database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-08-30 06:01:21 +03:00
Code Activity

Altering default privileges on schemas

Browse Source 
Extend ALTER DEFAULT PRIVILEGES command to schemas.

Author: Matheus Oliveira
Reviewed-by: Petr Jelínek, Ashutosh Sharma

https://commitfest.postgresql.org/13/887/
This commit is contained in:
Teodor Sigaev
2017-03-28 18:58:55 +03:00
parent 85163641f8
commit ab89e465cb
13 changed files with 176 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/backend/catalog/aclchk.c
View File

@@ -959,6 +959,10 @@ ExecAlterDefaultPrivilegesStmt(ParseState *pstate, AlterDefaultPrivilegesStmt *s
all_privileges = ACL_ALL_RIGHTS_TYPE;
errormsg = gettext_noop("invalid privilege type %s for type");
break;
case ACL_OBJECT_NAMESPACE:
all_privileges = ACL_ALL_RIGHTS_NAMESPACE;
errormsg = gettext_noop("invalid privilege type %s for schema");
break;
default:
elog(ERROR, "unrecognized GrantStmt.objtype: %d",
(int) action->objtype);
@@ -1146,6 +1150,16 @@ SetDefaultACL(InternalDefaultACL *iacls)
this_privileges = ACL_ALL_RIGHTS_TYPE;
break;
case ACL_OBJECT_NAMESPACE:
if (OidIsValid(iacls->nspid))
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS")));
objtype = DEFACLOBJ_NAMESPACE;
if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
this_privileges = ACL_ALL_RIGHTS_NAMESPACE;
break;
default:
elog(ERROR, "unrecognized objtype: %d",
(int) iacls->objtype);
@@ -1369,6 +1383,9 @@ RemoveRoleFromObjectACL(Oid roleid, Oid classid, Oid objid)
case DEFACLOBJ_TYPE:
iacls.objtype = ACL_OBJECT_TYPE;
break;
case DEFACLOBJ_NAMESPACE:
iacls.objtype = ACL_OBJECT_NAMESPACE;
break;
default:
/* Shouldn't get here */
elog(ERROR, "unexpected default ACL type: %d",
@@ -5259,6 +5276,10 @@ get_user_default_acl(GrantObjectType objtype, Oid ownerId, Oid nsp_oid)
defaclobjtype = DEFACLOBJ_TYPE;
break;
case ACL_OBJECT_NAMESPACE:
defaclobjtype = DEFACLOBJ_NAMESPACE;
break;
default:
return NULL;
}

14
src/backend/catalog/objectaddress.c
View File

@@ -1843,11 +1843,14 @@ get_object_address_defacl(List *object, bool missing_ok)
case DEFACLOBJ_TYPE:
objtype_str = "types";
break;
case DEFACLOBJ_NAMESPACE:
objtype_str = "schemas";
break;
default:
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("unrecognized default ACL object type %c", objtype),
errhint("Valid object types are \"r\", \"S\", \"f\", and \"T\".")));
errhint("Valid object types are \"r\", \"S\", \"f\", \"T\" and \"s\".")));
}
/*
@@ -3255,6 +3258,11 @@ getObjectDescription(const ObjectAddress *object)
_("default privileges on new types belonging to role %s"),
GetUserNameFromId(defacl->defaclrole, false));
break;
case DEFACLOBJ_NAMESPACE:
appendStringInfo(&buffer,
_("default privileges on new schemas belonging to role %s"),
GetUserNameFromId(defacl->defaclrole, false));
break;
default:
/* shouldn't get here */
appendStringInfo(&buffer,
@@ -4762,6 +4770,10 @@ getObjectIdentityParts(const ObjectAddress *object,
appendStringInfoString(&buffer,
" on types");
break;
case DEFACLOBJ_NAMESPACE:
appendStringInfoString(&buffer,
" on schemas");
break;
}
if (objname)

21
src/backend/catalog/pg_namespace.c
View File

@@ -31,10 +31,11 @@
* Create a namespace (schema) with the given name and owner OID.
*
* If isTemp is true, this schema is a per-backend schema for holding
* temporary tables. Currently, the only effect of that is to prevent it
* from being linked as a member of any active extension. (If someone
* does CREATE TEMP TABLE in an extension script, we don't want the temp
* schema to become part of the extension.)
* temporary tables. Currently, it is used to prevent it from being
* linked as a member of any active extension. (If someone does CREATE
* TEMP TABLE in an extension script, we don't want the temp schema to
* become part of the extension). And to avoid checking for default ACL
* for temp namespace (as it is not necessary).
* ---------------
*/
Oid
@@ -49,6 +50,7 @@ NamespaceCreate(const char *nspName, Oid ownerId, bool isTemp)
TupleDesc tupDesc;
ObjectAddress myself;
int i;
Acl *nspacl;
/* sanity checks */
if (!nspName)
@@ -60,6 +62,12 @@ NamespaceCreate(const char *nspName, Oid ownerId, bool isTemp)
(errcode(ERRCODE_DUPLICATE_SCHEMA),
errmsg("schema \"%s\" already exists", nspName)));
if (!isTemp)
nspacl = get_user_default_acl(ACL_OBJECT_NAMESPACE, ownerId,
InvalidOid);
else
nspacl = NULL;
/* initialize nulls and values */
for (i = 0; i < Natts_pg_namespace; i++)
{
@@ -69,7 +77,10 @@ NamespaceCreate(const char *nspName, Oid ownerId, bool isTemp)
namestrcpy(&nname, nspName);
values[Anum_pg_namespace_nspname - 1] = NameGetDatum(&nname);
values[Anum_pg_namespace_nspowner - 1] = ObjectIdGetDatum(ownerId);
nulls[Anum_pg_namespace_nspacl - 1] = true;
if (nspacl != NULL)
values[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(nspacl);
else
nulls[Anum_pg_namespace_nspacl - 1] = true;
nspdesc = heap_open(NamespaceRelationId, RowExclusiveLock);
tupDesc = nspdesc->rd_att;

4
src/backend/parser/gram.y
View File

@@ -668,7 +668,7 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
RESET RESTART RESTRICT RETURNING RETURNS REVOKE RIGHT ROLE ROLLBACK ROLLUP
ROW ROWS RULE
SAVEPOINT SCHEMA SCROLL SEARCH SECOND_P SECURITY SELECT SEQUENCE SEQUENCES
SAVEPOINT SCHEMA SCHEMAS SCROLL SEARCH SECOND_P SECURITY SELECT SEQUENCE SEQUENCES
SERIALIZABLE SERVER SESSION SESSION_USER SET SETS SETOF SHARE SHOW
SIMILAR SIMPLE SKIP SLOT SMALLINT SNAPSHOT SOME SQL_P STABLE STANDALONE_P
START STATEMENT STATISTICS STDIN STDOUT STORAGE STRICT_P STRIP_P
@@ -7035,6 +7035,7 @@ defacl_privilege_target:
| FUNCTIONS { $$ = ACL_OBJECT_FUNCTION; }
| SEQUENCES { $$ = ACL_OBJECT_SEQUENCE; }
| TYPES_P { $$ = ACL_OBJECT_TYPE; }
| SCHEMAS { $$ = ACL_OBJECT_NAMESPACE; }
;
@@ -14713,6 +14714,7 @@ unreserved_keyword:
| RULE
| SAVEPOINT
| SCHEMA
| SCHEMAS
| SCROLL
| SEARCH
| SECOND_P