Commit be90032e authored by Robert Haas

Remove partial and undocumented GRANT .. FOREIGN TABLE support.

Instead, foreign tables are treated just like views: permissions can
be granted using GRANT privilege ON [TABLE] foreign_table_name TO role,
and revoked similarly.  GRANT/REVOKE .. FOREIGN TABLE is no longer
supported, just as we don't support GRANT/REVOKE .. VIEW.  The set of
accepted permissions for foreign tables is now identical to the set for
regular tables, and views.

Per report from Thom Brown, and subsequent discussion.
parent af0f2009
...@@ -80,8 +80,8 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace ...@@ -80,8 +80,8 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace
<para> <para>
The <command>GRANT</command> command has two basic variants: one The <command>GRANT</command> command has two basic variants: one
that grants privileges on a database object (table, column, view, sequence, that grants privileges on a database object (table, column, view, foreign
database, foreign-data wrapper, foreign server, function, table, sequence, database, foreign-data wrapper, foreign server, function,
procedural language, schema, or tablespace), and one that grants procedural language, schema, or tablespace), and one that grants
membership in a role. These variants are similar in many ways, but membership in a role. These variants are similar in many ways, but
they are different enough to be described separately. they are different enough to be described separately.
......
...@@ -274,9 +274,6 @@ restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs, ...@@ -274,9 +274,6 @@ restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs,
case ACL_KIND_FOREIGN_SERVER: case ACL_KIND_FOREIGN_SERVER:
whole_mask = ACL_ALL_RIGHTS_FOREIGN_SERVER; whole_mask = ACL_ALL_RIGHTS_FOREIGN_SERVER;
break; break;
case ACL_KIND_FOREIGN_TABLE:
whole_mask = ACL_ALL_RIGHTS_FOREIGN_TABLE;
break;
default: default:
elog(ERROR, "unrecognized object kind: %d", objkind); elog(ERROR, "unrecognized object kind: %d", objkind);
/* not reached, but keep compiler quiet */ /* not reached, but keep compiler quiet */
...@@ -480,10 +477,6 @@ ExecuteGrantStmt(GrantStmt *stmt) ...@@ -480,10 +477,6 @@ ExecuteGrantStmt(GrantStmt *stmt)
all_privileges = ACL_ALL_RIGHTS_FOREIGN_SERVER; all_privileges = ACL_ALL_RIGHTS_FOREIGN_SERVER;
errormsg = gettext_noop("invalid privilege type %s for foreign server"); errormsg = gettext_noop("invalid privilege type %s for foreign server");
break; break;
case ACL_OBJECT_FOREIGN_TABLE:
all_privileges = ACL_ALL_RIGHTS_FOREIGN_TABLE;
errormsg = gettext_noop("invalid privilege type %s for foreign table");
break;
default: default:
elog(ERROR, "unrecognized GrantStmt.objtype: %d", elog(ERROR, "unrecognized GrantStmt.objtype: %d",
(int) stmt->objtype); (int) stmt->objtype);
...@@ -554,7 +547,6 @@ ExecGrantStmt_oids(InternalGrant *istmt) ...@@ -554,7 +547,6 @@ ExecGrantStmt_oids(InternalGrant *istmt)
{ {
case ACL_OBJECT_RELATION: case ACL_OBJECT_RELATION:
case ACL_OBJECT_SEQUENCE: case ACL_OBJECT_SEQUENCE:
case ACL_OBJECT_FOREIGN_TABLE:
ExecGrant_Relation(istmt); ExecGrant_Relation(istmt);
break; break;
case ACL_OBJECT_DATABASE: case ACL_OBJECT_DATABASE:
