Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
P
Postgres FD Implementation
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Abuhujair Javed
Postgres FD Implementation
Commits
7415e083
Commit
7415e083
authored
Dec 01, 2005
by
Alvaro Herrera
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Refactor some bits in aclchk.c in order to reduce code duplication.
parent
164442fe
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
310 additions
and
413 deletions
+310
-413
src/backend/catalog/aclchk.c
src/backend/catalog/aclchk.c
+271
-397
src/backend/catalog/pg_shdepend.c
src/backend/catalog/pg_shdepend.c
+17
-12
src/include/utils/acl.h
src/include/utils/acl.h
+22
-4
No files found.
src/backend/catalog/aclchk.c
View file @
7415e083
...
...
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.12
2 2005/11/22 18:17:07 momjian
Exp $
* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.12
3 2005/12/01 02:03:00 alvherre
Exp $
*
* NOTES
* See acl.h.
...
...
@@ -42,28 +42,22 @@
#include "utils/syscache.h"
static
void
ExecGrant_Relation
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
);
static
void
ExecGrant_Database
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
);
static
void
ExecGrant_Function
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
);
static
void
ExecGrant_Language
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
);
static
void
ExecGrant_Namespace
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
);
static
void
ExecGrant_Tablespace
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
);
static
List
*
objectNamesToOids
(
GrantObjectType
objtype
,
List
*
objnames
);
static
void
ExecGrant_Relation
(
InternalGrant
*
grantStmt
);
static
void
ExecGrant_Database
(
InternalGrant
*
grantStmt
);
static
void
ExecGrant_Function
(
InternalGrant
*
grantStmt
);
static
void
ExecGrant_Language
(
InternalGrant
*
grantStmt
);
static
void
ExecGrant_Namespace
(
InternalGrant
*
grantStmt
);
static
void
ExecGrant_Tablespace
(
InternalGrant
*
grantStmt
);
static
List
*
objectNamesToOids
(
GrantObjectType
objtype
,
List
*
objnames
);
static
AclMode
string_to_privilege
(
const
char
*
privname
);
static
const
char
*
privilege_to_string
(
AclMode
privilege
);
static
AclMode
restrict_and_check_grant
(
bool
is_grant
,
AclMode
avail_goptions
,
bool
all_privs
,
AclMode
privileges
,
Oid
objectId
,
Oid
grantorId
,
AclObjectKind
objkind
,
char
*
objname
);
static
AclMode
pg_aclmask
(
AclObjectKind
objkind
,
Oid
table_oid
,
Oid
roleid
,
AclMode
mask
,
AclMaskHow
how
);
#ifdef ACLDEBUG
...
...
@@ -153,6 +147,91 @@ merge_acl_with_grant(Acl *old_acl, bool is_grant,
return
new_acl
;
}
/*
* Restrict the privileges to what we can actually grant, and emit
* the standards-mandated warning and error messages.
*/
static
AclMode
restrict_and_check_grant
(
bool
is_grant
,
AclMode
avail_goptions
,
bool
all_privs
,
AclMode
privileges
,
Oid
objectId
,
Oid
grantorId
,
AclObjectKind
objkind
,
char
*
objname
)
{
AclMode
this_privileges
;
AclMode
whole_mask
;
switch
(
objkind
)
{
case
ACL_KIND_CLASS
:
whole_mask
=
ACL_ALL_RIGHTS_RELATION
;
break
;
case
ACL_KIND_DATABASE
:
whole_mask
=
ACL_ALL_RIGHTS_DATABASE
;
break
;
case
ACL_KIND_PROC
:
whole_mask
=
ACL_ALL_RIGHTS_FUNCTION
;
break
;
case
ACL_KIND_LANGUAGE
:
whole_mask
=
ACL_ALL_RIGHTS_LANGUAGE
;
break
;
case
ACL_KIND_NAMESPACE
:
whole_mask
=
ACL_ALL_RIGHTS_NAMESPACE
;
break
;
case
ACL_KIND_TABLESPACE
:
whole_mask
=
ACL_ALL_RIGHTS_TABLESPACE
;
break
;
default:
elog
(
ERROR
,
"unrecognized object kind: %d"
,
objkind
);
/* not reached, but keep compiler quiet */
return
ACL_NO_RIGHTS
;
}
/*
* If we found no grant options, consider whether to issue a hard
* error. Per spec, having any privilege at all on the object will
* get you by here.
*/
if
(
avail_goptions
==
ACL_NO_RIGHTS
)
{
if
(
pg_aclmask
(
objkind
,
objectId
,
grantorId
,
whole_mask
|
ACL_GRANT_OPTION_FOR
(
whole_mask
),
ACLMASK_ANY
)
==
ACL_NO_RIGHTS
)
aclcheck_error
(
ACLCHECK_NO_PRIV
,
objkind
,
objname
);
}
/*
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
*/
this_privileges
=
privileges
&
ACL_OPTION_TO_PRIVS
(
avail_goptions
);
if
(
is_grant
)
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"no privileges were granted"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"not all privileges were granted"
)));
}
else
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"no privileges could be revoked"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"not all privileges could be revoked"
)));
}
return
this_privileges
;
}
/*
* Called to execute the utility commands GRANT and REVOKE
...
...
