database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-09-02 04:21:28 +03:00
Code Activity

Clean up some mess in row-security patches.

Browse Source 
Fix unsafe coding around PG_TRY in RelationBuildRowSecurity: can't change
a variable inside PG_TRY and then use it in PG_CATCH without marking it
"volatile".  In this case though it seems saner to avoid that by doing
a single assignment before entering the TRY block.

I started out just intending to fix that, but the more I looked at the
row-security code the more distressed I got.  This patch also fixes
incorrect construction of the RowSecurityPolicy cache entries (there was
not sufficient care taken to copy pass-by-ref data into the cache memory
context) and a whole bunch of sloppiness around the definition and use of
pg_policy.polcmd.  You can't use nulls in that column because initdb will
mark it NOT NULL --- and I see no particular reason why a null entry would
be a good idea anyway, so changing initdb's behavior is not the right
answer.  The internal value of '\0' wouldn't be suitable in a "char" column
either, so after a bit of thought I settled on using '*' to represent ALL.
Chasing those changes down also revealed that somebody wasn't paying
attention to what the underlying values of ACL_UPDATE_CHR etc really were,
and there was a great deal of lackadaiscalness in the catalogs.sgml
documentation for pg_policy and pg_policies too.

This doesn't pretend to be a complete code review for the row-security
stuff, it just fixes the things that were in my face while dealing with
the bugs in RelationBuildRowSecurity.
This commit is contained in:
Tom Lane
2015-01-24 16:16:22 -05:00
parent f8a4dd2e14
commit fd496129d1
11 changed files with 245 additions and 240 deletions
Download Patch File Download Diff File Expand all files Collapse all files

