summaryrefslogtreecommitdiff
path: root/src/include
diff options
context:
space:
mode:
Diffstat (limited to 'src/include')
-rw-r--r--src/include/catalog/acldefs.h72
-rw-r--r--src/include/catalog/catversion.h2
-rw-r--r--src/include/catalog/pg_authid.h34
-rw-r--r--src/include/catalog/pg_proc.h13
-rw-r--r--src/include/nodes/parsenodes.h28
-rw-r--r--src/include/utils/acl.h14
-rw-r--r--src/include/utils/builtins.h6
7 files changed, 110 insertions, 59 deletions
diff --git a/src/include/catalog/acldefs.h b/src/include/catalog/acldefs.h
new file mode 100644
index 00000000000..2dcc17495d3
--- /dev/null
+++ b/src/include/catalog/acldefs.h
@@ -0,0 +1,72 @@
+/*-------------------------------------------------------------------------
+ *
+ * acldefs.h
+ * base definitions for ACLs and role attributes
+ *
+ * Portions Copyright (c) 2014, PostgreSQL Global Development Group
+ *
+ * src/include/catalog/acldefs.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef ACLDEFS_H
+#define ACLDEFS_H
+
+/*
+ * Grantable rights are encoded so that we can OR them together in a bitmask.
+ * The present representation of AclItem limits us to 16 distinct rights,
+ * even though AclMode is defined as uint32. See utils/acl.h.
+ *
+ * Caution: changing these codes breaks stored ACLs, hence forces initdb.
+ */
+typedef uint32 AclMode; /* a bitmask of privilege bits */
+
+#define ACL_INSERT (1<<0) /* for relations */
+#define ACL_SELECT (1<<1)
+#define ACL_UPDATE (1<<2)
+#define ACL_DELETE (1<<3)
+#define ACL_TRUNCATE (1<<4)
+#define ACL_REFERENCES (1<<5)
+#define ACL_TRIGGER (1<<6)
+#define ACL_EXECUTE (1<<7) /* for functions */
+#define ACL_USAGE (1<<8) /* for languages, namespaces, FDWs, and
+ * servers */
+#define ACL_CREATE (1<<9) /* for namespaces and databases */
+#define ACL_CREATE_TEMP (1<<10) /* for databases */
+#define ACL_CONNECT (1<<11) /* for databases */
+#define N_ACL_RIGHTS 12 /* 1 plus the last 1<<x */
+#define ACL_NO_RIGHTS 0
+/* Currently, SELECT ... FOR [KEY] UPDATE/SHARE requires UPDATE privileges */
+#define ACL_SELECT_FOR_UPDATE ACL_UPDATE
+
+#define ACL_ID_PUBLIC 0 /* placeholder for id in a PUBLIC acl item */
+
+
+/*
+ * Role attributes are encoded so that we can OR them together in a bitmask.
+ * The present representation of RoleAttr (defined in acl.h) limits us to 64
+ * distinct rights.
+ *
+ * Note about ROLE_ATTR_ALL: This symbol is used verbatim by genbki.pl, which
+ * means we need to hard-code its value instead of using a symbolic definition.
+ * Therefore, whenever role attributes are changed, this value MUST be updated
+ * manually.
+ */
+
+/* A bitmask for role attributes */
+typedef uint64 RoleAttr;
+
+#define ROLE_ATTR_NONE 0
+#define ROLE_ATTR_SUPERUSER (1<<0)
+#define ROLE_ATTR_INHERIT (1<<1)
+#define ROLE_ATTR_CREATEROLE (1<<2)
+#define ROLE_ATTR_CREATEDB (1<<3)
+#define ROLE_ATTR_CATUPDATE (1<<4)
+#define ROLE_ATTR_CANLOGIN (1<<5)
+#define ROLE_ATTR_REPLICATION (1<<6)
+#define ROLE_ATTR_BYPASSRLS (1<<7)
+#define N_ROLE_ATTRIBUTES 8 /* 1 plus the last 1<<x */
+#define ROLE_ATTR_ALL 255 /* (1 << N_ROLE_ATTRIBUTES) - 1 */
+
+
+#endif /* ACLDEFS_H */
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index 5e9961af69d..e56f7ded9d9 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -53,6 +53,6 @@
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 201412191
+#define CATALOG_VERSION_NO 201412232
#endif
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 3b63d2bb9e0..a45f38d1ebc 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -21,6 +21,7 @@
#ifndef PG_AUTHID_H
#define PG_AUTHID_H
+#include "catalog/acldefs.h"
#include "catalog/genbki.h"
/*
@@ -45,16 +46,8 @@
CATALOG(pg_authid,1260) BKI_SHARED_RELATION BKI_ROWTYPE_OID(2842) BKI_SCHEMA_MACRO
{
NameData rolname; /* name of role */
- bool rolsuper; /* read this field via superuser() only! */
- bool rolinherit; /* inherit privileges from other roles? */
- bool rolcreaterole; /* allowed to create more roles? */
- bool rolcreatedb; /* allowed to create databases? */
- bool rolcatupdate; /* allowed to alter catalogs manually? */
- bool rolcanlogin; /* allowed to log in as session user? */