@@ -160,13 +239,24 @@ merge_acl_with_grant(Acl *old_acl, bool is_grant,
void
ExecuteGrantStmt
(
GrantStmt
*
stmt
)
{
List
*
objects
;
List
*
grantees
=
NIL
;
AclMode
privileges
;
InternalGrant
istmt
;
ListCell
*
cell
;
bool
all_privs
;
AclMode
all_privileges
=
(
AclMode
)
0
;
char
*
errormsg
=
NULL
;
char
*
errormsg
;
AclMode
all_privileges
;
/*
* Turn the regular GrantStmt into the InternalGrant form.
*/
istmt
.
is_grant
=
stmt
->
is_grant
;
istmt
.
objtype
=
stmt
->
objtype
;
istmt
.
objects
=
objectNamesToOids
(
stmt
->
objtype
,
stmt
->
objects
);
/* all_privs to be filled below */
/* privileges to be filled below */
istmt
.
grantees
=
NIL
;
/* filled below */
istmt
.
grant_option
=
stmt
->
grant_option
;
istmt
.
behavior
=
stmt
->
behavior
;
/*
* Convert the PrivGrantee list into an Oid list. Note that at this point
...
...
@@ -180,15 +270,15 @@ ExecuteGrantStmt(GrantStmt *stmt)
PrivGrantee
*
grantee
=
(
PrivGrantee
*
)
lfirst
(
cell
);
if
(
grantee
->
rolname
==
NULL
)
grantees
=
lappend_oid
(
grantees
,
ACL_ID_PUBLIC
);
istmt
.
grantees
=
lappend_oid
(
istmt
.
grantees
,
ACL_ID_PUBLIC
);
else
grantees
=
lappend_oid
(
grantees
,
istmt
.
grantees
=
lappend_oid
(
istmt
.
grantees
,
get_roleid_checked
(
grantee
->
rolname
));
}
/*
* Convert stmt->privileges, a textual list, into an AclMode bitmask
* appropiate for the given object class.
* Convert stmt->privileges, a textual list, into an AclMode bitmask.
*/
switch
(
stmt
->
objtype
)
{
...
...
@@ -217,19 +307,26 @@ ExecuteGrantStmt(GrantStmt *stmt)
errormsg
=
_
(
"invalid privilege type %s for tablespace"
);
break
;
default:
/* keep compiler quiet */
all_privileges
=
ACL_NO_RIGHTS
;
errormsg
=
NULL
;
elog
(
ERROR
,
"unrecognized GrantStmt.objtype: %d"
,
(
int
)
stmt
->
objtype
);
}
if
(
stmt
->
privileges
==
NIL
)
{
all_privs
=
true
;
privileges
=
all_privileges
;
istmt
.
all_privs
=
true
;
/*
* will be turned into ACL_ALL_RIGHTS_* by the internal routines
* depending on the object type
*/
istmt
.
privileges
=
ACL_NO_RIGHTS
;
}
else
{
all_privs
=
false
;
privileges
=
ACL_NO_RIGHTS
;
istmt
.
all_privs
=
false
;
istmt
.
privileges
=
ACL_NO_RIGHTS
;
foreach
(
cell
,
stmt
->
privileges
)
{
char
*
privname
=
strVal
(
lfirst
(
cell
));
...
...
@@ -241,61 +338,44 @@ ExecuteGrantStmt(GrantStmt *stmt)
errmsg
(
errormsg
,
privilege_to_string
(
priv
))));
privileges
|=
priv
;
istmt
.
privileges
|=
priv
;
}
}
/* Turn the list of object names into an Oid list */
objects
=
objectNamesToOids
(
stmt
->
objtype
,
stmt
->
objects
);
ExecGrantStmt_oids
(
stmt
->
is_grant
,
stmt
->
objtype
,
objects
,
all_privs
,
privileges
,
grantees
,
stmt
->
grant_option
,
stmt
->
behavior
);
ExecGrantStmt_oids
(
&
istmt
);
}
/*
* ExecGrantStmt_oids
*
* "Internal" entrypoint for granting and revoking privileges. The arguments
* it receives are lists of Oids or have been otherwise converted from text
* format to internal format.
* "Internal" entrypoint for granting and revoking privileges.
*/
void
ExecGrantStmt_oids
(
bool
is_grant
,
GrantObjectType
objtype
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
)
ExecGrantStmt_oids
(
InternalGrant
*
istmt
)
{
switch
(
objtype
)
switch
(
istmt
->
objtype
)
{
case
ACL_OBJECT_RELATION
:
ExecGrant_Relation
(
is_grant
,
objects
,
all_privs
,
privileges
,
grantees
,
grant_option
,
behavior
);
ExecGrant_Relation
(
istmt
);
break
;
case
ACL_OBJECT_DATABASE
:
ExecGrant_Database
(
is_grant
,
objects
,
all_privs
,
privileges
,
grantees
,
grant_option
,
behavior
);
ExecGrant_Database
(
istmt
);
break
;
case
ACL_OBJECT_FUNCTION
:
ExecGrant_Function
(
is_grant
,
objects
,
all_privs
,
privileges
,
grantees
,
grant_option
,
behavior
);
ExecGrant_Function
(
istmt
);
break
;
case
ACL_OBJECT_LANGUAGE
:
ExecGrant_Language
(
is_grant
,
objects
,
all_privs
,
privileges
,
grantees
,
grant_option
,
behavior
);
ExecGrant_Language
(
istmt
);
break
;
case
ACL_OBJECT_NAMESPACE
:
ExecGrant_Namespace
(
is_grant
,
objects
,
all_privs
,
privileges
,
grantees
,
grant_option
,
behavior
);
ExecGrant_Namespace
(
istmt
);
break
;
case
ACL_OBJECT_TABLESPACE
:
ExecGrant_Tablespace
(
is_grant
,
objects
,
all_privs
,
privileges
,
grantees
,
grant_option
,
behavior
);
ExecGrant_Tablespace
(
istmt
);
break
;
default:
elog
(
ERROR
,
"unrecognized GrantStmt.objtype: %d"
,
(
int
)
objtype
);
(
int
)
istmt
->
objtype
);
}
}
...