234
doc/src/sgml/catalogs.sgml
View File

@@ -218,6 +218,11 @@
<entry>template data for procedural languages</entry>
</row>
<row>
<entry><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link></entry>
<entry>row-security policies</entry>
</row>
<row>
<entry><link linkend="catalog-pg-proc"><structname>pg_proc</structname></link></entry>
<entry>functions and procedures</entry>
@@ -238,11 +243,6 @@
<entry>replication slot information</entry>
</row>
<row>
<entry><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link></entry>
<entry>table policies</entry>
</row>
<row>
<entry><link linkend="catalog-pg-seclabel"><structname>pg_seclabel</structname></link></entry>
<entry>security labels on database objects</entry>
@@ -1939,16 +1939,6 @@
</entry>
</row>
<row>
<entry><structfield>relrowsecurity</structfield></entry>
<entry><type>bool</type></entry>
<entry></entry>
<entry>
True if table has row level security enabled; see
<link linkend="catalog-pg-policy"><structname>pg_policy</structname></link> catalog
</entry>
</row>
<row>
<entry><structfield>relhassubclass</structfield></entry>
<entry><type>bool</type></entry>
@@ -1956,6 +1946,16 @@
<entry>True if table has (or once had) any inheritance children</entry>
</row>
<row>
<entry><structfield>relrowsecurity</structfield></entry>
<entry><type>bool</type></entry>
<entry></entry>
<entry>
True if table has row-level security enabled; see
<link linkend="catalog-pg-policy"><structname>pg_policy</structname></link> catalog
</entry>
</row>
<row>
<entry><structfield>relispopulated</structfield></entry>
<entry><type>bool</type></entry>
@@ -4711,6 +4711,98 @@
</sect1>
<sect1 id="catalog-pg-policy">
<title><structname>pg_policy</structname></title>
<indexterm zone="catalog-pg-policy">
<primary>pg_policy</primary>
</indexterm>
<para>
The catalog <structname>pg_policy</structname> stores row-level
security policies for tables. A policy includes the kind of
command that it applies to (possibly all commands), the roles that it
applies to, the expression to be added as a security-barrier
qualification to queries that include the table, and the expression
to be added as a <literal>WITH CHECK</> option for queries that attempt to
add new records to the table.
</para>
<table>
<title><structname>pg_policy</structname> Columns</title>
<tgroup cols="4">
<thead>
<row>
<entry>Name</entry>
<entry>Type</entry>
<entry>References</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><structfield>polname</structfield></entry>
<entry><type>name</type></entry>
<entry></entry>
<entry>The name of the policy</entry>
</row>
<row>
<entry><structfield>polrelid</structfield></entry>
<entry><type>oid</type></entry>
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
<entry>The table to which the policy applies</entry>
</row>
<row>
<entry><structfield>polcmd</structfield></entry>
<entry><type>char</type></entry>
<entry></entry>
<entry>The command type to which the policy is applied:
<literal>r</> for <command>SELECT</>,
<literal>a</> for <command>INSERT</>,
<literal>w</> for <command>UPDATE</>,
<literal>d</> for <command>DELETE</>,
or <literal>*</> for all</entry>
</row>
<row>
<entry><structfield>polroles</structfield></entry>
<entry><type>oid[]</type></entry>
<entry><literal><link linkend="catalog-pg-authid"><structname>pg_authid</structname></link>.oid</literal></entry>
<entry>The roles to which the policy is applied</entry>
</row>
<row>
<entry><structfield>polqual</structfield></entry>
<entry><type>pg_node_tree</type></entry>
<entry></entry>
<entry>The expression tree to be added to the security barrier qualifications for queries that use the table</entry>
</row>
<row>
<entry><structfield>polwithcheck</structfield></entry>
<entry><type>pg_node_tree</type></entry>
<entry></entry>
<entry>The expression tree to be added to the WITH CHECK qualifications for queries that attempt to add rows to the table</entry>
</row>
</tbody>
</tgroup>
</table>
<note>
<para>
Policies stored in <structname>pg_policy</> are applied only when
<structname>pg_class</>.<structfield>relrowsecurity</> is set for
their table.
</para>
</note>
</sect1>
<sect1 id="catalog-pg-proc">
<title><structname>pg_proc</structname></title>
@@ -5342,94 +5434,6 @@
</table>
</sect1>
<sect1 id="catalog-pg-policy">
<title><structname>pg_policy</structname></title>
<indexterm zone="catalog-pg-policy">
<primary>pg_policy</primary>
</indexterm>
<para>
The catalog <structname>pg_policy</structname> stores row-level
security policies for each table. A policy includes the kind of
command which it applies to (or all commands), the roles which it
applies to, the expression to be added as a security-barrier
qualification to queries which include the table and the expression
to be added as a with-check option for queries which attempt to add
new records to the table.
</para>
<table>
<title><structname>pg_policy</structname> Columns</title>
<tgroup cols="4">
<thead>
<row>
<entry>Name</entry>
<entry>Type</entry>
<entry>References</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><structfield>polname</structfield></entry>
<entry><type>name</type></entry>
<entry></entry>
<entry>The name of the policy</entry>
</row>
<row>
<entry><structfield>polrelid</structfield></entry>
<entry><type>oid</type></entry>
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
<entry>The table to which the policy belongs</entry>
</row>
<row>
<entry><structfield>polcmd</structfield></entry>
<entry><type>char</type></entry>
<entry></entry>
<entry>The command type to which the policy is applied.</entry>
</row>
<row>
<entry><structfield>polroles</structfield></entry>
<entry><type>char</type></entry>
<entry></entry>
<entry>The roles to which the policy is applied.</entry>
</row>
<row>
<entry><structfield>polqual</structfield></entry>
<entry><type>pg_node_tree</type></entry>
<entry></entry>
<entry>The expression tree to be added to the security barrier qualifications for queries which use the table.</entry>
</row>
<row>
<entry><structfield>polwithcheck</structfield></entry>
<entry><type>pg_node_tree</type></entry>
<entry></entry>
<entry>The expression tree to be added to the with check qualifications for queries which attempt to add rows to the table.</entry>
</row>
</tbody>
</tgroup>
</table>
<note>
<para>
<literal>pg_class.relrowsecurity</literal>
True if the table has row security enabled. Policies will not be applied
unless row security is enabled on the table.
</para>
</note>
</sect1>
<sect1 id="catalog-pg-seclabel">
<title><structname>pg_seclabel</structname></title>
@@ -8166,7 +8170,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<para>
The view <structname>pg_policies</structname> provides access to
useful information about each policy in the database.
useful information about each row-level security policy in the database.
</para>
<table>
@@ -8197,34 +8201,34 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<row>
<entry><structfield>policyname</structfield></entry>
<entry><type>name</type></entry>
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.relname</literal></entry>
<entry><literal><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link>.polname</literal></entry>
<entry>Name of policy</entry>
</row>
<row>
<entry><structfield>cmd</structfield></entry>
<entry><type>text</type></entry>
<entry></entry>
<entry>The command type to which the policy is applied.</entry>
</row>
<row>
<entry><structfield>roles</structfield></entry>
<entry><type>name[]</type></entry>
<entry></entry>
<entry>The roles to which this policy applies.</entry>
<entry>The roles to which this policy applies</entry>
</row>
<row>
<entry><structfield>cmd</structfield></entry>
<entry><type>text</type></entry>
<entry></entry>
<entry>The command type to which the policy is applied</entry>
</row>
<row>
<entry><structfield>qual</structfield></entry>
<entry><type>text</type></entry>
<entry></entry>
<entry>The expression added to the security barrier qualifications for
queries which this policy applies to.</entry>
queries that this policy applies to</entry>
</row>
<row>
<entry><structfield>with_check</structfield></entry>
<entry><type>text</type></entry>
<entry></entry>
<entry>The expression added to the with check qualifications for
queries which attempt to add rows to this table.</entry>
<entry>The expression added to the WITH CHECK qualifications for
queries that attempt to add rows to this table</entry>
</row>
</tbody>
</tgroup>