...@@ -604,7 +596,6 @@ objectNamesToOids(GrantObjectType objtype, List *objnames) ...@@ -604,7 +596,6 @@ objectNamesToOids(GrantObjectType objtype, List *objnames)
{ {
case ACL_OBJECT_RELATION: case ACL_OBJECT_RELATION:
case ACL_OBJECT_SEQUENCE: case ACL_OBJECT_SEQUENCE:
case ACL_OBJECT_FOREIGN_TABLE:
foreach(cell, objnames) foreach(cell, objnames)
{ {
RangeVar *relvar = (RangeVar *) lfirst(cell); RangeVar *relvar = (RangeVar *) lfirst(cell);
...@@ -1702,21 +1693,11 @@ ExecGrant_Relation(InternalGrant *istmt) ...@@ -1702,21 +1693,11 @@ ExecGrant_Relation(InternalGrant *istmt)
errmsg("\"%s\" is not a sequence", errmsg("\"%s\" is not a sequence",
NameStr(pg_class_tuple->relname)))); NameStr(pg_class_tuple->relname))));
/* Used GRANT FOREIGN TABLE on a non-foreign-table? */
if (istmt->objtype == ACL_OBJECT_FOREIGN_TABLE &&
pg_class_tuple->relkind != RELKIND_FOREIGN_TABLE)
ereport(ERROR,
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
errmsg("\"%s\" is not a foreign table",
NameStr(pg_class_tuple->relname))));
/* Adjust the default permissions based on object type */ /* Adjust the default permissions based on object type */
if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
{ {
if (pg_class_tuple->relkind == RELKIND_SEQUENCE) if (pg_class_tuple->relkind == RELKIND_SEQUENCE)
this_privileges = ACL_ALL_RIGHTS_SEQUENCE; this_privileges = ACL_ALL_RIGHTS_SEQUENCE;
else if (pg_class_tuple->relkind == RELKIND_FOREIGN_TABLE)
this_privileges = ACL_ALL_RIGHTS_FOREIGN_TABLE;
else else
this_privileges = ACL_ALL_RIGHTS_RELATION; this_privileges = ACL_ALL_RIGHTS_RELATION;
} }
...@@ -1752,16 +1733,6 @@ ExecGrant_Relation(InternalGrant *istmt) ...@@ -1752,16 +1733,6 @@ ExecGrant_Relation(InternalGrant *istmt)
this_privileges &= (AclMode) ACL_ALL_RIGHTS_SEQUENCE; this_privileges &= (AclMode) ACL_ALL_RIGHTS_SEQUENCE;
} }
} }
else if (pg_class_tuple->relkind == RELKIND_FOREIGN_TABLE)
{
if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_FOREIGN_TABLE))
{
ereport(ERROR,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("foreign table \"%s\" only supports SELECT privileges",
NameStr(pg_class_tuple->relname))));
}
}
else else
{ {
if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_RELATION)) if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
...@@ -1819,9 +1790,6 @@ ExecGrant_Relation(InternalGrant *istmt) ...@@ -1819,9 +1790,6 @@ ExecGrant_Relation(InternalGrant *istmt)
case RELKIND_SEQUENCE: case RELKIND_SEQUENCE:
old_acl = acldefault(ACL_OBJECT_SEQUENCE, ownerId); old_acl = acldefault(ACL_OBJECT_SEQUENCE, ownerId);
break; break;
case RELKIND_FOREIGN_TABLE:
old_acl = acldefault(ACL_OBJECT_FOREIGN_TABLE, ownerId);
break;
default: default:
old_acl = acldefault(ACL_OBJECT_RELATION, ownerId); old_acl = acldefault(ACL_OBJECT_RELATION, ownerId);
break; break;
...@@ -1866,9 +1834,6 @@ ExecGrant_Relation(InternalGrant *istmt) ...@@ -1866,9 +1834,6 @@ ExecGrant_Relation(InternalGrant *istmt)
case RELKIND_SEQUENCE: case RELKIND_SEQUENCE:
aclkind = ACL_KIND_SEQUENCE; aclkind = ACL_KIND_SEQUENCE;
break; break;
case RELKIND_FOREIGN_TABLE:
aclkind = ACL_KIND_FOREIGN_TABLE;
break;
default: default:
aclkind = ACL_KIND_CLASS; aclkind = ACL_KIND_CLASS;
break; break;
...@@ -1963,16 +1928,6 @@ ExecGrant_Relation(InternalGrant *istmt) ...@@ -1963,16 +1928,6 @@ ExecGrant_Relation(InternalGrant *istmt)
this_privileges &= (AclMode) ACL_SELECT; this_privileges &= (AclMode) ACL_SELECT;
} }
else if (pg_class_tuple->relkind == RELKIND_FOREIGN_TABLE &&
this_privileges & ~((AclMode) ACL_SELECT))
{
/* Foreign tables have the same restriction as sequences. */
ereport(WARNING,
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("foreign table \"%s\" only supports SELECT column privileges",
NameStr(pg_class_tuple->relname))));
this_privileges &= (AclMode) ACL_SELECT;
}
expand_col_privileges(col_privs->cols, relOid, expand_col_privileges(col_privs->cols, relOid,
this_privileges, this_privileges,
...@@ -3147,8 +3102,6 @@ static const char *const no_priv_msg[MAX_ACL_KIND] = ...@@ -3147,8 +3102,6 @@ static const char *const no_priv_msg[MAX_ACL_KIND] =
gettext_noop("permission denied for foreign-data wrapper %s"), gettext_noop("permission denied for foreign-data wrapper %s"),
/* ACL_KIND_FOREIGN_SERVER */ /* ACL_KIND_FOREIGN_SERVER */
gettext_noop("permission denied for foreign server %s"), gettext_noop("permission denied for foreign server %s"),
/* ACL_KIND_FOREIGN_TABLE */
gettext_noop("permission denied for foreign table %s"),
/* ACL_KIND_EXTENSION */ /* ACL_KIND_EXTENSION */
gettext_noop("permission denied for extension %s"), gettext_noop("permission denied for extension %s"),
}; };
...@@ -3193,8 +3146,6 @@ static const char *const not_owner_msg[MAX_ACL_KIND] = ...@@ -3193,8 +3146,6 @@ static const char *const not_owner_msg[MAX_ACL_KIND] =
gettext_noop("must be owner of foreign-data wrapper %s"), gettext_noop("must be owner of foreign-data wrapper %s"),
/* ACL_KIND_FOREIGN_SERVER */ /* ACL_KIND_FOREIGN_SERVER */
gettext_noop("must be owner of foreign server %s"), gettext_noop("must be owner of foreign server %s"),
/* ACL_KIND_FOREIGN_TABLE */
gettext_noop("must be owner of foreign table %s"),
/* ACL_KIND_EXTENSION */ /* ACL_KIND_EXTENSION */
gettext_noop("must be owner of extension %s"), gettext_noop("must be owner of extension %s"),
}; };
...@@ -3491,9 +3442,6 @@ pg_class_aclmask(Oid table_oid, Oid roleid, ...@@ -3491,9 +3442,6 @@ pg_class_aclmask(Oid table_oid, Oid roleid,
case RELKIND_SEQUENCE: case RELKIND_SEQUENCE:
acl = acldefault(ACL_OBJECT_SEQUENCE, ownerId); acl = acldefault(ACL_OBJECT_SEQUENCE, ownerId);
break; break;
case RELKIND_FOREIGN_TABLE:
acl = acldefault(ACL_OBJECT_FOREIGN_TABLE, ownerId);
break;
default: default:
acl = acldefault(ACL_OBJECT_RELATION, ownerId); acl = acldefault(ACL_OBJECT_RELATION, ownerId);
break; break;
......
...@@ -5408,14 +5408,6 @@ privilege_target: ...@@ -5408,14 +5408,6 @@ privilege_target:
n->objs = $3; n->objs = $3;
$$ = n; $$ = n;
} }
| FOREIGN TABLE qualified_name_list
{
PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
n->targtype = ACL_TARGET_OBJECT;
n->objtype = ACL_OBJECT_FOREIGN_TABLE;
n->objs = $3;
$$ = n;
}
| FUNCTION function_with_argtypes_list | FUNCTION function_with_argtypes_list
{ {
PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget)); PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
......