- bool rolreplication; /* role used for streaming replication */
- bool rolbypassrls; /* allowed to bypass row level security? */
+ int64 rolattr; /* role attribute bitmask */
int32 rolconnlimit; /* max connections allowed (-1=no limit) */
-
/* remaining fields may be null; use heap_getattr to read them! */
text rolpassword; /* password, if any */
timestamptz rolvaliduntil; /* password expiration time, if any */
@@ -74,28 +67,25 @@ typedef FormData_pg_authid *Form_pg_authid;
* compiler constants for pg_authid
* ----------------
*/
-#define Natts_pg_authid 12
+#define Natts_pg_authid 5
#define Anum_pg_authid_rolname 1
-#define Anum_pg_authid_rolsuper 2
-#define Anum_pg_authid_rolinherit 3
-#define Anum_pg_authid_rolcreaterole 4
-#define Anum_pg_authid_rolcreatedb 5
-#define Anum_pg_authid_rolcatupdate 6
-#define Anum_pg_authid_rolcanlogin 7
-#define Anum_pg_authid_rolreplication 8
-#define Anum_pg_authid_rolbypassrls 9
-#define Anum_pg_authid_rolconnlimit 10
-#define Anum_pg_authid_rolpassword 11
-#define Anum_pg_authid_rolvaliduntil 12
+#define Anum_pg_authid_rolattr 2
+#define Anum_pg_authid_rolconnlimit 3
+#define Anum_pg_authid_rolpassword 4
+#define Anum_pg_authid_rolvaliduntil 5
+
/* ----------------
* initial contents of pg_authid
*
* The uppercase quantities will be replaced at initdb time with
* user choices.
+ *
+ * PGROLATTRALL is substituted by genbki.pl to use the value defined by
+ * ROLE_ATTR_ALL.
* ----------------
*/
-DATA(insert OID = 10 ( "POSTGRES" t t t t t t t t -1 _null_ _null_));
+DATA(insert OID = 10 ( "POSTGRES" PGROLATTRALL -1 _null_ _null_));
#define BOOTSTRAP_SUPERUSERID 10
diff --git a/src/include/catalog/pg_proc.h b/src/include/catalog/pg_proc.h
index f766ed791fb..7f64aaa964d 100644
--- a/src/include/catalog/pg_proc.h
+++ b/src/include/catalog/pg_proc.h
@@ -5136,6 +5136,19 @@ DESCR("rank of hypothetical row without gaps");
DATA(insert OID = 3993 ( dense_rank_final PGNSP PGUID 12 1 0 2276 0 f f f f f f i 2 0 20 "2281 2276" "{2281,2276}" "{i,v}" _null_ _null_ hypothetical_dense_rank_final _null_ _null_ _null_ ));
DESCR("aggregate final function");
+/* role attribute support functions */
+DATA(insert OID = 3994 ( pg_has_role_attribute PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 16 "26 25" _null_ _null_ _null_ _null_ pg_has_role_attribute_id _null_ _null_ _null_ ));
+DESCR("check role attribute by role oid with superuser bypass check");
+DATA(insert OID = 3995 ( pg_has_role_attribute PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 16 "19 25" _null_ _null_ _null_ _null_ pg_has_role_attribute_name _null_ _null_ _null_ ));
+DESCR("check role attribute by role name with superuser bypass check");
+DATA(insert OID = 3996 ( pg_check_role_attribute PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 16 "26 25" _null_ _null_ _null_ _null_ pg_check_role_attribute_id _null_ _null_ _null_ ));
+DESCR("check role attribute by role id");
+DATA(insert OID = 3997 ( pg_check_role_attribute PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 16 "19 25" _null_ _null_ _null_ _null_ pg_check_role_attribute_name _null_ _null_ _null_ ));
+DESCR("check role attribute by role name");
+DATA(insert OID = 3998 ( pg_check_role_attribute PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 16 "20 25" _null_ _null_ _null_ _null_ pg_check_role_attribute_attrs _null_ _null_ _null_ ));
+DESCR("check role attribute");
+DATA(insert OID = 3999 ( pg_all_role_attributes PGNSP PGUID 12 10 0 0 0 f f f f t f s 1 0 1009 "20" _null_ _null_ _null_ _null_ pg_all_role_attributes _null_ _null_ _null_));
+DESCR("convert role attributes to string array");
/*
* Symbolic values for provolatile column: these indicate whether the result
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 64508f0338a..f027a375351 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -23,6 +23,7 @@
#include "nodes/bitmapset.h"
#include "nodes/primnodes.h"
#include "nodes/value.h"
+#include "catalog/acldefs.h"
#include "utils/lockwaitpolicy.h"
/* Possible sources of a Query */
@@ -51,33 +52,6 @@ typedef enum SortByNulls
SORTBY_NULLS_LAST
} SortByNulls;
-/*
- * Grantable rights are encoded so that we can OR them together in a bitmask.
