PostgreSQL Source Code  git master
aclchk.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * aclchk.c
4  * Routines to check access control permissions.
5  *
6  * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
7  * Portions Copyright (c) 1994, Regents of the University of California
8  *
9  *
10  * IDENTIFICATION
11  * src/backend/catalog/aclchk.c
12  *
13  * NOTES
14  * See acl.h.
15  *
16  *-------------------------------------------------------------------------
17  */
18 #include "postgres.h"
19 
20 #include "access/genam.h"
21 #include "access/heapam.h"
22 #include "access/htup_details.h"
23 #include "access/sysattr.h"
24 #include "access/tableam.h"
25 #include "access/xact.h"
26 #include "catalog/binary_upgrade.h"
27 #include "catalog/catalog.h"
28 #include "catalog/dependency.h"
29 #include "catalog/indexing.h"
30 #include "catalog/objectaccess.h"
31 #include "catalog/pg_aggregate.h"
32 #include "catalog/pg_am.h"
33 #include "catalog/pg_authid.h"
34 #include "catalog/pg_cast.h"
35 #include "catalog/pg_class.h"
36 #include "catalog/pg_collation.h"
37 #include "catalog/pg_conversion.h"
38 #include "catalog/pg_database.h"
39 #include "catalog/pg_default_acl.h"
41 #include "catalog/pg_extension.h"
44 #include "catalog/pg_init_privs.h"
45 #include "catalog/pg_language.h"
46 #include "catalog/pg_largeobject.h"
48 #include "catalog/pg_namespace.h"
49 #include "catalog/pg_opclass.h"
50 #include "catalog/pg_operator.h"
51 #include "catalog/pg_opfamily.h"
53 #include "catalog/pg_proc.h"
56 #include "catalog/pg_tablespace.h"
57 #include "catalog/pg_transform.h"
58 #include "catalog/pg_ts_config.h"
59 #include "catalog/pg_ts_dict.h"
60 #include "catalog/pg_ts_parser.h"
61 #include "catalog/pg_ts_template.h"
62 #include "catalog/pg_type.h"
63 #include "commands/dbcommands.h"
64 #include "commands/defrem.h"
65 #include "commands/event_trigger.h"
66 #include "commands/extension.h"
67 #include "commands/proclang.h"
68 #include "commands/tablespace.h"
69 #include "foreign/foreign.h"
70 #include "miscadmin.h"
71 #include "nodes/makefuncs.h"
72 #include "parser/parse_func.h"
73 #include "parser/parse_type.h"
74 #include "utils/acl.h"
75 #include "utils/aclchk_internal.h"
76 #include "utils/builtins.h"
77 #include "utils/fmgroids.h"
78 #include "utils/guc.h"
79 #include "utils/lsyscache.h"
80 #include "utils/rel.h"
81 #include "utils/syscache.h"
82 
83 /*
84  * Internal format used by ALTER DEFAULT PRIVILEGES.
85  */
86 typedef struct
87 {
88  Oid roleid; /* owning role */
89  Oid nspid; /* namespace, or InvalidOid if none */
90  /* remaining fields are same as in InternalGrant: */
91  bool is_grant;
93  bool all_privs;
99 
100 /*
101  * When performing a binary-upgrade, pg_dump will call a function to set
102  * this variable to let us know that we need to populate the pg_init_privs
103  * table for the GRANT/REVOKE commands while this variable is set to true.
104  */
106 
107 static void ExecGrantStmt_oids(InternalGrant *istmt);
108 static void ExecGrant_Relation(InternalGrant *istmt);
109 static void ExecGrant_Database(InternalGrant *istmt);
110 static void ExecGrant_Fdw(InternalGrant *istmt);
111 static void ExecGrant_ForeignServer(InternalGrant *istmt);
112 static void ExecGrant_Function(InternalGrant *istmt);
113 static void ExecGrant_Language(InternalGrant *istmt);
114 static void ExecGrant_Largeobject(InternalGrant *istmt);
115 static void ExecGrant_Namespace(InternalGrant *istmt);
116 static void ExecGrant_Tablespace(InternalGrant *istmt);
117 static void ExecGrant_Type(InternalGrant *istmt);
118 static void ExecGrant_Parameter(InternalGrant *istmt);
119 
120 static void SetDefaultACLsInSchemas(InternalDefaultACL *iacls, List *nspnames);
121 static void SetDefaultACL(InternalDefaultACL *iacls);
122 
123 static List *objectNamesToOids(ObjectType objtype, List *objnames,
124  bool is_grant);
125 static List *objectsInSchemaToOids(ObjectType objtype, List *nspnames);
126 static List *getRelationsInNamespace(Oid namespaceId, char relkind);
127 static void expand_col_privileges(List *colnames, Oid table_oid,
128  AclMode this_privileges,
129  AclMode *col_privileges,
130  int num_col_privileges);
131 static void expand_all_col_privileges(Oid table_oid, Form_pg_class classForm,
132  AclMode this_privileges,
133  AclMode *col_privileges,
134  int num_col_privileges);
135 static AclMode string_to_privilege(const char *privname);
136 static const char *privilege_to_string(AclMode privilege);
137 static AclMode restrict_and_check_grant(bool is_grant, AclMode avail_goptions,
138  bool all_privs, AclMode privileges,
139  Oid objectId, Oid grantorId,
140  ObjectType objtype, const char *objname,
141  AttrNumber att_number, const char *colname);
142 static AclMode pg_aclmask(ObjectType objtype, Oid object_oid, AttrNumber attnum,
143  Oid roleid, AclMode mask, AclMaskHow how);
144 static AclMode object_aclmask(Oid classid, Oid objectid, Oid roleid,
145  AclMode mask, AclMaskHow how);
147  Oid roleid, AclMode mask, AclMaskHow how);
149  Oid roleid, AclMode mask,
150  AclMaskHow how, bool *is_missing);
151 static AclMode pg_class_aclmask_ext(Oid table_oid, Oid roleid,
152  AclMode mask, AclMaskHow how,
153  bool *is_missing);
154 static AclMode pg_parameter_acl_aclmask(Oid acl_oid, Oid roleid,
155  AclMode mask, AclMaskHow how);
156 static AclMode pg_largeobject_aclmask_snapshot(Oid lobj_oid, Oid roleid,
157  AclMode mask, AclMaskHow how, Snapshot snapshot);
158 static AclMode pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
159  AclMode mask, AclMaskHow how);
160 static AclMode pg_type_aclmask(Oid type_oid, Oid roleid,
161  AclMode mask, AclMaskHow how);
162 static void recordExtensionInitPriv(Oid objoid, Oid classoid, int objsubid,
163  Acl *new_acl);
164 static void recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid,
165  Acl *new_acl);
166 
167 
168 /*
169  * If is_grant is true, adds the given privileges for the list of
170  * grantees to the existing old_acl. If is_grant is false, the
171  * privileges for the given grantees are removed from old_acl.
172  *
173  * NB: the original old_acl is pfree'd.
174  */
175 static Acl *
176 merge_acl_with_grant(Acl *old_acl, bool is_grant,
177  bool grant_option, DropBehavior behavior,
178  List *grantees, AclMode privileges,
179  Oid grantorId, Oid ownerId)
180 {
181  unsigned modechg;
182  ListCell *j;
183  Acl *new_acl;
184 
185  modechg = is_grant ? ACL_MODECHG_ADD : ACL_MODECHG_DEL;
186 
187  new_acl = old_acl;
188 
189  foreach(j, grantees)
190  {
191  AclItem aclitem;
192  Acl *newer_acl;
193 
194  aclitem.ai_grantee = lfirst_oid(j);
195 
196  /*
197  * Grant options can only be granted to individual roles, not PUBLIC.
198  * The reason is that if a user would re-grant a privilege that he
199  * held through PUBLIC, and later the user is removed, the situation
200  * is impossible to clean up.
201  */
202  if (is_grant && grant_option && aclitem.ai_grantee == ACL_ID_PUBLIC)
203  ereport(ERROR,
204  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
205  errmsg("grant options can only be granted to roles")));
206 
207  aclitem.ai_grantor = grantorId;
208 
209  /*
210  * The asymmetry in the conditions here comes from the spec. In
211  * GRANT, the grant_option flag signals WITH GRANT OPTION, which means
212  * to grant both the basic privilege and its grant option. But in
213  * REVOKE, plain revoke revokes both the basic privilege and its grant
214  * option, while REVOKE GRANT OPTION revokes only the option.
215  */
217  (is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS,
218  (!is_grant || grant_option) ? privileges : ACL_NO_RIGHTS);
219 
220  newer_acl = aclupdate(new_acl, &aclitem, modechg, ownerId, behavior);
221 
222  /* avoid memory leak when there are many grantees */
223  pfree(new_acl);
224  new_acl = newer_acl;
225  }
226 
227  return new_acl;
228 }
229 
230 /*
231  * Restrict the privileges to what we can actually grant, and emit
232  * the standards-mandated warning and error messages.
233  */
234 static AclMode
235 restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs,
236  AclMode privileges, Oid objectId, Oid grantorId,
237  ObjectType objtype, const char *objname,
238  AttrNumber att_number, const char *colname)
239 {
240  AclMode this_privileges;
241  AclMode whole_mask;
242 
243  switch (objtype)
244  {
245  case OBJECT_COLUMN:
246  whole_mask = ACL_ALL_RIGHTS_COLUMN;
247  break;
248  case OBJECT_TABLE:
249  whole_mask = ACL_ALL_RIGHTS_RELATION;
250  break;
251  case OBJECT_SEQUENCE:
252  whole_mask = ACL_ALL_RIGHTS_SEQUENCE;
253  break;
254  case OBJECT_DATABASE:
255  whole_mask = ACL_ALL_RIGHTS_DATABASE;
256  break;
257  case OBJECT_FUNCTION:
258  whole_mask = ACL_ALL_RIGHTS_FUNCTION;
259  break;
260  case OBJECT_LANGUAGE:
261  whole_mask = ACL_ALL_RIGHTS_LANGUAGE;
262  break;
263  case OBJECT_LARGEOBJECT:
264  whole_mask = ACL_ALL_RIGHTS_LARGEOBJECT;
265  break;
266  case OBJECT_SCHEMA:
267  whole_mask = ACL_ALL_RIGHTS_SCHEMA;
268  break;
269  case OBJECT_TABLESPACE:
270  whole_mask = ACL_ALL_RIGHTS_TABLESPACE;
271  break;
272  case OBJECT_FDW:
273  whole_mask = ACL_ALL_RIGHTS_FDW;
274  break;
276  whole_mask = ACL_ALL_RIGHTS_FOREIGN_SERVER;
277  break;
279  elog(ERROR, "grantable rights not supported for event triggers");
280  /* not reached, but keep compiler quiet */
281  return ACL_NO_RIGHTS;
282  case OBJECT_TYPE:
283  whole_mask = ACL_ALL_RIGHTS_TYPE;
284  break;
286  whole_mask = ACL_ALL_RIGHTS_PARAMETER_ACL;
287  break;
288  default:
289  elog(ERROR, "unrecognized object type: %d", objtype);
290  /* not reached, but keep compiler quiet */
291  return ACL_NO_RIGHTS;
292  }
293 
294  /*
295  * If we found no grant options, consider whether to issue a hard error.
296  * Per spec, having any privilege at all on the object will get you by
297  * here.
298  */
299  if (avail_goptions == ACL_NO_RIGHTS)
300  {
301  if (pg_aclmask(objtype, objectId, att_number, grantorId,
302  whole_mask | ACL_GRANT_OPTION_FOR(whole_mask),
304  {
305  if (objtype == OBJECT_COLUMN && colname)
306  aclcheck_error_col(ACLCHECK_NO_PRIV, objtype, objname, colname);
307  else
308  aclcheck_error(ACLCHECK_NO_PRIV, objtype, objname);
309  }
310  }
311 
312  /*
313  * Restrict the operation to what we can actually grant or revoke, and
314  * issue a warning if appropriate. (For REVOKE this isn't quite what the
315  * spec says to do: the spec seems to want a warning only if no privilege
316  * bits actually change in the ACL. In practice that behavior seems much
317  * too noisy, as well as inconsistent with the GRANT case.)
318  */
319  this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
320  if (is_grant)
321  {
322  if (this_privileges == 0)
323  {
324  if (objtype == OBJECT_COLUMN && colname)
326  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
327  errmsg("no privileges were granted for column \"%s\" of relation \"%s\"",
328  colname, objname)));
329  else
331  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
332  errmsg("no privileges were granted for \"%s\"",
333  objname)));
334  }
335  else if (!all_privs && this_privileges != privileges)
336  {
337  if (objtype == OBJECT_COLUMN && colname)
339  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
340  errmsg("not all privileges were granted for column \"%s\" of relation \"%s\"",
341  colname, objname)));
342  else
344  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
345  errmsg("not all privileges were granted for \"%s\"",
346  objname)));
347  }
348  }
349  else
350  {
351  if (this_privileges == 0)
352  {
353  if (objtype == OBJECT_COLUMN && colname)
355  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
356  errmsg("no privileges could be revoked for column \"%s\" of relation \"%s\"",
357  colname, objname)));
358  else
360  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
361  errmsg("no privileges could be revoked for \"%s\"",
362  objname)));
363  }
364  else if (!all_privs && this_privileges != privileges)
365  {
366  if (objtype == OBJECT_COLUMN && colname)
368  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
369  errmsg("not all privileges could be revoked for column \"%s\" of relation \"%s\"",
370  colname, objname)));
371  else
373  (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
374  errmsg("not all privileges could be revoked for \"%s\"",
375  objname)));
376  }
377  }
378 
379  return this_privileges;
380 }
381 
382 /*
383  * Called to execute the utility commands GRANT and REVOKE
384  */
385 void
387 {
388  InternalGrant istmt;
389  ListCell *cell;
390  const char *errormsg;
391  AclMode all_privileges;
392 
393  if (stmt->grantor)
394  {
395  Oid grantor;
396 
397  grantor = get_rolespec_oid(stmt->grantor, false);
398 
399  /*
400  * Currently, this clause is only for SQL compatibility, not very
401  * interesting otherwise.
402  */
403  if (grantor != GetUserId())
404  ereport(ERROR,
405  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
406  errmsg("grantor must be current user")));
407  }
408 
409  /*
410  * Turn the regular GrantStmt into the InternalGrant form.
411  */
412  istmt.is_grant = stmt->is_grant;
413  istmt.objtype = stmt->objtype;
414 
415  /* Collect the OIDs of the target objects */
416  switch (stmt->targtype)
417  {
418  case ACL_TARGET_OBJECT:
419  istmt.objects = objectNamesToOids(stmt->objtype, stmt->objects,
420  stmt->is_grant);
421  break;
423  istmt.objects = objectsInSchemaToOids(stmt->objtype, stmt->objects);
424  break;
425  /* ACL_TARGET_DEFAULTS should not be seen here */
426  default:
427  elog(ERROR, "unrecognized GrantStmt.targtype: %d",
428  (int) stmt->targtype);
429  }
430 
431  /* all_privs to be filled below */
432  /* privileges to be filled below */
433  istmt.col_privs = NIL; /* may get filled below */
434  istmt.grantees = NIL; /* filled below */
435  istmt.grant_option = stmt->grant_option;
436  istmt.behavior = stmt->behavior;
437 
438  /*
439  * Convert the RoleSpec list into an Oid list. Note that at this point we
440  * insert an ACL_ID_PUBLIC into the list if appropriate, so downstream
441  * there shouldn't be any additional work needed to support this case.
442  */
443  foreach(cell, stmt->grantees)
444  {
445  RoleSpec *grantee = (RoleSpec *) lfirst(cell);
446  Oid grantee_uid;
447 
448  switch (grantee->roletype)
449  {
450  case ROLESPEC_PUBLIC:
451  grantee_uid = ACL_ID_PUBLIC;
452  break;
453  default:
454  grantee_uid = get_rolespec_oid(grantee, false);
455  break;
456  }
457  istmt.grantees = lappend_oid(istmt.grantees, grantee_uid);
458  }
459 
460  /*
461  * Convert stmt->privileges, a list of AccessPriv nodes, into an AclMode
462  * bitmask. Note: objtype can't be OBJECT_COLUMN.
463  */
464  switch (stmt->objtype)
465  {
466  case OBJECT_TABLE:
467 
468  /*
469  * Because this might be a sequence, we test both relation and
470  * sequence bits, and later do a more limited test when we know
471  * the object type.
472  */
474  errormsg = gettext_noop("invalid privilege type %s for relation");
475  break;
476  case OBJECT_SEQUENCE:
477  all_privileges = ACL_ALL_RIGHTS_SEQUENCE;
478  errormsg = gettext_noop("invalid privilege type %s for sequence");
479  break;
480  case OBJECT_DATABASE:
481  all_privileges = ACL_ALL_RIGHTS_DATABASE;
482  errormsg = gettext_noop("invalid privilege type %s for database");
483  break;
484  case OBJECT_DOMAIN:
485  all_privileges = ACL_ALL_RIGHTS_TYPE;
486  errormsg = gettext_noop("invalid privilege type %s for domain");
487  break;
488  case OBJECT_FUNCTION:
489  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
490  errormsg = gettext_noop("invalid privilege type %s for function");
491  break;
492  case OBJECT_LANGUAGE:
493  all_privileges = ACL_ALL_RIGHTS_LANGUAGE;
494  errormsg = gettext_noop("invalid privilege type %s for language");
495  break;
496  case OBJECT_LARGEOBJECT:
497  all_privileges = ACL_ALL_RIGHTS_LARGEOBJECT;
498  errormsg = gettext_noop("invalid privilege type %s for large object");
499  break;
500  case OBJECT_SCHEMA:
501  all_privileges = ACL_ALL_RIGHTS_SCHEMA;
502  errormsg = gettext_noop("invalid privilege type %s for schema");
503  break;
504  case OBJECT_PROCEDURE:
505  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
506  errormsg = gettext_noop("invalid privilege type %s for procedure");
507  break;
508  case OBJECT_ROUTINE:
509  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
510  errormsg = gettext_noop("invalid privilege type %s for routine");
511  break;
512  case OBJECT_TABLESPACE:
513  all_privileges = ACL_ALL_RIGHTS_TABLESPACE;
514  errormsg = gettext_noop("invalid privilege type %s for tablespace");
515  break;
516  case OBJECT_TYPE:
517  all_privileges = ACL_ALL_RIGHTS_TYPE;
518  errormsg = gettext_noop("invalid privilege type %s for type");
519  break;
520  case OBJECT_FDW:
521  all_privileges = ACL_ALL_RIGHTS_FDW;
522  errormsg = gettext_noop("invalid privilege type %s for foreign-data wrapper");
523  break;
525  all_privileges = ACL_ALL_RIGHTS_FOREIGN_SERVER;
526  errormsg = gettext_noop("invalid privilege type %s for foreign server");
527  break;
529  all_privileges = ACL_ALL_RIGHTS_PARAMETER_ACL;
530  errormsg = gettext_noop("invalid privilege type %s for parameter");
531  break;
532  default:
533  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
534  (int) stmt->objtype);
535  /* keep compiler quiet */
536  all_privileges = ACL_NO_RIGHTS;
537  errormsg = NULL;
538  }
539 
540  if (stmt->privileges == NIL)
541  {
542  istmt.all_privs = true;
543 
544  /*
545  * will be turned into ACL_ALL_RIGHTS_* by the internal routines
546  * depending on the object type
547  */
548  istmt.privileges = ACL_NO_RIGHTS;
549  }
550  else
551  {
552  istmt.all_privs = false;
553  istmt.privileges = ACL_NO_RIGHTS;
554 
555  foreach(cell, stmt->privileges)
556  {
557  AccessPriv *privnode = (AccessPriv *) lfirst(cell);
558  AclMode priv;
559 
560  /*
561  * If it's a column-level specification, we just set it aside in
562  * col_privs for the moment; but insist it's for a relation.
563  */
564  if (privnode->cols)
565  {
566  if (stmt->objtype != OBJECT_TABLE)
567  ereport(ERROR,
568  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
569  errmsg("column privileges are only valid for relations")));
570  istmt.col_privs = lappend(istmt.col_privs, privnode);
571  continue;
572  }
573 
574  if (privnode->priv_name == NULL) /* parser mistake? */
575  elog(ERROR, "AccessPriv node must specify privilege or columns");
576  priv = string_to_privilege(privnode->priv_name);
577 
578  if (priv & ~((AclMode) all_privileges))
579  ereport(ERROR,
580  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
581  errmsg(errormsg, privilege_to_string(priv))));
582 
583  istmt.privileges |= priv;
584  }
585  }
586 
587  ExecGrantStmt_oids(&istmt);
588 }
589 
590 /*
591  * ExecGrantStmt_oids
592  *
593  * Internal entry point for granting and revoking privileges.
