mirror of
https://github.com/postgres/postgres.git
synced 2025-12-19 17:02:53 +03:00
bf379b555c
We have long disallowed all forms of ALTER TABLE if the table is
already opened by some outer SQL command in the same session.
This has the same purpose as obtaining AccessExclusiveLock, but
since a session's own locks don't conflict the lock only blocks use
of the table by other sessions, not our own. Without this check,
the ALTER might confuse the outer SQL command since any previous
inspection of the table would potentially become invalid.
However, the RelisBecomingView code path in DefineQueryRewrite never
got that memo, and assumed that AccessExclusiveLock is sufficient
for performing something morally equivalent to a rather invasive
ALTER TABLE. Unsurprisingly, this can confuse an outer command
that is trying to do something with the table.
This was submitted as a security issue, but the security team
has been unable to identify any consequence worse than a null
pointer dereference (from trying to access rd_tableam methods
that the relation no longer has). Therefore, in accordance
with our usual policy, it's not security material and should
just be fixed as a routine bug.
Fix by disallowing the operation if the table is open locally,
exactly as ALTER TABLE does it.
Per an anonymous security researcher, via Bundesamt für Sicherheit
in der Informationstechnik.
Patch v12-v15 only. In v16 and later, we removed this code
altogether (cf. commit b23cd185f), so that there's no issue.
1057 lines
33 KiB
C
1057 lines
33 KiB
C
/*-------------------------------------------------------------------------
|
|
*
|
|
* rewriteDefine.c
|
|
* routines for defining a rewrite rule
|
|
*
|
|
* Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
*
|
|
*
|
|
* IDENTIFICATION
|
|
* src/backend/rewrite/rewriteDefine.c
|
|
*
|
|
*-------------------------------------------------------------------------
|
|
*/
|
|
#include "postgres.h"
|
|
|
|
#include "access/heapam.h"
|
|
#include "access/htup_details.h"
|
|
#include "access/multixact.h"
|
|
#include "access/tableam.h"
|
|
#include "access/transam.h"
|
|
#include "access/xact.h"
|
|
#include "catalog/catalog.h"
|
|
#include "catalog/dependency.h"
|
|
#include "catalog/heap.h"
|
|
#include "catalog/namespace.h"
|
|
#include "catalog/objectaccess.h"
|
|
#include "catalog/pg_inherits.h"
|
|
#include "catalog/pg_rewrite.h"
|
|
#include "catalog/storage.h"
|
|
#include "commands/policy.h"
|
|
#include "commands/tablecmds.h"
|
|
#include "miscadmin.h"
|
|
#include "nodes/nodeFuncs.h"
|
|
#include "parser/parse_utilcmd.h"
|
|
#include "rewrite/rewriteDefine.h"
|
|
#include "rewrite/rewriteManip.h"
|
|
#include "rewrite/rewriteSupport.h"
|
|
#include "utils/acl.h"
|
|
#include "utils/builtins.h"
|
|
#include "utils/inval.h"
|
|
#include "utils/lsyscache.h"
|
|
#include "utils/rel.h"
|
|
#include "utils/snapmgr.h"
|
|
#include "utils/syscache.h"
|
|
|
|
|
|
static void checkRuleResultList(List *targetList, TupleDesc resultDesc,
|
|
bool isSelect, bool requireColumnNameMatch);
|
|
static bool setRuleCheckAsUser_walker(Node *node, Oid *context);
|
|
static void setRuleCheckAsUser_Query(Query *qry, Oid userid);
|
|
|
|
|
|
/*
|
|
* InsertRule -
|
|
* takes the arguments and inserts them as a row into the system
|
|
* relation "pg_rewrite"
|
|
*/
|
|
static Oid
|
|
InsertRule(const char *rulname,
|
|
int evtype,
|
|
Oid eventrel_oid,
|
|
bool evinstead,
|
|
Node *event_qual,
|
|
List *action,
|
|
bool replace)
|
|
{
|
|
char *evqual = nodeToString(event_qual);
|
|
char *actiontree = nodeToString((Node *) action);
|
|
Datum values[Natts_pg_rewrite];
|
|
bool nulls[Natts_pg_rewrite];
|
|
bool replaces[Natts_pg_rewrite];
|
|
NameData rname;
|
|
Relation pg_rewrite_desc;
|
|
HeapTuple tup,
|
|
oldtup;
|
|
Oid rewriteObjectId;
|
|
ObjectAddress myself,
|
|
referenced;
|
|
bool is_update = false;
|
|
|
|
/*
|
|
* Set up *nulls and *values arrays
|
|
*/
|
|
