PostgreSQL Source Code  git master
aclchk.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * aclchk.c
4  * Routines to check access control permissions.
5  *
6  * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
7  * Portions Copyright (c) 1994, Regents of the University of California
8  *
9  *
10  * IDENTIFICATION
11  * src/backend/catalog/aclchk.c
12  *
13  * NOTES
14  * See acl.h.
15  *
16  *-------------------------------------------------------------------------
17  */
18 #include "postgres.h"
19 
20 #include "access/genam.h"
21 #include "access/heapam.h"
22 #include "access/htup_details.h"
23 #include "access/sysattr.h"
24 #include "access/tableam.h"
25 #include "access/xact.h"
26 #include "catalog/binary_upgrade.h"
27 #include "catalog/catalog.h"
28 #include "catalog/dependency.h"
29 #include "catalog/indexing.h"
30 #include "catalog/objectaccess.h"
31 #include "catalog/pg_aggregate.h"
32 #include "catalog/pg_am.h"
33 #include "catalog/pg_authid.h"
34 #include "catalog/pg_cast.h"
35 #include "catalog/pg_collation.h"
36 #include "catalog/pg_conversion.h"
37 #include "catalog/pg_database.h"
38 #include "catalog/pg_default_acl.h"
40 #include "catalog/pg_extension.h"
43 #include "catalog/pg_init_privs.h"
44 #include "catalog/pg_language.h"
45 #include "catalog/pg_largeobject.h"
47 #include "catalog/pg_namespace.h"
48 #include "catalog/pg_opclass.h"
49 #include "catalog/pg_operator.h"
50 #include "catalog/pg_opfamily.h"
51 #include "catalog/pg_proc.h"
54 #include "catalog/pg_tablespace.h"
55 #include "catalog/pg_transform.h"
56 #include "catalog/pg_ts_config.h"
57 #include "catalog/pg_ts_dict.h"
58 #include "catalog/pg_ts_parser.h"
59 #include "catalog/pg_ts_template.h"
60 #include "catalog/pg_type.h"
61 #include "commands/dbcommands.h"
62 #include "commands/event_trigger.h"
63 #include "commands/extension.h"
64 #include "commands/proclang.h"
65 #include "commands/tablespace.h"
66 #include "foreign/foreign.h"
67 #include "miscadmin.h"
68 #include "nodes/makefuncs.h"
69 #include "parser/parse_func.h"
70 #include "parser/parse_type.h"
71 #include "utils/acl.h"
72 #include "utils/aclchk_internal.h"
73 #include "utils/builtins.h"
74 #include "utils/fmgroids.h"
75 #include "utils/lsyscache.h"
76 #include "utils/rel.h"
77 #include "utils/syscache.h"
78 
79 /*
80  * Internal format used by ALTER DEFAULT PRIVILEGES.
81  */
82 typedef struct
83 {
84  Oid roleid; /* owning role */
85  Oid nspid; /* namespace, or InvalidOid if none */
86  /* remaining fields are same as in InternalGrant: */
87  bool is_grant;
89  bool all_privs;
95 
96 /*
97  * When performing a binary-upgrade, pg_dump will call a function to set
98  * this variable to let us know that we need to populate the pg_init_privs
99  * table for the GRANT/REVOKE commands while this variable is set to true.
100  */
102 
103 static void ExecGrantStmt_oids(InternalGrant *istmt);
104 static void ExecGrant_Relation(InternalGrant *grantStmt);
105 static void ExecGrant_Database(InternalGrant *grantStmt);
106 static void ExecGrant_Fdw(InternalGrant *grantStmt);
107 static void ExecGrant_ForeignServer(InternalGrant *grantStmt);
108 static void ExecGrant_Function(InternalGrant *grantStmt);
109 static void ExecGrant_Language(InternalGrant *grantStmt);
110 static void ExecGrant_Largeobject(InternalGrant *grantStmt);
111 static void ExecGrant_Namespace(InternalGrant *grantStmt);
112 static void ExecGrant_Tablespace(InternalGrant *grantStmt);
113 static void ExecGrant_Type(InternalGrant *grantStmt);
114 
115 static void SetDefaultACLsInSchemas(InternalDefaultACL *iacls, List *nspnames);
116 static void SetDefaultACL(InternalDefaultACL *iacls);
117 
118 static List *objectNamesToOids(ObjectType objtype, List *objnames);
119 static List *objectsInSchemaToOids(ObjectType objtype, List *nspnames);
120 static List *getRelationsInNamespace(Oid namespaceId, char relkind);
121 static void expand_col_privileges(List *colnames, Oid table_oid,
122  AclMode this_privileges,
123  AclMode *col_privileges,
124  int num_col_privileges);
125 static void expand_all_col_privileges(Oid table_oid, Form_pg_class classForm,
126  AclMode this_privileges,
127  AclMode *col_privileges,
128  int num_col_privileges);
129 static AclMode string_to_privilege(const char *privname);
130 static const char *privilege_to_string(AclMode privilege);
131 static AclMode restrict_and_check_grant(bool is_grant, AclMode avail_goptions,
132  bool all_privs, AclMode privileges,
133  Oid objectId, Oid grantorId,
134  ObjectType objtype, const char *objname,
135  AttrNumber att_number, const char *colname);
136 static AclMode pg_aclmask(ObjectType objtype, Oid table_oid, AttrNumber attnum,
137  Oid roleid, AclMode mask, AclMaskHow how);
138 static void recordExtensionInitPriv(Oid objoid, Oid classoid, int objsubid,
139  Acl *new_acl);
140 static void recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid,
141  Acl *new_acl);
142 
143 
144 /*
145  * If is_grant is true, adds the given privileges for the list of
146  * grantees to the existing old_acl. If is_grant is false, the
147  * privileges for the given grantees are removed from old_acl.
148  *
149  * NB: the original old_acl is pfree'd.
150  */
151 static Acl *
152 merge_acl_with_grant(Acl *old_acl, bool is_grant,
153  bool grant_option, DropBehavior behavior,
154  List *grantees, AclMode privileges,
155  Oid grantorId, Oid ownerId)
156 {
157  unsigned modechg;
158  ListCell *j;
159  Acl *new_acl;
160 
161  modechg = is_grant ? ACL_MODECHG_ADD : ACL_MODECHG_DEL;
162 
163  new_acl = old_acl;
164 
165  foreach(j, grantees)
166  {
167  AclItem aclitem;
168  Acl *newer_acl;
169 
170  aclitem.ai_grantee = lfirst_oid(j);
171 
172  /*
173  * Grant options can only be granted to individual roles, not PUBLIC.
174  * The reason is that if a user would re-grant a privilege that he
175  * held through PUBLIC, and later the user is removed, the situation
176  * is impossible to clean up.
177  */
178  if (is_grant && grant_option && aclitem.ai_grantee == ACL_ID_PUBLIC)
179  ereport(ERROR,
180  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
181  errmsg("grant options can only be granted to roles")));
182 
183  aclitem.ai_grantor = grantorId;
184 
185  /*
186  * The asymmetry in the conditions here comes from the spec. In
187  * GRANT, the grant_option flag signals WITH GRANT OPTION, which means
188  * to grant both the basic privilege and its grant option. But in
189  * REVOKE, plain revoke revokes both the basic privilege and its grant
190  * option, while REVOKE GRANT OPTION revokes only the option.
191  */
193  (is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS,
194  (!is_grant || grant_option) ? privileges : ACL_NO_RIGHTS);
195 
196  newer_acl = aclupdate(new_acl, &aclitem, modechg, ownerId, behavior);
197 
198  /* avoid memory leak when there are many grantees */
199  pfree(new_acl);
200  new_acl = newer_acl;
201  }
202 
203  return new_acl;
204 }
205 
206 /*
207  * Restrict the privileges to what we can actually grant, and emit
208  * the standards-mandated warning and error messages.
209  */
210 static AclMode
211 restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs,
212  AclMode privileges, Oid objectId, Oid grantorId,
213  ObjectType objtype, const char *objname,
214  AttrNumber att_number, const char *colname)
215 {
216  AclMode this_privileges;
217  AclMode whole_mask;
218 
219  switch (objtype)
220  {
221  case OBJECT_COLUMN:
222  whole_mask = ACL_ALL_RIGHTS_COLUMN;
223  break;
224  case OBJECT_TABLE:
225  whole_mask = ACL_ALL_RIGHTS_RELATION;
226  break;
227  case OBJECT_SEQUENCE:
228  whole_mask = ACL_ALL_RIGHTS_SEQUENCE;
229  break;
230  case OBJECT_DATABASE:
231  whole_mask = ACL_ALL_RIGHTS_DATABASE;
232  break;
233  case OBJECT_FUNCTION:
234  whole_mask = ACL_ALL_RIGHTS_FUNCTION;
235  break;
236  case OBJECT_LANGUAGE:
237  whole_mask = ACL_ALL_RIGHTS_LANGUAGE;
238  break;
239  case OBJECT_LARGEOBJECT:
240  whole_mask = ACL_ALL_RIGHTS_LARGEOBJECT;
241  break;
242  case OBJECT_SCHEMA:
243  whole_mask = ACL_ALL_RIGHTS_SCHEMA;
244  break;
245  case OBJECT_TABLESPACE:
246  whole_mask = ACL_ALL_RIGHTS_TABLESPACE;
247  break;
248  case OBJECT_FDW:
249  whole_mask = ACL_ALL_RIGHTS_FDW;
250  break;
252  whole_mask = ACL_ALL_RIGHTS_FOREIGN_SERVER;
253  break;
255  elog(ERROR, "grantable rights not supported for event triggers");
256  /* not reached, but keep compiler quiet */
257  return ACL_NO_RIGHTS;
258  case OBJECT_TYPE:
259  whole_mask = ACL_ALL_RIGHTS_TYPE;
260  break;
261  default:
262  elog(ERROR, "unrecognized object type: %d", objtype);
263  /* not reached, but keep compiler quiet */
264  return ACL_NO_RIGHTS;
265  }
266 
267  /*
268  * If we found no grant options, consider whether to issue a hard error.
269  * Per spec, having any privilege at all on the object will get you by
270  * here.
271  */
272  if (avail_goptions == ACL_NO_RIGHTS)
273  {
274  if (pg_aclmask(objtype, objectId, att_number, grantorId,
275  whole_mask | ACL_GRANT_OPTION_FOR(whole_mask),
277  {
278  if (objtype == OBJECT_COLUMN && colname)
279  aclcheck_error_col(ACLCHECK_NO_PRIV, objtype, objname, colname);
280  else
281  aclcheck_error(ACLCHECK_NO_PRIV, objtype, objname);
282  }
283  }
284 
285  /*
286  * Restrict the operation to what we can actually grant or revoke, and
287  * issue a warning if appropriate. (For REVOKE this isn't quite what the
288  * spec says to do: the spec seems to want a warning only if no privilege
289  * bits actually change in the ACL. In practice that behavior seems much
290  * too noisy, as well as inconsistent with the GRANT case.)
291  */
292  this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
293  if (is_grant)
294  {
295  if (this_privileges == 0)
296  {
297  if (objtype == OBJECT_COLUMN && colname)
299  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
300  errmsg("no privileges were granted for column \"%s\" of relation \"%s\"",
301  colname, objname)));
302  else
304  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
305  errmsg("no privileges were granted for \"%s\"",
306  objname)));
307  }
308  else if (!all_privs && this_privileges != privileges)
309  {
310  if (objtype == OBJECT_COLUMN && colname)
312  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
313  errmsg("not all privileges were granted for column \"%s\" of relation \"%s\"",
314  colname, objname)));
315  else
317  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
318  errmsg("not all privileges were granted for \"%s\"",
319  objname)));
320  }
321  }
322  else
323  {
324  if (this_privileges == 0)
325  {
326  if (objtype == OBJECT_COLUMN && colname)
328  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
329  errmsg("no privileges could be revoked for column \"%s\" of relation \"%s\"",
330  colname, objname)));
331  else
333  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
334  errmsg("no privileges could be revoked for \"%s\"",
335  objname)));
336  }
337  else if (!all_privs && this_privileges != privileges)
338  {
339  if (objtype == OBJECT_COLUMN && colname)
341  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
342  errmsg("not all privileges could be revoked for column \"%s\" of relation \"%s\"",
343  colname, objname)));
344  else
346  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
347  errmsg("not all privileges could be revoked for \"%s\"",
348  objname)));
349  }
350  }
351 
352  return this_privileges;
353 }
354 
355 /*
356  * Called to execute the utility commands GRANT and REVOKE
357  */
358 void
360 {
361  InternalGrant istmt;
362  ListCell *cell;
363  const char *errormsg;
364  AclMode all_privileges;
365 
366  if (stmt->grantor)
367  {
368  Oid grantor;
369 
370  grantor = get_rolespec_oid(stmt->grantor, false);
371 
372  /*
373  * Currently, this clause is only for SQL compatibility, not very
374  * interesting otherwise.
375  */
376  if (grantor != GetUserId())
377  ereport(ERROR,
378  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
379  errmsg("grantor must be current user")));
380  }
381 
382  /*
383  * Turn the regular GrantStmt into the InternalGrant form.
384  */
385  istmt.is_grant = stmt->is_grant;
386  istmt.objtype = stmt->objtype;
387 
388  /* Collect the OIDs of the target objects */
389  switch (stmt->targtype)
390  {
391  case ACL_TARGET_OBJECT:
392  istmt.objects = objectNamesToOids(stmt->objtype, stmt->objects);
393  break;
395  istmt.objects = objectsInSchemaToOids(stmt->objtype, stmt->objects);
396  break;
397  /* ACL_TARGET_DEFAULTS should not be seen here */
398  default:
399  elog(ERROR, "unrecognized GrantStmt.targtype: %d",
400  (int) stmt->targtype);
401  }
402 
403  /* all_privs to be filled below */
404  /* privileges to be filled below */
405  istmt.col_privs = NIL; /* may get filled below */
406  istmt.grantees = NIL; /* filled below */
407  istmt.grant_option = stmt->grant_option;
408  istmt.behavior = stmt->behavior;
409 
410  /*
411  * Convert the RoleSpec list into an Oid list. Note that at this point we
412  * insert an ACL_ID_PUBLIC into the list if appropriate, so downstream
413  * there shouldn't be any additional work needed to support this case.
414  */
415  foreach(cell, stmt->grantees)
416  {
417  RoleSpec *grantee = (RoleSpec *) lfirst(cell);
418  Oid grantee_uid;
419 
420  switch (grantee->roletype)
421  {
422  case ROLESPEC_PUBLIC:
423  grantee_uid = ACL_ID_PUBLIC;
424  break;
425  default:
426  grantee_uid = get_rolespec_oid(grantee, false);
427  break;
428  }
429  istmt.grantees = lappend_oid(istmt.grantees, grantee_uid);
430  }
431 
432  /*
433  * Convert stmt->privileges, a list of AccessPriv nodes, into an AclMode
434  * bitmask. Note: objtype can't be OBJECT_COLUMN.
435  */
436  switch (stmt->objtype)
437  {
438  case OBJECT_TABLE:
439 
440  /*
441  * Because this might be a sequence, we test both relation and
442  * sequence bits, and later do a more limited test when we know
443  * the object type.
444  */
446  errormsg = gettext_noop("invalid privilege type %s for relation");
447  break;
448  case OBJECT_SEQUENCE:
449  all_privileges = ACL_ALL_RIGHTS_SEQUENCE;
450  errormsg = gettext_noop("invalid privilege type %s for sequence");
451  break;
452  case OBJECT_DATABASE:
453  all_privileges = ACL_ALL_RIGHTS_DATABASE;
454  errormsg = gettext_noop("invalid privilege type %s for database");
455  break;
456  case OBJECT_DOMAIN:
457  all_privileges = ACL_ALL_RIGHTS_TYPE;
458  errormsg = gettext_noop("invalid privilege type %s for domain");
459  break;
460  case OBJECT_FUNCTION:
461  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
462  errormsg = gettext_noop("invalid privilege type %s for function");
463  break;
464  case OBJECT_LANGUAGE:
465  all_privileges = ACL_ALL_RIGHTS_LANGUAGE;
466  errormsg = gettext_noop("invalid privilege type %s for language");
467  break;
468  case OBJECT_LARGEOBJECT:
469  all_privileges = ACL_ALL_RIGHTS_LARGEOBJECT;
470  errormsg = gettext_noop("invalid privilege type %s for large object");
471  break;
472  case OBJECT_SCHEMA:
473  all_privileges = ACL_ALL_RIGHTS_SCHEMA;
474  errormsg = gettext_noop("invalid privilege type %s for schema");
475  break;
476  case OBJECT_PROCEDURE:
477  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
478  errormsg = gettext_noop("invalid privilege type %s for procedure");
479  break;
480  case OBJECT_ROUTINE:
481  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
482  errormsg = gettext_noop("invalid privilege type %s for routine");
483  break;
484  case OBJECT_TABLESPACE:
485  all_privileges = ACL_ALL_RIGHTS_TABLESPACE;
486  errormsg = gettext_noop("invalid privilege type %s for tablespace");
487  break;
488  case OBJECT_TYPE:
489  all_privileges = ACL_ALL_RIGHTS_TYPE;
490  errormsg = gettext_noop("invalid privilege type %s for type");
491  break;
492  case OBJECT_FDW:
493  all_privileges = ACL_ALL_RIGHTS_FDW;
494  errormsg = gettext_noop("invalid privilege type %s for foreign-data wrapper");
495  break;
497  all_privileges = ACL_ALL_RIGHTS_FOREIGN_SERVER;
498  errormsg = gettext_noop("invalid privilege type %s for foreign server");
499  break;
500  default:
501  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
502  (int) stmt->objtype);
503  /* keep compiler quiet */
504  all_privileges = ACL_NO_RIGHTS;
505  errormsg = NULL;
506  }
507 
508  if (stmt->privileges == NIL)
509  {
510  istmt.all_privs = true;
511 
512  /*
513  * will be turned into ACL_ALL_RIGHTS_* by the internal routines
514  * depending on the object type
515  */
516  istmt.privileges = ACL_NO_RIGHTS;
517  }
518  else
519  {
520  istmt.all_privs = false;
521  istmt.privileges = ACL_NO_RIGHTS;
522 
523  foreach(cell, stmt->privileges)
524  {
525  AccessPriv *privnode = (AccessPriv *) lfirst(cell);
526  AclMode priv;
527 
528  /*
529  * If it's a column-level specification, we just set it aside in
530  * col_privs for the moment; but insist it's for a relation.
531  */
532  if (privnode->cols)
533  {
534  if (stmt->objtype != OBJECT_TABLE)
535  ereport(ERROR,
536  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
537  errmsg("column privileges are only valid for relations")));
538  istmt.col_privs = lappend(istmt.col_privs, privnode);
539  continue;
540  }
541 
542  if (privnode->priv_name == NULL) /* parser mistake? */
543  elog(ERROR, "AccessPriv node must specify privilege or columns");
544  priv = string_to_privilege(privnode->priv_name);
545 
546  if (priv & ~((AclMode) all_privileges))
547  ereport(ERROR,
548  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
549  errmsg(errormsg, privilege_to_string(priv))));
550 
551  istmt.privileges |= priv;
552  }
553  }
554 
555  ExecGrantStmt_oids(&istmt);
556 }
557 
558 /*
559  * ExecGrantStmt_oids
560  *
561  * Internal entry point for granting and revoking privileges.
562  */
563 static void
565 {
566  switch (istmt->objtype)
567  {
568  case OBJECT_TABLE:
569  case OBJECT_SEQUENCE:
570  ExecGrant_Relation(istmt);
571  break;
572  case OBJECT_DATABASE:
573  ExecGrant_Database(istmt);
574  break;
575  case OBJECT_DOMAIN:
576  case OBJECT_TYPE:
577  ExecGrant_Type(istmt);
578  break;
579  case OBJECT_FDW:
580  ExecGrant_Fdw(istmt);
581  break;
584  break;
585  case OBJECT_FUNCTION:
586  case OBJECT_PROCEDURE:
587  case OBJECT_ROUTINE:
588  ExecGrant_Function(istmt);
589  break;
590  case OBJECT_LANGUAGE:
591  ExecGrant_Language(istmt);
592  break;
593  case OBJECT_LARGEOBJECT:
594  ExecGrant_Largeobject(istmt);
595  break;
596  case OBJECT_SCHEMA:
597  ExecGrant_Namespace(istmt);
598  break;
599  case OBJECT_TABLESPACE:
600  ExecGrant_Tablespace(istmt);
601  break;
602  default:
603  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
604  (int) istmt->objtype);
605  }
606 
607  /*
608  * Pass the info to event triggers about the just-executed GRANT. Note
609  * that we prefer to do it after actually executing it, because that gives
610  * the functions a chance to adjust the istmt with privileges actually
611  * granted.
612  */
615 }
616 
617 /*
618  * objectNamesToOids
619  *
620  * Turn a list of object names of a given type into an Oid list.
621  *
622  * XXX: This function doesn't take any sort of locks on the objects whose
623  * names it looks up. In the face of concurrent DDL, we might easily latch
624  * onto an old version of an object, causing the GRANT or REVOKE statement
625  * to fail.
626  */
627 static List *
628 objectNamesToOids(ObjectType objtype, List *objnames)
629 {
630  List *objects = NIL;
631  ListCell *cell;
632 
633  Assert(objnames != NIL);
634 
635  switch (objtype)
636  {
637  case OBJECT_TABLE:
638  case OBJECT_SEQUENCE:
639  foreach(cell, objnames)
640  {
641  RangeVar *relvar = (RangeVar *) lfirst(cell);
642  Oid relOid;
643 
644  relOid = RangeVarGetRelid(relvar, NoLock, false);
645  objects = lappend_oid(objects, relOid);
646  }
647  break;
648  case OBJECT_DATABASE:
649  foreach(cell, objnames)
650  {
651  char *dbname = strVal(lfirst(cell));
652  Oid dbid;
653 
654  dbid = get_database_oid(dbname, false);
655  objects = lappend_oid(objects, dbid);
656  }
657  break;
658  case OBJECT_DOMAIN:
659  case OBJECT_TYPE:
660  foreach(cell, objnames)
661  {
662  List *typname = (List *) lfirst(cell);
663  Oid oid;
664 
665  oid = typenameTypeId(NULL, makeTypeNameFromNameList(typname));
666  objects = lappend_oid(objects, oid);
667  }
668  break;
669  case OBJECT_FUNCTION:
670  foreach(cell, objnames)
671  {
672  ObjectWithArgs *func = (ObjectWithArgs *) lfirst(cell);
673  Oid funcid;
674 
675  funcid = LookupFuncWithArgs(OBJECT_FUNCTION, func, false);
676  objects = lappend_oid(objects, funcid);
677  }
678  break;
679  case OBJECT_LANGUAGE:
680  foreach(cell, objnames)
681  {
682  char *langname = strVal(lfirst(cell));
683  Oid oid;
684 
685  oid = get_language_oid(langname, false);
686  objects = lappend_oid(objects, oid);
687  }
688  break;
689  case OBJECT_LARGEOBJECT:
690  foreach(cell, objnames)
691  {
692  Oid lobjOid = oidparse(lfirst(cell));
693 
694  if (!LargeObjectExists(lobjOid))
695  ereport(ERROR,
696  (errcode(ERRCODE_UNDEFINED_OBJECT),
697  errmsg("large object %u does not exist",
698  lobjOid)));
699 
700  objects = lappend_oid(objects, lobjOid);
701  }
702  break;
703  case OBJECT_SCHEMA:
704  foreach(cell, objnames)
705  {
706  char *nspname = strVal(lfirst(cell));
707  Oid oid;
708 
709  oid = get_namespace_oid(nspname, false);
710  objects = lappend_oid(objects, oid);
711  }
712  break;
713  case OBJECT_PROCEDURE:
714  foreach(cell, objnames)
715  {
716  ObjectWithArgs *func = (ObjectWithArgs *) lfirst(cell);
717  Oid procid;
718 
719  procid = LookupFuncWithArgs(OBJECT_PROCEDURE, func, false);
720  objects = lappend_oid(objects, procid);
721  }
722  break;
723  case OBJECT_ROUTINE:
724  foreach(cell, objnames)
725  {
726  ObjectWithArgs *func = (ObjectWithArgs *) lfirst(cell);
727  Oid routid;
728 
729  routid = LookupFuncWithArgs(OBJECT_ROUTINE, func, false);
730  objects = lappend_oid(objects, routid);
731  }
732  break;
733  case OBJECT_TABLESPACE:
734  foreach(cell, objnames)
735  {
736  char *spcname = strVal(lfirst(cell));
737  Oid spcoid;
738 
739  spcoid = get_tablespace_oid(spcname, false);
740  objects = lappend_oid(objects, spcoid);
741  }
742  break;
743  case OBJECT_FDW:
744  foreach(cell, objnames)
745  {
746  char *fdwname = strVal(lfirst(cell));
747  Oid fdwid = get_foreign_data_wrapper_oid(fdwname, false);
748 
749  objects = lappend_oid(objects, fdwid);
750  }
751  break;
753  foreach(cell, objnames)
754  {
755  char *srvname = strVal(lfirst(cell));
756  Oid srvid = get_foreign_server_oid(srvname, false);
757 
758  objects = lappend_oid(objects, srvid);
759  }
760  break;
761  default:
762  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
763  (int) objtype);
764  }
765 
766  return objects;
767 }
768 
769 /*
770  * objectsInSchemaToOids
771  *
772  * Find all objects of a given type in specified schemas, and make a list
773  * of their Oids. We check USAGE privilege on the schemas, but there is
774  * no privilege checking on the individual objects here.