594  */
595 static void
597 {
598  switch (istmt->objtype)
599  {
600  case OBJECT_TABLE:
601  case OBJECT_SEQUENCE:
602  ExecGrant_Relation(istmt);
603  break;
604  case OBJECT_DATABASE:
605  ExecGrant_Database(istmt);
606  break;
607  case OBJECT_DOMAIN:
608  case OBJECT_TYPE:
609  ExecGrant_Type(istmt);
610  break;
611  case OBJECT_FDW:
612  ExecGrant_Fdw(istmt);
613  break;
616  break;
617  case OBJECT_FUNCTION:
618  case OBJECT_PROCEDURE:
619  case OBJECT_ROUTINE:
620  ExecGrant_Function(istmt);
621  break;
622  case OBJECT_LANGUAGE:
623  ExecGrant_Language(istmt);
624  break;
625  case OBJECT_LARGEOBJECT:
626  ExecGrant_Largeobject(istmt);
627  break;
628  case OBJECT_SCHEMA:
629  ExecGrant_Namespace(istmt);
630  break;
631  case OBJECT_TABLESPACE:
632  ExecGrant_Tablespace(istmt);
633  break;
635  ExecGrant_Parameter(istmt);
636  break;
637  default:
638  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
639  (int) istmt->objtype);
640  }
641 
642  /*
643  * Pass the info to event triggers about the just-executed GRANT. Note
644  * that we prefer to do it after actually executing it, because that gives
645  * the functions a chance to adjust the istmt with privileges actually
646  * granted.
647  */
650 }
651 
652 /*
653  * objectNamesToOids
654  *
655  * Turn a list of object names of a given type into an Oid list.
656  *
657  * XXX: This function doesn't take any sort of locks on the objects whose
658  * names it looks up. In the face of concurrent DDL, we might easily latch
659  * onto an old version of an object, causing the GRANT or REVOKE statement
660  * to fail.
661  */
662 static List *
663 objectNamesToOids(ObjectType objtype, List *objnames, bool is_grant)
664 {
665  List *objects = NIL;
666  ListCell *cell;
667 
668  Assert(objnames != NIL);
669 
670  switch (objtype)
671  {
672  case OBJECT_TABLE:
673  case OBJECT_SEQUENCE:
674  foreach(cell, objnames)
675  {
676  RangeVar *relvar = (RangeVar *) lfirst(cell);
677  Oid relOid;
678 
679  relOid = RangeVarGetRelid(relvar, NoLock, false);
680  objects = lappend_oid(objects, relOid);
681  }
682  break;
683  case OBJECT_DATABASE:
684  foreach(cell, objnames)
685  {
686  char *dbname = strVal(lfirst(cell));
687  Oid dbid;
688 
689  dbid = get_database_oid(dbname, false);
690  objects = lappend_oid(objects, dbid);
691  }
692  break;
693  case OBJECT_DOMAIN:
694  case OBJECT_TYPE:
695  foreach(cell, objnames)
696  {
697  List *typname = (List *) lfirst(cell);
698  Oid oid;
699 
701  objects = lappend_oid(objects, oid);
702  }
703  break;
704  case OBJECT_FUNCTION:
705  foreach(cell, objnames)
706  {
707  ObjectWithArgs *func = (ObjectWithArgs *) lfirst(cell);
708  Oid funcid;
709 
710  funcid = LookupFuncWithArgs(OBJECT_FUNCTION, func, false);
711  objects = lappend_oid(objects, funcid);
712  }
713  break;
714  case OBJECT_LANGUAGE:
715  foreach(cell, objnames)
716  {
717  char *langname = strVal(lfirst(cell));
718  Oid oid;
719 
720  oid = get_language_oid(langname, false);
721  objects = lappend_oid(objects, oid);
722  }
723  break;
724  case OBJECT_LARGEOBJECT:
725  foreach(cell, objnames)
726  {
727  Oid lobjOid = oidparse(lfirst(cell));
728 
729  if (!LargeObjectExists(lobjOid))
730  ereport(ERROR,
731  (errcode(ERRCODE_UNDEFINED_OBJECT),
732  errmsg("large object %u does not exist",
733  lobjOid)));
734 
735  objects = lappend_oid(objects, lobjOid);
736  }
737  break;
738  case OBJECT_SCHEMA:
739  foreach(cell, objnames)
740  {
741  char *nspname = strVal(lfirst(cell));
742  Oid oid;
743 
744  oid = get_namespace_oid(nspname, false);
745  objects = lappend_oid(objects, oid);
746  }
747  break;
748  case OBJECT_PROCEDURE:
749  foreach(cell, objnames)
750  {
751  ObjectWithArgs *func = (ObjectWithArgs *) lfirst(cell);
752  Oid procid;
753 
754  procid = LookupFuncWithArgs(OBJECT_PROCEDURE, func, false);
755  objects = lappend_oid(objects, procid);
756  }
757  break;
758  case OBJECT_ROUTINE:
759  foreach(cell, objnames)
760  {
761  ObjectWithArgs *func = (ObjectWithArgs *) lfirst(cell);
762  Oid routid;
763 
764  routid = LookupFuncWithArgs(OBJECT_ROUTINE, func, false);
765  objects = lappend_oid(objects, routid);
766  }
767  break;
768  case OBJECT_TABLESPACE:
769  foreach(cell, objnames)
770  {
771  char *spcname = strVal(lfirst(cell));
772  Oid spcoid;
773 
774  spcoid = get_tablespace_oid(spcname, false);
775  objects = lappend_oid(objects, spcoid);
776  }
777  break;
778  case OBJECT_FDW:
779  foreach(cell, objnames)
780  {
781  char *fdwname = strVal(lfirst(cell));
782  Oid fdwid = get_foreign_data_wrapper_oid(fdwname, false);
783 
784  objects = lappend_oid(objects, fdwid);
785  }
786  break;
788  foreach(cell, objnames)
789  {
790  char *srvname = strVal(lfirst(cell));
791  Oid srvid = get_foreign_server_oid(srvname, false);
792 
793  objects = lappend_oid(objects, srvid);
794  }
795  break;
797  foreach(cell, objnames)
798  {
799  /*
800  * In this code we represent a GUC by the OID of its entry in
801  * pg_parameter_acl, which we have to manufacture here if it
802  * doesn't exist yet. (That's a hack for sure, but it avoids
803  * messing with all the GRANT/REVOKE infrastructure that
804  * expects to use OIDs for object identities.) However, if
805  * this is a REVOKE, we can instead just ignore any GUCs that
806  * don't have such an entry, as they must not have any
807  * privileges needing removal.
808  */
809  char *parameter = strVal(lfirst(cell));
810  Oid parameterId = ParameterAclLookup(parameter, true);
811 
812  if (!OidIsValid(parameterId) && is_grant)
813  {
814  parameterId = ParameterAclCreate(parameter);
815 
816  /*
817  * Prevent error when processing duplicate objects, and
818  * make this new entry visible so that ExecGrant_Parameter
819  * can update it.
820  */
822  }
823  if (OidIsValid(parameterId))
824  objects = lappend_oid(objects, parameterId);
825  }
826  break;
827  default:
828  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
829  (int) objtype);
830  }
831 
832  return objects;
833 }
834 
835 /*
836  * objectsInSchemaToOids
837  *
838  * Find all objects of a given type in specified schemas, and make a list
839  * of their Oids. We check USAGE privilege on the schemas, but there is
840  * no privilege checking on the individual objects here.
841  */
842 static List *
844 {
845  List *objects = NIL;
846  ListCell *cell;
847 
848  foreach(cell, nspnames)
849  {
850  char *nspname = strVal(lfirst(cell));
851  Oid namespaceId;
852  List *objs;
853 
854  namespaceId = LookupExplicitNamespace(nspname, false);
855 
856  switch (objtype)
857  {
858  case OBJECT_TABLE:
859  objs = getRelationsInNamespace(namespaceId, RELKIND_RELATION);
860  objects = list_concat(objects, objs);
861  objs = getRelationsInNamespace(namespaceId, RELKIND_VIEW);
862  objects = list_concat(objects, objs);
863  objs = getRelationsInNamespace(namespaceId, RELKIND_MATVIEW);
864  objects = list_concat(objects, objs);
865  objs = getRelationsInNamespace(namespaceId, RELKIND_FOREIGN_TABLE);
866  objects = list_concat(objects, objs);
867  objs = getRelationsInNamespace(namespaceId, RELKIND_PARTITIONED_TABLE);
868  objects = list_concat(objects, objs);
869  break;
870  case OBJECT_SEQUENCE:
871  objs = getRelationsInNamespace(namespaceId, RELKIND_SEQUENCE);
872  objects = list_concat(objects, objs);
873  break;
874  case OBJECT_FUNCTION:
875  case OBJECT_PROCEDURE:
876  case OBJECT_ROUTINE:
877  {
878  ScanKeyData key[2];
879  int keycount;
880  Relation rel;
881  TableScanDesc scan;
882  HeapTuple tuple;
883 
884  keycount = 0;
885  ScanKeyInit(&key[keycount++],
886  Anum_pg_proc_pronamespace,
887  BTEqualStrategyNumber, F_OIDEQ,
888  ObjectIdGetDatum(namespaceId));
889 
890  if (objtype == OBJECT_FUNCTION)
891  /* includes aggregates and window functions */
892  ScanKeyInit(&key[keycount++],
893  Anum_pg_proc_prokind,
894  BTEqualStrategyNumber, F_CHARNE,
895  CharGetDatum(PROKIND_PROCEDURE));
896  else if (objtype == OBJECT_PROCEDURE)
897  ScanKeyInit(&key[keycount++],
898  Anum_pg_proc_prokind,
899  BTEqualStrategyNumber, F_CHAREQ,
900  CharGetDatum(PROKIND_PROCEDURE));
901 
902  rel = table_open(ProcedureRelationId, AccessShareLock);
903  scan = table_beginscan_catalog(rel, keycount, key);
904 
905  while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
906  {
907  Oid oid = ((Form_pg_proc) GETSTRUCT(tuple))->oid;
908 
909  objects = lappend_oid(objects, oid);
910  }
911 
912  table_endscan(scan);
914  }
915  break;
916  default:
917  /* should not happen */
918  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
919  (int) objtype);
920  }
921  }
922 
923  return objects;
924 }
925 
926 /*
927  * getRelationsInNamespace
928  *
929  * Return Oid list of relations in given namespace filtered by relation kind
930  */
931 static List *
932 getRelationsInNamespace(Oid namespaceId, char relkind)
933 {
934  List *relations = NIL;
935  ScanKeyData key[2];
936  Relation rel;
937  TableScanDesc scan;
938  HeapTuple tuple;
939 
940  ScanKeyInit(&key[0],
941  Anum_pg_class_relnamespace,
942  BTEqualStrategyNumber, F_OIDEQ,
943  ObjectIdGetDatum(namespaceId));
944  ScanKeyInit(&key[1],
945  Anum_pg_class_relkind,
946  BTEqualStrategyNumber, F_CHAREQ,
947  CharGetDatum(relkind));
948 
949  rel = table_open(RelationRelationId, AccessShareLock);
950  scan = table_beginscan_catalog(rel, 2, key);
951 
952  while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
953  {
954  Oid oid = ((Form_pg_class) GETSTRUCT(tuple))->oid;
955 
956  relations = lappend_oid(relations, oid);
957  }
958 
959  table_endscan(scan);
961 
962  return relations;
963 }
964 
965 
966 /*
967  * ALTER DEFAULT PRIVILEGES statement
968  */
969 void
971 {
972  GrantStmt *action = stmt->action;
973  InternalDefaultACL iacls;
974  ListCell *cell;
975  List *rolespecs = NIL;
976  List *nspnames = NIL;
977  DefElem *drolespecs = NULL;
978  DefElem *dnspnames = NULL;
979  AclMode all_privileges;
980  const char *errormsg;
981 
982  /* Deconstruct the "options" part of the statement */
983  foreach(cell, stmt->options)
984  {
985  DefElem *defel = (DefElem *) lfirst(cell);
986 
987  if (strcmp(defel->defname, "schemas") == 0)
988  {
989  if (dnspnames)
990  errorConflictingDefElem(defel, pstate);
991  dnspnames = defel;
992  }
993  else if (strcmp(defel->defname, "roles") == 0)
994  {
995  if (drolespecs)
996  errorConflictingDefElem(defel, pstate);
997  drolespecs = defel;
998  }
999  else
1000  elog(ERROR, "option \"%s\" not recognized", defel->defname);
1001  }
1002 
1003  if (dnspnames)
1004  nspnames = (List *) dnspnames->arg;
1005  if (drolespecs)
1006  rolespecs = (List *) drolespecs->arg;
1007 
1008  /* Prepare the InternalDefaultACL representation of the statement */
1009  /* roleid to be filled below */
1010  /* nspid to be filled in SetDefaultACLsInSchemas */
1011  iacls.is_grant = action->is_grant;
1012  iacls.objtype = action->objtype;
1013  /* all_privs to be filled below */
1014  /* privileges to be filled below */
1015  iacls.grantees = NIL; /* filled below */
1016  iacls.grant_option = action->grant_option;
1017  iacls.behavior = action->behavior;
1018 
1019  /*
1020  * Convert the RoleSpec list into an Oid list. Note that at this point we
1021  * insert an ACL_ID_PUBLIC into the list if appropriate, so downstream
1022  * there shouldn't be any additional work needed to support this case.
1023  */
1024  foreach(cell, action->grantees)
1025  {
1026  RoleSpec *grantee = (RoleSpec *) lfirst(cell);
1027  Oid grantee_uid;
1028 
1029  switch (grantee->roletype)
1030  {
1031  case ROLESPEC_PUBLIC:
1032  grantee_uid = ACL_ID_PUBLIC;
1033  break;
1034  default:
1035  grantee_uid = get_rolespec_oid(grantee, false);
1036  break;
1037  }
1038  iacls.grantees = lappend_oid(iacls.grantees, grantee_uid);
1039  }
1040 
1041  /*
1042  * Convert action->privileges, a list of privilege strings, into an
1043  * AclMode bitmask.
1044  */
1045  switch (action->objtype)
1046  {
1047  case OBJECT_TABLE:
1048  all_privileges = ACL_ALL_RIGHTS_RELATION;
1049  errormsg = gettext_noop("invalid privilege type %s for relation");
1050  break;
1051  case OBJECT_SEQUENCE:
1052  all_privileges = ACL_ALL_RIGHTS_SEQUENCE;
1053  errormsg = gettext_noop("invalid privilege type %s for sequence");
1054  break;
1055  case OBJECT_FUNCTION:
1056  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
1057  errormsg = gettext_noop("invalid privilege type %s for function");
1058  break;
1059  case OBJECT_PROCEDURE:
1060  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
1061  errormsg = gettext_noop("invalid privilege type %s for procedure");
1062  break;
1063  case OBJECT_ROUTINE:
1064  all_privileges = ACL_ALL_RIGHTS_FUNCTION;
1065  errormsg = gettext_noop("invalid privilege type %s for routine");
1066  break;
1067  case OBJECT_TYPE:
1068  all_privileges = ACL_ALL_RIGHTS_TYPE;
1069  errormsg = gettext_noop("invalid privilege type %s for type");
1070  break;
1071  case OBJECT_SCHEMA:
1072  all_privileges = ACL_ALL_RIGHTS_SCHEMA;
1073  errormsg = gettext_noop("invalid privilege type %s for schema");
1074  break;
1075  default:
1076  elog(ERROR, "unrecognized GrantStmt.objtype: %d",
1077  (int) action->objtype);
1078  /* keep compiler quiet */
1079  all_privileges = ACL_NO_RIGHTS;
1080  errormsg = NULL;
1081  }
1082 
1083  if (action->privileges == NIL)
1084  {
1085  iacls.all_privs = true;
1086 
1087  /*
1088  * will be turned into ACL_ALL_RIGHTS_* by the internal routines
1089  * depending on the object type
1090  */
1091  iacls.privileges = ACL_NO_RIGHTS;
1092  }
1093  else
1094  {
1095  iacls.all_privs = false;
1096  iacls.privileges = ACL_NO_RIGHTS;
1097 
1098  foreach(cell, action->privileges)
1099  {
1100  AccessPriv *privnode = (AccessPriv *) lfirst(cell);
1101  AclMode priv;
1102 
1103  if (privnode->cols)
1104  ereport(ERROR,
1105  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1106  errmsg("default privileges cannot be set for columns")));
1107 
1108  if (privnode->priv_name == NULL) /* parser mistake? */
1109  elog(ERROR, "AccessPriv node must specify privilege");
1110  priv = string_to_privilege(privnode->priv_name);
1111 
1112  if (priv & ~((AclMode) all_privileges))
1113  ereport(ERROR,
1114  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1115  errmsg(errormsg, privilege_to_string(priv))));
1116 
1117  iacls.privileges |= priv;
1118  }
1119  }
1120 
1121  if (rolespecs == NIL)
1122  {
1123  /* Set permissions for myself */
1124  iacls.roleid = GetUserId();
1125 
1126  SetDefaultACLsInSchemas(&iacls, nspnames);
1127  }
1128  else
1129  {
1130  /* Look up the role OIDs and do permissions checks */
1131  ListCell *rolecell;
1132 
1133  foreach(rolecell, rolespecs)
1134  {
1135  RoleSpec *rolespec = lfirst(rolecell);
1136 
1137  iacls.roleid = get_rolespec_oid(rolespec, false);
1138 
1139  if (!has_privs_of_role(GetUserId(), iacls.roleid))
1140  ereport(ERROR,
1141  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1142  errmsg("permission denied to change default privileges")));
1143 
1144  SetDefaultACLsInSchemas(&iacls, nspnames);
1145  }
1146  }
1147 }
1148 
1149 /*
1150  * Process ALTER DEFAULT PRIVILEGES for a list of target schemas
1151  *
1152  * All fields of *iacls except nspid were filled already
1153  */
1154 static void
1156 {
1157  if (nspnames == NIL)
1158  {
1159  /* Set database-wide permissions if no schema was specified */
1160  iacls->nspid = InvalidOid;
1161 
1162  SetDefaultACL(iacls);
1163  }
1164  else
1165  {
1166  /* Look up the schema OIDs and set permissions for each one */
1167  ListCell *nspcell;
1168 
1169  foreach(nspcell, nspnames)
1170  {
1171  char *nspname = strVal(lfirst(nspcell));
1172 
1173  iacls->nspid = get_namespace_oid(nspname, false);
1174 
1175  /*
1176  * We used to insist that the target role have CREATE privileges
1177  * on the schema, since without that it wouldn't be able to create
1178  * an object for which these default privileges would apply.
1179  * However, this check proved to be more confusing than helpful,
1180  * and it also caused certain database states to not be
1181  * dumpable/restorable, since revoking CREATE doesn't cause
1182  * default privileges for the schema to go away. So now, we just
1183  * allow the ALTER; if the user lacks CREATE he'll find out when
1184  * he tries to create an object.
1185  */
1186 
1187  SetDefaultACL(iacls);
1188  }
1189  }
1190 }
1191 
1192 
1193 /*
1194  * Create or update a pg_default_acl entry
1195  */
1196 static void
1198 {
1199  AclMode this_privileges = iacls->privileges;
1200  char objtype;
1201  Relation rel;
1202  HeapTuple tuple;
1203  bool isNew;
1204  Acl *def_acl;
1205  Acl *old_acl;
1206  Acl *new_acl;
1207  HeapTuple newtuple;
1208  int noldmembers;
1209  int nnewmembers;
1210  Oid *oldmembers;
1211  Oid *newmembers;
1212 
1213  rel = table_open(DefaultAclRelationId, RowExclusiveLock);
1214 
1215  /*
1216  * The default for a global entry is the hard-wired default ACL for the
1217  * particular object type. The default for non-global entries is an empty
1218  * ACL. This must be so because global entries replace the hard-wired
1219  * defaults, while others are added on.