...
@@ -444,19 +524,17 @@ objectNamesToOids(GrantObjectType objtype, List *objnames)
}
static
void
ExecGrant_Relation
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
)
ExecGrant_Relation
(
InternalGrant
*
istmt
)
{
Relation
relation
;
ListCell
*
cell
;
if
(
all_privs
&&
privileges
==
ACL_NO_RIGHTS
)
privileges
=
ACL_ALL_RIGHTS_RELATION
;
if
(
istmt
->
all_privs
&&
istmt
->
privileges
==
ACL_NO_RIGHTS
)
istmt
->
privileges
=
ACL_ALL_RIGHTS_RELATION
;
relation
=
heap_open
(
RelationRelationId
,
RowExclusiveLock
);
foreach
(
cell
,
objects
)
foreach
(
cell
,
istmt
->
objects
)
{
Oid
relOid
=
lfirst_oid
(
cell
);
Datum
aclDatum
;
...
...
@@ -512,56 +590,19 @@ ExecGrant_Relation(bool is_grant, List *objects, bool all_privs,
old_acl
=
DatumGetAclPCopy
(
aclDatum
);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor
(
GetUserId
(),
privileges
,
select_best_grantor
(
GetUserId
(),
istmt
->
privileges
,
old_acl
,
ownerId
,
&
grantorId
,
&
avail_goptions
);
/*
* If we found no grant options, consider whether to issue a hard
* error. Per spec, having any privilege at all on the object will
* get you by here.
* Restrict the privileges to what we can actually grant, and emit
* the standards-mandated warning and error messages.
*/
if
(
avail_goptions
==
ACL_NO_RIGHTS
)
{
if
(
pg_class_aclmask
(
relOid
,
grantorId
,
ACL_ALL_RIGHTS_RELATION
|
ACL_GRANT_OPTION_FOR
(
ACL_ALL_RIGHTS_RELATION
),
ACLMASK_ANY
)
==
ACL_NO_RIGHTS
)
aclcheck_error
(
ACLCHECK_NO_PRIV
,
ACL_KIND_CLASS
,
this_privileges
=
restrict_and_check_grant
(
istmt
->
is_grant
,
avail_goptions
,
istmt
->
all_privs
,
istmt
->
privileges
,
relOid
,
grantorId
,
ACL_KIND_CLASS
,
NameStr
(
pg_class_tuple
->
relname
));
}
/*
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
*/
this_privileges
=
privileges
&
ACL_OPTION_TO_PRIVS
(
avail_goptions
);
if
(
is_grant
)
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"no privileges were granted"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"not all privileges were granted"
)));
}
else
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"no privileges could be revoked"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"not all privileges could be revoked"
)));
}
/*
* Generate new ACL.
...
...
@@ -571,9 +612,9 @@ ExecGrant_Relation(bool is_grant, List *objects, bool all_privs,
*/
noldmembers
=
aclmembers
(
old_acl
,
&
oldmembers
);
new_acl
=
merge_acl_with_grant
(
old_acl
,
is_grant
,
grant_option
,
behavior
,
grantees
,
this_privileges
,
new_acl
=
merge_acl_with_grant
(
old_acl
,
is
tmt
->
is
_grant
,
istmt
->
grant_option
,
istmt
->
behavior
,
istmt
->
grantees
,
this_privileges
,
grantorId
,
ownerId
);
nnewmembers
=
aclmembers
(
new_acl
,
&
newmembers
);
...
...
@@ -595,7 +636,7 @@ ExecGrant_Relation(bool is_grant, List *objects, bool all_privs,
/* Update the shared dependency ACL info */
updateAclDependencies
(
RelationRelationId
,
relOid
,
ownerId
,
is_grant
,
ownerId
,
is
tmt
->
is
_grant
,
noldmembers
,
oldmembers
,
nnewmembers
,
newmembers
);
...
...
@@ -611,19 +652,17 @@ ExecGrant_Relation(bool is_grant, List *objects, bool all_privs,
}
static
void
ExecGrant_Database
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
)
ExecGrant_Database
(
InternalGrant
*
istmt
)
{
Relation
relation
;
ListCell
*
cell
;
if
(
all_privs
&&
privileges
==
ACL_NO_RIGHTS
)
privileges
=
ACL_ALL_RIGHTS_DATABASE
;
if
(
istmt
->
all_privs
&&
istmt
->
privileges
==
ACL_NO_RIGHTS
)
istmt
->
privileges
=
ACL_ALL_RIGHTS_DATABASE
;
relation
=
heap_open
(
DatabaseRelationId
,
RowExclusiveLock
);
foreach
(
cell
,
objects
)
foreach
(
cell
,
istmt
->
objects
)
{
Oid
datId
=
lfirst_oid
(
cell
);
Form_pg_database
pg_database_tuple
;
...
