- 30 Jul, 2015 11 commits
-
-
Joe Conway authored
Patch by Dean Rasheed. Back-patched to 9.5 where RLS was introduced.
-
Joe Conway authored
When retrieving policies, if not working on the root target relation, we actually want the relation's SELECT policies, regardless of the top level query command type. For example in UPDATE t1...FROM t2 we need to apply t1's UPDATE policies and t2's SELECT policies. Previously top level query command type was applied to all relations, which was wrong. Add some regression coverage to ensure we don't violate this principle in the future. Report and patch by Dean Rasheed. Cherry picked from larger refactoring patch and tweaked by me. Back-patched to 9.5 where RLS was introduced.
-
Tom Lane authored
Although I think on all modern machines floating division by zero results in Infinity not SIGFPE, we still don't want infinities running around in the planner's costing estimates; too much risk of that leading to insane behavior. grouping_planner() failed to consider the possibility that final_rel might be known dummy and hence have zero rowcount. (I wonder if it would be better to set a rows estimate of 1 for dummy relations? But at least in the back branches, changing this convention seems like a bad idea, so I'll leave that for another day.) Make certain that get_variable_numdistinct() produces a nonzero result. The case that can be shown to be broken is with stadistinct < 0.0 and small ntuples; we did not prevent the result from rounding to zero. For good luck I applied clamp_row_est() to all the nonconstant return values. In ExecChooseHashTableSize(), Assert that we compute positive nbuckets and nbatch. I know of no reason to think this isn't the case, but it seems like a good safety check. Per reports from Piotr Stefaniak. Back-patch to all active branches.
-
Heikki Linnakangas authored
When we loop back to the top of doCustom after processing a backslash command, we must reset the "now" timestamp, because that's used to calculate the time spent executing the previous command. Report and fix by Fabien Coelho. Backpatch to 9.5, where this was broken.
-
Heikki Linnakangas authored
The current version is adding a spurious -pthread option on some Darwin systems that don't need it, which leads to a bunch of "unrecognized option '-pthread'" warnings. There is a proposed fix for that in the upstream autoconf archive's bug tracker, see https://savannah.gnu.org/patch/?8186. This commit updates our version of ax_pthread.m4 to the "draft2" version proposed there by Daniel Richard G. I'm using our buildfarm to help Daniel to test this, before he commits this to the upstream repository.
-
Noah Misch authored
Per a suggestion from Tom Lane. Back-patch to 9.0 (all supported versions). While only 9.4 and up have code known to elicit this compiler bug, we were disabling inlining by accident until commit 43d89a23.
-
Noah Misch authored
A top-level "make install" includes pg_upgrade since commit 9fa8b0ee. Back-patch to 9.5, where that commit first appeared.
-
Noah Misch authored
The reverted changes did not narrow the semantic gap between the MSVC build system and the GNU make build system. For targets old and new that run multiple suites (contribcheck, modulescheck, tapcheck), restore vcregress.pl to mimicking "make -k" rather than the "make -S" default. Lack of "-k" would be more burdensome than lack of "-S". Keep changes reflecting contemporary changes to the GNU make build system, and keep updates to Makefile parsing. Keep the loss of --psqldir in "check" and "ecpgcheck" targets; it had been a no-op when used alongside --temp-install. No log message mentioned any of the reverted changes. Based on a germ by Michael Paquier. Back-patch to 9.5.
-
Noah Misch authored
Back-patch to 9.5, where commit 4cb7d671 introduced it.
-
Noah Misch authored
This code relied on knowing exactly where in the source tree temporary installations might appear. A reasonable hacker may not think to update this code when adding use of a temporary installation, making it fragile. Observe that commit 9fa8b0ee broke it unnoticed, and commit dcae5fac fixed it unnoticed. Back-patch to 9.5 only; use of temporary installations is unlikely to change in released versions.
-
Andrew Dunstan authored
Fabrízio de Royes Mello, reviewed by Payal Singh, Alvaro Herrera and Michael Paquier.
-
- 29 Jul, 2015 14 commits
-
-
Joe Conway authored
Policy USING and WITH CHECK expressions were using EXPR_KIND_WHERE for parse analysis, which results in inappropriate ERROR messages when the expression contains unsupported constructs such as aggregates. Create a new ParseExprKind called EXPR_KIND_POLICY and tailor the related messages to fit. Reported by Noah Misch. Reviewed by Dean Rasheed, Alvaro Herrera, and Robert Haas. Back-patch to 9.5 where RLS was introduced.