775  */
776 static List *
778 {
779  List *objects = NIL;
780  ListCell *cell;
781 
782  foreach(cell, nspnames)
783  {
784  char *nspname = strVal(lfirst(cell));
785  Oid namespaceId;
786  List *objs;
787 
788  namespaceId = LookupExplicitNamespace(nspname, false);
789 
790  switch (objtype)
791  {
792  case OBJECT_TABLE:
793  objs = getRelationsInNamespace(namespaceId, RELKIND_RELATION);
794  objects = list_concat(objects, objs);
795  objs = getRelationsInNamespace(namespaceId, RELKIND_VIEW);
796  objects = list_concat(objects, objs);
797  objs = getRelationsInNamespace(namespaceId, RELKIND_MATVIEW);
798  objects = list_concat(objects, objs);
799  objs = getRelationsInNamespace(namespaceId, RELKIND_FOREIGN_TABLE);
800  objects = list_concat(objects, objs);
801  objs = getRelationsInNamespace(namespaceId, RELKIND_PARTITIONED_TABLE);
802  objects = list_concat(objects, objs);
803  break;
804  case OBJECT_SEQUENCE:
805  objs = getRelationsInNamespace(namespaceId, RELKIND_SEQUENCE);
806  objects = list_concat(objects, objs);
807  break;
808  case OBJECT_FUNCTION:
809  case OBJECT_PROCEDURE:
810  case OBJECT_ROUTINE:
811  {
812  ScanKeyData key[2];
813  int keycount;
814  Relation rel;
815  TableScanDesc scan;
816  HeapTuple tuple;
817 
818  keycount = 0;
819  ScanKeyInit(&key[keycount++],
820  Anum_pg_proc_pronamespace,
821  BTEqualStrategyNumber, F_OIDEQ,
822  ObjectIdGetDatum(namespaceId));
823 
824  if (objtype == OBJECT_FUNCTION)
825  /* includes aggregates and window functions */
826  ScanKeyInit(&key[keycount++],
827  Anum_pg_proc_prokind,
828  BTEqualStrategyNumber, F_CHARNE,
829  CharGetDatum(PROKIND_PROCEDURE));
830  else if (objtype == OBJECT_PROCEDURE)
831  ScanKeyInit(&key[keycount++],
832  Anum_pg_proc_prokind,
833  BTEqualStrategyNumber, F_CHAREQ,
834  CharGetDatum(PROKIND_PROCEDURE));
835 
836  rel = table_open(ProcedureRelationId, AccessShareLock);
837  scan = table_beginscan_catalog(rel, keycount, key);
838 
839  while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
840  {
841  Oid oid = ((Form_pg_proc) GETSTRUCT(tuple))->oid;
842 
843  objects = lappend_oid(objects, oid);
844  }
845 
846  table_endscan(scan);
848  }
849  break;
850  default:
851  /* should not happen */
852  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
853  (int) objtype);
854  }
855  }
856 
857  return objects;
858 }
859 
860 /*
861  * getRelationsInNamespace
862  *
863  * Return Oid list of relations in given namespace filtered by relation kind
864  */
865 static List *
866 getRelationsInNamespace(Oid namespaceId, char relkind)
867 {
868  List *relations = NIL;
869  ScanKeyData key[2];
870  Relation rel;
871  TableScanDesc scan;
872  HeapTuple tuple;
873 
874  ScanKeyInit(&key[0],
875  Anum_pg_class_relnamespace,
876  BTEqualStrategyNumber, F_OIDEQ,
877  ObjectIdGetDatum(namespaceId));
878  ScanKeyInit(&key[1],
879  Anum_pg_class_relkind,
880  BTEqualStrategyNumber, F_CHAREQ,
881  CharGetDatum(relkind));
882 
883  rel = table_open(RelationRelationId, AccessShareLock);
884  scan = table_beginscan_catalog(rel, 2, key);
885 
886  while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
887  {
888  Oid oid = ((Form_pg_class) GETSTRUCT(tuple))->oid;
889 
890  relations = lappend_oid(relations, oid);
891  }
892 
893  table_endscan(scan);
895 
896  return relations;
897 }
898 
899 
900 /*
901  * ALTER DEFAULT PRIVILEGES statement
902  */
903 void
905 {
906  GrantStmt *action = stmt->action;
907  InternalDefaultACL iacls;
908  ListCell *cell;
909  List *rolespecs = NIL;
910  List *nspnames = NIL;
911  DefElem *drolespecs = NULL;
912  DefElem *dnspnames = NULL;
913  AclMode all_privileges;
914  const char *errormsg;
915 
916  /* Deconstruct the "options" part of the statement */
917  foreach(cell, stmt->options)
918  {
919  DefElem *defel = (DefElem *) lfirst(cell);
920 
921  if (strcmp(defel->defname, "schemas") == 0)
922  {
923  if (dnspnames)
924  ereport(ERROR,
925  (errcode(ERRCODE_SYNTAX_ERROR),
926  errmsg("conflicting or redundant options"),
927  parser_errposition(pstate, defel->location)));
928  dnspnames = defel;
929  }
930  else if (strcmp(defel->defname, "roles") == 0)
931  {
932  if (drolespecs)
933  ereport(ERROR,
934  (errcode(ERRCODE_SYNTAX_ERROR),
935  errmsg("conflicting or redundant options"),
936  parser_errposition(pstate, defel->location)));
937  drolespecs = defel;
938  }
939  else
940  elog(ERROR, "option \"%s\" not recognized", defel->defname);
941  }
942 
943  if (dnspnames)
944  nspnames = (List *) dnspnames->arg;
945  if (drolespecs)
946  rolespecs = (List *) drolespecs->arg;
947 
948  /* Prepare the InternalDefaultACL representation of the statement */
949  /* roleid to be filled below */
950  /* nspid to be filled in SetDefaultACLsInSchemas */
951  iacls.is_grant = action->is_grant;
952  iacls.objtype = action->objtype;
953  /* all_privs to be filled below */
954  /* privileges to be filled below */
955  iacls.grantees = NIL; /* filled below */
956  iacls.grant_option = action->grant_option;
957  iacls.behavior = action->behavior;
958 
959  /*
960  * Convert the RoleSpec list into an Oid list. Note that at this point we
961  * insert an ACL_ID_PUBLIC into the list if appropriate, so downstream
962  * there shouldn't be any additional work needed to support this case.
963  */
964  foreach(cell, action->grantees)
965  {
966  RoleSpec *grantee = (RoleSpec *) lfirst(cell);
967  Oid grantee_uid;
968 
969  switch (grantee->roletype)
970  {
971  case ROLESPEC_PUBLIC:
972  grantee_uid = ACL_ID_PUBLIC;
973  break;
974  default:
975  grantee_uid = get_rolespec_oid(grantee, false);
976  break;
977  }
978  iacls.grantees = lappend_oid(iacls.grantees, grantee_uid);
979  }
980 
981  /*
982  * Convert action->privileges, a list of privilege strings, into an
983  * AclMode bitmask.
984  */
985  switch (action->objtype)
986  {
987  case OBJECT_TABLE:
988  all_privileges = ACL_ALL_RIGHTS_RELATION;
989  errormsg = gettext_noop("invalid privilege type %s for relation");
990  break;
991  case OBJECT_SEQUENCE:
992  all_privileges = ACL_ALL_RIGHTS_SEQUENCE;
993  errormsg = gettext_noop("invalid privilege type %s for sequence");
994  break;
995  case OBJECT_FUNCTION:
996  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
997  errormsg = gettext_noop("invalid privilege type %s for function");
998  break;
999  case OBJECT_PROCEDURE:
1000  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
1001  errormsg = gettext_noop("invalid privilege type %s for procedure");
1002  break;
1003  case OBJECT_ROUTINE:
1004  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
1005  errormsg = gettext_noop("invalid privilege type %s for routine");
1006  break;
1007  case OBJECT_TYPE:
1008  all_privileges = ACL_ALL_RIGHTS_TYPE;
1009  errormsg = gettext_noop("invalid privilege type %s for type");
1010  break;
1011  case OBJECT_SCHEMA:
1012  all_privileges = ACL_ALL_RIGHTS_SCHEMA;
1013  errormsg = gettext_noop("invalid privilege type %s for schema");
1014  break;
1015  default:
1016  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
1017  (int) action->objtype);
1018  /* keep compiler quiet */
1019  all_privileges = ACL_NO_RIGHTS;
1020  errormsg = NULL;
1021  }
1022 
1023  if (action->privileges == NIL)
1024  {
1025  iacls.all_privs = true;
1026 
1027  /*
1028  * will be turned into ACL_ALL_RIGHTS_* by the internal routines
1029  * depending on the object type
1030  */
1031  iacls.privileges = ACL_NO_RIGHTS;
1032  }
1033  else
1034  {
1035  iacls.all_privs = false;
1036  iacls.privileges = ACL_NO_RIGHTS;
1037 
1038  foreach(cell, action->privileges)
1039  {
1040  AccessPriv *privnode = (AccessPriv *) lfirst(cell);
1041  AclMode priv;
1042 
1043  if (privnode->cols)
1044  ereport(ERROR,
1045  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1046  errmsg("default privileges cannot be set for columns")));
1047 
1048  if (privnode->priv_name == NULL) /* parser mistake? */
1049  elog(ERROR, "AccessPriv node must specify privilege");
1050  priv = string_to_privilege(privnode->priv_name);
1051 
1052  if (priv & ~((AclMode) all_privileges))
1053  ereport(ERROR,
1054  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1055  errmsg(errormsg, privilege_to_string(priv))));
1056 
1057  iacls.privileges |= priv;
1058  }
1059  }
1060 
1061  if (rolespecs == NIL)
1062  {
1063  /* Set permissions for myself */
1064  iacls.roleid = GetUserId();
1065 
1066  SetDefaultACLsInSchemas(&iacls, nspnames);
1067  }
1068  else
1069  {
1070  /* Look up the role OIDs and do permissions checks */
1071  ListCell *rolecell;
1072 
1073  foreach(rolecell, rolespecs)
1074  {
1075  RoleSpec *rolespec = lfirst(rolecell);
1076 
1077  iacls.roleid = get_rolespec_oid(rolespec, false);
1078 
1079  /*
1080  * We insist that calling user be a member of each target role. If
1081  * he has that, he could become that role anyway via SET ROLE, so
1082  * FOR ROLE is just a syntactic convenience and doesn't give any
1083  * special privileges.
1084  */
1086 
1087  SetDefaultACLsInSchemas(&iacls, nspnames);
1088  }
1089  }
1090 }
1091 
1092 /*
1093  * Process ALTER DEFAULT PRIVILEGES for a list of target schemas
1094  *
1095  * All fields of *iacls except nspid were filled already
1096  */
1097 static void
1099 {
1100  if (nspnames == NIL)
1101  {
1102  /* Set database-wide permissions if no schema was specified */
1103  iacls->nspid = InvalidOid;
1104 
1105  SetDefaultACL(iacls);
1106  }
1107  else
1108  {
1109  /* Look up the schema OIDs and set permissions for each one */
1110  ListCell *nspcell;
1111 
1112  foreach(nspcell, nspnames)
1113  {
1114  char *nspname = strVal(lfirst(nspcell));
1115 
1116  iacls->nspid = get_namespace_oid(nspname, false);
1117 
1118  /*
1119  * We used to insist that the target role have CREATE privileges
1120  * on the schema, since without that it wouldn't be able to create
1121  * an object for which these default privileges would apply.
1122  * However, this check proved to be more confusing than helpful,
1123  * and it also caused certain database states to not be
1124  * dumpable/restorable, since revoking CREATE doesn't cause
1125  * default privileges for the schema to go away. So now, we just
1126  * allow the ALTER; if the user lacks CREATE he'll find out when
1127  * he tries to create an object.
1128  */
1129 
1130  SetDefaultACL(iacls);
1131  }
1132  }
1133 }
1134 
1135 
1136 /*
1137  * Create or update a pg_default_acl entry
1138  */
1139 static void
1141 {
1142  AclMode this_privileges = iacls->privileges;
1143  char objtype;
1144  Relation rel;
1145  HeapTuple tuple;
1146  bool isNew;
1147  Acl *def_acl;
1148  Acl *old_acl;
1149  Acl *new_acl;
1150  HeapTuple newtuple;
1151  Datum values[Natts_pg_default_acl];
1152  bool nulls[Natts_pg_default_acl];
1153  bool replaces[Natts_pg_default_acl];
1154  int noldmembers;
1155  int nnewmembers;
1156  Oid *oldmembers;
1157  Oid *newmembers;
1158 
1159  rel = table_open(DefaultAclRelationId, RowExclusiveLock);
1160 
1161  /*
1162  * The default for a global entry is the hard-wired default ACL for the
1163  * particular object type. The default for non-global entries is an empty
1164  * ACL. This must be so because global entries replace the hard-wired
1165  * defaults, while others are added on.
1166  */
1167  if (!OidIsValid(iacls->nspid))
1168  def_acl = acldefault(iacls->objtype, iacls->roleid);
1169  else
1170  def_acl = make_empty_acl();
1171 
1172  /*
1173  * Convert ACL object type to pg_default_acl object type and handle
1174  * all_privs option
1175  */
1176  switch (iacls->objtype)
1177  {
1178  case OBJECT_TABLE:
1179  objtype = DEFACLOBJ_RELATION;
1180  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1181  this_privileges = ACL_ALL_RIGHTS_RELATION;
1182  break;
1183 
1184  case OBJECT_SEQUENCE:
1185  objtype = DEFACLOBJ_SEQUENCE;
1186  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1187  this_privileges = ACL_ALL_RIGHTS_SEQUENCE;
1188  break;
1189 
1190  case OBJECT_FUNCTION:
1191  objtype = DEFACLOBJ_FUNCTION;
1192  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1193  this_privileges = ACL_ALL_RIGHTS_FUNCTION;
1194  break;
1195 
1196  case OBJECT_TYPE:
1197  objtype = DEFACLOBJ_TYPE;
1198  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1199  this_privileges = ACL_ALL_RIGHTS_TYPE;
1200  break;
1201 
1202  case OBJECT_SCHEMA:
1203  if (OidIsValid(iacls->nspid))
1204  ereport(ERROR,
1205  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1206  errmsg("cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS")));
1207  objtype = DEFACLOBJ_NAMESPACE;
1208  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1209  this_privileges = ACL_ALL_RIGHTS_SCHEMA;
1210  break;
1211 
1212  default:
1213  elog(ERROR, "unrecognized objtype: %d",
1214  (int) iacls->objtype);
1215  objtype = 0; /* keep compiler quiet */
1216  break;
1217  }
1218 
1219  /* Search for existing row for this object type in catalog */
1221  ObjectIdGetDatum(iacls->roleid),
1222  ObjectIdGetDatum(iacls->nspid),
1223  CharGetDatum(objtype));
1224 
1225  if (HeapTupleIsValid(tuple))
1226  {
1227  Datum aclDatum;
1228  bool isNull;
1229 
1230  aclDatum = SysCacheGetAttr(DEFACLROLENSPOBJ, tuple,
1231  Anum_pg_default_acl_defaclacl,
1232  &isNull);
1233  if (!isNull)
1234  old_acl = DatumGetAclPCopy(aclDatum);
1235  else
1236  old_acl = NULL; /* this case shouldn't happen, probably */
1237  isNew = false;
1238  }
1239  else
1240  {
1241  old_acl = NULL;
1242  isNew = true;
1243  }
1244 
1245  if (old_acl != NULL)
1246  {
1247  /*
1248  * We need the members of both old and new ACLs so we can correct the
1249  * shared dependency information. Collect data before
1250  * merge_acl_with_grant throws away old_acl.
1251  */
1252  noldmembers = aclmembers(old_acl, &oldmembers);
1253  }
1254  else
1255  {
1256  /* If no or null entry, start with the default ACL value */
1257  old_acl = aclcopy(def_acl);
1258  /* There are no old member roles according to the catalogs */
1259  noldmembers = 0;
1260  oldmembers = NULL;
1261  }
1262 
1263  /*
1264  * Generate new ACL. Grantor of rights is always the same as the target
1265  * role.
1266  */
1267  new_acl = merge_acl_with_grant(old_acl,
1268  iacls->is_grant,
1269  iacls->grant_option,
1270  iacls->behavior,
1271  iacls->grantees,
1272  this_privileges,
1273  iacls->roleid,
1274  iacls->roleid);
1275 
1276  /*
1277  * If the result is the same as the default value, we do not need an
1278  * explicit pg_default_acl entry, and should in fact remove the entry if
1279  * it exists. Must sort both arrays to compare properly.
1280  */
1281  aclitemsort(new_acl);
1282  aclitemsort(def_acl);
1283  if (aclequal(new_acl, def_acl))
1284  {
1285  /* delete old entry, if indeed there is one */
1286  if (!isNew)
1287  {
1288  ObjectAddress myself;
1289 
1290  /*
1291  * The dependency machinery will take care of removing all
1292  * associated dependency entries. We use DROP_RESTRICT since
1293  * there shouldn't be anything depending on this entry.
1294  */
1295  myself.classId = DefaultAclRelationId;
1296  myself.objectId = ((Form_pg_default_acl) GETSTRUCT(tuple))->oid;
1297  myself.objectSubId = 0;
1298 
1299  performDeletion(&myself, DROP_RESTRICT, 0);
1300  }
1301  }
1302  else
1303  {
1304  Oid defAclOid;
1305 
1306  /* Prepare to insert or update pg_default_acl entry */
1307  MemSet(values, 0, sizeof(values));
1308  MemSet(nulls, false, sizeof(nulls));
1309  MemSet(replaces, false, sizeof(replaces));
1310 
1311  if (isNew)
1312  {
1313  /* insert new entry */
1314  defAclOid = GetNewOidWithIndex(rel, DefaultAclOidIndexId,
1315  Anum_pg_default_acl_oid);
1316  values[Anum_pg_default_acl_oid - 1] = ObjectIdGetDatum(defAclOid);
1317  values[Anum_pg_default_acl_defaclrole - 1] = ObjectIdGetDatum(iacls->roleid);
1318  values[Anum_pg_default_acl_defaclnamespace - 1] = ObjectIdGetDatum(iacls->nspid);
1319  values[Anum_pg_default_acl_defaclobjtype - 1] = CharGetDatum(objtype);
1320  values[Anum_pg_default_acl_defaclacl - 1] = PointerGetDatum(new_acl);
1321 
1322  newtuple = heap_form_tuple(RelationGetDescr(rel), values, nulls);
1323  CatalogTupleInsert(rel, newtuple);
1324  }
1325  else
1326  {
1327  defAclOid = ((Form_pg_default_acl) GETSTRUCT(tuple))->oid;
1328 
1329  /* update existing entry */
1330  values[Anum_pg_default_acl_defaclacl - 1] = PointerGetDatum(new_acl);
1331  replaces[Anum_pg_default_acl_defaclacl - 1] = true;
1332 
1333  newtuple = heap_modify_tuple(tuple, RelationGetDescr(rel),
1334  values, nulls, replaces);
1335  CatalogTupleUpdate(rel, &newtuple->t_self, newtuple);
1336  }
1337 
1338  /* these dependencies don't change in an update */
1339  if (isNew)
1340  {
1341  /* dependency on role */
1342  recordDependencyOnOwner(DefaultAclRelationId, defAclOid,
1343  iacls->roleid);
1344 
1345  /* dependency on namespace */
1346  if (OidIsValid(iacls->nspid))
1347  {
1348  ObjectAddress myself,
1349  referenced;
1350 
1351  myself.classId = DefaultAclRelationId;
1352  myself.objectId = defAclOid;
1353  myself.objectSubId = 0;
1354 
1355  referenced.classId = NamespaceRelationId;
1356  referenced.objectId = iacls->nspid;
1357  referenced.objectSubId = 0;
1358 
1359  recordDependencyOn(&myself, &referenced, DEPENDENCY_AUTO);
1360  }
1361  }
1362 
1363  /*
1364  * Update the shared dependency ACL info
1365  */
1366  nnewmembers = aclmembers(new_acl, &newmembers);
1367 
1368  updateAclDependencies(DefaultAclRelationId,
1369  defAclOid, 0,
1370  iacls->roleid,
1371  noldmembers, oldmembers,
1372  nnewmembers, newmembers);
1373 
1374  if (isNew)
1375  InvokeObjectPostCreateHook(DefaultAclRelationId, defAclOid, 0);
1376  else
1377  InvokeObjectPostAlterHook(DefaultAclRelationId, defAclOid, 0);
1378  }
1379 
1380  if (HeapTupleIsValid(tuple))
1381  ReleaseSysCache(tuple);
1382 
1384 
1385  /* prevent error when processing duplicate objects */
1387 }
1388 
1389 
1390 /*
1391  * RemoveRoleFromObjectACL
1392  *
1393  * Used by shdepDropOwned to remove mentions of a role in ACLs
1394  */
1395 void
1396 RemoveRoleFromObjectACL(Oid roleid, Oid classid, Oid objid)
1397 {
1398  if (classid == DefaultAclRelationId)
1399  {
1400  InternalDefaultACL iacls;
1401  Form_pg_default_acl pg_default_acl_tuple;
1402  Relation rel;
1403  ScanKeyData skey[1];
1404  SysScanDesc scan;
1405  HeapTuple tuple;
1406 
1407  /* first fetch info needed by SetDefaultACL */
1408  rel = table_open(DefaultAclRelationId, AccessShareLock);
1409 
1410  ScanKeyInit(&skey[0],
1411  Anum_pg_default_acl_oid,
1412  BTEqualStrategyNumber, F_OIDEQ,
1413  ObjectIdGetDatum(objid));
1414 
1415  scan = systable_beginscan(rel, DefaultAclOidIndexId, true,
1416  NULL, 1, skey);
1417 
1418  tuple = systable_getnext(scan);
1419 
1420  if (!HeapTupleIsValid(tuple))
1421  elog(ERROR, "could not find tuple for default ACL %u", objid);
1422 
1423  pg_default_acl_tuple = (Form_pg_default_acl) GETSTRUCT(tuple);
1424 
1425  iacls.roleid = pg_default_acl_tuple->defaclrole;
1426  iacls.nspid = pg_default_acl_tuple->defaclnamespace;
1427 
1428  switch (pg_default_acl_tuple->defaclobjtype)
1429  {
1430  case DEFACLOBJ_RELATION:
1431  iacls.objtype = OBJECT_TABLE;
1432  break;
1433  case DEFACLOBJ_SEQUENCE:
1434  iacls.objtype = OBJECT_SEQUENCE;
1435  break;
1436  case DEFACLOBJ_FUNCTION:
1437  iacls.objtype = OBJECT_FUNCTION;
1438  break;
1439  case DEFACLOBJ_TYPE:
1440  iacls.objtype = OBJECT_TYPE;
1441  break;
1442  case DEFACLOBJ_NAMESPACE:
1443  iacls.objtype = OBJECT_SCHEMA;
1444  break;
1445  default:
1446  /* Shouldn't get here */
1447  elog(ERROR, "unexpected default ACL type: %d",
1448  (int) pg_default_acl_tuple->defaclobjtype);
1449  break;
1450  }
1451 
1452  systable_endscan(scan);
1454 
1455  iacls.is_grant = false;
1456  iacls.all_privs = true;
1457  iacls.privileges = ACL_NO_RIGHTS;
1458  iacls.grantees = list_make1_oid(roleid);
1459  iacls.grant_option = false;
1460  iacls.behavior = DROP_CASCADE;
1461 
1462  /* Do it */
1463  SetDefaultACL(&iacls);
1464  }
1465  else
1466  {
1467  InternalGrant istmt;
1468 
1469  switch (classid)
1470  {
1471  case RelationRelationId:
1472  /* it's OK to use TABLE for a sequence */
1473  istmt.objtype = OBJECT_TABLE;
1474  break;
1475  case DatabaseRelationId:
1476  istmt.objtype = OBJECT_DATABASE;
1477  break;
1478  case TypeRelationId:
1479  istmt.objtype = OBJECT_TYPE;
1480  break;
1481  case ProcedureRelationId:
1482  istmt.objtype = OBJECT_ROUTINE;
1483  break;
1484  case LanguageRelationId:
1485  istmt.objtype = OBJECT_LANGUAGE;
1486  break;
1487  case LargeObjectRelationId:
1488  istmt.objtype = OBJECT_LARGEOBJECT;
1489  break;
1490  case NamespaceRelationId:
1491  istmt.objtype = OBJECT_SCHEMA;
1492  break;
1493  case TableSpaceRelationId:
1494  istmt.objtype = OBJECT_TABLESPACE;
1495  break;
1496  case ForeignServerRelationId:
1498  break;
1499  case ForeignDataWrapperRelationId:
1500  istmt.objtype = OBJECT_FDW;
1501  break;
1502  default:
1503  elog(ERROR, "unexpected object class %u", classid);
1504  break;
1505  }
1506  istmt.is_grant = false;
1507  istmt.objects = list_make1_oid(objid);
1508  istmt.all_privs = true;
1509  istmt.privileges = ACL_NO_RIGHTS;
1510  istmt.col_privs = NIL;
1511  istmt.grantees = list_make1_oid(roleid);
1512  istmt.grant_option = false;
1513  istmt.behavior = DROP_CASCADE;
1514 
1515  ExecGrantStmt_oids(&istmt);
1516  }
1517 }
1518 
1519 
1520 /*
1521  * expand_col_privileges
1522  *
1523  * OR the specified privilege(s) into per-column array entries for each
1524  * specified attribute. The per-column array is indexed starting at
1525  * FirstLowInvalidHeapAttributeNumber, up to relation's last attribute.