...
@@ -675,56 +714,19 @@ ExecGrant_Database(bool is_grant, List *objects, bool all_privs,
old_acl
=
DatumGetAclPCopy
(
aclDatum
);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor
(
GetUserId
(),
privileges
,
select_best_grantor
(
GetUserId
(),
istmt
->
privileges
,
old_acl
,
ownerId
,
&
grantorId
,
&
avail_goptions
);
/*
* If we found no grant options, consider whether to issue a hard
* error. Per spec, having any privilege at all on the object will
* get you by here.
* Restrict the privileges to what we can actually grant, and emit
* the standards-mandated warning and error messages.
*/
if
(
avail_goptions
==
ACL_NO_RIGHTS
)
{
if
(
pg_database_aclmask
(
HeapTupleGetOid
(
tuple
),
grantorId
,
ACL_ALL_RIGHTS_DATABASE
|
ACL_GRANT_OPTION_FOR
(
ACL_ALL_RIGHTS_DATABASE
),
ACLMASK_ANY
)
==
ACL_NO_RIGHTS
)
aclcheck_error
(
ACLCHECK_NO_PRIV
,
ACL_KIND_DATABASE
,
this_privileges
=
restrict_and_check_grant
(
istmt
->
is_grant
,
avail_goptions
,
istmt
->
all_privs
,
istmt
->
privileges
,
datId
,
grantorId
,
ACL_KIND_DATABASE
,
NameStr
(
pg_database_tuple
->
datname
));
}
/*
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
*/
this_privileges
=
privileges
&
ACL_OPTION_TO_PRIVS
(
avail_goptions
);
if
(
is_grant
)
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"no privileges were granted"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"not all privileges were granted"
)));
}
else
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"no privileges could be revoked"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"not all privileges could be revoked"
)));
}
/*
* Generate new ACL.
...
...
@@ -734,9 +736,9 @@ ExecGrant_Database(bool is_grant, List *objects, bool all_privs,
*/
noldmembers
=
aclmembers
(
old_acl
,
&
oldmembers
);
new_acl
=
merge_acl_with_grant
(
old_acl
,
is_grant
,
grant_option
,
behavior
,
grantees
,
this_privileges
,
new_acl
=
merge_acl_with_grant
(
old_acl
,
is
tmt
->
is
_grant
,
istmt
->
grant_option
,
istmt
->
behavior
,
istmt
->
grantees
,
this_privileges
,
grantorId
,
ownerId
);
nnewmembers
=
aclmembers
(
new_acl
,
&
newmembers
);
...
...
@@ -759,7 +761,7 @@ ExecGrant_Database(bool is_grant, List *objects, bool all_privs,
/* Update the shared dependency ACL info */
updateAclDependencies
(
DatabaseRelationId
,
HeapTupleGetOid
(
tuple
),
ownerId
,
is_grant
,
ownerId
,
is
tmt
->
is
_grant
,
noldmembers
,
oldmembers
,
nnewmembers
,
newmembers
);
...
...
@@ -775,19 +777,17 @@ ExecGrant_Database(bool is_grant, List *objects, bool all_privs,
}
static
void
ExecGrant_Function
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
)
ExecGrant_Function
(
InternalGrant
*
istmt
)
{
Relation
relation
;
ListCell
*
cell
;
if
(
all_privs
&&
privileges
==
ACL_NO_RIGHTS
)
privileges
=
ACL_ALL_RIGHTS_FUNCTION
;
if
(
istmt
->
all_privs
&&
istmt
->
privileges
==
ACL_NO_RIGHTS
)
istmt
->
privileges
=
ACL_ALL_RIGHTS_FUNCTION
;
relation
=
heap_open
(
ProcedureRelationId
,
RowExclusiveLock
);
foreach
(
cell
,
objects
)
foreach
(
cell
,
istmt
->
objects
)
{
Oid
funcId
=
lfirst_oid
(
cell
);
Form_pg_proc
pg_proc_tuple
;
...
...
@@ -830,56 +830,19 @@ ExecGrant_Function(bool is_grant, List *objects, bool all_privs,
old_acl
=
DatumGetAclPCopy
(
aclDatum
);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor
(
GetUserId
(),
privileges
,
select_best_grantor
(
GetUserId
(),
istmt
->
privileges
,
old_acl
,
ownerId
,
&
grantorId
,
&
avail_goptions
);
/*
* If we found no grant options, consider whether to issue a hard
* error. Per spec, having any privilege at all on the object will
* get you by here.
* Restrict the privileges to what we can actually grant, and emit
* the standards-mandated warning and error messages.
*/
if
(
avail_goptions
==
ACL_NO_RIGHTS
)
{
if
(
pg_proc_aclmask
(
funcId
,
grantorId
,
ACL_ALL_RIGHTS_FUNCTION
|
ACL_GRANT_OPTION_FOR
(
ACL_ALL_RIGHTS_FUNCTION
),
ACLMASK_ANY
)
==
ACL_NO_RIGHTS
)
aclcheck_error
(
ACLCHECK_NO_PRIV
,
ACL_KIND_PROC
,
this_privileges
=
restrict_and_check_grant
(
istmt
->
is_grant
,
avail_goptions
,
istmt
->
all_privs
,
istmt
->
privileges
,
funcId
,
grantorId
,
ACL_KIND_PROC
,
NameStr
(
pg_proc_tuple
->
proname
));
}
/*
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
*/
this_privileges
=
privileges
&
ACL_OPTION_TO_PRIVS
(
avail_goptions
);
if
(
is_grant
)
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"no privileges were granted"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"not all privileges were granted"
)));
}
else
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"no privileges could be revoked"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"not all privileges could be revoked"
)));
}
/*
* Generate new ACL.