- * The present representation of AclItem limits us to 16 distinct rights,
- * even though AclMode is defined as uint32. See utils/acl.h.
- *
- * Caution: changing these codes breaks stored ACLs, hence forces initdb.
- */
-typedef uint32 AclMode; /* a bitmask of privilege bits */
-
-#define ACL_INSERT (1<<0) /* for relations */
-#define ACL_SELECT (1<<1)
-#define ACL_UPDATE (1<<2)
-#define ACL_DELETE (1<<3)
-#define ACL_TRUNCATE (1<<4)
-#define ACL_REFERENCES (1<<5)
-#define ACL_TRIGGER (1<<6)
-#define ACL_EXECUTE (1<<7) /* for functions */
-#define ACL_USAGE (1<<8) /* for languages, namespaces, FDWs, and
- * servers */
-#define ACL_CREATE (1<<9) /* for namespaces and databases */
-#define ACL_CREATE_TEMP (1<<10) /* for databases */
-#define ACL_CONNECT (1<<11) /* for databases */
-#define N_ACL_RIGHTS 12 /* 1 plus the last 1<<x */
-#define ACL_NO_RIGHTS 0
-/* Currently, SELECT ... FOR [KEY] UPDATE/SHARE requires UPDATE privileges */
-#define ACL_SELECT_FOR_UPDATE ACL_UPDATE
-
/*****************************************************************************
* Query Tree
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index a8e3164659c..4e8d81ca0ad 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -30,13 +30,6 @@
/*
- * typedef AclMode is declared in parsenodes.h, also the individual privilege
- * bit meanings are defined there
- */
-
-#define ACL_ID_PUBLIC 0 /* placeholder for id in a PUBLIC acl item */
-
-/*
* AclItem
*
* Note: must be same size on all platforms, because the size is hardcoded
@@ -326,7 +319,10 @@ extern bool pg_foreign_data_wrapper_ownercheck(Oid srv_oid, Oid roleid);
extern bool pg_foreign_server_ownercheck(Oid srv_oid, Oid roleid);
extern bool pg_event_trigger_ownercheck(Oid et_oid, Oid roleid);
extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
-extern bool has_createrole_privilege(Oid roleid);
-extern bool has_bypassrls_privilege(Oid roleid);
+
+/* role attribute check routines */
+extern bool has_role_attribute(Oid roleid, RoleAttr attribute);
+extern bool have_role_attribute(RoleAttr attribute);
+extern bool check_role_attribute(Oid roleid, RoleAttr attribute);
#endif /* ACL_H */
diff --git a/src/include/utils/builtins.h b/src/include/utils/builtins.h
index 2da3002e5d0..c8e0e3a4344 100644
--- a/src/include/utils/builtins.h
+++ b/src/include/utils/builtins.h
@@ -106,6 +106,12 @@ extern Datum pg_has_role_id_name(PG_FUNCTION_ARGS);
extern Datum pg_has_role_id_id(PG_FUNCTION_ARGS);
extern Datum pg_has_role_name(PG_FUNCTION_ARGS);
extern Datum pg_has_role_id(PG_FUNCTION_ARGS);
+extern Datum pg_has_role_attribute_id(PG_FUNCTION_ARGS);
+extern Datum pg_has_role_attribute_name(PG_FUNCTION_ARGS);
+extern Datum pg_check_role_attribute_id(PG_FUNCTION_ARGS);
+extern Datum pg_check_role_attribute_name(PG_FUNCTION_ARGS);
+extern Datum pg_check_role_attribute_attrs(PG_FUNCTION_ARGS);
+extern Datum pg_all_role_attributes(PG_FUNCTION_ARGS);
/* bool.c */
extern Datum boolin(PG_FUNCTION_ARGS);
generated by cgit v1.2.3 (git 2.46.0) at 2025-08-31 18:28:05 +0000