1526  */
1527 static void
1528 expand_col_privileges(List *colnames, Oid table_oid,
1529  AclMode this_privileges,
1530  AclMode *col_privileges,
1531  int num_col_privileges)
1532 {
1533  ListCell *cell;
1534 
1535  foreach(cell, colnames)
1536  {
1537  char *colname = strVal(lfirst(cell));
1539 
1540  attnum = get_attnum(table_oid, colname);
1541  if (attnum == InvalidAttrNumber)
1542  ereport(ERROR,
1543  (errcode(ERRCODE_UNDEFINED_COLUMN),
1544  errmsg("column \"%s\" of relation \"%s\" does not exist",
1545  colname, get_rel_name(table_oid))));
1547  if (attnum <= 0 || attnum >= num_col_privileges)
1548  elog(ERROR, "column number out of range"); /* safety check */
1549  col_privileges[attnum] |= this_privileges;
1550  }
1551 }
1552 
1553 /*
1554  * expand_all_col_privileges
1555  *
1556  * OR the specified privilege(s) into per-column array entries for each valid
1557  * attribute of a relation. The per-column array is indexed starting at
1558  * FirstLowInvalidHeapAttributeNumber, up to relation's last attribute.
1559  */
1560 static void
1562  AclMode this_privileges,
1563  AclMode *col_privileges,
1564  int num_col_privileges)
1565 {
1566  AttrNumber curr_att;
1567 
1568  Assert(classForm->relnatts - FirstLowInvalidHeapAttributeNumber < num_col_privileges);
1569  for (curr_att = FirstLowInvalidHeapAttributeNumber + 1;
1570  curr_att <= classForm->relnatts;
1571  curr_att++)
1572  {
1573  HeapTuple attTuple;
1574  bool isdropped;
1575 
1576  if (curr_att == InvalidAttrNumber)
1577  continue;
1578 
1579  /* Views don't have any system columns at all */
1580  if (classForm->relkind == RELKIND_VIEW && curr_att < 0)
1581  continue;
1582 
1583  attTuple = SearchSysCache2(ATTNUM,
1584  ObjectIdGetDatum(table_oid),
1585  Int16GetDatum(curr_att));
1586  if (!HeapTupleIsValid(attTuple))
1587  elog(ERROR, "cache lookup failed for attribute %d of relation %u",
1588  curr_att, table_oid);
1589 
1590  isdropped = ((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped;
1591 
1592  ReleaseSysCache(attTuple);
1593 
1594  /* ignore dropped columns */
1595  if (isdropped)
1596  continue;
1597 
1598  col_privileges[curr_att - FirstLowInvalidHeapAttributeNumber] |= this_privileges;
1599  }
1600 }
1601 
1602 /*
1603  * This processes attributes, but expects to be called from
1604  * ExecGrant_Relation, not directly from ExecuteGrantStmt.
1605  */
1606 static void
1607 ExecGrant_Attribute(InternalGrant *istmt, Oid relOid, const char *relname,
1608  AttrNumber attnum, Oid ownerId, AclMode col_privileges,
1609  Relation attRelation, const Acl *old_rel_acl)
1610 {
1611  HeapTuple attr_tuple;
1612  Form_pg_attribute pg_attribute_tuple;
1613  Acl *old_acl;
1614  Acl *new_acl;
1615  Acl *merged_acl;
1616  Datum aclDatum;
1617  bool isNull;
1618  Oid grantorId;
1619  AclMode avail_goptions;
1620  bool need_update;
1621  HeapTuple newtuple;
1622  Datum values[Natts_pg_attribute];
1623  bool nulls[Natts_pg_attribute];
1624  bool replaces[Natts_pg_attribute];
1625  int noldmembers;
1626  int nnewmembers;
1627  Oid *oldmembers;
1628  Oid *newmembers;
1629 
1630  attr_tuple = SearchSysCache2(ATTNUM,
1631  ObjectIdGetDatum(relOid),
1632  Int16GetDatum(attnum));
1633  if (!HeapTupleIsValid(attr_tuple))
1634  elog(ERROR, "cache lookup failed for attribute %d of relation %u",
1635  attnum, relOid);
1636  pg_attribute_tuple = (Form_pg_attribute) GETSTRUCT(attr_tuple);
1637 
1638  /*
1639  * Get working copy of existing ACL. If there's no ACL, substitute the
1640  * proper default.
1641  */
1642  aclDatum = SysCacheGetAttr(ATTNUM, attr_tuple, Anum_pg_attribute_attacl,
1643  &isNull);
1644  if (isNull)
1645  {
1646  old_acl = acldefault(OBJECT_COLUMN, ownerId);
1647  /* There are no old member roles according to the catalogs */
1648  noldmembers = 0;
1649  oldmembers = NULL;
1650  }
1651  else
1652  {
1653  old_acl = DatumGetAclPCopy(aclDatum);
1654  /* Get the roles mentioned in the existing ACL */
1655  noldmembers = aclmembers(old_acl, &oldmembers);
1656  }
1657 
1658  /*
1659  * In select_best_grantor we should consider existing table-level ACL bits
1660  * as well as the per-column ACL. Build a new ACL that is their
1661  * concatenation. (This is a bit cheap and dirty compared to merging them
1662  * properly with no duplications, but it's all we need here.)
1663  */
1664  merged_acl = aclconcat(old_rel_acl, old_acl);
1665 
1666  /* Determine ID to do the grant as, and available grant options */
1667  select_best_grantor(GetUserId(), col_privileges,
1668  merged_acl, ownerId,
1669  &grantorId, &avail_goptions);
1670 
1671  pfree(merged_acl);
1672 
1673  /*
1674  * Restrict the privileges to what we can actually grant, and emit the
1675  * standards-mandated warning and error messages. Note: we don't track
1676  * whether the user actually used the ALL PRIVILEGES(columns) syntax for
1677  * each column; we just approximate it by whether all the possible
1678  * privileges are specified now. Since the all_privs flag only determines
1679  * whether a warning is issued, this seems close enough.
1680  */
1681  col_privileges =
1682  restrict_and_check_grant(istmt->is_grant, avail_goptions,
1683  (col_privileges == ACL_ALL_RIGHTS_COLUMN),
1684  col_privileges,
1685  relOid, grantorId, OBJECT_COLUMN,
1686  relname, attnum,
1687  NameStr(pg_attribute_tuple->attname));
1688 
1689  /*
1690  * Generate new ACL.
1691  */
1692  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
1693  istmt->grant_option,
1694  istmt->behavior, istmt->grantees,
1695  col_privileges, grantorId,
1696  ownerId);
1697 
1698  /*
1699  * We need the members of both old and new ACLs so we can correct the
1700  * shared dependency information.
1701  */
1702  nnewmembers = aclmembers(new_acl, &newmembers);
1703 
1704  /* finished building new ACL value, now insert it */
1705  MemSet(values, 0, sizeof(values));
1706  MemSet(nulls, false, sizeof(nulls));
1707  MemSet(replaces, false, sizeof(replaces));
1708 
1709  /*
1710  * If the updated ACL is empty, we can set attacl to null, and maybe even
1711  * avoid an update of the pg_attribute row. This is worth testing because
1712  * we'll come through here multiple times for any relation-level REVOKE,
1713  * even if there were never any column GRANTs. Note we are assuming that
1714  * the "default" ACL state for columns is empty.
1715  */
1716  if (ACL_NUM(new_acl) > 0)
1717  {
1718  values[Anum_pg_attribute_attacl - 1] = PointerGetDatum(new_acl);
1719  need_update = true;
1720  }
1721  else
1722  {
1723  nulls[Anum_pg_attribute_attacl - 1] = true;
1724  need_update = !isNull;
1725  }
1726  replaces[Anum_pg_attribute_attacl - 1] = true;
1727 
1728  if (need_update)
1729  {
1730  newtuple = heap_modify_tuple(attr_tuple, RelationGetDescr(attRelation),
1731  values, nulls, replaces);
1732 
1733  CatalogTupleUpdate(attRelation, &newtuple->t_self, newtuple);
1734 
1735  /* Update initial privileges for extensions */
1736  recordExtensionInitPriv(relOid, RelationRelationId, attnum,
1737  ACL_NUM(new_acl) > 0 ? new_acl : NULL);
1738 
1739  /* Update the shared dependency ACL info */
1740  updateAclDependencies(RelationRelationId, relOid, attnum,
1741  ownerId,
1742  noldmembers, oldmembers,
1743  nnewmembers, newmembers);
1744  }
1745 
1746  pfree(new_acl);
1747 
1748  ReleaseSysCache(attr_tuple);
1749 }
1750 
1751 /*
1752  * This processes both sequences and non-sequences.
1753  */
1754 static void
1756 {
1757  Relation relation;
1758  Relation attRelation;
1759  ListCell *cell;
1760 
1761  relation = table_open(RelationRelationId, RowExclusiveLock);
1762  attRelation = table_open(AttributeRelationId, RowExclusiveLock);
1763 
1764  foreach(cell, istmt->objects)
1765  {
1766  Oid relOid = lfirst_oid(cell);
1767  Datum aclDatum;
1768  Form_pg_class pg_class_tuple;
1769  bool isNull;
1770  AclMode this_privileges;
1771  AclMode *col_privileges;
1772  int num_col_privileges;
1773  bool have_col_privileges;
1774  Acl *old_acl;
1775  Acl *old_rel_acl;
1776  int noldmembers;
1777  Oid *oldmembers;
1778  Oid ownerId;
1779  HeapTuple tuple;
1780  ListCell *cell_colprivs;
1781 
1782  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relOid));
1783  if (!HeapTupleIsValid(tuple))
1784  elog(ERROR, "cache lookup failed for relation %u", relOid);
1785  pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
1786 
1787  /* Not sensible to grant on an index */
1788  if (pg_class_tuple->relkind == RELKIND_INDEX ||
1789  pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX)
1790  ereport(ERROR,
1791  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
1792  errmsg("\"%s\" is an index",
1793  NameStr(pg_class_tuple->relname))));
1794 
1795  /* Composite types aren't tables either */
1796  if (pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
1797  ereport(ERROR,
1798  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
1799  errmsg("\"%s\" is a composite type",
1800  NameStr(pg_class_tuple->relname))));
1801 
1802  /* Used GRANT SEQUENCE on a non-sequence? */
1803  if (istmt->objtype == OBJECT_SEQUENCE &&
1804  pg_class_tuple->relkind != RELKIND_SEQUENCE)
1805  ereport(ERROR,
1806  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
1807  errmsg("\"%s\" is not a sequence",
1808  NameStr(pg_class_tuple->relname))));
1809 
1810  /* Adjust the default permissions based on object type */
1811  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
1812  {
1813  if (pg_class_tuple->relkind == RELKIND_SEQUENCE)
1814  this_privileges = ACL_ALL_RIGHTS_SEQUENCE;
1815  else
1816  this_privileges = ACL_ALL_RIGHTS_RELATION;
1817  }
1818  else
1819  this_privileges = istmt->privileges;
1820 
1821  /*
1822  * The GRANT TABLE syntax can be used for sequences and non-sequences,
1823  * so we have to look at the relkind to determine the supported
1824  * permissions. The OR of table and sequence permissions were already
1825  * checked.
1826  */
1827  if (istmt->objtype == OBJECT_TABLE)
1828  {
1829  if (pg_class_tuple->relkind == RELKIND_SEQUENCE)
1830  {
1831  /*
1832  * For backward compatibility, just throw a warning for
1833  * invalid sequence permissions when using the non-sequence
1834  * GRANT syntax.
1835  */
1836  if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_SEQUENCE))
1837  {
1838  /*
1839  * Mention the object name because the user needs to know
1840  * which operations succeeded. This is required because
1841  * WARNING allows the command to continue.
1842  */
1843  ereport(WARNING,
1844  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1845  errmsg("sequence \"%s\" only supports USAGE, SELECT, and UPDATE privileges",
1846  NameStr(pg_class_tuple->relname))));
1847  this_privileges &= (AclMode) ACL_ALL_RIGHTS_SEQUENCE;
1848  }
1849  }
1850  else
1851  {
1852  if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
1853  {
1854  /*
1855  * USAGE is the only permission supported by sequences but
1856  * not by non-sequences. Don't mention the object name
1857  * because we didn't in the combined TABLE | SEQUENCE
1858  * check.
1859  */
1860  ereport(ERROR,
1861  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1862  errmsg("invalid privilege type %s for table",
1863  "USAGE")));
1864  }
1865  }
1866  }
1867 
1868  /*
1869  * Set up array in which we'll accumulate any column privilege bits
1870  * that need modification. The array is indexed such that entry [0]
1871  * corresponds to FirstLowInvalidHeapAttributeNumber.
1872  */
1873  num_col_privileges = pg_class_tuple->relnatts - FirstLowInvalidHeapAttributeNumber + 1;
1874  col_privileges = (AclMode *) palloc0(num_col_privileges * sizeof(AclMode));
1875  have_col_privileges = false;
1876 
1877  /*
1878  * If we are revoking relation privileges that are also column
1879  * privileges, we must implicitly revoke them from each column too,
1880  * per SQL spec. (We don't need to implicitly add column privileges
1881  * during GRANT because the permissions-checking code always checks
1882  * both relation and per-column privileges.)
1883  */
1884  if (!istmt->is_grant &&
1885  (this_privileges & ACL_ALL_RIGHTS_COLUMN) != 0)
1886  {
1887  expand_all_col_privileges(relOid, pg_class_tuple,
1888  this_privileges & ACL_ALL_RIGHTS_COLUMN,
1889  col_privileges,
1890  num_col_privileges);
1891  have_col_privileges = true;
1892  }
1893 
1894  /*
1895  * Get owner ID and working copy of existing ACL. If there's no ACL,
1896  * substitute the proper default.
1897  */
1898  ownerId = pg_class_tuple->relowner;
1899  aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
1900  &isNull);
1901  if (isNull)
1902  {
1903  switch (pg_class_tuple->relkind)
1904  {
1905  case RELKIND_SEQUENCE:
1906  old_acl = acldefault(OBJECT_SEQUENCE, ownerId);
1907  break;
1908  default:
1909  old_acl = acldefault(OBJECT_TABLE, ownerId);
1910  break;
1911  }
1912  /* There are no old member roles according to the catalogs */
1913  noldmembers = 0;
1914  oldmembers = NULL;
1915  }
1916  else
1917  {
1918  old_acl = DatumGetAclPCopy(aclDatum);
1919  /* Get the roles mentioned in the existing ACL */
1920  noldmembers = aclmembers(old_acl, &oldmembers);
1921  }
1922 
1923  /* Need an extra copy of original rel ACL for column handling */
1924  old_rel_acl = aclcopy(old_acl);
1925 
1926  /*
1927  * Handle relation-level privileges, if any were specified
1928  */
1929  if (this_privileges != ACL_NO_RIGHTS)
1930  {
1931  AclMode avail_goptions;
1932  Acl *new_acl;
1933  Oid grantorId;
1934  HeapTuple newtuple;
1935  Datum values[Natts_pg_class];
1936  bool nulls[Natts_pg_class];
1937  bool replaces[Natts_pg_class];
1938  int nnewmembers;
1939  Oid *newmembers;
1940  ObjectType objtype;
1941 
1942  /* Determine ID to do the grant as, and available grant options */
1943  select_best_grantor(GetUserId(), this_privileges,
1944  old_acl, ownerId,
1945  &grantorId, &avail_goptions);
1946 
1947  switch (pg_class_tuple->relkind)
1948  {
1949  case RELKIND_SEQUENCE:
1950  objtype = OBJECT_SEQUENCE;
1951  break;
1952  default:
1953  objtype = OBJECT_TABLE;
1954  break;
1955  }
1956 
1957  /*
1958  * Restrict the privileges to what we can actually grant, and emit
1959  * the standards-mandated warning and error messages.
1960  */
1961  this_privileges =
1962  restrict_and_check_grant(istmt->is_grant, avail_goptions,
1963  istmt->all_privs, this_privileges,
1964  relOid, grantorId, objtype,
1965  NameStr(pg_class_tuple->relname),
1966  0, NULL);
1967 
1968  /*
1969  * Generate new ACL.
1970  */
1971  new_acl = merge_acl_with_grant(old_acl,
1972  istmt->is_grant,
1973  istmt->grant_option,
1974  istmt->behavior,
1975  istmt->grantees,
1976  this_privileges,
1977  grantorId,
1978  ownerId);
1979 
1980  /*
1981  * We need the members of both old and new ACLs so we can correct
1982  * the shared dependency information.
1983  */
1984  nnewmembers = aclmembers(new_acl, &newmembers);
1985 
1986  /* finished building new ACL value, now insert it */
1987  MemSet(values, 0, sizeof(values));
1988  MemSet(nulls, false, sizeof(nulls));
1989  MemSet(replaces, false, sizeof(replaces));
1990 
1991  replaces[Anum_pg_class_relacl - 1] = true;
1992  values[Anum_pg_class_relacl - 1] = PointerGetDatum(new_acl);
1993 
1994  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
1995  values, nulls, replaces);
1996 
1997  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
1998 
1999  /* Update initial privileges for extensions */
2000  recordExtensionInitPriv(relOid, RelationRelationId, 0, new_acl);
2001 
2002  /* Update the shared dependency ACL info */
2003  updateAclDependencies(RelationRelationId, relOid, 0,
2004  ownerId,
2005  noldmembers, oldmembers,
2006  nnewmembers, newmembers);
2007 
2008  pfree(new_acl);
2009  }
2010 
2011  /*
2012  * Handle column-level privileges, if any were specified or implied.
2013  * We first expand the user-specified column privileges into the
2014  * array, and then iterate over all nonempty array entries.
2015  */
2016  foreach(cell_colprivs, istmt->col_privs)
2017  {
2018  AccessPriv *col_privs = (AccessPriv *) lfirst(cell_colprivs);
2019 
2020  if (col_privs->priv_name == NULL)
2021  this_privileges = ACL_ALL_RIGHTS_COLUMN;
2022  else
2023  this_privileges = string_to_privilege(col_privs->priv_name);
2024 
2025  if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_COLUMN))
2026  ereport(ERROR,
2027  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
2028  errmsg("invalid privilege type %s for column",
2029  privilege_to_string(this_privileges))));
2030 
2031  if (pg_class_tuple->relkind == RELKIND_SEQUENCE &&
2032  this_privileges & ~((AclMode) ACL_SELECT))
2033  {
2034  /*
2035  * The only column privilege allowed on sequences is SELECT.
2036  * This is a warning not error because we do it that way for
2037  * relation-level privileges.
2038  */
2039  ereport(WARNING,
2040  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
2041  errmsg("sequence \"%s\" only supports SELECT column privileges",
2042  NameStr(pg_class_tuple->relname))));
2043 
2044  this_privileges &= (AclMode) ACL_SELECT;
2045  }
2046 
2047  expand_col_privileges(col_privs->cols, relOid,
2048  this_privileges,
2049  col_privileges,
2050  num_col_privileges);
2051  have_col_privileges = true;
2052  }
2053 
2054  if (have_col_privileges)
2055  {
2056  AttrNumber i;
2057 
2058  for (i = 0; i < num_col_privileges; i++)
2059  {
2060  if (col_privileges[i] == ACL_NO_RIGHTS)
2061  continue;
2062  ExecGrant_Attribute(istmt,
2063  relOid,
2064  NameStr(pg_class_tuple->relname),
2066  ownerId,
2067  col_privileges[i],
2068  attRelation,
2069  old_rel_acl);
2070  }
2071  }
2072 
2073  pfree(old_rel_acl);
2074  pfree(col_privileges);
2075 
2076  ReleaseSysCache(tuple);
2077 
2078  /* prevent error when processing duplicate objects */
2080  }
2081 
2082  table_close(attRelation, RowExclusiveLock);
2083  table_close(relation, RowExclusiveLock);
2084 }
2085 
2086 static void
2088 {
2089  Relation relation;
2090  ListCell *cell;
2091 
2092  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2094 
2095  relation = table_open(DatabaseRelationId, RowExclusiveLock);
2096 
2097  foreach(cell, istmt->objects)
2098  {
2099  Oid datId = lfirst_oid(cell);
2100  Form_pg_database pg_database_tuple;
2101  Datum aclDatum;
2102  bool isNull;
2103  AclMode avail_goptions;
2104  AclMode this_privileges;
2105  Acl *old_acl;
2106  Acl *new_acl;
2107  Oid grantorId;
2108  Oid ownerId;
2109  HeapTuple newtuple;
2110  Datum values[Natts_pg_database];
2111  bool nulls[Natts_pg_database];
2112  bool replaces[Natts_pg_database];
2113  int noldmembers;
2114  int nnewmembers;
2115  Oid *oldmembers;
2116  Oid *newmembers;
2117  HeapTuple tuple;
2118 
2119  tuple = SearchSysCache1(DATABASEOID, ObjectIdGetDatum(datId));
2120  if (!HeapTupleIsValid(tuple))
2121  elog(ERROR, "cache lookup failed for database %u", datId);
2122 
2123  pg_database_tuple = (Form_pg_database) GETSTRUCT(tuple);
2124 
2125  /*
2126  * Get owner ID and working copy of existing ACL. If there's no ACL,
2127  * substitute the proper default.