...
...
@@ -889,9 +852,9 @@ ExecGrant_Function(bool is_grant, List *objects, bool all_privs,
*/
noldmembers
=
aclmembers
(
old_acl
,
&
oldmembers
);
new_acl
=
merge_acl_with_grant
(
old_acl
,
is_grant
,
grant_option
,
behavior
,
grantees
,
this_privileges
,
new_acl
=
merge_acl_with_grant
(
old_acl
,
is
tmt
->
is
_grant
,
istmt
->
grant_option
,
istmt
->
behavior
,
istmt
->
grantees
,
this_privileges
,
grantorId
,
ownerId
);
nnewmembers
=
aclmembers
(
new_acl
,
&
newmembers
);
...
...
@@ -914,7 +877,7 @@ ExecGrant_Function(bool is_grant, List *objects, bool all_privs,
/* Update the shared dependency ACL info */
updateAclDependencies
(
ProcedureRelationId
,
funcId
,
ownerId
,
is_grant
,
ownerId
,
is
tmt
->
is
_grant
,
noldmembers
,
oldmembers
,
nnewmembers
,
newmembers
);
...
...
@@ -930,21 +893,19 @@ ExecGrant_Function(bool is_grant, List *objects, bool all_privs,
}
static
void
ExecGrant_Language
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
)
ExecGrant_Language
(
InternalGrant
*
istmt
)
{
Relation
relation
;
ListCell
*
cell
;
if
(
all_privs
&&
privileges
==
ACL_NO_RIGHTS
)
privileges
=
ACL_ALL_RIGHTS_LANGUAGE
;
if
(
istmt
->
all_privs
&&
istmt
->
privileges
==
ACL_NO_RIGHTS
)
istmt
->
privileges
=
ACL_ALL_RIGHTS_LANGUAGE
;
relation
=
heap_open
(
LanguageRelationId
,
RowExclusiveLock
);
foreach
(
cell
,
objects
)
foreach
(
cell
,
istmt
->
objects
)
{
Oid
lang
i
d
=
lfirst_oid
(
cell
);
Oid
lang
I
d
=
lfirst_oid
(
cell
);
Form_pg_language
pg_language_tuple
;
Datum
aclDatum
;
bool
isNull
;
...
...
@@ -965,10 +926,10 @@ ExecGrant_Language(bool is_grant, List *objects, bool all_privs,
Oid
*
newmembers
;
tuple
=
SearchSysCache
(
LANGOID
,
ObjectIdGetDatum
(
lang
i
d
),
ObjectIdGetDatum
(
lang
I
d
),
0
,
0
,
0
);
if
(
!
HeapTupleIsValid
(
tuple
))
elog
(
ERROR
,
"cache lookup failed for language %u"
,
lang
i
d
);
elog
(
ERROR
,
"cache lookup failed for language %u"
,
lang
I
d
);
pg_language_tuple
=
(
Form_pg_language
)
GETSTRUCT
(
tuple
);
...
...
@@ -995,56 +956,19 @@ ExecGrant_Language(bool is_grant, List *objects, bool all_privs,
old_acl
=
DatumGetAclPCopy
(
aclDatum
);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor
(
GetUserId
(),
privileges
,
select_best_grantor
(
GetUserId
(),
istmt
->
privileges
,
old_acl
,
ownerId
,
&
grantorId
,
&
avail_goptions
);
/*
* If we found no grant options, consider whether to issue a hard
* error. Per spec, having any privilege at all on the object will
* get you by here.
* Restrict the privileges to what we can actually grant, and emit
* the standards-mandated warning and error messages.
*/
if
(
avail_goptions
==
ACL_NO_RIGHTS
)
{
if
(
pg_language_aclmask
(
HeapTupleGetOid
(
tuple
),
grantorId
,
ACL_ALL_RIGHTS_LANGUAGE
|
ACL_GRANT_OPTION_FOR
(
ACL_ALL_RIGHTS_LANGUAGE
),
ACLMASK_ANY
)
==
ACL_NO_RIGHTS
)
aclcheck_error
(
ACLCHECK_NO_PRIV
,
ACL_KIND_LANGUAGE
,
this_privileges
=
restrict_and_check_grant
(
istmt
->
is_grant
,
avail_goptions
,
istmt
->
all_privs
,
istmt
->
privileges
,
langId
,
grantorId
,
ACL_KIND_LANGUAGE
,
NameStr
(
pg_language_tuple
->
lanname
));
}
/*
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
*/
this_privileges
=
privileges
&
ACL_OPTION_TO_PRIVS
(
avail_goptions
);
if
(
is_grant
)
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"no privileges were granted"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"not all privileges were granted"
)));
}
else
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"no privileges could be revoked"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"not all privileges could be revoked"
)));
}
/*
* Generate new ACL.
...
...
