diff options
| author | Stephen Frost <sfrost@snowman.net> | 2014-09-24 16:32:22 -0400 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2014-09-24 16:32:22 -0400 |
| commit | 6550b901fe7c47c03775400e0c790c6c1234a017 (patch) | |
| tree | f67c2cabd58ef765f0bcaf4307d73d7eac51e5fc /src/bin/psql/tab-complete.c | |
| parent | 3f6f9260e308a331e6809d5309b17d1613ff900f (diff) | |
Code review for row security.
Buildfarm member tick identified an issue where the policies in the
relcache for a relation were were being replaced underneath a running
query, leading to segfaults while processing the policies to be added
to a query. Similar to how TupleDesc RuleLocks are handled, add in a
equalRSDesc() function to check if the policies have actually changed
and, if not, swap back the rsdesc field (using the original instead of
the temporairly built one; the whole structure is swapped and then
specific fields swapped back). This now passes a CLOBBER_CACHE_ALWAYS
for me and should resolve the buildfarm error.
In addition to addressing this, add a new chapter in Data Definition
under Privileges which explains row security and provides examples of
its usage, change \d to always list policies (even if row security is
disabled- but note that it is disabled, or enabled with no policies),
rework check_role_for_policy (it really didn't need the entire policy,
but it did need to be using has_privs_of_role()), and change the field
in pg_class to relrowsecurity from relhasrowsecurity, based on
Heikki's suggestion. Also from Heikki, only issue SET ROW_SECURITY in
pg_restore when talking to a 9.5+ server, list Bypass RLS in \du, and
document --enable-row-security options for pg_dump and pg_restore.
Lastly, fix a number of minor whitespace and typo issues from Heikki,
Dimitri, add a missing #include, per Peter E, fix a few minor
variable-assigned-but-not-used and resource leak issues from Coverity
and add tab completion for role attribute bypassrls as well.
Diffstat (limited to 'src/bin/psql/tab-complete.c')
| -rw-r--r-- | src/bin/psql/tab-complete.c | 38 |
1 files changed, 20 insertions, 18 deletions
diff --git a/src/bin/psql/tab-complete.c b/src/bin/psql/tab-complete.c index a4594b6783c..886188c036f 100644 --- a/src/bin/psql/tab-complete.c +++ b/src/bin/psql/tab-complete.c @@ -1214,11 +1214,12 @@ psql_completion(const char *text, int start, int end) pg_strcasecmp(prev2_wd, "ROLE") == 0)) { static const char *const list_ALTERUSER[] = - {"CONNECTION LIMIT", "CREATEDB", "CREATEROLE", "CREATEUSER", - "ENCRYPTED", "INHERIT", "LOGIN", "NOCREATEDB", "NOCREATEROLE", - "NOCREATEUSER", "NOINHERIT", "NOLOGIN", "NOREPLICATION", - "NOSUPERUSER", "RENAME TO", "REPLICATION", "RESET", "SET", - "SUPERUSER", "UNENCRYPTED", "VALID UNTIL", "WITH", NULL}; + {"BYPASSRLS", "CONNECTION LIMIT", "CREATEDB", "CREATEROLE", + "CREATEUSER", "ENCRYPTED", "INHERIT", "LOGIN", "NOBYPASSRLS", + "NOCREATEDB", "NOCREATEROLE", "NOCREATEUSER", "NOINHERIT", + "NOLOGIN", "NOREPLICATION", "NOSUPERUSER", "RENAME TO", + "REPLICATION", "RESET", "SET", "SUPERUSER", "UNENCRYPTED", + "VALID UNTIL", "WITH", NULL}; COMPLETE_WITH_LIST(list_ALTERUSER); } @@ -1231,11 +1232,12 @@ psql_completion(const char *text, int start, int end) { /* Similar to the above, but don't complete "WITH" again. */ static const char *const list_ALTERUSER_WITH[] = - {"CONNECTION LIMIT", "CREATEDB", "CREATEROLE", "CREATEUSER", - "ENCRYPTED", "INHERIT", "LOGIN", "NOCREATEDB", "NOCREATEROLE", - "NOCREATEUSER", "NOINHERIT", "NOLOGIN", "NOREPLICATION", - "NOSUPERUSER", "RENAME TO", "REPLICATION", "RESET", "SET", - "SUPERUSER", "UNENCRYPTED", "VALID UNTIL", NULL}; + {"BYPASSRLS", "CONNECTION LIMIT", "CREATEDB", "CREATEROLE", + "CREATEUSER", "ENCRYPTED", "INHERIT", "LOGIN", "NOBYPASSRLS", + "NOCREATEDB", "NOCREATEROLE", "NOCREATEUSER", "NOINHERIT", + "NOLOGIN", "NOREPLICATION", "NOSUPERUSER", "RENAME TO", + "REPLICATION", "RESET", "SET", "SUPERUSER", "UNENCRYPTED", + "VALID UNTIL", NULL}; COMPLETE_WITH_LIST(list_ALTERUSER_WITH); } @@ -2565,10 +2567,10 @@ psql_completion(const char *text, int start, int end) pg_strcasecmp(prev2_wd, "GROUP") == 0 || pg_strcasecmp(prev2_wd, "USER") == 0)) { static const char *const list_CREATEROLE[] = - {"ADMIN", "CONNECTION LIMIT", "CREATEDB", "CREATEROLE", "CREATEUSER", - "ENCRYPTED", "IN", "INHERIT", "LOGIN", "NOCREATEDB", - "NOCREATEROLE", "NOCREATEUSER", "NOINHERIT", "NOLOGIN", - "NOREPLICATION", "NOSUPERUSER", "REPLICATION", "ROLE", + {"ADMIN", "BYPASSRLS", "CONNECTION LIMIT", "CREATEDB", "CREATEROLE", + "CREATEUSER", "ENCRYPTED", "IN", "INHERIT", "LOGIN", "NOBYPASSRLS", + "NOCREATEDB", "NOCREATEROLE", "NOCREATEUSER", "NOINHERIT", + "NOLOGIN", "NOREPLICATION", "NOSUPERUSER", "REPLICATION", "ROLE", "SUPERUSER", "SYSID", "UNENCRYPTED", "VALID UNTIL", "WITH", NULL}; COMPLETE_WITH_LIST(list_CREATEROLE); @@ -2583,10 +2585,10 @@ psql_completion(const char *text, int start, int end) { /* Similar to the above, but don't complete "WITH" again. */ static const char *const list_CREATEROLE_WITH[] = - {"ADMIN", "CONNECTION LIMIT", "CREATEDB", "CREATEROLE", "CREATEUSER", - "ENCRYPTED", "IN", "INHERIT", "LOGIN", "NOCREATEDB", - "NOCREATEROLE", "NOCREATEUSER", "NOINHERIT", "NOLOGIN", - "NOREPLICATION", "NOSUPERUSER", "REPLICATION", "ROLE", + {"ADMIN", "BYPASSRLS", "CONNECTION LIMIT", "CREATEDB", "CREATEROLE", + "CREATEUSER", "ENCRYPTED", "IN", "INHERIT", "LOGIN", "NOBYPASSRLS", + "NOCREATEDB", "NOCREATEROLE", "NOCREATEUSER", "NOINHERIT", + "NOLOGIN", "NOREPLICATION", "NOSUPERUSER", "REPLICATION", "ROLE", "SUPERUSER", "SYSID", "UNENCRYPTED", "VALID UNTIL", NULL}; COMPLETE_WITH_LIST(list_CREATEROLE_WITH); |