1220  */
1221  if (!OidIsValid(iacls->nspid))
1222  def_acl = acldefault(iacls->objtype, iacls->roleid);
1223  else
1224  def_acl = make_empty_acl();
1225 
1226  /*
1227  * Convert ACL object type to pg_default_acl object type and handle
1228  * all_privs option
1229  */
1230  switch (iacls->objtype)
1231  {
1232  case OBJECT_TABLE:
1233  objtype = DEFACLOBJ_RELATION;
1234  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1235  this_privileges = ACL_ALL_RIGHTS_RELATION;
1236  break;
1237 
1238  case OBJECT_SEQUENCE:
1239  objtype = DEFACLOBJ_SEQUENCE;
1240  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1241  this_privileges = ACL_ALL_RIGHTS_SEQUENCE;
1242  break;
1243 
1244  case OBJECT_FUNCTION:
1245  objtype = DEFACLOBJ_FUNCTION;
1246  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1247  this_privileges = ACL_ALL_RIGHTS_FUNCTION;
1248  break;
1249 
1250  case OBJECT_TYPE:
1251  objtype = DEFACLOBJ_TYPE;
1252  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1253  this_privileges = ACL_ALL_RIGHTS_TYPE;
1254  break;
1255 
1256  case OBJECT_SCHEMA:
1257  if (OidIsValid(iacls->nspid))
1258  ereport(ERROR,
1259  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1260  errmsg("cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS")));
1261  objtype = DEFACLOBJ_NAMESPACE;
1262  if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
1263  this_privileges = ACL_ALL_RIGHTS_SCHEMA;
1264  break;
1265 
1266  default:
1267  elog(ERROR, "unrecognized object type: %d",
1268  (int) iacls->objtype);
1269  objtype = 0; /* keep compiler quiet */
1270  break;
1271  }
1272 
1273  /* Search for existing row for this object type in catalog */
1275  ObjectIdGetDatum(iacls->roleid),
1276  ObjectIdGetDatum(iacls->nspid),
1277  CharGetDatum(objtype));
1278 
1279  if (HeapTupleIsValid(tuple))
1280  {
1281  Datum aclDatum;
1282  bool isNull;
1283 
1284  aclDatum = SysCacheGetAttr(DEFACLROLENSPOBJ, tuple,
1285  Anum_pg_default_acl_defaclacl,
1286  &isNull);
1287  if (!isNull)
1288  old_acl = DatumGetAclPCopy(aclDatum);
1289  else
1290  old_acl = NULL; /* this case shouldn't happen, probably */
1291  isNew = false;
1292  }
1293  else
1294  {
1295  old_acl = NULL;
1296  isNew = true;
1297  }
1298 
1299  if (old_acl != NULL)
1300  {
1301  /*
1302  * We need the members of both old and new ACLs so we can correct the
1303  * shared dependency information. Collect data before
1304  * merge_acl_with_grant throws away old_acl.
1305  */
1306  noldmembers = aclmembers(old_acl, &oldmembers);
1307  }
1308  else
1309  {
1310  /* If no or null entry, start with the default ACL value */
1311  old_acl = aclcopy(def_acl);
1312  /* There are no old member roles according to the catalogs */
1313  noldmembers = 0;
1314  oldmembers = NULL;
1315  }
1316 
1317  /*
1318  * Generate new ACL. Grantor of rights is always the same as the target
1319  * role.
1320  */
1321  new_acl = merge_acl_with_grant(old_acl,
1322  iacls->is_grant,
1323  iacls->grant_option,
1324  iacls->behavior,
1325  iacls->grantees,
1326  this_privileges,
1327  iacls->roleid,
1328  iacls->roleid);
1329 
1330  /*
1331  * If the result is the same as the default value, we do not need an
1332  * explicit pg_default_acl entry, and should in fact remove the entry if
1333  * it exists. Must sort both arrays to compare properly.
1334  */
1335  aclitemsort(new_acl);
1336  aclitemsort(def_acl);
1337  if (aclequal(new_acl, def_acl))
1338  {
1339  /* delete old entry, if indeed there is one */
1340  if (!isNew)
1341  {
1342  ObjectAddress myself;
1343 
1344  /*
1345  * The dependency machinery will take care of removing all
1346  * associated dependency entries. We use DROP_RESTRICT since
1347  * there shouldn't be anything depending on this entry.
1348  */
1349  myself.classId = DefaultAclRelationId;
1350  myself.objectId = ((Form_pg_default_acl) GETSTRUCT(tuple))->oid;
1351  myself.objectSubId = 0;
1352 
1353  performDeletion(&myself, DROP_RESTRICT, 0);
1354  }
1355  }
1356  else
1357  {
1358  Datum values[Natts_pg_default_acl] = {0};
1359  bool nulls[Natts_pg_default_acl] = {0};
1360  bool replaces[Natts_pg_default_acl] = {0};
1361  Oid defAclOid;
1362 
1363  if (isNew)
1364  {
1365  /* insert new entry */
1366  defAclOid = GetNewOidWithIndex(rel, DefaultAclOidIndexId,
1367  Anum_pg_default_acl_oid);
1368  values[Anum_pg_default_acl_oid - 1] = ObjectIdGetDatum(defAclOid);
1369  values[Anum_pg_default_acl_defaclrole - 1] = ObjectIdGetDatum(iacls->roleid);
1370  values[Anum_pg_default_acl_defaclnamespace - 1] = ObjectIdGetDatum(iacls->nspid);
1371  values[Anum_pg_default_acl_defaclobjtype - 1] = CharGetDatum(objtype);
1372  values[Anum_pg_default_acl_defaclacl - 1] = PointerGetDatum(new_acl);
1373 
1374  newtuple = heap_form_tuple(RelationGetDescr(rel), values, nulls);
1375  CatalogTupleInsert(rel, newtuple);
1376  }
1377  else
1378  {
1379  defAclOid = ((Form_pg_default_acl) GETSTRUCT(tuple))->oid;
1380 
1381  /* update existing entry */
1382  values[Anum_pg_default_acl_defaclacl - 1] = PointerGetDatum(new_acl);
1383  replaces[Anum_pg_default_acl_defaclacl - 1] = true;
1384 
1385  newtuple = heap_modify_tuple(tuple, RelationGetDescr(rel),
1386  values, nulls, replaces);
1387  CatalogTupleUpdate(rel, &newtuple->t_self, newtuple);
1388  }
1389 
1390  /* these dependencies don't change in an update */
1391  if (isNew)
1392  {
1393  /* dependency on role */
1394  recordDependencyOnOwner(DefaultAclRelationId, defAclOid,
1395  iacls->roleid);
1396 
1397  /* dependency on namespace */
1398  if (OidIsValid(iacls->nspid))
1399  {
1400  ObjectAddress myself,
1401  referenced;
1402 
1403  myself.classId = DefaultAclRelationId;
1404  myself.objectId = defAclOid;
1405  myself.objectSubId = 0;
1406 
1407  referenced.classId = NamespaceRelationId;
1408  referenced.objectId = iacls->nspid;
1409  referenced.objectSubId = 0;
1410 
1411  recordDependencyOn(&myself, &referenced, DEPENDENCY_AUTO);
1412  }
1413  }
1414 
1415  /*
1416  * Update the shared dependency ACL info
1417  */
1418  nnewmembers = aclmembers(new_acl, &newmembers);
1419 
1420  updateAclDependencies(DefaultAclRelationId,
1421  defAclOid, 0,
1422  iacls->roleid,
1423  noldmembers, oldmembers,
1424  nnewmembers, newmembers);
1425 
1426  if (isNew)
1427  InvokeObjectPostCreateHook(DefaultAclRelationId, defAclOid, 0);
1428  else
1429  InvokeObjectPostAlterHook(DefaultAclRelationId, defAclOid, 0);
1430  }
1431 
1432  if (HeapTupleIsValid(tuple))
1433  ReleaseSysCache(tuple);
1434 
1436 
1437  /* prevent error when processing duplicate objects */
1439 }
1440 
1441 
1442 /*
1443  * RemoveRoleFromObjectACL
1444  *
1445  * Used by shdepDropOwned to remove mentions of a role in ACLs
1446  */
1447 void
1448 RemoveRoleFromObjectACL(Oid roleid, Oid classid, Oid objid)
1449 {
1450  if (classid == DefaultAclRelationId)
1451  {
1452  InternalDefaultACL iacls;
1453  Form_pg_default_acl pg_default_acl_tuple;
1454  Relation rel;
1455  ScanKeyData skey[1];
1456  SysScanDesc scan;
1457  HeapTuple tuple;
1458 
1459  /* first fetch info needed by SetDefaultACL */
1460  rel = table_open(DefaultAclRelationId, AccessShareLock);
1461 
1462  ScanKeyInit(&skey[0],
1463  Anum_pg_default_acl_oid,
1464  BTEqualStrategyNumber, F_OIDEQ,
1465  ObjectIdGetDatum(objid));
1466 
1467  scan = systable_beginscan(rel, DefaultAclOidIndexId, true,
1468  NULL, 1, skey);
1469 
1470  tuple = systable_getnext(scan);
1471 
1472  if (!HeapTupleIsValid(tuple))
1473  elog(ERROR, "could not find tuple for default ACL %u", objid);
1474 
1475  pg_default_acl_tuple = (Form_pg_default_acl) GETSTRUCT(tuple);
1476 
1477  iacls.roleid = pg_default_acl_tuple->defaclrole;
1478  iacls.nspid = pg_default_acl_tuple->defaclnamespace;
1479 
1480  switch (pg_default_acl_tuple->defaclobjtype)
1481  {
1482  case DEFACLOBJ_RELATION:
1483  iacls.objtype = OBJECT_TABLE;
1484  break;
1485  case DEFACLOBJ_SEQUENCE:
1486  iacls.objtype = OBJECT_SEQUENCE;
1487  break;
1488  case DEFACLOBJ_FUNCTION:
1489  iacls.objtype = OBJECT_FUNCTION;
1490  break;
1491  case DEFACLOBJ_TYPE:
1492  iacls.objtype = OBJECT_TYPE;
1493  break;
1494  case DEFACLOBJ_NAMESPACE:
1495  iacls.objtype = OBJECT_SCHEMA;
1496  break;
1497  default:
1498  /* Shouldn't get here */
1499  elog(ERROR, "unexpected default ACL type: %d",
1500  (int) pg_default_acl_tuple->defaclobjtype);
1501  break;
1502  }
1503 
1504  systable_endscan(scan);
1506 
1507  iacls.is_grant = false;
1508  iacls.all_privs = true;
1509  iacls.privileges = ACL_NO_RIGHTS;
1510  iacls.grantees = list_make1_oid(roleid);
1511  iacls.grant_option = false;
1512  iacls.behavior = DROP_CASCADE;
1513 
1514  /* Do it */
1515  SetDefaultACL(&iacls);
1516  }
1517  else
1518  {
1519  InternalGrant istmt;
1520 
1521  switch (classid)
1522  {
1523  case RelationRelationId:
1524  /* it's OK to use TABLE for a sequence */
1525  istmt.objtype = OBJECT_TABLE;
1526  break;
1527  case DatabaseRelationId:
1528  istmt.objtype = OBJECT_DATABASE;
1529  break;
1530  case TypeRelationId:
1531  istmt.objtype = OBJECT_TYPE;
1532  break;
1533  case ProcedureRelationId:
1534  istmt.objtype = OBJECT_ROUTINE;
1535  break;
1536  case LanguageRelationId:
1537  istmt.objtype = OBJECT_LANGUAGE;
1538  break;
1539  case LargeObjectRelationId:
1540  istmt.objtype = OBJECT_LARGEOBJECT;
1541  break;
1542  case NamespaceRelationId:
1543  istmt.objtype = OBJECT_SCHEMA;
1544  break;
1545  case TableSpaceRelationId:
1546  istmt.objtype = OBJECT_TABLESPACE;
1547  break;
1548  case ForeignServerRelationId:
1550  break;
1551  case ForeignDataWrapperRelationId:
1552  istmt.objtype = OBJECT_FDW;
1553  break;
1554  case ParameterAclRelationId:
1555  istmt.objtype = OBJECT_PARAMETER_ACL;
1556  break;
1557  default:
1558  elog(ERROR, "unexpected object class %u", classid);
1559  break;
1560  }
1561  istmt.is_grant = false;
1562  istmt.objects = list_make1_oid(objid);
1563  istmt.all_privs = true;
1564  istmt.privileges = ACL_NO_RIGHTS;
1565  istmt.col_privs = NIL;
1566  istmt.grantees = list_make1_oid(roleid);
1567  istmt.grant_option = false;
1568  istmt.behavior = DROP_CASCADE;
1569 
1570  ExecGrantStmt_oids(&istmt);
1571  }
1572 }
1573 
1574 
1575 /*
1576  * expand_col_privileges
1577  *
1578  * OR the specified privilege(s) into per-column array entries for each
1579  * specified attribute. The per-column array is indexed starting at
1580  * FirstLowInvalidHeapAttributeNumber, up to relation's last attribute.
1581  */
1582 static void
1583 expand_col_privileges(List *colnames, Oid table_oid,
1584  AclMode this_privileges,
1585  AclMode *col_privileges,
1586  int num_col_privileges)
1587 {
1588  ListCell *cell;
1589 
1590  foreach(cell, colnames)
1591  {
1592  char *colname = strVal(lfirst(cell));
1594 
1595  attnum = get_attnum(table_oid, colname);
1596  if (attnum == InvalidAttrNumber)
1597  ereport(ERROR,
1598  (errcode(ERRCODE_UNDEFINED_COLUMN),
1599  errmsg("column \"%s\" of relation \"%s\" does not exist",
1600  colname, get_rel_name(table_oid))));
1602  if (attnum <= 0 || attnum >= num_col_privileges)
1603  elog(ERROR, "column number out of range"); /* safety check */
1604  col_privileges[attnum] |= this_privileges;
1605  }
1606 }
1607 
1608 /*
1609  * expand_all_col_privileges
1610  *
1611  * OR the specified privilege(s) into per-column array entries for each valid
1612  * attribute of a relation. The per-column array is indexed starting at
1613  * FirstLowInvalidHeapAttributeNumber, up to relation's last attribute.
1614  */
1615 static void
1617  AclMode this_privileges,
1618  AclMode *col_privileges,
1619  int num_col_privileges)
1620 {
1621  AttrNumber curr_att;
1622 
1623  Assert(classForm->relnatts - FirstLowInvalidHeapAttributeNumber < num_col_privileges);
1624  for (curr_att = FirstLowInvalidHeapAttributeNumber + 1;
1625  curr_att <= classForm->relnatts;
1626  curr_att++)
1627  {
1628  HeapTuple attTuple;
1629  bool isdropped;
1630 
1631  if (curr_att == InvalidAttrNumber)
1632  continue;
1633 
1634  /* Views don't have any system columns at all */
1635  if (classForm->relkind == RELKIND_VIEW && curr_att < 0)
1636  continue;
1637 
1638  attTuple = SearchSysCache2(ATTNUM,
1639  ObjectIdGetDatum(table_oid),
1640  Int16GetDatum(curr_att));
1641  if (!HeapTupleIsValid(attTuple))
1642  elog(ERROR, "cache lookup failed for attribute %d of relation %u",
1643  curr_att, table_oid);
1644 
1645  isdropped = ((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped;
1646 
1647  ReleaseSysCache(attTuple);
1648 
1649  /* ignore dropped columns */
1650  if (isdropped)
1651  continue;
1652 
1653  col_privileges[curr_att - FirstLowInvalidHeapAttributeNumber] |= this_privileges;
1654  }
1655 }
1656 
1657 /*
1658  * This processes attributes, but expects to be called from
1659  * ExecGrant_Relation, not directly from ExecuteGrantStmt.
1660  */
1661 static void
1662 ExecGrant_Attribute(InternalGrant *istmt, Oid relOid, const char *relname,
1663  AttrNumber attnum, Oid ownerId, AclMode col_privileges,
1664  Relation attRelation, const Acl *old_rel_acl)
1665 {
1666  HeapTuple attr_tuple;
1667  Form_pg_attribute pg_attribute_tuple;
1668  Acl *old_acl;
1669  Acl *new_acl;
1670  Acl *merged_acl;
1671  Datum aclDatum;
1672  bool isNull;
1673  Oid grantorId;
1674  AclMode avail_goptions;
1675  bool need_update;
1676  HeapTuple newtuple;
1677  Datum values[Natts_pg_attribute] = {0};
1678  bool nulls[Natts_pg_attribute] = {0};
1679  bool replaces[Natts_pg_attribute] = {0};
1680  int noldmembers;
1681  int nnewmembers;
1682  Oid *oldmembers;
1683  Oid *newmembers;
1684 
1685  attr_tuple = SearchSysCache2(ATTNUM,
1686  ObjectIdGetDatum(relOid),
1688  if (!HeapTupleIsValid(attr_tuple))
1689  elog(ERROR, "cache lookup failed for attribute %d of relation %u",
1690  attnum, relOid);
1691  pg_attribute_tuple = (Form_pg_attribute) GETSTRUCT(attr_tuple);
1692 
1693  /*
1694  * Get working copy of existing ACL. If there's no ACL, substitute the
1695  * proper default.
1696  */
1697  aclDatum = SysCacheGetAttr(ATTNUM, attr_tuple, Anum_pg_attribute_attacl,
1698  &isNull);
1699  if (isNull)
1700  {
1701  old_acl = acldefault(OBJECT_COLUMN, ownerId);
1702  /* There are no old member roles according to the catalogs */
1703  noldmembers = 0;
1704  oldmembers = NULL;
1705  }
1706  else
1707  {
1708  old_acl = DatumGetAclPCopy(aclDatum);
1709  /* Get the roles mentioned in the existing ACL */
1710  noldmembers = aclmembers(old_acl, &oldmembers);
1711  }
1712 
1713  /*
1714  * In select_best_grantor we should consider existing table-level ACL bits
1715  * as well as the per-column ACL. Build a new ACL that is their
1716  * concatenation. (This is a bit cheap and dirty compared to merging them
1717  * properly with no duplications, but it's all we need here.)
1718  */
1719  merged_acl = aclconcat(old_rel_acl, old_acl);
1720 
1721  /* Determine ID to do the grant as, and available grant options */
1722  select_best_grantor(GetUserId(), col_privileges,
1723  merged_acl, ownerId,
1724  &grantorId, &avail_goptions);
1725 
1726  pfree(merged_acl);
1727 
1728  /*
1729  * Restrict the privileges to what we can actually grant, and emit the
1730  * standards-mandated warning and error messages. Note: we don't track
1731  * whether the user actually used the ALL PRIVILEGES(columns) syntax for
1732  * each column; we just approximate it by whether all the possible
1733  * privileges are specified now. Since the all_privs flag only determines
1734  * whether a warning is issued, this seems close enough.
1735  */
1736  col_privileges =
1737  restrict_and_check_grant(istmt->is_grant, avail_goptions,
1738  (col_privileges == ACL_ALL_RIGHTS_COLUMN),
1739  col_privileges,
1740  relOid, grantorId, OBJECT_COLUMN,
1741  relname, attnum,
1742  NameStr(pg_attribute_tuple->attname));
1743 
1744  /*
1745  * Generate new ACL.
1746  */
1747  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
1748  istmt->grant_option,
1749  istmt->behavior, istmt->grantees,
1750  col_privileges, grantorId,
1751  ownerId);
1752 
1753  /*
1754  * We need the members of both old and new ACLs so we can correct the
1755  * shared dependency information.
1756  */
1757  nnewmembers = aclmembers(new_acl, &newmembers);
1758 
1759  /* finished building new ACL value, now insert it */
1760 
1761  /*
1762  * If the updated ACL is empty, we can set attacl to null, and maybe even
1763  * avoid an update of the pg_attribute row. This is worth testing because
1764  * we'll come through here multiple times for any relation-level REVOKE,
1765  * even if there were never any column GRANTs. Note we are assuming that
1766  * the "default" ACL state for columns is empty.
1767  */
1768  if (ACL_NUM(new_acl) > 0)
1769  {
1770  values[Anum_pg_attribute_attacl - 1] = PointerGetDatum(new_acl);
1771  need_update = true;
1772  }
1773  else
1774  {
1775  nulls[Anum_pg_attribute_attacl - 1] = true;
1776  need_update = !isNull;
1777  }
1778  replaces[Anum_pg_attribute_attacl - 1] = true;
1779 
1780  if (need_update)
1781  {
1782  newtuple = heap_modify_tuple(attr_tuple, RelationGetDescr(attRelation),
1783  values, nulls, replaces);
1784 
1785  CatalogTupleUpdate(attRelation, &newtuple->t_self, newtuple);
1786 
1787  /* Update initial privileges for extensions */
1788  recordExtensionInitPriv(relOid, RelationRelationId, attnum,
1789  ACL_NUM(new_acl) > 0 ? new_acl : NULL);
1790 
1791  /* Update the shared dependency ACL info */
1792  updateAclDependencies(RelationRelationId, relOid, attnum,
1793  ownerId,
1794  noldmembers, oldmembers,
1795  nnewmembers, newmembers);
1796  }
1797 
1798  pfree(new_acl);
1799 
1800  ReleaseSysCache(attr_tuple);
1801 }
1802 
1803 /*
1804  * This processes both sequences and non-sequences.
