
Add support for privileges on types

This adds support for the more or less SQL-conforming USAGE privilege
on types and domains.  The intent is to be able to restrict which users
can create dependencies on types, which restricts the way in which
owners can alter types.

reviewed by Yeb Havinga
petere committed Dec 19, 2011
1 parent 05e992e commit 729205571e81b4767efc42ad7beb53663e08d1ff
Showing with 1,249 additions and 201 deletions.
  1. +20 −15 doc/src/sgml/information_schema.sgml
  2. +11 −1 doc/src/sgml/ref/alter_default_privileges.sgml
  3. +2 −0 doc/src/sgml/ref/alter_foreign_table.sgml
  4. +3 −0 doc/src/sgml/ref/alter_table.sgml
  5. +2 −0 doc/src/sgml/ref/alter_type.sgml
  6. +7 −0 doc/src/sgml/ref/create_aggregate.sgml
  7. +5 −4 doc/src/sgml/ref/create_cast.sgml
  8. +5 −0 doc/src/sgml/ref/create_domain.sgml
  9. +5 −0 doc/src/sgml/ref/create_foreign_table.sgml
  10. +5 −0 doc/src/sgml/ref/create_function.sgml
  11. +7 −0 doc/src/sgml/ref/create_operator.sgml
  12. +6 −0 doc/src/sgml/ref/create_table.sgml
  13. +5 −0 doc/src/sgml/ref/create_type.sgml
  14. +18 −1 doc/src/sgml/ref/grant.sgml
  15. +3 −3 doc/src/sgml/ref/psql-ref.sgml
  16. +12 −0 doc/src/sgml/ref/revoke.sgml
  17. +9 −0 src/backend/access/common/tupdesc.c
  18. +271 −0 src/backend/catalog/aclchk.c
  19. +63 −21 src/backend/catalog/information_schema.sql
  20. +23 −0 src/backend/catalog/pg_aggregate.c
  21. +9 −0 src/backend/catalog/pg_type.c
  22. +24 −0 src/backend/commands/functioncmds.c
  23. +24 −0 src/backend/commands/operatorcmds.c
  24. +22 −0 src/backend/commands/tablecmds.c
  25. +5 −0 src/backend/commands/typecmds.c
  26. +15 −0 src/backend/executor/execMain.c
  27. +18 −1 src/backend/parser/gram.y
  28. +207 −0 src/backend/utils/adt/acl.c
  29. +12 −0 src/bin/psql/describe.c
  30. +7 −1 src/bin/psql/tab-complete.c
  31. +1 −1 src/include/catalog/catversion.h
  32. +1 −1 src/include/catalog/pg_class.h
  33. +1 −0 src/include/catalog/pg_default_acl.h
  34. +13 −0 src/include/catalog/pg_proc.h
  35. +155 −150 src/include/catalog/pg_type.h
  36. +3 −1 src/include/nodes/parsenodes.h
  37. +1 −0 src/include/parser/kwlist.h
  38. +4 −0 src/include/utils/acl.h
  39. +6 −0 src/include/utils/builtins.h
  40. +115 −1 src/test/regress/expected/privileges.out
  41. +124 −0 src/test/regress/sql/privileges.sql
@@ -284,6 +284,8 @@
the attributes of composite data types defined in the database.
(Note that the view does not give information about table columns,
which are sometimes called attributes in PostgreSQL contexts.)
+ Only those attributes are shown that the current user has access to (by way
+ of being the owner of or having some privilege on the type).
</para>
<table>
@@ -1915,8 +1917,10 @@
<title><literal>domain_constraints</literal></title>
<para>
- The view <literal>domain_constraints</literal> contains all
- constraints belonging to domains defined in the current database.
+ The view <literal>domain_constraints</literal> contains all constraints
+ belonging to domains defined in the current database. Only those domains
+ are shown that the current user has access to (by way of being the owner or
+ having some privilege).
</para>
<table>
@@ -2052,8 +2056,9 @@
<title><literal>domains</literal></title>
<para>
- The view <literal>domains</literal> contains all domains defined in
- the current database.
+ The view <literal>domains</literal> contains all domains defined in the
+ current database. Only those domains are shown that the current user has
+ access to (by way of being the owner or having some privilege).