@@ -1054,9 +978,9 @@ ExecGrant_Language(bool is_grant, List *objects, bool all_privs,
*/
noldmembers
=
aclmembers
(
old_acl
,
&
oldmembers
);
new_acl
=
merge_acl_with_grant
(
old_acl
,
is_grant
,
grant_option
,
behavior
,
grantees
,
this_privileges
,
new_acl
=
merge_acl_with_grant
(
old_acl
,
is
tmt
->
is
_grant
,
istmt
->
grant_option
,
istmt
->
behavior
,
istmt
->
grantees
,
this_privileges
,
grantorId
,
ownerId
);
nnewmembers
=
aclmembers
(
new_acl
,
&
newmembers
);
...
...
@@ -1079,7 +1003,7 @@ ExecGrant_Language(bool is_grant, List *objects, bool all_privs,
/* Update the shared dependency ACL info */
updateAclDependencies
(
LanguageRelationId
,
HeapTupleGetOid
(
tuple
),
ownerId
,
is_grant
,
ownerId
,
is
tmt
->
is
_grant
,
noldmembers
,
oldmembers
,
nnewmembers
,
newmembers
);
...
...
@@ -1095,19 +1019,17 @@ ExecGrant_Language(bool is_grant, List *objects, bool all_privs,
}
static
void
ExecGrant_Namespace
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
)
ExecGrant_Namespace
(
InternalGrant
*
istmt
)
{
Relation
relation
;
ListCell
*
cell
;
if
(
all_privs
&&
privileges
==
ACL_NO_RIGHTS
)
privileges
=
ACL_ALL_RIGHTS_NAMESPACE
;
if
(
istmt
->
all_privs
&&
istmt
->
privileges
==
ACL_NO_RIGHTS
)
istmt
->
privileges
=
ACL_ALL_RIGHTS_NAMESPACE
;
relation
=
heap_open
(
NamespaceRelationId
,
RowExclusiveLock
);
foreach
(
cell
,
objects
)
foreach
(
cell
,
istmt
->
objects
)
{
Oid
nspid
=
lfirst_oid
(
cell
);
Form_pg_namespace
pg_namespace_tuple
;
...
...
@@ -1151,56 +1073,19 @@ ExecGrant_Namespace(bool is_grant, List *objects, bool all_privs,
old_acl
=
DatumGetAclPCopy
(
aclDatum
);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor
(
GetUserId
(),
privileges
,
select_best_grantor
(
GetUserId
(),
istmt
->
privileges
,
old_acl
,
ownerId
,
&
grantorId
,
&
avail_goptions
);
/*
* If we found no grant options, consider whether to issue a hard
* error. Per spec, having any privilege at all on the object will
* get you by here.
* Restrict the privileges to what we can actually grant, and emit
* the standards-mandated warning and error messages.
*/
if
(
avail_goptions
==
ACL_NO_RIGHTS
)
{
if
(
pg_namespace_aclmask
(
HeapTupleGetOid
(
tuple
),
grantorId
,
ACL_ALL_RIGHTS_NAMESPACE
|
ACL_GRANT_OPTION_FOR
(
ACL_ALL_RIGHTS_NAMESPACE
),
ACLMASK_ANY
)
==
ACL_NO_RIGHTS
)
aclcheck_error
(
ACLCHECK_NO_PRIV
,
ACL_KIND_NAMESPACE
,
this_privileges
=
restrict_and_check_grant
(
istmt
->
is_grant
,
avail_goptions
,
istmt
->
all_privs
,
istmt
->
privileges
,
nspid
,
grantorId
,
ACL_KIND_NAMESPACE
,
NameStr
(
pg_namespace_tuple
->
nspname
));
}
/*
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
*/
this_privileges
=
privileges
&
ACL_OPTION_TO_PRIVS
(
avail_goptions
);
if
(
is_grant
)
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"no privileges were granted"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"not all privileges were granted"
)));
}
else
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"no privileges could be revoked"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"not all privileges could be revoked"
)));
}
/*
* Generate new ACL.
...
...
@@ -1210,9 +1095,9 @@ ExecGrant_Namespace(bool is_grant, List *objects, bool all_privs,
*/
noldmembers
=
aclmembers
(
old_acl
,
&
oldmembers
);
new_acl
=
merge_acl_with_grant
(
old_acl
,
is_grant
,
grant_option
,
behavior
,
grantees
,
this_privileges
,
new_acl
=
merge_acl_with_grant
(
old_acl
,
is
tmt
->
is
_grant
,
istmt
->
grant_option
,
istmt
->
behavior
,
istmt
->
grantees
,
this_privileges
,
grantorId
,
ownerId
);
nnewmembers
=
aclmembers
(
new_acl
,
&
newmembers
);
...
...
@@ -1235,7 +1120,7 @@ ExecGrant_Namespace(bool is_grant, List *objects, bool all_privs,
/* Update the shared dependency ACL info */
updateAclDependencies
(
NamespaceRelationId
,
HeapTupleGetOid
(
tuple
),
ownerId
,
is_grant
,
ownerId
,
is
tmt
->
is
_grant
,
noldmembers
,
oldmembers
,
nnewmembers
,
newmembers
);
...
...