1805  */
1806 static void
1808 {
1809  Relation relation;
1810  Relation attRelation;
1811  ListCell *cell;
1812 
1813  relation = table_open(RelationRelationId, RowExclusiveLock);
1814  attRelation = table_open(AttributeRelationId, RowExclusiveLock);
1815 
1816  foreach(cell, istmt->objects)
1817  {
1818  Oid relOid = lfirst_oid(cell);
1819  Datum aclDatum;
1820  Form_pg_class pg_class_tuple;
1821  bool isNull;
1822  AclMode this_privileges;
1823  AclMode *col_privileges;
1824  int num_col_privileges;
1825  bool have_col_privileges;
1826  Acl *old_acl;
1827  Acl *old_rel_acl;
1828  int noldmembers;
1829  Oid *oldmembers;
1830  Oid ownerId;
1831  HeapTuple tuple;
1832  ListCell *cell_colprivs;
1833 
1834  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relOid));
1835  if (!HeapTupleIsValid(tuple))
1836  elog(ERROR, "cache lookup failed for relation %u", relOid);
1837  pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
1838 
1839  /* Not sensible to grant on an index */
1840  if (pg_class_tuple->relkind == RELKIND_INDEX ||
1841  pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX)
1842  ereport(ERROR,
1843  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
1844  errmsg("\"%s\" is an index",
1845  NameStr(pg_class_tuple->relname))));
1846 
1847  /* Composite types aren't tables either */
1848  if (pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
1849  ereport(ERROR,
1850  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
1851  errmsg("\"%s\" is a composite type",
1852  NameStr(pg_class_tuple->relname))));
1853 
1854  /* Used GRANT SEQUENCE on a non-sequence? */
1855  if (istmt->objtype == OBJECT_SEQUENCE &&
1856  pg_class_tuple->relkind != RELKIND_SEQUENCE)
1857  ereport(ERROR,
1858  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
1859  errmsg("\"%s\" is not a sequence",
1860  NameStr(pg_class_tuple->relname))));
1861 
1862  /* Adjust the default permissions based on object type */
1863  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
1864  {
1865  if (pg_class_tuple->relkind == RELKIND_SEQUENCE)
1866  this_privileges = ACL_ALL_RIGHTS_SEQUENCE;
1867  else
1868  this_privileges = ACL_ALL_RIGHTS_RELATION;
1869  }
1870  else
1871  this_privileges = istmt->privileges;
1872 
1873  /*
1874  * The GRANT TABLE syntax can be used for sequences and non-sequences,
1875  * so we have to look at the relkind to determine the supported
1876  * permissions. The OR of table and sequence permissions were already
1877  * checked.
1878  */
1879  if (istmt->objtype == OBJECT_TABLE)
1880  {
1881  if (pg_class_tuple->relkind == RELKIND_SEQUENCE)
1882  {
1883  /*
1884  * For backward compatibility, just throw a warning for
1885  * invalid sequence permissions when using the non-sequence
1886  * GRANT syntax.
1887  */
1888  if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_SEQUENCE))
1889  {
1890  /*
1891  * Mention the object name because the user needs to know
1892  * which operations succeeded. This is required because
1893  * WARNING allows the command to continue.
1894  */
1895  ereport(WARNING,
1896  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1897  errmsg("sequence \"%s\" only supports USAGE, SELECT, and UPDATE privileges",
1898  NameStr(pg_class_tuple->relname))));
1899  this_privileges &= (AclMode) ACL_ALL_RIGHTS_SEQUENCE;
1900  }
1901  }
1902  else
1903  {
1904  if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
1905  {
1906  /*
1907  * USAGE is the only permission supported by sequences but
1908  * not by non-sequences. Don't mention the object name
1909  * because we didn't in the combined TABLE | SEQUENCE
1910  * check.
1911  */
1912  ereport(ERROR,
1913  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1914  errmsg("invalid privilege type %s for table",
1915  "USAGE")));
1916  }
1917  }
1918  }
1919 
1920  /*
1921  * Set up array in which we'll accumulate any column privilege bits
1922  * that need modification. The array is indexed such that entry [0]
1923  * corresponds to FirstLowInvalidHeapAttributeNumber.
1924  */
1925  num_col_privileges = pg_class_tuple->relnatts - FirstLowInvalidHeapAttributeNumber + 1;
1926  col_privileges = (AclMode *) palloc0(num_col_privileges * sizeof(AclMode));
1927  have_col_privileges = false;
1928 
1929  /*
1930  * If we are revoking relation privileges that are also column
1931  * privileges, we must implicitly revoke them from each column too,
1932  * per SQL spec. (We don't need to implicitly add column privileges
1933  * during GRANT because the permissions-checking code always checks
1934  * both relation and per-column privileges.)
1935  */
1936  if (!istmt->is_grant &&
1937  (this_privileges & ACL_ALL_RIGHTS_COLUMN) != 0)
1938  {
1939  expand_all_col_privileges(relOid, pg_class_tuple,
1940  this_privileges & ACL_ALL_RIGHTS_COLUMN,
1941  col_privileges,
1942  num_col_privileges);
1943  have_col_privileges = true;
1944  }
1945 
1946  /*
1947  * Get owner ID and working copy of existing ACL. If there's no ACL,
1948  * substitute the proper default.
1949  */
1950  ownerId = pg_class_tuple->relowner;
1951  aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
1952  &isNull);
1953  if (isNull)
1954  {
1955  switch (pg_class_tuple->relkind)
1956  {
1957  case RELKIND_SEQUENCE:
1958  old_acl = acldefault(OBJECT_SEQUENCE, ownerId);
1959  break;
1960  default:
1961  old_acl = acldefault(OBJECT_TABLE, ownerId);
1962  break;
1963  }
1964  /* There are no old member roles according to the catalogs */
1965  noldmembers = 0;
1966  oldmembers = NULL;
1967  }
1968  else
1969  {
1970  old_acl = DatumGetAclPCopy(aclDatum);
1971  /* Get the roles mentioned in the existing ACL */
1972  noldmembers = aclmembers(old_acl, &oldmembers);
1973  }
1974 
1975  /* Need an extra copy of original rel ACL for column handling */
1976  old_rel_acl = aclcopy(old_acl);
1977 
1978  /*
1979  * Handle relation-level privileges, if any were specified
1980  */
1981  if (this_privileges != ACL_NO_RIGHTS)
1982  {
1983  AclMode avail_goptions;
1984  Acl *new_acl;
1985  Oid grantorId;
1986  HeapTuple newtuple;
1987  Datum values[Natts_pg_class] = {0};
1988  bool nulls[Natts_pg_class] = {0};
1989  bool replaces[Natts_pg_class] = {0};
1990  int nnewmembers;
1991  Oid *newmembers;
1992  ObjectType objtype;
1993 
1994  /* Determine ID to do the grant as, and available grant options */
1995  select_best_grantor(GetUserId(), this_privileges,
1996  old_acl, ownerId,
1997  &grantorId, &avail_goptions);
1998 
1999  switch (pg_class_tuple->relkind)
2000  {
2001  case RELKIND_SEQUENCE:
2002  objtype = OBJECT_SEQUENCE;
2003  break;
2004  default:
2005  objtype = OBJECT_TABLE;
2006  break;
2007  }
2008 
2009  /*
2010  * Restrict the privileges to what we can actually grant, and emit
2011  * the standards-mandated warning and error messages.
2012  */
2013  this_privileges =
2014  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2015  istmt->all_privs, this_privileges,
2016  relOid, grantorId, objtype,
2017  NameStr(pg_class_tuple->relname),
2018  0, NULL);
2019 
2020  /*
2021  * Generate new ACL.
2022  */
2023  new_acl = merge_acl_with_grant(old_acl,
2024  istmt->is_grant,
2025  istmt->grant_option,
2026  istmt->behavior,
2027  istmt->grantees,
2028  this_privileges,
2029  grantorId,
2030  ownerId);
2031 
2032  /*
2033  * We need the members of both old and new ACLs so we can correct
2034  * the shared dependency information.
2035  */
2036  nnewmembers = aclmembers(new_acl, &newmembers);
2037 
2038  /* finished building new ACL value, now insert it */
2039  replaces[Anum_pg_class_relacl - 1] = true;
2040  values[Anum_pg_class_relacl - 1] = PointerGetDatum(new_acl);
2041 
2042  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
2043  values, nulls, replaces);
2044 
2045  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2046 
2047  /* Update initial privileges for extensions */
2048  recordExtensionInitPriv(relOid, RelationRelationId, 0, new_acl);
2049 
2050  /* Update the shared dependency ACL info */
2051  updateAclDependencies(RelationRelationId, relOid, 0,
2052  ownerId,
2053  noldmembers, oldmembers,
2054  nnewmembers, newmembers);
2055 
2056  pfree(new_acl);
2057  }
2058 
2059  /*
2060  * Handle column-level privileges, if any were specified or implied.
2061  * We first expand the user-specified column privileges into the
2062  * array, and then iterate over all nonempty array entries.
2063  */
2064  foreach(cell_colprivs, istmt->col_privs)
2065  {
2066  AccessPriv *col_privs = (AccessPriv *) lfirst(cell_colprivs);
2067 
2068  if (col_privs->priv_name == NULL)
2069  this_privileges = ACL_ALL_RIGHTS_COLUMN;
2070  else
2071  this_privileges = string_to_privilege(col_privs->priv_name);
2072 
2073  if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_COLUMN))
2074  ereport(ERROR,
2075  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
2076  errmsg("invalid privilege type %s for column",
2077  privilege_to_string(this_privileges))));
2078 
2079  if (pg_class_tuple->relkind == RELKIND_SEQUENCE &&
2080  this_privileges & ~((AclMode) ACL_SELECT))
2081  {
2082  /*
2083  * The only column privilege allowed on sequences is SELECT.
2084  * This is a warning not error because we do it that way for
2085  * relation-level privileges.
2086  */
2087  ereport(WARNING,
2088  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
2089  errmsg("sequence \"%s\" only supports SELECT column privileges",
2090  NameStr(pg_class_tuple->relname))));
2091 
2092  this_privileges &= (AclMode) ACL_SELECT;
2093  }
2094 
2095  expand_col_privileges(col_privs->cols, relOid,
2096  this_privileges,
2097  col_privileges,
2098  num_col_privileges);
2099  have_col_privileges = true;
2100  }
2101 
2102  if (have_col_privileges)
2103  {
2104  AttrNumber i;
2105 
2106  for (i = 0; i < num_col_privileges; i++)
2107  {
2108  if (col_privileges[i] == ACL_NO_RIGHTS)
2109  continue;
2110  ExecGrant_Attribute(istmt,
2111  relOid,
2112  NameStr(pg_class_tuple->relname),
2114  ownerId,
2115  col_privileges[i],
2116  attRelation,
2117  old_rel_acl);
2118  }
2119  }
2120 
2121  pfree(old_rel_acl);
2122  pfree(col_privileges);
2123 
2124  ReleaseSysCache(tuple);
2125 
2126  /* prevent error when processing duplicate objects */
2128  }
2129 
2130  table_close(attRelation, RowExclusiveLock);
2131  table_close(relation, RowExclusiveLock);
2132 }
2133 
2134 static void
2136 {
2137  Relation relation;
2138  ListCell *cell;
2139 
2140  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2142 
2143  relation = table_open(DatabaseRelationId, RowExclusiveLock);
2144 
2145  foreach(cell, istmt->objects)
2146  {
2147  Oid datId = lfirst_oid(cell);
2148  Form_pg_database pg_database_tuple;
2149  Datum aclDatum;
2150  bool isNull;
2151  AclMode avail_goptions;
2152  AclMode this_privileges;
2153  Acl *old_acl;
2154  Acl *new_acl;
2155  Oid grantorId;
2156  Oid ownerId;
2157  HeapTuple newtuple;
2158  Datum values[Natts_pg_database] = {0};
2159  bool nulls[Natts_pg_database] = {0};
2160  bool replaces[Natts_pg_database] = {0};
2161  int noldmembers;
2162  int nnewmembers;
2163  Oid *oldmembers;
2164  Oid *newmembers;
2165  HeapTuple tuple;
2166 
2167  tuple = SearchSysCache1(DATABASEOID, ObjectIdGetDatum(datId));
2168  if (!HeapTupleIsValid(tuple))
2169  elog(ERROR, "cache lookup failed for database %u", datId);
2170 
2171  pg_database_tuple = (Form_pg_database) GETSTRUCT(tuple);
2172 
2173  /*
2174  * Get owner ID and working copy of existing ACL. If there's no ACL,
2175  * substitute the proper default.
2176  */
2177  ownerId = pg_database_tuple->datdba;
2178  aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
2179  RelationGetDescr(relation), &isNull);
2180  if (isNull)
2181  {
2182  old_acl = acldefault(OBJECT_DATABASE, ownerId);
2183  /* There are no old member roles according to the catalogs */
2184  noldmembers = 0;
2185  oldmembers = NULL;
2186  }
2187  else
2188  {
2189  old_acl = DatumGetAclPCopy(aclDatum);
2190  /* Get the roles mentioned in the existing ACL */
2191  noldmembers = aclmembers(old_acl, &oldmembers);
2192  }
2193 
2194  /* Determine ID to do the grant as, and available grant options */
2196  old_acl, ownerId,
2197  &grantorId, &avail_goptions);
2198 
2199  /*
2200  * Restrict the privileges to what we can actually grant, and emit the
2201  * standards-mandated warning and error messages.
2202  */
2203  this_privileges =
2204  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2205  istmt->all_privs, istmt->privileges,
2206  datId, grantorId, OBJECT_DATABASE,
2207  NameStr(pg_database_tuple->datname),
2208  0, NULL);
2209 
2210  /*
2211  * Generate new ACL.
2212  */
2213  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2214  istmt->grant_option, istmt->behavior,
2215  istmt->grantees, this_privileges,
2216  grantorId, ownerId);
2217 
2218  /*
2219  * We need the members of both old and new ACLs so we can correct the
2220  * shared dependency information.
2221  */
2222  nnewmembers = aclmembers(new_acl, &newmembers);
2223 
2224  /* finished building new ACL value, now insert it */
2225  replaces[Anum_pg_database_datacl - 1] = true;
2226  values[Anum_pg_database_datacl - 1] = PointerGetDatum(new_acl);
2227 
2228  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2229  nulls, replaces);
2230 
2231  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2232 
2233  /* Update the shared dependency ACL info */
2234  updateAclDependencies(DatabaseRelationId, pg_database_tuple->oid, 0,
2235  ownerId,
2236  noldmembers, oldmembers,
2237  nnewmembers, newmembers);
2238 
2239  ReleaseSysCache(tuple);
2240 
2241  pfree(new_acl);
2242 
2243  /* prevent error when processing duplicate objects */
2245  }
2246 
2247  table_close(relation, RowExclusiveLock);
2248 }
2249 
2250 static void
2252 {
2253  Relation relation;
2254  ListCell *cell;
2255 
2256  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2257  istmt->privileges = ACL_ALL_RIGHTS_FDW;
2258 
2259  relation = table_open(ForeignDataWrapperRelationId, RowExclusiveLock);
2260 
2261  foreach(cell, istmt->objects)
2262  {
2263  Oid fdwid = lfirst_oid(cell);
2264  Form_pg_foreign_data_wrapper pg_fdw_tuple;
2265  Datum aclDatum;
2266  bool isNull;
2267  AclMode avail_goptions;
2268  AclMode this_privileges;
2269  Acl *old_acl;
2270  Acl *new_acl;
2271  Oid grantorId;
2272  Oid ownerId;
2273  HeapTuple tuple;
2274  HeapTuple newtuple;
2275  Datum values[Natts_pg_foreign_data_wrapper] = {0};
2276  bool nulls[Natts_pg_foreign_data_wrapper] = {0};
2277  bool replaces[Natts_pg_foreign_data_wrapper] = {0};
2278  int noldmembers;
2279  int nnewmembers;
2280  Oid *oldmembers;
2281  Oid *newmembers;
2282 
2284  ObjectIdGetDatum(fdwid));
2285  if (!HeapTupleIsValid(tuple))
2286  elog(ERROR, "cache lookup failed for foreign-data wrapper %u", fdwid);
2287 
2288  pg_fdw_tuple = (Form_pg_foreign_data_wrapper) GETSTRUCT(tuple);
2289 
2290  /*
2291  * Get owner ID and working copy of existing ACL. If there's no ACL,
2292  * substitute the proper default.
2293  */
2294  ownerId = pg_fdw_tuple->fdwowner;
2295  aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple,
2296  Anum_pg_foreign_data_wrapper_fdwacl,
2297  &isNull);
2298  if (isNull)
2299  {
2300  old_acl = acldefault(OBJECT_FDW, ownerId);
2301  /* There are no old member roles according to the catalogs */
2302  noldmembers = 0;
2303  oldmembers = NULL;
2304  }
2305  else
2306  {
2307  old_acl = DatumGetAclPCopy(aclDatum);
2308  /* Get the roles mentioned in the existing ACL */
2309  noldmembers = aclmembers(old_acl, &oldmembers);
2310  }
2311 
2312  /* Determine ID to do the grant as, and available grant options */
2314  old_acl, ownerId,
2315  &grantorId, &avail_goptions);
2316 
2317  /*
2318  * Restrict the privileges to what we can actually grant, and emit the
2319  * standards-mandated warning and error messages.
2320  */
2321  this_privileges =
2322  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2323  istmt->all_privs, istmt->privileges,
2324  fdwid, grantorId, OBJECT_FDW,
2325  NameStr(pg_fdw_tuple->fdwname),
2326  0, NULL);
2327 
2328  /*
2329  * Generate new ACL.
2330  */
2331  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2332  istmt->grant_option, istmt->behavior,
2333  istmt->grantees, this_privileges,
2334  grantorId, ownerId);
2335 
2336  /*
2337  * We need the members of both old and new ACLs so we can correct the
2338  * shared dependency information.
2339  */
2340  nnewmembers = aclmembers(new_acl, &newmembers);
2341 
2342  /* finished building new ACL value, now insert it */
2343  replaces[Anum_pg_foreign_data_wrapper_fdwacl - 1] = true;
2344  values[Anum_pg_foreign_data_wrapper_fdwacl - 1] = PointerGetDatum(new_acl);
2345 
2346  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2347  nulls, replaces);
2348 
2349  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2350 
2351  /* Update initial privileges for extensions */
2352  recordExtensionInitPriv(fdwid, ForeignDataWrapperRelationId, 0,
2353  new_acl);
2354 
2355  /* Update the shared dependency ACL info */
2356  updateAclDependencies(ForeignDataWrapperRelationId,
2357  pg_fdw_tuple->oid, 0,
2358  ownerId,
2359  noldmembers, oldmembers,
2360  nnewmembers, newmembers);
2361 
2362  ReleaseSysCache(tuple);
2363 
2364  pfree(new_acl);
2365 
2366  /* prevent error when processing duplicate objects */
2368  }
2369 
2370  table_close(relation, RowExclusiveLock);
2371 }
2372 
2373 static void
2375 {
2376  Relation relation;
2377  ListCell *cell;
2378 
2379  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2381 
2382  relation = table_open(ForeignServerRelationId, RowExclusiveLock);
2383 
2384  foreach(cell, istmt->objects)
2385  {
2386  Oid srvid = lfirst_oid(cell);
2387  Form_pg_foreign_server pg_server_tuple;
2388  Datum aclDatum;
2389  bool isNull;
2390  AclMode avail_goptions;
2391  AclMode this_privileges;
2392  Acl *old_acl;
2393  Acl *new_acl;
2394  Oid grantorId;
2395  Oid ownerId;
2396  HeapTuple tuple;
2397  HeapTuple newtuple;
2398  Datum values[Natts_pg_foreign_server] = {0};
2399  bool nulls[Natts_pg_foreign_server] = {0};
2400  bool replaces[Natts_pg_foreign_server] = {0};
2401  int noldmembers;
2402  int nnewmembers;
2403  Oid *oldmembers;
2404  Oid *newmembers;
2405 
2407  if (!HeapTupleIsValid(tuple))
2408  elog(ERROR, "cache lookup failed for foreign server %u", srvid);
2409 
2410  pg_server_tuple = (Form_pg_foreign_server) GETSTRUCT(tuple);
2411 
2412  /*
2413  * Get owner ID and working copy of existing ACL. If there's no ACL,
2414  * substitute the proper default.
