Privileges on functions and procedural languages

2025-06-13 07:41:39 +03:00 · 2002-02-18 23:11:58 +00:00
parent 5e03503126
commit 8adf56f77a
35 changed files with 2325 additions and 1534 deletions
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@ -1,6 +1,6 @@
 <!--
 Documentation of the system catalogs, directed toward PostgreSQL developers
- $Header: /cvsroot/pgsql/doc/src/sgml/catalogs.sgml,v 2.29 2001/11/21 05:53:40 thomas Exp $
+ $Header: /cvsroot/pgsql/doc/src/sgml/catalogs.sgml,v 2.30 2002/02/18 23:10:59 petere Exp $
 -->

 <chapter id="catalogs">
@ -1261,6 +1261,13 @@
      <entry></entry>
      <entry>not currently used</entry>
     </row>
+
+     <row>
+      <entry>lanacl</entry>
+      <entry><type>aclitem[]</type></entry>
+      <entry></entry>
+      <entry>Access permissions</entry>
+     </row>
    </tbody>
   </tgroup>
  </table>
@ -1699,6 +1706,13 @@
      Again, the interpretation is language-specific.
      </entry>
     </row>
+
+     <row>
+      <entry>proacl</entry>
+      <entry><type>aclitem[]</type></entry>
+      <entry></entry>
+      <entry>Access permissions</entry>
+     </row>
    </tbody>
   </tgroup>
  </table>
--- a/doc/src/sgml/ref/create_function.sgml
+++ b/doc/src/sgml/ref/create_function.sgml
@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.30 2001/12/08 03:24:34 thomas Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.31 2002/02/18 23:11:02 petere Exp $
 -->

 <refentry id="SQL-CREATEFUNCTION">
@ -270,6 +270,17 @@ CREATE [ OR REPLACE ] FUNCTION <replaceable class="parameter">name</replaceable>
    definition without breaking objects that refer to the function.
   </para>

+  <para>
+   To be able to define a function, the user must have the
+   <literal>USAGE</literal> privilege on the language.
+  </para>
+
+  <para>
+   By default, only the owner (creator) of the function has the right
+   to execute it.  Other users must be granted the
+   <literal>EXECUTE</literal> privilege on the function to be able to
+   use it.
+  </para>
 </refsect1>

  
@ -369,7 +380,9 @@ Point * complex_to_point (Complex *z)

  <para>
   <xref linkend="sql-dropfunction">,
+   <xref linkend="sql-grant">,
   <xref linkend="sql-load">,
+   <xref linkend="sql-revoke">,
   <citetitle>PostgreSQL Programmer's Guide</citetitle>
  </para>
 </refsect1>
--- a/doc/src/sgml/ref/create_language.sgml
+++ b/doc/src/sgml/ref/create_language.sgml
@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_language.sgml,v 1.20 2001/12/08 03:24:34 thomas Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_language.sgml,v 1.21 2002/02/18 23:11:02 petere Exp $
 PostgreSQL documentation
 -->

@ -203,8 +203,8 @@ ERROR:  PL handler function <replaceable class="parameter">funcname</replaceable
   lanname   | lanispl | lanpltrusted | lanplcallfoid | lancompiler
 -------------+---------+--------------+---------------+-------------
 internal    | f       | f            |             0 | n/a
- C           | f       | f            |             0 | /bin/cc
- sql         | f       | f            |             0 | postgres
+ c           | f       | f            |             0 | /bin/cc
+ sql         | f       | t            |             0 | postgres
 </screen>
  </para>

@ -212,6 +212,13 @@ ERROR:  PL handler function <replaceable class="parameter">funcname</replaceable
   At present, the definition of a procedural language cannot be
   changed once it has been created.
  </para>
+
+  <para>
+   To be able to use a procedural language, a user must be granted the
+   <literal>USAGE</literal> privilege.  The
+   <command>createlang</command> program automatically grants
+   permissions to everyone if the language is known to be trusted.
+  </para>
 </refsect1>

