| author | Robert Haas <rhaas@postgresql.org> | 2013-04-12 08:55:56 -0400 |
|---|---|---|
| committer | Robert Haas <rhaas@postgresql.org> | 2013-04-12 08:58:01 -0400 |
| commit | f8a54e936bdf4c31b395a2ab7d7bc98eefa6dbad (patch) | |
| tree | 957024396b9375191802c4b9eb5a2ed8e80809fb /doc/src | |
| parent | d017bf41a32d08885f00a274603ed2e50816fe7f (diff) | |
sepgsql: Enforce db_procedure:{execute} permission.
To do this, we add an additional object access hook type,
OAT_FUNCTION_EXECUTE.
KaiGai Kohei
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/sepgsql.sgml | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/src/sgml/sepgsql.sgml b/doc/src/sgml/sepgsql.sgml index 0a2ee86a111..2cdbe9de43b 100644 --- a/doc/src/sgml/sepgsql.sgml +++ b/doc/src/sgml/sepgsql.sgml @@ -393,8 +393,11 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; </para> <para> - For functions, <literal>db_procedure:{execute}</> is defined, but is not - checked in this version. + For functions, <literal>db_procedure:{execute}</> will be checked when + user tries to execute a function as a part of query, or using fast-path + invocation. If this function is a trusted procedure, it also checks + <literal>db_procedure:{entrypoint}</> permission to check whether it + can perform as entrypoint of trusted procedure. </para> <para> |
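Review bot: In the added paragraph, the sentence "If this function is a trusted procedure, it also checks ..." has an unclear subject: "it" reads as the function, while the permission check is performed on the function, not by it. Suggest rewording so the check is the subject and the repeated "check" goes away, for example "If the function is a trusted procedure, <literal>db_procedure:{entrypoint}</> is also checked, to determine whether the function may serve as the entry point of a trusted procedure." The first added sentence is also missing articles; "when a user tries to execute a function as part of a query, or through fast-path invocation" reads better. Since the paragraph now relies on the term "trusted procedure", it would help readers to point at the place in this document where that term is defined, if there is one.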