</para>
<table>
@@ -5778,15 +5783,13 @@ ORDER BY c.ordinal_position;
<title><literal>udt_privileges</literal></title>
<para>
- The view <literal>udt_privileges</literal> is intended to identify
- <literal>USAGE</literal> privileges granted on user-defined types
- to a currently enabled role or by a currently enabled role. Since
- data types do not have real privileges
- in <productname>PostgreSQL</productname>, this view shows implicit
- non-grantable <literal>USAGE</literal> privileges granted by the
- owner to <literal>PUBLIC</literal> for all types, including
- built-in ones (except domains,
- see <xref linkend="infoschema-usage-privileges"> for that).
+ The view <literal>udt_privileges</literal> identifies
+ <literal>USAGE</literal> privileges granted on user-defined types to a
+ currently enabled role or by a currently enabled role. There is one row for
+ each combination of column, grantor, and grantee. This view shows only
+ composite types (see under <xref linkend="infoschema-user-defined-types">
+ for why); see
+ <xref linkend="infoschema-usage-privileges"> for domain privileges.
</para>
<table>
@@ -5861,10 +5864,10 @@ ORDER BY c.ordinal_position;
</para>
<para>
- Since collations and domains do not have real privileges
+ Since collations do not have real privileges
in <productname>PostgreSQL</productname>, this view shows implicit
non-grantable <literal>USAGE</literal> privileges granted by the
- owner to <literal>PUBLIC</literal> for all collations and domains. The other
+ owner to <literal>PUBLIC</literal> for all collations. The other
object types, however, show real privileges.
</para>
@@ -5940,6 +5943,8 @@ ORDER BY c.ordinal_position;
<para>
The view <literal>user_defined_types</literal> currently contains
all composite types defined in the current database.
+ Only those types are shown that the current user has access to (by way
+ of being the owner or having some privilege).
</para>
<para>
@@ -42,6 +42,10 @@ GRANT { EXECUTE | ALL [ PRIVILEGES ] }
ON FUNCTIONS
TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
+GRANT { USAGE | ALL [ PRIVILEGES ] }
+ ON TYPES
+ TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
+
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
@@ -61,6 +65,12 @@ REVOKE [ GRANT OPTION FOR ]
ON FUNCTIONS
FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
+
+REVOKE [ GRANT OPTION FOR ]
+ { USAGE | ALL [ PRIVILEGES ] }
+ ON TYPES
+ FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]
+ [ CASCADE | RESTRICT ]
</synopsis>
</refsynopsisdiv>
@@ -72,7 +82,7 @@ REVOKE [ GRANT OPTION FOR ]
that will be applied to objects created in the future. (It does not
affect privileges assigned to already-existing objects.) Currently,
only the privileges for tables (including views and foreign tables),
- sequences, and functions can be altered.
+ sequences, functions, and types (including domains) can be altered.
</para>
<para>
@@ -157,6 +157,8 @@ ALTER FOREIGN TABLE <replaceable class="PARAMETER">name</replaceable>
the table's schema. (These restrictions enforce that altering the owner
doesn't do anything you couldn't do by dropping and recreating the table.
However, a superuser can alter ownership of any table anyway.)
+ To add a column or alter a column type, you must also
+ have <literal>USAGE</literal> privilege on the data type.
</para>
</refsect1>
@@ -594,6 +594,9 @@ ALTER TABLE <replaceable class="PARAMETER">name</replaceable>
the table's schema. (These restrictions enforce that altering the owner
doesn't do anything you couldn't do by dropping and recreating the table.
However, a superuser can alter ownership of any table anyway.)
+ To add a column or alter a column type or use the <literal>OF</literal>
+ clause, you must also have <literal>USAGE</literal> privilege on the data
+ type.
</para>
</refsect1>
@@ -156,6 +156,8 @@ ALTER TYPE <replaceable class="PARAMETER">name</replaceable> ADD VALUE <replacea
the type's schema. (These restrictions enforce that altering the owner
doesn't do anything you couldn't do by dropping and recreating the type.
However, a superuser can alter ownership of any type anyway.)
+ To add an attribute or alter an attribute type, you must also
+ have <literal>USAGE</literal> privilege on the data type.