 <refsect1 id="sql-createlanguage-examples">
@ -257,6 +264,8 @@ CREATE LANGUAGE plsample
    <member><xref linkend="sql-createfunction"></member>
    <member><xref linkend="app-droplang"></member>
    <member><xref linkend="sql-droplanguage"></member>
+    <member><xref linkend="sql-grant"></member>
+    <member><xref linkend="sql-revoke"></member>
    <member><citetitle>PostgreSQL Programmer's Guide</citetitle></member>
   </simplelist>
  </para>
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.19 2002/01/20 22:19:57 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.20 2002/02/18 23:11:02 petere Exp $
 PostgreSQL documentation
 -->

@ -19,6 +19,14 @@ PostgreSQL documentation
 GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
    ON [ TABLE ] <replaceable class="PARAMETER">objectname</replaceable> [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+GRANT { EXECUTE | ALL [ PRIVILEGES ] }
+    ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+GRANT { USAGE | ALL [ PRIVILEGES ] }
+    ON LANGUAGE <replaceable>langname</replaceable> [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 </synopsis>
 </refsynopsisdiv>

@ -27,8 +35,9 @@ GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,..

  <para>
   The <command>GRANT</command> command gives specific permissions on
-   an object (table, view, sequence) to one or more users or groups of users.
-   These permissions are added to those already granted, if any.
+   an object (table, view, sequence, function, procedural language) to
+   one or more users or groups of users.  These permissions are added
+   to those already granted, if any.
  </para>

  <para>
@ -134,14 +143,36 @@ GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,..
     </listitem>
    </varlistentry>

+    <varlistentry>
+     <term>EXECUTE</term>
+     <listitem>
+      <para>
+       Allows the use of the specified function and the use of any
+       operators that are implemented on top of the function.  This is
+       the only type of privilege that is applicable to functions.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term>USAGE</term>
+     <listitem>
+      <para>
+       Allows the use of the specified procedural language for the
+       creation of functions in that language.  This is the only type
+       of privilege that is applicable to procedural languages.
+      </para>
+     </listitem>
+    </varlistentry>
+
    <varlistentry>
     <term>ALL PRIVILEGES</term>
     <listitem>
      <para>
-       Grant all of the above privileges at once.  The
-       <literal>PRIVILEGES</literal> key word is optional in
-       <productname>PostgreSQL</productname>, though it is
-       required by strict SQL.
+       Grant all of the privileges applicable to the object at once.
+       The <literal>PRIVILEGES</literal> key word is optional in
+       <productname>PostgreSQL</productname>, though it is required by
+       strict SQL.
      </para>
     </listitem>
    </varlistentry>
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.19 2001/12/08 03:24:39 thomas Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.20 2002/02/18 23:11:03 petere Exp $
 PostgreSQL documentation
 -->

@ -19,6 +19,14 @@ PostgreSQL documentation
 REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
    ON [ TABLE ] <replaceable class="PARAMETER">object</replaceable> [, ...]
    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+REVOKE { EXECUTE | ALL [ PRIVILEGES ] }
+    ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
+    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+REVOKE { USAGE | ALL [ PRIVILEGES ] }
+    ON LANGUAGE <replaceable>langname</replaceable> [, ...]
+    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 </synopsis>
 </refsynopsisdiv>

--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@ -1,10 +1,35 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.115 2002/01/31 21:20:03 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.116 2002/02/18 23:11:00 petere Exp $
 -->

 <appendix id="release">
 <title>Release Notes</title>

+ <sect1 id="release-devel">
+  <title>&version; Development Branch</title>
+
+  <para>
+   Below is a subset of the changes that have gone into the
+   development branch of PostgreSQL since version 7.2.  For a complete
+   list of changes, consult the CVS logs.
+  </para>
+
+<!--
+Developers: When you add a feature, mention it here.  This avoids
+lossiness when digging out the information from the CVS logs, and
+furthermore it advertises your feature to external parties at the
+earliest possible moment.
+ 
+CDATA means the content is "SGML-free", so you can write without
+worries about funny characters.
+-->
+<literallayout><![CDATA[
+Access privileges on functions
+Access privileges on procedural languages
+]]></literallayout>
+
+ </sect1>
+
 <sect1 id="release-7-2">
  <title>Release 7.2</title>