From fd496129d160950ed681c1150ea8f627b292c511 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Sat, 24 Jan 2015 16:16:22 -0500
Subject: Clean up some mess in row-security patches.

Fix unsafe coding around PG_TRY in RelationBuildRowSecurity: can't change a variable inside PG_TRY and then use it in PG_CATCH without marking it "volatile". In this case though it seems saner to avoid that by doing a single assignment before entering the TRY block.

I started out just intending to fix that, but the more I looked at the row-security code the more distressed I got. This patch also fixes incorrect construction of the RowSecurityPolicy cache entries (there was not sufficient care taken to copy pass-by-ref data into the cache memory context) and a whole bunch of sloppiness around the definition and use of pg_policy.polcmd. You can't use nulls in that column because initdb will mark it NOT NULL --- and I see no particular reason why a null entry would be a good idea anyway, so changing initdb's behavior is not the right answer. The internal value of '\0' wouldn't be suitable in a "char" column either, so after a bit of thought I settled on using '*' to represent ALL. Chasing those changes down also revealed that somebody wasn't paying attention to what the underlying values of ACL_UPDATE_CHR etc really were, and there was a great deal of lackadaisicalness in the catalogs.sgml documentation for pg_policy and pg_policies too.

This doesn't pretend to be a complete code review for the row-security stuff, it just fixes the things that were in my face while dealing with the bugs in RelationBuildRowSecurity.
---
 doc/src/sgml/catalogs.sgml | 226 +++++++++++++++++++++++----------------------
 1 file changed, 115 insertions(+), 111 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 9ceb96b54c7..62305d2bb3e 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -218,6 +218,11 @@ template data for procedural languages + + pg_policy + row-security policies + + pg_proc functions and procedures @@ -238,11 +243,6 @@ replication slot information - - pg_policy - table policies - - pg_seclabel security labels on database objects @@ -1940,20 +1940,20 @@ - relrowsecurity + relhassubclass bool - - True if table has row level security enabled; see - pg_policy catalog - + True if table has (or once had) any inheritance children - relhassubclass + relrowsecurity bool - True if table has (or once had) any inheritance children + + True if table has row-level security enabled; see + pg_policy catalog + @@ -4711,6 +4711,98 @@ + + <structname>pg_policy</structname> + + + pg_policy + + + + The catalog pg_policy stores row-level + security policies for tables. A policy includes the kind of + command that it applies to (possibly all commands), the roles that it + applies to, the expression to be added as a security-barrier + qualification to queries that include the table, and the expression + to be added as a WITH CHECK option for queries that attempt to + add new records to the table. + + + + + <structname>pg_policy</structname> Columns + + + + + Name + Type + References + Description + + + + + + polname + name + + The name of the policy + + + + polrelid + oid + pg_class.oid + The table to which the policy applies + + + + polcmd + char + + The command type to which the policy is applied: + r for SELECT, + a for INSERT, + w for UPDATE, + d for DELETE, + or * for all + + + + polroles + oid[] + pg_authid.oid + The roles to which the policy is applied + + + + polqual + pg_node_tree + + The expression tree to be added to the security barrier qualifications for queries that use the table + + + + polwithcheck + pg_node_tree + + The expression tree to be added to the WITH CHECK qualifications for queries that attempt to add rows to the table + + + + +
+ + + + Policies stored in pg_policy are applied only when + pg_class.relrowsecurity is set for + their table. + + + +
<structname>pg_proc</structname> @@ -5342,94 +5434,6 @@ - - <structname>pg_policy</structname> - - - pg_policy - - - - The catalog pg_policy stores row-level - security policies for each table. A policy includes the kind of - command which it applies to (or all commands), the roles which it - applies to, the expression to be added as a security-barrier - qualification to queries which include the table and the expression - to be added as a with-check option for queries which attempt to add - new records to the table. - - - - - <structname>pg_policy</structname> Columns - - - - - Name - Type - References - Description - - - - - - polname - name - - The name of the policy - - - - polrelid - oid - pg_class.oid - The table to which the policy belongs - - - - polcmd - char - - The command type to which the policy is applied. - - - - polroles - char - - The roles to which the policy is applied. - - - - polqual - pg_node_tree - - The expression tree to be added to the security barrier qualifications for queries which use the table. - - - - polwithcheck - pg_node_tree - - The expression tree to be added to the with check qualifications for queries which attempt to add rows to the table. - - - - -
- - - - pg_class.relrowsecurity - True if the table has row security enabled. Policies will not be applied - unless row security is enabled on the table. - - - -
- <structname>pg_seclabel</structname> @@ -8166,7 +8170,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx The view pg_policies provides access to - useful information about each policy in the database. + useful information about each row-level security policy in the database. @@ -8197,34 +8201,34 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx policyname name - pg_class.relname + pg_policy.polname Name of policy - cmd - text + roles + name[] - The command type to which the policy is applied. + The roles to which this policy applies - roles - name[] + cmd + text - The roles to which this policy applies. + The command type to which the policy is applied qual text The expression added to the security barrier qualifications for - queries which this policy applies to. + queries that this policy applies to with_check text - The expression added to the with check qualifications for - queries which attempt to add rows to this table. + The expression added to the WITH CHECK qualifications for + queries that attempt to add rows to this table -- cgit v1.2.3
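Review bot: in the new pg_policy section (hunk @@ -4711), the polcmd row lists the letter codes (r, a, w, d, *) but does not say the column is never null, even though the commit message explains that initdb marks it NOT NULL and that '*' was chosen precisely to stand in for "all commands" instead of a null; stating that in the row ("or * for all; the column is never null") would stop readers from looking for a null case. The rest of the section is a clear improvement: polroles is now oid[] referencing pg_authid.oid rather than the "char" the old table claimed, and the closing paragraph that policies apply only when pg_class.relrowsecurity is set is the detail that matters most, since a row in pg_policy enforces nothing on its own.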
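Review bot: in the pg_policies hunk (@@ -8197), the cmd row is typed text but its description ("The command type to which the policy is applied") does not say whether the view shows the single-letter polcmd code or a spelled-out command name, so a reader cannot map a view row back to the catalog; the representation should be stated here, next to the reference to pg_policy.polcmd's codes. Changing policyname's reference from pg_class.relname to pg_policy.polname is the right fix, and roles as name[] (resolved from polroles' oid[]) is worth a word too, since the two columns are the same data in different forms.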