@@ -1251,19 +1136,17 @@ ExecGrant_Namespace(bool is_grant, List *objects, bool all_privs,
}
static
void
ExecGrant_Tablespace
(
bool
is_grant
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
)
ExecGrant_Tablespace
(
InternalGrant
*
istmt
)
{
Relation
relation
;
ListCell
*
cell
;
if
(
all_privs
&&
privileges
==
ACL_NO_RIGHTS
)
privileges
=
ACL_ALL_RIGHTS_TABLESPACE
;
if
(
istmt
->
all_privs
&&
istmt
->
privileges
==
ACL_NO_RIGHTS
)
istmt
->
privileges
=
ACL_ALL_RIGHTS_TABLESPACE
;
relation
=
heap_open
(
TableSpaceRelationId
,
RowExclusiveLock
);
foreach
(
cell
,
objects
)
foreach
(
cell
,
istmt
->
objects
)
{
Oid
tblId
=
lfirst_oid
(
cell
);
Form_pg_tablespace
pg_tablespace_tuple
;
...
...
@@ -1313,56 +1196,19 @@ ExecGrant_Tablespace(bool is_grant, List *objects, bool all_privs,
old_acl
=
DatumGetAclPCopy
(
aclDatum
);
/* Determine ID to do the grant as, and available grant options */
select_best_grantor
(
GetUserId
(),
privileges
,
select_best_grantor
(
GetUserId
(),
istmt
->
privileges
,
old_acl
,
ownerId
,
&
grantorId
,
&
avail_goptions
);
/*
* If we found no grant options, consider whether to issue a hard
* error. Per spec, having any privilege at all on the object will
* get you by here.
* Restrict the privileges to what we can actually grant, and emit
* the standards-mandated warning and error messages.
*/
if
(
avail_goptions
==
ACL_NO_RIGHTS
)
{
if
(
pg_tablespace_aclmask
(
HeapTupleGetOid
(
tuple
),
grantorId
,
ACL_ALL_RIGHTS_TABLESPACE
|
ACL_GRANT_OPTION_FOR
(
ACL_ALL_RIGHTS_TABLESPACE
),
ACLMASK_ANY
)
==
ACL_NO_RIGHTS
)
aclcheck_error
(
ACLCHECK_NO_PRIV
,
ACL_KIND_TABLESPACE
,
this_privileges
=
restrict_and_check_grant
(
istmt
->
is_grant
,
avail_goptions
,
istmt
->
all_privs
,
istmt
->
privileges
,
tblId
,
grantorId
,
ACL_KIND_TABLESPACE
,
NameStr
(
pg_tablespace_tuple
->
spcname
));
}
/*
* Restrict the operation to what we can actually grant or revoke, and
* issue a warning if appropriate. (For REVOKE this isn't quite what
* the spec says to do: the spec seems to want a warning only if no
* privilege bits actually change in the ACL. In practice that
* behavior seems much too noisy, as well as inconsistent with the
* GRANT case.)
*/
this_privileges
=
privileges
&
ACL_OPTION_TO_PRIVS
(
avail_goptions
);
if
(
is_grant
)
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"no privileges were granted"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED
),
errmsg
(
"not all privileges were granted"
)));
}
else
{
if
(
this_privileges
==
0
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"no privileges could be revoked"
)));
else
if
(
!
all_privs
&&
this_privileges
!=
privileges
)
ereport
(
WARNING
,
(
errcode
(
ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED
),
errmsg
(
"not all privileges could be revoked"
)));
}
/*
* Generate new ACL.
...
...
@@ -1372,9 +1218,9 @@ ExecGrant_Tablespace(bool is_grant, List *objects, bool all_privs,
*/
noldmembers
=
aclmembers
(
old_acl
,
&
oldmembers
);
new_acl
=
merge_acl_with_grant
(
old_acl
,
is_grant
,
grant_option
,
behavior
,
grantees
,
this_privileges
,
new_acl
=
merge_acl_with_grant
(
old_acl
,
is
tmt
->
is
_grant
,
istmt
->
grant_option
,
istmt
->
behavior
,
istmt
->
grantees
,
this_privileges
,
grantorId
,
ownerId
);
nnewmembers
=
aclmembers
(
new_acl
,
&
newmembers
);
...
...
@@ -1397,7 +1243,7 @@ ExecGrant_Tablespace(bool is_grant, List *objects, bool all_privs,
/* Update the shared dependency ACL info */
updateAclDependencies
(
TableSpaceRelationId
,
tblId
,
ownerId
,
is_grant
,
ownerId
,
is
tmt
->
is
_grant
,
noldmembers
,
oldmembers
,
nnewmembers
,
newmembers
);
...
...
@@ -1583,6 +1429,34 @@ has_rolcatupdate(Oid roleid)
return
rolcatupdate
;
}
/*
* Relay for the various pg_*_mask routines depending on object kind
*/
static
AclMode
pg_aclmask
(
AclObjectKind
objkind
,
Oid
table_oid
,
Oid
roleid
,
AclMode
mask
,
AclMaskHow
how
)
{
switch
(
objkind
)
{
case
ACL_KIND_CLASS
:
return
pg_class_aclmask
(
table_oid
,
roleid
,
mask
,
how
);
case
ACL_KIND_DATABASE
:
return
pg_database_aclmask
(
table_oid
,
roleid
,
mask
,
how
);
case
ACL_KIND_PROC
:
return
pg_proc_aclmask
(
table_oid
,
roleid
,
mask
,
how
);
case
ACL_KIND_LANGUAGE
:
return
pg_language_aclmask
(
table_oid
,
roleid
,
mask
,
how
);
case
ACL_KIND_NAMESPACE
:
return
pg_namespace_aclmask
(
table_oid
,
roleid
,
mask
,
how
);
case
ACL_KIND_TABLESPACE
:
return
pg_tablespace_aclmask
(
table_oid
,
roleid
,
mask
,
how
);
default:
elog
(
ERROR
,
"unrecognized objkind: %d"
,
(
int
)
objkind
);
/* not reached, but keep compiler quiet */
return
ACL_NO_RIGHTS
;
}
}
/*
* Exported routine for examining a user's privileges for a table
...