2128  */
2129  ownerId = pg_database_tuple->datdba;
2130  aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
2131  RelationGetDescr(relation), &isNull);
2132  if (isNull)
2133  {
2134  old_acl = acldefault(OBJECT_DATABASE, ownerId);
2135  /* There are no old member roles according to the catalogs */
2136  noldmembers = 0;
2137  oldmembers = NULL;
2138  }
2139  else
2140  {
2141  old_acl = DatumGetAclPCopy(aclDatum);
2142  /* Get the roles mentioned in the existing ACL */
2143  noldmembers = aclmembers(old_acl, &oldmembers);
2144  }
2145 
2146  /* Determine ID to do the grant as, and available grant options */
2148  old_acl, ownerId,
2149  &grantorId, &avail_goptions);
2150 
2151  /*
2152  * Restrict the privileges to what we can actually grant, and emit the
2153  * standards-mandated warning and error messages.
2154  */
2155  this_privileges =
2156  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2157  istmt->all_privs, istmt->privileges,
2158  datId, grantorId, OBJECT_DATABASE,
2159  NameStr(pg_database_tuple->datname),
2160  0, NULL);
2161 
2162  /*
2163  * Generate new ACL.
2164  */
2165  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2166  istmt->grant_option, istmt->behavior,
2167  istmt->grantees, this_privileges,
2168  grantorId, ownerId);
2169 
2170  /*
2171  * We need the members of both old and new ACLs so we can correct the
2172  * shared dependency information.
2173  */
2174  nnewmembers = aclmembers(new_acl, &newmembers);
2175 
2176  /* finished building new ACL value, now insert it */
2177  MemSet(values, 0, sizeof(values));
2178  MemSet(nulls, false, sizeof(nulls));
2179  MemSet(replaces, false, sizeof(replaces));
2180 
2181  replaces[Anum_pg_database_datacl - 1] = true;
2182  values[Anum_pg_database_datacl - 1] = PointerGetDatum(new_acl);
2183 
2184  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2185  nulls, replaces);
2186 
2187  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2188 
2189  /* Update the shared dependency ACL info */
2190  updateAclDependencies(DatabaseRelationId, pg_database_tuple->oid, 0,
2191  ownerId,
2192  noldmembers, oldmembers,
2193  nnewmembers, newmembers);
2194 
2195  ReleaseSysCache(tuple);
2196 
2197  pfree(new_acl);
2198 
2199  /* prevent error when processing duplicate objects */
2201  }
2202 
2203  table_close(relation, RowExclusiveLock);
2204 }
2205 
2206 static void
2208 {
2209  Relation relation;
2210  ListCell *cell;
2211 
2212  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2213  istmt->privileges = ACL_ALL_RIGHTS_FDW;
2214 
2215  relation = table_open(ForeignDataWrapperRelationId, RowExclusiveLock);
2216 
2217  foreach(cell, istmt->objects)
2218  {
2219  Oid fdwid = lfirst_oid(cell);
2220  Form_pg_foreign_data_wrapper pg_fdw_tuple;
2221  Datum aclDatum;
2222  bool isNull;
2223  AclMode avail_goptions;
2224  AclMode this_privileges;
2225  Acl *old_acl;
2226  Acl *new_acl;
2227  Oid grantorId;
2228  Oid ownerId;
2229  HeapTuple tuple;
2230  HeapTuple newtuple;
2231  Datum values[Natts_pg_foreign_data_wrapper];
2232  bool nulls[Natts_pg_foreign_data_wrapper];
2233  bool replaces[Natts_pg_foreign_data_wrapper];
2234  int noldmembers;
2235  int nnewmembers;
2236  Oid *oldmembers;
2237  Oid *newmembers;
2238 
2240  ObjectIdGetDatum(fdwid));
2241  if (!HeapTupleIsValid(tuple))
2242  elog(ERROR, "cache lookup failed for foreign-data wrapper %u", fdwid);
2243 
2244  pg_fdw_tuple = (Form_pg_foreign_data_wrapper) GETSTRUCT(tuple);
2245 
2246  /*
2247  * Get owner ID and working copy of existing ACL. If there's no ACL,
2248  * substitute the proper default.
2249  */
2250  ownerId = pg_fdw_tuple->fdwowner;
2251  aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple,
2252  Anum_pg_foreign_data_wrapper_fdwacl,
2253  &isNull);
2254  if (isNull)
2255  {
2256  old_acl = acldefault(OBJECT_FDW, ownerId);
2257  /* There are no old member roles according to the catalogs */
2258  noldmembers = 0;
2259  oldmembers = NULL;
2260  }
2261  else
2262  {
2263  old_acl = DatumGetAclPCopy(aclDatum);
2264  /* Get the roles mentioned in the existing ACL */
2265  noldmembers = aclmembers(old_acl, &oldmembers);
2266  }
2267 
2268  /* Determine ID to do the grant as, and available grant options */
2270  old_acl, ownerId,
2271  &grantorId, &avail_goptions);
2272 
2273  /*
2274  * Restrict the privileges to what we can actually grant, and emit the
2275  * standards-mandated warning and error messages.
2276  */
2277  this_privileges =
2278  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2279  istmt->all_privs, istmt->privileges,
2280  fdwid, grantorId, OBJECT_FDW,
2281  NameStr(pg_fdw_tuple->fdwname),
2282  0, NULL);
2283 
2284  /*
2285  * Generate new ACL.
2286  */
2287  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2288  istmt->grant_option, istmt->behavior,
2289  istmt->grantees, this_privileges,
2290  grantorId, ownerId);
2291 
2292  /*
2293  * We need the members of both old and new ACLs so we can correct the
2294  * shared dependency information.
2295  */
2296  nnewmembers = aclmembers(new_acl, &newmembers);
2297 
2298  /* finished building new ACL value, now insert it */
2299  MemSet(values, 0, sizeof(values));
2300  MemSet(nulls, false, sizeof(nulls));
2301  MemSet(replaces, false, sizeof(replaces));
2302 
2303  replaces[Anum_pg_foreign_data_wrapper_fdwacl - 1] = true;
2304  values[Anum_pg_foreign_data_wrapper_fdwacl - 1] = PointerGetDatum(new_acl);
2305 
2306  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2307  nulls, replaces);
2308 
2309  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2310 
2311  /* Update initial privileges for extensions */
2312  recordExtensionInitPriv(fdwid, ForeignDataWrapperRelationId, 0,
2313  new_acl);
2314 
2315  /* Update the shared dependency ACL info */
2316  updateAclDependencies(ForeignDataWrapperRelationId,
2317  pg_fdw_tuple->oid, 0,
2318  ownerId,
2319  noldmembers, oldmembers,
2320  nnewmembers, newmembers);
2321 
2322  ReleaseSysCache(tuple);
2323 
2324  pfree(new_acl);
2325 
2326  /* prevent error when processing duplicate objects */
2328  }
2329 
2330  table_close(relation, RowExclusiveLock);
2331 }
2332 
2333 static void
2335 {
2336  Relation relation;
2337  ListCell *cell;
2338 
2339  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2341 
2342  relation = table_open(ForeignServerRelationId, RowExclusiveLock);
2343 
2344  foreach(cell, istmt->objects)
2345  {
2346  Oid srvid = lfirst_oid(cell);
2347  Form_pg_foreign_server pg_server_tuple;
2348  Datum aclDatum;
2349  bool isNull;
2350  AclMode avail_goptions;
2351  AclMode this_privileges;
2352  Acl *old_acl;
2353  Acl *new_acl;
2354  Oid grantorId;
2355  Oid ownerId;
2356  HeapTuple tuple;
2357  HeapTuple newtuple;
2358  Datum values[Natts_pg_foreign_server];
2359  bool nulls[Natts_pg_foreign_server];
2360  bool replaces[Natts_pg_foreign_server];
2361  int noldmembers;
2362  int nnewmembers;
2363  Oid *oldmembers;
2364  Oid *newmembers;
2365 
2367  if (!HeapTupleIsValid(tuple))
2368  elog(ERROR, "cache lookup failed for foreign server %u", srvid);
2369 
2370  pg_server_tuple = (Form_pg_foreign_server) GETSTRUCT(tuple);
2371 
2372  /*
2373  * Get owner ID and working copy of existing ACL. If there's no ACL,
2374  * substitute the proper default.
2375  */
2376  ownerId = pg_server_tuple->srvowner;
2377  aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple,
2378  Anum_pg_foreign_server_srvacl,
2379  &isNull);
2380  if (isNull)
2381  {
2382  old_acl = acldefault(OBJECT_FOREIGN_SERVER, ownerId);
2383  /* There are no old member roles according to the catalogs */
2384  noldmembers = 0;
2385  oldmembers = NULL;
2386  }
2387  else
2388  {
2389  old_acl = DatumGetAclPCopy(aclDatum);
2390  /* Get the roles mentioned in the existing ACL */
2391  noldmembers = aclmembers(old_acl, &oldmembers);
2392  }
2393 
2394  /* Determine ID to do the grant as, and available grant options */
2396  old_acl, ownerId,
2397  &grantorId, &avail_goptions);
2398 
2399  /*
2400  * Restrict the privileges to what we can actually grant, and emit the
2401  * standards-mandated warning and error messages.
2402  */
2403  this_privileges =
2404  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2405  istmt->all_privs, istmt->privileges,
2406  srvid, grantorId, OBJECT_FOREIGN_SERVER,
2407  NameStr(pg_server_tuple->srvname),
2408  0, NULL);
2409 
2410  /*
2411  * Generate new ACL.
2412  */
2413  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2414  istmt->grant_option, istmt->behavior,
2415  istmt->grantees, this_privileges,
2416  grantorId, ownerId);
2417 
2418  /*
2419  * We need the members of both old and new ACLs so we can correct the
2420  * shared dependency information.
2421  */
2422  nnewmembers = aclmembers(new_acl, &newmembers);
2423 
2424  /* finished building new ACL value, now insert it */
2425  MemSet(values, 0, sizeof(values));
2426  MemSet(nulls, false, sizeof(nulls));
2427  MemSet(replaces, false, sizeof(replaces));
2428 
2429  replaces[Anum_pg_foreign_server_srvacl - 1] = true;
2430  values[Anum_pg_foreign_server_srvacl - 1] = PointerGetDatum(new_acl);
2431 
2432  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2433  nulls, replaces);
2434 
2435  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2436 
2437  /* Update initial privileges for extensions */
2438  recordExtensionInitPriv(srvid, ForeignServerRelationId, 0, new_acl);
2439 
2440  /* Update the shared dependency ACL info */
2441  updateAclDependencies(ForeignServerRelationId,
2442  pg_server_tuple->oid, 0,
2443  ownerId,
2444  noldmembers, oldmembers,
2445  nnewmembers, newmembers);
2446 
2447  ReleaseSysCache(tuple);
2448 
2449  pfree(new_acl);
2450 
2451  /* prevent error when processing duplicate objects */
2453  }
2454 
2455  table_close(relation, RowExclusiveLock);
2456 }
2457 
2458 static void
2460 {
2461  Relation relation;
2462  ListCell *cell;
2463 
2464  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2466 
2467  relation = table_open(ProcedureRelationId, RowExclusiveLock);
2468 
2469  foreach(cell, istmt->objects)
2470  {
2471  Oid funcId = lfirst_oid(cell);
2472  Form_pg_proc pg_proc_tuple;
2473  Datum aclDatum;
2474  bool isNull;
2475  AclMode avail_goptions;
2476  AclMode this_privileges;
2477  Acl *old_acl;
2478  Acl *new_acl;
2479  Oid grantorId;
2480  Oid ownerId;
2481  HeapTuple tuple;
2482  HeapTuple newtuple;
2483  Datum values[Natts_pg_proc];
2484  bool nulls[Natts_pg_proc];
2485  bool replaces[Natts_pg_proc];
2486  int noldmembers;
2487  int nnewmembers;
2488  Oid *oldmembers;
2489  Oid *newmembers;
2490 
2491  tuple = SearchSysCache1(PROCOID, ObjectIdGetDatum(funcId));
2492  if (!HeapTupleIsValid(tuple))
2493  elog(ERROR, "cache lookup failed for function %u", funcId);
2494 
2495  pg_proc_tuple = (Form_pg_proc) GETSTRUCT(tuple);
2496 
2497  /*
2498  * Get owner ID and working copy of existing ACL. If there's no ACL,
2499  * substitute the proper default.
2500  */
2501  ownerId = pg_proc_tuple->proowner;
2502  aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
2503  &isNull);
2504  if (isNull)
2505  {
2506  old_acl = acldefault(OBJECT_FUNCTION, ownerId);
2507  /* There are no old member roles according to the catalogs */
2508  noldmembers = 0;
2509  oldmembers = NULL;
2510  }
2511  else
2512  {
2513  old_acl = DatumGetAclPCopy(aclDatum);
2514  /* Get the roles mentioned in the existing ACL */
2515  noldmembers = aclmembers(old_acl, &oldmembers);
2516  }
2517 
2518  /* Determine ID to do the grant as, and available grant options */
2520  old_acl, ownerId,
2521  &grantorId, &avail_goptions);
2522 
2523  /*
2524  * Restrict the privileges to what we can actually grant, and emit the
2525  * standards-mandated warning and error messages.
2526  */
2527  this_privileges =
2528  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2529  istmt->all_privs, istmt->privileges,
2530  funcId, grantorId, OBJECT_FUNCTION,
2531  NameStr(pg_proc_tuple->proname),
2532  0, NULL);
2533 
2534  /*
2535  * Generate new ACL.
2536  */
2537  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2538  istmt->grant_option, istmt->behavior,
2539  istmt->grantees, this_privileges,
2540  grantorId, ownerId);
2541 
2542  /*
2543  * We need the members of both old and new ACLs so we can correct the
2544  * shared dependency information.
2545  */
2546  nnewmembers = aclmembers(new_acl, &newmembers);
2547 
2548  /* finished building new ACL value, now insert it */
2549  MemSet(values, 0, sizeof(values));
2550  MemSet(nulls, false, sizeof(nulls));
2551  MemSet(replaces, false, sizeof(replaces));
2552 
2553  replaces[Anum_pg_proc_proacl - 1] = true;
2554  values[Anum_pg_proc_proacl - 1] = PointerGetDatum(new_acl);
2555 
2556  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2557  nulls, replaces);
2558 
2559  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2560 
2561  /* Update initial privileges for extensions */
2562  recordExtensionInitPriv(funcId, ProcedureRelationId, 0, new_acl);
2563 
2564  /* Update the shared dependency ACL info */
2565  updateAclDependencies(ProcedureRelationId, funcId, 0,
2566  ownerId,
2567  noldmembers, oldmembers,
2568  nnewmembers, newmembers);
2569 
2570  ReleaseSysCache(tuple);
2571 
2572  pfree(new_acl);
2573 
2574  /* prevent error when processing duplicate objects */
2576  }
2577 
2578  table_close(relation, RowExclusiveLock);
2579 }
2580 
2581 static void
2583 {
2584  Relation relation;
2585  ListCell *cell;
2586 
2587  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2589 
2590  relation = table_open(LanguageRelationId, RowExclusiveLock);
2591 
2592  foreach(cell, istmt->objects)
2593  {
2594  Oid langId = lfirst_oid(cell);
2595  Form_pg_language pg_language_tuple;
2596  Datum aclDatum;
2597  bool isNull;
2598  AclMode avail_goptions;
2599  AclMode this_privileges;
2600  Acl *old_acl;
2601  Acl *new_acl;
2602  Oid grantorId;
2603  Oid ownerId;
2604  HeapTuple tuple;
2605  HeapTuple newtuple;
2606  Datum values[Natts_pg_language];
2607  bool nulls[Natts_pg_language];
2608  bool replaces[Natts_pg_language];
2609  int noldmembers;
2610  int nnewmembers;
2611  Oid *oldmembers;
2612  Oid *newmembers;
2613 
2614  tuple = SearchSysCache1(LANGOID, ObjectIdGetDatum(langId));
2615  if (!HeapTupleIsValid(tuple))
2616  elog(ERROR, "cache lookup failed for language %u", langId);
2617 
2618  pg_language_tuple = (Form_pg_language) GETSTRUCT(tuple);
2619 
2620  if (!pg_language_tuple->lanpltrusted)
2621  ereport(ERROR,
2622  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
2623  errmsg("language \"%s\" is not trusted",
2624  NameStr(pg_language_tuple->lanname)),
2625  errdetail("GRANT and REVOKE are not allowed on untrusted languages, "
2626  "because only superusers can use untrusted languages.")));
2627 
2628  /*
2629  * Get owner ID and working copy of existing ACL. If there's no ACL,
2630  * substitute the proper default.
2631  */
2632  ownerId = pg_language_tuple->lanowner;
2633  aclDatum = SysCacheGetAttr(LANGNAME, tuple, Anum_pg_language_lanacl,
2634  &isNull);
2635  if (isNull)
2636  {
2637  old_acl = acldefault(OBJECT_LANGUAGE, ownerId);
2638  /* There are no old member roles according to the catalogs */
2639  noldmembers = 0;
2640  oldmembers = NULL;
2641  }
2642  else
2643  {
2644  old_acl = DatumGetAclPCopy(aclDatum);
2645  /* Get the roles mentioned in the existing ACL */
2646  noldmembers = aclmembers(old_acl, &oldmembers);
2647  }
2648 
2649  /* Determine ID to do the grant as, and available grant options */
2651  old_acl, ownerId,
2652  &grantorId, &avail_goptions);
2653 
2654  /*
2655  * Restrict the privileges to what we can actually grant, and emit the
2656  * standards-mandated warning and error messages.
2657  */
2658  this_privileges =
2659  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2660  istmt->all_privs, istmt->privileges,
2661  langId, grantorId, OBJECT_LANGUAGE,
2662  NameStr(pg_language_tuple->lanname),
2663  0, NULL);
2664 
2665  /*
2666  * Generate new ACL.
2667  */
2668  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2669  istmt->grant_option, istmt->behavior,
2670  istmt->grantees, this_privileges,
2671  grantorId, ownerId);
2672 
2673  /*
2674  * We need the members of both old and new ACLs so we can correct the
2675  * shared dependency information.
2676  */
2677  nnewmembers = aclmembers(new_acl, &newmembers);
2678 
2679  /* finished building new ACL value, now insert it */
2680  MemSet(values, 0, sizeof(values));
2681  MemSet(nulls, false, sizeof(nulls));
2682  MemSet(replaces, false, sizeof(replaces));
2683 
2684  replaces[Anum_pg_language_lanacl - 1] = true;
2685  values[Anum_pg_language_lanacl - 1] = PointerGetDatum(new_acl);
2686 
2687  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2688  nulls, replaces);
2689 
2690  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2691 
2692  /* Update initial privileges for extensions */
2693  recordExtensionInitPriv(langId, LanguageRelationId, 0, new_acl);
2694 
2695  /* Update the shared dependency ACL info */
2696  updateAclDependencies(LanguageRelationId, pg_language_tuple->oid, 0,
2697  ownerId,
2698  noldmembers, oldmembers,
2699  nnewmembers, newmembers);
2700 
2701  ReleaseSysCache(tuple);
2702 
2703  pfree(new_acl);
2704 
2705  /* prevent error when processing duplicate objects */
2707  }
2708 
2709  table_close(relation, RowExclusiveLock);
2710 }
2711 
2712 static void
2714 {
2715  Relation relation;
2716  ListCell *cell;
2717 
2718  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2720 
2721  relation = table_open(LargeObjectMetadataRelationId,
2723 
2724  foreach(cell, istmt->objects)
2725  {
2726  Oid loid = lfirst_oid(cell);
2727  Form_pg_largeobject_metadata form_lo_meta;
2728  char loname[NAMEDATALEN];
2729  Datum aclDatum;
2730  bool isNull;
2731  AclMode avail_goptions;
2732  AclMode this_privileges;
2733  Acl *old_acl;
2734  Acl *new_acl;
2735  Oid grantorId;
2736  Oid ownerId;
2737  HeapTuple newtuple;
2738  Datum values[Natts_pg_largeobject_metadata];
2739  bool nulls[Natts_pg_largeobject_metadata];
2740  bool replaces[Natts_pg_largeobject_metadata];
2741  int noldmembers;
2742  int nnewmembers;
2743  Oid *oldmembers;
2744  Oid *newmembers;
2745  ScanKeyData entry[1];
2746  SysScanDesc scan;
2747  HeapTuple tuple;
2748 
2749  /* There's no syscache for pg_largeobject_metadata */
2750  ScanKeyInit(&entry[0],
2751  Anum_pg_largeobject_metadata_oid,
2752  BTEqualStrategyNumber, F_OIDEQ,
2753  ObjectIdGetDatum(loid));
2754 
2755  scan = systable_beginscan(relation,
2757  NULL, 1, entry);
2758 
2759  tuple = systable_getnext(scan);
2760  if (!HeapTupleIsValid(tuple))
2761  elog(ERROR, "could not find tuple for large object %u", loid);
2762 
2763  form_lo_meta = (Form_pg_largeobject_metadata) GETSTRUCT(tuple);
2764 
2765  /*
2766  * Get owner ID and working copy of existing ACL. If there's no ACL,
2767  * substitute the proper default.
2768  */
2769  ownerId = form_lo_meta->lomowner;
2770  aclDatum = heap_getattr(tuple,
2771  Anum_pg_largeobject_metadata_lomacl,
2772  RelationGetDescr(relation), &isNull);
2773  if (isNull)
2774  {
2775  old_acl = acldefault(OBJECT_LARGEOBJECT, ownerId);
2776  /* There are no old member roles according to the catalogs */
2777  noldmembers = 0;
2778  oldmembers = NULL;
2779  }
2780  else
2781  {
2782  old_acl = DatumGetAclPCopy(aclDatum);
2783  /* Get the roles mentioned in the existing ACL */
2784  noldmembers = aclmembers(old_acl, &oldmembers);
2785  }
2786 
2787  /* Determine ID to do the grant as, and available grant options */
2789  old_acl, ownerId,
2790  &grantorId, &avail_goptions);
2791 
2792  /*
2793  * Restrict the privileges to what we can actually grant, and emit the
2794  * standards-mandated warning and error messages.
2795  */
2796  snprintf(loname, sizeof(loname), "large object %u", loid);
2797  this_privileges =
2798  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2799  istmt->all_privs, istmt->privileges,
2800  loid, grantorId, OBJECT_LARGEOBJECT,
2801  loname, 0, NULL);
2802 
2803  /*
2804  * Generate new ACL.
2805  */
2806  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2807  istmt->grant_option, istmt->behavior,
2808  istmt->grantees, this_privileges,
2809  grantorId, ownerId);
2810 
2811  /*
2812  * We need the members of both old and new ACLs so we can correct the
2813  * shared dependency information.
2814  */
2815  nnewmembers = aclmembers(new_acl, &newmembers);
2816 
2817  /* finished building new ACL value, now insert it */
2818  MemSet(values, 0, sizeof(values));
2819  MemSet(nulls, false, sizeof(nulls));
2820  MemSet(replaces, false, sizeof(replaces));
2821 
2822  replaces[Anum_pg_largeobject_metadata_lomacl - 1] = true;
2823  values[Anum_pg_largeobject_metadata_lomacl - 1]
2824  = PointerGetDatum(new_acl);
2825 
2826  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
2827  values, nulls, replaces);
2828 
2829  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2830 
2831  /* Update initial privileges for extensions */
2832  recordExtensionInitPriv(loid, LargeObjectRelationId, 0, new_acl);
2833 
2834  /* Update the shared dependency ACL info */
2835  updateAclDependencies(LargeObjectRelationId,
2836  form_lo_meta->oid, 0,
2837  ownerId,
2838  noldmembers, oldmembers,
2839  nnewmembers, newmembers);
2840 
2841  systable_endscan(scan);
2842 
2843  pfree(new_acl);
2844 
2845  /* prevent error when processing duplicate objects */
2847  }
2848 
2849  table_close(relation, RowExclusiveLock);
2850 }
2851 
2852 static void
2854 {
2855  Relation relation;
2856  ListCell *cell;
2857 
2858  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2860 
2861  relation = table_open(NamespaceRelationId, RowExclusiveLock);
2862 
2863  foreach(cell, istmt->objects)
2864  {
2865  Oid nspid = lfirst_oid(cell);
2866  Form_pg_namespace pg_namespace_tuple;
2867  Datum aclDatum;
2868  bool isNull;
2869  AclMode avail_goptions;
2870  AclMode this_privileges;
2871  Acl *old_acl;
2872  Acl *new_acl;
2873  Oid grantorId;
2874  Oid ownerId;
2875  HeapTuple tuple;
2876  HeapTuple newtuple;
2877  Datum values[Natts_pg_namespace];
2878  bool nulls[Natts_pg_namespace];
2879  bool replaces[Natts_pg_namespace];
2880  int noldmembers;
2881  int nnewmembers;
2882  Oid *oldmembers;
2883  Oid *newmembers;
2884 
2886  if (!HeapTupleIsValid(tuple))
2887  elog(ERROR, "cache lookup failed for namespace %u", nspid);
2888 
2889  pg_namespace_tuple = (Form_pg_namespace) GETSTRUCT(tuple);
2890 
2891  /*
2892  * Get owner ID and working copy of existing ACL. If there's no ACL,
2893  * substitute the proper default.