2415  */
2416  ownerId = pg_server_tuple->srvowner;
2417  aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple,
2418  Anum_pg_foreign_server_srvacl,
2419  &isNull);
2420  if (isNull)
2421  {
2422  old_acl = acldefault(OBJECT_FOREIGN_SERVER, ownerId);
2423  /* There are no old member roles according to the catalogs */
2424  noldmembers = 0;
2425  oldmembers = NULL;
2426  }
2427  else
2428  {
2429  old_acl = DatumGetAclPCopy(aclDatum);
2430  /* Get the roles mentioned in the existing ACL */
2431  noldmembers = aclmembers(old_acl, &oldmembers);
2432  }
2433 
2434  /* Determine ID to do the grant as, and available grant options */
2436  old_acl, ownerId,
2437  &grantorId, &avail_goptions);
2438 
2439  /*
2440  * Restrict the privileges to what we can actually grant, and emit the
2441  * standards-mandated warning and error messages.
2442  */
2443  this_privileges =
2444  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2445  istmt->all_privs, istmt->privileges,
2446  srvid, grantorId, OBJECT_FOREIGN_SERVER,
2447  NameStr(pg_server_tuple->srvname),
2448  0, NULL);
2449 
2450  /*
2451  * Generate new ACL.
2452  */
2453  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2454  istmt->grant_option, istmt->behavior,
2455  istmt->grantees, this_privileges,
2456  grantorId, ownerId);
2457 
2458  /*
2459  * We need the members of both old and new ACLs so we can correct the
2460  * shared dependency information.
2461  */
2462  nnewmembers = aclmembers(new_acl, &newmembers);
2463 
2464  /* finished building new ACL value, now insert it */
2465  replaces[Anum_pg_foreign_server_srvacl - 1] = true;
2466  values[Anum_pg_foreign_server_srvacl - 1] = PointerGetDatum(new_acl);
2467 
2468  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2469  nulls, replaces);
2470 
2471  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2472 
2473  /* Update initial privileges for extensions */
2474  recordExtensionInitPriv(srvid, ForeignServerRelationId, 0, new_acl);
2475 
2476  /* Update the shared dependency ACL info */
2477  updateAclDependencies(ForeignServerRelationId,
2478  pg_server_tuple->oid, 0,
2479  ownerId,
2480  noldmembers, oldmembers,
2481  nnewmembers, newmembers);
2482 
2483  ReleaseSysCache(tuple);
2484 
2485  pfree(new_acl);
2486 
2487  /* prevent error when processing duplicate objects */
2489  }
2490 
2491  table_close(relation, RowExclusiveLock);
2492 }
2493 
2494 static void
2496 {
2497  Relation relation;
2498  ListCell *cell;
2499 
2500  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2502 
2503  relation = table_open(ProcedureRelationId, RowExclusiveLock);
2504 
2505  foreach(cell, istmt->objects)
2506  {
2507  Oid funcId = lfirst_oid(cell);
2508  Form_pg_proc pg_proc_tuple;
2509  Datum aclDatum;
2510  bool isNull;
2511  AclMode avail_goptions;
2512  AclMode this_privileges;
2513  Acl *old_acl;
2514  Acl *new_acl;
2515  Oid grantorId;
2516  Oid ownerId;
2517  HeapTuple tuple;
2518  HeapTuple newtuple;
2519  Datum values[Natts_pg_proc] = {0};
2520  bool nulls[Natts_pg_proc] = {0};
2521  bool replaces[Natts_pg_proc] = {0};
2522  int noldmembers;
2523  int nnewmembers;
2524  Oid *oldmembers;
2525  Oid *newmembers;
2526 
2527  tuple = SearchSysCache1(PROCOID, ObjectIdGetDatum(funcId));
2528  if (!HeapTupleIsValid(tuple))
2529  elog(ERROR, "cache lookup failed for function %u", funcId);
2530 
2531  pg_proc_tuple = (Form_pg_proc) GETSTRUCT(tuple);
2532 
2533  /*
2534  * Get owner ID and working copy of existing ACL. If there's no ACL,
2535  * substitute the proper default.
2536  */
2537  ownerId = pg_proc_tuple->proowner;
2538  aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
2539  &isNull);
2540  if (isNull)
2541  {
2542  old_acl = acldefault(OBJECT_FUNCTION, ownerId);
2543  /* There are no old member roles according to the catalogs */
2544  noldmembers = 0;
2545  oldmembers = NULL;
2546  }
2547  else
2548  {
2549  old_acl = DatumGetAclPCopy(aclDatum);
2550  /* Get the roles mentioned in the existing ACL */
2551  noldmembers = aclmembers(old_acl, &oldmembers);
2552  }
2553 
2554  /* Determine ID to do the grant as, and available grant options */
2556  old_acl, ownerId,
2557  &grantorId, &avail_goptions);
2558 
2559  /*
2560  * Restrict the privileges to what we can actually grant, and emit the
2561  * standards-mandated warning and error messages.
2562  */
2563  this_privileges =
2564  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2565  istmt->all_privs, istmt->privileges,
2566  funcId, grantorId, OBJECT_FUNCTION,
2567  NameStr(pg_proc_tuple->proname),
2568  0, NULL);
2569 
2570  /*
2571  * Generate new ACL.
2572  */
2573  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2574  istmt->grant_option, istmt->behavior,
2575  istmt->grantees, this_privileges,
2576  grantorId, ownerId);
2577 
2578  /*
2579  * We need the members of both old and new ACLs so we can correct the
2580  * shared dependency information.
2581  */
2582  nnewmembers = aclmembers(new_acl, &newmembers);
2583 
2584  /* finished building new ACL value, now insert it */
2585  replaces[Anum_pg_proc_proacl - 1] = true;
2586  values[Anum_pg_proc_proacl - 1] = PointerGetDatum(new_acl);
2587 
2588  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2589  nulls, replaces);
2590 
2591  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2592 
2593  /* Update initial privileges for extensions */
2594  recordExtensionInitPriv(funcId, ProcedureRelationId, 0, new_acl);
2595 
2596  /* Update the shared dependency ACL info */
2597  updateAclDependencies(ProcedureRelationId, funcId, 0,
2598  ownerId,
2599  noldmembers, oldmembers,
2600  nnewmembers, newmembers);
2601 
2602  ReleaseSysCache(tuple);
2603 
2604  pfree(new_acl);
2605 
2606  /* prevent error when processing duplicate objects */
2608  }
2609 
2610  table_close(relation, RowExclusiveLock);
2611 }
2612 
2613 static void
2615 {
2616  Relation relation;
2617  ListCell *cell;
2618 
2619  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2621 
2622  relation = table_open(LanguageRelationId, RowExclusiveLock);
2623 
2624  foreach(cell, istmt->objects)
2625  {
2626  Oid langId = lfirst_oid(cell);
2627  Form_pg_language pg_language_tuple;
2628  Datum aclDatum;
2629  bool isNull;
2630  AclMode avail_goptions;
2631  AclMode this_privileges;
2632  Acl *old_acl;
2633  Acl *new_acl;
2634  Oid grantorId;
2635  Oid ownerId;
2636  HeapTuple tuple;
2637  HeapTuple newtuple;
2638  Datum values[Natts_pg_language] = {0};
2639  bool nulls[Natts_pg_language] = {0};
2640  bool replaces[Natts_pg_language] = {0};
2641  int noldmembers;
2642  int nnewmembers;
2643  Oid *oldmembers;
2644  Oid *newmembers;
2645 
2646  tuple = SearchSysCache1(LANGOID, ObjectIdGetDatum(langId));
2647  if (!HeapTupleIsValid(tuple))
2648  elog(ERROR, "cache lookup failed for language %u", langId);
2649 
2650  pg_language_tuple = (Form_pg_language) GETSTRUCT(tuple);
2651 
2652  if (!pg_language_tuple->lanpltrusted)
2653  ereport(ERROR,
2654  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
2655  errmsg("language \"%s\" is not trusted",
2656  NameStr(pg_language_tuple->lanname)),
2657  errdetail("GRANT and REVOKE are not allowed on untrusted languages, "
2658  "because only superusers can use untrusted languages.")));
2659 
2660  /*
2661  * Get owner ID and working copy of existing ACL. If there's no ACL,
2662  * substitute the proper default.
2663  */
2664  ownerId = pg_language_tuple->lanowner;
2665  aclDatum = SysCacheGetAttr(LANGNAME, tuple, Anum_pg_language_lanacl,
2666  &isNull);
2667  if (isNull)
2668  {
2669  old_acl = acldefault(OBJECT_LANGUAGE, ownerId);
2670  /* There are no old member roles according to the catalogs */
2671  noldmembers = 0;
2672  oldmembers = NULL;
2673  }
2674  else
2675  {
2676  old_acl = DatumGetAclPCopy(aclDatum);
2677  /* Get the roles mentioned in the existing ACL */
2678  noldmembers = aclmembers(old_acl, &oldmembers);
2679  }
2680 
2681  /* Determine ID to do the grant as, and available grant options */
2683  old_acl, ownerId,
2684  &grantorId, &avail_goptions);
2685 
2686  /*
2687  * Restrict the privileges to what we can actually grant, and emit the
2688  * standards-mandated warning and error messages.
2689  */
2690  this_privileges =
2691  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2692  istmt->all_privs, istmt->privileges,
2693  langId, grantorId, OBJECT_LANGUAGE,
2694  NameStr(pg_language_tuple->lanname),
2695  0, NULL);
2696 
2697  /*
2698  * Generate new ACL.
2699  */
2700  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2701  istmt->grant_option, istmt->behavior,
2702  istmt->grantees, this_privileges,
2703  grantorId, ownerId);
2704 
2705  /*
2706  * We need the members of both old and new ACLs so we can correct the
2707  * shared dependency information.
2708  */
2709  nnewmembers = aclmembers(new_acl, &newmembers);
2710 
2711  /* finished building new ACL value, now insert it */
2712  replaces[Anum_pg_language_lanacl - 1] = true;
2713  values[Anum_pg_language_lanacl - 1] = PointerGetDatum(new_acl);
2714 
2715  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2716  nulls, replaces);
2717 
2718  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2719 
2720  /* Update initial privileges for extensions */
2721  recordExtensionInitPriv(langId, LanguageRelationId, 0, new_acl);
2722 
2723  /* Update the shared dependency ACL info */
2724  updateAclDependencies(LanguageRelationId, pg_language_tuple->oid, 0,
2725  ownerId,
2726  noldmembers, oldmembers,
2727  nnewmembers, newmembers);
2728 
2729  ReleaseSysCache(tuple);
2730 
2731  pfree(new_acl);
2732 
2733  /* prevent error when processing duplicate objects */
2735  }
2736 
2737  table_close(relation, RowExclusiveLock);
2738 }
2739 
2740 static void
2742 {
2743  Relation relation;
2744  ListCell *cell;
2745 
2746  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2748 
2749  relation = table_open(LargeObjectMetadataRelationId,
2751 
2752  foreach(cell, istmt->objects)
2753  {
2754  Oid loid = lfirst_oid(cell);
2755  Form_pg_largeobject_metadata form_lo_meta;
2756  char loname[NAMEDATALEN];
2757  Datum aclDatum;
2758  bool isNull;
2759  AclMode avail_goptions;
2760  AclMode this_privileges;
2761  Acl *old_acl;
2762  Acl *new_acl;
2763  Oid grantorId;
2764  Oid ownerId;
2765  HeapTuple newtuple;
2766  Datum values[Natts_pg_largeobject_metadata] = {0};
2767  bool nulls[Natts_pg_largeobject_metadata] = {0};
2768  bool replaces[Natts_pg_largeobject_metadata] = {0};
2769  int noldmembers;
2770  int nnewmembers;
2771  Oid *oldmembers;
2772  Oid *newmembers;
2773  ScanKeyData entry[1];
2774  SysScanDesc scan;
2775  HeapTuple tuple;
2776 
2777  /* There's no syscache for pg_largeobject_metadata */
2778  ScanKeyInit(&entry[0],
2779  Anum_pg_largeobject_metadata_oid,
2780  BTEqualStrategyNumber, F_OIDEQ,
2781  ObjectIdGetDatum(loid));
2782 
2783  scan = systable_beginscan(relation,
2784  LargeObjectMetadataOidIndexId, true,
2785  NULL, 1, entry);
2786 
2787  tuple = systable_getnext(scan);
2788  if (!HeapTupleIsValid(tuple))
2789  elog(ERROR, "could not find tuple for large object %u", loid);
2790 
2791  form_lo_meta = (Form_pg_largeobject_metadata) GETSTRUCT(tuple);
2792 
2793  /*
2794  * Get owner ID and working copy of existing ACL. If there's no ACL,
2795  * substitute the proper default.
2796  */
2797  ownerId = form_lo_meta->lomowner;
2798  aclDatum = heap_getattr(tuple,
2799  Anum_pg_largeobject_metadata_lomacl,
2800  RelationGetDescr(relation), &isNull);
2801  if (isNull)
2802  {
2803  old_acl = acldefault(OBJECT_LARGEOBJECT, ownerId);
2804  /* There are no old member roles according to the catalogs */
2805  noldmembers = 0;
2806  oldmembers = NULL;
2807  }
2808  else
2809  {
2810  old_acl = DatumGetAclPCopy(aclDatum);
2811  /* Get the roles mentioned in the existing ACL */
2812  noldmembers = aclmembers(old_acl, &oldmembers);
2813  }
2814 
2815  /* Determine ID to do the grant as, and available grant options */
2817  old_acl, ownerId,
2818  &grantorId, &avail_goptions);
2819 
2820  /*
2821  * Restrict the privileges to what we can actually grant, and emit the
2822  * standards-mandated warning and error messages.
2823  */
2824  snprintf(loname, sizeof(loname), "large object %u", loid);
2825  this_privileges =
2826  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2827  istmt->all_privs, istmt->privileges,
2828  loid, grantorId, OBJECT_LARGEOBJECT,
2829  loname, 0, NULL);
2830 
2831  /*
2832  * Generate new ACL.
2833  */
2834  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2835  istmt->grant_option, istmt->behavior,
2836  istmt->grantees, this_privileges,
2837  grantorId, ownerId);
2838 
2839  /*
2840  * We need the members of both old and new ACLs so we can correct the
2841  * shared dependency information.
2842  */
2843  nnewmembers = aclmembers(new_acl, &newmembers);
2844 
2845  /* finished building new ACL value, now insert it */
2846  replaces[Anum_pg_largeobject_metadata_lomacl - 1] = true;
2847  values[Anum_pg_largeobject_metadata_lomacl - 1]
2848  = PointerGetDatum(new_acl);
2849 
2850  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
2851  values, nulls, replaces);
2852 
2853  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2854 
2855  /* Update initial privileges for extensions */
2856  recordExtensionInitPriv(loid, LargeObjectRelationId, 0, new_acl);
2857 
2858  /* Update the shared dependency ACL info */
2859  updateAclDependencies(LargeObjectRelationId,
2860  form_lo_meta->oid, 0,
2861  ownerId,
2862  noldmembers, oldmembers,
2863  nnewmembers, newmembers);
2864 
2865  systable_endscan(scan);
2866 
2867  pfree(new_acl);
2868 
2869  /* prevent error when processing duplicate objects */
2871  }
2872 
2873  table_close(relation, RowExclusiveLock);
2874 }
2875 
2876 static void
2878 {
2879  Relation relation;
2880  ListCell *cell;
2881 
2882  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
2884 
2885  relation = table_open(NamespaceRelationId, RowExclusiveLock);
2886 
2887  foreach(cell, istmt->objects)
2888  {
2889  Oid nspid = lfirst_oid(cell);
2890  Form_pg_namespace pg_namespace_tuple;
2891  Datum aclDatum;
2892  bool isNull;
2893  AclMode avail_goptions;
2894  AclMode this_privileges;
2895  Acl *old_acl;
2896  Acl *new_acl;
2897  Oid grantorId;
2898  Oid ownerId;
2899  HeapTuple tuple;
2900  HeapTuple newtuple;
2901  Datum values[Natts_pg_namespace] = {0};
2902  bool nulls[Natts_pg_namespace] = {0};
2903  bool replaces[Natts_pg_namespace] = {0};
2904  int noldmembers;
2905  int nnewmembers;
2906  Oid *oldmembers;
2907  Oid *newmembers;
2908 
2910  if (!HeapTupleIsValid(tuple))
2911  elog(ERROR, "cache lookup failed for namespace %u", nspid);
2912 
2913  pg_namespace_tuple = (Form_pg_namespace) GETSTRUCT(tuple);
2914 
2915  /*
2916  * Get owner ID and working copy of existing ACL. If there's no ACL,
2917  * substitute the proper default.
2918  */
2919  ownerId = pg_namespace_tuple->nspowner;
2920  aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple,
2921  Anum_pg_namespace_nspacl,
2922  &isNull);
2923  if (isNull)
2924  {
2925  old_acl = acldefault(OBJECT_SCHEMA, ownerId);
2926  /* There are no old member roles according to the catalogs */
2927  noldmembers = 0;
2928  oldmembers = NULL;
2929  }
2930  else
2931  {
2932  old_acl = DatumGetAclPCopy(aclDatum);
2933  /* Get the roles mentioned in the existing ACL */
2934  noldmembers = aclmembers(old_acl, &oldmembers);
2935  }
2936 
2937  /* Determine ID to do the grant as, and available grant options */
2939  old_acl, ownerId,
2940  &grantorId, &avail_goptions);
2941 
2942  /*
2943  * Restrict the privileges to what we can actually grant, and emit the
2944  * standards-mandated warning and error messages.
2945  */
2946  this_privileges =
2947  restrict_and_check_grant(istmt->is_grant, avail_goptions,
2948  istmt->all_privs, istmt->privileges,
2949  nspid, grantorId, OBJECT_SCHEMA,
2950  NameStr(pg_namespace_tuple->nspname),
2951  0, NULL);
2952 
2953  /*
2954  * Generate new ACL.
2955  */
2956  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
2957  istmt->grant_option, istmt->behavior,
2958  istmt->grantees, this_privileges,
2959  grantorId, ownerId);
2960 
2961  /*
2962  * We need the members of both old and new ACLs so we can correct the
2963  * shared dependency information.
2964  */
2965  nnewmembers = aclmembers(new_acl, &newmembers);
2966 
2967  /* finished building new ACL value, now insert it */
2968  replaces[Anum_pg_namespace_nspacl - 1] = true;
2969  values[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(new_acl);
2970 
2971  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
2972  nulls, replaces);
2973 
2974  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
2975 
2976  /* Update initial privileges for extensions */
2977  recordExtensionInitPriv(nspid, NamespaceRelationId, 0, new_acl);
2978 
2979  /* Update the shared dependency ACL info */
2980  updateAclDependencies(NamespaceRelationId, pg_namespace_tuple->oid, 0,
2981  ownerId,
2982  noldmembers, oldmembers,
2983  nnewmembers, newmembers);
2984 
2985  ReleaseSysCache(tuple);
2986 
2987  pfree(new_acl);
2988 
2989  /* prevent error when processing duplicate objects */
2991  }
2992 
2993  table_close(relation, RowExclusiveLock);
2994 }
2995 
2996 static void
2998 {
2999  Relation relation;
3000  ListCell *cell;
3001 
3002  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
3004 
3005  relation = table_open(TableSpaceRelationId, RowExclusiveLock);
3006 
3007  foreach(cell, istmt->objects)
3008  {
3009  Oid tblId = lfirst_oid(cell);
3010  Form_pg_tablespace pg_tablespace_tuple;
3011  Datum aclDatum;
3012  bool isNull;
3013  AclMode avail_goptions;
3014  AclMode this_privileges;
3015  Acl *old_acl;
3016  Acl *new_acl;
3017  Oid grantorId;
3018  Oid ownerId;
3019  HeapTuple newtuple;
3020  Datum values[Natts_pg_tablespace] = {0};
3021  bool nulls[Natts_pg_tablespace] = {0};
3022  bool replaces[Natts_pg_tablespace] = {0};
3023  int noldmembers;
3024  int nnewmembers;
3025  Oid *oldmembers;
3026  Oid *newmembers;
3027  HeapTuple tuple;
3028 
3029  /* Search syscache for pg_tablespace */
3031  if (!HeapTupleIsValid(tuple))
3032  elog(ERROR, "cache lookup failed for tablespace %u", tblId);
3033 
3034  pg_tablespace_tuple = (Form_pg_tablespace) GETSTRUCT(tuple);
3035 
3036  /*
3037  * Get owner ID and working copy of existing ACL. If there's no ACL,
3038  * substitute the proper default.