...
src/backend/catalog/pg_shdepend.c
View file @
7415e083
...
...
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/catalog/pg_shdepend.c,v 1.
5 2005/11/22 18:17:08 momjian
Exp $
* $PostgreSQL: pgsql/src/backend/catalog/pg_shdepend.c,v 1.
6 2005/12/01 02:03:00 alvherre
Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -1122,6 +1122,7 @@ shdepDropOwned(List *roleids, DropBehavior behavior)
{
ObjectAddress
obj
;
GrantObjectType
objtype
;
InternalGrant
istmt
;
/* Shouldn't happen */
case
SHARED_DEPENDENCY_PIN
:
...
...
@@ -1132,22 +1133,22 @@ shdepDropOwned(List *roleids, DropBehavior behavior)
switch
(
sdepForm
->
classid
)
{
case
RelationRelationId
:
objtype
=
ACL_OBJECT_RELATION
;
istmt
.
objtype
=
ACL_OBJECT_RELATION
;
break
;
case
DatabaseRelationId
:
objtype
=
ACL_OBJECT_DATABASE
;
istmt
.
objtype
=
ACL_OBJECT_DATABASE
;
break
;
case
ProcedureRelationId
:
objtype
=
ACL_OBJECT_FUNCTION
;
istmt
.
objtype
=
ACL_OBJECT_FUNCTION
;
break
;
case
LanguageRelationId
:
objtype
=
ACL_OBJECT_LANGUAGE
;
istmt
.
objtype
=
ACL_OBJECT_LANGUAGE
;
break
;
case
NamespaceRelationId
:
objtype
=
ACL_OBJECT_NAMESPACE
;
istmt
.
objtype
=
ACL_OBJECT_NAMESPACE
;
break
;
case
TableSpaceRelationId
:
objtype
=
ACL_OBJECT_TABLESPACE
;
istmt
.
objtype
=
ACL_OBJECT_TABLESPACE
;
break
;
default:
elog
(
ERROR
,
"unexpected object type %d"
,
...
...
@@ -1156,11 +1157,15 @@ shdepDropOwned(List *roleids, DropBehavior behavior)
objtype
=
(
GrantObjectType
)
0
;
break
;
}
ExecGrantStmt_oids
(
false
,
objtype
,
list_make1_oid
(
sdepForm
->
objid
),
true
,
ACL_NO_RIGHTS
,
list_make1_oid
(
roleid
),
false
,
DROP_CASCADE
);
istmt
.
is_grant
=
false
;
istmt
.
objects
=
list_make1_oid
(
sdepForm
->
objid
);
istmt
.
all_privs
=
true
;
istmt
.
privileges
=
ACL_NO_RIGHTS
;
istmt
.
grantees
=
list_make1_oid
(
roleid
);
istmt
.
grant_option
=
false
;
istmt
.
behavior
=
DROP_CASCADE
;
ExecGrantStmt_oids
(
&
istmt
);
break
;
case
SHARED_DEPENDENCY_OWNER
:
...
...
src/include/utils/acl.h
View file @
7415e083
...
...
@@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.9
0 2005/11/22 18:17:31 momjian
Exp $
* $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.9
1 2005/12/01 02:03:01 alvherre
Exp $
*
* NOTES
* An ACL array is simply an array of AclItems, representing the union
...
...
@@ -181,6 +181,26 @@ typedef enum AclObjectKind
MAX_ACL_KIND
/* MUST BE LAST */
}
AclObjectKind
;
/*
* The information about one Grant/Revoke statement, in internal format: object
* and grantees names have been turned into Oids, the privilege list is an
* AclMode bitmask. If 'privileges' is ACL_NO_RIGHTS (the 0 value) and
* all_privs is true, it will be internally turned into the right kind of
* ACL_ALL_RIGHTS_*, depending on the object type (NB - this will modify the
* InternalGrant struct!)
*/
typedef
struct
{
bool
is_grant
;
GrantObjectType
objtype
;
List
*
objects
;
bool
all_privs
;
AclMode
privileges
;
List
*
grantees
;
bool
grant_option
;
DropBehavior
behavior
;
}
InternalGrant
;
/*
* routines used internally
*/
...
...
@@ -221,9 +241,7 @@ extern Datum hash_aclitem(PG_FUNCTION_ARGS);
* prototypes for functions in aclchk.c
*/
extern
void
ExecuteGrantStmt
(
GrantStmt
*
stmt
);
extern
void
ExecGrantStmt_oids
(
bool
is_grant
,
GrantObjectType
objtype
,
List
*
objects
,
bool
all_privs
,
AclMode
privileges
,
List
*
grantees
,
bool
grant_option
,
DropBehavior
behavior
);
extern
void
ExecGrantStmt_oids
(
InternalGrant
*
istmt
);
extern
AclMode
pg_class_aclmask
(
Oid
table_oid
,
Oid
roleid
,
AclMode
mask
,
AclMaskHow
how
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment