open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Reintroduce MAINTAIN privilege and pg_maintain predefined role.

Browse Source 
Roles with MAINTAIN on a relation may run VACUUM, ANALYZE, REINDEX,
REFRESH MATERIALIZE VIEW, CLUSTER, and LOCK TABLE on the relation.
Roles with privileges of pg_maintain may run those same commands on
all relations.

This was previously committed for v16, but it was reverted in
commit 151c22deee due to concerns about search_path tricks that
could be used to escalate privileges to the table owner.  Commits
2af07e2f74, 59825d1639, and c7ea3f4229 resolved these concerns by
restricting search_path when running maintenance commands.

Bumps catversion.

Reviewed-by: Jeff Davis
Discussion: https://postgr.es/m/20240305161235.GA3478007%40nathanxps13
pull/159/head
Nathan Bossart 1 year ago
parent 2041bc4276
commit ecb0fd3372
42 changed files with 457 additions and 180 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 35
      doc/src/sgml/ddl.sgml
  2. 2
      doc/src/sgml/func.sgml
  3. 4
      doc/src/sgml/ref/alter_default_privileges.sgml
  4. 6
      doc/src/sgml/ref/analyze.sgml
  5. 10
      doc/src/sgml/ref/cluster.sgml
  6. 3
      doc/src/sgml/ref/grant.sgml
  7. 4
      doc/src/sgml/ref/lock.sgml
  8. 5
      doc/src/sgml/ref/refresh_materialized_view.sgml
  9. 23
      doc/src/sgml/ref/reindex.sgml
  10. 2
      doc/src/sgml/ref/revoke.sgml
  11. 6
      doc/src/sgml/ref/vacuum.sgml
  12. 12
      doc/src/sgml/user-manag.sgml
  13. 15
      src/backend/catalog/aclchk.c
  14. 13
      src/backend/commands/analyze.c
  15. 43
      src/backend/commands/cluster.c
  16. 34
      src/backend/commands/indexcmds.c
  17. 2
      src/backend/commands/lockcmds.c
  18. 3
      src/backend/commands/matview.c
  19. 18
      src/backend/commands/tablecmds.c
  20. 76
      src/backend/commands/vacuum.c
  21. 1
      src/backend/postmaster/autovacuum.c
  22. 8
      src/backend/utils/adt/acl.c
  23. 1
      src/bin/pg_dump/dumputils.c
  24. 2
      src/bin/pg_dump/t/002_pg_dump.pl
  25. 6
      src/bin/psql/tab-complete.c
  26. 2
      src/include/catalog/catversion.h
  27. 5
      src/include/catalog/pg_authid.dat
  28. 5
      src/include/commands/tablecmds.h
  29. 5
      src/include/commands/vacuum.h
  30. 3
      src/include/nodes/parsenodes.h
  31. 5
      src/include/utils/acl.h
  32. 8
      src/test/isolation/expected/cluster-conflict-partition.out
  33. 2
      src/test/isolation/specs/cluster-conflict-partition.spec
  34. 11
      src/test/perl/PostgreSQL/Test/AdjustUpgrade.pm
  35. 7
      src/test/regress/expected/cluster.out
  36. 4
      src/test/regress/expected/create_index.out
  37. 22
      src/test/regress/expected/dependency.out
  38. 116
      src/test/regress/expected/privileges.out
  39. 34
      src/test/regress/expected/rowsecurity.out
  40. 5
      src/test/regress/sql/cluster.sql
  41. 2
      src/test/regress/sql/dependency.sql
  42. 67
      src/test/regress/sql/privileges.sql

35
doc/src/sgml/ddl.sgml
Unescape View File

@ -1868,8 +1868,8 @@ ALTER TABLE products RENAME TO items;
<literal>INSERT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>, <literal>INSERT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>,
<literal>TRUNCATE</literal>, <literal>REFERENCES</literal>, <literal>TRIGGER</literal>, <literal>TRUNCATE</literal>, <literal>REFERENCES</literal>, <literal>TRIGGER</literal>,
<literal>CREATE</literal>, <literal>CONNECT</literal>, <literal>TEMPORARY</literal>, <literal>CREATE</literal>, <literal>CONNECT</literal>, <literal>TEMPORARY</literal>,
<literal>EXECUTE</literal>, <literal>USAGE</literal>, <literal>SET</literal> <literal>EXECUTE</literal>, <literal>USAGE</literal>, <literal>SET</literal>,
and <literal>ALTER SYSTEM</literal>. <literal>ALTER SYSTEM</literal>, and <literal>MAINTAIN</literal>.
The privileges applicable to a particular The privileges applicable to a particular
object vary depending on the object's type (table, function, etc.). object vary depending on the object's type (table, function, etc.).
More detail about the meanings of these privileges appears below. More detail about the meanings of these privileges appears below.
@ -2160,7 +2160,19 @@ REVOKE ALL ON accounts FROM PUBLIC;
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist>
<varlistentry id="ddl-priv-maintain">
<term><literal>MAINTAIN</literal></term>
<listitem>
<para>
Allows <command>VACUUM</command>, <command>ANALYZE</command>,
<command>CLUSTER</command>, <command>REFRESH MATERIALIZED VIEW</command>,
<command>REINDEX</command>, and <command>LOCK TABLE</command> on a
relation.
</para>
</listitem>
</varlistentry>
</variablelist>
The privileges required by other commands are listed on the The privileges required by other commands are listed on the
reference page of the respective command. reference page of the respective command.
@ -2309,6 +2321,11 @@ REVOKE ALL ON accounts FROM PUBLIC;
<entry><literal>A</literal></entry> <entry><literal>A</literal></entry>
<entry><literal>PARAMETER</literal></entry> <entry><literal>PARAMETER</literal></entry>
</row> </row>
<row>
<entry><literal>MAINTAIN</literal></entry>
<entry><literal>m</literal></entry>
<entry><literal>TABLE</literal></entry>
</row>
</tbody> </tbody>
</tgroup> </tgroup>
</table> </table>
@ -2399,7 +2416,7 @@ REVOKE ALL ON accounts FROM PUBLIC;
</row> </row>
<row> <row>
<entry><literal>TABLE</literal> (and table-like objects)</entry> <entry><literal>TABLE</literal> (and table-like objects)</entry>
<entry><literal>arwdDxt</literal></entry> <entry><literal>arwdDxtm</literal></entry>
<entry>none</entry> <entry>none</entry>
<entry><literal>\dp</literal></entry> <entry><literal>\dp</literal></entry>
</row> </row>
@ -2465,11 +2482,11 @@ GRANT SELECT (col1), UPDATE (col1) ON mytable TO miriam_rw;
<programlisting> <programlisting>
=&gt; \dp mytable =&gt; \dp mytable
Access privileges Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------+-------+-----------------------+-----------------------+---------- --------+---------+-------+------------------------+-----------------------+----------
public | mytable | table | miriam=arwdDxt/miriam+| col1: +| public | mytable | table | miriam=arwdDxtm/miriam+| col1: +|
| | | =r/miriam +| miriam_rw=rw/miriam | | | | =r/miriam +| miriam_rw=rw/miriam |
| | | admin=arw/miriam | | | | | admin=arw/miriam | |
(1 row) (1 row)
</programlisting> </programlisting>
</para> </para>

2
doc/src/sgml/func.sgml
Unescape View File

@ -24232,7 +24232,7 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
are <literal>SELECT</literal>, <literal>INSERT</literal>, are <literal>SELECT</literal>, <literal>INSERT</literal>,
<literal>UPDATE</literal>, <literal>DELETE</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>,
<literal>TRUNCATE</literal>, <literal>REFERENCES</literal>, <literal>TRUNCATE</literal>, <literal>REFERENCES</literal>,
and <literal>TRIGGER</literal>. <literal>TRIGGER</literal>, and <literal>MAINTAIN</literal>.
</para></entry> </para></entry>
</row> </row>

4
doc/src/sgml/ref/alter_default_privileges.sgml
Unescape View File

@ -28,7 +28,7 @@ ALTER DEFAULT PRIVILEGES
<phrase>where <replaceable class="parameter">abbreviated_grant_or_revoke</replaceable> is one of:</phrase> <phrase>where <replaceable class="parameter">abbreviated_grant_or_revoke</replaceable> is one of:</phrase>
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER } GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
[, ...] | ALL [ PRIVILEGES ] } [, ...] | ALL [ PRIVILEGES ] }
ON TABLES ON TABLES
TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ] TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
@ -51,7 +51,7 @@ GRANT { USAGE | CREATE | ALL [ PRIVILEGES ] }
TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ] TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
REVOKE [ GRANT OPTION FOR ] REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER } { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
[, ...] | ALL [ PRIVILEGES ] } [, ...] | ALL [ PRIVILEGES ] }
ON TABLES ON TABLES
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]

6
doc/src/sgml/ref/analyze.sgml
Unescape View File

@ -174,11 +174,9 @@ ANALYZE [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] [ <r
<title>Notes</title> <title>Notes</title>
<para> <para>
To analyze a table, one must ordinarily be the table's owner or a To analyze a table, one must ordinarily have the <literal>MAINTAIN</literal>
superuser. However, database owners are allowed to privilege on the table. However, database owners are allowed to
analyze all tables in their databases, except shared catalogs. analyze all tables in their databases, except shared catalogs.
(The restriction for shared catalogs means that a true database-wide
<command>ANALYZE</command> can only be performed by a superuser.)
<command>ANALYZE</command> will skip over any tables that the calling user <command>ANALYZE</command> will skip over any tables that the calling user
does not have permission to analyze. does not have permission to analyze.
</para> </para>

10
doc/src/sgml/ref/cluster.sgml
Unescape View File

@ -68,9 +68,8 @@ CLUSTER [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] [ <r
<command>CLUSTER</command> without a <command>CLUSTER</command> without a
<replaceable class="parameter">table_name</replaceable> reclusters all the <replaceable class="parameter">table_name</replaceable> reclusters all the
previously-clustered tables in the current database that the calling user previously-clustered tables in the current database that the calling user
owns, or all such tables if called by a superuser. This has privileges for. This form of <command>CLUSTER</command> cannot be
form of <command>CLUSTER</command> cannot be executed inside a transaction executed inside a transaction block.
block.
</para> </para>
<para> <para>
@ -131,6 +130,11 @@ CLUSTER [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] [ <r
<refsect1> <refsect1>
<title>Notes</title> <title>Notes</title>
<para>
To cluster a table, one must have the <literal>MAINTAIN</literal> privilege
on the table.
</para>
<para> <para>
In cases where you are accessing single rows randomly In cases where you are accessing single rows randomly
within a table, the actual order of the data in the within a table, the actual order of the data in the

3
doc/src/sgml/ref/grant.sgml
Unescape View File

@ -21,7 +21,7 @@ PostgreSQL documentation
<refsynopsisdiv> <refsynopsisdiv>
<synopsis> <synopsis>
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER } GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
[, ...] | ALL [ PRIVILEGES ] } [, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...] ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
| ALL TABLES IN SCHEMA <replaceable class="parameter">schema_name</replaceable> [, ...] } | ALL TABLES IN SCHEMA <replaceable class="parameter">schema_name</replaceable> [, ...] }
@ -193,6 +193,7 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
<term><literal>USAGE</literal></term> <term><literal>USAGE</literal></term>
<term><literal>SET</literal></term> <term><literal>SET</literal></term>
<term><literal>ALTER SYSTEM</literal></term> <term><literal>ALTER SYSTEM</literal></term>
<term><literal>MAINTAIN</literal></term>
<listitem> <listitem>
<para> <para>
Specific types of privileges, as defined in <xref linkend="ddl-priv"/>. Specific types of privileges, as defined in <xref linkend="ddl-priv"/>.

4
doc/src/sgml/ref/lock.sgml
Unescape View File

@ -166,8 +166,8 @@ LOCK [ TABLE ] [ ONLY ] <replaceable class="parameter">name</replaceable> [ * ]
<para> <para>
To lock a table, the user must have the right privilege for the specified To lock a table, the user must have the right privilege for the specified
<replaceable class="parameter">lockmode</replaceable>, or be the table's <replaceable class="parameter">lockmode</replaceable>.
owner or a superuser. If the user has If the user has <literal>MAINTAIN</literal>,
<literal>UPDATE</literal>, <literal>DELETE</literal>, or <literal>UPDATE</literal>, <literal>DELETE</literal>, or
<literal>TRUNCATE</literal> privileges on the table, any <replaceable <literal>TRUNCATE</literal> privileges on the table, any <replaceable
class="parameter">lockmode</replaceable> is permitted. If the user has class="parameter">lockmode</replaceable> is permitted. If the user has

5
doc/src/sgml/ref/refresh_materialized_view.sgml
Unescape View File

@ -31,8 +31,9 @@ REFRESH MATERIALIZED VIEW [ CONCURRENTLY ] <replaceable class="parameter">name</
<para> <para>
<command>REFRESH MATERIALIZED VIEW</command> completely replaces the <command>REFRESH MATERIALIZED VIEW</command> completely replaces the
contents of a materialized view. To execute this command you must be the contents of a materialized view. To execute this command you must have the
owner of the materialized view. The old contents are discarded. If <literal>MAINTAIN</literal>
privilege on the materialized view. The old contents are discarded. If
<literal>WITH DATA</literal> is specified (or defaults) the backing query <literal>WITH DATA</literal> is specified (or defaults) the backing query
is executed to provide the new data, and the materialized view is left in a is executed to provide the new data, and the materialized view is left in a
scannable state. If <literal>WITH NO DATA</literal> is specified no new scannable state. If <literal>WITH NO DATA</literal> is specified no new

23
doc/src/sgml/ref/reindex.sgml
Unescape View File

@ -298,16 +298,21 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
</para> </para>
<para> <para>
Reindexing a single index or table requires being the owner of that Reindexing a single index or table requires
index or table. Reindexing a schema or database requires being the having the <literal>MAINTAIN</literal> privilege on the
owner of that schema or database. Note specifically that it's thus table. Note that while <command>REINDEX</command> on a partitioned index or
table requires having the <literal>MAINTAIN</literal> privilege on the
partitioned table, such commands skip the privilege checks when processing
the individual partitions. Reindexing a schema or database requires being the
owner of that schema or database or having privileges of the
<link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
role. Note specifically that it's thus
possible for non-superusers to rebuild indexes of tables owned by possible for non-superusers to rebuild indexes of tables owned by
other users. However, as a special exception, when other users. However, as a special exception,
<command>REINDEX DATABASE</command>, <command>REINDEX SCHEMA</command> <command>REINDEX DATABASE</command>, <command>REINDEX SCHEMA</command>,
or <command>REINDEX SYSTEM</command> is issued by a non-superuser, and <command>REINDEX SYSTEM</command> will skip indexes on shared catalogs
indexes on shared catalogs will be skipped unless the user owns the unless the user has the <literal>MAINTAIN</literal> privilege on the
catalog (which typically won't be the case). Of course, superusers catalog.
can always reindex anything.
</para> </para>
<para> <para>

2
doc/src/sgml/ref/revoke.sgml
Unescape View File

@ -22,7 +22,7 @@ PostgreSQL documentation
<refsynopsisdiv> <refsynopsisdiv>
<synopsis> <synopsis>
REVOKE [ GRANT OPTION FOR ] REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER } { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
[, ...] | ALL [ PRIVILEGES ] } [, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...] ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
| ALL TABLES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] } | ALL TABLES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }

6
doc/src/sgml/ref/vacuum.sgml
Unescape View File

@ -434,11 +434,9 @@ VACUUM [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] [ <re
<title>Notes</title> <title>Notes</title>
<para> <para>
To vacuum a table, one must ordinarily be the table's owner or a To vacuum a table, one must ordinarily have the <literal>MAINTAIN</literal>
superuser. However, database owners are allowed to privilege on the table. However, database owners are allowed to
vacuum all tables in their databases, except shared catalogs. vacuum all tables in their databases, except shared catalogs.
(The restriction for shared catalogs means that a true database-wide
<command>VACUUM</command> can only be performed by a superuser.)
<command>VACUUM</command> will skip over any tables that the calling user <command>VACUUM</command> will skip over any tables that the calling user
does not have permission to vacuum. does not have permission to vacuum.
</para> </para>

12
doc/src/sgml/user-manag.sgml
Unescape View File

@ -682,6 +682,18 @@ DROP ROLE doomed_role;
the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link> the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
command.</entry> command.</entry>
</row> </row>
<row>
<entry>pg_maintain</entry>
<entry>Allow executing
<link linkend="sql-vacuum"><command>VACUUM</command></link>,
<link linkend="sql-analyze"><command>ANALYZE</command></link>,
<link linkend="sql-cluster"><command>CLUSTER</command></link>,
<link linkend="sql-refreshmaterializedview"><command>REFRESH MATERIALIZED VIEW</command></link>,
<link linkend="sql-reindex"><command>REINDEX</command></link>,
and <link linkend="sql-lock"><command>LOCK TABLE</command></link> on all
relations, as if having <literal>MAINTAIN</literal> rights on those
objects, even without having it explicitly.</entry>
</row>
<row> <row>
<entry>pg_use_reserved_connections</entry> <entry>pg_use_reserved_connections</entry>
<entry>Allow use of connection slots reserved via <entry>Allow use of connection slots reserved via

15
src/backend/catalog/aclchk.c
Unescape View File

@ -2627,6 +2627,8 @@ string_to_privilege(const char *privname)
return ACL_SET; return ACL_SET;
if (strcmp(privname, "alter system") == 0) if (strcmp(privname, "alter system") == 0)
return ACL_ALTER_SYSTEM; return ACL_ALTER_SYSTEM;
if (strcmp(privname, "maintain") == 0)
return ACL_MAINTAIN;
if (strcmp(privname, "rule") == 0) if (strcmp(privname, "rule") == 0)
return 0; /* ignore old RULE privileges */ return 0; /* ignore old RULE privileges */
ereport(ERROR, ereport(ERROR,
@ -2668,6 +2670,8 @@ privilege_to_string(AclMode privilege)
return "SET"; return "SET";
case ACL_ALTER_SYSTEM: case ACL_ALTER_SYSTEM:
return "ALTER SYSTEM"; return "ALTER SYSTEM";
case ACL_MAINTAIN:
return "MAINTAIN";
default: default:
elog(ERROR, "unrecognized privilege: %d", (int) privilege); elog(ERROR, "unrecognized privilege: %d", (int) privilege);
} }
@ -3426,6 +3430,17 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA)) has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA))
result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)); result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE));
/*
* Check if ACL_MAINTAIN is being checked and, if so, and not already set
* as part of the result, then check if the user is a member of the
* pg_maintain role, which allows VACUUM, ANALYZE, CLUSTER, REFRESH
* MATERIALIZED VIEW, and REINDEX on all relations.
*/
if (mask & ACL_MAINTAIN &&
!(result & ACL_MAINTAIN) &&
has_privs_of_role(roleid, ROLE_PG_MAINTAIN))
result |= ACL_MAINTAIN;
return result; return result;
} }

13
src/backend/commands/analyze.c
Unescape View File

@ -149,16 +149,15 @@ analyze_rel(Oid relid, RangeVar *relation,
return; return;
/* /*
* Check if relation needs to be skipped based on ownership. This check * Check if relation needs to be skipped based on privileges. This check
* happens also when building the relation list to analyze for a manual * happens also when building the relation list to analyze for a manual
* operation, and needs to be done additionally here as ANALYZE could * operation, and needs to be done additionally here as ANALYZE could
* happen across multiple transactions where relation ownership could have * happen across multiple transactions where privileges could have changed
* changed in-between. Make sure to generate only logs for ANALYZE in * in-between. Make sure to generate only logs for ANALYZE in this case.
* this case.
*/ */
if (!vacuum_is_relation_owner(RelationGetRelid(onerel), if (!vacuum_is_permitted_for_relation(RelationGetRelid(onerel),
onerel->rd_rel, onerel->rd_rel,
params->options & VACOPT_ANALYZE)) params->options & ~VACOPT_VACUUM))
{ {
relation_close(onerel, ShareUpdateExclusiveLock); relation_close(onerel, ShareUpdateExclusiveLock);
return; return;

43
src/backend/commands/cluster.c
Unescape View File

@ -77,6 +77,7 @@ static void copy_table_data(Oid OIDNewHeap, Oid OIDOldHeap, Oid OIDOldIndex,
static List *get_tables_to_cluster(MemoryContext cluster_context); static List *get_tables_to_cluster(MemoryContext cluster_context);
static List *get_tables_to_cluster_partitioned(MemoryContext cluster_context, static List *get_tables_to_cluster_partitioned(MemoryContext cluster_context,
Oid indexOid); Oid indexOid);
static bool cluster_is_permitted_for_relation(Oid relid, Oid userid);
/*--------------------------------------------------------------------------- /*---------------------------------------------------------------------------
@ -144,7 +145,8 @@ cluster(ParseState *pstate, ClusterStmt *stmt, bool isTopLevel)
tableOid = RangeVarGetRelidExtended(stmt->relation, tableOid = RangeVarGetRelidExtended(stmt->relation,
AccessExclusiveLock, AccessExclusiveLock,
0, 0,
RangeVarCallbackOwnsTable, NULL); RangeVarCallbackMaintainsTable,
NULL);
rel = table_open(tableOid, NoLock); rel = table_open(tableOid, NoLock);
/* /*
@ -362,8 +364,8 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
*/ */
if (recheck) if (recheck)
{ {
/* Check that the user still owns the relation */ /* Check that the user still has privileges for the relation */
if (!object_ownercheck(RelationRelationId, tableOid, save_userid)) if (!cluster_is_permitted_for_relation(tableOid, save_userid))
{ {
relation_close(OldHeap, AccessExclusiveLock); relation_close(OldHeap, AccessExclusiveLock);
goto out; goto out;
@ -1619,7 +1621,7 @@ finish_heap_swap(Oid OIDOldHeap, Oid OIDNewHeap,
/* /*
* Get a list of tables that the current user owns and * Get a list of tables that the current user has privileges on and
* have indisclustered set. Return the list in a List * of RelToCluster * have indisclustered set. Return the list in a List * of RelToCluster
* (stored in the specified memory context), each one giving the tableOid * (stored in the specified memory context), each one giving the tableOid
* and the indexOid on which the table is already clustered. * and the indexOid on which the table is already clustered.
@ -1636,8 +1638,8 @@ get_tables_to_cluster(MemoryContext cluster_context)
List *rtcs = NIL; List *rtcs = NIL;
/* /*
* Get all indexes that have indisclustered set and are owned by * Get all indexes that have indisclustered set and that the current user
* appropriate user. * has the appropriate privileges for.
*/ */
indRelation = table_open(IndexRelationId, AccessShareLock); indRelation = table_open(IndexRelationId, AccessShareLock);
ScanKeyInit(&entry, ScanKeyInit(&entry,
@ -1651,7 +1653,7 @@ get_tables_to_cluster(MemoryContext cluster_context)
index = (Form_pg_index) GETSTRUCT(indexTuple); index = (Form_pg_index) GETSTRUCT(indexTuple);
if (!object_ownercheck(RelationRelationId, index->indrelid, GetUserId())) if (!cluster_is_permitted_for_relation(index->indrelid, GetUserId()))
continue; continue;
/* Use a permanent memory context for the result list */ /* Use a permanent memory context for the result list */
@ -1699,10 +1701,13 @@ get_tables_to_cluster_partitioned(MemoryContext cluster_context, Oid indexOid)
if (get_rel_relkind(indexrelid) != RELKIND_INDEX) if (get_rel_relkind(indexrelid) != RELKIND_INDEX)
continue; continue;
/* Silently skip partitions which the user has no access to. */ /*
if (!object_ownercheck(RelationRelationId, relid, GetUserId()) && * It's possible that the user does not have privileges to CLUSTER the
(!object_ownercheck(DatabaseRelationId, MyDatabaseId, GetUserId()) || * leaf partition despite having such privileges on the partitioned
IsSharedRelation(relid))) * table. We skip any partitions which the user is not permitted to
* CLUSTER.
*/
if (!cluster_is_permitted_for_relation(relid, GetUserId()))
continue; continue;
/* Use a permanent memory context for the result list */ /* Use a permanent memory context for the result list */
@ -1718,3 +1723,19 @@ get_tables_to_cluster_partitioned(MemoryContext cluster_context, Oid indexOid)
return rtcs; return rtcs;
} }
/*
* Return whether userid has privileges to CLUSTER relid. If not, this
* function emits a WARNING.
*/
static bool
cluster_is_permitted_for_relation(Oid relid, Oid userid)
{
if (pg_class_aclcheck(relid, userid, ACL_MAINTAIN) == ACLCHECK_OK)
return true;
ereport(WARNING,
(errmsg("permission denied to cluster \"%s\", skipping it",
get_rel_name(relid))));
return false;
}

34
src/backend/commands/indexcmds.c
Unescape View File

@ -28,6 +28,7 @@
#include "catalog/indexing.h" #include "catalog/indexing.h"
#include "catalog/namespace.h" #include "catalog/namespace.h"
#include "catalog/pg_am.h" #include "catalog/pg_am.h"
#include "catalog/pg_authid.h"
#include "catalog/pg_constraint.h" #include "catalog/pg_constraint.h"
#include "catalog/pg_database.h" #include "catalog/pg_database.h"
#include "catalog/pg_inherits.h" #include "catalog/pg_inherits.h"
@ -2947,6 +2948,7 @@ RangeVarCallbackForReindexIndex(const RangeVar *relation,
char relkind; char relkind;
struct ReindexIndexCallbackState *state = arg; struct ReindexIndexCallbackState *state = arg;
LOCKMODE table_lockmode; LOCKMODE table_lockmode;
Oid table_oid;
/* /*
* Lock level here should match table lock in reindex_index() for * Lock level here should match table lock in reindex_index() for
@ -2986,14 +2988,19 @@ RangeVarCallbackForReindexIndex(const RangeVar *relation,
errmsg("\"%s\" is not an index", relation->relname))); errmsg("\"%s\" is not an index", relation->relname)));
/* Check permissions */ /* Check permissions */
if (!object_ownercheck(RelationRelationId, relId, GetUserId())) table_oid = IndexGetRelation(relId, true);
aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, relation->relname); if (OidIsValid(table_oid))
{
AclResult aclresult;
aclresult = pg_class_aclcheck(table_oid, GetUserId(), ACL_MAINTAIN);
if (aclresult != ACLCHECK_OK)
aclcheck_error(aclresult, OBJECT_INDEX, relation->relname);
}
/* Lock heap before index to avoid deadlock. */ /* Lock heap before index to avoid deadlock. */
if (relId != oldRelId) if (relId != oldRelId)
{ {
Oid table_oid = IndexGetRelation(relId, true);
/* /*
* If the OID isn't valid, it means the index was concurrently * If the OID isn't valid, it means the index was concurrently
* dropped, which is not a problem for us; just return normally. * dropped, which is not a problem for us; just return normally.
@ -3029,7 +3036,7 @@ ReindexTable(const ReindexStmt *stmt, const ReindexParams *params, bool isTopLev
(params->options & REINDEXOPT_CONCURRENTLY) != 0 ? (params->options & REINDEXOPT_CONCURRENTLY) != 0 ?
ShareUpdateExclusiveLock : ShareLock, ShareUpdateExclusiveLock : ShareLock,
0, 0,
RangeVarCallbackOwnsTable, NULL); RangeVarCallbackMaintainsTable, NULL);
if (get_rel_relkind(heapOid) == RELKIND_PARTITIONED_TABLE) if (get_rel_relkind(heapOid) == RELKIND_PARTITIONED_TABLE)
ReindexPartitions(stmt, heapOid, params, isTopLevel); ReindexPartitions(stmt, heapOid, params, isTopLevel);
@ -3113,7 +3120,8 @@ ReindexMultipleTables(const ReindexStmt *stmt, const ReindexParams *params)
{ {
objectOid = get_namespace_oid(objectName, false); objectOid = get_namespace_oid(objectName, false);
if (!object_ownercheck(NamespaceRelationId, objectOid, GetUserId())) if (!object_ownercheck(NamespaceRelationId, objectOid, GetUserId()) &&
!has_privs_of_role(GetUserId(), ROLE_PG_MAINTAIN))
aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_SCHEMA, aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_SCHEMA,
objectName); objectName);
} }
@ -3125,7 +3133,8 @@ ReindexMultipleTables(const ReindexStmt *stmt, const ReindexParams *params)
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED), (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("can only reindex the currently open database"))); errmsg("can only reindex the currently open database")));
if (!object_ownercheck(DatabaseRelationId, objectOid, GetUserId())) if (!object_ownercheck(DatabaseRelationId, objectOid, GetUserId()) &&
!has_privs_of_role(GetUserId(), ROLE_PG_MAINTAIN))
aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_DATABASE, aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_DATABASE,
get_database_name(objectOid)); get_database_name(objectOid));
} }
@ -3197,15 +3206,12 @@ ReindexMultipleTables(const ReindexStmt *stmt, const ReindexParams *params)
continue; continue;
/* /*
* The table can be reindexed if the user is superuser, the table * We already checked privileges on the database or schema, but we
* owner, or the database/schema owner (but in the latter case, only * further restrict reindexing shared catalogs to roles with the
* if it's not a shared relation). object_ownercheck includes the * MAINTAIN privilege on the relation.
* superuser case, and depending on objectKind we already know that
* the user has permission to run REINDEX on this database or schema
* per the permission checks at the beginning of this routine.
*/ */
if (classtuple->relisshared && if (classtuple->relisshared &&
!object_ownercheck(RelationRelationId, relid, GetUserId())) pg_class_aclcheck(relid, GetUserId(), ACL_MAINTAIN) != ACLCHECK_OK)
continue; continue;
/* /*

2
src/backend/commands/lockcmds.c
Unescape View File

@ -283,7 +283,7 @@ LockTableAclCheck(Oid reloid, LOCKMODE lockmode, Oid userid)
AclMode aclmask; AclMode aclmask;
/* any of these privileges permit any lock mode */ /* any of these privileges permit any lock mode */
aclmask = ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE; aclmask = ACL_MAINTAIN | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE;
/* SELECT privileges also permit ACCESS SHARE and below */ /* SELECT privileges also permit ACCESS SHARE and below */
if (lockmode <= AccessShareLock) if (lockmode <= AccessShareLock)

3
src/backend/commands/matview.c
Unescape View File

@ -160,7 +160,8 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
*/ */
matviewOid = RangeVarGetRelidExtended(stmt->relation, matviewOid = RangeVarGetRelidExtended(stmt->relation,
lockmode, 0, lockmode, 0,
RangeVarCallbackOwnsTable, NULL); RangeVarCallbackMaintainsTable,
NULL);
matviewRel = table_open(matviewOid, NoLock); matviewRel = table_open(matviewOid, NoLock);
relowner = matviewRel->rd_rel->relowner; relowner = matviewRel->rd_rel->relowner;

18
src/backend/commands/tablecmds.c
Unescape View File

@ -18096,15 +18096,16 @@ AtEOSubXact_on_commit_actions(bool isCommit, SubTransactionId mySubid,
* This is intended as a callback for RangeVarGetRelidExtended(). It allows * This is intended as a callback for RangeVarGetRelidExtended(). It allows
* the relation to be locked only if (1) it's a plain or partitioned table, * the relation to be locked only if (1) it's a plain or partitioned table,
* materialized view, or TOAST table and (2) the current user is the owner (or * materialized view, or TOAST table and (2) the current user is the owner (or
* the superuser). This meets the permission-checking needs of CLUSTER, * the superuser) or has been granted MAINTAIN. This meets the
* REINDEX TABLE, and REFRESH MATERIALIZED VIEW; we expose it here so that it * permission-checking needs of CLUSTER, REINDEX TABLE, and REFRESH
* can be used by all. * MATERIALIZED VIEW; we expose it here so that it can be used by all.
*/ */
void void
RangeVarCallbackOwnsTable(const RangeVar *relation, RangeVarCallbackMaintainsTable(const RangeVar *relation,
Oid relId, Oid oldRelId, void *arg) Oid relId, Oid oldRelId, void *arg)
{ {
char relkind; char relkind;
AclResult aclresult;
/* Nothing to do if the relation was not found. */ /* Nothing to do if the relation was not found. */
if (!OidIsValid(relId)) if (!OidIsValid(relId))
@ -18125,8 +18126,11 @@ RangeVarCallbackOwnsTable(const RangeVar *relation,
errmsg("\"%s\" is not a table or materialized view", relation->relname))); errmsg("\"%s\" is not a table or materialized view", relation->relname)));
/* Check permissions */ /* Check permissions */
if (!object_ownercheck(RelationRelationId, relId, GetUserId())) aclresult = pg_class_aclcheck(relId, GetUserId(), ACL_MAINTAIN);
aclcheck_error(ACLCHECK_NOT_OWNER, get_relkind_objtype(get_rel_relkind(relId)), relation->relname); if (aclresult != ACLCHECK_OK)
aclcheck_error(aclresult,
get_relkind_objtype(get_rel_relkind(relId)),
relation->relname);
} }
/* /*

76
src/backend/commands/vacuum.c
Unescape View File

@ -170,6 +170,9 @@ ExecVacuum(ParseState *pstate, VacuumStmt *vacstmt, bool isTopLevel)
/* By default parallel vacuum is enabled */ /* By default parallel vacuum is enabled */
params.nworkers = 0; params.nworkers = 0;
/* Will be set later if we recurse to a TOAST table. */
params.toast_parent = InvalidOid;
/* /*
* Set this to an invalid value so it is clear whether or not a * Set this to an invalid value so it is clear whether or not a
* BUFFER_USAGE_LIMIT was specified when making the access strategy. * BUFFER_USAGE_LIMIT was specified when making the access strategy.
@ -695,32 +698,29 @@ vacuum(List *relations, VacuumParams *params, BufferAccessStrategy bstrategy,
} }
/* /*
* Check if a given relation can be safely vacuumed or analyzed. If the * Check if the current user has privileges to vacuum or analyze the relation.
* user is not the relation owner, issue a WARNING log message and return * If not, issue a WARNING log message and return false to let the caller
* false to let the caller decide what to do with this relation. This * decide what to do with this relation. This routine is used to decide if a
* routine is used to decide if a relation can be processed for VACUUM or * relation can be processed for VACUUM or ANALYZE.
* ANALYZE.
*/ */
bool bool
vacuum_is_relation_owner(Oid relid, Form_pg_class reltuple, bits32 options) vacuum_is_permitted_for_relation(Oid relid, Form_pg_class reltuple,
bits32 options)
{ {
char *relname; char *relname;
Assert((options & (VACOPT_VACUUM | VACOPT_ANALYZE)) != 0); Assert((options & (VACOPT_VACUUM | VACOPT_ANALYZE)) != 0);
/* /*----------
* Check permissions. * A role has privileges to vacuum or analyze the relation if any of the
* * following are true:
* We allow the user to vacuum or analyze a table if he is superuser, the * - the role owns the current database and the relation is not shared
* table owner, or the database owner (but in the latter case, only if * - the role has the MAINTAIN privilege on the relation
* it's not a shared relation). object_ownercheck includes the superuser *----------
* case.
*
* Note we choose to treat permissions failure as a WARNING and keep
* trying to vacuum or analyze the rest of the DB --- is this appropriate?
*/ */
if (object_ownercheck(RelationRelationId, relid, GetUserId()) || if ((object_ownercheck(DatabaseRelationId, MyDatabaseId, GetUserId()) &&
(object_ownercheck(DatabaseRelationId, MyDatabaseId, GetUserId()) && !reltuple->relisshared)) !reltuple->relisshared) ||
pg_class_aclcheck(relid, GetUserId(), ACL_MAINTAIN) == ACLCHECK_OK)
return true; return true;
relname = NameStr(reltuple->relname); relname = NameStr(reltuple->relname);
@ -936,10 +936,10 @@ expand_vacuum_rel(VacuumRelation *vrel, MemoryContext vac_context,
classForm = (Form_pg_class) GETSTRUCT(tuple); classForm = (Form_pg_class) GETSTRUCT(tuple);
/* /*
* Make a returnable VacuumRelation for this rel if user is a proper * Make a returnable VacuumRelation for this rel if the user has the
* owner. * required privileges.
*/ */
if (vacuum_is_relation_owner(relid, classForm, options)) if (vacuum_is_permitted_for_relation(relid, classForm, options))
{ {
oldcontext = MemoryContextSwitchTo(vac_context); oldcontext = MemoryContextSwitchTo(vac_context);
vacrels = lappend(vacrels, makeVacuumRelation(vrel->relation, vacrels = lappend(vacrels, makeVacuumRelation(vrel->relation,
@ -1036,7 +1036,7 @@ get_all_vacuum_rels(MemoryContext vac_context, int options)
continue; continue;
/* check permissions of relation */ /* check permissions of relation */
if (!vacuum_is_relation_owner(relid, classForm, options)) if (!vacuum_is_permitted_for_relation(relid, classForm, options))
continue; continue;
/* /*
@ -1952,6 +1952,7 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params,
LOCKMODE lmode; LOCKMODE lmode;
Relation rel; Relation rel;
LockRelId lockrelid; LockRelId lockrelid;
Oid priv_relid;
Oid toast_relid; Oid toast_relid;
Oid save_userid; Oid save_userid;
int save_sec_context; int save_sec_context;
@ -2028,16 +2029,25 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params,
} }
/* /*
* Check if relation needs to be skipped based on ownership. This check * When recursing to a TOAST table, check privileges on the parent. NB:
* This is only safe to do because we hold a session lock on the main
* relation that prevents concurrent deletion.
*/
if (OidIsValid(params->toast_parent))
priv_relid = params->toast_parent;
else
priv_relid = RelationGetRelid(rel);
/*
* Check if relation needs to be skipped based on privileges. This check
* happens also when building the relation list to vacuum for a manual * happens also when building the relation list to vacuum for a manual
* operation, and needs to be done additionally here as VACUUM could * operation, and needs to be done additionally here as VACUUM could
* happen across multiple transactions where relation ownership could have * happen across multiple transactions where privileges could have changed
* changed in-between. Make sure to only generate logs for VACUUM in this * in-between. Make sure to only generate logs for VACUUM in this case.
* case.
*/ */
if (!vacuum_is_relation_owner(RelationGetRelid(rel), if (!vacuum_is_permitted_for_relation(priv_relid,
rel->rd_rel, rel->rd_rel,
params->options & VACOPT_VACUUM)) params->options & ~VACOPT_ANALYZE))
{ {
relation_close(rel, lmode); relation_close(rel, lmode);
PopActiveSnapshot(); PopActiveSnapshot();
@ -2224,9 +2234,15 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams *params,
{ {
VacuumParams toast_vacuum_params; VacuumParams toast_vacuum_params;
/* force VACOPT_PROCESS_MAIN so vacuum_rel() processes it */ /*
* Force VACOPT_PROCESS_MAIN so vacuum_rel() processes it. Likewise,
* set toast_parent so that the privilege checks are done on the main
* relation. NB: This is only safe to do because we hold a session
* lock on the main relation that prevents concurrent deletion.
*/
memcpy(&toast_vacuum_params, params, sizeof(VacuumParams)); memcpy(&toast_vacuum_params, params, sizeof(VacuumParams));
toast_vacuum_params.options |= VACOPT_PROCESS_MAIN; toast_vacuum_params.options |= VACOPT_PROCESS_MAIN;
toast_vacuum_params.toast_parent = relid;
vacuum_rel(toast_relid, NULL, &toast_vacuum_params, bstrategy); vacuum_rel(toast_relid, NULL, &toast_vacuum_params, bstrategy);
} }

1
src/backend/postmaster/autovacuum.c
Unescape View File

@ -2906,6 +2906,7 @@ table_recheck_autovac(Oid relid, HTAB *table_toast_map,
tab->at_params.multixact_freeze_table_age = multixact_freeze_table_age; tab->at_params.multixact_freeze_table_age = multixact_freeze_table_age;
tab->at_params.is_wraparound = wraparound; tab->at_params.is_wraparound = wraparound;
tab->at_params.log_min_duration = log_min_duration; tab->at_params.log_min_duration = log_min_duration;
tab->at_params.toast_parent = InvalidOid;
tab->at_storage_param_vac_cost_limit = avopts ? tab->at_storage_param_vac_cost_limit = avopts ?
avopts->vacuum_cost_limit : 0; avopts->vacuum_cost_limit : 0;
tab->at_storage_param_vac_cost_delay = avopts ? tab->at_storage_param_vac_cost_delay = avopts ?

8
src/backend/utils/adt/acl.c
Unescape View File

@ -330,6 +330,9 @@ aclparse(const char *s, AclItem *aip, Node *escontext)
case ACL_ALTER_SYSTEM_CHR: case ACL_ALTER_SYSTEM_CHR:
read = ACL_ALTER_SYSTEM; read = ACL_ALTER_SYSTEM;
break; break;
case ACL_MAINTAIN_CHR:
read = ACL_MAINTAIN;
break;
case 'R': /* ignore old RULE privileges */ case 'R': /* ignore old RULE privileges */
read = 0; read = 0;
break; break;
@ -1621,6 +1624,7 @@ makeaclitem(PG_FUNCTION_ARGS)
{"CONNECT", ACL_CONNECT}, {"CONNECT", ACL_CONNECT},
{"SET", ACL_SET}, {"SET", ACL_SET},
{"ALTER SYSTEM", ACL_ALTER_SYSTEM}, {"ALTER SYSTEM", ACL_ALTER_SYSTEM},
{"MAINTAIN", ACL_MAINTAIN},
{"RULE", 0}, /* ignore old RULE privileges */ {"RULE", 0}, /* ignore old RULE privileges */
{NULL, 0} {NULL, 0}
}; };
@ -1729,6 +1733,8 @@ convert_aclright_to_string(int aclright)
return "SET"; return "SET";
case ACL_ALTER_SYSTEM: case ACL_ALTER_SYSTEM:
return "ALTER SYSTEM"; return "ALTER SYSTEM";
case ACL_MAINTAIN:
return "MAINTAIN";
default: default:
elog(ERROR, "unrecognized aclright: %d", aclright); elog(ERROR, "unrecognized aclright: %d", aclright);
return NULL; return NULL;
@ -2041,6 +2047,8 @@ convert_table_priv_string(text *priv_type_text)
{"REFERENCES WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_REFERENCES)}, {"REFERENCES WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_REFERENCES)},
{"TRIGGER", ACL_TRIGGER}, {"TRIGGER", ACL_TRIGGER},
{"TRIGGER WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_TRIGGER)}, {"TRIGGER WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_TRIGGER)},
{"MAINTAIN", ACL_MAINTAIN},
{"MAINTAIN WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_MAINTAIN)},
{"RULE", 0}, /* ignore old RULE privileges */ {"RULE", 0}, /* ignore old RULE privileges */
{"RULE WITH GRANT OPTION", 0}, {"RULE WITH GRANT OPTION", 0},
{NULL, 0} {NULL, 0}

1
src/bin/pg_dump/dumputils.c
Unescape View File

@ -463,6 +463,7 @@ do { \
CONVERT_PRIV('d', "DELETE"); CONVERT_PRIV('d', "DELETE");
CONVERT_PRIV('t', "TRIGGER"); CONVERT_PRIV('t', "TRIGGER");
CONVERT_PRIV('D', "TRUNCATE"); CONVERT_PRIV('D', "TRUNCATE");
CONVERT_PRIV('m', "MAINTAIN");
} }
} }

2
src/bin/pg_dump/t/002_pg_dump.pl
Unescape View File

@ -794,7 +794,7 @@ my %tests = (
\QREVOKE ALL ON TABLES FROM regress_dump_test_role;\E\n \QREVOKE ALL ON TABLES FROM regress_dump_test_role;\E\n
\QALTER DEFAULT PRIVILEGES \E \QALTER DEFAULT PRIVILEGES \E
\QFOR ROLE regress_dump_test_role \E \QFOR ROLE regress_dump_test_role \E
\QGRANT INSERT,REFERENCES,DELETE,TRIGGER,TRUNCATE,UPDATE ON TABLES TO regress_dump_test_role;\E \QGRANT INSERT,REFERENCES,DELETE,TRIGGER,TRUNCATE,MAINTAIN,UPDATE ON TABLES TO regress_dump_test_role;\E
/xm, /xm,
like => { %full_runs, section_post_data => 1, }, like => { %full_runs, section_post_data => 1, },
unlike => { no_privs => 1, }, unlike => { no_privs => 1, },

6
src/bin/psql/tab-complete.c
Unescape View File

@ -1152,7 +1152,7 @@ Keywords_for_list_of_owner_roles, "PUBLIC"
#define Privilege_options_of_grant_and_revoke \ #define Privilege_options_of_grant_and_revoke \
"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", \ "SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", \
"CREATE", "CONNECT", "TEMPORARY", "EXECUTE", "USAGE", "SET", "ALTER SYSTEM", \ "CREATE", "CONNECT", "TEMPORARY", "EXECUTE", "USAGE", "SET", "ALTER SYSTEM", \
"ALL" "MAINTAIN", "ALL"
/* ALTER PROCEDURE options */ /* ALTER PROCEDURE options */
#define Alter_procedure_options \ #define Alter_procedure_options \
@ -3944,7 +3944,7 @@ psql_completion(const char *text, int start, int end)
if (HeadMatches("ALTER", "DEFAULT", "PRIVILEGES")) if (HeadMatches("ALTER", "DEFAULT", "PRIVILEGES"))
COMPLETE_WITH("SELECT", "INSERT", "UPDATE", COMPLETE_WITH("SELECT", "INSERT", "UPDATE",
"DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER",
"CREATE", "EXECUTE", "USAGE", "ALL"); "CREATE", "EXECUTE", "USAGE", "MAINTAIN", "ALL");
else if (TailMatches("GRANT")) else if (TailMatches("GRANT"))
COMPLETE_WITH_QUERY_PLUS(Query_for_list_of_roles, COMPLETE_WITH_QUERY_PLUS(Query_for_list_of_roles,
Privilege_options_of_grant_and_revoke); Privilege_options_of_grant_and_revoke);
@ -3996,7 +3996,7 @@ psql_completion(const char *text, int start, int end)
else if (TailMatches("GRANT|REVOKE", MatchAny) || else if (TailMatches("GRANT|REVOKE", MatchAny) ||
TailMatches("REVOKE", "GRANT", "OPTION", "FOR", MatchAny)) TailMatches("REVOKE", "GRANT", "OPTION", "FOR", MatchAny))
{ {
if (TailMatches("SELECT|INSERT|UPDATE|DELETE|TRUNCATE|REFERENCES|TRIGGER|CREATE|CONNECT|TEMPORARY|TEMP|EXECUTE|USAGE|ALL")) if (TailMatches("SELECT|INSERT|UPDATE|DELETE|TRUNCATE|REFERENCES|TRIGGER|CREATE|CONNECT|TEMPORARY|TEMP|EXECUTE|USAGE|MAINTAIN|ALL"))
COMPLETE_WITH("ON"); COMPLETE_WITH("ON");
else if (TailMatches("GRANT", MatchAny)) else if (TailMatches("GRANT", MatchAny))
COMPLETE_WITH("TO"); COMPLETE_WITH("TO");

2
src/include/catalog/catversion.h
Unescape View File

@ -57,6 +57,6 @@
*/ */
/* yyyymmddN */ /* yyyymmddN */
#define CATALOG_VERSION_NO 202403091 #define CATALOG_VERSION_NO 202403131
#endif #endif

5
src/include/catalog/pg_authid.dat
Unescape View File

@ -84,6 +84,11 @@
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '9256', oid_symbol => 'ROLE_PG_MAINTAIN',
rolname => 'pg_maintain', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '4550', oid_symbol => 'ROLE_PG_USE_RESERVED_CONNECTIONS', { oid => '4550', oid_symbol => 'ROLE_PG_USE_RESERVED_CONNECTIONS',
rolname => 'pg_use_reserved_connections', rolsuper => 'f', rolinherit => 't', rolname => 'pg_use_reserved_connections', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',

5
src/include/commands/tablecmds.h
Unescape View File

@ -98,8 +98,9 @@ extern void AtEOSubXact_on_commit_actions(bool isCommit,
SubTransactionId mySubid, SubTransactionId mySubid,
SubTransactionId parentSubid); SubTransactionId parentSubid);
extern void RangeVarCallbackOwnsTable(const RangeVar *relation, extern void RangeVarCallbackMaintainsTable(const RangeVar *relation,
Oid relId, Oid oldRelId, void *arg); Oid relId, Oid oldRelId,
void *arg);
extern void RangeVarCallbackOwnsRelation(const RangeVar *relation, extern void RangeVarCallbackOwnsRelation(const RangeVar *relation,
Oid relId, Oid oldRelId, void *arg); Oid relId, Oid oldRelId, void *arg);

5
src/include/commands/vacuum.h
Unescape View File

@ -228,6 +228,7 @@ typedef struct VacuumParams
* default */ * default */
VacOptValue index_cleanup; /* Do index vacuum and cleanup */ VacOptValue index_cleanup; /* Do index vacuum and cleanup */
VacOptValue truncate; /* Truncate empty pages at the end */ VacOptValue truncate; /* Truncate empty pages at the end */
Oid toast_parent; /* for privilege checks when recursing */
/* /*
* The number of parallel vacuum workers. 0 by default which means choose * The number of parallel vacuum workers. 0 by default which means choose
@ -343,8 +344,8 @@ extern bool vacuum_get_cutoffs(Relation rel, const VacuumParams *params,
extern bool vacuum_xid_failsafe_check(const struct VacuumCutoffs *cutoffs); extern bool vacuum_xid_failsafe_check(const struct VacuumCutoffs *cutoffs);
extern void vac_update_datfrozenxid(void); extern void vac_update_datfrozenxid(void);
extern void vacuum_delay_point(void); extern void vacuum_delay_point(void);
extern bool vacuum_is_relation_owner(Oid relid, Form_pg_class reltuple, extern bool vacuum_is_permitted_for_relation(Oid relid, Form_pg_class reltuple,
bits32 options); bits32 options);
extern Relation vacuum_open_relation(Oid relid, RangeVar *relation, extern Relation vacuum_open_relation(Oid relid, RangeVar *relation,
bits32 options, bool verbose, bits32 options, bool verbose,
LOCKMODE lmode); LOCKMODE lmode);

3
src/include/nodes/parsenodes.h
Unescape View File

@ -87,7 +87,8 @@ typedef uint64 AclMode; /* a bitmask of privilege bits */
#define ACL_CONNECT (1<<11) /* for databases */ #define ACL_CONNECT (1<<11) /* for databases */
#define ACL_SET (1<<12) /* for configuration parameters */ #define ACL_SET (1<<12) /* for configuration parameters */
#define ACL_ALTER_SYSTEM (1<<13) /* for configuration parameters */ #define ACL_ALTER_SYSTEM (1<<13) /* for configuration parameters */
#define N_ACL_RIGHTS 14 /* 1 plus the last 1<<x */ #define ACL_MAINTAIN (1<<14) /* for relations */
#define N_ACL_RIGHTS 15 /* 1 plus the last 1<<x */
#define ACL_NO_RIGHTS 0 #define ACL_NO_RIGHTS 0
/* Currently, SELECT ... FOR [KEY] UPDATE/SHARE requires UPDATE privileges */ /* Currently, SELECT ... FOR [KEY] UPDATE/SHARE requires UPDATE privileges */
#define ACL_SELECT_FOR_UPDATE ACL_UPDATE #define ACL_SELECT_FOR_UPDATE ACL_UPDATE

5
src/include/utils/acl.h
Unescape View File

@ -148,15 +148,16 @@ typedef struct ArrayType Acl;
#define ACL_CONNECT_CHR 'c' #define ACL_CONNECT_CHR 'c'
#define ACL_SET_CHR 's' #define ACL_SET_CHR 's'
#define ACL_ALTER_SYSTEM_CHR 'A' #define ACL_ALTER_SYSTEM_CHR 'A'
#define ACL_MAINTAIN_CHR 'm'
/* string holding all privilege code chars, in order by bitmask position */ /* string holding all privilege code chars, in order by bitmask position */
#define ACL_ALL_RIGHTS_STR "arwdDxtXUCTcsA" #define ACL_ALL_RIGHTS_STR "arwdDxtXUCTcsAm"
/* /*
* Bitmasks defining "all rights" for each supported object type * Bitmasks defining "all rights" for each supported object type
*/ */
#define ACL_ALL_RIGHTS_COLUMN (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_REFERENCES) #define ACL_ALL_RIGHTS_COLUMN (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_REFERENCES)
#define ACL_ALL_RIGHTS_RELATION (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_TRUNCATE|ACL_REFERENCES|ACL_TRIGGER) #define ACL_ALL_RIGHTS_RELATION (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_TRUNCATE|ACL_REFERENCES|ACL_TRIGGER|ACL_MAINTAIN)
#define ACL_ALL_RIGHTS_SEQUENCE (ACL_USAGE|ACL_SELECT|ACL_UPDATE) #define ACL_ALL_RIGHTS_SEQUENCE (ACL_USAGE|ACL_SELECT|ACL_UPDATE)
#define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT) #define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT)
#define ACL_ALL_RIGHTS_FDW (ACL_USAGE) #define ACL_ALL_RIGHTS_FDW (ACL_USAGE)

8
src/test/isolation/expected/cluster-conflict-partition.out
Unescape View File

@ -3,7 +3,7 @@ Parsed test spec with 2 sessions
starting permutation: s1_begin s1_lock_parent s2_auth s2_cluster s1_commit s2_reset starting permutation: s1_begin s1_lock_parent s2_auth s2_cluster s1_commit s2_reset
step s1_begin: BEGIN; step s1_begin: BEGIN;
step s1_lock_parent: LOCK cluster_part_tab IN SHARE UPDATE EXCLUSIVE MODE; step s1_lock_parent: LOCK cluster_part_tab IN SHARE UPDATE EXCLUSIVE MODE;
step s2_auth: SET ROLE regress_cluster_part; step s2_auth: SET ROLE regress_cluster_part; SET client_min_messages = ERROR;
step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind; <waiting ...> step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind; <waiting ...>
step s1_commit: COMMIT; step s1_commit: COMMIT;
step s2_cluster: <... completed> step s2_cluster: <... completed>
@ -11,7 +11,7 @@ step s2_reset: RESET ROLE;
starting permutation: s1_begin s2_auth s1_lock_parent s2_cluster s1_commit s2_reset starting permutation: s1_begin s2_auth s1_lock_parent s2_cluster s1_commit s2_reset
step s1_begin: BEGIN; step s1_begin: BEGIN;
step s2_auth: SET ROLE regress_cluster_part; step s2_auth: SET ROLE regress_cluster_part; SET client_min_messages = ERROR;
step s1_lock_parent: LOCK cluster_part_tab IN SHARE UPDATE EXCLUSIVE MODE; step s1_lock_parent: LOCK cluster_part_tab IN SHARE UPDATE EXCLUSIVE MODE;
step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind; <waiting ...> step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind; <waiting ...>
step s1_commit: COMMIT; step s1_commit: COMMIT;
@ -21,14 +21,14 @@ step s2_reset: RESET ROLE;
starting permutation: s1_begin s1_lock_child s2_auth s2_cluster s1_commit s2_reset starting permutation: s1_begin s1_lock_child s2_auth s2_cluster s1_commit s2_reset
step s1_begin: BEGIN; step s1_begin: BEGIN;
step s1_lock_child: LOCK cluster_part_tab1 IN SHARE UPDATE EXCLUSIVE MODE; step s1_lock_child: LOCK cluster_part_tab1 IN SHARE UPDATE EXCLUSIVE MODE;
step s2_auth: SET ROLE regress_cluster_part; step s2_auth: SET ROLE regress_cluster_part; SET client_min_messages = ERROR;
step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind; step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind;
step s1_commit: COMMIT; step s1_commit: COMMIT;
step s2_reset: RESET ROLE; step s2_reset: RESET ROLE;
starting permutation: s1_begin s2_auth s1_lock_child s2_cluster s1_commit s2_reset starting permutation: s1_begin s2_auth s1_lock_child s2_cluster s1_commit s2_reset
step s1_begin: BEGIN; step s1_begin: BEGIN;
step s2_auth: SET ROLE regress_cluster_part; step s2_auth: SET ROLE regress_cluster_part; SET client_min_messages = ERROR;
step s1_lock_child: LOCK cluster_part_tab1 IN SHARE UPDATE EXCLUSIVE MODE; step s1_lock_child: LOCK cluster_part_tab1 IN SHARE UPDATE EXCLUSIVE MODE;
step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind; step s2_cluster: CLUSTER cluster_part_tab USING cluster_part_ind;
step s1_commit: COMMIT; step s1_commit: COMMIT;

2
src/test/isolation/specs/cluster-conflict-partition.spec
Unescape View File

@ -23,7 +23,7 @@ step s1_lock_child { LOCK cluster_part_tab1 IN SHARE UPDATE EXCLUSIVE MODE;
step s1_commit { COMMIT; } step s1_commit { COMMIT; }
session s2 session s2
step s2_auth { SET ROLE regress_cluster_part; } step s2_auth { SET ROLE regress_cluster_part; SET client_min_messages = ERROR; }
step s2_cluster { CLUSTER cluster_part_tab USING cluster_part_ind; } step s2_cluster { CLUSTER cluster_part_tab USING cluster_part_ind; }
step s2_reset { RESET ROLE; } step s2_reset { RESET ROLE; }

11
src/test/perl/PostgreSQL/Test/AdjustUpgrade.pm
Unescape View File

@ -300,6 +300,17 @@ sub adjust_old_dumpfile
$dump = _mash_view_qualifiers($dump); $dump = _mash_view_qualifiers($dump);
} }
if ($old_version >= 14 && $old_version < 17)
{
# Fix up some privilege-set discrepancies.
$dump =~
s {^REVOKE SELECT,INSERT,REFERENCES,DELETE,TRIGGER,TRUNCATE,UPDATE ON TABLE}
{REVOKE ALL ON TABLE}mg;
$dump =~
s {^(GRANT SELECT,INSERT,REFERENCES,TRIGGER,TRUNCATE),UPDATE ON TABLE}
{$1,MAINTAIN,UPDATE ON TABLE}mg;
}
if ($old_version < 14) if ($old_version < 14)
{ {
# Remove mentions of extended hash functions. # Remove mentions of extended hash functions.

7
src/test/regress/expected/cluster.out
Unescape View File

@ -353,7 +353,9 @@ INSERT INTO clstr_3 VALUES (1);
-- this user can only cluster clstr_1 and clstr_3, but the latter -- this user can only cluster clstr_1 and clstr_3, but the latter
-- has not been clustered -- has not been clustered
SET SESSION AUTHORIZATION regress_clstr_user; SET SESSION AUTHORIZATION regress_clstr_user;
SET client_min_messages = ERROR; -- order of "skipping" warnings may vary
CLUSTER; CLUSTER;
RESET client_min_messages;
SELECT * FROM clstr_1 UNION ALL SELECT * FROM clstr_1 UNION ALL
SELECT * FROM clstr_2 UNION ALL SELECT * FROM clstr_2 UNION ALL
SELECT * FROM clstr_3; SELECT * FROM clstr_3;
@ -501,12 +503,17 @@ CREATE TABLE ptnowner1 PARTITION OF ptnowner FOR VALUES IN (1);
CREATE ROLE regress_ptnowner; CREATE ROLE regress_ptnowner;
CREATE TABLE ptnowner2 PARTITION OF ptnowner FOR VALUES IN (2); CREATE TABLE ptnowner2 PARTITION OF ptnowner FOR VALUES IN (2);
ALTER TABLE ptnowner1 OWNER TO regress_ptnowner; ALTER TABLE ptnowner1 OWNER TO regress_ptnowner;
SET SESSION AUTHORIZATION regress_ptnowner;
CLUSTER ptnowner USING ptnowner_i_idx;
ERROR: permission denied for table ptnowner
RESET SESSION AUTHORIZATION;
ALTER TABLE ptnowner OWNER TO regress_ptnowner; ALTER TABLE ptnowner OWNER TO regress_ptnowner;
CREATE TEMP TABLE ptnowner_oldnodes AS CREATE TEMP TABLE ptnowner_oldnodes AS
SELECT oid, relname, relfilenode FROM pg_partition_tree('ptnowner') AS tree SELECT oid, relname, relfilenode FROM pg_partition_tree('ptnowner') AS tree
JOIN pg_class AS c ON c.oid=tree.relid; JOIN pg_class AS c ON c.oid=tree.relid;
SET SESSION AUTHORIZATION regress_ptnowner; SET SESSION AUTHORIZATION regress_ptnowner;
CLUSTER ptnowner USING ptnowner_i_idx; CLUSTER ptnowner USING ptnowner_i_idx;
WARNING: permission denied to cluster "ptnowner2", skipping it
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
SELECT a.relname, a.relfilenode=b.relfilenode FROM pg_class a SELECT a.relname, a.relfilenode=b.relfilenode FROM pg_class a
JOIN ptnowner_oldnodes b USING (oid) ORDER BY a.relname COLLATE "C"; JOIN ptnowner_oldnodes b USING (oid) ORDER BY a.relname COLLATE "C";

4
src/test/regress/expected/create_index.out
Unescape View File

@ -2832,9 +2832,9 @@ RESET ROLE;
GRANT USAGE ON SCHEMA pg_toast TO regress_reindexuser; GRANT USAGE ON SCHEMA pg_toast TO regress_reindexuser;
SET SESSION ROLE regress_reindexuser; SET SESSION ROLE regress_reindexuser;
REINDEX TABLE pg_toast.pg_toast_1260; REINDEX TABLE pg_toast.pg_toast_1260;
ERROR: must be owner of table pg_toast_1260 ERROR: permission denied for table pg_toast_1260
REINDEX INDEX pg_toast.pg_toast_1260_index; REINDEX INDEX pg_toast.pg_toast_1260_index;
ERROR: must be owner of index pg_toast_1260_index ERROR: permission denied for index pg_toast_1260_index
-- Clean up -- Clean up
RESET ROLE; RESET ROLE;
REVOKE USAGE ON SCHEMA pg_toast FROM regress_reindexuser; REVOKE USAGE ON SCHEMA pg_toast FROM regress_reindexuser;

22
src/test/regress/expected/dependency.out
Unescape View File

@ -19,7 +19,7 @@ DETAIL: privileges for table deptest
REVOKE SELECT ON deptest FROM GROUP regress_dep_group; REVOKE SELECT ON deptest FROM GROUP regress_dep_group;
DROP GROUP regress_dep_group; DROP GROUP regress_dep_group;
-- can't drop the user if we revoke the privileges partially -- can't drop the user if we revoke the privileges partially
REVOKE SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES ON deptest FROM regress_dep_user; REVOKE SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, MAINTAIN ON deptest FROM regress_dep_user;
DROP USER regress_dep_user; DROP USER regress_dep_user;
ERROR: role "regress_dep_user" cannot be dropped because some objects depend on it ERROR: role "regress_dep_user" cannot be dropped because some objects depend on it
DETAIL: privileges for table deptest DETAIL: privileges for table deptest
@ -67,21 +67,21 @@ CREATE TABLE deptest (a serial primary key, b text);
GRANT ALL ON deptest1 TO regress_dep_user2; GRANT ALL ON deptest1 TO regress_dep_user2;
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
\z deptest1 \z deptest1
Access privileges Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies Schema | Name | Type | Access privileges | Column privileges | Policies
--------+----------+-------+----------------------------------------------------+-------------------+---------- --------+----------+-------+------------------------------------------------------+-------------------+----------
public | deptest1 | table | regress_dep_user0=arwdDxt/regress_dep_user0 +| | public | deptest1 | table | regress_dep_user0=arwdDxtm/regress_dep_user0 +| |
| | | regress_dep_user1=a*r*w*d*D*x*t*/regress_dep_user0+| | | | | regress_dep_user1=a*r*w*d*D*x*t*m*/regress_dep_user0+| |
| | | regress_dep_user2=arwdDxt/regress_dep_user1 | | | | | regress_dep_user2=arwdDxtm/regress_dep_user1 | |
(1 row) (1 row)
DROP OWNED BY regress_dep_user1; DROP OWNED BY regress_dep_user1;
-- all grants revoked -- all grants revoked
\z deptest1 \z deptest1
Access privileges Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies Schema | Name | Type | Access privileges | Column privileges | Policies
--------+----------+-------+---------------------------------------------+-------------------+---------- --------+----------+-------+----------------------------------------------+-------------------+----------
public | deptest1 | table | regress_dep_user0=arwdDxt/regress_dep_user0 | | public | deptest1 | table | regress_dep_user0=arwdDxtm/regress_dep_user0 | |
(1 row) (1 row)
-- table was dropped -- table was dropped

116
src/test/regress/expected/privileges.out
Unescape View File

@ -2296,9 +2296,9 @@ SELECT pg_input_is_valid('regress_priv_user1=rY', 'aclitem');
(1 row) (1 row)
SELECT * FROM pg_input_error_info('regress_priv_user1=rY', 'aclitem'); SELECT * FROM pg_input_error_info('regress_priv_user1=rY', 'aclitem');
message | detail | hint | sql_error_code message | detail | hint | sql_error_code
---------------------------------------------------------+--------+------+---------------- ----------------------------------------------------------+--------+------+----------------
invalid mode character: must be one of "arwdDxtXUCTcsA" | | | 22P02 invalid mode character: must be one of "arwdDxtXUCTcsAm" | | | 22P02
(1 row) (1 row)
-- --
@ -2639,38 +2639,38 @@ set session role regress_priv_user4;
grant select on dep_priv_test to regress_priv_user5; grant select on dep_priv_test to regress_priv_user5;
\dp dep_priv_test \dp dep_priv_test
Access privileges Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------------+-------+-----------------------------------------------+-------------------+---------- --------+---------------+-------+------------------------------------------------+-------------------+----------
public | dep_priv_test | table | regress_priv_user1=arwdDxt/regress_priv_user1+| | public | dep_priv_test | table | regress_priv_user1=arwdDxtm/regress_priv_user1+| |
| | | regress_priv_user2=r*/regress_priv_user1 +| | | | | regress_priv_user2=r*/regress_priv_user1 +| |
| | | regress_priv_user3=r*/regress_priv_user1 +| | | | | regress_priv_user3=r*/regress_priv_user1 +| |
| | | regress_priv_user4=r*/regress_priv_user2 +| | | | | regress_priv_user4=r*/regress_priv_user2 +| |
| | | regress_priv_user4=r*/regress_priv_user3 +| | | | | regress_priv_user4=r*/regress_priv_user3 +| |
| | | regress_priv_user5=r/regress_priv_user4 | | | | | regress_priv_user5=r/regress_priv_user4 | |
(1 row) (1 row)
set session role regress_priv_user2; set session role regress_priv_user2;
revoke select on dep_priv_test from regress_priv_user4 cascade; revoke select on dep_priv_test from regress_priv_user4 cascade;
\dp dep_priv_test \dp dep_priv_test
Access privileges Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------------+-------+-----------------------------------------------+-------------------+---------- --------+---------------+-------+------------------------------------------------+-------------------+----------
public | dep_priv_test | table | regress_priv_user1=arwdDxt/regress_priv_user1+| | public | dep_priv_test | table | regress_priv_user1=arwdDxtm/regress_priv_user1+| |
| | | regress_priv_user2=r*/regress_priv_user1 +| | | | | regress_priv_user2=r*/regress_priv_user1 +| |
| | | regress_priv_user3=r*/regress_priv_user1 +| | | | | regress_priv_user3=r*/regress_priv_user1 +| |
| | | regress_priv_user4=r*/regress_priv_user3 +| | | | | regress_priv_user4=r*/regress_priv_user3 +| |
| | | regress_priv_user5=r/regress_priv_user4 | | | | | regress_priv_user5=r/regress_priv_user4 | |
(1 row) (1 row)
set session role regress_priv_user3; set session role regress_priv_user3;
revoke select on dep_priv_test from regress_priv_user4 cascade; revoke select on dep_priv_test from regress_priv_user4 cascade;
\dp dep_priv_test \dp dep_priv_test
Access privileges Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------------+-------+-----------------------------------------------+-------------------+---------- --------+---------------+-------+------------------------------------------------+-------------------+----------
public | dep_priv_test | table | regress_priv_user1=arwdDxt/regress_priv_user1+| | public | dep_priv_test | table | regress_priv_user1=arwdDxtm/regress_priv_user1+| |
| | | regress_priv_user2=r*/regress_priv_user1 +| | | | | regress_priv_user2=r*/regress_priv_user1 +| |
| | | regress_priv_user3=r*/regress_priv_user1 | | | | | regress_priv_user3=r*/regress_priv_user1 | |
(1 row) (1 row)
set session role regress_priv_user1; set session role regress_priv_user1;
@ -2800,6 +2800,20 @@ LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
COMMIT; COMMIT;
\c \c
REVOKE TRUNCATE ON lock_table FROM regress_locktable_user; REVOKE TRUNCATE ON lock_table FROM regress_locktable_user;
-- LOCK TABLE and MAINTAIN permission
GRANT MAINTAIN ON lock_table TO regress_locktable_user;
SET SESSION AUTHORIZATION regress_locktable_user;
BEGIN;
LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should pass
ROLLBACK;
BEGIN;
LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
COMMIT;
BEGIN;
LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
COMMIT;
\c
REVOKE MAINTAIN ON lock_table FROM regress_locktable_user;
-- clean up -- clean up
DROP TABLE lock_table; DROP TABLE lock_table;
DROP USER regress_locktable_user; DROP USER regress_locktable_user;
@ -2913,3 +2927,59 @@ DROP SCHEMA regress_roleoption;
DROP ROLE regress_roleoption_protagonist; DROP ROLE regress_roleoption_protagonist;
DROP ROLE regress_roleoption_donor; DROP ROLE regress_roleoption_donor;
DROP ROLE regress_roleoption_recipient; DROP ROLE regress_roleoption_recipient;
-- MAINTAIN
CREATE ROLE regress_no_maintain;
CREATE ROLE regress_maintain;
CREATE ROLE regress_maintain_all IN ROLE pg_maintain;
CREATE TABLE maintain_test (a INT);
CREATE INDEX ON maintain_test (a);
GRANT MAINTAIN ON maintain_test TO regress_maintain;
CREATE MATERIALIZED VIEW refresh_test AS SELECT 1;
GRANT MAINTAIN ON refresh_test TO regress_maintain;
CREATE SCHEMA reindex_test;
-- negative tests; should fail
SET ROLE regress_no_maintain;
VACUUM maintain_test;
WARNING: permission denied to vacuum "maintain_test", skipping it
ANALYZE maintain_test;
WARNING: permission denied to analyze "maintain_test", skipping it
VACUUM (ANALYZE) maintain_test;
WARNING: permission denied to vacuum "maintain_test", skipping it
CLUSTER maintain_test USING maintain_test_a_idx;
ERROR: permission denied for table maintain_test
REFRESH MATERIALIZED VIEW refresh_test;
ERROR: permission denied for materialized view refresh_test
REINDEX TABLE maintain_test;
ERROR: permission denied for table maintain_test
REINDEX INDEX maintain_test_a_idx;
ERROR: permission denied for index maintain_test_a_idx
REINDEX SCHEMA reindex_test;
ERROR: must be owner of schema reindex_test
RESET ROLE;
SET ROLE regress_maintain;
VACUUM maintain_test;
ANALYZE maintain_test;
VACUUM (ANALYZE) maintain_test;
CLUSTER maintain_test USING maintain_test_a_idx;
REFRESH MATERIALIZED VIEW refresh_test;
REINDEX TABLE maintain_test;
REINDEX INDEX maintain_test_a_idx;
REINDEX SCHEMA reindex_test;
ERROR: must be owner of schema reindex_test
RESET ROLE;
SET ROLE regress_maintain_all;
VACUUM maintain_test;
ANALYZE maintain_test;
VACUUM (ANALYZE) maintain_test;
CLUSTER maintain_test USING maintain_test_a_idx;
REFRESH MATERIALIZED VIEW refresh_test;
REINDEX TABLE maintain_test;
REINDEX INDEX maintain_test_a_idx;
REINDEX SCHEMA reindex_test;
RESET ROLE;
DROP TABLE maintain_test;
DROP MATERIALIZED VIEW refresh_test;
DROP SCHEMA reindex_test;
DROP ROLE regress_no_maintain;
DROP ROLE regress_maintain;
DROP ROLE regress_maintain_all;

34
src/test/regress/expected/rowsecurity.out
Unescape View File

@ -93,23 +93,23 @@ CREATE POLICY p2r ON document AS RESTRICTIVE TO regress_rls_dave
CREATE POLICY p1r ON document AS RESTRICTIVE TO regress_rls_dave CREATE POLICY p1r ON document AS RESTRICTIVE TO regress_rls_dave
USING (cid <> 44); USING (cid <> 44);
\dp \dp
Access privileges Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies Schema | Name | Type | Access privileges | Column privileges | Policies
--------------------+----------+-------+---------------------------------------------+-------------------+-------------------------------------------- --------------------+----------+-------+----------------------------------------------+-------------------+--------------------------------------------
regress_rls_schema | category | table | regress_rls_alice=arwdDxt/regress_rls_alice+| | regress_rls_schema | category | table | regress_rls_alice=arwdDxtm/regress_rls_alice+| |
| | | =arwdDxt/regress_rls_alice | | | | | =arwdDxtm/regress_rls_alice | |
regress_rls_schema | document | table | regress_rls_alice=arwdDxt/regress_rls_alice+| | p1: + regress_rls_schema | document | table | regress_rls_alice=arwdDxtm/regress_rls_alice+| | p1: +
| | | =arwdDxt/regress_rls_alice | | (u): (dlevel <= ( SELECT uaccount.seclv + | | | =arwdDxtm/regress_rls_alice | | (u): (dlevel <= ( SELECT uaccount.seclv +
| | | | | FROM uaccount + | | | | | FROM uaccount +
| | | | | WHERE (uaccount.pguser = CURRENT_USER)))+ | | | | | WHERE (uaccount.pguser = CURRENT_USER)))+
| | | | | p2r (RESTRICTIVE): + | | | | | p2r (RESTRICTIVE): +
| | | | | (u): ((cid <> 44) AND (cid < 50)) + | | | | | (u): ((cid <> 44) AND (cid < 50)) +
| | | | | to: regress_rls_dave + | | | | | to: regress_rls_dave +
| | | | | p1r (RESTRICTIVE): + | | | | | p1r (RESTRICTIVE): +
| | | | | (u): (cid <> 44) + | | | | | (u): (cid <> 44) +
| | | | | to: regress_rls_dave | | | | | to: regress_rls_dave
regress_rls_schema | uaccount | table | regress_rls_alice=arwdDxt/regress_rls_alice+| | regress_rls_schema | uaccount | table | regress_rls_alice=arwdDxtm/regress_rls_alice+| |
| | | =r/regress_rls_alice | | | | | =r/regress_rls_alice | |
(3 rows) (3 rows)
\d document \d document

5
src/test/regress/sql/cluster.sql
Unescape View File

@ -145,7 +145,9 @@ INSERT INTO clstr_3 VALUES (1);
-- this user can only cluster clstr_1 and clstr_3, but the latter -- this user can only cluster clstr_1 and clstr_3, but the latter
-- has not been clustered -- has not been clustered
SET SESSION AUTHORIZATION regress_clstr_user; SET SESSION AUTHORIZATION regress_clstr_user;
SET client_min_messages = ERROR; -- order of "skipping" warnings may vary
CLUSTER; CLUSTER;
RESET client_min_messages;
SELECT * FROM clstr_1 UNION ALL SELECT * FROM clstr_1 UNION ALL
SELECT * FROM clstr_2 UNION ALL SELECT * FROM clstr_2 UNION ALL
SELECT * FROM clstr_3; SELECT * FROM clstr_3;
@ -236,6 +238,9 @@ CREATE TABLE ptnowner1 PARTITION OF ptnowner FOR VALUES IN (1);
CREATE ROLE regress_ptnowner; CREATE ROLE regress_ptnowner;
CREATE TABLE ptnowner2 PARTITION OF ptnowner FOR VALUES IN (2); CREATE TABLE ptnowner2 PARTITION OF ptnowner FOR VALUES IN (2);
ALTER TABLE ptnowner1 OWNER TO regress_ptnowner; ALTER TABLE ptnowner1 OWNER TO regress_ptnowner;
SET SESSION AUTHORIZATION regress_ptnowner;
CLUSTER ptnowner USING ptnowner_i_idx;
RESET SESSION AUTHORIZATION;
ALTER TABLE ptnowner OWNER TO regress_ptnowner; ALTER TABLE ptnowner OWNER TO regress_ptnowner;
CREATE TEMP TABLE ptnowner_oldnodes AS CREATE TEMP TABLE ptnowner_oldnodes AS
SELECT oid, relname, relfilenode FROM pg_partition_tree('ptnowner') AS tree SELECT oid, relname, relfilenode FROM pg_partition_tree('ptnowner') AS tree

2
src/test/regress/sql/dependency.sql
Unescape View File

@ -21,7 +21,7 @@ REVOKE SELECT ON deptest FROM GROUP regress_dep_group;
DROP GROUP regress_dep_group; DROP GROUP regress_dep_group;
-- can't drop the user if we revoke the privileges partially -- can't drop the user if we revoke the privileges partially
REVOKE SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES ON deptest FROM regress_dep_user; REVOKE SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, MAINTAIN ON deptest FROM regress_dep_user;
DROP USER regress_dep_user; DROP USER regress_dep_user;
-- now we are OK to drop him -- now we are OK to drop him

67
src/test/regress/sql/privileges.sql
Unescape View File

@ -1793,6 +1793,21 @@ COMMIT;
\c \c
REVOKE TRUNCATE ON lock_table FROM regress_locktable_user; REVOKE TRUNCATE ON lock_table FROM regress_locktable_user;
-- LOCK TABLE and MAINTAIN permission
GRANT MAINTAIN ON lock_table TO regress_locktable_user;
SET SESSION AUTHORIZATION regress_locktable_user;
BEGIN;
LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should pass
ROLLBACK;
BEGIN;
LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
COMMIT;
BEGIN;
LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
COMMIT;
\c
REVOKE MAINTAIN ON lock_table FROM regress_locktable_user;
-- clean up -- clean up
DROP TABLE lock_table; DROP TABLE lock_table;
DROP USER regress_locktable_user; DROP USER regress_locktable_user;
@ -1876,3 +1891,55 @@ DROP SCHEMA regress_roleoption;
DROP ROLE regress_roleoption_protagonist; DROP ROLE regress_roleoption_protagonist;
DROP ROLE regress_roleoption_donor; DROP ROLE regress_roleoption_donor;
DROP ROLE regress_roleoption_recipient; DROP ROLE regress_roleoption_recipient;
-- MAINTAIN
CREATE ROLE regress_no_maintain;
CREATE ROLE regress_maintain;
CREATE ROLE regress_maintain_all IN ROLE pg_maintain;
CREATE TABLE maintain_test (a INT);
CREATE INDEX ON maintain_test (a);
GRANT MAINTAIN ON maintain_test TO regress_maintain;
CREATE MATERIALIZED VIEW refresh_test AS SELECT 1;
GRANT MAINTAIN ON refresh_test TO regress_maintain;
CREATE SCHEMA reindex_test;
-- negative tests; should fail
SET ROLE regress_no_maintain;
VACUUM maintain_test;
ANALYZE maintain_test;
VACUUM (ANALYZE) maintain_test;
CLUSTER maintain_test USING maintain_test_a_idx;
REFRESH MATERIALIZED VIEW refresh_test;
REINDEX TABLE maintain_test;
REINDEX INDEX maintain_test_a_idx;
REINDEX SCHEMA reindex_test;
RESET ROLE;
SET ROLE regress_maintain;
VACUUM maintain_test;
ANALYZE maintain_test;
VACUUM (ANALYZE) maintain_test;
CLUSTER maintain_test USING maintain_test_a_idx;
REFRESH MATERIALIZED VIEW refresh_test;
REINDEX TABLE maintain_test;
REINDEX INDEX maintain_test_a_idx;
REINDEX SCHEMA reindex_test;
RESET ROLE;
SET ROLE regress_maintain_all;
VACUUM maintain_test;
ANALYZE maintain_test;
VACUUM (ANALYZE) maintain_test;
CLUSTER maintain_test USING maintain_test_a_idx;
REFRESH MATERIALIZED VIEW refresh_test;
REINDEX TABLE maintain_test;
REINDEX INDEX maintain_test_a_idx;
REINDEX SCHEMA reindex_test;
RESET ROLE;
DROP TABLE maintain_test;
DROP MATERIALIZED VIEW refresh_test;
DROP SCHEMA reindex_test;
DROP ROLE regress_no_maintain;
DROP ROLE regress_maintain;
DROP ROLE regress_maintain_all;

Write Preview
Loading…
Cancel
Save