3039  */
3040  ownerId = pg_tablespace_tuple->spcowner;
3041  aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
3042  RelationGetDescr(relation), &isNull);
3043  if (isNull)
3044  {
3045  old_acl = acldefault(OBJECT_TABLESPACE, ownerId);
3046  /* There are no old member roles according to the catalogs */
3047  noldmembers = 0;
3048  oldmembers = NULL;
3049  }
3050  else
3051  {
3052  old_acl = DatumGetAclPCopy(aclDatum);
3053  /* Get the roles mentioned in the existing ACL */
3054  noldmembers = aclmembers(old_acl, &oldmembers);
3055  }
3056 
3057  /* Determine ID to do the grant as, and available grant options */
3059  old_acl, ownerId,
3060  &grantorId, &avail_goptions);
3061 
3062  /*
3063  * Restrict the privileges to what we can actually grant, and emit the
3064  * standards-mandated warning and error messages.
3065  */
3066  this_privileges =
3067  restrict_and_check_grant(istmt->is_grant, avail_goptions,
3068  istmt->all_privs, istmt->privileges,
3069  tblId, grantorId, OBJECT_TABLESPACE,
3070  NameStr(pg_tablespace_tuple->spcname),
3071  0, NULL);
3072 
3073  /*
3074  * Generate new ACL.
3075  */
3076  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
3077  istmt->grant_option, istmt->behavior,
3078  istmt->grantees, this_privileges,
3079  grantorId, ownerId);
3080 
3081  /*
3082  * We need the members of both old and new ACLs so we can correct the
3083  * shared dependency information.
3084  */
3085  nnewmembers = aclmembers(new_acl, &newmembers);
3086 
3087  /* finished building new ACL value, now insert it */
3088  replaces[Anum_pg_tablespace_spcacl - 1] = true;
3089  values[Anum_pg_tablespace_spcacl - 1] = PointerGetDatum(new_acl);
3090 
3091  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
3092  nulls, replaces);
3093 
3094  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
3095 
3096  /* Update the shared dependency ACL info */
3097  updateAclDependencies(TableSpaceRelationId, tblId, 0,
3098  ownerId,
3099  noldmembers, oldmembers,
3100  nnewmembers, newmembers);
3101 
3102  ReleaseSysCache(tuple);
3103  pfree(new_acl);
3104 
3105  /* prevent error when processing duplicate objects */
3107  }
3108 
3109  table_close(relation, RowExclusiveLock);
3110 }
3111 
3112 static void
3114 {
3115  Relation relation;
3116  ListCell *cell;
3117 
3118  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
3120 
3121  relation = table_open(TypeRelationId, RowExclusiveLock);
3122 
3123  foreach(cell, istmt->objects)
3124  {
3125  Oid typId = lfirst_oid(cell);
3126  Form_pg_type pg_type_tuple;
3127  Datum aclDatum;
3128  bool isNull;
3129  AclMode avail_goptions;
3130  AclMode this_privileges;
3131  Acl *old_acl;
3132  Acl *new_acl;
3133  Oid grantorId;
3134  Oid ownerId;
3135  HeapTuple newtuple;
3136  Datum values[Natts_pg_type] = {0};
3137  bool nulls[Natts_pg_type] = {0};
3138  bool replaces[Natts_pg_type] = {0};
3139  int noldmembers;
3140  int nnewmembers;
3141  Oid *oldmembers;
3142  Oid *newmembers;
3143  HeapTuple tuple;
3144 
3145  /* Search syscache for pg_type */
3146  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(typId));
3147  if (!HeapTupleIsValid(tuple))
3148  elog(ERROR, "cache lookup failed for type %u", typId);
3149 
3150  pg_type_tuple = (Form_pg_type) GETSTRUCT(tuple);
3151 
3152  if (IsTrueArrayType(pg_type_tuple))
3153  ereport(ERROR,
3154  (errcode(ERRCODE_INVALID_GRANT_OPERATION),
3155  errmsg("cannot set privileges of array types"),
3156  errhint("Set the privileges of the element type instead.")));
3157 
3158  /* Used GRANT DOMAIN on a non-domain? */
3159  if (istmt->objtype == OBJECT_DOMAIN &&
3160  pg_type_tuple->typtype != TYPTYPE_DOMAIN)
3161  ereport(ERROR,
3162  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
3163  errmsg("\"%s\" is not a domain",
3164  NameStr(pg_type_tuple->typname))));
3165 
3166  /*
3167  * Get owner ID and working copy of existing ACL. If there's no ACL,
3168  * substitute the proper default.
3169  */
3170  ownerId = pg_type_tuple->typowner;
3171  aclDatum = heap_getattr(tuple, Anum_pg_type_typacl,
3172  RelationGetDescr(relation), &isNull);
3173  if (isNull)
3174  {
3175  old_acl = acldefault(istmt->objtype, ownerId);
3176  /* There are no old member roles according to the catalogs */
3177  noldmembers = 0;
3178  oldmembers = NULL;
3179  }
3180  else
3181  {
3182  old_acl = DatumGetAclPCopy(aclDatum);
3183  /* Get the roles mentioned in the existing ACL */
3184  noldmembers = aclmembers(old_acl, &oldmembers);
3185  }
3186 
3187  /* Determine ID to do the grant as, and available grant options */
3189  old_acl, ownerId,
3190  &grantorId, &avail_goptions);
3191 
3192  /*
3193  * Restrict the privileges to what we can actually grant, and emit the
3194  * standards-mandated warning and error messages.
3195  */
3196  this_privileges =
3197  restrict_and_check_grant(istmt->is_grant, avail_goptions,
3198  istmt->all_privs, istmt->privileges,
3199  typId, grantorId, OBJECT_TYPE,
3200  NameStr(pg_type_tuple->typname),
3201  0, NULL);
3202 
3203  /*
3204  * Generate new ACL.
3205  */
3206  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
3207  istmt->grant_option, istmt->behavior,
3208  istmt->grantees, this_privileges,
3209  grantorId, ownerId);
3210 
3211  /*
3212  * We need the members of both old and new ACLs so we can correct the
3213  * shared dependency information.
3214  */
3215  nnewmembers = aclmembers(new_acl, &newmembers);
3216 
3217  /* finished building new ACL value, now insert it */
3218  replaces[Anum_pg_type_typacl - 1] = true;
3219  values[Anum_pg_type_typacl - 1] = PointerGetDatum(new_acl);
3220 
3221  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
3222  nulls, replaces);
3223 
3224  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
3225 
3226  /* Update initial privileges for extensions */
3227  recordExtensionInitPriv(typId, TypeRelationId, 0, new_acl);
3228 
3229  /* Update the shared dependency ACL info */
3230  updateAclDependencies(TypeRelationId, typId, 0,
3231  ownerId,
3232  noldmembers, oldmembers,
3233  nnewmembers, newmembers);
3234 
3235  ReleaseSysCache(tuple);
3236  pfree(new_acl);
3237 
3238  /* prevent error when processing duplicate objects */
3240  }
3241 
3242  table_close(relation, RowExclusiveLock);
3243 }
3244 
3245 static void
3247 {
3248  Relation relation;
3249  ListCell *cell;
3250 
3251  if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
3253 
3254  relation = table_open(ParameterAclRelationId, RowExclusiveLock);
3255 
3256  foreach(cell, istmt->objects)
3257  {
3258  Oid parameterId = lfirst_oid(cell);
3259  Datum nameDatum;
3260  const char *parname;
3261  Datum aclDatum;
3262  bool isNull;
3263  AclMode avail_goptions;
3264  AclMode this_privileges;
3265  Acl *old_acl;
3266  Acl *new_acl;
3267  Oid grantorId;
3268  Oid ownerId;
3269  HeapTuple tuple;
3270  int noldmembers;
3271  int nnewmembers;
3272  Oid *oldmembers;
3273  Oid *newmembers;
3274 
3275  tuple = SearchSysCache1(PARAMETERACLOID, ObjectIdGetDatum(parameterId));
3276  if (!HeapTupleIsValid(tuple))
3277  elog(ERROR, "cache lookup failed for parameter ACL %u",
3278  parameterId);
3279 
3280  /* We'll need the GUC's name */
3281  nameDatum = SysCacheGetAttr(PARAMETERACLOID, tuple,
3282  Anum_pg_parameter_acl_parname,
3283  &isNull);
3284  Assert(!isNull);
3285  parname = TextDatumGetCString(nameDatum);
3286 
3287  /* Treat all parameters as belonging to the bootstrap superuser. */
3288  ownerId = BOOTSTRAP_SUPERUSERID;
3289 
3290  /*
3291  * Get working copy of existing ACL. If there's no ACL, substitute the
3292  * proper default.
3293  */
3294  aclDatum = SysCacheGetAttr(PARAMETERACLOID, tuple,
3295  Anum_pg_parameter_acl_paracl,
3296  &isNull);
3297 
3298  if (isNull)
3299  {
3300  old_acl = acldefault(istmt->objtype, ownerId);
3301  /* There are no old member roles according to the catalogs */
3302  noldmembers = 0;
3303  oldmembers = NULL;
3304  }
3305  else
3306  {
3307  old_acl = DatumGetAclPCopy(aclDatum);
3308  /* Get the roles mentioned in the existing ACL */
3309  noldmembers = aclmembers(old_acl, &oldmembers);
3310  }
3311 
3312  /* Determine ID to do the grant as, and available grant options */
3314  old_acl, ownerId,
3315  &grantorId, &avail_goptions);
3316 
3317  /*
3318  * Restrict the privileges to what we can actually grant, and emit the
3319  * standards-mandated warning and error messages.
3320  */
3321  this_privileges =
3322  restrict_and_check_grant(istmt->is_grant, avail_goptions,
3323  istmt->all_privs, istmt->privileges,
3324  parameterId, grantorId,
3326  parname,
3327  0, NULL);
3328 
3329  /*
3330  * Generate new ACL.
3331  */
3332  new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
3333  istmt->grant_option, istmt->behavior,
3334  istmt->grantees, this_privileges,
3335  grantorId, ownerId);
3336 
3337  /*
3338  * We need the members of both old and new ACLs so we can correct the
3339  * shared dependency information.
3340  */
3341  nnewmembers = aclmembers(new_acl, &newmembers);
3342 
3343  /*
3344  * If the new ACL is equal to the default, we don't need the catalog
3345  * entry any longer. Delete it rather than updating it, to avoid
3346  * leaving a degenerate entry.
3347  */
3348  if (aclequal(new_acl, acldefault(istmt->objtype, ownerId)))
3349  {
3350  CatalogTupleDelete(relation, &tuple->t_self);
3351  }
3352  else
3353  {
3354  /* finished building new ACL value, now insert it */
3355  HeapTuple newtuple;
3356  Datum values[Natts_pg_parameter_acl] = {0};
3357  bool nulls[Natts_pg_parameter_acl] = {0};
3358  bool replaces[Natts_pg_parameter_acl] = {0};
3359 
3360  replaces[Anum_pg_parameter_acl_paracl - 1] = true;
3361  values[Anum_pg_parameter_acl_paracl - 1] = PointerGetDatum(new_acl);
3362 
3363  newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
3364  values, nulls, replaces);
3365 
3366  CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
3367  }
3368 
3369  /* Update initial privileges for extensions */
3370  recordExtensionInitPriv(parameterId, ParameterAclRelationId, 0,
3371  new_acl);
3372 
3373  /* Update the shared dependency ACL info */
3374  updateAclDependencies(ParameterAclRelationId, parameterId, 0,
3375  ownerId,
3376  noldmembers, oldmembers,
3377  nnewmembers, newmembers);
3378 
3379  ReleaseSysCache(tuple);
3380  pfree(new_acl);
3381 
3382  /* prevent error when processing duplicate objects */
3384  }
3385 
3386  table_close(relation, RowExclusiveLock);
3387 }
3388 
3389 
3390 static AclMode
3391 string_to_privilege(const char *privname)
3392 {
3393  if (strcmp(privname, "insert") == 0)
3394  return ACL_INSERT;
3395  if (strcmp(privname, "select") == 0)
3396  return ACL_SELECT;
3397  if (strcmp(privname, "update") == 0)
3398  return ACL_UPDATE;
3399  if (strcmp(privname, "delete") == 0)
3400  return ACL_DELETE;
3401  if (strcmp(privname, "truncate") == 0)
3402  return ACL_TRUNCATE;
3403  if (strcmp(privname, "references") == 0)
3404  return ACL_REFERENCES;
3405  if (strcmp(privname, "trigger") == 0)
3406  return ACL_TRIGGER;
3407  if (strcmp(privname, "execute") == 0)
3408  return ACL_EXECUTE;
3409  if (strcmp(privname, "usage") == 0)
3410  return ACL_USAGE;
3411  if (strcmp(privname, "create") == 0)
3412  return ACL_CREATE;
3413  if (strcmp(privname, "temporary") == 0)
3414  return ACL_CREATE_TEMP;
3415  if (strcmp(privname, "temp") == 0)
3416  return ACL_CREATE_TEMP;
3417  if (strcmp(privname, "connect") == 0)
3418  return ACL_CONNECT;
3419  if (strcmp(privname, "set") == 0)
3420  return ACL_SET;
3421  if (strcmp(privname, "alter system") == 0)
3422  return ACL_ALTER_SYSTEM;
3423  if (strcmp(privname, "vacuum") == 0)
3424  return ACL_VACUUM;
3425  if (strcmp(privname, "analyze") == 0)
3426  return ACL_ANALYZE;
3427  if (strcmp(privname, "rule") == 0)
3428  return 0; /* ignore old RULE privileges */
3429  ereport(ERROR,
3430  (errcode(ERRCODE_SYNTAX_ERROR),
3431  errmsg("unrecognized privilege type \"%s\"", privname)));
3432  return 0; /* appease compiler */
3433 }
3434 
3435 static const char *
3437 {
3438  switch (privilege)
3439  {
3440  case ACL_INSERT:
3441  return "INSERT";
3442  case ACL_SELECT:
3443  return "SELECT";
3444  case ACL_UPDATE:
3445  return "UPDATE";
3446  case ACL_DELETE:
3447  return "DELETE";
3448  case ACL_TRUNCATE:
3449  return "TRUNCATE";
3450  case ACL_REFERENCES:
3451  return "REFERENCES";
3452  case ACL_TRIGGER:
3453  return "TRIGGER";
3454  case ACL_EXECUTE:
3455  return "EXECUTE";
3456  case ACL_USAGE:
3457  return "USAGE";
3458  case ACL_CREATE:
3459  return "CREATE";
3460  case ACL_CREATE_TEMP:
3461  return "TEMP";
3462  case ACL_CONNECT:
3463  return "CONNECT";
3464  case ACL_SET:
3465  return "SET";
3466  case ACL_ALTER_SYSTEM:
3467  return "ALTER SYSTEM";
3468  case ACL_VACUUM:
3469  return "VACUUM";
3470  case ACL_ANALYZE:
3471  return "ANALYZE";
3472  default:
3473  elog(ERROR, "unrecognized privilege: %d", (int) privilege);
3474  }
3475  return NULL; /* appease compiler */
3476 }
3477 
3478 /*
3479  * Standardized reporting of aclcheck permissions failures.
3480  *
3481  * Note: we do not double-quote the %s's below, because many callers
3482  * supply strings that might be already quoted.
3483  */
3484 void
3486  const char *objectname)
3487 {
3488  switch (aclerr)
3489  {
3490  case ACLCHECK_OK:
3491  /* no error, so return to caller */
3492  break;
3493  case ACLCHECK_NO_PRIV:
3494  {
3495  const char *msg = "???";
3496 
3497  switch (objtype)
3498  {
3499  case OBJECT_AGGREGATE:
3500  msg = gettext_noop("permission denied for aggregate %s");
3501  break;
3502  case OBJECT_COLLATION:
3503  msg = gettext_noop("permission denied for collation %s");
3504  break;
3505  case OBJECT_COLUMN:
3506  msg = gettext_noop("permission denied for column %s");
3507  break;
3508  case OBJECT_CONVERSION:
3509  msg = gettext_noop("permission denied for conversion %s");
3510  break;
3511  case OBJECT_DATABASE:
3512  msg = gettext_noop("permission denied for database %s");
3513  break;
3514  case OBJECT_DOMAIN:
3515  msg = gettext_noop("permission denied for domain %s");
3516  break;
3517  case OBJECT_EVENT_TRIGGER:
3518  msg = gettext_noop("permission denied for event trigger %s");
3519  break;
3520  case OBJECT_EXTENSION:
3521  msg = gettext_noop("permission denied for extension %s");
3522  break;
3523  case OBJECT_FDW:
3524  msg = gettext_noop("permission denied for foreign-data wrapper %s");
3525  break;
3526  case OBJECT_FOREIGN_SERVER:
3527  msg = gettext_noop("permission denied for foreign server %s");
3528  break;
3529  case OBJECT_FOREIGN_TABLE:
3530  msg = gettext_noop("permission denied for foreign table %s");
3531  break;
3532  case OBJECT_FUNCTION:
3533  msg = gettext_noop("permission denied for function %s");
3534  break;
3535  case OBJECT_INDEX:
3536  msg = gettext_noop("permission denied for index %s");
3537  break;
3538  case OBJECT_LANGUAGE:
3539  msg = gettext_noop("permission denied for language %s");
3540  break;
3541  case OBJECT_LARGEOBJECT:
3542  msg = gettext_noop("permission denied for large object %s");
3543  break;
3544  case OBJECT_MATVIEW:
3545  msg = gettext_noop("permission denied for materialized view %s");
3546  break;
3547  case OBJECT_OPCLASS:
3548  msg = gettext_noop("permission denied for operator class %s");
3549  break;
3550  case OBJECT_OPERATOR:
3551  msg = gettext_noop("permission denied for operator %s");
3552  break;
3553  case OBJECT_OPFAMILY:
3554  msg = gettext_noop("permission denied for operator family %s");
3555  break;
3556  case OBJECT_PARAMETER_ACL:
3557  msg = gettext_noop("permission denied for parameter %s");
3558  break;
3559  case OBJECT_POLICY:
3560  msg = gettext_noop("permission denied for policy %s");
3561  break;
3562  case OBJECT_PROCEDURE:
3563  msg = gettext_noop("permission denied for procedure %s");
3564  break;
3565  case OBJECT_PUBLICATION:
3566  msg = gettext_noop("permission denied for publication %s");
3567  break;
3568  case OBJECT_ROUTINE:
3569  msg = gettext_noop("permission denied for routine %s");
3570  break;
3571  case OBJECT_SCHEMA:
3572  msg = gettext_noop("permission denied for schema %s");
3573  break;
3574  case OBJECT_SEQUENCE:
3575  msg = gettext_noop("permission denied for sequence %s");
3576  break;
3577  case OBJECT_STATISTIC_EXT:
3578  msg = gettext_noop("permission denied for statistics object %s");
3579  break;
3580  case OBJECT_SUBSCRIPTION:
3581  msg = gettext_noop("permission denied for subscription %s");
3582  break;
3583  case OBJECT_TABLE:
3584  msg = gettext_noop("permission denied for table %s");
3585  break;
3586  case OBJECT_TABLESPACE:
3587  msg = gettext_noop("permission denied for tablespace %s");
3588  break;
3590  msg = gettext_noop("permission denied for text search configuration %s");
3591  break;
3592  case OBJECT_TSDICTIONARY:
3593  msg = gettext_noop("permission denied for text search dictionary %s");
3594  break;
3595  case OBJECT_TYPE:
3596  msg = gettext_noop("permission denied for type %s");
3597  break;
3598  case OBJECT_VIEW:
3599  msg = gettext_noop("permission denied for view %s");
3600  break;
3601  /* these currently aren't used */
3602  case OBJECT_ACCESS_METHOD:
3603  case OBJECT_AMOP:
3604  case OBJECT_AMPROC:
3605  case OBJECT_ATTRIBUTE:
3606  case OBJECT_CAST:
3607  case OBJECT_DEFAULT:
3608  case OBJECT_DEFACL:
3609  case OBJECT_DOMCONSTRAINT:
3612  case OBJECT_ROLE:
3613  case OBJECT_RULE:
3614  case OBJECT_TABCONSTRAINT:
3615  case OBJECT_TRANSFORM:
3616  case OBJECT_TRIGGER:
3617  case OBJECT_TSPARSER:
3618  case OBJECT_TSTEMPLATE:
3619  case OBJECT_USER_MAPPING:
3620  elog(ERROR, "unsupported object type: %d", objtype);
3621  }
3622 
3623  ereport(ERROR,
3624  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
3625  errmsg(msg, objectname)));
3626  break;
3627  }
3628  case ACLCHECK_NOT_OWNER:
3629  {
3630  const char *msg = "???";
3631 
3632  switch (objtype)
3633  {
3634  case OBJECT_AGGREGATE:
3635  msg = gettext_noop("must be owner of aggregate %s");
3636  break;
3637  case OBJECT_COLLATION:
3638  msg = gettext_noop("must be owner of collation %s");
3639  break;
3640  case OBJECT_CONVERSION:
3641  msg = gettext_noop("must be owner of conversion %s");
3642  break;
3643  case OBJECT_DATABASE:
3644  msg = gettext_noop("must be owner of database %s");
3645  break;
3646  case OBJECT_DOMAIN:
3647  msg = gettext_noop("must be owner of domain %s");
3648  break;
3649  case OBJECT_EVENT_TRIGGER:
3650  msg = gettext_noop("must be owner of event trigger %s");
3651  break;
3652  case OBJECT_EXTENSION:
3653  msg = gettext_noop("must be owner of extension %s");
3654  break;
3655  case OBJECT_FDW:
3656  msg = gettext_noop("must be owner of foreign-data wrapper %s");
3657  break;
3658  case OBJECT_FOREIGN_SERVER:
3659  msg = gettext_noop("must be owner of foreign server %s");
3660  break;
3661  case OBJECT_FOREIGN_TABLE:
3662  msg = gettext_noop("must be owner of foreign table %s");
3663  break;
3664  case OBJECT_FUNCTION:
3665  msg = gettext_noop("must be owner of function %s");
3666  break;
3667  case OBJECT_INDEX:
3668  msg = gettext_noop("must be owner of index %s");
3669  break;
3670  case OBJECT_LANGUAGE:
3671  msg = gettext_noop("must be owner of language %s");
3672  break;
3673  case OBJECT_LARGEOBJECT:
3674  msg = gettext_noop("must be owner of large object %s");
3675  break;
3676  case OBJECT_MATVIEW:
3677  msg = gettext_noop("must be owner of materialized view %s");
3678  break;
3679  case OBJECT_OPCLASS:
3680  msg = gettext_noop("must be owner of operator class %s");
3681  break;
3682  case OBJECT_OPERATOR:
3683  msg = gettext_noop("must be owner of operator %s");
3684  break;
3685  case OBJECT_OPFAMILY:
3686  msg = gettext_noop("must be owner of operator family %s");
3687  break;
3688  case OBJECT_PROCEDURE:
3689  msg = gettext_noop("must be owner of procedure %s");
3690  break;
3691  case OBJECT_PUBLICATION:
3692  msg = gettext_noop("must be owner of publication %s");
3693  break;
3694  case OBJECT_ROUTINE:
3695  msg = gettext_noop("must be owner of routine %s");
3696  break;
3697  case OBJECT_SEQUENCE:
3698  msg = gettext_noop("must be owner of sequence %s");
3699  break;
3700  case OBJECT_SUBSCRIPTION:
3701  msg = gettext_noop("must be owner of subscription %s");
3702  break;
3703  case OBJECT_TABLE:
3704  msg = gettext_noop("must be owner of table %s");
3705  break;
3706  case OBJECT_TYPE:
3707  msg = gettext_noop("must be owner of type %s");
3708  break;
3709  case OBJECT_VIEW:
3710  msg = gettext_noop("must be owner of view %s");
3711  break;
3712  case OBJECT_SCHEMA:
3713  msg = gettext_noop("must be owner of schema %s");
3714  break;
3715  case OBJECT_STATISTIC_EXT:
3716  msg = gettext_noop("must be owner of statistics object %s");
3717  break;
3718  case OBJECT_TABLESPACE:
3719  msg = gettext_noop("must be owner of tablespace %s");
3720  break;
3722  msg = gettext_noop("must be owner of text search configuration %s");
3723  break;
3724  case OBJECT_TSDICTIONARY:
3725  msg = gettext_noop("must be owner of text search dictionary %s");
3726  break;
3727 
3728  /*
3729  * Special cases: For these, the error message talks
3730  * about "relation", because that's where the
3731  * ownership is attached. See also
3732  * check_object_ownership().