2894  */
2895  ownerId = pg_namespace_tuple->nspowner;
2896  aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple,
2897  Anum_pg_namespace_nspacl,
2898  &isNull);
2899  if (isNull)
2900  {
2901  old_acl = acldefault(OBJECT_SCHEMA, ownerId);
2902  /* There are no old member roles according to the catalogs */
2903  noldmembers = 0;
2904  oldmembers = NULL;
2905  }
2906  else
2907  {
2908  old_acl = DatumGetAclPCopy(aclDatum);
2909  /* Get the roles mentioned in the existing ACL */
2910  noldmembers = aclmembers(old_acl, &oldmembers);
2911  }
2912 
2913  /* Determine ID to do the grant as, and available grant options */
2915  old_acl, ownerId,
2916  &grantorId, &avail_goptions);
2917 
2918  /*
2919  * Restrict the privileges to what we can actually grant, and emit the
2920  * standards-mandated warning and error messages.
2921  */
2922  this_privileges =
2923  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2924  istmt->all_privs, istmt->privileges,
2925  nspid, grantorId, OBJECT_SCHEMA,
2926  NameStr(pg_namespace_tuple->nspname),
2927  0, NULL);
2928 
2929  /*
2930  * Generate new ACL.
2931  */
2932  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2933  istmt->grant_option, istmt->behavior,
2934  istmt->grantees, this_privileges,
2935  grantorId, ownerId);
2936 
2937  /*
2938  * We need the members of both old and new ACLs so we can correct the
2939  * shared dependency information.
2940  */
2941  nnewmembers = aclmembers(new_acl, &newmembers);
2942 
2943  /* finished building new ACL value, now insert it */
2944  MemSet(values, 0, sizeof(values));
2945  MemSet(nulls, false, sizeof(nulls));
2946  MemSet(replaces, false, sizeof(replaces));
2947 
2948  replaces[Anum_pg_namespace_nspacl - 1] = true;
2949  values[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(new_acl);
2950 
2951  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2952  nulls, replaces);
2953 
2954  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2955 
2956  /* Update initial privileges for extensions */
2957  recordExtensionInitPriv(nspid, NamespaceRelationId, 0, new_acl);
2958 
2959  /* Update the shared dependency ACL info */
2960  updateAclDependencies(NamespaceRelationId, pg_namespace_tuple->oid, 0,
2961  ownerId,
2962  noldmembers, oldmembers,
2963  nnewmembers, newmembers);
2964 
2965  ReleaseSysCache(tuple);
2966 
2967  pfree(new_acl);
2968 
2969  /* prevent error when processing duplicate objects */
2971  }
2972 
2973  table_close(relation, RowExclusiveLock);
2974 }
2975 
2976 static void
2978 {
2979  Relation relation;
2980  ListCell *cell;
2981 
2982  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2984 
2985  relation = table_open(TableSpaceRelationId, RowExclusiveLock);
2986 
2987  foreach(cell, istmt->objects)
2988  {
2989  Oid tblId = lfirst_oid(cell);
2990  Form_pg_tablespace pg_tablespace_tuple;
2991  Datum aclDatum;
2992  bool isNull;
2993  AclMode avail_goptions;
2994  AclMode this_privileges;
2995  Acl *old_acl;
2996  Acl *new_acl;
2997  Oid grantorId;
2998  Oid ownerId;
2999  HeapTuple newtuple;
3000  Datum values[Natts_pg_tablespace];
3001  bool nulls[Natts_pg_tablespace];
3002  bool replaces[Natts_pg_tablespace];
3003  int noldmembers;
3004  int nnewmembers;
3005  Oid *oldmembers;
3006  Oid *newmembers;
3007  HeapTuple tuple;
3008 
3009  /* Search syscache for pg_tablespace */
3011  if (!HeapTupleIsValid(tuple))
3012  elog(ERROR, "cache lookup failed for tablespace %u", tblId);
3013 
3014  pg_tablespace_tuple = (Form_pg_tablespace) GETSTRUCT(tuple);
3015 
3016  /*
3017  * Get owner ID and working copy of existing ACL. If there's no ACL,
3018  * substitute the proper default.
3019  */
3020  ownerId = pg_tablespace_tuple->spcowner;
3021  aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
3022  RelationGetDescr(relation), &isNull);
3023  if (isNull)
3024  {
3025  old_acl = acldefault(OBJECT_TABLESPACE, ownerId);
3026  /* There are no old member roles according to the catalogs */
3027  noldmembers = 0;
3028  oldmembers = NULL;
3029  }
3030  else
3031  {
3032  old_acl = DatumGetAclPCopy(aclDatum);
3033  /* Get the roles mentioned in the existing ACL */
3034  noldmembers = aclmembers(old_acl, &oldmembers);
3035  }
3036 
3037  /* Determine ID to do the grant as, and available grant options */
3039  old_acl, ownerId,
3040  &grantorId, &avail_goptions);
3041 
3042  /*
3043  * Restrict the privileges to what we can actually grant, and emit the
3044  * standards-mandated warning and error messages.
3045  */
3046  this_privileges =
3047  restrict_and_check_grant(istmt->is_grant, avail_goptions,
3048  istmt->all_privs, istmt->privileges,
3049  tblId, grantorId, OBJECT_TABLESPACE,
3050  NameStr(pg_tablespace_tuple->spcname),
3051  0, NULL);
3052 
3053  /*
3054  * Generate new ACL.
3055  */
3056  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
3057  istmt->grant_option, istmt->behavior,
3058  istmt->grantees, this_privileges,
3059  grantorId, ownerId);
3060 
3061  /*
3062  * We need the members of both old and new ACLs so we can correct the
3063  * shared dependency information.
3064  */
3065  nnewmembers = aclmembers(new_acl, &newmembers);
3066 
3067  /* finished building new ACL value, now insert it */
3068  MemSet(values, 0, sizeof(values));
3069  MemSet(nulls, false, sizeof(nulls));
3070  MemSet(replaces, false, sizeof(replaces));
3071 
3072  replaces[Anum_pg_tablespace_spcacl - 1] = true;
3073  values[Anum_pg_tablespace_spcacl - 1] = PointerGetDatum(new_acl);
3074 
3075  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
3076  nulls, replaces);
3077 
3078  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
3079 
3080  /* Update the shared dependency ACL info */
3081  updateAclDependencies(TableSpaceRelationId, tblId, 0,
3082  ownerId,
3083  noldmembers, oldmembers,
3084  nnewmembers, newmembers);
3085 
3086  ReleaseSysCache(tuple);
3087  pfree(new_acl);
3088 
3089  /* prevent error when processing duplicate objects */
3091  }
3092 
3093  table_close(relation, RowExclusiveLock);
3094 }
3095 
3096 static void
3098 {
3099  Relation relation;
3100  ListCell *cell;
3101 
3102  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
3104 
3105  relation = table_open(TypeRelationId, RowExclusiveLock);
3106 
3107  foreach(cell, istmt->objects)
3108  {
3109  Oid typId = lfirst_oid(cell);
3110  Form_pg_type pg_type_tuple;
3111  Datum aclDatum;
3112  bool isNull;
3113  AclMode avail_goptions;
3114  AclMode this_privileges;
3115  Acl *old_acl;
3116  Acl *new_acl;
3117  Oid grantorId;
3118  Oid ownerId;
3119  HeapTuple newtuple;
3120  Datum values[Natts_pg_type];
3121  bool nulls[Natts_pg_type];
3122  bool replaces[Natts_pg_type];
3123  int noldmembers;
3124  int nnewmembers;
3125  Oid *oldmembers;
3126  Oid *newmembers;
3127  HeapTuple tuple;
3128 
3129  /* Search syscache for pg_type */
3130  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(typId));
3131  if (!HeapTupleIsValid(tuple))
3132  elog(ERROR, "cache lookup failed for type %u", typId);
3133 
3134  pg_type_tuple = (Form_pg_type) GETSTRUCT(tuple);
3135 
3136  if (IsTrueArrayType(pg_type_tuple))
3137  ereport(ERROR,
3138  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
3139  errmsg("cannot set privileges of array types"),
3140  errhint("Set the privileges of the element type instead.")));
3141 
3142  /* Used GRANT DOMAIN on a non-domain? */
3143  if (istmt->objtype == OBJECT_DOMAIN &&
3144  pg_type_tuple->typtype != TYPTYPE_DOMAIN)
3145  ereport(ERROR,
3146  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
3147  errmsg("\"%s\" is not a domain",
3148  NameStr(pg_type_tuple->typname))));
3149 
3150  /*
3151  * Get owner ID and working copy of existing ACL. If there's no ACL,
3152  * substitute the proper default.
3153  */
3154  ownerId = pg_type_tuple->typowner;
3155  aclDatum = heap_getattr(tuple, Anum_pg_type_typacl,
3156  RelationGetDescr(relation), &isNull);
3157  if (isNull)
3158  {
3159  old_acl = acldefault(istmt->objtype, ownerId);
3160  /* There are no old member roles according to the catalogs */
3161  noldmembers = 0;
3162  oldmembers = NULL;
3163  }
3164  else
3165  {
3166  old_acl = DatumGetAclPCopy(aclDatum);
3167  /* Get the roles mentioned in the existing ACL */
3168  noldmembers = aclmembers(old_acl, &oldmembers);
3169  }
3170 
3171  /* Determine ID to do the grant as, and available grant options */
3173  old_acl, ownerId,
3174  &grantorId, &avail_goptions);
3175 
3176  /*
3177  * Restrict the privileges to what we can actually grant, and emit the
3178  * standards-mandated warning and error messages.
3179  */
3180  this_privileges =
3181  restrict_and_check_grant(istmt->is_grant, avail_goptions,
3182  istmt->all_privs, istmt->privileges,
3183  typId, grantorId, OBJECT_TYPE,
3184  NameStr(pg_type_tuple->typname),
3185  0, NULL);
3186 
3187  /*
3188  * Generate new ACL.
3189  */
3190  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
3191  istmt->grant_option, istmt->behavior,
3192  istmt->grantees, this_privileges,
3193  grantorId, ownerId);
3194 
3195  /*
3196  * We need the members of both old and new ACLs so we can correct the
3197  * shared dependency information.
3198  */
3199  nnewmembers = aclmembers(new_acl, &newmembers);
3200 
3201  /* finished building new ACL value, now insert it */
3202  MemSet(values, 0, sizeof(values));
3203  MemSet(nulls, false, sizeof(nulls));
3204  MemSet(replaces, false, sizeof(replaces));
3205 
3206  replaces[Anum_pg_type_typacl - 1] = true;
3207  values[Anum_pg_type_typacl - 1] = PointerGetDatum(new_acl);
3208 
3209  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
3210  nulls, replaces);
3211 
3212  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
3213 
3214  /* Update initial privileges for extensions */
3215  recordExtensionInitPriv(typId, TypeRelationId, 0, new_acl);
3216 
3217  /* Update the shared dependency ACL info */
3218  updateAclDependencies(TypeRelationId, typId, 0,
3219  ownerId,
3220  noldmembers, oldmembers,
3221  nnewmembers, newmembers);
3222 
3223  ReleaseSysCache(tuple);
3224  pfree(new_acl);
3225 
3226  /* prevent error when processing duplicate objects */
3228  }
3229 
3230  table_close(relation, RowExclusiveLock);
3231 }
3232 
3233 
3234 static AclMode
3235 string_to_privilege(const char *privname)
3236 {
3237  if (strcmp(privname, "insert") == 0)
3238  return ACL_INSERT;
3239  if (strcmp(privname, "select") == 0)
3240  return ACL_SELECT;
3241  if (strcmp(privname, "update") == 0)
3242  return ACL_UPDATE;
3243  if (strcmp(privname, "delete") == 0)
3244  return ACL_DELETE;
3245  if (strcmp(privname, "truncate") == 0)
3246  return ACL_TRUNCATE;
3247  if (strcmp(privname, "references") == 0)
3248  return ACL_REFERENCES;
3249  if (strcmp(privname, "trigger") == 0)
3250  return ACL_TRIGGER;
3251  if (strcmp(privname, "execute") == 0)
3252  return ACL_EXECUTE;
3253  if (strcmp(privname, "usage") == 0)
3254  return ACL_USAGE;
3255  if (strcmp(privname, "create") == 0)
3256  return ACL_CREATE;
3257  if (strcmp(privname, "temporary") == 0)
3258  return ACL_CREATE_TEMP;
3259  if (strcmp(privname, "temp") == 0)
3260  return ACL_CREATE_TEMP;
3261  if (strcmp(privname, "connect") == 0)
3262  return ACL_CONNECT;
3263  if (strcmp(privname, "rule") == 0)
3264  return 0; /* ignore old RULE privileges */
3265  ereport(ERROR,
3266  (errcode(ERRCODE_SYNTAX_ERROR),
3267  errmsg("unrecognized privilege type \"%s\"", privname)));
3268  return 0; /* appease compiler */
3269 }
3270 
3271 static const char *
3273 {
3274  switch (privilege)
3275  {
3276  case ACL_INSERT:
3277  return "INSERT";
3278  case ACL_SELECT:
3279  return "SELECT";
3280  case ACL_UPDATE:
3281  return "UPDATE";
3282  case ACL_DELETE:
3283  return "DELETE";
3284  case ACL_TRUNCATE:
3285  return "TRUNCATE";
3286  case ACL_REFERENCES:
3287  return "REFERENCES";
3288  case ACL_TRIGGER:
3289  return "TRIGGER";
3290  case ACL_EXECUTE:
3291  return "EXECUTE";
3292  case ACL_USAGE:
3293  return "USAGE";
3294  case ACL_CREATE:
3295  return "CREATE";
3296  case ACL_CREATE_TEMP:
3297  return "TEMP";
3298  case ACL_CONNECT:
3299  return "CONNECT";
3300  default:
3301  elog(ERROR, "unrecognized privilege: %d", (int) privilege);
3302  }
3303  return NULL; /* appease compiler */
3304 }
3305 
3306 /*
3307  * Standardized reporting of aclcheck permissions failures.
3308  *
3309  * Note: we do not double-quote the %s's below, because many callers
3310  * supply strings that might be already quoted.
3311  */
3312 void
3314  const char *objectname)
3315 {
3316  switch (aclerr)
3317  {
3318  case ACLCHECK_OK:
3319  /* no error, so return to caller */
3320  break;
3321  case ACLCHECK_NO_PRIV:
3322  {
3323  const char *msg = "???";
3324 
3325  switch (objtype)
3326  {
3327  case OBJECT_AGGREGATE:
3328  msg = gettext_noop("permission denied for aggregate %s");
3329  break;
3330  case OBJECT_COLLATION:
3331  msg = gettext_noop("permission denied for collation %s");
3332  break;
3333  case OBJECT_COLUMN:
3334  msg = gettext_noop("permission denied for column %s");
3335  break;
3336  case OBJECT_CONVERSION:
3337  msg = gettext_noop("permission denied for conversion %s");
3338  break;
3339  case OBJECT_DATABASE:
3340  msg = gettext_noop("permission denied for database %s");
3341  break;
3342  case OBJECT_DOMAIN:
3343  msg = gettext_noop("permission denied for domain %s");
3344  break;
3345  case OBJECT_EVENT_TRIGGER:
3346  msg = gettext_noop("permission denied for event trigger %s");
3347  break;
3348  case OBJECT_EXTENSION:
3349  msg = gettext_noop("permission denied for extension %s");
3350  break;
3351  case OBJECT_FDW:
3352  msg = gettext_noop("permission denied for foreign-data wrapper %s");
3353  break;
3354  case OBJECT_FOREIGN_SERVER:
3355  msg = gettext_noop("permission denied for foreign server %s");
3356  break;
3357  case OBJECT_FOREIGN_TABLE:
3358  msg = gettext_noop("permission denied for foreign table %s");
3359  break;
3360  case OBJECT_FUNCTION:
3361  msg = gettext_noop("permission denied for function %s");
3362  break;
3363  case OBJECT_INDEX:
3364  msg = gettext_noop("permission denied for index %s");
3365  break;
3366  case OBJECT_LANGUAGE:
3367  msg = gettext_noop("permission denied for language %s");
3368  break;
3369  case OBJECT_LARGEOBJECT:
3370  msg = gettext_noop("permission denied for large object %s");
3371  break;
3372  case OBJECT_MATVIEW:
3373  msg = gettext_noop("permission denied for materialized view %s");
3374  break;
3375  case OBJECT_OPCLASS:
3376  msg = gettext_noop("permission denied for operator class %s");
3377  break;
3378  case OBJECT_OPERATOR:
3379  msg = gettext_noop("permission denied for operator %s");
3380  break;
3381  case OBJECT_OPFAMILY:
3382  msg = gettext_noop("permission denied for operator family %s");
3383  break;
3384  case OBJECT_POLICY:
3385  msg = gettext_noop("permission denied for policy %s");
3386  break;
3387  case OBJECT_PROCEDURE:
3388  msg = gettext_noop("permission denied for procedure %s");
3389  break;
3390  case OBJECT_PUBLICATION:
3391  msg = gettext_noop("permission denied for publication %s");
3392  break;
3393  case OBJECT_ROUTINE:
3394  msg = gettext_noop("permission denied for routine %s");
3395  break;
3396  case OBJECT_SCHEMA:
3397  msg = gettext_noop("permission denied for schema %s");
3398  break;
3399  case OBJECT_SEQUENCE:
3400  msg = gettext_noop("permission denied for sequence %s");
3401  break;
3402  case OBJECT_STATISTIC_EXT:
3403  msg = gettext_noop("permission denied for statistics object %s");
3404  break;
3405  case OBJECT_SUBSCRIPTION:
3406  msg = gettext_noop("permission denied for subscription %s");
3407  break;
3408  case OBJECT_TABLE:
3409  msg = gettext_noop("permission denied for table %s");
3410  break;
3411  case OBJECT_TABLESPACE:
3412  msg = gettext_noop("permission denied for tablespace %s");
3413  break;
3415  msg = gettext_noop("permission denied for text search configuration %s");
3416  break;
3417  case OBJECT_TSDICTIONARY:
3418  msg = gettext_noop("permission denied for text search dictionary %s");
3419  break;
3420  case OBJECT_TYPE:
3421  msg = gettext_noop("permission denied for type %s");
3422  break;
3423  case OBJECT_VIEW:
3424  msg = gettext_noop("permission denied for view %s");
3425  break;
3426  /* these currently aren't used */
3427  case OBJECT_ACCESS_METHOD:
3428  case OBJECT_AMOP:
3429  case OBJECT_AMPROC:
3430  case OBJECT_ATTRIBUTE:
3431  case OBJECT_CAST:
3432  case OBJECT_DEFAULT:
3433  case OBJECT_DEFACL:
3434  case OBJECT_DOMCONSTRAINT:
3436  case OBJECT_ROLE:
3437  case OBJECT_RULE:
3438  case OBJECT_TABCONSTRAINT:
3439  case OBJECT_TRANSFORM:
3440  case OBJECT_TRIGGER:
3441  case OBJECT_TSPARSER:
3442  case OBJECT_TSTEMPLATE:
3443  case OBJECT_USER_MAPPING:
3444  elog(ERROR, "unsupported object type %d", objtype);
3445  }
3446 
3447  ereport(ERROR,
3448  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
3449  errmsg(msg, objectname)));
3450  break;
3451  }
3452  case ACLCHECK_NOT_OWNER:
3453  {
3454  const char *msg = "???";
3455 
3456  switch (objtype)
3457  {
3458  case OBJECT_AGGREGATE:
3459  msg = gettext_noop("must be owner of aggregate %s");
3460  break;
3461  case OBJECT_COLLATION:
3462  msg = gettext_noop("must be owner of collation %s");
3463  break;
3464  case OBJECT_CONVERSION:
3465  msg = gettext_noop("must be owner of conversion %s");
3466  break;
3467  case OBJECT_DATABASE:
3468  msg = gettext_noop("must be owner of database %s");
3469  break;
3470  case OBJECT_DOMAIN:
3471  msg = gettext_noop("must be owner of domain %s");
3472  break;
3473  case OBJECT_EVENT_TRIGGER:
3474  msg = gettext_noop("must be owner of event trigger %s");
3475  break;
3476  case OBJECT_EXTENSION:
3477  msg = gettext_noop("must be owner of extension %s");
3478  break;
3479  case OBJECT_FDW:
3480  msg = gettext_noop("must be owner of foreign-data wrapper %s");
3481  break;
3482  case OBJECT_FOREIGN_SERVER:
3483  msg = gettext_noop("must be owner of foreign server %s");
3484  break;
3485  case OBJECT_FOREIGN_TABLE:
3486  msg = gettext_noop("must be owner of foreign table %s");
3487  break;
3488  case OBJECT_FUNCTION:
3489  msg = gettext_noop("must be owner of function %s");
3490  break;
3491  case OBJECT_INDEX:
3492  msg = gettext_noop("must be owner of index %s");
3493  break;
3494  case OBJECT_LANGUAGE:
3495  msg = gettext_noop("must be owner of language %s");
3496  break;
3497  case OBJECT_LARGEOBJECT:
3498  msg = gettext_noop("must be owner of large object %s");
3499  break;
3500  case OBJECT_MATVIEW:
3501  msg = gettext_noop("must be owner of materialized view %s");
3502  break;
3503  case OBJECT_OPCLASS:
3504  msg = gettext_noop("must be owner of operator class %s");
3505  break;
3506  case OBJECT_OPERATOR:
3507  msg = gettext_noop("must be owner of operator %s");
3508  break;
3509  case OBJECT_OPFAMILY:
3510  msg = gettext_noop("must be owner of operator family %s");
3511  break;
3512  case OBJECT_PROCEDURE:
3513  msg = gettext_noop("must be owner of procedure %s");
3514  break;
3515  case OBJECT_PUBLICATION:
3516  msg = gettext_noop("must be owner of publication %s");
3517  break;
3518  case OBJECT_ROUTINE:
3519  msg = gettext_noop("must be owner of routine %s");
3520  break;
3521  case OBJECT_SEQUENCE:
3522  msg = gettext_noop("must be owner of sequence %s");
3523  break;
3524  case OBJECT_SUBSCRIPTION:
3525  msg = gettext_noop("must be owner of subscription %s");
3526  break;
3527  case OBJECT_TABLE:
3528  msg = gettext_noop("must be owner of table %s");
3529  break;
3530  case OBJECT_TYPE:
3531  msg = gettext_noop("must be owner of type %s");
3532  break;
3533  case OBJECT_VIEW:
3534  msg = gettext_noop("must be owner of view %s");
3535  break;
3536  case OBJECT_SCHEMA:
3537  msg = gettext_noop("must be owner of schema %s");
3538  break;
3539  case OBJECT_STATISTIC_EXT:
3540  msg = gettext_noop("must be owner of statistics object %s");
3541  break;
3542  case OBJECT_TABLESPACE:
3543  msg = gettext_noop("must be owner of tablespace %s");
3544  break;
3546  msg = gettext_noop("must be owner of text search configuration %s");
3547  break;
3548  case OBJECT_TSDICTIONARY:
3549  msg = gettext_noop("must be owner of text search dictionary %s");
3550  break;
3551 
3552  /*
3553  * Special cases: For these, the error message talks
3554  * about "relation", because that's where the
3555  * ownership is attached. See also
3556  * check_object_ownership().
