commit 599b33b949
9 changed files with 39 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/backend/utils/adt/selfuncs.c
View File

@ -5155,10 +5155,11 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
Assert(rte->rtekind == RTE_RELATION);
/*
* Use checkAsUser if it's set, in case we're
* accessing the table via a view.
* Use onerel->userid if it's set, in case
* we're accessing the table via a view.
*/
userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
userid = OidIsValid(onerel->userid) ?
onerel->userid : GetUserId();
/*
* For simplicity, we insist on the whole
@ -5210,7 +5211,8 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
rte = planner_rt_fetch(varno, root);
Assert(rte->rtekind == RTE_RELATION);
userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
userid = OidIsValid(onerel->userid) ?
onerel->userid : GetUserId();
vardata->acl_ok =
rte->securityQuals == NIL &&
@ -5290,10 +5292,11 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
vardata->freefunc = ReleaseDummy;
/*
* Use checkAsUser if it's set, in case we're accessing
* Use onerel->userid if it's set, in case we're accessing
* the table via a view.
*/
userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
userid = OidIsValid(onerel->userid) ?
onerel->userid : GetUserId();
/*
* For simplicity, we insist on the whole table being
@ -5341,7 +5344,8 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
rte = planner_rt_fetch(varno, root);
Assert(rte->rtekind == RTE_RELATION);
userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
userid = OidIsValid(onerel->userid) ?
onerel->userid : GetUserId();
vardata->acl_ok =
rte->securityQuals == NIL &&
@ -5402,15 +5406,17 @@ examine_simple_variable(PlannerInfo *root, Var *var,
if (HeapTupleIsValid(vardata->statsTuple))
{
RelOptInfo *onerel = find_base_rel(root, var->varno);
Oid userid;
/*
* Check if user has permission to read this column. We require
* all rows to be accessible, so there must be no securityQuals
* from security barrier views or RLS policies. Use checkAsUser
* if it's set, in case we're accessing the table via a view.
* from security barrier views or RLS policies. Use
* onerel->userid if it's set, in case we're accessing the table
* via a view.
*/
userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
userid = OidIsValid(onerel->userid) ? onerel->userid : GetUserId();
vardata->acl_ok =
rte->securityQuals == NIL &&
@ -5479,7 +5485,8 @@ examine_simple_variable(PlannerInfo *root, Var *var,
rte = planner_rt_fetch(varno, root);
Assert(rte->rtekind == RTE_RELATION);
userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
userid = OidIsValid(onerel->userid) ?
onerel->userid : GetUserId();
vardata->acl_ok =
rte->securityQuals == NIL &&