3733  */
3734  case OBJECT_COLUMN:
3735  case OBJECT_POLICY:
3736  case OBJECT_RULE:
3737  case OBJECT_TABCONSTRAINT:
3738  case OBJECT_TRIGGER:
3739  msg = gettext_noop("must be owner of relation %s");
3740  break;
3741  /* these currently aren't used */
3742  case OBJECT_ACCESS_METHOD:
3743  case OBJECT_AMOP:
3744  case OBJECT_AMPROC:
3745  case OBJECT_ATTRIBUTE:
3746  case OBJECT_CAST:
3747  case OBJECT_DEFAULT:
3748  case OBJECT_DEFACL:
3749  case OBJECT_DOMCONSTRAINT:
3750  case OBJECT_PARAMETER_ACL:
3753  case OBJECT_ROLE:
3754  case OBJECT_TRANSFORM:
3755  case OBJECT_TSPARSER:
3756  case OBJECT_TSTEMPLATE:
3757  case OBJECT_USER_MAPPING:
3758  elog(ERROR, "unsupported object type: %d", objtype);
3759  }
3760 
3761  ereport(ERROR,
3762  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
3763  errmsg(msg, objectname)));
3764  break;
3765  }
3766  default:
3767  elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
3768  break;
3769  }
3770 }
3771 
3772 
3773 void
3775  const char *objectname, const char *colname)
3776 {
3777  switch (aclerr)
3778  {
3779  case ACLCHECK_OK:
3780  /* no error, so return to caller */
3781  break;
3782  case ACLCHECK_NO_PRIV:
3783  ereport(ERROR,
3784  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
3785  errmsg("permission denied for column \"%s\" of relation \"%s\"",
3786  colname, objectname)));
3787  break;
3788  case ACLCHECK_NOT_OWNER:
3789  /* relation msg is OK since columns don't have separate owners */
3790  aclcheck_error(aclerr, objtype, objectname);
3791  break;
3792  default:
3793  elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
3794  break;
3795  }
3796 }
3797 
3798 
3799 /*
3800  * Special common handling for types: use element type instead of array type,
3801  * and format nicely
3802  */
3803 void
3805 {
3806  Oid element_type = get_element_type(typeOid);
3807 
3808  aclcheck_error(aclerr, OBJECT_TYPE, format_type_be(element_type ? element_type : typeOid));
3809 }
3810 
3811 
3812 /*
3813  * Relay for the various pg_*_mask routines depending on object kind
3814  */
3815 static AclMode
3816 pg_aclmask(ObjectType objtype, Oid object_oid, AttrNumber attnum, Oid roleid,
3817  AclMode mask, AclMaskHow how)
3818 {
3819  switch (objtype)
3820  {
3821  case OBJECT_COLUMN:
3822  return
3823  pg_class_aclmask(object_oid, roleid, mask, how) |
3824  pg_attribute_aclmask(object_oid, attnum, roleid, mask, how);
3825  case OBJECT_TABLE:
3826  case OBJECT_SEQUENCE:
3827  return pg_class_aclmask(object_oid, roleid, mask, how);
3828  case OBJECT_DATABASE:
3829  return object_aclmask(DatabaseRelationId, object_oid, roleid, mask, how);
3830  case OBJECT_FUNCTION:
3831  return object_aclmask(ProcedureRelationId, object_oid, roleid, mask, how);
3832  case OBJECT_LANGUAGE:
3833  return object_aclmask(LanguageRelationId, object_oid, roleid, mask, how);
3834  case OBJECT_LARGEOBJECT:
3835  return pg_largeobject_aclmask_snapshot(object_oid, roleid,
3836  mask, how, NULL);
3837  case OBJECT_PARAMETER_ACL:
3838  return pg_parameter_acl_aclmask(object_oid, roleid, mask, how);
3839  case OBJECT_SCHEMA:
3840  return object_aclmask(NamespaceRelationId, object_oid, roleid, mask, how);
3841  case OBJECT_STATISTIC_EXT:
3842  elog(ERROR, "grantable rights not supported for statistics objects");
3843  /* not reached, but keep compiler quiet */
3844  return ACL_NO_RIGHTS;
3845  case OBJECT_TABLESPACE:
3846  return object_aclmask(TableSpaceRelationId, object_oid, roleid, mask, how);
3847  case OBJECT_FDW:
3848  return object_aclmask(ForeignDataWrapperRelationId, object_oid, roleid, mask, how);
3849  case OBJECT_FOREIGN_SERVER:
3850  return object_aclmask(ForeignServerRelationId, object_oid, roleid, mask, how);
3851  case OBJECT_EVENT_TRIGGER:
3852  elog(ERROR, "grantable rights not supported for event triggers");
3853  /* not reached, but keep compiler quiet */
3854  return ACL_NO_RIGHTS;
3855  case OBJECT_TYPE:
3856  return object_aclmask(TypeRelationId, object_oid, roleid, mask, how);
3857  default:
3858  elog(ERROR, "unrecognized object type: %d",
3859  (int) objtype);
3860  /* not reached, but keep compiler quiet */
3861  return ACL_NO_RIGHTS;
3862  }
3863 }
3864 
3865 
3866 /* ****************************************************************
3867  * Exported routines for examining a user's privileges for various objects
3868  *
3869  * See aclmask() for a description of the common API for these functions.
3870  *
3871  * Note: we give lookup failure the full ereport treatment because the
3872  * has_xxx_privilege() family of functions allow users to pass any random
3873  * OID to these functions.
3874  * ****************************************************************
3875  */
3876 
3877 /*
3878  * Generic routine for examining a user's privileges for an object
3879  */
3880 static AclMode
3881 object_aclmask(Oid classid, Oid objectid, Oid roleid,
3882  AclMode mask, AclMaskHow how)
3883 {
3884  int cacheid;
3885  AclMode result;
3886  HeapTuple tuple;
3887  Datum aclDatum;
3888  bool isNull;
3889  Acl *acl;
3890  Oid ownerId;
3891 
3892  /* Special cases */
3893  switch (classid)
3894  {
3895  case NamespaceRelationId:
3896  return pg_namespace_aclmask(objectid, roleid, mask, how);
3897  case TypeRelationId:
3898  return pg_type_aclmask(objectid, roleid, mask, how);
3899  }
3900 
3901  /* Even more special cases */
3902  Assert(classid != RelationRelationId); /* should use pg_class_acl* */
3903  Assert(classid != LargeObjectMetadataRelationId); /* should use
3904  * pg_largeobject_acl* */
3905 
3906  /* Superusers bypass all permission checking. */
3907  if (superuser_arg(roleid))
3908  return mask;
3909 
3910  /*
3911  * Get the objects's ACL from its catalog
3912  */
3913 
3914  cacheid = get_object_catcache_oid(classid);
3915 
3916  tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objectid));
3917  if (!HeapTupleIsValid(tuple))
3918  ereport(ERROR,
3919  (errcode(ERRCODE_UNDEFINED_DATABASE),
3920  errmsg("%s with OID %u does not exist", get_object_class_descr(classid), objectid)));
3921 
3922  ownerId = DatumGetObjectId(SysCacheGetAttr(cacheid,
3923  tuple,
3924  get_object_attnum_owner(classid),
3925  &isNull));
3926  Assert(!isNull);
3927 
3928  aclDatum = SysCacheGetAttr(cacheid, tuple, get_object_attnum_acl(classid),
3929  &isNull);
3930  if (isNull)
3931  {
3932  /* No ACL, so build default ACL */
3933  acl = acldefault(get_object_type(classid, objectid), ownerId);
3934  aclDatum = (Datum) 0;
3935  }
3936  else
3937  {
3938  /* detoast ACL if necessary */
3939  acl = DatumGetAclP(aclDatum);
3940  }
3941 
3942  result = aclmask(acl, roleid, ownerId, mask, how);
3943 
3944  /* if we have a detoasted copy, free it */
3945  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
3946  pfree(acl);
3947 
3948  ReleaseSysCache(tuple);
3949 
3950  return result;
3951 }
3952 
3953 /*
3954  * Routine for examining a user's privileges for a column
3955  *
3956  * Note: this considers only privileges granted specifically on the column.
3957  * It is caller's responsibility to take relation-level privileges into account
3958  * as appropriate. (For the same reason, we have no special case for
3959  * superuser-ness here.)
3960  */
3961 static AclMode
3963  AclMode mask, AclMaskHow how)
3964 {
3965  return pg_attribute_aclmask_ext(table_oid, attnum, roleid,
3966  mask, how, NULL);
3967 }
3968 
3969 /*
3970  * Routine for examining a user's privileges for a column
3971  *
3972  * Does the bulk of the work for pg_attribute_aclmask(), and allows other
3973  * callers to avoid the missing attribute ERROR when is_missing is non-NULL.
3974  */
3975 static AclMode
3977  AclMode mask, AclMaskHow how, bool *is_missing)
3978 {
3979  AclMode result;
3980  HeapTuple classTuple;
3981  HeapTuple attTuple;
3982  Form_pg_class classForm;
3983  Form_pg_attribute attributeForm;
3984  Datum aclDatum;
3985  bool isNull;
3986  Acl *acl;
3987  Oid ownerId;
3988 
3989  /*
3990  * First, get the column's ACL from its pg_attribute entry
3991  */
3992  attTuple = SearchSysCache2(ATTNUM,
3993  ObjectIdGetDatum(table_oid),
3995  if (!HeapTupleIsValid(attTuple))
3996  {
3997  if (is_missing != NULL)
3998  {
3999  /* return "no privileges" instead of throwing an error */
4000  *is_missing = true;
4001  return 0;
4002  }
4003  else
4004  ereport(ERROR,
4005  (errcode(ERRCODE_UNDEFINED_COLUMN),
4006  errmsg("attribute %d of relation with OID %u does not exist",
4007  attnum, table_oid)));
4008  }
4009 
4010  attributeForm = (Form_pg_attribute) GETSTRUCT(attTuple);
4011 
4012  /* Check dropped columns, too */
4013  if (attributeForm->attisdropped)
4014  {
4015  if (is_missing != NULL)
4016  {
4017  /* return "no privileges" instead of throwing an error */
4018  *is_missing = true;
4019  ReleaseSysCache(attTuple);
4020  return 0;
4021  }
4022  else
4023  ereport(ERROR,
4024  (errcode(ERRCODE_UNDEFINED_COLUMN),
4025  errmsg("attribute %d of relation with OID %u does not exist",
4026  attnum, table_oid)));
4027  }
4028 
4029  aclDatum = SysCacheGetAttr(ATTNUM, attTuple, Anum_pg_attribute_attacl,
4030  &isNull);
4031 
4032  /*
4033  * Here we hard-wire knowledge that the default ACL for a column grants no
4034  * privileges, so that we can fall out quickly in the very common case
4035  * where attacl is null.
4036  */
4037  if (isNull)
4038  {
4039  ReleaseSysCache(attTuple);
4040  return 0;
4041  }
4042 
4043  /*
4044  * Must get the relation's ownerId from pg_class. Since we already found
4045  * a pg_attribute entry, the only likely reason for this to fail is that a
4046  * concurrent DROP of the relation committed since then (which could only
4047  * happen if we don't have lock on the relation). We prefer to report "no
4048  * privileges" rather than failing in such a case, so as to avoid unwanted
4049  * failures in has_column_privilege() tests.
4050  */
4051  classTuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
4052  if (!HeapTupleIsValid(classTuple))
4053  {
4054  ReleaseSysCache(attTuple);
4055  return 0;
4056  }
4057  classForm = (Form_pg_class) GETSTRUCT(classTuple);
4058 
4059  ownerId = classForm->relowner;
4060 
4061  ReleaseSysCache(classTuple);
4062 
4063  /* detoast column's ACL if necessary */
4064  acl = DatumGetAclP(aclDatum);
4065 
4066  result = aclmask(acl, roleid, ownerId, mask, how);
4067 
4068  /* if we have a detoasted copy, free it */
4069  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4070  pfree(acl);
4071 
4072  ReleaseSysCache(attTuple);
4073 
4074  return result;
4075 }
4076 
4077 /*
4078  * Exported routine for examining a user's privileges for a table
4079  */
4080 AclMode
4081 pg_class_aclmask(Oid table_oid, Oid roleid,
4082  AclMode mask, AclMaskHow how)
4083 {
4084  return pg_class_aclmask_ext(table_oid, roleid, mask, how, NULL);
4085 }
4086 
4087 /*
4088  * Routine for examining a user's privileges for a table
4089  *
4090  * Does the bulk of the work for pg_class_aclmask(), and allows other
4091  * callers to avoid the missing relation ERROR when is_missing is non-NULL.
4092  */
4093 static AclMode
4094 pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
4095  AclMaskHow how, bool *is_missing)
4096 {
4097  AclMode result;
4098  HeapTuple tuple;
4099  Form_pg_class classForm;
4100  Datum aclDatum;
4101  bool isNull;
4102  Acl *acl;
4103  Oid ownerId;
4104 
4105  /*
4106  * Must get the relation's tuple from pg_class
4107  */
4108  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
4109  if (!HeapTupleIsValid(tuple))
4110  {
4111  if (is_missing != NULL)
4112  {
4113  /* return "no privileges" instead of throwing an error */
4114  *is_missing = true;
4115  return 0;
4116  }
4117  else
4118  ereport(ERROR,
4120  errmsg("relation with OID %u does not exist",
4121  table_oid)));
4122  }
4123 
4124  classForm = (Form_pg_class) GETSTRUCT(tuple);
4125 
4126  /*
4127  * Deny anyone permission to update a system catalog unless
4128  * pg_authid.rolsuper is set.
4129  *
4130  * As of 7.4 we have some updatable system views; those shouldn't be
4131  * protected in this way. Assume the view rules can take care of
4132  * themselves. ACL_USAGE is if we ever have system sequences.
4133  */
4134  if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) &&
4135  IsSystemClass(table_oid, classForm) &&
4136  classForm->relkind != RELKIND_VIEW &&
4137  !superuser_arg(roleid))
4139 
4140  /*
4141  * Otherwise, superusers bypass all permission-checking.
4142  */
4143  if (superuser_arg(roleid))
4144  {
4145  ReleaseSysCache(tuple);
4146  return mask;
4147  }
4148 
4149  /*
4150  * Normal case: get the relation's ACL from pg_class
4151  */
4152  ownerId = classForm->relowner;
4153 
4154  aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
4155  &isNull);
4156  if (isNull)
4157  {
4158  /* No ACL, so build default ACL */
4159  switch (classForm->relkind)
4160  {
4161  case RELKIND_SEQUENCE:
4162  acl = acldefault(OBJECT_SEQUENCE, ownerId);
4163  break;
4164  default:
4165  acl = acldefault(OBJECT_TABLE, ownerId);
4166  break;
4167  }
4168  aclDatum = (Datum) 0;
4169  }
4170  else
4171  {
4172  /* detoast rel's ACL if necessary */
4173  acl = DatumGetAclP(aclDatum);
4174  }
4175 
4176  result = aclmask(acl, roleid, ownerId, mask, how);
4177 
4178  /* if we have a detoasted copy, free it */
4179  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4180  pfree(acl);
4181 
4182  ReleaseSysCache(tuple);
4183 
4184  /*
4185  * Check if ACL_SELECT is being checked and, if so, and not set already as
4186  * part of the result, then check if the user is a member of the
4187  * pg_read_all_data role, which allows read access to all relations.
4188  */
4189  if (mask & ACL_SELECT && !(result & ACL_SELECT) &&
4190  has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA))
4191  result |= ACL_SELECT;
4192 
4193  /*
4194  * Check if ACL_INSERT, ACL_UPDATE, or ACL_DELETE is being checked and, if
4195  * so, and not set already as part of the result, then check if the user
4196  * is a member of the pg_write_all_data role, which allows
4197  * INSERT/UPDATE/DELETE access to all relations (except system catalogs,
4198  * which requires superuser, see above).
4199  */
4200  if (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE) &&
4201  !(result & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)) &&
4202  has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA))
4203  result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE));
4204 
4205  /*
4206  * Check if ACL_VACUUM is being checked and, if so, and not already set as
4207  * part of the result, then check if the user is a member of the
4208  * pg_vacuum_all_tables role, which allows VACUUM on all relations.
4209  */
4210  if (mask & ACL_VACUUM &&
4211  !(result & ACL_VACUUM) &&
4212  has_privs_of_role(roleid, ROLE_PG_VACUUM_ALL_TABLES))
4213  result |= ACL_VACUUM;
4214 
4215  /*
4216  * Check if ACL_ANALYZE is being checked and, if so, and not already set as
4217  * part of the result, then check if the user is a member of the
4218  * pg_analyze_all_tables role, which allows ANALYZE on all relations.
4219  */
4220  if (mask & ACL_ANALYZE &&
4221  !(result & ACL_ANALYZE) &&
4222  has_privs_of_role(roleid, ROLE_PG_ANALYZE_ALL_TABLES))
4223  result |= ACL_ANALYZE;
4224 
4225  return result;
4226 }
4227 
4228 /*
4229  * Routine for examining a user's privileges for a configuration
4230  * parameter (GUC), identified by GUC name.