3557  */
3558  case OBJECT_COLUMN:
3559  case OBJECT_POLICY:
3560  case OBJECT_RULE:
3561  case OBJECT_TABCONSTRAINT:
3562  case OBJECT_TRIGGER:
3563  msg = gettext_noop("must be owner of relation %s");
3564  break;
3565  /* these currently aren't used */
3566  case OBJECT_ACCESS_METHOD:
3567  case OBJECT_AMOP:
3568  case OBJECT_AMPROC:
3569  case OBJECT_ATTRIBUTE:
3570  case OBJECT_CAST:
3571  case OBJECT_DEFAULT:
3572  case OBJECT_DEFACL:
3573  case OBJECT_DOMCONSTRAINT:
3575  case OBJECT_ROLE:
3576  case OBJECT_TRANSFORM:
3577  case OBJECT_TSPARSER:
3578  case OBJECT_TSTEMPLATE:
3579  case OBJECT_USER_MAPPING:
3580  elog(ERROR, "unsupported object type %d", objtype);
3581  }
3582 
3583  ereport(ERROR,
3584  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
3585  errmsg(msg, objectname)));
3586  break;
3587  }
3588  default:
3589  elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
3590  break;
3591  }
3592 }
3593 
3594 
3595 void
3597  const char *objectname, const char *colname)
3598 {
3599  switch (aclerr)
3600  {
3601  case ACLCHECK_OK:
3602  /* no error, so return to caller */
3603  break;
3604  case ACLCHECK_NO_PRIV:
3605  ereport(ERROR,
3606  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
3607  errmsg("permission denied for column \"%s\" of relation \"%s\"",
3608  colname, objectname)));
3609  break;
3610  case ACLCHECK_NOT_OWNER:
3611  /* relation msg is OK since columns don't have separate owners */
3612  aclcheck_error(aclerr, objtype, objectname);
3613  break;
3614  default:
3615  elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
3616  break;
3617  }
3618 }
3619 
3620 
3621 /*
3622  * Special common handling for types: use element type instead of array type,
3623  * and format nicely
3624  */
3625 void
3627 {
3628  Oid element_type = get_element_type(typeOid);
3629 
3630  aclcheck_error(aclerr, OBJECT_TYPE, format_type_be(element_type ? element_type : typeOid));
3631 }
3632 
3633 
3634 /*
3635  * Relay for the various pg_*_mask routines depending on object kind
3636  */
3637 static AclMode
3638 pg_aclmask(ObjectType objtype, Oid table_oid, AttrNumber attnum, Oid roleid,
3639  AclMode mask, AclMaskHow how)
3640 {
3641  switch (objtype)
3642  {
3643  case OBJECT_COLUMN:
3644  return
3645  pg_class_aclmask(table_oid, roleid, mask, how) |
3646  pg_attribute_aclmask(table_oid, attnum, roleid, mask, how);
3647  case OBJECT_TABLE:
3648  case OBJECT_SEQUENCE:
3649  return pg_class_aclmask(table_oid, roleid, mask, how);
3650  case OBJECT_DATABASE:
3651  return pg_database_aclmask(table_oid, roleid, mask, how);
3652  case OBJECT_FUNCTION:
3653  return pg_proc_aclmask(table_oid, roleid, mask, how);
3654  case OBJECT_LANGUAGE:
3655  return pg_language_aclmask(table_oid, roleid, mask, how);
3656  case OBJECT_LARGEOBJECT:
3657  return pg_largeobject_aclmask_snapshot(table_oid, roleid,
3658  mask, how, NULL);
3659  case OBJECT_SCHEMA:
3660  return pg_namespace_aclmask(table_oid, roleid, mask, how);
3661  case OBJECT_STATISTIC_EXT:
3662  elog(ERROR, "grantable rights not supported for statistics objects");
3663  /* not reached, but keep compiler quiet */
3664  return ACL_NO_RIGHTS;
3665  case OBJECT_TABLESPACE:
3666  return pg_tablespace_aclmask(table_oid, roleid, mask, how);
3667  case OBJECT_FDW:
3668  return pg_foreign_data_wrapper_aclmask(table_oid, roleid, mask, how);
3669  case OBJECT_FOREIGN_SERVER:
3670  return pg_foreign_server_aclmask(table_oid, roleid, mask, how);
3671  case OBJECT_EVENT_TRIGGER:
3672  elog(ERROR, "grantable rights not supported for event triggers");
3673  /* not reached, but keep compiler quiet */
3674  return ACL_NO_RIGHTS;
3675  case OBJECT_TYPE:
3676  return pg_type_aclmask(table_oid, roleid, mask, how);
3677  default:
3678  elog(ERROR, "unrecognized objtype: %d",
3679  (int) objtype);
3680  /* not reached, but keep compiler quiet */
3681  return ACL_NO_RIGHTS;
3682  }
3683 }
3684 
3685 
3686 /* ****************************************************************
3687  * Exported routines for examining a user's privileges for various objects
3688  *
3689  * See aclmask() for a description of the common API for these functions.
3690  *
3691  * Note: we give lookup failure the full ereport treatment because the
3692  * has_xxx_privilege() family of functions allow users to pass any random
3693  * OID to these functions.
3694  * ****************************************************************
3695  */
3696 
3697 /*
3698  * Exported routine for examining a user's privileges for a column
3699  *
3700  * Note: this considers only privileges granted specifically on the column.
3701  * It is caller's responsibility to take relation-level privileges into account
3702  * as appropriate. (For the same reason, we have no special case for
3703  * superuser-ness here.)
3704  */
3705 AclMode
3707  AclMode mask, AclMaskHow how)
3708 {
3709  return pg_attribute_aclmask_ext(table_oid, attnum, roleid,
3710  mask, how, NULL);
3711 }
3712 
3713 /*
3714  * Exported routine for examining a user's privileges for a column
3715  *
3716  * Does the bulk of the work for pg_attribute_aclmask(), and allows other
3717  * callers to avoid the missing attribute ERROR when is_missing is non-NULL.
3718  */
3719 AclMode
3721  AclMode mask, AclMaskHow how, bool *is_missing)
3722 {
3723  AclMode result;
3724  HeapTuple classTuple;
3725  HeapTuple attTuple;
3726  Form_pg_class classForm;
3727  Form_pg_attribute attributeForm;
3728  Datum aclDatum;
3729  bool isNull;
3730  Acl *acl;
3731  Oid ownerId;
3732 
3733  /*
3734  * First, get the column's ACL from its pg_attribute entry
3735  */
3736  attTuple = SearchSysCache2(ATTNUM,
3737  ObjectIdGetDatum(table_oid),
3738  Int16GetDatum(attnum));
3739  if (!HeapTupleIsValid(attTuple))
3740  {
3741  if (is_missing != NULL)
3742  {
3743  /* return "no privileges" instead of throwing an error */
3744  *is_missing = true;
3745  return 0;
3746  }
3747  else
3748  ereport(ERROR,
3749  (errcode(ERRCODE_UNDEFINED_COLUMN),
3750  errmsg("attribute %d of relation with OID %u does not exist",
3751  attnum, table_oid)));
3752  }
3753 
3754  attributeForm = (Form_pg_attribute) GETSTRUCT(attTuple);
3755 
3756  /* Check dropped columns, too */
3757  if (attributeForm->attisdropped)
3758  {
3759  if (is_missing != NULL)
3760  {
3761  /* return "no privileges" instead of throwing an error */
3762  *is_missing = true;
3763  ReleaseSysCache(attTuple);
3764  return 0;
3765  }
3766  else
3767  ereport(ERROR,
3768  (errcode(ERRCODE_UNDEFINED_COLUMN),
3769  errmsg("attribute %d of relation with OID %u does not exist",
3770  attnum, table_oid)));
3771  }
3772 
3773  aclDatum = SysCacheGetAttr(ATTNUM, attTuple, Anum_pg_attribute_attacl,
3774  &isNull);
3775 
3776  /*
3777  * Here we hard-wire knowledge that the default ACL for a column grants no
3778  * privileges, so that we can fall out quickly in the very common case
3779  * where attacl is null.
3780  */
3781  if (isNull)
3782  {
3783  ReleaseSysCache(attTuple);
3784  return 0;
3785  }
3786 
3787  /*
3788  * Must get the relation's ownerId from pg_class. Since we already found
3789  * a pg_attribute entry, the only likely reason for this to fail is that a
3790  * concurrent DROP of the relation committed since then (which could only
3791  * happen if we don't have lock on the relation). We prefer to report "no
3792  * privileges" rather than failing in such a case, so as to avoid unwanted
3793  * failures in has_column_privilege() tests.
3794  */
3795  classTuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
3796  if (!HeapTupleIsValid(classTuple))
3797  {
3798  ReleaseSysCache(attTuple);
3799  return 0;
3800  }
3801  classForm = (Form_pg_class) GETSTRUCT(classTuple);
3802 
3803  ownerId = classForm->relowner;
3804 
3805  ReleaseSysCache(classTuple);
3806 
3807  /* detoast column's ACL if necessary */
3808  acl = DatumGetAclP(aclDatum);
3809 
3810  result = aclmask(acl, roleid, ownerId, mask, how);
3811 
3812  /* if we have a detoasted copy, free it */
3813  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
3814  pfree(acl);
3815 
3816  ReleaseSysCache(attTuple);
3817 
3818  return result;
3819 }
3820 
3821 /*
3822  * Exported routine for examining a user's privileges for a table
3823  */
3824 AclMode
3825 pg_class_aclmask(Oid table_oid, Oid roleid,
3826  AclMode mask, AclMaskHow how)
3827 {
3828  return pg_class_aclmask_ext(table_oid, roleid, mask, how, NULL);
3829 }
3830 
3831 /*
3832  * Exported routine for examining a user's privileges for a table
3833  *
3834  * Does the bulk of the work for pg_class_aclmask(), and allows other
3835  * callers to avoid the missing relation ERROR when is_missing is non-NULL.
3836  */
3837 AclMode
3838 pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
3839  AclMaskHow how, bool *is_missing)
3840 {
3841  AclMode result;
3842  HeapTuple tuple;
3843  Form_pg_class classForm;
3844  Datum aclDatum;
3845  bool isNull;
3846  Acl *acl;
3847  Oid ownerId;
3848 
3849  /*
3850  * Must get the relation's tuple from pg_class
3851  */
3852  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
3853  if (!HeapTupleIsValid(tuple))
3854  {
3855  if (is_missing != NULL)
3856  {
3857  /* return "no privileges" instead of throwing an error */
3858  *is_missing = true;
3859  return 0;
3860  }
3861  else
3862  ereport(ERROR,
3864  errmsg("relation with OID %u does not exist",
3865  table_oid)));
3866  }
3867 
3868  classForm = (Form_pg_class) GETSTRUCT(tuple);
3869 
3870  /*
3871  * Deny anyone permission to update a system catalog unless
3872  * pg_authid.rolsuper is set.
3873  *
3874  * As of 7.4 we have some updatable system views; those shouldn't be
3875  * protected in this way. Assume the view rules can take care of
3876  * themselves. ACL_USAGE is if we ever have system sequences.
3877  */
3878  if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) &&
3879  IsSystemClass(table_oid, classForm) &&
3880  classForm->relkind != RELKIND_VIEW &&
3881  !superuser_arg(roleid))
3883 
3884  /*
3885  * Otherwise, superusers bypass all permission-checking.
3886  */
3887  if (superuser_arg(roleid))
3888  {
3889  ReleaseSysCache(tuple);
3890  return mask;
3891  }
3892 
3893  /*
3894  * Normal case: get the relation's ACL from pg_class
3895  */
3896  ownerId = classForm->relowner;
3897 
3898  aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
3899  &isNull);
3900  if (isNull)
3901  {
3902  /* No ACL, so build default ACL */
3903  switch (classForm->relkind)
3904  {
3905  case RELKIND_SEQUENCE:
3906  acl = acldefault(OBJECT_SEQUENCE, ownerId);
3907  break;
3908  default:
3909  acl = acldefault(OBJECT_TABLE, ownerId);
3910  break;
3911  }
3912  aclDatum = (Datum) 0;
3913  }
3914  else
3915  {
3916  /* detoast rel's ACL if necessary */
3917  acl = DatumGetAclP(aclDatum);
3918  }
3919 
3920  result = aclmask(acl, roleid, ownerId, mask, how);
3921 
3922  /* if we have a detoasted copy, free it */
3923  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
3924  pfree(acl);
3925 
3926  ReleaseSysCache(tuple);
3927 
3928  /*
3929  * Check if ACL_SELECT is being checked and, if so, and not set already as
3930  * part of the result, then check if the user is a member of the
3931  * pg_read_all_data role, which allows read access to all relations.
3932  */
3933  if (mask & ACL_SELECT && !(result & ACL_SELECT) &&
3934  has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA))
3935  result |= ACL_SELECT;
3936 
3937  /*
3938  * Check if ACL_INSERT, ACL_UPDATE, or ACL_DELETE is being checked and, if
3939  * so, and not set already as part of the result, then check if the user
3940  * is a member of the pg_write_all_data role, which allows
3941  * INSERT/UPDATE/DELETE access to all relations (except system catalogs,
3942  * which requires superuser, see above).
3943  */
3944  if (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE) &&
3945  !(result & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)) &&
3946  has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA))
3947  result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE));
3948 
3949  return result;
3950 }
3951 
3952 /*
3953  * Exported routine for examining a user's privileges for a database
3954  */
3955 AclMode
3956 pg_database_aclmask(Oid db_oid, Oid roleid,
3957  AclMode mask, AclMaskHow how)
3958 {
3959  AclMode result;
3960  HeapTuple tuple;
3961  Datum aclDatum;
3962  bool isNull;
3963  Acl *acl;
3964  Oid ownerId;
3965 
3966  /* Superusers bypass all permission checking. */
3967  if (superuser_arg(roleid))
3968  return mask;
3969 
3970  /*
3971  * Get the database's ACL from pg_database
3972  */
3973  tuple = SearchSysCache1(DATABASEOID, ObjectIdGetDatum(db_oid));
3974  if (!HeapTupleIsValid(tuple))
3975  ereport(ERROR,
3976  (errcode(ERRCODE_UNDEFINED_DATABASE),
3977  errmsg("database with OID %u does not exist", db_oid)));
3978 
3979  ownerId = ((Form_pg_database) GETSTRUCT(tuple))->datdba;
3980 
3981  aclDatum = SysCacheGetAttr(DATABASEOID, tuple, Anum_pg_database_datacl,
3982  &isNull);
3983  if (isNull)
3984  {
3985  /* No ACL, so build default ACL */
3986  acl = acldefault(OBJECT_DATABASE, ownerId);
3987  aclDatum = (Datum) 0;
3988  }
3989  else
3990  {
3991  /* detoast ACL if necessary */
3992  acl = DatumGetAclP(aclDatum);
3993  }
3994 
3995  result = aclmask(acl, roleid, ownerId, mask, how);
3996 
3997  /* if we have a detoasted copy, free it */
3998  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
3999  pfree(acl);
4000 
4001  ReleaseSysCache(tuple);
4002 
4003  return result;
4004 }
4005 
4006 /*
4007  * Exported routine for examining a user's privileges for a function
4008  */
4009 AclMode
4010 pg_proc_aclmask(Oid proc_oid, Oid roleid,
4011  AclMode mask, AclMaskHow how)
4012 {
4013  AclMode result;
4014  HeapTuple tuple;
4015  Datum aclDatum;
4016  bool isNull;
4017  Acl *acl;
4018  Oid ownerId;
4019 
4020  /* Superusers bypass all permission checking. */
4021  if (superuser_arg(roleid))
4022  return mask;
4023 
4024  /*
4025  * Get the function's ACL from pg_proc
4026  */
4027  tuple = SearchSysCache1(PROCOID, ObjectIdGetDatum(proc_oid));
4028  if (!HeapTupleIsValid(tuple))
4029  ereport(ERROR,
4030  (errcode(ERRCODE_UNDEFINED_FUNCTION),
4031  errmsg("function with OID %u does not exist", proc_oid)));
4032 
4033  ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner;
4034 
4035  aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
4036  &isNull);
4037  if (isNull)
4038  {
4039  /* No ACL, so build default ACL */
4040  acl = acldefault(OBJECT_FUNCTION, ownerId);
4041  aclDatum = (Datum) 0;
4042  }
4043  else
4044  {
4045  /* detoast ACL if necessary */
4046  acl = DatumGetAclP(aclDatum);
4047  }
4048 
4049  result = aclmask(acl, roleid, ownerId, mask, how);
4050 
4051  /* if we have a detoasted copy, free it */
4052  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4053  pfree(acl);
4054 
4055  ReleaseSysCache(tuple);
4056 
4057  return result;
4058 }
4059 
4060 /*
4061  * Exported routine for examining a user's privileges for a language
4062  */
4063 AclMode
4064 pg_language_aclmask(Oid lang_oid, Oid roleid,
4065  AclMode mask, AclMaskHow how)
4066 {
4067  AclMode result;
4068  HeapTuple tuple;
4069  Datum aclDatum;
4070  bool isNull;
4071  Acl *acl;
4072  Oid ownerId;
4073 
4074  /* Superusers bypass all permission checking. */
4075  if (superuser_arg(roleid))
4076  return mask;
4077 
4078  /*
4079  * Get the language's ACL from pg_language
4080  */
4081  tuple = SearchSysCache1(LANGOID, ObjectIdGetDatum(lang_oid));
4082  if (!HeapTupleIsValid(tuple))
4083  ereport(ERROR,
4084  (errcode(ERRCODE_UNDEFINED_OBJECT),
4085  errmsg("language with OID %u does not exist", lang_oid)));
4086 
4087  ownerId = ((Form_pg_language) GETSTRUCT(tuple))->lanowner;
4088 
4089  aclDatum = SysCacheGetAttr(LANGOID, tuple, Anum_pg_language_lanacl,
4090  &isNull);
4091  if (isNull)
4092  {
4093  /* No ACL, so build default ACL */
4094  acl = acldefault(OBJECT_LANGUAGE, ownerId);
4095  aclDatum = (Datum) 0;
4096  }
4097  else
4098  {
4099  /* detoast ACL if necessary */
4100  acl = DatumGetAclP(aclDatum);
4101  }
4102 
4103  result = aclmask(acl, roleid, ownerId, mask, how);
4104 
4105  /* if we have a detoasted copy, free it */
4106  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4107  pfree(acl);
4108 
4109  ReleaseSysCache(tuple);
4110 
4111  return result;
4112 }
4113 
4114 /*
4115  * Exported routine for examining a user's privileges for a largeobject
4116  *
4117  * When a large object is opened for reading, it is opened relative to the
4118  * caller's snapshot, but when it is opened for writing, a current
4119  * MVCC snapshot will be used. See doc/src/sgml/lobj.sgml. This function
4120  * takes a snapshot argument so that the permissions check can be made
4121  * relative to the same snapshot that will be used to read the underlying
4122  * data. The caller will actually pass NULL for an instantaneous MVCC
4123  * snapshot, since all we do with the snapshot argument is pass it through
4124  * to systable_beginscan().
4125  */
4126 AclMode
4128  AclMode mask, AclMaskHow how,
4129  Snapshot snapshot)
4130 {
4131  AclMode result;
4132  Relation pg_lo_meta;
4133  ScanKeyData entry[1];
4134  SysScanDesc scan;
4135  HeapTuple tuple;
4136  Datum aclDatum;
4137  bool isNull;
4138  Acl *acl;
4139  Oid ownerId;
4140 
4141  /* Superusers bypass all permission checking. */
4142  if (superuser_arg(roleid))
4143  return mask;
4144 
4145  /*
4146  * Get the largeobject's ACL from pg_largeobject_metadata
4147  */
4148  pg_lo_meta = table_open(LargeObjectMetadataRelationId,
4149  AccessShareLock);
4150 
4151  ScanKeyInit(&entry[0],
4152  Anum_pg_largeobject_metadata_oid,
4153  BTEqualStrategyNumber, F_OIDEQ,
4154  ObjectIdGetDatum(lobj_oid));
4155 
4156  scan = systable_beginscan(pg_lo_meta,
4158  snapshot, 1, entry);
4159 
4160  tuple = systable_getnext(scan);
4161  if (!HeapTupleIsValid(tuple))
4162  ereport(ERROR,
4163  (errcode(ERRCODE_UNDEFINED_OBJECT),
4164  errmsg("large object %u does not exist", lobj_oid)));
4165 
4166  ownerId = ((Form_pg_largeobject_metadata) GETSTRUCT(tuple))->lomowner;
4167 
4168  aclDatum = heap_getattr(tuple, Anum_pg_largeobject_metadata_lomacl,
4169  RelationGetDescr(pg_lo_meta), &isNull);
4170 
4171  if (isNull)
4172  {
4173  /* No ACL, so build default ACL */
4174  acl = acldefault(OBJECT_LARGEOBJECT, ownerId);
4175  aclDatum = (Datum) 0;
4176  }
4177  else
4178  {
4179  /* detoast ACL if necessary */
4180  acl = DatumGetAclP(aclDatum);
4181  }
4182 
4183  result = aclmask(acl, roleid, ownerId, mask, how);
4184 
4185  /* if we have a detoasted copy, free it */
4186  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4187  pfree(acl);
4188 
4189  systable_endscan(scan);
4190 
4191  table_close(pg_lo_meta, AccessShareLock);
4192 
4193  return result;
4194 }
4195 
4196 /*
4197  * Exported routine for examining a user's privileges for a namespace
4198  */
4199 AclMode
4200 pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
4201  AclMode mask, AclMaskHow how)
4202 {
4203  AclMode result;
4204  HeapTuple tuple;
4205  Datum aclDatum;
4206  bool isNull;
4207  Acl *acl;
4208  Oid ownerId;
4209 
4210  /* Superusers bypass all permission checking. */
4211  if (superuser_arg(roleid))
4212  return mask;
4213 
4214  /*
4215  * If we have been assigned this namespace as a temp namespace, check to
4216  * make sure we have CREATE TEMP permission on the database, and if so act
4217  * as though we have all standard (but not GRANT OPTION) permissions on
4218  * the namespace. If we don't have CREATE TEMP, act as though we have
4219  * only USAGE (and not CREATE) rights.
4220  *
4221  * This may seem redundant given the check in InitTempTableNamespace, but
4222  * it really isn't since current user ID may have changed since then. The
4223  * upshot of this behavior is that a SECURITY DEFINER function can create
4224  * temp tables that can then be accessed (if permission is granted) by
4225  * code in the same session that doesn't have permissions to create temp
4226  * tables.
4227  *
4228  * XXX Would it be safe to ereport a special error message as
4229  * InitTempTableNamespace does? Returning zero here means we'll get a
4230  * generic "permission denied for schema pg_temp_N" message, which is not
4231  * remarkably user-friendly.
4232  */
4233  if (isTempNamespace(nsp_oid))
4234  {
4235  if (pg_database_aclcheck(MyDatabaseId, roleid,
4237  return mask & ACL_ALL_RIGHTS_SCHEMA;
4238  else
4239  return mask & ACL_USAGE;
4240  }
4241 
4242  /*
4243  * Get the schema's ACL from pg_namespace
4244  */
4245  tuple = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(nsp_oid));
4246  if (!HeapTupleIsValid(tuple))
4247  ereport(ERROR,
4248  (errcode(ERRCODE_UNDEFINED_SCHEMA),
4249  errmsg("schema with OID %u does not exist", nsp_oid)));
4250 
4251  ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
4252 
4253  aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl,
4254  &isNull);
4255  if (isNull)
4256  {
4257  /* No ACL, so build default ACL */
4258  acl = acldefault(OBJECT_SCHEMA, ownerId);
4259  aclDatum = (Datum) 0;
4260  }
4261  else
4262  {
4263  /* detoast ACL if necessary */
4264  acl = DatumGetAclP(aclDatum);
4265  }
4266 
4267  result = aclmask(acl, roleid, ownerId, mask, how);
4268 
4269  /* if we have a detoasted copy, free it */
4270  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4271  pfree(acl);
4272 
4273  ReleaseSysCache(tuple);
4274 
4275  /*
4276  * Check if ACL_USAGE is being checked and, if so, and not set already as
4277  * part of the result, then check if the user is a member of the
4278  * pg_read_all_data or pg_write_all_data roles, which allow usage access
4279  * to all schemas.