MemSet(nulls, false, sizeof(nulls));
|
|
|
|
namestrcpy(&rname, rulname);
|
|
values[Anum_pg_rewrite_rulename - 1] = NameGetDatum(&rname);
|
|
values[Anum_pg_rewrite_ev_class - 1] = ObjectIdGetDatum(eventrel_oid);
|
|
values[Anum_pg_rewrite_ev_type - 1] = CharGetDatum(evtype + '0');
|
|
values[Anum_pg_rewrite_ev_enabled - 1] = CharGetDatum(RULE_FIRES_ON_ORIGIN);
|
|
values[Anum_pg_rewrite_is_instead - 1] = BoolGetDatum(evinstead);
|
|
values[Anum_pg_rewrite_ev_qual - 1] = CStringGetTextDatum(evqual);
|
|
values[Anum_pg_rewrite_ev_action - 1] = CStringGetTextDatum(actiontree);
|
|
|
|
/*
|
|
* Ready to store new pg_rewrite tuple
|
|
*/
|
|
pg_rewrite_desc = table_open(RewriteRelationId, RowExclusiveLock);
|
|
|
|
/*
|
|
* Check to see if we are replacing an existing tuple
|
|
*/
|
|
oldtup = SearchSysCache2(RULERELNAME,
|
|
ObjectIdGetDatum(eventrel_oid),
|
|
PointerGetDatum(rulname));
|
|
|
|
if (HeapTupleIsValid(oldtup))
|
|
{
|
|
if (!replace)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_DUPLICATE_OBJECT),
|
|
errmsg("rule \"%s\" for relation \"%s\" already exists",
|
|
rulname, get_rel_name(eventrel_oid))));
|
|
|
|
/*
|
|
* When replacing, we don't need to replace every attribute
|
|
*/
|
|
MemSet(replaces, false, sizeof(replaces));
|
|
replaces[Anum_pg_rewrite_ev_type - 1] = true;
|
|
replaces[Anum_pg_rewrite_is_instead - 1] = true;
|
|
replaces[Anum_pg_rewrite_ev_qual - 1] = true;
|
|
replaces[Anum_pg_rewrite_ev_action - 1] = true;
|
|
|
|
tup = heap_modify_tuple(oldtup, RelationGetDescr(pg_rewrite_desc),
|
|
values, nulls, replaces);
|
|
|
|
CatalogTupleUpdate(pg_rewrite_desc, &tup->t_self, tup);
|
|
|
|
ReleaseSysCache(oldtup);
|
|
|
|
rewriteObjectId = ((Form_pg_rewrite) GETSTRUCT(tup))->oid;
|
|
is_update = true;
|
|
}
|
|
else
|
|
{
|
|
rewriteObjectId = GetNewOidWithIndex(pg_rewrite_desc,
|
|
RewriteOidIndexId,
|
|
Anum_pg_rewrite_oid);
|
|
values[Anum_pg_rewrite_oid - 1] = ObjectIdGetDatum(rewriteObjectId);
|
|
|
|
tup = heap_form_tuple(pg_rewrite_desc->rd_att, values, nulls);
|
|
|
|
CatalogTupleInsert(pg_rewrite_desc, tup);
|
|
}
|
|
|
|
|
|
heap_freetuple(tup);
|
|
|
|
/* If replacing, get rid of old dependencies and make new ones */
|
|
if (is_update)
|
|
deleteDependencyRecordsFor(RewriteRelationId, rewriteObjectId, false);
|
|
|
|
/*
|
|
* Install dependency on rule's relation to ensure it will go away on
|
|
* relation deletion. If the rule is ON SELECT, make the dependency
|
|
* implicit --- this prevents deleting a view's SELECT rule. Other kinds
|
|
* of rules can be AUTO.
|
|
*/
|
|
myself.classId = RewriteRelationId;
|
|
myself.objectId = rewriteObjectId;
|
|
myself.objectSubId = 0;
|
|
|
|
referenced.classId = RelationRelationId;
|
|
referenced.objectId = eventrel_oid;
|
|
referenced.objectSubId = 0;
|
|
|
|
recordDependencyOn(&myself, &referenced,
|
|
(evtype == CMD_SELECT) ? DEPENDENCY_INTERNAL : DEPENDENCY_AUTO);
|
|
|
|
/*
|
|
* Also install dependencies on objects referenced in action and qual.
|
|
*/
|
|
recordDependencyOnExpr(&myself, (Node *) action, NIL,
|
|
DEPENDENCY_NORMAL);
|
|
|
|
if (event_qual != NULL)
|
|
{
|
|
/* Find query containing OLD/NEW rtable entries */
|
|
Query *qry = linitial_node(Query, action);
|
|
|
|
qry = getInsertSelectQuery(qry, NULL);
|
|
recordDependencyOnExpr(&myself, event_qual, qry->rtable,
|
|
DEPENDENCY_NORMAL);
|
|
}
|
|
|
|
/* Post creation hook for new rule */
|
|
InvokeObjectPostCreateHook(RewriteRelationId, rewriteObjectId, 0);
|
|
|
|
table_close(pg_rewrite_desc, RowExclusiveLock);
|
|
|
|
return rewriteObjectId;
|
|
}
|
|
|
|
/*
|
|
* DefineRule
|
|
* Execute a CREATE RULE command.
|
|
*/
|
|
ObjectAddress
|
|
DefineRule(RuleStmt *stmt, const char *queryString)
|
|
{
|
|
List *actions;
|
|
Node *whereClause;
|
|
Oid relId;
|
|
|
|
/* Parse analysis. */
|
|
transformRuleStmt(stmt, queryString, &actions, &whereClause);
|
|
|
|
/*
|
|
* Find and lock the relation. Lock level should match
|
|
* DefineQueryRewrite.