</para>
</refsect1>
@@ -163,6 +163,13 @@ SELECT col FROM tab ORDER BY col USING sortop LIMIT 1;
than</quote> or <quote>greater than</quote> strategy member of a B-tree
index operator class.
</para>
+
+ <para>
+ To be able to create an aggregate function, you must
+ have <literal>USAGE</literal> privilege on the argument types, the state
+ type, and the return type, as well as <literal>EXECUTE</literal> privilege
+ on the transition and final functions.
+ </para>
</refsect1>
<refsect1>
@@ -159,10 +159,11 @@ SELECT CAST ( 2 AS numeric ) + 4.0;
</note>
<para>
- To be able to create a cast, you must own the source or the target
- data type. To create a binary-coercible cast, you must be superuser.
- (This restriction is made because an erroneous binary-coercible cast
- conversion can easily crash the server.)
+ To be able to create a cast, you must own the source or the target data type
+ and have <literal>USAGE</literal> privilege on the other type. To create a
+ binary-coercible cast, you must be superuser. (This restriction is made
+ because an erroneous binary-coercible cast conversion can easily crash the
+ server.)
</para>
</refsect1>
@@ -59,6 +59,11 @@ CREATE DOMAIN <replaceable class="parameter">name</replaceable> [ AS ] <replacea
Define a domain rather than setting up each table's constraint
individually.
</para>
+
+ <para>
+ To be able to create a domain, you must have <literal>USAGE</literal>
+ privilege on the underlying type.
+ </para>
</refsect1>
<refsect1>
@@ -52,6 +52,11 @@ CREATE FOREIGN TABLE [ IF NOT EXISTS ] <replaceable class="PARAMETER">table_name
the foreign table. Therefore, foreign tables cannot have the same
name as any existing data type in the same schema.
</para>
+
+ <para>
+ To be able to create a table, you must have <literal>USAGE</literal>
+ privilege on all column types.
+ </para>
</refsect1>
<refsect1>
@@ -92,6 +92,11 @@ CREATE [ OR REPLACE ] FUNCTION
<para>
The user that creates the function becomes the owner of the function.
</para>
+
+ <para>
+ To be able to create a function, you must have <literal>USAGE</literal>
+ privilege on the argument types and the return type.
+ </para>
</refsect1>
<refsect1>
@@ -103,6 +103,13 @@ CREATE OPERATOR <replaceable>name</replaceable> (
The other clauses specify optional operator optimization clauses.
Their meaning is detailed in <xref linkend="xoper-optimization">.
</para>
+
+ <para>
+ To be able to create an operator, you must have <literal>USAGE</literal>
+ privilege on the argument types and the return type, as well
+ as <literal>EXECUTE</literal> privilege on the underlying function. If a
+ commutator or negator operator is specified, you must own these operators.
+ </para>
</refsect1>
<refsect1>
@@ -124,6 +124,12 @@ CREATE [ [ GLOBAL | LOCAL ] { TEMPORARY | TEMP } | UNLOGGED ] TABLE [ IF NOT EXI
a column constraint is only a notational convenience for use when the
constraint only affects one column.
</para>
+
+ <para>
+ To be able to create a table, you must have <literal>USAGE</literal>
+ privilege on all column types or the type in the <literal>OF</literal>
+ clause, respectively.
+ </para>
</refsect1>
<refsect1>
@@ -104,6 +104,11 @@ CREATE TYPE <replaceable class="parameter">name</replaceable>
A stand-alone composite type is useful, for example, as the argument or
return type of a function.
</para>
+
+ <para>
+ To be able to create a composite type, you must
+ have <literal>USAGE</literal> privilege on all attribute types.
+ </para>
</refsect2>
<refsect2 id="SQL-CREATETYPE-enum">
@@ -42,6 +42,10 @@ GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
ON DATABASE <replaceable>database_name</replaceable> [, ...]
TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
+GRANT { USAGE | ALL [ PRIVILEGES ] }
+ ON DOMAIN <replaceable>domain_name</replaceable> [, ...]
+ TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
+
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN DATA WRAPPER <replaceable>fdw_name</replaceable> [, ...]
TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
@@ -71,6 +75,10 @@ GRANT { CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE <replaceable>tablespace_name</replaceable> [, ...]
TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
+GRANT { USAGE | ALL [ PRIVILEGES ] }
+ ON TYPE <replaceable>type_name</replaceable> [, ...]
+ TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
+
GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replaceable class="PARAMETER">role_name</replaceable> [, ...] [ WITH ADMIN OPTION ]
</synopsis>
</refsynopsisdiv>
@@ -335,6 +343,15 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace
For sequences, this privilege allows the use of the
<function>currval</function> and <function>nextval</function> functions.
</para>
+ <para>
+ For types and domains, this privilege allow the use of the type or
+ domain in the creation of tables, functions, and other schema objects.
+ (Note that it does not control general <quote>usage</quote> of the type,
+ such as values of the type appearing in queries. It only prevents
+ objects from being created that depend on the type. The main purpose of
+ the privilege is controlling which users create dependencies on a type,
+ which could prevent the owner from changing the type later.)
+ </para>
<para>
For foreign-data wrappers, this privilege enables the grantee
to create new servers using that foreign-data wrapper.
@@ -616,7 +633,7 @@ GRANT admins TO joe;
<para>
The SQL standard provides for a <literal>USAGE</literal> privilege
on other kinds of objects: character sets, collations,
- translations, domains.
+ translations.
</para>
<para>
@@ -1048,7 +1048,7 @@ testdb=&gt;
pattern or the <literal>S</literal> modifier to include system
objects.
If <literal>+</literal> is appended to the command name, each object
- is listed with its associated description.
+ is listed with its associated permissions and description.
</para>
</listitem>
</varlistentry>
@@ -1387,8 +1387,8 @@ testdb=&gt;
If <replaceable class="parameter">pattern</replaceable> is
specified, only types whose names match the pattern are listed.
If <literal>+</literal> is appended to the command name, each type is
- listed with its internal name and size, as well as its allowed values
- if it is an <type>enum</> type.
+ listed with its internal name and size, its allowed values
+ if it is an <type>enum</> type, and its associated permissions.
By default, only user-created objects are shown; supply a
pattern or the <literal>S</literal> modifier to include system
objects.
@@ -50,6 +50,12 @@ REVOKE [ GRANT OPTION FOR ]
FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
+REVOKE [ GRANT OPTION FOR ]
+ { USAGE | ALL [ PRIVILEGES ] }
+ ON DOMAIN <replaceable>domain_name</replaceable> [, ...]
+ FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]
+ [ CASCADE | RESTRICT ]
+
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN DATA WRAPPER <replaceable>fdw_name</replaceable> [, ...]
@@ -93,6 +99,12 @@ REVOKE [ GRANT OPTION FOR ]
FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
+REVOKE [ GRANT OPTION FOR ]
+ { USAGE | ALL [ PRIVILEGES ] }
+ ON TYPE <replaceable>type_name</replaceable> [, ...]
+ FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]
+ [ CASCADE | RESTRICT ]
+
REVOKE [ ADMIN OPTION FOR ]
<replaceable class="PARAMETER">role_name</replaceable> [, ...] FROM <replaceable class="PARAMETER">role_name</replaceable> [, ...]
[ CASCADE | RESTRICT ]
@@ -20,7 +20,9 @@
#include "postgres.h"
#include "catalog/pg_type.h"
+#include "miscadmin.h"
#include "parser/parse_type.h"
+#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/resowner.h"
#include "utils/syscache.h"
@@ -557,6 +559,7 @@ BuildDescForRelation(List *schema)
foreach(l, schema)
{
ColumnDef *entry = lfirst(l);
+ AclResult aclresult;
/*
* for each entry in the list, get the name and type information from
@@ -567,6 +570,12 @@ BuildDescForRelation(List *schema)
attname = entry->colname;
typenameTypeIdAndMod(NULL, entry->typeName, &atttypid, &atttypmod);
+
+ aclresult = pg_type_aclcheck(atttypid, GetUserId(), ACL_USAGE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, ACL_KIND_TYPE,
+ format_type_be(atttypid));
+
attcollation = GetColumnDefCollation(NULL, entry, atttypid);
attdim = list_length(entry->typeName->arrayBounds);