4280  */
4281  if (mask & ACL_USAGE && !(result & ACL_USAGE) &&
4282  (has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA) ||
4283  has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA)))
4284  result |= ACL_USAGE;
4285  return result;
4286 }
4287 
4288 /*
4289  * Exported routine for examining a user's privileges for a tablespace
4290  */
4291 AclMode
4293  AclMode mask, AclMaskHow how)
4294 {
4295  AclMode result;
4296  HeapTuple tuple;
4297  Datum aclDatum;
4298  bool isNull;
4299  Acl *acl;
4300  Oid ownerId;
4301 
4302  /* Superusers bypass all permission checking. */
4303  if (superuser_arg(roleid))
4304  return mask;
4305 
4306  /*
4307  * Get the tablespace's ACL from pg_tablespace
4308  */
4309  tuple = SearchSysCache1(TABLESPACEOID, ObjectIdGetDatum(spc_oid));
4310  if (!HeapTupleIsValid(tuple))
4311  ereport(ERROR,
4312  (errcode(ERRCODE_UNDEFINED_OBJECT),
4313  errmsg("tablespace with OID %u does not exist", spc_oid)));
4314 
4315  ownerId = ((Form_pg_tablespace) GETSTRUCT(tuple))->spcowner;
4316 
4317  aclDatum = SysCacheGetAttr(TABLESPACEOID, tuple,
4318  Anum_pg_tablespace_spcacl,
4319  &isNull);
4320 
4321  if (isNull)
4322  {
4323  /* No ACL, so build default ACL */
4324  acl = acldefault(OBJECT_TABLESPACE, ownerId);
4325  aclDatum = (Datum) 0;
4326  }
4327  else
4328  {
4329  /* detoast ACL if necessary */
4330  acl = DatumGetAclP(aclDatum);
4331  }
4332 
4333  result = aclmask(acl, roleid, ownerId, mask, how);
4334 
4335  /* if we have a detoasted copy, free it */
4336  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4337  pfree(acl);
4338 
4339  ReleaseSysCache(tuple);
4340 
4341  return result;
4342 }
4343 
4344 /*
4345  * Exported routine for examining a user's privileges for a foreign
4346  * data wrapper
4347  */
4348 AclMode
4350  AclMode mask, AclMaskHow how)
4351 {
4352  AclMode result;
4353  HeapTuple tuple;
4354  Datum aclDatum;
4355  bool isNull;
4356  Acl *acl;
4357  Oid ownerId;
4358 
4360 
4361  /* Bypass permission checks for superusers */
4362  if (superuser_arg(roleid))
4363  return mask;
4364 
4365  /*
4366  * Must get the FDW's tuple from pg_foreign_data_wrapper
4367  */
4369  if (!HeapTupleIsValid(tuple))
4370  ereport(ERROR,
4371  (errcode(ERRCODE_UNDEFINED_OBJECT),
4372  errmsg("foreign-data wrapper with OID %u does not exist",
4373  fdw_oid)));
4374  fdwForm = (Form_pg_foreign_data_wrapper) GETSTRUCT(tuple);
4375 
4376  /*
4377  * Normal case: get the FDW's ACL from pg_foreign_data_wrapper
4378  */
4379  ownerId = fdwForm->fdwowner;
4380 
4381  aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple,
4382  Anum_pg_foreign_data_wrapper_fdwacl, &isNull);
4383  if (isNull)
4384  {
4385  /* No ACL, so build default ACL */
4386  acl = acldefault(OBJECT_FDW, ownerId);
4387  aclDatum = (Datum) 0;
4388  }
4389  else
4390  {
4391  /* detoast rel's ACL if necessary */
4392  acl = DatumGetAclP(aclDatum);
4393  }
4394 
4395  result = aclmask(acl, roleid, ownerId, mask, how);
4396 
4397  /* if we have a detoasted copy, free it */
4398  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4399  pfree(acl);
4400 
4401  ReleaseSysCache(tuple);
4402 
4403  return result;
4404 }
4405 
4406 /*
4407  * Exported routine for examining a user's privileges for a foreign
4408  * server.
4409  */
4410 AclMode
4412  AclMode mask, AclMaskHow how)
4413 {
4414  AclMode result;
4415  HeapTuple tuple;
4416  Datum aclDatum;
4417  bool isNull;
4418  Acl *acl;
4419  Oid ownerId;
4420 
4421  Form_pg_foreign_server srvForm;
4422 
4423  /* Bypass permission checks for superusers */
4424  if (superuser_arg(roleid))
4425  return mask;
4426 
4427  /*
4428  * Must get the FDW's tuple from pg_foreign_data_wrapper
4429  */
4431  if (!HeapTupleIsValid(tuple))
4432  ereport(ERROR,
4433  (errcode(ERRCODE_UNDEFINED_OBJECT),
4434  errmsg("foreign server with OID %u does not exist",
4435  srv_oid)));
4436  srvForm = (Form_pg_foreign_server) GETSTRUCT(tuple);
4437 
4438  /*
4439  * Normal case: get the foreign server's ACL from pg_foreign_server
4440  */
4441  ownerId = srvForm->srvowner;
4442 
4443  aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple,
4444  Anum_pg_foreign_server_srvacl, &isNull);
4445  if (isNull)
4446  {
4447  /* No ACL, so build default ACL */
4448  acl = acldefault(OBJECT_FOREIGN_SERVER, ownerId);
4449  aclDatum = (Datum) 0;
4450  }
4451  else
4452  {
4453  /* detoast rel's ACL if necessary */
4454  acl = DatumGetAclP(aclDatum);
4455  }
4456 
4457  result = aclmask(acl, roleid, ownerId, mask, how);
4458 
4459  /* if we have a detoasted copy, free it */
4460  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4461  pfree(acl);
4462 
4463  ReleaseSysCache(tuple);
4464 
4465  return result;
4466 }
4467 
4468 /*
4469  * Exported routine for examining a user's privileges for a type.
4470  */
4471 AclMode
4472 pg_type_aclmask(Oid type_oid, Oid roleid, AclMode mask, AclMaskHow how)
4473 {
4474  AclMode result;
4475  HeapTuple tuple;
4476  Datum aclDatum;
4477  bool isNull;
4478  Acl *acl;
4479  Oid ownerId;
4480 
4481  Form_pg_type typeForm;
4482 
4483  /* Bypass permission checks for superusers */
4484  if (superuser_arg(roleid))
4485  return mask;
4486 
4487  /*
4488  * Must get the type's tuple from pg_type
4489  */
4490  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(type_oid));
4491  if (!HeapTupleIsValid(tuple))
4492  ereport(ERROR,
4493  (errcode(ERRCODE_UNDEFINED_OBJECT),
4494  errmsg("type with OID %u does not exist",
4495  type_oid)));
4496  typeForm = (Form_pg_type) GETSTRUCT(tuple);
4497 
4498  /*
4499  * "True" array types don't manage permissions of their own; consult the
4500  * element type instead.
4501  */
4502  if (IsTrueArrayType(typeForm))
4503  {
4504  Oid elttype_oid = typeForm->typelem;
4505 
4506  ReleaseSysCache(tuple);
4507 
4508  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(elttype_oid));
4509  /* this case is not a user-facing error, so elog not ereport */
4510  if (!HeapTupleIsValid(tuple))
4511  elog(ERROR, "cache lookup failed for type %u", elttype_oid);
4512  typeForm = (Form_pg_type) GETSTRUCT(tuple);
4513  }
4514 
4515  /*
4516  * Now get the type's owner and ACL from the tuple
4517  */
4518  ownerId = typeForm->typowner;
4519 
4520  aclDatum = SysCacheGetAttr(TYPEOID, tuple,
4521  Anum_pg_type_typacl, &isNull);
4522  if (isNull)
4523  {
4524  /* No ACL, so build default ACL */
4525  acl = acldefault(OBJECT_TYPE, ownerId);
4526  aclDatum = (Datum) 0;
4527  }
4528  else
4529  {
4530  /* detoast rel's ACL if necessary */
4531  acl = DatumGetAclP(aclDatum);
4532  }
4533 
4534  result = aclmask(acl, roleid, ownerId, mask, how);
4535 
4536  /* if we have a detoasted copy, free it */
4537  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4538  pfree(acl);
4539 
4540  ReleaseSysCache(tuple);
4541 
4542  return result;
4543 }
4544 
4545 /*
4546  * Exported routine for checking a user's access privileges to a column
4547  *
4548  * Returns ACLCHECK_OK if the user has any of the privileges identified by
4549  * 'mode'; otherwise returns a suitable error code (in practice, always
4550  * ACLCHECK_NO_PRIV).
4551  *
4552  * As with pg_attribute_aclmask, only privileges granted directly on the
4553  * column are considered here.
4554  */
4555 AclResult
4557  Oid roleid, AclMode mode)
4558 {
4559  return pg_attribute_aclcheck_ext(table_oid, attnum, roleid, mode, NULL);
4560 }
4561 
4562 
4563 /*
4564  * Exported routine for checking a user's access privileges to a column
4565  *
4566  * Does the bulk of the work for pg_attribute_aclcheck(), and allows other
4567  * callers to avoid the missing attribute ERROR when is_missing is non-NULL.
4568  */
4569 AclResult
4571  Oid roleid, AclMode mode, bool *is_missing)
4572 {
4573  if (pg_attribute_aclmask_ext(table_oid, attnum, roleid, mode,
4574  ACLMASK_ANY, is_missing) != 0)
4575  return ACLCHECK_OK;
4576  else
4577  return ACLCHECK_NO_PRIV;
4578 }
4579 
4580 /*
4581  * Exported routine for checking a user's access privileges to any/all columns
4582  *
4583  * If 'how' is ACLMASK_ANY, then returns ACLCHECK_OK if user has any of the
4584  * privileges identified by 'mode' on any non-dropped column in the relation;
4585  * otherwise returns a suitable error code (in practice, always
4586  * ACLCHECK_NO_PRIV).
4587  *
4588  * If 'how' is ACLMASK_ALL, then returns ACLCHECK_OK if user has any of the
4589  * privileges identified by 'mode' on each non-dropped column in the relation
4590  * (and there must be at least one such column); otherwise returns a suitable
4591  * error code (in practice, always ACLCHECK_NO_PRIV).
4592  *
4593  * As with pg_attribute_aclmask, only privileges granted directly on the
4594  * column(s) are considered here.
4595  *
4596  * Note: system columns are not considered here; there are cases where that
4597  * might be appropriate but there are also cases where it wouldn't.
4598  */
4599 AclResult
4601  AclMaskHow how)
4602 {
4603  AclResult result;
4604  HeapTuple classTuple;
4605  Form_pg_class classForm;
4606  AttrNumber nattrs;
4607  AttrNumber curr_att;
4608 
4609  /*
4610  * Must fetch pg_class row to check number of attributes. As in
4611  * pg_attribute_aclmask, we prefer to return "no privileges" instead of
4612  * throwing an error if we get any unexpected lookup errors.
4613  */
4614  classTuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
4615  if (!HeapTupleIsValid(classTuple))
4616  return ACLCHECK_NO_PRIV;
4617  classForm = (Form_pg_class) GETSTRUCT(classTuple);
4618 
4619  nattrs = classForm->relnatts;
4620 
4621  ReleaseSysCache(classTuple);
4622 
4623  /*
4624  * Initialize result in case there are no non-dropped columns. We want to
4625  * report failure in such cases for either value of 'how'.
4626  */
4627  result = ACLCHECK_NO_PRIV;
4628 
4629  for (curr_att = 1; curr_att <= nattrs; curr_att++)
4630  {
4631  HeapTuple attTuple;
4632  AclMode attmask;
4633 
4634  attTuple = SearchSysCache2(ATTNUM,
4635  ObjectIdGetDatum(table_oid),
4636  Int16GetDatum(curr_att));
4637  if (!HeapTupleIsValid(attTuple))
4638  continue;
4639 
4640  /* ignore dropped columns */
4641  if (((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped)
4642  {
4643  ReleaseSysCache(attTuple);
4644  continue;
4645  }
4646 
4647  /*
4648  * Here we hard-wire knowledge that the default ACL for a column
4649  * grants no privileges, so that we can fall out quickly in the very
4650  * common case where attacl is null.
4651  */
4652  if (heap_attisnull(attTuple, Anum_pg_attribute_attacl, NULL))
4653  attmask = 0;
4654  else
4655  attmask = pg_attribute_aclmask(table_oid, curr_att, roleid,
4656  mode, ACLMASK_ANY);
4657 
4658  ReleaseSysCache(attTuple);
4659 
4660  if (attmask != 0)
4661  {
4662  result = ACLCHECK_OK;
4663  if (how == ACLMASK_ANY)
4664  break; /* succeed on any success */
4665  }
4666  else
4667  {
4668  result = ACLCHECK_NO_PRIV;
4669  if (how == ACLMASK_ALL)
4670  break; /* fail on any failure */
4671  }
4672  }
4673 
4674  return result;
4675 }
4676 
4677 /*
4678  * Exported routine for checking a user's access privileges to a table
4679  *
4680  * Returns ACLCHECK_OK if the user has any of the privileges identified by
4681  * 'mode'; otherwise returns a suitable error code (in practice, always
4682  * ACLCHECK_NO_PRIV).
4683  */
4684 AclResult
4685 pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode)
4686 {
4687  return pg_class_aclcheck_ext(table_oid, roleid, mode, NULL);
4688 }
4689 
4690 /*
4691  * Exported routine for checking a user's access privileges to a table
4692  *
4693  * Does the bulk of the work for pg_class_aclcheck(), and allows other
4694  * callers to avoid the missing relation ERROR when is_missing is non-NULL.
4695  */
4696 AclResult
4697 pg_class_aclcheck_ext(Oid table_oid, Oid roleid,
4698  AclMode mode, bool *is_missing)
4699 {
4700  if (pg_class_aclmask_ext(table_oid, roleid, mode,
4701  ACLMASK_ANY, is_missing) != 0)
4702  return ACLCHECK_OK;
4703  else
4704  return ACLCHECK_NO_PRIV;
4705 }
4706 
4707 /*
4708  * Exported routine for checking a user's access privileges to a database
4709  */
4710 AclResult
4712 {
4713  if (pg_database_aclmask(db_oid, roleid, mode, ACLMASK_ANY) != 0)
4714  return ACLCHECK_OK;
4715  else
4716  return ACLCHECK_NO_PRIV;
4717 }
4718 
4719 /*
4720  * Exported routine for checking a user's access privileges to a function
4721  */
4722 AclResult
4724 {
4725  if (pg_proc_aclmask(proc_oid, roleid, mode, ACLMASK_ANY) != 0)
4726  return ACLCHECK_OK;
4727  else
4728  return ACLCHECK_NO_PRIV;
4729 }
4730 
4731 /*
4732  * Exported routine for checking a user's access privileges to a language
4733  */
4734 AclResult
4736 {
4737  if (pg_language_aclmask(lang_oid, roleid, mode, ACLMASK_ANY) != 0)
4738  return ACLCHECK_OK;
4739  else
4740  return ACLCHECK_NO_PRIV;
4741 }
4742 
4743 /*
4744  * Exported routine for checking a user's access privileges to a largeobject
4745  */
4746 AclResult
4748  Snapshot snapshot)
4749 {
4750  if (pg_largeobject_aclmask_snapshot(lobj_oid, roleid, mode,
4751  ACLMASK_ANY, snapshot) != 0)
4752  return ACLCHECK_OK;
4753  else
4754  return ACLCHECK_NO_PRIV;
4755 }
4756 
4757 /*
4758  * Exported routine for checking a user's access privileges to a namespace
4759  */
4760 AclResult
4762 {
4763  if (pg_namespace_aclmask(nsp_oid, roleid, mode, ACLMASK_ANY) != 0)
4764  return ACLCHECK_OK;
4765  else
4766  return ACLCHECK_NO_PRIV;
4767 }
4768 
4769 /*
4770  * Exported routine for checking a user's access privileges to a tablespace
4771  */
4772 AclResult
4774 {
4775  if (pg_tablespace_aclmask(spc_oid, roleid, mode, ACLMASK_ANY) != 0)
4776  return ACLCHECK_OK;
4777  else
4778  return ACLCHECK_NO_PRIV;
4779 }
4780 
4781 /*
4782  * Exported routine for checking a user's access privileges to a foreign
4783  * data wrapper
4784  */
4785 AclResult
4787 {
4788  if (pg_foreign_data_wrapper_aclmask(fdw_oid, roleid, mode, ACLMASK_ANY) != 0)
4789  return ACLCHECK_OK;
4790  else
4791  return ACLCHECK_NO_PRIV;
4792 }
4793 
4794 /*
4795  * Exported routine for checking a user's access privileges to a foreign
4796  * server
4797  */
4798 AclResult
4800 {
4801  if (pg_foreign_server_aclmask(srv_oid, roleid, mode, ACLMASK_ANY) != 0)
4802  return ACLCHECK_OK;
4803  else
4804  return ACLCHECK_NO_PRIV;
4805 }
4806 
4807 /*
4808  * Exported routine for checking a user's access privileges to a type
4809  */
4810 AclResult
4812 {
4813  if (pg_type_aclmask(type_oid, roleid, mode, ACLMASK_ANY) != 0)
4814  return ACLCHECK_OK;
4815  else
4816  return ACLCHECK_NO_PRIV;
4817 }
4818 
4819 /*
4820  * Ownership check for a relation (specified by OID).
4821  */
4822 bool
4823 pg_class_ownercheck(Oid class_oid, Oid roleid)
4824 {
4825  HeapTuple tuple;
4826  Oid ownerId;
4827 
4828  /* Superusers bypass all permission checking. */
4829  if (superuser_arg(roleid))
4830  return true;
4831 
4832  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(class_oid));
4833  if (!HeapTupleIsValid(tuple))
4834  ereport(ERROR,
4836  errmsg("relation with OID %u does not exist", class_oid)));
4837 
4838  ownerId = ((Form_pg_class) GETSTRUCT(tuple))->relowner;
4839 
4840  ReleaseSysCache(tuple);
4841 
4842  return has_privs_of_role(roleid, ownerId);
4843 }
4844 
4845 /*
4846  * Ownership check for a type (specified by OID).
4847  */
4848 bool
4849 pg_type_ownercheck(Oid type_oid, Oid roleid)
4850 {
4851  HeapTuple tuple;
4852  Oid ownerId;
4853 
4854  /* Superusers bypass all permission checking. */
4855  if (superuser_arg(roleid))
4856  return true;
4857 
4858  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(type_oid));
4859  if (!HeapTupleIsValid(tuple))
4860  ereport(ERROR,
4861  (errcode(ERRCODE_UNDEFINED_OBJECT),
4862  errmsg("type with OID %u does not exist", type_oid)));
4863 
4864  ownerId = ((Form_pg_type) GETSTRUCT(tuple))->typowner;
4865 
4866  ReleaseSysCache(tuple);
4867 
4868  return has_privs_of_role(roleid, ownerId);
4869 }
4870 
4871 /*
4872  * Ownership check for an operator (specified by OID).
4873  */
4874 bool
4875 pg_oper_ownercheck(Oid oper_oid, Oid roleid)
4876 {
4877  HeapTuple tuple;
4878  Oid ownerId;
4879 
4880  /* Superusers bypass all permission checking. */
4881  if (superuser_arg(roleid))
4882  return true;
4883 
4884  tuple = SearchSysCache1(OPEROID, ObjectIdGetDatum(oper_oid));
4885  if (!HeapTupleIsValid(tuple))
4886  ereport(ERROR,
4887  (errcode(ERRCODE_UNDEFINED_FUNCTION),
4888  errmsg("operator with OID %u does not exist", oper_oid)));
4889 
4890  ownerId = ((Form_pg_operator) GETSTRUCT(tuple))->oprowner;
4891 
4892  ReleaseSysCache(tuple);
4893 
4894  return has_privs_of_role(roleid, ownerId);
4895 }
4896 
4897 /*
4898  * Ownership check for a function (specified by OID).
4899  */
4900 bool
4901 pg_proc_ownercheck(Oid proc_oid, Oid roleid)
4902 {
4903  HeapTuple tuple;
4904  Oid ownerId;
4905 
4906  /* Superusers bypass all permission checking. */
4907  if (superuser_arg(roleid))
4908  return true;
4909 
4910  tuple = SearchSysCache1(PROCOID, ObjectIdGetDatum(proc_oid));
4911  if (!HeapTupleIsValid(tuple))
4912  ereport(ERROR,
4913  (errcode(ERRCODE_UNDEFINED_FUNCTION),
4914  errmsg("function with OID %u does not exist", proc_oid)));
4915 
4916  ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner;
4917 
4918  ReleaseSysCache(tuple);
4919 
4920  return has_privs_of_role(roleid, ownerId);
4921 }
4922 
4923 /*
4924  * Ownership check for a procedural language (specified by OID)
4925  */
4926 bool
4928 {
4929  HeapTuple tuple;
4930  Oid ownerId;
4931 
4932  /* Superusers bypass all permission checking. */
4933  if (superuser_arg(roleid))
4934  return true;
4935 
4936  tuple = SearchSysCache1(LANGOID, ObjectIdGetDatum(lan_oid));
4937  if (!HeapTupleIsValid(tuple))
4938  ereport(ERROR,
4939  (errcode(ERRCODE_UNDEFINED_FUNCTION),
4940  errmsg("language with OID %u does not exist", lan_oid)));
4941 
4942  ownerId = ((Form_pg_language) GETSTRUCT(tuple))->lanowner;
4943 
4944  ReleaseSysCache(tuple);
4945 
4946  return has_privs_of_role(roleid, ownerId);
4947 }
4948 
4949 /*
4950  * Ownership check for a largeobject (specified by OID)
4951  *
4952  * This is only used for operations like ALTER LARGE OBJECT that are always
4953  * relative to an up-to-date snapshot.
4954  */
4955 bool
4957 {
4958  Relation pg_lo_meta;
4959  ScanKeyData entry[1];
4960  SysScanDesc scan;
4961  HeapTuple tuple;
4962  Oid ownerId;
4963 
4964  /* Superusers bypass all permission checking. */
4965  if (superuser_arg(roleid))
4966  return true;
4967 
4968  /* There's no syscache for pg_largeobject_metadata */
4969  pg_lo_meta = table_open(LargeObjectMetadataRelationId,
4970  AccessShareLock);
4971 
4972  ScanKeyInit(&entry[0],
4973  Anum_pg_largeobject_metadata_oid,
4974  BTEqualStrategyNumber, F_OIDEQ,
4975  ObjectIdGetDatum(lobj_oid));
4976 
4977  scan = systable_beginscan(pg_lo_meta,
4979  NULL, 1, entry);
4980 
4981  tuple = systable_getnext(scan);
4982  if (!HeapTupleIsValid(tuple))
4983  ereport(ERROR,
4984  (errcode(ERRCODE_UNDEFINED_OBJECT),
4985  errmsg("large object %u does not exist", lobj_oid)));
4986 
4987  ownerId = ((Form_pg_largeobject_metadata) GETSTRUCT(tuple))->lomowner;
4988 
4989  systable_endscan(scan);
4990  table_close(pg_lo_meta, AccessShareLock);
4991 
4992  return has_privs_of_role(roleid, ownerId);
4993 }
4994 
4995 /*
4996  * Ownership check for a namespace (specified by OID).
4997  */
4998 bool
5000 {
5001  HeapTuple tuple;
5002  Oid ownerId;
5003 
5004  /* Superusers bypass all permission checking. */
5005  if (superuser_arg(roleid))
5006  return true;
5007 
5008  tuple = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(nsp_oid));
5009  if (!HeapTupleIsValid(tuple))
5010  ereport(ERROR,
5011  (errcode(ERRCODE_UNDEFINED_SCHEMA),
5012  errmsg("schema with OID %u does not exist", nsp_oid)));
5013 
5014  ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
5015 
5016  ReleaseSysCache(tuple);
5017 
5018  return has_privs_of_role(roleid, ownerId);
5019 }
5020 
5021 /*
5022  * Ownership check for a tablespace (specified by OID).
