Re: Updates of SE-PostgreSQL 8.4devel patches (r1324)
From | Bruce Momjian |
---|---|
Subject | Re: Updates of SE-PostgreSQL 8.4devel patches (r1324) |
Date | |
Msg-id | 200812182315.mBINFND06354@momjian.us |
In response to | Re: Updates of SE-PostgreSQL 8.4devel patches (r1324) (KaiGai Kohei <kaigai@kaigai.gr.jp>) |
Responses |
Re: Updates of SE-PostgreSQL 8.4devel patches (r1324)
|
List | pgsql-hackers |
KaiGai Kohei wrote:
> Bruce Momjian wrote:
> > KaiGai Kohei wrote:
> >> - Two new system columns ("security_acl" and "security_label") are added.
> >>   The first one is for the Row-level ACLs, and the other is for the guest
> >>   of PGACE security framework which is chosen by user.
> >
> > This is certainly an impressive patch. I see you went with storing the
> > values inline rather than using pg_security, which is wise, I think.
> > "security_acl" is 'aclitem' (12 bytes) and "security_label" is 'text'.
>
> No, the "security_acl" also uses pg_security to translate between
> security id (4bytes) and "aclitem[]" (variable length).
>
> The Row-level ACLs facility internally translate the given acl array
> into its own text representation, and stores it within pg_security.
> We can use a common facility here to manage both of "acl" and "label".

OK, then I am confused. I see this added to
src/include/catalog/pg_attribute.h:

+ DATA(insert ( 1247 security_acl 1034 0 -1 -8 1 -1 -1 f x i t f f t 0));
+ DATA(insert ( 1247 security_label 25 0 -1 -9 0 -1 -1 f x i t f f t 0));

1034 and 25 are the oids for 'acllist' and 'text' and they are being
added to system tables. Are you saying system tables don't use
pg_security but other tables do? I do see pg_security being defined:

+ CATALOG(pg_security,3400) BKI_SHARED_RELATION+ {+ text seclabel; /* text representation of security label*/+ } FormData_pg_security;

and I assume both security columns reference that.

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
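
Review bot: The two DATA rows added to pg_attribute.h declare security_acl and security_label with type oids 1034 and 25, while the reply quoted above says the value is translated to and from a 4-byte security id through pg_security. Nothing in these rows tells a reader that the declared type is not what is stored, which is the confusion raised in this message. Suggest a comment beside the rows (and a matching note in the catalog documentation) stating that the declared type is the externally visible form, that the stored value is a security id resolved through pg_security, and whether the same holds for system catalogs.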
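
Review bot: In the pg_security definition, the only column is seclabel and its comment reads "text representation of security label", yet the quoted reply says the text form of row-level ACLs is stored in this catalog as well. The comment, and arguably the column name, should cover both uses. The visible definition also has nothing that distinguishes an ACL entry from a label entry, so please document how the two are kept apart, or add a column that records which kind an entry is.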