Commit fd49612

Clean up some mess in row-security patches.
Fix unsafe coding around PG_TRY in RelationBuildRowSecurity: can't change a variable inside PG_TRY and then use it in PG_CATCH without marking it "volatile". In this case though it seems saner to avoid that by doing a single assignment before entering the TRY block.

I started out just intending to fix that, but the more I looked at the row-security code the more distressed I got. This patch also fixes incorrect construction of the RowSecurityPolicy cache entries (there was not sufficient care taken to copy pass-by-ref data into the cache memory context) and a whole bunch of sloppiness around the definition and use of pg_policy.polcmd. You can't use nulls in that column because initdb will mark it NOT NULL --- and I see no particular reason why a null entry would be a good idea anyway, so changing initdb's behavior is not the right answer. The internal value of '\0' wouldn't be suitable in a "char" column either, so after a bit of thought I settled on using '*' to represent ALL. Chasing those changes down also revealed that somebody wasn't paying attention to what the underlying values of ACL_UPDATE_CHR etc really were, and there was a great deal of lackadaisicalness in the catalogs.sgml documentation for pg_policy and pg_policies too.

This doesn't pretend to be a complete code review for the row-security stuff, it just fixes the things that were in my face while dealing with the bugs in RelationBuildRowSecurity.
1 parent f8a4dd2 commit fd49612

11 files changed

+241
-236
lines changed

doc/src/sgml/catalogs.sgml

Lines changed: 115 additions & 111 deletions
@@ -218,6 +218,11 @@
218218
<entry>template data for procedural languages</entry>
219219
</row>
220220

221+
<row>
222+
<entry><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link></entry>
223+
<entry>row-security policies</entry>
224+
</row>
225+
221226
<row>
222227
<entry><link linkend="catalog-pg-proc"><structname>pg_proc</structname></link></entry>
223228
<entry>functions and procedures</entry>
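Review bot: The new overview entry at new line 223 describes pg_policy as "row-security policies", while the other hunks in this same file use "row-level security" (the relrowsecurity entry and the opening paragraph of the pg_policy section). Pick one term for catalogs.sgml, for example "row-level security policies" here, so a text search of the documentation finds every mention.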
@@ -238,11 +243,6 @@
238243
<entry>replication slot information</entry>
239244
</row>
240245

241-
<row>
242-
<entry><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link></entry>
243-
<entry>table policies</entry>
244-
</row>
245-
246246
<row>
247247
<entry><link linkend="catalog-pg-seclabel"><structname>pg_seclabel</structname></link></entry>
248248
<entry>security labels on database objects</entry>
@@ -1940,20 +1940,20 @@
19401940
</row>
19411941

19421942
<row>
1943-
<entry><structfield>relrowsecurity</structfield></entry>
1943+
<entry><structfield>relhassubclass</structfield></entry>
19441944
<entry><type>bool</type></entry>
19451945
<entry></entry>
1946-
<entry>
1947-
True if table has row level security enabled; see
1948-
<link linkend="catalog-pg-policy"><structname>pg_policy</structname></link> catalog
1949-
</entry>
1946+
<entry>True if table has (or once had) any inheritance children</entry>
19501947
</row>
19511948

19521949
<row>
1953-
<entry><structfield>relhassubclass</structfield></entry>
1950+
<entry><structfield>relrowsecurity</structfield></entry>
19541951
<entry><type>bool</type></entry>
19551952
<entry></entry>
1956-
<entry>True if table has (or once had) any inheritance children</entry>
1953+
<entry>
1954+
True if table has row-level security enabled; see
1955+
<link linkend="catalog-pg-policy"><structname>pg_policy</structname></link> catalog
1956+
</entry>
19571957
</row>
19581958

19591959
<row>
@@ -4711,6 +4711,98 @@
47114711

47124712
</sect1>
47134713

4714+
<sect1 id="catalog-pg-policy">
4715+
<title><structname>pg_policy</structname></title>
4716+
4717+
<indexterm zone="catalog-pg-policy">
4718+
<primary>pg_policy</primary>
4719+
</indexterm>
4720+
4721+
<para>
4722+
The catalog <structname>pg_policy</structname> stores row-level
4723+
security policies for tables. A policy includes the kind of
4724+
command that it applies to (possibly all commands), the roles that it
4725+
applies to, the expression to be added as a security-barrier
4726+
qualification to queries that include the table, and the expression
4727+
to be added as a <literal>WITH CHECK</> option for queries that attempt to
4728+
add new records to the table.
4729+
</para>
4730+
4731+
<table>
4732+
4733+
<title><structname>pg_policy</structname> Columns</title>
4734+
4735+
<tgroup cols="4">
4736+
<thead>
4737+
<row>
4738+
<entry>Name</entry>
4739+
<entry>Type</entry>
4740+
<entry>References</entry>
4741+
<entry>Description</entry>
4742+
</row>
4743+
</thead>
4744+
4745+
<tbody>
4746+
<row>
4747+
<entry><structfield>polname</structfield></entry>
4748+
<entry><type>name</type></entry>
4749+
<entry></entry>
4750+
<entry>The name of the policy</entry>
4751+
</row>
4752+
4753+
<row>
4754+
<entry><structfield>polrelid</structfield></entry>
4755+
<entry><type>oid</type></entry>
4756+
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
4757+
<entry>The table to which the policy applies</entry>
4758+
</row>
4759+
4760+
<row>
4761+
<entry><structfield>polcmd</structfield></entry>
4762+
<entry><type>char</type></entry>
4763+
<entry></entry>
4764+
<entry>The command type to which the policy is applied:
4765+
<literal>r</> for <command>SELECT</>,
4766+
<literal>a</> for <command>INSERT</>,
4767+
<literal>w</> for <command>UPDATE</>,
4768+
<literal>d</> for <command>DELETE</>,
4769+
or <literal>*</> for all</entry>
4770+
</row>
4771+
4772+
<row>
4773+
<entry><structfield>polroles</structfield></entry>
4774+
<entry><type>oid[]</type></entry>
4775+
<entry><literal><link linkend="catalog-pg-authid"><structname>pg_authid</structname></link>.oid</literal></entry>
4776+
<entry>The roles to which the policy is applied</entry>
4777+
</row>
4778+
4779+
<row>
4780+
<entry><structfield>polqual</structfield></entry>
4781+
<entry><type>pg_node_tree</type></entry>
4782+
<entry></entry>
4783+
<entry>The expression tree to be added to the security barrier qualifications for queries that use the table</entry>
4784+
</row>
4785+
4786+
<row>
4787+
<entry><structfield>polwithcheck</structfield></entry>
4788+
<entry><type>pg_node_tree</type></entry>
4789+
<entry></entry>
4790+
<entry>The expression tree to be added to the WITH CHECK qualifications for queries that attempt to add rows to the table</entry>
4791+
</row>
4792+
4793+
</tbody>
4794+
</tgroup>
4795+
</table>
4796+
4797+
<note>
4798+
<para>
4799+
Policies stored in <structname>pg_policy</> are applied only when
4800+
<structname>pg_class</>.<structfield>relrowsecurity</> is set for
4801+
their table.
4802+
</para>
4803+
</note>
4804+
4805+
</sect1>
47144806

47154807
<sect1 id="catalog-pg-proc">
47164808
<title><structname>pg_proc</structname></title>
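Review bot: The polroles entry (new lines 4773-4776) gives the type as oid[] referencing pg_authid.oid but does not say how a policy that applies to every role is stored, and someone auditing which roles a policy covers needs that to read the array correctly. If a reserved value is used for that case, state it in the description, the way the polcmd entry now spells out r, a, w, d and *. Two smaller points: the polwithcheck description writes WITH CHECK as plain text where the opening paragraph uses <literal>WITH CHECK</>, and neither polqual nor polwithcheck says whether it can be null.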
@@ -5342,94 +5434,6 @@
53425434
</table>
53435435
</sect1>
53445436

5345-
<sect1 id="catalog-pg-policy">
5346-
<title><structname>pg_policy</structname></title>
5347-
5348-
<indexterm zone="catalog-pg-policy">
5349-
<primary>pg_policy</primary>
5350-
</indexterm>
5351-
5352-
<para>
5353-
The catalog <structname>pg_policy</structname> stores row-level
5354-
security policies for each table. A policy includes the kind of
5355-
command which it applies to (or all commands), the roles which it
5356-
applies to, the expression to be added as a security-barrier
5357-
qualification to queries which include the table and the expression
5358-
to be added as a with-check option for queries which attempt to add
5359-
new records to the table.
5360-
</para>
5361-
5362-
<table>
5363-
5364-
<title><structname>pg_policy</structname> Columns</title>
5365-
5366-
<tgroup cols="4">
5367-
<thead>
5368-
<row>
5369-
<entry>Name</entry>
5370-
<entry>Type</entry>
5371-
<entry>References</entry>
5372-
<entry>Description</entry>
5373-
</row>
5374-
</thead>
5375-
5376-
<tbody>
5377-
<row>
5378-
<entry><structfield>polname</structfield></entry>
5379-
<entry><type>name</type></entry>
5380-
<entry></entry>
5381-
<entry>The name of the policy</entry>
5382-
</row>
5383-
5384-
<row>
5385-
<entry><structfield>polrelid</structfield></entry>
5386-
<entry><type>oid</type></entry>
5387-
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
5388-
<entry>The table to which the policy belongs</entry>
5389-
</row>
5390-
5391-
<row>
5392-
<entry><structfield>polcmd</structfield></entry>
5393-
<entry><type>char</type></entry>
5394-
<entry></entry>
5395-
<entry>The command type to which the policy is applied.</entry>
5396-
</row>
5397-
5398-
<row>
5399-
<entry><structfield>polroles</structfield></entry>
5400-
<entry><type>char</type></entry>
5401-
<entry></entry>
5402-
<entry>The roles to which the policy is applied.</entry>
5403-
</row>
5404-
5405-
<row>
5406-
<entry><structfield>polqual</structfield></entry>
5407-
<entry><type>pg_node_tree</type></entry>
5408-
<entry></entry>
5409-
<entry>The expression tree to be added to the security barrier qualifications for queries which use the table.</entry>
5410-
</row>
5411-
5412-
<row>
5413-
<entry><structfield>polwithcheck</structfield></entry>
5414-
<entry><type>pg_node_tree</type></entry>
5415-
<entry></entry>
5416-
<entry>The expression tree to be added to the with check qualifications for queries which attempt to add rows to the table.</entry>
5417-
</row>
5418-
5419-
</tbody>
5420-
</tgroup>
5421-
</table>
5422-
5423-
<note>
5424-
<para>
5425-
<literal>pg_class.relrowsecurity</literal>
5426-
True if the table has row security enabled. Policies will not be applied
5427-
unless row security is enabled on the table.
5428-
</para>
5429-
</note>
5430-
5431-
</sect1>
5432-
54335437
<sect1 id="catalog-pg-seclabel">
54345438
<title><structname>pg_seclabel</structname></title>
54355439

@@ -8166,7 +8170,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
81668170

81678171
<para>
81688172
The view <structname>pg_policies</structname> provides access to
8169-
useful information about each policy in the database.
8173+
useful information about each row-level security policy in the database.
81708174
</para>
81718175

81728176
<table>
@@ -8197,34 +8201,34 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
81978201
<row>
81988202
<entry><structfield>policyname</structfield></entry>
81998203
<entry><type>name</type></entry>
8200-
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.relname</literal></entry>
8204+
<entry><literal><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link>.polname</literal></entry>
82018205
<entry>Name of policy</entry>
82028206
</row>
82038207
<row>
8204-
<entry><structfield>cmd</structfield></entry>
8205-
<entry><type>text</type></entry>
8208+
<entry><structfield>roles</structfield></entry>
8209+
<entry><type>name[]</type></entry>
82068210
<entry></entry>
8207-
<entry>The command type to which the policy is applied.</entry>
8211+
<entry>The roles to which this policy applies</entry>
82088212
</row>
82098213
<row>
8210-
<entry><structfield>roles</structfield></entry>
8211-
<entry><type>name[]</type></entry>
8214+
<entry><structfield>cmd</structfield></entry>
8215+
<entry><type>text</type></entry>
82128216
<entry></entry>
8213-
<entry>The roles to which this policy applies.</entry>
8217+
<entry>The command type to which the policy is applied</entry>
82148218
</row>
82158219
<row>
82168220
<entry><structfield>qual</structfield></entry>
82178221
<entry><type>text</type></entry>
82188222
<entry></entry>
82198223
<entry>The expression added to the security barrier qualifications for
8220-
queries which this policy applies to.</entry>
8224+
queries that this policy applies to</entry>
82218225
</row>
82228226
<row>
82238227
<entry><structfield>with_check</structfield></entry>
82248228
<entry><type>text</type></entry>
82258229
<entry></entry>
8226-
<entry>The expression added to the with check qualifications for
8227-
queries which attempt to add rows to this table.</entry>
8230+
<entry>The expression added to the WITH CHECK qualifications for
8231+
queries that attempt to add rows to this table</entry>
82288232
</row>
82298233
</tbody>
82308234
</tgroup>
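Review bot: The cmd entry (new lines 8214-8217) still says only "The command type to which the policy is applied" and does not list the strings the view can return. The pg_policy.polcmd entry now documents its codes and the view definition maps them to SELECT, INSERT, UPDATE, DELETE and ALL, so list those five values here as well. The References column is also left empty for roles and cmd even though policyname now points at pg_policy.polname; pointing them at polroles and polcmd would make the mapping explicit.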

src/backend/catalog/system_views.sql

Lines changed: 6 additions & 7 deletions
@@ -79,13 +79,12 @@ CREATE VIEW pg_policies AS
7979
WHERE oid = ANY (pol.polroles) ORDER BY 1
8080
)
8181
END AS roles,
82-
CASE WHEN pol.polcmd IS NULL THEN 'ALL' ELSE
83-
CASE pol.polcmd
84-
WHEN 'r' THEN 'SELECT'
85-
WHEN 'a' THEN 'INSERT'
86-
WHEN 'u' THEN 'UPDATE'
87-
WHEN 'd' THEN 'DELETE'
88-
END
82+
CASE pol.polcmd
83+
WHEN 'r' THEN 'SELECT'
84+
WHEN 'a' THEN 'INSERT'
85+
WHEN 'w' THEN 'UPDATE'
86+
WHEN 'd' THEN 'DELETE'
87+
WHEN '*' THEN 'ALL'
8988
END AS cmd,
9089
pg_catalog.pg_get_expr(pol.polqual, pol.polrelid) AS qual,
9190
pg_catalog.pg_get_expr(pol.polwithcheck, pol.polrelid) AS with_check
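Review bot: The rewritten CASE pol.polcmd (new lines 82-88) has no ELSE branch, so any stored code outside r, a, w, d and * comes back as a NULL cmd with no error, which is how the old WHEN 'u' THEN 'UPDATE' arm could sit unnoticed next to a catalog value of 'w'. Add a regression test that creates one policy per command type plus an ALL policy and checks pg_policies.cmd for each, so these literals cannot drift from the catalog values again without a test failing. A short comment above the CASE naming ACL_UPDATE_CHR and its siblings as the source of the letters would help the next reader too.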