-
Robert Haas authored
Amit Langote
-
Robert Haas authored
Make it more clear that bgw_main is usually not what you want. Put the background worker flags in a variablelist rather than having them as part of a paragraph. Explain important limits on how bgw_main_arg can be used. Craig Ringer, substantially revised by me.
-
Heikki Linnakangas authored
I neglected that the prove_installcheck rule also needs to also define PG_REGRESS, like prove_check does.
-
Tom Lane authored
A Salesforce colleague of mine griped that the regression tests don't exercise EvalPlanQualFetchRowMarks() and allied routines. Which is a fair complaint. Add test cases that go through the REFERENCE and COPY code paths. Unfortunately we don't have sufficient infrastructure right now to exercise the FDW code path in the isolation tests, but this is surely better than before.
-
Joe Conway authored
AlterPolicy() and CreatePolicy() lacked their respective hook invocations. Noted by Noah Misch, review by Dean Rasheed. Back-patch to 9.5 where RLS was introduced.
-
Heikki Linnakangas authored
On Windows, use listen_address=127.0.0.1 to allow TCP connections. We were already using "pg_regress --config-auth" to set up HBA appropriately. The standard_initdb helper function now sets up the server's unix_socket_directories or listen_addresses in the config file, so that they don't need to be specified in the pg_ctl command line anymore. That way, the pg_ctl invocations in test programs don't need to differ between Windows and Unix. Add another helper function to configure the server's pg_hba.conf to allow replication connections. The configuration is done similarly to "pg_regress --config-auth": trust on domain sockets on Unix, and SSPI authentication on Windows. Replace calls to "cat" and "touch" programs with built-in perl code, as those programs don't normally exist on Windows. Add instructions in the docs on how to install IPC::Run on Windows. Adjust vcregress.pl to not replace PERL5LIB completely in vcregress.pl, because otherwise cannot install IPC::Run in a non-standard location easily. Michael Paquier, reviewed by Noah Misch, some additional tweaking by me.
-
Robert Haas authored
Craig Ringer
-
Andres Freund authored
Noticed-By: Robert Haas Backpatch: 9.5, where the function was added
-
Heikki Linnakangas authored
Amit Langote
-
Peter Eisentraut authored
This option specifies a replication slot for WAL streaming (-X stream), so that there can be continuous replication slot use between WAL streaming during the base backup and the start of regular streaming replication. Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
-
Peter Eisentraut authored
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
-
Peter Eisentraut authored
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
-
Tom Lane authored
Buildfarm indicates this is necessary.
-
- 28 Jul, 2015 15 commits
-
-
Tom Lane authored
Also re-pgindent, just because I'm a neatnik.
-
Joe Conway authored
When DefineQueryRewrite() is about to convert a table to a view, it checks the table for features unavailable to views. For example, it rejects tables having triggers. It omits to reject tables having relrowsecurity or a pg_policy record. Fix that. To faciliate the repair, invent relation_has_policies() which indicates the presence of policies on a relation even when row security is disabled for that relation. Reported by Noah Misch. Patch by me, review by Stephen Frost. Back-patch to 9.5 where RLS was introduced.
-
Joe Conway authored
CreatePolicy() and AlterPolicy() omit to create a pg_shdepend entry for each role in the TO clause. Fix this by creating a new shared dependency type called SHARED_DEPENDENCY_POLICY and assigning it to each role. Reported by Noah Misch. Patch by me, reviewed by Alvaro Herrera. Back-patch to 9.5 where RLS was introduced.
-
Tom Lane authored
Although initdb has long discouraged use of a filesystem mount-point directory as a PG data directory, this point was covered nowhere in the user-facing documentation. Also, with the popularity of pg_upgrade, we really need to recommend that the PG user own not only the data directory but its parent directory too. (Without a writable parent directory, operations such as "mv data data.old" fail immediately. pg_upgrade itself doesn't do that, but wrapper scripts for it often do.) Hence, adjust the "Creating a Database Cluster" section to address these points. I also took the liberty of wordsmithing the discussion of NFS a bit. These considerations aren't by any means new, so back-patch to all supported branches.
-
Andrew Dunstan authored
The previous code resulted in memory access beyond the path bounds. The cure is to move it into a code branch that checks the value of lex_level is within the correct bounds. Bug reported and diagnosed by Piotr Stefaniak.