5023  */
5024 bool
5026 {
5027  HeapTuple spctuple;
5028  Oid spcowner;
5029 
5030  /* Superusers bypass all permission checking. */
5031  if (superuser_arg(roleid))
5032  return true;
5033 
5034  /* Search syscache for pg_tablespace */
5035  spctuple = SearchSysCache1(TABLESPACEOID, ObjectIdGetDatum(spc_oid));
5036  if (!HeapTupleIsValid(spctuple))
5037  ereport(ERROR,
5038  (errcode(ERRCODE_UNDEFINED_OBJECT),
5039  errmsg("tablespace with OID %u does not exist", spc_oid)));
5040 
5041  spcowner = ((Form_pg_tablespace) GETSTRUCT(spctuple))->spcowner;
5042 
5043  ReleaseSysCache(spctuple);
5044 
5045  return has_privs_of_role(roleid, spcowner);
5046 }
5047 
5048 /*
5049  * Ownership check for an operator class (specified by OID).
5050  */
5051 bool
5053 {
5054  HeapTuple tuple;
5055  Oid ownerId;
5056 
5057  /* Superusers bypass all permission checking. */
5058  if (superuser_arg(roleid))
5059  return true;
5060 
5061  tuple = SearchSysCache1(CLAOID, ObjectIdGetDatum(opc_oid));
5062  if (!HeapTupleIsValid(tuple))
5063  ereport(ERROR,
5064  (errcode(ERRCODE_UNDEFINED_OBJECT),
5065  errmsg("operator class with OID %u does not exist",
5066  opc_oid)));
5067 
5068  ownerId = ((Form_pg_opclass) GETSTRUCT(tuple))->opcowner;
5069 
5070  ReleaseSysCache(tuple);
5071 
5072  return has_privs_of_role(roleid, ownerId);
5073 }
5074 
5075 /*
5076  * Ownership check for an operator family (specified by OID).
5077  */
5078 bool
5080 {
5081  HeapTuple tuple;
5082  Oid ownerId;
5083 
5084  /* Superusers bypass all permission checking. */
5085  if (superuser_arg(roleid))
5086  return true;
5087 
5088  tuple = SearchSysCache1(OPFAMILYOID, ObjectIdGetDatum(opf_oid));
5089  if (!HeapTupleIsValid(tuple))
5090  ereport(ERROR,
5091  (errcode(ERRCODE_UNDEFINED_OBJECT),
5092  errmsg("operator family with OID %u does not exist",
5093  opf_oid)));
5094 
5095  ownerId = ((Form_pg_opfamily) GETSTRUCT(tuple))->opfowner;
5096 
5097  ReleaseSysCache(tuple);
5098 
5099  return has_privs_of_role(roleid, ownerId);
5100 }
5101 
5102 /*
5103  * Ownership check for a text search dictionary (specified by OID).
5104  */
5105 bool
5106 pg_ts_dict_ownercheck(Oid dict_oid, Oid roleid)
5107 {
5108  HeapTuple tuple;
5109  Oid ownerId;
5110 
5111  /* Superusers bypass all permission checking. */
5112  if (superuser_arg(roleid))
5113  return true;
5114 
5115  tuple = SearchSysCache1(TSDICTOID, ObjectIdGetDatum(dict_oid));
5116  if (!HeapTupleIsValid(tuple))
5117  ereport(ERROR,
5118  (errcode(ERRCODE_UNDEFINED_OBJECT),
5119  errmsg("text search dictionary with OID %u does not exist",
5120  dict_oid)));
5121 
5122  ownerId = ((Form_pg_ts_dict) GETSTRUCT(tuple))->dictowner;
5123 
5124  ReleaseSysCache(tuple);
5125 
5126  return has_privs_of_role(roleid, ownerId);
5127 }
5128 
5129 /*
5130  * Ownership check for a text search configuration (specified by OID).
5131  */
5132 bool
5134 {
5135  HeapTuple tuple;
5136  Oid ownerId;
5137 
5138  /* Superusers bypass all permission checking. */
5139  if (superuser_arg(roleid))
5140  return true;
5141 
5142  tuple = SearchSysCache1(TSCONFIGOID, ObjectIdGetDatum(cfg_oid));
5143  if (!HeapTupleIsValid(tuple))
5144  ereport(ERROR,
5145  (errcode(ERRCODE_UNDEFINED_OBJECT),
5146  errmsg("text search configuration with OID %u does not exist",
5147  cfg_oid)));
5148 
5149  ownerId = ((Form_pg_ts_config) GETSTRUCT(tuple))->cfgowner;
5150 
5151  ReleaseSysCache(tuple);
5152 
5153  return has_privs_of_role(roleid, ownerId);
5154 }
5155 
5156 /*
5157  * Ownership check for a foreign-data wrapper (specified by OID).
5158  */
5159 bool
5161 {
5162  HeapTuple tuple;
5163  Oid ownerId;
5164 
5165  /* Superusers bypass all permission checking. */
5166  if (superuser_arg(roleid))
5167  return true;
5168 
5170  if (!HeapTupleIsValid(tuple))
5171  ereport(ERROR,
5172  (errcode(ERRCODE_UNDEFINED_OBJECT),
5173  errmsg("foreign-data wrapper with OID %u does not exist",
5174  srv_oid)));
5175 
5176  ownerId = ((Form_pg_foreign_data_wrapper) GETSTRUCT(tuple))->fdwowner;
5177 
5178  ReleaseSysCache(tuple);
5179 
5180  return has_privs_of_role(roleid, ownerId);
5181 }
5182 
5183 /*
5184  * Ownership check for a foreign server (specified by OID).
5185  */
5186 bool
5188 {
5189  HeapTuple tuple;
5190  Oid ownerId;
5191 
5192  /* Superusers bypass all permission checking. */
5193  if (superuser_arg(roleid))
5194  return true;
5195 
5197  if (!HeapTupleIsValid(tuple))
5198  ereport(ERROR,
5199  (errcode(ERRCODE_UNDEFINED_OBJECT),
5200  errmsg("foreign server with OID %u does not exist",
5201  srv_oid)));
5202 
5203  ownerId = ((Form_pg_foreign_server) GETSTRUCT(tuple))->srvowner;
5204 
5205  ReleaseSysCache(tuple);
5206 
5207  return has_privs_of_role(roleid, ownerId);
5208 }
5209 
5210 /*
5211  * Ownership check for an event trigger (specified by OID).
5212  */
5213 bool
5215 {
5216  HeapTuple tuple;
5217  Oid ownerId;
5218 
5219  /* Superusers bypass all permission checking. */
5220  if (superuser_arg(roleid))
5221  return true;
5222 
5224  if (!HeapTupleIsValid(tuple))
5225  ereport(ERROR,
5226  (errcode(ERRCODE_UNDEFINED_OBJECT),
5227  errmsg("event trigger with OID %u does not exist",
5228  et_oid)));
5229 
5230  ownerId = ((Form_pg_event_trigger) GETSTRUCT(tuple))->evtowner;
5231 
5232  ReleaseSysCache(tuple);
5233 
5234  return has_privs_of_role(roleid, ownerId);
5235 }
5236 
5237 /*
5238  * Ownership check for a database (specified by OID).
5239  */
5240 bool
5242 {
5243  HeapTuple tuple;
5244  Oid dba;
5245 
5246  /* Superusers bypass all permission checking. */
5247  if (superuser_arg(roleid))
5248  return true;
5249 
5250  tuple = SearchSysCache1(DATABASEOID, ObjectIdGetDatum(db_oid));
5251  if (!HeapTupleIsValid(tuple))
5252  ereport(ERROR,
5253  (errcode(ERRCODE_UNDEFINED_DATABASE),
5254  errmsg("database with OID %u does not exist", db_oid)));
5255 
5256  dba = ((Form_pg_database) GETSTRUCT(tuple))->datdba;
5257 
5258  ReleaseSysCache(tuple);
5259 
5260  return has_privs_of_role(roleid, dba);
5261 }
5262 
5263 /*
5264  * Ownership check for a collation (specified by OID).
5265  */
5266 bool
5268 {
5269  HeapTuple tuple;
5270  Oid ownerId;
5271 
5272  /* Superusers bypass all permission checking. */
5273  if (superuser_arg(roleid))
5274  return true;
5275 
5276  tuple = SearchSysCache1(COLLOID, ObjectIdGetDatum(coll_oid));
5277  if (!HeapTupleIsValid(tuple))
5278  ereport(ERROR,
5279  (errcode(ERRCODE_UNDEFINED_OBJECT),
5280  errmsg("collation with OID %u does not exist", coll_oid)));
5281 
5282  ownerId = ((Form_pg_collation) GETSTRUCT(tuple))->collowner;
5283 
5284  ReleaseSysCache(tuple);
5285 
5286  return has_privs_of_role(roleid, ownerId);
5287 }
5288 
5289 /*
5290  * Ownership check for a conversion (specified by OID).
5291  */
5292 bool
5294 {
5295  HeapTuple tuple;
5296  Oid ownerId;
5297 
5298  /* Superusers bypass all permission checking. */
5299  if (superuser_arg(roleid))
5300  return true;
5301 
5302  tuple = SearchSysCache1(CONVOID, ObjectIdGetDatum(conv_oid));
5303  if (!HeapTupleIsValid(tuple))
5304  ereport(ERROR,
5305  (errcode(ERRCODE_UNDEFINED_OBJECT),
5306  errmsg("conversion with OID %u does not exist", conv_oid)));
5307 
5308  ownerId = ((Form_pg_conversion) GETSTRUCT(tuple))->conowner;
5309 
5310  ReleaseSysCache(tuple);
5311 
5312  return has_privs_of_role(roleid, ownerId);
5313 }
5314 
5315 /*
5316  * Ownership check for an extension (specified by OID).
5317  */
5318 bool
5320 {
5321  Relation pg_extension;
5322  ScanKeyData entry[1];
5323  SysScanDesc scan;
5324  HeapTuple tuple;
5325  Oid ownerId;
5326 
5327  /* Superusers bypass all permission checking. */
5328  if (superuser_arg(roleid))
5329  return true;
5330 
5331  /* There's no syscache for pg_extension, so do it the hard way */
5332  pg_extension = table_open(ExtensionRelationId, AccessShareLock);
5333 
5334  ScanKeyInit(&entry[0],
5335  Anum_pg_extension_oid,
5336  BTEqualStrategyNumber, F_OIDEQ,
5337  ObjectIdGetDatum(ext_oid));
5338 
5339  scan = systable_beginscan(pg_extension,
5340  ExtensionOidIndexId, true,
5341  NULL, 1, entry);
5342 
5343  tuple = systable_getnext(scan);
5344  if (!HeapTupleIsValid(tuple))
5345  ereport(ERROR,
5346  (errcode(ERRCODE_UNDEFINED_OBJECT),
5347  errmsg("extension with OID %u does not exist", ext_oid)));
5348 
5349  ownerId = ((Form_pg_extension) GETSTRUCT(tuple))->extowner;
5350 
5351  systable_endscan(scan);
5352  table_close(pg_extension, AccessShareLock);
5353 
5354  return has_privs_of_role(roleid, ownerId);
5355 }
5356 
5357 /*
5358  * Ownership check for a publication (specified by OID).
5359  */
5360 bool
5362 {
5363  HeapTuple tuple;
5364  Oid ownerId;
5365 
5366  /* Superusers bypass all permission checking. */
5367  if (superuser_arg(roleid))
5368  return true;
5369 
5370  tuple = SearchSysCache1(PUBLICATIONOID, ObjectIdGetDatum(pub_oid));
5371  if (!HeapTupleIsValid(tuple))
5372  ereport(ERROR,
5373  (errcode(ERRCODE_UNDEFINED_OBJECT),
5374  errmsg("publication with OID %u does not exist", pub_oid)));
5375 
5376  ownerId = ((Form_pg_publication) GETSTRUCT(tuple))->pubowner;
5377 
5378  ReleaseSysCache(tuple);
5379 
5380  return has_privs_of_role(roleid, ownerId);
5381 }
5382 
5383 /*
5384  * Ownership check for a subscription (specified by OID).
5385  */
5386 bool
5388 {
5389  HeapTuple tuple;
5390  Oid ownerId;
5391 
5392  /* Superusers bypass all permission checking. */
5393  if (superuser_arg(roleid))
5394  return true;
5395 
5397  if (!HeapTupleIsValid(tuple))
5398  ereport(ERROR,
5399  (errcode(ERRCODE_UNDEFINED_OBJECT),
5400  errmsg("subscription with OID %u does not exist", sub_oid)));
5401 
5402  ownerId = ((Form_pg_subscription) GETSTRUCT(tuple))->subowner;
5403 
5404  ReleaseSysCache(tuple);
5405 
5406  return has_privs_of_role(roleid, ownerId);
5407 }
5408 
5409 /*
5410  * Ownership check for a statistics object (specified by OID).
5411  */
5412 bool
5414 {
5415  HeapTuple tuple;
5416  Oid ownerId;
5417 
5418  /* Superusers bypass all permission checking. */
5419  if (superuser_arg(roleid))
5420  return true;
5421 
5422  tuple = SearchSysCache1(STATEXTOID, ObjectIdGetDatum(stat_oid));
5423  if (!HeapTupleIsValid(tuple))
5424  ereport(ERROR,
5425  (errcode(ERRCODE_UNDEFINED_OBJECT),
5426  errmsg("statistics object with OID %u does not exist",
5427  stat_oid)));
5428 
5429  ownerId = ((Form_pg_statistic_ext) GETSTRUCT(tuple))->stxowner;
5430 
5431  ReleaseSysCache(tuple);
5432 
5433  return has_privs_of_role(roleid, ownerId);
5434 }
5435 
5436 /*
5437  * Check whether specified role has CREATEROLE privilege (or is a superuser)
5438  *
5439  * Note: roles do not have owners per se; instead we use this test in
5440  * places where an ownership-like permissions test is needed for a role.
5441  * Be sure to apply it to the role trying to do the operation, not the
5442  * role being operated on! Also note that this generally should not be
5443  * considered enough privilege if the target role is a superuser.
5444  * (We don't handle that consideration here because we want to give a
5445  * separate error message for such cases, so the caller has to deal with it.)
5446  */
5447 bool
5449 {
5450  bool result = false;
5451  HeapTuple utup;
5452 
5453  /* Superusers bypass all permission checking. */
5454  if (superuser_arg(roleid))
5455  return true;
5456 
5457  utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
5458  if (HeapTupleIsValid(utup))
5459  {
5460  result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
5461  ReleaseSysCache(utup);
5462  }
5463  return result;
5464 }
5465 
5466 bool
5468 {
5469  bool result = false;
5470  HeapTuple utup;
5471 
5472  /* Superusers bypass all permission checking. */
5473  if (superuser_arg(roleid))
5474  return true;
5475 
5476  utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
5477  if (HeapTupleIsValid(utup))
5478  {
5479  result = ((Form_pg_authid) GETSTRUCT(utup))->rolbypassrls;
5480  ReleaseSysCache(utup);
5481  }
5482  return result;
5483 }
5484 
5485 /*
5486  * Fetch pg_default_acl entry for given role, namespace and object type
5487  * (object type must be given in pg_default_acl's encoding).
5488  * Returns NULL if no such entry.
5489  */
5490 static Acl *
5491 get_default_acl_internal(Oid roleId, Oid nsp_oid, char objtype)
5492 {
5493  Acl *result = NULL;
5494  HeapTuple tuple;
5495 
5497  ObjectIdGetDatum(roleId),
5498  ObjectIdGetDatum(nsp_oid),
5499  CharGetDatum(objtype));
5500 
5501  if (HeapTupleIsValid(tuple))
5502  {
5503  Datum aclDatum;
5504  bool isNull;
5505 
5506  aclDatum = SysCacheGetAttr(DEFACLROLENSPOBJ, tuple,
5507  Anum_pg_default_acl_defaclacl,
5508  &isNull);
5509  if (!isNull)
5510  result = DatumGetAclPCopy(aclDatum);
5511  ReleaseSysCache(tuple);
5512  }
5513 
5514  return result;
5515 }
5516 
5517 /*
5518  * Get default permissions for newly created object within given schema
5519  *
5520  * Returns NULL if built-in system defaults should be used.
5521  *
5522  * If the result is not NULL, caller must call recordDependencyOnNewAcl
5523  * once the OID of the new object is known.
5524  */
5525 Acl *
5526 get_user_default_acl(ObjectType objtype, Oid ownerId, Oid nsp_oid)
5527 {
5528  Acl *result;
5529  Acl *glob_acl;
5530  Acl *schema_acl;
5531  Acl *def_acl;
5532  char defaclobjtype;
5533 
5534  /*
5535  * Use NULL during bootstrap, since pg_default_acl probably isn't there
5536  * yet.
5537  */
5539  return NULL;
5540 
5541  /* Check if object type is supported in pg_default_acl */
5542  switch (objtype)
5543  {
5544  case OBJECT_TABLE:
5545  defaclobjtype = DEFACLOBJ_RELATION;
5546  break;
5547 
5548  case OBJECT_SEQUENCE:
5549  defaclobjtype = DEFACLOBJ_SEQUENCE;
5550  break;
5551 
5552  case OBJECT_FUNCTION:
5553  defaclobjtype = DEFACLOBJ_FUNCTION;
5554  break;
5555 
5556  case OBJECT_TYPE:
5557  defaclobjtype = DEFACLOBJ_TYPE;
5558  break;
5559 
5560  case OBJECT_SCHEMA:
5561  defaclobjtype = DEFACLOBJ_NAMESPACE;
5562  break;
5563 
5564  default:
5565  return NULL;
5566  }
5567 
5568  /* Look up the relevant pg_default_acl entries */
5569  glob_acl = get_default_acl_internal(ownerId, InvalidOid, defaclobjtype);
5570  schema_acl = get_default_acl_internal(ownerId, nsp_oid, defaclobjtype);
5571 
5572  /* Quick out if neither entry exists */
5573  if (glob_acl == NULL && schema_acl == NULL)
5574  return NULL;
5575 
5576  /* We need to know the hard-wired default value, too */
5577  def_acl = acldefault(objtype, ownerId);
5578 
5579  /* If there's no global entry, substitute the hard-wired default */
5580  if (glob_acl == NULL)
5581  glob_acl = def_acl;
5582 
5583  /* Merge in any per-schema privileges */
5584  result = aclmerge(glob_acl, schema_acl, ownerId);
5585 
5586  /*
5587  * For efficiency, we want to return NULL if the result equals default.
5588  * This requires sorting both arrays to get an accurate comparison.
5589  */
5590  aclitemsort(result);
5591  aclitemsort(def_acl);
5592  if (aclequal(result, def_acl))
5593  result = NULL;
5594 
5595  return result;
5596 }
5597 
5598 /*
5599  * Record dependencies on roles mentioned in a new object's ACL.
5600  */
5601 void
5602 recordDependencyOnNewAcl(Oid classId, Oid objectId, int32 objsubId,
5603  Oid ownerId, Acl *acl)
5604 {
5605  int nmembers;
5606  Oid *members;
5607 
5608  /* Nothing to do if ACL is defaulted */
5609  if (acl == NULL)
5610  return;
5611 
5612  /* Extract roles mentioned in ACL */
5613  nmembers = aclmembers(acl, &members);
5614 
5615  /* Update the shared dependency ACL info */
5616  updateAclDependencies(classId, objectId, objsubId,
5617  ownerId,
5618  0, NULL,
5619  nmembers, members);
5620 }
5621 
5622 /*
5623  * Record initial privileges for the top-level object passed in.
5624  *
5625  * For the object passed in, this will record its ACL (if any) and the ACLs of
5626  * any sub-objects (eg: columns) into pg_init_privs.
5627  *
5628  * Any new kinds of objects which have ACLs associated with them and can be
5629  * added to an extension should be added to the if-else tree below.
5630  */
5631 void
5632 recordExtObjInitPriv(Oid objoid, Oid classoid)
5633 {
5634  /*
5635  * pg_class / pg_attribute
5636  *
5637  * If this is a relation then we need to see if there are any sub-objects
5638  * (eg: columns) for it and, if so, be sure to call
5639  * recordExtensionInitPrivWorker() for each one.
5640  */
5641  if (classoid == RelationRelationId)
5642  {
5643  Form_pg_class pg_class_tuple;
5644  Datum aclDatum;
5645  bool isNull;
5646  HeapTuple tuple;
5647 
5648  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(objoid));
5649  if (!HeapTupleIsValid(tuple))
5650  elog(ERROR, "cache lookup failed for relation %u", objoid);
5651  pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
5652 
5653  /*
5654  * Indexes don't have permissions, neither do the pg_class rows for
5655  * composite types. (These cases are unreachable given the
5656  * restrictions in ALTER EXTENSION ADD, but let's check anyway.)
5657  */
5658  if (pg_class_tuple->relkind == RELKIND_INDEX ||
5659  pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX ||
5660  pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
5661  {
5662  ReleaseSysCache(tuple);
5663  return;
5664  }
5665 
5666  /*
5667  * If this isn't a sequence then it's possibly going to have
5668  * column-level ACLs associated with it.
5669  */
5670  if (pg_class_tuple->relkind != RELKIND_SEQUENCE)
5671  {
5672  AttrNumber curr_att;
5673  AttrNumber nattrs = pg_class_tuple->relnatts;
5674 
5675  for (curr_att = 1; curr_att <= nattrs; curr_att++)
5676  {
5677  HeapTuple attTuple;
5678  Datum attaclDatum;
5679 
5680  attTuple = SearchSysCache2(ATTNUM,
5681  ObjectIdGetDatum(objoid),
5682  Int16GetDatum(curr_att));
5683 
5684  if (!HeapTupleIsValid(attTuple))
5685  continue;
5686 
5687  /* ignore dropped columns */
5688  if (((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped)
5689  {
5690  ReleaseSysCache(attTuple);
5691  continue;
5692  }
5693 
5694  attaclDatum = SysCacheGetAttr(ATTNUM, attTuple,
5695  Anum_pg_attribute_attacl,
5696  &isNull);
5697 
5698  /* no need to do anything for a NULL ACL */
5699  if (isNull)
5700  {
5701  ReleaseSysCache(attTuple);
5702  continue;
5703  }
5704 
5705  recordExtensionInitPrivWorker(objoid, classoid, curr_att,
5706  DatumGetAclP(attaclDatum));
5707 
5708  ReleaseSysCache(attTuple);
5709  }
5710  }
5711 
5712  aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
5713  &isNull);
5714 
5715  /* Add the record, if any, for the top-level object */
5716  if (!isNull)
5717  recordExtensionInitPrivWorker(objoid, classoid, 0,
5718  DatumGetAclP(aclDatum));
5719 
5720  ReleaseSysCache(tuple);
5721  }
5722  /* pg_foreign_data_wrapper */
5723  else if (classoid == ForeignDataWrapperRelationId)
5724  {
5725  Datum aclDatum;
5726  bool isNull;
5727  HeapTuple tuple;
5728 
5730  ObjectIdGetDatum(objoid));
5731  if (!HeapTupleIsValid(tuple))
5732  elog(ERROR, "cache lookup failed for foreign data wrapper %u",
5733  objoid);
5734 
5735  aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple,
5736  Anum_pg_foreign_data_wrapper_fdwacl,
5737  &isNull);
5738 
5739  /* Add the record, if any, for the top-level object */
5740  if (!isNull)
5741  recordExtensionInitPrivWorker(objoid, classoid, 0,
5742  DatumGetAclP(aclDatum));
5743 
5744  ReleaseSysCache(tuple);
5745  }
5746  /* pg_foreign_server */
5747  else if (classoid == ForeignServerRelationId)
5748  {
5749  Datum aclDatum;
5750  bool isNull;
5751  HeapTuple tuple;
5752 
5754  if (!HeapTupleIsValid(tuple))
5755  elog(ERROR, "cache lookup failed for foreign data wrapper %u",
5756  objoid);
5757 
5758  aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple,
5759  Anum_pg_foreign_server_srvacl,
5760  &isNull);
5761 
5762  /* Add the record, if any, for the top-level object */
5763  if (!isNull)
5764  recordExtensionInitPrivWorker(objoid, classoid, 0,
5765  DatumGetAclP(aclDatum));
5766 
5767  ReleaseSysCache(tuple);
5768  }
5769  /* pg_language */
5770  else if (classoid == LanguageRelationId)
5771  {
5772  Datum aclDatum;
5773  bool isNull;
5774  HeapTuple tuple;
5775 
5776  tuple = SearchSysCache1(LANGOID, ObjectIdGetDatum(objoid));
5777  if (!HeapTupleIsValid(tuple))
5778  elog(ERROR, "cache lookup failed for language %u"