Commit a89505fd authored by Stephen Frost's avatar Stephen Frost

Remove various special checks around default roles

Default roles really should be like regular roles, for the most part.
This removes a number of checks that were trying to make default roles
extra special by not allowing them to be used as regular roles.

We still prevent users from creating roles in the "pg_" namespace or
from altering roles which exist in that namespace via ALTER ROLE, as
we can't preserve such changes, but otherwise the roles are very much
like regular roles.

Based on discussion with Robert and Tom.
parent 6bd356c3
...@@ -423,9 +423,6 @@ ExecuteGrantStmt(GrantStmt *stmt) ...@@ -423,9 +423,6 @@ ExecuteGrantStmt(GrantStmt *stmt)
grantee_uid = ACL_ID_PUBLIC; grantee_uid = ACL_ID_PUBLIC;
break; break;
default: default:
if (!IsBootstrapProcessingMode())
check_rolespec_name((Node *) grantee,
"Cannot GRANT or REVOKE privileges to or from a reserved role.");
grantee_uid = get_rolespec_oid((Node *) grantee, false); grantee_uid = get_rolespec_oid((Node *) grantee, false);
break; break;
} }
...@@ -921,8 +918,6 @@ ExecAlterDefaultPrivilegesStmt(AlterDefaultPrivilegesStmt *stmt) ...@@ -921,8 +918,6 @@ ExecAlterDefaultPrivilegesStmt(AlterDefaultPrivilegesStmt *stmt)
grantee_uid = ACL_ID_PUBLIC; grantee_uid = ACL_ID_PUBLIC;
break; break;
default: default:
check_rolespec_name((Node *) grantee,
"Cannot GRANT or REVOKE default privileges to or from a reserved role.");
grantee_uid = get_rolespec_oid((Node *) grantee, false); grantee_uid = get_rolespec_oid((Node *) grantee, false);
break; break;
} }
...@@ -1013,8 +1008,6 @@ ExecAlterDefaultPrivilegesStmt(AlterDefaultPrivilegesStmt *stmt) ...@@ -1013,8 +1008,6 @@ ExecAlterDefaultPrivilegesStmt(AlterDefaultPrivilegesStmt *stmt)
{ {
RoleSpec *rolespec = lfirst(rolecell); RoleSpec *rolespec = lfirst(rolecell);
check_rolespec_name((Node *) rolespec,
"Cannot alter default privileges for reserved role.");
iacls.roleid = get_rolespec_oid((Node *) rolespec, false); iacls.roleid = get_rolespec_oid((Node *) rolespec, false);
/* /*
......
...@@ -747,9 +747,6 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt) ...@@ -747,9 +747,6 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
{ {
Oid newowner = get_rolespec_oid(stmt->newowner, false); Oid newowner = get_rolespec_oid(stmt->newowner, false);
check_rolespec_name(stmt->newowner,
"Cannot make reserved roles owners of objects.");
switch (stmt->objectType) switch (stmt->objectType)
{ {
case OBJECT_DATABASE: case OBJECT_DATABASE:
......
...@@ -1148,10 +1148,6 @@ CreateUserMapping(CreateUserMappingStmt *stmt) ...@@ -1148,10 +1148,6 @@ CreateUserMapping(CreateUserMappingStmt *stmt)
else else
useId = get_rolespec_oid(stmt->user, false); useId = get_rolespec_oid(stmt->user, false);
/* Additional check to protect reserved role names */
check_rolespec_name(stmt->user,
"Cannot specify reserved role as mapping user.");
/* Check that the server exists. */ /* Check that the server exists. */
srv = GetForeignServerByName(stmt->servername, false); srv = GetForeignServerByName(stmt->servername, false);
...@@ -1252,10 +1248,6 @@ AlterUserMapping(AlterUserMappingStmt *stmt) ...@@ -1252,10 +1248,6 @@ AlterUserMapping(AlterUserMappingStmt *stmt)
else else
useId = get_rolespec_oid(stmt->user, false); useId = get_rolespec_oid(stmt->user, false);
/* Additional check to protect reserved role names */
check_rolespec_name(stmt->user,
"Cannot alter reserved role mapping user.");
srv = GetForeignServerByName(stmt->servername, false); srv = GetForeignServerByName(stmt->servername, false);
umId = GetSysCacheOid2(USERMAPPINGUSERSERVER, umId = GetSysCacheOid2(USERMAPPINGUSERSERVER,
...@@ -1345,11 +1337,6 @@ RemoveUserMapping(DropUserMappingStmt *stmt) ...@@ -1345,11 +1337,6 @@ RemoveUserMapping(DropUserMappingStmt *stmt)
else else
{ {
useId = get_rolespec_oid(stmt->user, stmt->missing_ok); useId = get_rolespec_oid(stmt->user, stmt->missing_ok);
/* Additional check to protect reserved role names */
check_rolespec_name(stmt->user,
"Cannot remove reserved role mapping user.");
if (!OidIsValid(useId)) if (!OidIsValid(useId))
{ {
/* /*
......
...@@ -176,14 +176,9 @@ policy_role_list_to_array(List *roles, int *num_roles) ...@@ -176,14 +176,9 @@ policy_role_list_to_array(List *roles, int *num_roles)
return role_oids; return role_oids;
} }
else else
{
/* Additional check to protect reserved role names */
check_rolespec_name((Node *) spec,
"Cannot specify reserved role as policy target");
role_oids[i++] = role_oids[i++] =
ObjectIdGetDatum(get_rolespec_oid((Node *) spec, false)); ObjectIdGetDatum(get_rolespec_oid((Node *) spec, false));
} }
}
return role_oids; return role_oids;
} }
......
...@@ -65,10 +65,6 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString) ...@@ -65,10 +65,6 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
else else
owner_uid = saved_uid; owner_uid = saved_uid;
/* Additional check to protect reserved role names */
check_rolespec_name(stmt->authrole,
"Cannot specify reserved role as owner.");
/* fill schema name with the user name if not specified */ /* fill schema name with the user name if not specified */
if (!schemaName) if (!schemaName)
{ {
......
...@@ -3566,8 +3566,6 @@ ATExecCmd(List **wqueue, AlteredTableInfo *tab, Relation rel, ...@@ -3566,8 +3566,6 @@ ATExecCmd(List **wqueue, AlteredTableInfo *tab, Relation rel,
(List *) cmd->def, lockmode); (List *) cmd->def, lockmode);
break; break;
case AT_ChangeOwner: /* ALTER OWNER */ case AT_ChangeOwner: /* ALTER OWNER */
check_rolespec_name(cmd->newowner,
"Cannot specify reserved role as owner.");
ATExecChangeOwner(RelationGetRelid(rel), ATExecChangeOwner(RelationGetRelid(rel),
get_rolespec_oid(cmd->newowner, false), get_rolespec_oid(cmd->newowner, false),
false, lockmode); false, lockmode);
......
...@@ -256,10 +256,6 @@ CreateTableSpace(CreateTableSpaceStmt *stmt) ...@@ -256,10 +256,6 @@ CreateTableSpace(CreateTableSpaceStmt *stmt)
else else
ownerId = GetUserId(); ownerId = GetUserId();
/* Additional check to protect reserved role names */
check_rolespec_name(stmt->owner,
"Cannot specify reserved role as owner.");
/* Unix-ify the offered path, and strip any trailing slashes */ /* Unix-ify the offered path, and strip any trailing slashes */
location = pstrdup(stmt->location); location = pstrdup(stmt->location);
canonicalize_path(location); canonicalize_path(location);
......
...@@ -1262,18 +1262,10 @@ GrantRole(GrantRoleStmt *stmt) ...@@ -1262,18 +1262,10 @@ GrantRole(GrantRoleStmt *stmt)
ListCell *item; ListCell *item;
if (stmt->grantor) if (stmt->grantor)
{
check_rolespec_name(stmt->grantor,
"Cannot specify reserved role as grantor.");
grantor = get_rolespec_oid(stmt->grantor, false); grantor = get_rolespec_oid(stmt->grantor, false);
}
else else
grantor = GetUserId(); grantor = GetUserId();
foreach(item, stmt->grantee_roles)
check_rolespec_name(lfirst(item),
"Cannot GRANT roles to a reserved role.");
grantee_ids = roleSpecsToIds(stmt->grantee_roles); grantee_ids = roleSpecsToIds(stmt->grantee_roles);
/* AccessShareLock is enough since we aren't modifying pg_authid */ /* AccessShareLock is enough since we aren't modifying pg_authid */
...@@ -1364,9 +1356,6 @@ ReassignOwnedObjects(ReassignOwnedStmt *stmt) ...@@ -1364,9 +1356,6 @@ ReassignOwnedObjects(ReassignOwnedStmt *stmt)
errmsg("permission denied to reassign objects"))); errmsg("permission denied to reassign objects")));
} }
check_rolespec_name(stmt->newrole,
"Cannot specify reserved role as owner.");
/* Must have privileges on the receiving side too */ /* Must have privileges on the receiving side too */
newrole = get_rolespec_oid(stmt->newrole, false); newrole = get_rolespec_oid(stmt->newrole, false);
......
...@@ -794,10 +794,6 @@ check_session_authorization(char **newval, void **extra, GucSource source) ...@@ -794,10 +794,6 @@ check_session_authorization(char **newval, void **extra, GucSource source)
return false; return false;
} }
/* Do not allow setting role to a reserved role. */
if (strncmp(*newval, "pg_", 3) == 0)
return false;
/* Look up the username */ /* Look up the username */
roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(*newval)); roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(*newval));
if (!HeapTupleIsValid(roleTup)) if (!HeapTupleIsValid(roleTup))
...@@ -858,9 +854,6 @@ check_role(char **newval, void **extra, GucSource source) ...@@ -858,9 +854,6 @@ check_role(char **newval, void **extra, GucSource source)
roleid = InvalidOid; roleid = InvalidOid;
is_superuser = false; is_superuser = false;
} }
/* Do not allow setting role to a reserved role. */
else if (strncmp(*newval, "pg_", 3) == 0)
return false;
else else
{ {
if (!IsTransactionState()) if (!IsTransactionState())
......
...@@ -816,19 +816,11 @@ LINE 1: DROP USER MAPPING IF EXISTS FOR CURRENT_ROLE SERVER sv9; ...@@ -816,19 +816,11 @@ LINE 1: DROP USER MAPPING IF EXISTS FOR CURRENT_ROLE SERVER sv9;
DROP USER MAPPING IF EXISTS FOR nonexistent SERVER sv9; -- error DROP USER MAPPING IF EXISTS FOR nonexistent SERVER sv9; -- error
NOTICE: role "nonexistent" does not exist, skipping NOTICE: role "nonexistent" does not exist, skipping
-- GRANT/REVOKE -- GRANT/REVOKE
GRANT testrol0 TO pg_abc; -- error GRANT testrol0 TO pg_signal_backend; -- success
ERROR: role "pg_abc" is reserved SET ROLE pg_signal_backend; --success
DETAIL: Cannot GRANT roles to a reserved role. RESET ROLE;
GRANT pg_abc TO pg_abcdef; -- error CREATE SCHEMA test_schema AUTHORIZATION pg_signal_backend; --success
ERROR: role "pg_abcdef" is reserved SET ROLE testrol2;
DETAIL: Cannot GRANT roles to a reserved role.
SET ROLE pg_testrole; -- error
ERROR: invalid value for parameter "role": "pg_testrole"
SET ROLE pg_signal_backend; --error
ERROR: invalid value for parameter "role": "pg_signal_backend"
CREATE SCHEMA test_schema AUTHORIZATION pg_signal_backend; --error
ERROR: role "pg_signal_backend" is reserved
DETAIL: Cannot specify reserved role as owner.
UPDATE pg_proc SET proacl = null WHERE proname LIKE 'testagg_'; UPDATE pg_proc SET proacl = null WHERE proname LIKE 'testagg_';
SELECT proname, proacl FROM pg_proc WHERE proname LIKE 'testagg_'; SELECT proname, proacl FROM pg_proc WHERE proname LIKE 'testagg_';
proname | proacl proname | proacl
......
...@@ -381,12 +381,12 @@ DROP USER MAPPING IF EXISTS FOR CURRENT_ROLE SERVER sv9; --error ...@@ -381,12 +381,12 @@ DROP USER MAPPING IF EXISTS FOR CURRENT_ROLE SERVER sv9; --error
DROP USER MAPPING IF EXISTS FOR nonexistent SERVER sv9; -- error DROP USER MAPPING IF EXISTS FOR nonexistent SERVER sv9; -- error
-- GRANT/REVOKE -- GRANT/REVOKE
GRANT testrol0 TO pg_abc; -- error GRANT testrol0 TO pg_signal_backend; -- success
GRANT pg_abc TO pg_abcdef; -- error
SET ROLE pg_testrole; -- error SET ROLE pg_signal_backend; --success
SET ROLE pg_signal_backend; --error RESET ROLE;
CREATE SCHEMA test_schema AUTHORIZATION pg_signal_backend; --error CREATE SCHEMA test_schema AUTHORIZATION pg_signal_backend; --success
SET ROLE testrol2;
UPDATE pg_proc SET proacl = null WHERE proname LIKE 'testagg_'; UPDATE pg_proc SET proacl = null WHERE proname LIKE 'testagg_';
SELECT proname, proacl FROM pg_proc WHERE proname LIKE 'testagg_'; SELECT proname, proacl FROM pg_proc WHERE proname LIKE 'testagg_';
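Review bot: The rewritten GRANT/REVOKE block exercises only three of the relaxed paths (role membership, `SET ROLE`, and `CREATE SCHEMA ... AUTHORIZATION`, all against pg_signal_backend), while the C sections of this commit also drop the reserved-name check from ALTER ... OWNER, user mappings, policy targets, tablespace owners, REASSIGN OWNED, ALTER DEFAULT PRIVILEGES and SET SESSION AUTHORIZATION. These are privilege-boundary changes, so each should get at least one positive case here, with matching lines in the expected-output section above. The commit message says creating or altering roles in the "pg_" namespace is still refused; if that is not already covered outside this hunk, pin it with a negative case such as `CREATE ROLE pg_abc; -- error`, so that a later cleanup cannot remove the remaining guard unnoticed. The new lines also leave test_schema owned by pg_signal_backend, and no cleanup is visible in this hunk; it may exist later in the file.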
......