|
|
*/
|
|
relId = RangeVarGetRelid(stmt->relation, AccessExclusiveLock, false);
|
|
|
|
/* ... and execute */
|
|
return DefineQueryRewrite(stmt->rulename,
|
|
relId,
|
|
whereClause,
|
|
stmt->event,
|
|
stmt->instead,
|
|
stmt->replace,
|
|
actions);
|
|
}
|
|
|
|
|
|
/*
|
|
* DefineQueryRewrite
|
|
* Create a rule
|
|
*
|
|
* This is essentially the same as DefineRule() except that the rule's
|
|
* action and qual have already been passed through parse analysis.
|
|
*/
|
|
ObjectAddress
|
|
DefineQueryRewrite(const char *rulename,
|
|
Oid event_relid,
|
|
Node *event_qual,
|
|
CmdType event_type,
|
|
bool is_instead,
|
|
bool replace,
|
|
List *action)
|
|
{
|
|
Relation event_relation;
|
|
ListCell *l;
|
|
Query *query;
|
|
bool RelisBecomingView = false;
|
|
Oid ruleId = InvalidOid;
|
|
ObjectAddress address;
|
|
|
|
/*
|
|
* If we are installing an ON SELECT rule, we had better grab
|
|
* AccessExclusiveLock to ensure no SELECTs are currently running on the
|
|
* event relation. For other types of rules, it would be sufficient to
|
|
* grab ShareRowExclusiveLock to lock out insert/update/delete actions and
|
|
* to ensure that we lock out current CREATE RULE statements; but because
|
|
* of race conditions in access to catalog entries, we can't do that yet.
|
|
*
|
|
* Note that this lock level should match the one used in DefineRule.
|
|
*/
|
|
event_relation = table_open(event_relid, AccessExclusiveLock);
|
|
|
|
/*
|
|
* Verify relation is of a type that rules can sensibly be applied to.
|
|
* Internal callers can target materialized views, but transformRuleStmt()
|
|
* blocks them for users. Don't mention them in the error message.
|
|
*/
|
|
if (event_relation->rd_rel->relkind != RELKIND_RELATION &&
|
|
event_relation->rd_rel->relkind != RELKIND_MATVIEW &&
|
|
event_relation->rd_rel->relkind != RELKIND_VIEW &&
|
|
event_relation->rd_rel->relkind != RELKIND_PARTITIONED_TABLE)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
|
|
errmsg("relation \"%s\" cannot have rules",
|
|
RelationGetRelationName(event_relation)),
|
|
errdetail_relkind_not_supported(event_relation->rd_rel->relkind)));
|
|
|
|
if (!allowSystemTableMods && IsSystemRelation(event_relation))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
errmsg("permission denied: \"%s\" is a system catalog",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
/*
|
|
* Check user has permission to apply rules to this relation.
|
|
*/
|
|
if (!pg_class_ownercheck(event_relid, GetUserId()))
|
|
aclcheck_error(ACLCHECK_NOT_OWNER, get_relkind_objtype(event_relation->rd_rel->relkind),
|
|
RelationGetRelationName(event_relation));
|
|
|
|
/*
|
|
* No rule actions that modify OLD or NEW
|
|
*/
|
|
foreach(l, action)
|
|
{
|
|
query = lfirst_node(Query, l);
|
|
if (query->resultRelation == 0)
|
|
continue;
|
|
/* Don't be fooled by INSERT/SELECT */
|
|
if (query != getInsertSelectQuery(query, NULL))
|
|
continue;
|
|
if (query->resultRelation == PRS2_OLD_VARNO)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("rule actions on OLD are not implemented"),
|
|
errhint("Use views or triggers instead.")));
|
|
if (query->resultRelation == PRS2_NEW_VARNO)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("rule actions on NEW are not implemented"),
|
|
errhint("Use triggers instead.")));
|
|
}
|
|
|
|
if (event_type == CMD_SELECT)
|
|
{
|
|
/*
|
|
* Rules ON SELECT are restricted to view definitions
|
|
*
|
|
* So there cannot be INSTEAD NOTHING, ...
|
|
*/
|
|
if (list_length(action) == 0)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("INSTEAD NOTHING rules on SELECT are not implemented"),
|
|
errhint("Use views instead.")));
|
|
|
|
/*
|
|
* ... there cannot be multiple actions, ...
|
|
*/
|
|
if (list_length(action) > 1)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("multiple actions for rules on SELECT are not implemented")));
|
|
|
|
/*
|
|
* ... the one action must be a SELECT, ...
|
|
*/
|
|
query = linitial_node(Query, action);
|
|
if (!is_instead ||
|
|
query->commandType != CMD_SELECT)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("rules on SELECT must have action INSTEAD SELECT")));
|
|
|
|
/*
|
|
* ... it cannot contain data-modifying WITH ...
|
|
*/
|
|
if (query->hasModifyingCTE)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("rules on SELECT must not contain data-modifying statements in WITH")));
|
|
|
|
/*
|
|
* ... there can be no rule qual, ...
|
|
*/
|
|
if (event_qual != NULL)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("event qualifications are not implemented for rules on SELECT")));
|
|
|
|
/*
|
|
* ... the targetlist of the SELECT action must exactly match the
|
|
* event relation, ...
|
|
*/
|
|
checkRuleResultList(query->targetList,
|
|
RelationGetDescr(event_relation),
|
|
true,
|
|
event_relation->rd_rel->relkind !=
|
|
RELKIND_MATVIEW);
|
|
|
|
/*
|
|
* ... there must not be another ON SELECT rule already ...
|
|
*/
|
|
if (!replace && event_relation->rd_rules != NULL)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < event_relation->rd_rules->numLocks; i++)
|
|
{
|
|
RewriteRule *rule;
|
|
|
|
rule = event_relation->rd_rules->rules[i];
|
|
if (rule->event == CMD_SELECT)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("\"%s\" is already a view",
|
|
RelationGetRelationName(event_relation))));
|
|
}
|
|
}
|
|
|
|
/*
|
|
* ... and finally the rule must be named _RETURN.
|
|
*/
|
|
if (strcmp(rulename, ViewSelectRuleName) != 0)
|
|
{
|
|
/*
|
|
* In versions before 7.3, the expected name was _RETviewname. For
|
|
* backwards compatibility with old pg_dump output, accept that
|
|
* and silently change it to _RETURN. Since this is just a quick
|
|
* backwards-compatibility hack, limit the number of characters
|
|
* checked to a few less than NAMEDATALEN; this saves having to
|
|
* worry about where a multibyte character might have gotten
|
|
* truncated.
|
|
*/
|
|
if (strncmp(rulename, "_RET", 4) != 0 ||
|
|
strncmp(rulename + 4, RelationGetRelationName(event_relation),
|
|
NAMEDATALEN - 4 - 4) != 0)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
errmsg("view rule for \"%s\" must be named \"%s\"",
|
|
RelationGetRelationName(event_relation),
|
|
ViewSelectRuleName)));
|
|
rulename = pstrdup(ViewSelectRuleName);
|
|
}
|
|
|
|
/*
|
|
* Are we converting a relation to a view?
|
|
*
|
|
* If so, check that the relation is empty because the storage for the
|
|
* relation is going to be deleted. Also insist that the rel not be
|
|
* involved in partitioning, nor have any triggers, indexes, child or
|
|
* parent tables, RLS policies, or RLS enabled. (Note: some of these
|
|
* tests are too strict, because they will reject relations that once
|
|
* had such but don't anymore. But we don't really care, because this
|
|
* whole business of converting relations to views is just an obsolete
|
|
* kluge to allow dump/reload of views that participate in circular
|
|
* dependencies.)
|
|
*
|
|
* Also ensure the relation isn't being manipulated in any outer SQL
|
|
* command of our own session.
|
|
*/
|
|
if (event_relation->rd_rel->relkind != RELKIND_VIEW &&
|
|
event_relation->rd_rel->relkind != RELKIND_MATVIEW)
|
|
{
|
|
TableScanDesc scanDesc;
|
|
Snapshot snapshot;
|
|
TupleTableSlot *slot;
|
|
|
|
CheckTableNotInUse(event_relation, "CREATE RULE");
|
|
|
|
if (event_relation->rd_rel->relkind == RELKIND_PARTITIONED_TABLE)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
|
|
errmsg("cannot convert partitioned table \"%s\" to a view",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
/* only case left: */
|
|
Assert(event_relation->rd_rel->relkind == RELKIND_RELATION);
|
|
|
|
if (event_relation->rd_rel->relispartition)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
|
|
errmsg("cannot convert partition \"%s\" to a view",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
snapshot = RegisterSnapshot(GetLatestSnapshot());
|
|
scanDesc = table_beginscan(event_relation, snapshot, 0, NULL);
|
|
slot = table_slot_create(event_relation, NULL);
|
|
if (table_scan_getnextslot(scanDesc, ForwardScanDirection, slot))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("could not convert table \"%s\" to a view because it is not empty",
|
|
RelationGetRelationName(event_relation))));
|
|
ExecDropSingleTupleTableSlot(slot);
|
|
table_endscan(scanDesc);
|
|
UnregisterSnapshot(snapshot);
|
|
|
|
if (event_relation->rd_rel->relhastriggers)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("could not convert table \"%s\" to a view because it has triggers",
|
|
RelationGetRelationName(event_relation)),
|
|
errhint("In particular, the table cannot be involved in any foreign key relationships.")));
|
|
|
|
if (event_relation->rd_rel->relhasindex)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("could not convert table \"%s\" to a view because it has indexes",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
if (event_relation->rd_rel->relhassubclass)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("could not convert table \"%s\" to a view because it has child tables",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
if (has_superclass(RelationGetRelid(event_relation)))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("could not convert table \"%s\" to a view because it has parent tables",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
if (event_relation->rd_rel->relrowsecurity)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("could not convert table \"%s\" to a view because it has row security enabled",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
if (relation_has_policies(event_relation))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
errmsg("could not convert table \"%s\" to a view because it has row security policies",
|
|
RelationGetRelationName(event_relation))));
|
|
|
|
RelisBecomingView = true;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
/*
|
|
* For non-SELECT rules, a RETURNING list can appear in at most one of
|
|
* the actions ... and there can't be any RETURNING list at all in a
|
|
* conditional or non-INSTEAD rule. (Actually, there can be at most
|
|
* one RETURNING list across all rules on the same event, but it seems
|
|
* best to enforce that at rule expansion time.) If there is a
|
|
* RETURNING list, it must match the event relation.
|
|
*/
|
|
bool haveReturning = false;
|
|
|
|
foreach(l, action)
|
|
{
|
|
query = lfirst_node(Query, l);
|
|
|
|
if (!query->returningList)
|
|
continue;
|
|
if (haveReturning)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("cannot have multiple RETURNING lists in a rule")));
|
|
haveReturning = true;
|
|
if (event_qual != NULL)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("RETURNING lists are not supported in conditional rules")));
|
|
if (!is_instead)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
errmsg("RETURNING lists are not supported in non-INSTEAD rules")));
|
|
checkRuleResultList(query->returningList,
|
|
RelationGetDescr(event_relation),
|
|
false, false);
|
|
}
|
|
|
|
/*
|
|
* And finally, if it's not an ON SELECT rule then it must *not* be
|
|
* named _RETURN. This prevents accidentally or maliciously replacing
|
|
* a view's ON SELECT rule with some other kind of rule.
|
|
*/
|
|
if (strcmp(rulename, ViewSelectRuleName) == 0)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
errmsg("non-view rule for \"%s\" must not be named \"%s\"",
|
|
RelationGetRelationName(event_relation),
|
|
ViewSelectRuleName)));
|
|
}
|
|
|
|
/*
|
|
* This rule is allowed - prepare to install it.
|
|
*/
|
|
|
|
/* discard rule if it's null action and not INSTEAD; it's a no-op */
|
|
if (action != NIL || is_instead)
|
|
{
|
|
ruleId = InsertRule(rulename,
|
|
event_type,
|
|
event_relid,
|
|
is_instead,
|
|
event_qual,
|
|
action,
|
|
replace);
|
|
|
|
/*
|
|
* Set pg_class 'relhasrules' field true for event relation.
|
|
*
|
|
* Important side effect: an SI notice is broadcast to force all
|
|
* backends (including me!) to update relcache entries with the new
|
|
* rule.
|
|
*/
|
|
SetRelationRuleStatus(event_relid, true);
|
|
}
|
|
|
|
/* ---------------------------------------------------------------------
|
|
* If the relation is becoming a view:
|
|
* - delete the associated storage files
|
|
* - get rid of any system attributes in pg_attribute; a view shouldn't
|
|
* have any of those
|
|
* - remove the toast table; there is no need for it anymore, and its
|
|
* presence would make vacuum slightly more complicated
|
|
* - set relkind to RELKIND_VIEW, and adjust other pg_class fields
|
|
* to be appropriate for a view
|
|
*
|
|
* NB: we had better have AccessExclusiveLock to do this ...
|
|
* ---------------------------------------------------------------------
|
|
*/
|
|
if (RelisBecomingView)
|
|
{
|
|
Relation relationRelation;
|
|
Oid toastrelid;
|
|
HeapTuple classTup;
|
|
Form_pg_class classForm;
|
|
|
|
relationRelation = table_open(RelationRelationId, RowExclusiveLock);
|
|
toastrelid = event_relation->rd_rel->reltoastrelid;
|
|
|
|
/* drop storage while table still looks like a table */
|
|
RelationDropStorage(event_relation);
|
|
DeleteSystemAttributeTuples(event_relid);
|
|
|
|
/*
|
|
* Drop the toast table if any. (This won't take care of updating the
|
|
* toast fields in the relation's own pg_class entry; we handle that
|
|
* below.)
|
|
*/
|
|
if (OidIsValid(toastrelid))
|
|
{
|
|
ObjectAddress toastobject;
|
|
|
|
/*
|
|
* Delete the dependency of the toast relation on the main
|
|
* relation so we can drop the former without dropping the latter.
|
|
*/
|
|
deleteDependencyRecordsFor(RelationRelationId, toastrelid,
|
|
false);
|
|
|
|
/* Make deletion of dependency record visible */
|
|
CommandCounterIncrement();
|
|
|
|
/* Now drop toast table, including its index */
|
|
toastobject.classId = RelationRelationId;
|
|
toastobject.objectId = toastrelid;
|
|
toastobject.objectSubId = 0;
|
|
performDeletion(&toastobject, DROP_RESTRICT,
|
|
PERFORM_DELETION_INTERNAL);
|
|
}
|
|
|
|
/*
|
|
* SetRelationRuleStatus may have updated the pg_class row, so we must
|
|
* advance the command counter before trying to update it again.
|
|
*/
|
|
CommandCounterIncrement();
|
|
|
|
/*
|
|
* Fix pg_class entry to look like a normal view's, including setting
|
|
* the correct relkind and removal of reltoastrelid of the toast table
|
|
* we potentially removed above.
|
|
*/
|
|
classTup = SearchSysCacheCopy1(RELOID, ObjectIdGetDatum(event_relid));
|
|
if (!HeapTupleIsValid(classTup))
|
|
elog(ERROR, "cache lookup failed for relation %u", event_relid);
|
|
classForm = (Form_pg_class) GETSTRUCT(classTup);
|
|
|
|
classForm->relam = InvalidOid;
|
|
classForm->reltablespace = InvalidOid;
|
|
classForm->relpages = 0;
|
|
classForm->reltuples = -1;
|
|
classForm->relallvisible = 0;
|
|
classForm->reltoastrelid = InvalidOid;
|
|
classForm->relhasindex = false;
|
|
classForm->relkind = RELKIND_VIEW;
|
|
classForm->relfrozenxid = InvalidTransactionId;
|
|
classForm->relminmxid = InvalidMultiXactId;
|
|
classForm->relreplident = REPLICA_IDENTITY_NOTHING;
|
|
|
|
CatalogTupleUpdate(relationRelation, &classTup->t_self, classTup);
|
|
|
|
heap_freetuple(classTup);
|
|
table_close(relationRelation, RowExclusiveLock);
|
|
}
|
|
|
|
ObjectAddressSet(address, RewriteRelationId, ruleId);
|
|
|
|
/* Close rel, but keep lock till commit... */
|
|
table_close(event_relation, NoLock);
|
|
|
|
return address;
|
|
}
|
|
|
|
/*
|
|
* checkRuleResultList
|
|
* Verify that targetList produces output compatible with a tupledesc
|
|
*
|
|
* The targetList might be either a SELECT targetlist, or a RETURNING list;
|
|
* isSelect tells which. This is used for choosing error messages.
|
|
*
|
|
* A SELECT targetlist may optionally require that column names match.
|
|
*/
|
|
static void
|
|
checkRuleResultList(List *targetList, TupleDesc resultDesc, bool isSelect,
|
|
bool requireColumnNameMatch)
|
|
{
|
|
ListCell *tllist;
|
|
int i;
|
|
|
|
/* Only a SELECT may require a column name match. */
|
|
Assert(isSelect || !requireColumnNameMatch);
|
|
|
|
i = 0;
|
|
foreach(tllist, targetList)
|
|
{
|
|
TargetEntry *tle = (TargetEntry *) lfirst(tllist);
|
|
Oid tletypid;
|
|
int32 tletypmod;
|
|
Form_pg_attribute attr;
|
|
char *attname;
|
|
|
|
/* resjunk entries may be ignored */
|
|
if (tle->resjunk)
|
|
continue;
|
|
i++;
|
|
if (i > resultDesc->natts)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
isSelect ?
|
|
errmsg("SELECT rule's target list has too many entries") :
|
|
errmsg("RETURNING list has too many entries")));
|
|
|
|
attr = TupleDescAttr(resultDesc, i - 1);
|
|
attname = NameStr(attr->attname);
|
|
|
|
/*
|
|
* Disallow dropped columns in the relation. This is not really
|
|
* expected to happen when creating an ON SELECT rule. It'd be
|
|
* possible if someone tried to convert a relation with dropped
|
|
* columns to a view, but the only case we care about supporting
|
|
* table-to-view conversion for is pg_dump, and pg_dump won't do that.
|
|
*
|
|
* Unfortunately, the situation is also possible when adding a rule
|
|
* with RETURNING to a regular table, and rejecting that case is
|
|
* altogether more annoying. In principle we could support it by
|
|
* modifying the targetlist to include dummy NULL columns
|
|
* corresponding to the dropped columns in the tupdesc. However,
|
|
* places like ruleutils.c would have to be fixed to not process such
|
|
* entries, and that would take an uncertain and possibly rather large
|
|
* amount of work. (Note we could not dodge that by marking the dummy
|
|
* columns resjunk, since it's precisely the non-resjunk tlist columns
|
|
* that are expected to correspond to table columns.)
|
|
*/
|
|
if (attr->attisdropped)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
isSelect ?
|
|
errmsg("cannot convert relation containing dropped columns to view") :
|
|
errmsg("cannot create a RETURNING list for a relation containing dropped columns")));
|
|
|
|
/* Check name match if required; no need for two error texts here */
|
|
if (requireColumnNameMatch && strcmp(tle->resname, attname) != 0)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
errmsg("SELECT rule's target entry %d has different column name from column \"%s\"",
|
|
i, attname),
|
|
errdetail("SELECT target entry is named \"%s\".",
|
|
tle->resname)));
|
|
|
|
/* Check type match. */
|
|
tletypid = exprType((Node *) tle->expr);
|
|
if (attr->atttypid != tletypid)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
isSelect ?
|
|
errmsg("SELECT rule's target entry %d has different type from column \"%s\"",
|
|
i, attname) :
|
|
errmsg("RETURNING list's entry %d has different type from column \"%s\"",
|
|
i, attname),
|
|
isSelect ?
|
|
errdetail("SELECT target entry has type %s, but column has type %s.",
|
|
format_type_be(tletypid),
|
|
format_type_be(attr->atttypid)) :
|
|
errdetail("RETURNING list entry has type %s, but column has type %s.",
|
|
format_type_be(tletypid),
|
|
format_type_be(attr->atttypid))));
|
|
|
|
/*
|
|
* Allow typmods to be different only if one of them is -1, ie,
|
|
* "unspecified". This is necessary for cases like "numeric", where
|
|
* the table will have a filled-in default length but the select
|
|
* rule's expression will probably have typmod = -1.
|
|
*/
|
|
tletypmod = exprTypmod((Node *) tle->expr);
|
|
if (attr->atttypmod != tletypmod &&
|
|
attr->atttypmod != -1 && tletypmod != -1)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
isSelect ?
|
|
errmsg("SELECT rule's target entry %d has different size from column \"%s\"",
|
|
i, attname) :
|
|
errmsg("RETURNING list's entry %d has different size from column \"%s\"",
|
|
i, attname),
|
|
isSelect ?
|
|
errdetail("SELECT target entry has type %s, but column has type %s.",
|
|
format_type_with_typemod(tletypid, tletypmod),
|
|
format_type_with_typemod(attr->atttypid,
|
|
attr->atttypmod)) :
|
|
errdetail("RETURNING list entry has type %s, but column has type %s.",
|
|
format_type_with_typemod(tletypid, tletypmod),
|
|
format_type_with_typemod(attr->atttypid,
|
|
attr->atttypmod))));
|
|
}
|
|
|
|
if (i != resultDesc->natts)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
isSelect ?
|
|
errmsg("SELECT rule's target list has too few entries") :
|
|
errmsg("RETURNING list has too few entries")));
|
|
}
|
|
|
|
/*
|
|
* setRuleCheckAsUser
|
|
* Recursively scan a query or expression tree and set the checkAsUser
|
|
* field to the given userid in all rtable entries.
|
|
*
|
|
* Note: for a view (ON SELECT rule), the checkAsUser field of the OLD
|
|
* RTE entry will be overridden when the view rule is expanded, and the
|
|
* checkAsUser field of the NEW entry is irrelevant because that entry's
|
|
* requiredPerms bits will always be zero. However, for other types of rules
|
|
* it's important to set these fields to match the rule owner. So we just set
|
|
* them always.
|
|
*/
|
|
void
|
|
setRuleCheckAsUser(Node *node, Oid userid)
|
|
{
|
|
(void) setRuleCheckAsUser_walker(node, &userid);
|
|
}
|
|
|
|
static bool
|
|
setRuleCheckAsUser_walker(Node *node, Oid *context)
|
|
{
|
|
if (node == NULL)
|
|
return false;
|
|
if (IsA(node, Query))
|
|
{
|
|
setRuleCheckAsUser_Query((Query *) node, *context);
|
|
return false;
|
|
}
|
|
return expression_tree_walker(node, setRuleCheckAsUser_walker,
|
|
(void *) context);
|
|
}
|
|
|
|
static void
|
|
setRuleCheckAsUser_Query(Query *qry, Oid userid)
|
|
{
|
|
ListCell *l;
|
|
|
|
/* Set all the RTEs in this query node */
|
|
foreach(l, qry->rtable)
|
|
{
|
|
RangeTblEntry *rte = (RangeTblEntry *) lfirst(l);
|
|
|
|
if (rte->rtekind == RTE_SUBQUERY)
|
|
{
|
|
/* Recurse into subquery in FROM */
|
|
setRuleCheckAsUser_Query(rte->subquery, userid);
|
|
}
|
|
else
|
|
rte->checkAsUser = userid;
|
|
}
|
|
|
|
/* Recurse into subquery-in-WITH */
|
|
foreach(l, qry->cteList)
|
|
{
|
|
CommonTableExpr *cte = (CommonTableExpr *) lfirst(l);
|
|
|
|
setRuleCheckAsUser_Query(castNode(Query, cte->ctequery), userid);
|
|
}
|
|
|
|
/* If there are sublinks, search for them and process their RTEs */
|
|
if (qry->hasSubLinks)
|
|
query_tree_walker(qry, setRuleCheckAsUser_walker, (void *) &userid,
|
|
QTW_IGNORE_RC_SUBQUERIES);
|
|
}
|
|
|
|
|
|
/*
|
|
* Change the firing semantics of an existing rule.
|
|
*/
|
|
void
|
|
EnableDisableRule(Relation rel, const char *rulename,
|
|
char fires_when)
|
|
{
|
|
Relation pg_rewrite_desc;
|
|
Oid owningRel = RelationGetRelid(rel);
|
|
Oid eventRelationOid;
|
|
HeapTuple ruletup;
|
|
Form_pg_rewrite ruleform;
|
|
bool changed = false;
|
|
|
|
/*
|
|
* Find the rule tuple to change.
|
|
*/
|
|
pg_rewrite_desc = table_open(RewriteRelationId, RowExclusiveLock);
|
|
ruletup = SearchSysCacheCopy2(RULERELNAME,
|
|
ObjectIdGetDatum(owningRel),
|
|
PointerGetDatum(rulename));
|
|
if (!HeapTupleIsValid(ruletup))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_UNDEFINED_OBJECT),
|
|
errmsg("rule \"%s\" for relation \"%s\" does not exist",
|
|
rulename, get_rel_name(owningRel))));
|
|
|
|
ruleform = (Form_pg_rewrite) GETSTRUCT(ruletup);
|
|
|
|
/*
|
|
* Verify that the user has appropriate permissions.
|
|
*/
|
|
eventRelationOid = ruleform->ev_class;
|
|
Assert(eventRelationOid == owningRel);
|
|
if (!pg_class_ownercheck(eventRelationOid, GetUserId()))
|
|
aclcheck_error(ACLCHECK_NOT_OWNER, get_relkind_objtype(get_rel_relkind(eventRelationOid)),
|
|
get_rel_name(eventRelationOid));
|
|
|
|
/*
|
|
* Change ev_enabled if it is different from the desired new state.
|
|
*/
|
|
if (DatumGetChar(ruleform->ev_enabled) !=
|
|
fires_when)
|
|
{
|
|
ruleform->ev_enabled = CharGetDatum(fires_when);
|
|
CatalogTupleUpdate(pg_rewrite_desc, &ruletup->t_self, ruletup);
|
|
|
|
changed = true;
|
|
}
|
|
|
|
InvokeObjectPostAlterHook(RewriteRelationId, ruleform->oid, 0);
|
|
|
|
heap_freetuple(ruletup);
|
|
table_close(pg_rewrite_desc, RowExclusiveLock);
|
|
|
|
/*
|
|
* If we changed anything, broadcast a SI inval message to force each
|
|
* backend (including our own!) to rebuild relation's relcache entry.
|
|
* Otherwise they will fail to apply the change promptly.
|
|
*/
|
|
if (changed)
|
|
CacheInvalidateRelcache(rel);
|
|
}
|
|
|
|
|
|
/*
|
|
* Perform permissions and integrity checks before acquiring a relation lock.
|
|
*/
|
|
static void
|
|
RangeVarCallbackForRenameRule(const RangeVar *rv, Oid relid, Oid oldrelid,
|
|
void *arg)
|
|
{
|
|
HeapTuple tuple;
|
|
Form_pg_class form;
|
|
|
|
tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relid));
|
|
if (!HeapTupleIsValid(tuple))
|
|
return; /* concurrently dropped */
|
|
form = (Form_pg_class) GETSTRUCT(tuple);
|
|
|
|
/* only tables and views can have rules */
|
|
if (form->relkind != RELKIND_RELATION &&
|
|
form->relkind != RELKIND_VIEW &&
|
|
form->relkind != RELKIND_PARTITIONED_TABLE)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
|
|
errmsg("relation \"%s\" cannot have rules", rv->relname),
|
|
errdetail_relkind_not_supported(form->relkind)));
|
|
|
|
if (!allowSystemTableMods && IsSystemClass(relid, form))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
errmsg("permission denied: \"%s\" is a system catalog",
|
|
rv->relname)));
|
|
|
|
/* you must own the table to rename one of its rules */
|
|
if (!pg_class_ownercheck(relid, GetUserId()))
|
|
aclcheck_error(ACLCHECK_NOT_OWNER, get_relkind_objtype(get_rel_relkind(relid)), rv->relname);
|
|
|
|
ReleaseSysCache(tuple);
|
|
}
|
|
|
|
/*
|
|
* Rename an existing rewrite rule.
|
|
*/
|
|
ObjectAddress
|
|
RenameRewriteRule(RangeVar *relation, const char *oldName,
|
|
const char *newName)
|
|
{
|
|
Oid relid;
|
|
Relation targetrel;
|
|
Relation pg_rewrite_desc;
|
|
HeapTuple ruletup;
|
|
Form_pg_rewrite ruleform;
|
|
Oid ruleOid;
|
|
ObjectAddress address;
|
|
|
|
/*
|
|
* Look up name, check permissions, and acquire lock (which we will NOT
|
|
* release until end of transaction).
|
|
*/
|
|
relid = RangeVarGetRelidExtended(relation, AccessExclusiveLock,
|
|
0,
|
|
RangeVarCallbackForRenameRule,
|
|
NULL);
|
|
|
|
/* Have lock already, so just need to build relcache entry. */
|
|
targetrel = relation_open(relid, NoLock);
|
|
|
|
/* Prepare to modify pg_rewrite */
|
|
pg_rewrite_desc = table_open(RewriteRelationId, RowExclusiveLock);
|
|
|
|
/* Fetch the rule's entry (it had better exist) */
|
|
ruletup = SearchSysCacheCopy2(RULERELNAME,
|
|
ObjectIdGetDatum(relid),
|
|
PointerGetDatum(oldName));
|
|
if (!HeapTupleIsValid(ruletup))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_UNDEFINED_OBJECT),
|
|
errmsg("rule \"%s\" for relation \"%s\" does not exist",
|
|
oldName, RelationGetRelationName(targetrel))));
|
|
ruleform = (Form_pg_rewrite) GETSTRUCT(ruletup);
|
|
ruleOid = ruleform->oid;
|
|
|
|
/* rule with the new name should not already exist */
|
|
if (IsDefinedRewriteRule(relid, newName))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_DUPLICATE_OBJECT),
|
|
errmsg("rule \"%s\" for relation \"%s\" already exists",
|
|
newName, RelationGetRelationName(targetrel))));
|
|
|
|
/*
|
|
* We disallow renaming ON SELECT rules, because they should always be
|
|
* named "_RETURN".
|
|
*/
|
|
if (ruleform->ev_type == CMD_SELECT + '0')
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),
|
|
errmsg("renaming an ON SELECT rule is not allowed")));
|
|
|
|
/* OK, do the update */
|
|
namestrcpy(&(ruleform->rulename), newName);
|
|
|
|
CatalogTupleUpdate(pg_rewrite_desc, &ruletup->t_self, ruletup);
|
|
|
|
InvokeObjectPostAlterHook(RewriteRelationId, ruleOid, 0);
|
|
|
|
heap_freetuple(ruletup);
|
|
table_close(pg_rewrite_desc, RowExclusiveLock);
|
|
|
|
/*
|
|
* Invalidate relation's relcache entry so that other backends (and this
|
|
* one too!) are sent SI message to make them rebuild relcache entries.
|
|
* (Ideally this should happen automatically...)
|
|
*/
|
|
CacheInvalidateRelcache(targetrel);
|
|
|
|
ObjectAddressSet(address, RewriteRelationId, ruleOid);
|
|
|
|
/*
|
|
* Close rel, but keep exclusive lock!
|
|
*/
|
|
relation_close(targetrel, NoLock);
|
|
|
|
return address;
|
|
}
|