Обсуждение: TODO item question [pg_hba.conf]

Поиск
Список
Период
Сортировка

TODO item question [pg_hba.conf]

От
"Gevik Babakhani"
Дата:
Hi,

As advised, I spend a moment reading the code regarding the GRANT and REVOKE
In order to add a new privilege to the ACL, I have created a mini patch.
Could this be checked to see if I am on the right track?

http://www.xs4all.nl/~gevik/patch/alpha.patch


Thank you.







Re: TODO item question [pg_hba.conf]

От
Alvaro Herrera
Дата:
Gevik Babakhani wrote:

> As advised, I spend a moment reading the code regarding the GRANT and REVOKE
> In order to add a new privilege to the ACL, I have created a mini patch.
> Could this be checked to see if I am on the right track?
> 
> http://www.xs4all.nl/~gevik/patch/alpha.patch

You are missing an ACL_*_CHR symbol and updating the ACL_ALL_RIGHTS_STR
symbol.

Also, you should know that changing this requires a change in
CATALOG_VERSION_NO in catversion.h as well.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support


Re: TODO item question [pg_hba.conf]

От
"Gevik Babakhani"
Дата:
Thank you :)

> You are missing an ACL_*_CHR symbol and updating the ACL_ALL_RIGHTS_STR
> symbol.

That is why I could not see the new permission in pg_database.
I was actually looking for that for sometime :)

I have added the ACL_*_CHR 'D' Is this okay?

> Also, you should know that changing this requires a change in
> CATALOG_VERSION_NO in catversion.h as well.

Why is this needed? Is this a functional requirement?
I have changed it to

#define CATALOG_VERSION_NO    200604211
Is this okay?


Regards,
Gevik.

gevik=# create role user1;
CREATE ROLE
gevik=# grant connection on database db2 to user1;
GRANT
gevik=# select datname,datacl from pg_catalog.pg_database; datname  |                  datacl
-----------+------------------------------------------postgres  |db1       | {=T/gevik,gevik=CTD/gevik}template1 |
{gevik=CTD/gevik}template0| {gevik=CTD/gevik}gevik     | {=T/gevik,gevik=CTD/gevik}db2       |
{=T/gevik,gevik=CTD/gevik,user1=D/gevik}
(6 rows)



Re: TODO item question [pg_hba.conf]

От
Alvaro Herrera
Дата:
Gevik Babakhani wrote:
> Thank you :)
> 
> > You are missing an ACL_*_CHR symbol and updating the ACL_ALL_RIGHTS_STR
> > symbol.
> 
> That is why I could not see the new permission in pg_database.
> I was actually looking for that for sometime :)
> 
> I have added the ACL_*_CHR 'D' Is this okay?

Hum, you literally added a symbol ACL_*_CHR?  I was actually thinking in
ACL_CONNECT_CHR or something like that ...

While at it, why D?  Isn't 'c' more natural?  (And conveniently unused.)


> > Also, you should know that changing this requires a change in
> > CATALOG_VERSION_NO in catversion.h as well.
> 
> Why is this needed? Is this a functional requirement?

To force an initdb, because you are causing a system catalog change.
Now that I think about it, maybe it's not needed, because the default
state of the system should be the same as if no privilege has changed.

OTOH you need to speficy the interpretation of the initial state of the
ACL for a database.  I think it should mean that PUBLIC has the CONNECT
privilege.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support


Re: TODO item question [pg_hba.conf]

От
Tom Lane
Дата:
"Gevik Babakhani" <pgdev@xs4all.nl> writes:
> I have added the ACL_*_CHR 'D' Is this okay?

That seems an excessively random choice of character for CONNECT
privilege.  I see that 'C' is already taken, but we could use 'c'.

>> Also, you should know that changing this requires a change in
>> CATALOG_VERSION_NO in catversion.h as well.

> Why is this needed? Is this a functional requirement?

It's just something we do to avoid bogus bug reports from people
who haven't initdb'd after something that requires a catalog change.
In this case, since the system would stop working (or at least stop
letting you connect) if you hadn't initdb'd, I think a catversion
bump is indicated.
        regards, tom lane


Re: TODO item question [pg_hba.conf]

От
Gevik Babakhani
Дата:
Hi,

I have created a new patch. Please check to see if I am on the right
track.


1) The GRANT and REVOKE statements look like:
GRANT CONNECTION ON DATABASE db1 TO user1 (,user2,user3)
REVOKE CONNECTION ON DATABASE db1 TO user1 (,user2,user3)

2) The file parsenodes.h is updated to support
#define ACL_DATABASE_CONNECT

3) The file acl.h is updated to support
#define ACL_DATABASE_CONNECT_CHR      'c'

4) Functions "string_to_privilege" and "privilege_to_string" in
aclchk.c are updated to support ACL_DATABASE_CONNECT

5) Function "aclparse" in acl.c is updated to support
ACL_DATABASE_CONNECT

6) Catalog version number is updated to
CATALOG_VERSION_NO    200604211

7) File postinit.c method "ReverifyMyDatabase" is updated by following:
First we check to make sure we are not in bootstrap processing mode.
If not, we check to see if the connected user has ACL_DATABASE_CONNECT.
If not, ereport(FATAL,.....)
(Perhaps we should change the error message later)

8) File dbcommands.c method "createdb" is updated by following:
When a new database is being created we add a default ACL by 
calling acldefault(ACL_OBJECT_DATABASE,.... and adding the default ACL
by new_record[Anum_pg_database_datacl - 1] =
PointerGetDatum(defaultAcl);

This would mean, every time a new database gets created the owner of the
database gets the ACL_OBJECT_DATABASE privilege and can login. Other
users not having the privilege to that database get an error message.
Because the catalog version is changed a pg_dump is necessarily, means
all the new roles created from that point will get the
ACL_OBJECT_DATABASE and everything should be "backward-compatible"

At this moment the owner of the database CAN REVOKE himself form the
ACL_OBJECT_DATABASE. If the implementation above is acceptable then I
can work on this one :)

http://www.xs4all.nl/~gevik/patch/patch-0.1.diff

Did I forget something? Please advice.