-
Tom Lane authored
Don't print a WARNING if we get ESRCH from a kill() that's attempting to cancel an autovacuum worker. It's possible (and has been seen in the buildfarm) that the worker is already gone by the time we are able to execute the kill, in which case the failure is harmless. About the only plausible reason for reporting such cases would be to help debug corrupted lock table contents, but this is hardly likely to be the most important symptom if that happens. Moreover issuing a WARNING might scare users more than is warranted. Also, since sending a signal to an autovacuum worker is now entirely a routine thing, and the worker will log the query cancel on its end anyway, reduce the message saying we're doing that from LOG to DEBUG1 level. Very minor cosmetic cleanup as well. Since the main practical reason for doing this is to avoid unnecessary buildfarm failures, back-patch to all active branches.
-
Joe Conway authored
As pointed out by Tom, since HEAD has progressed beyond 9.5 in terms of its catalog, we need to be sure catversion of HEAD is advanced beyond that of 9.5. Corrects my mistake in the pg_stats view commit cfa928ff.
-
Joe Conway authored
The pg_stats view is supposed to be restricted to only show rows about tables the user can read. However, it sometimes can leak information which could not otherwise be seen when row level security is enabled. Fix that by not showing pg_stats rows to users that would be subject to RLS on the table the row is related to. This is done by creating/using the newly introduced SQL visible function, row_security_active(). Along the way, clean up three call sites of check_enable_rls(). The second argument of that function should only be specified as other than InvalidOid when we are checking as a different user than the current one, as in when querying through a view. These sites were passing GetUserId() instead of InvalidOid, which can cause the function to return incorrect results if the current user has the BYPASSRLS privilege and row_security has been set to OFF. Additionally fix a bug causing RI Trigger error messages to unintentionally leak information when RLS is enabled, and other minor cleanup and improvements. Also add WITH (security_barrier) to the definition of pg_stats. Bumped CATVERSION due to new SQL functions and pg_stats view definition. Back-patch to 9.5 where RLS was introduced. Reported by Yaroslav. Patch by Joe Conway and Dean Rasheed with review and input by Michael Paquier and Stephen Frost.
-
Andres Freund authored
While postgres' use of SSL renegotiation is a good idea in theory, it turned out to not work well in practice. The specification and openssl's implementation of it have lead to several security issues. Postgres' use of renegotiation also had its share of bugs. Additionally OpenSSL has a bunch of bugs around renegotiation, reported and open for years, that regularly lead to connections breaking with obscure error messages. We tried increasingly complex workarounds to get around these bugs, but we didn't find anything complete. Since these connection breakages often lead to hard to debug problems, e.g. spuriously failing base backups and significant latency spikes when synchronous replication is used, we have decided to change the default setting for ssl renegotiation to 0 (disabled) in the released backbranches and remove it entirely in 9.5 and master. Author: Andres Freund Discussion: 20150624144148.GQ4797@alap3.anarazel.de Backpatch: 9.5 and master, 9.0-9.4 get a different patch
-
Andrew Dunstan authored
Given this it is possible that the buildfarm animals running these tests will be able to capture adequate logging to allow diagnosis of failures.
-
Robert Haas authored
This code was originally written as part of parallel query effort, but it seems to have independent value, because if we make one decision about where to get a PGPROC when we allocate and then put it back on a different list at backend-exit time, bad things happen. This isn't just a theoretical risk; we fixed an actual problem of this type in commit e280c630.
-
Tom Lane authored
join_clause_is_movable_into() is approximate, in the sense that it might sometimes return "false" when actually it would be valid to push the given join clause down to the specified level. This is okay ... but there was an Assert in get_joinrel_parampathinfo() that's only safe if the answers are always exact. Comment out the Assert, and add a bunch of commentary to clarify what's going on. Per fuzz testing by Andreas Seltenreich. The added regression test is a pretty silly query, but it's based on his crasher example. Back-patch to 9.2 where the faulty logic was introduced.
-
Heikki Linnakangas authored
This was broken in 1bc90f7a, which removed the thread-emulation. With modest -j and -c settings the result were usually close enough that you wouldn't notice it easily, but with a high enough thread count it would access uninitialized memory and crash. Per report from Andres Freund offlist.
-
Heikki Linnakangas authored
max_block_id is also reset between reading records. Michael Paquier
-
Joe Conway authored
pg_dump neglected to wrap parenthesis around USING and WITH CHECK expressions -- fixed. Reported by Noah Misch.
-