...@@ -782,10 +782,6 @@ acldefault(GrantObjectType objtype, Oid ownerId) ...@@ -782,10 +782,6 @@ acldefault(GrantObjectType objtype, Oid ownerId)
world_default = ACL_NO_RIGHTS; world_default = ACL_NO_RIGHTS;
owner_default = ACL_ALL_RIGHTS_FOREIGN_SERVER; owner_default = ACL_ALL_RIGHTS_FOREIGN_SERVER;
break; break;
case ACL_OBJECT_FOREIGN_TABLE:
world_default = ACL_NO_RIGHTS;
owner_default = ACL_ALL_RIGHTS_FOREIGN_TABLE;
break;
default: default:
elog(ERROR, "unrecognized objtype: %d", (int) objtype); elog(ERROR, "unrecognized objtype: %d", (int) objtype);
world_default = ACL_NO_RIGHTS; /* keep compiler quiet */ world_default = ACL_NO_RIGHTS; /* keep compiler quiet */
......
...@@ -1282,7 +1282,6 @@ typedef enum GrantObjectType ...@@ -1282,7 +1282,6 @@ typedef enum GrantObjectType
ACL_OBJECT_DATABASE, /* database */ ACL_OBJECT_DATABASE, /* database */
ACL_OBJECT_FDW, /* foreign-data wrapper */ ACL_OBJECT_FDW, /* foreign-data wrapper */
ACL_OBJECT_FOREIGN_SERVER, /* foreign server */ ACL_OBJECT_FOREIGN_SERVER, /* foreign server */
ACL_OBJECT_FOREIGN_TABLE, /* foreign table */
ACL_OBJECT_FUNCTION, /* function */ ACL_OBJECT_FUNCTION, /* function */
ACL_OBJECT_LANGUAGE, /* procedural language */ ACL_OBJECT_LANGUAGE, /* procedural language */
ACL_OBJECT_LARGEOBJECT, /* largeobject */ ACL_OBJECT_LARGEOBJECT, /* largeobject */
......
...@@ -150,7 +150,6 @@ typedef ArrayType Acl; ...@@ -150,7 +150,6 @@ typedef ArrayType Acl;
#define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT) #define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT)
#define ACL_ALL_RIGHTS_FDW (ACL_USAGE) #define ACL_ALL_RIGHTS_FDW (ACL_USAGE)
#define ACL_ALL_RIGHTS_FOREIGN_SERVER (ACL_USAGE) #define ACL_ALL_RIGHTS_FOREIGN_SERVER (ACL_USAGE)
#define ACL_ALL_RIGHTS_FOREIGN_TABLE (ACL_SELECT)
#define ACL_ALL_RIGHTS_FUNCTION (ACL_EXECUTE) #define ACL_ALL_RIGHTS_FUNCTION (ACL_EXECUTE)
#define ACL_ALL_RIGHTS_LANGUAGE (ACL_USAGE) #define ACL_ALL_RIGHTS_LANGUAGE (ACL_USAGE)
#define ACL_ALL_RIGHTS_LARGEOBJECT (ACL_SELECT|ACL_UPDATE) #define ACL_ALL_RIGHTS_LARGEOBJECT (ACL_SELECT|ACL_UPDATE)
...@@ -195,7 +194,6 @@ typedef enum AclObjectKind ...@@ -195,7 +194,6 @@ typedef enum AclObjectKind
ACL_KIND_TSCONFIGURATION, /* pg_ts_config */ ACL_KIND_TSCONFIGURATION, /* pg_ts_config */
ACL_KIND_FDW, /* pg_foreign_data_wrapper */ ACL_KIND_FDW, /* pg_foreign_data_wrapper */
ACL_KIND_FOREIGN_SERVER, /* pg_foreign_server */ ACL_KIND_FOREIGN_SERVER, /* pg_foreign_server */
ACL_KIND_FOREIGN_TABLE, /* pg_foreign_table */
ACL_KIND_EXTENSION, /* pg_extension */ ACL_KIND_EXTENSION, /* pg_extension */
MAX_ACL_KIND /* MUST BE LAST */ MAX_ACL_KIND /* MUST BE LAST */
} AclObjectKind; } AclObjectKind;
......