4231  */
4232 static AclMode
4233 pg_parameter_aclmask(const char *name, Oid roleid, AclMode mask, AclMaskHow how)
4234 {
4235  AclMode result;
4236  char *parname;
4237  text *partext;
4238  HeapTuple tuple;
4239 
4240  /* Superusers bypass all permission checking. */
4241  if (superuser_arg(roleid))
4242  return mask;
4243 
4244  /* Convert name to the form it should have in pg_parameter_acl... */
4246  partext = cstring_to_text(parname);
4247 
4248  /* ... and look it up */
4250 
4251  if (!HeapTupleIsValid(tuple))
4252  {
4253  /* If no entry, GUC has no permissions for non-superusers */
4254  result = ACL_NO_RIGHTS;
4255  }
4256  else
4257  {
4258  Datum aclDatum;
4259  bool isNull;
4260  Acl *acl;
4261 
4262  aclDatum = SysCacheGetAttr(PARAMETERACLNAME, tuple,
4263  Anum_pg_parameter_acl_paracl,
4264  &isNull);
4265  if (isNull)
4266  {
4267  /* No ACL, so build default ACL */
4268  acl = acldefault(OBJECT_PARAMETER_ACL, BOOTSTRAP_SUPERUSERID);
4269  aclDatum = (Datum) 0;
4270  }
4271  else
4272  {
4273  /* detoast ACL if necessary */
4274  acl = DatumGetAclP(aclDatum);
4275  }
4276 
4277  result = aclmask(acl, roleid, BOOTSTRAP_SUPERUSERID, mask, how);
4278 
4279  /* if we have a detoasted copy, free it */
4280  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4281  pfree(acl);
4282 
4283  ReleaseSysCache(tuple);
4284  }
4285 
4286  pfree(parname);
4287  pfree(partext);
4288 
4289  return result;
4290 }
4291 
4292 /*
4293  * Routine for examining a user's privileges for a configuration
4294  * parameter (GUC), identified by the OID of its pg_parameter_acl entry.
4295  */
4296 static AclMode
4298 {
4299  AclMode result;
4300  HeapTuple tuple;
4301  Datum aclDatum;
4302  bool isNull;
4303  Acl *acl;
4304 
4305  /* Superusers bypass all permission checking. */
4306  if (superuser_arg(roleid))
4307  return mask;
4308 
4309  /* Get the ACL from pg_parameter_acl */
4311  if (!HeapTupleIsValid(tuple))
4312  ereport(ERROR,
4313  (errcode(ERRCODE_UNDEFINED_OBJECT),
4314  errmsg("parameter ACL with OID %u does not exist",
4315  acl_oid)));
4316 
4317  aclDatum = SysCacheGetAttr(PARAMETERACLOID, tuple,
4318  Anum_pg_parameter_acl_paracl,
4319  &isNull);
4320  if (isNull)
4321  {
4322  /* No ACL, so build default ACL */
4323  acl = acldefault(OBJECT_PARAMETER_ACL, BOOTSTRAP_SUPERUSERID);
4324  aclDatum = (Datum) 0;
4325  }
4326  else
4327  {
4328  /* detoast ACL if necessary */
4329  acl = DatumGetAclP(aclDatum);
4330  }
4331 
4332  result = aclmask(acl, roleid, BOOTSTRAP_SUPERUSERID, mask, how);
4333 
4334  /* if we have a detoasted copy, free it */
4335  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4336  pfree(acl);
4337 
4338  ReleaseSysCache(tuple);
4339 
4340  return result;
4341 }
4342 
4343 /*
4344  * Routine for examining a user's privileges for a largeobject
4345  *
4346  * When a large object is opened for reading, it is opened relative to the
4347  * caller's snapshot, but when it is opened for writing, a current
4348  * MVCC snapshot will be used. See doc/src/sgml/lobj.sgml. This function
4349  * takes a snapshot argument so that the permissions check can be made
4350  * relative to the same snapshot that will be used to read the underlying
4351  * data. The caller will actually pass NULL for an instantaneous MVCC
4352  * snapshot, since all we do with the snapshot argument is pass it through
4353  * to systable_beginscan().
4354  */
4355 static AclMode
4357  AclMode mask, AclMaskHow how,
4358  Snapshot snapshot)
4359 {
4360  AclMode result;
4361  Relation pg_lo_meta;
4362  ScanKeyData entry[1];
4363  SysScanDesc scan;
4364  HeapTuple tuple;
4365  Datum aclDatum;
4366  bool isNull;
4367  Acl *acl;
4368  Oid ownerId;
4369 
4370  /* Superusers bypass all permission checking. */
4371  if (superuser_arg(roleid))
4372  return mask;
4373 
4374  /*
4375  * Get the largeobject's ACL from pg_largeobject_metadata
4376  */
4377  pg_lo_meta = table_open(LargeObjectMetadataRelationId,
4378  AccessShareLock);
4379 
4380  ScanKeyInit(&entry[0],
4381  Anum_pg_largeobject_metadata_oid,
4382  BTEqualStrategyNumber, F_OIDEQ,
4383  ObjectIdGetDatum(lobj_oid));
4384 
4385  scan = systable_beginscan(pg_lo_meta,
4386  LargeObjectMetadataOidIndexId, true,
4387  snapshot, 1, entry);
4388 
4389  tuple = systable_getnext(scan);
4390  if (!HeapTupleIsValid(tuple))
4391  ereport(ERROR,
4392  (errcode(ERRCODE_UNDEFINED_OBJECT),
4393  errmsg("large object %u does not exist", lobj_oid)));
4394 
4395  ownerId = ((Form_pg_largeobject_metadata) GETSTRUCT(tuple))->lomowner;
4396 
4397  aclDatum = heap_getattr(tuple, Anum_pg_largeobject_metadata_lomacl,
4398  RelationGetDescr(pg_lo_meta), &isNull);
4399 
4400  if (isNull)
4401  {
4402  /* No ACL, so build default ACL */
4403  acl = acldefault(OBJECT_LARGEOBJECT, ownerId);
4404  aclDatum = (Datum) 0;
4405  }
4406  else
4407  {
4408  /* detoast ACL if necessary */
4409  acl = DatumGetAclP(aclDatum);
4410  }
4411 
4412  result = aclmask(acl, roleid, ownerId, mask, how);
4413 
4414  /* if we have a detoasted copy, free it */
4415  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4416  pfree(acl);
4417 
4418  systable_endscan(scan);
4419 
4420  table_close(pg_lo_meta, AccessShareLock);
4421 
4422  return result;
4423 }
4424 
4425 /*
4426  * Routine for examining a user's privileges for a namespace
4427  */
4428 static AclMode
4429 pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
4430  AclMode mask, AclMaskHow how)
4431 {
4432  AclMode result;
4433  HeapTuple tuple;
4434  Datum aclDatum;
4435  bool isNull;
4436  Acl *acl;
4437  Oid ownerId;
4438 
4439  /* Superusers bypass all permission checking. */
4440  if (superuser_arg(roleid))
4441  return mask;
4442 
4443  /*
4444  * If we have been assigned this namespace as a temp namespace, check to
4445  * make sure we have CREATE TEMP permission on the database, and if so act
4446  * as though we have all standard (but not GRANT OPTION) permissions on
4447  * the namespace. If we don't have CREATE TEMP, act as though we have
4448  * only USAGE (and not CREATE) rights.
4449  *
4450  * This may seem redundant given the check in InitTempTableNamespace, but
4451  * it really isn't since current user ID may have changed since then. The
4452  * upshot of this behavior is that a SECURITY DEFINER function can create
4453  * temp tables that can then be accessed (if permission is granted) by
4454  * code in the same session that doesn't have permissions to create temp
4455  * tables.
4456  *
4457  * XXX Would it be safe to ereport a special error message as
4458  * InitTempTableNamespace does? Returning zero here means we'll get a
4459  * generic "permission denied for schema pg_temp_N" message, which is not
4460  * remarkably user-friendly.
4461  */
4462  if (isTempNamespace(nsp_oid))
4463  {
4464  if (object_aclcheck(DatabaseRelationId, MyDatabaseId, roleid,
4466  return mask & ACL_ALL_RIGHTS_SCHEMA;
4467  else
4468  return mask & ACL_USAGE;
4469  }
4470 
4471  /*
4472  * Get the schema's ACL from pg_namespace
4473  */
4474  tuple = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(nsp_oid));
4475  if (!HeapTupleIsValid(tuple))
4476  ereport(ERROR,
4477  (errcode(ERRCODE_UNDEFINED_SCHEMA),
4478  errmsg("schema with OID %u does not exist", nsp_oid)));
4479 
4480  ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
4481 
4482  aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl,
4483  &isNull);
4484  if (isNull)
4485  {
4486  /* No ACL, so build default ACL */
4487  acl = acldefault(OBJECT_SCHEMA, ownerId);
4488  aclDatum = (Datum) 0;
4489  }
4490  else
4491  {
4492  /* detoast ACL if necessary */
4493  acl = DatumGetAclP(aclDatum);
4494  }
4495 
4496  result = aclmask(acl, roleid, ownerId, mask, how);
4497 
4498  /* if we have a detoasted copy, free it */
4499  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4500  pfree(acl);
4501 
4502  ReleaseSysCache(tuple);
4503 
4504  /*
4505  * Check if ACL_USAGE is being checked and, if so, and not set already as
4506  * part of the result, then check if the user is a member of the
4507  * pg_read_all_data or pg_write_all_data roles, which allow usage access
4508  * to all schemas.
4509  */
4510  if (mask & ACL_USAGE && !(result & ACL_USAGE) &&
4511  (has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA) ||
4512  has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA)))
4513  result |= ACL_USAGE;
4514  return result;
4515 }
4516 
4517 /*
4518  * Routine for examining a user's privileges for a type.
4519  */
4520 static AclMode
4521 pg_type_aclmask(Oid type_oid, Oid roleid, AclMode mask, AclMaskHow how)
4522 {
4523  AclMode result;
4524  HeapTuple tuple;
4525  Datum aclDatum;
4526  bool isNull;
4527  Acl *acl;
4528  Oid ownerId;
4529 
4530  Form_pg_type typeForm;
4531 
4532  /* Bypass permission checks for superusers */
4533  if (superuser_arg(roleid))
4534  return mask;
4535 
4536  /*
4537  * Must get the type's tuple from pg_type
4538  */
4539  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(type_oid));
4540  if (!HeapTupleIsValid(tuple))
4541  ereport(ERROR,
4542  (errcode(ERRCODE_UNDEFINED_OBJECT),
4543  errmsg("type with OID %u does not exist",
4544  type_oid)));
4545  typeForm = (Form_pg_type) GETSTRUCT(tuple);
4546 
4547  /*
4548  * "True" array types don't manage permissions of their own; consult the
4549  * element type instead.
4550  */
4551  if (IsTrueArrayType(typeForm))
4552  {
4553  Oid elttype_oid = typeForm->typelem;
4554 
4555  ReleaseSysCache(tuple);
4556 
4557  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(elttype_oid));
4558  /* this case is not a user-facing error, so elog not ereport */
4559  if (!HeapTupleIsValid(tuple))
4560  elog(ERROR, "cache lookup failed for type %u", elttype_oid);
4561  typeForm = (Form_pg_type) GETSTRUCT(tuple);
4562  }
4563 
4564  /*
4565  * Now get the type's owner and ACL from the tuple
4566  */
4567  ownerId = typeForm->typowner;
4568 
4569  aclDatum = SysCacheGetAttr(TYPEOID, tuple,
4570  Anum_pg_type_typacl, &isNull);
4571  if (isNull)
4572  {
4573  /* No ACL, so build default ACL */
4574  acl = acldefault(OBJECT_TYPE, ownerId);
4575  aclDatum = (Datum) 0;
4576  }
4577  else
4578  {
4579  /* detoast rel's ACL if necessary */
4580  acl = DatumGetAclP(aclDatum);
4581  }
4582 
4583  result = aclmask(acl, roleid, ownerId, mask, how);
4584 
4585  /* if we have a detoasted copy, free it */
4586  if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
4587  pfree(acl);
4588 
4589  ReleaseSysCache(tuple);
4590 
4591  return result;
4592 }
4593 
4594 /*
4595  * Exported generic routine for checking a user's access privileges to an object
4596  */
4597 AclResult
4598 object_aclcheck(Oid classid, Oid objectid, Oid roleid, AclMode mode)
4599 {
4600  if (object_aclmask(classid, objectid, roleid, mode, ACLMASK_ANY) != 0)
4601  return ACLCHECK_OK;
4602  else
4603  return ACLCHECK_NO_PRIV;
4604 }
4605 
4606 /*
4607  * Exported routine for checking a user's access privileges to a column
4608  *
4609  * Returns ACLCHECK_OK if the user has any of the privileges identified by
4610  * 'mode'; otherwise returns a suitable error code (in practice, always
4611  * ACLCHECK_NO_PRIV).
4612  *
4613  * As with pg_attribute_aclmask, only privileges granted directly on the
4614  * column are considered here.
4615  */
4616 AclResult
4618  Oid roleid, AclMode mode)
4619 {
4620  return pg_attribute_aclcheck_ext(table_oid, attnum, roleid, mode, NULL);
4621 }
4622 
4623 
4624 /*
4625  * Exported routine for checking a user's access privileges to a column
4626  *
4627  * Does the bulk of the work for pg_attribute_aclcheck(), and allows other
4628  * callers to avoid the missing attribute ERROR when is_missing is non-NULL.
4629  */
4630 AclResult
4632  Oid roleid, AclMode mode, bool *is_missing)
4633 {
4634  if (pg_attribute_aclmask_ext(table_oid, attnum, roleid, mode,
4635  ACLMASK_ANY, is_missing) != 0)
4636  return ACLCHECK_OK;
4637  else
4638  return ACLCHECK_NO_PRIV;
4639 }
4640 
4641 /*
4642  * Exported routine for checking a user's access privileges to any/all columns
4643  *
4644  * If 'how' is ACLMASK_ANY, then returns ACLCHECK_OK if user has any of the
4645  * privileges identified by 'mode' on any non-dropped column in the relation;
4646  * otherwise returns a suitable error code (in practice, always
4647  * ACLCHECK_NO_PRIV).
4648  *
4649  * If 'how' is ACLMASK_ALL, then returns ACLCHECK_OK if user has any of the
4650  * privileges identified by 'mode' on each non-dropped column in the relation
4651  * (and there must be at least one such column); otherwise returns a suitable
4652  * error code (in practice, always ACLCHECK_NO_PRIV).
4653  *
4654  * As with pg_attribute_aclmask, only privileges granted directly on the
4655  * column(s) are considered here.
4656  *
4657  * Note: system columns are not considered here; there are cases where that
4658  * might be appropriate but there are also cases where it wouldn't.
4659  */
4660 AclResult
4662  AclMaskHow how)
4663 {
4664  AclResult result;
4665  HeapTuple classTuple;
4666  Form_pg_class classForm;
4667  AttrNumber nattrs;
4668  AttrNumber curr_att;
4669 
4670  /*
4671  * Must fetch pg_class row to check number of attributes. As in
4672  * pg_attribute_aclmask, we prefer to return "no privileges" instead of
4673  * throwing an error if we get any unexpected lookup errors.
4674  */
4675  classTuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
4676  if (!HeapTupleIsValid(classTuple))
4677  return ACLCHECK_NO_PRIV;
4678  classForm = (Form_pg_class) GETSTRUCT(classTuple);
4679 
4680  nattrs = classForm->relnatts;
4681 
4682  ReleaseSysCache(classTuple);
4683 
4684  /*
4685  * Initialize result in case there are no non-dropped columns. We want to
4686  * report failure in such cases for either value of 'how'.
4687  */
4688  result = ACLCHECK_NO_PRIV;
4689 
4690  for (curr_att = 1; curr_att <= nattrs; curr_att++)
4691  {
4692  HeapTuple attTuple;
4693  AclMode attmask;
4694 
4695  attTuple = SearchSysCache2(ATTNUM,
4696  ObjectIdGetDatum(table_oid),
4697  Int16GetDatum(curr_att));
4698  if (!HeapTupleIsValid(attTuple))
4699  continue;
4700 
4701  /* ignore dropped columns */
4702  if (((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped)
4703  {
4704  ReleaseSysCache(attTuple);
4705  continue;
4706  }
4707 
4708  /*
4709  * Here we hard-wire knowledge that the default ACL for a column
4710  * grants no privileges, so that we can fall out quickly in the very
4711  * common case where attacl is null.
4712  */
4713  if (heap_attisnull(attTuple, Anum_pg_attribute_attacl, NULL))
4714  attmask = 0;
4715  else
4716  attmask = pg_attribute_aclmask(table_oid, curr_att, roleid,
4717  mode, ACLMASK_ANY);
4718 
4719  ReleaseSysCache(attTuple);
4720 
4721  if (attmask != 0)
4722  {
4723  result = ACLCHECK_OK;
4724  if (how == ACLMASK_ANY)
4725  break; /* succeed on any success */
4726  }
4727  else
4728  {
4729  result = ACLCHECK_NO_PRIV;
4730  if (how == ACLMASK_ALL)
4731  break; /* fail on any failure */
4732  }
4733  }
4734 
4735  return result;
4736 }
4737 
4738 /*
4739  * Exported routine for checking a user's access privileges to a table
4740  *
4741  * Returns ACLCHECK_OK if the user has any of the privileges identified by
4742  * 'mode'; otherwise returns a suitable error code (in practice, always
4743  * ACLCHECK_NO_PRIV).
4744  */
4745 AclResult
4746 pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode)
4747 {
4748  return pg_class_aclcheck_ext(table_oid, roleid, mode, NULL);
4749 }
4750 
4751 /*
4752  * Exported routine for checking a user's access privileges to a table
4753  *
4754  * Does the bulk of the work for pg_class_aclcheck(), and allows other
4755  * callers to avoid the missing relation ERROR when is_missing is non-NULL.
4756  */
4757 AclResult
4758 pg_class_aclcheck_ext(Oid table_oid, Oid roleid,
4759  AclMode mode, bool *is_missing)
4760 {
4761  if (pg_class_aclmask_ext(table_oid, roleid, mode,
4762  ACLMASK_ANY, is_missing) != 0)
4763  return ACLCHECK_OK;
4764  else
4765  return ACLCHECK_NO_PRIV;
4766 }
4767 
4768 /*
4769  * Exported routine for checking a user's access privileges to a configuration
4770  * parameter (GUC), identified by GUC name.
4771  */
4772 AclResult
4774 {
4775  if (pg_parameter_aclmask(name, roleid, mode, ACLMASK_ANY) != 0)
4776  return ACLCHECK_OK;
4777  else
4778  return ACLCHECK_NO_PRIV;
4779 }
4780 
4781 /*
4782  * Exported routine for checking a user's access privileges to a largeobject
4783  */
4784 AclResult
4786  Snapshot snapshot)
4787 {
4788  if (pg_largeobject_aclmask_snapshot(lobj_oid, roleid, mode,
4789  ACLMASK_ANY, snapshot) != 0)
4790  return ACLCHECK_OK;
4791  else
4792  return ACLCHECK_NO_PRIV;
4793 }
4794 
4795 /*
4796  * Generic ownership check for an object
4797  */
4798 bool
4799 object_ownercheck(Oid classid, Oid objectid, Oid roleid)
4800 {
4801  int cacheid;
4802  Oid ownerId;
4803 
4804  /* Superusers bypass all permission checking. */
4805  if (superuser_arg(roleid))
4806  return true;
4807 
4808  cacheid = get_object_catcache_oid(classid);
4809  if (cacheid != -1)
4810  {
4811  HeapTuple tuple;
4812  bool isnull;
4813 
4814  tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objectid));
4815  if (!HeapTupleIsValid(tuple))
4816  ereport(ERROR,
4817  (errcode(ERRCODE_UNDEFINED_OBJECT),
4818  errmsg("%s with OID %u does not exist", get_object_class_descr(classid), objectid)));
4819 
4820  ownerId = DatumGetObjectId(SysCacheGetAttr(cacheid,
4821  tuple,
4822  get_object_attnum_owner(classid),
4823  &isnull));
4824  Assert(!isnull);
4825 
4826  ReleaseSysCache(tuple);
4827  }
4828  else
4829  {
4830  /* for catalogs without an appropriate syscache */
4831 
4832  Relation rel;
4833  ScanKeyData entry[1];
4834  SysScanDesc scan;
4835  HeapTuple tuple;
4836  bool isnull;
4837 
4838  rel = table_open(classid, AccessShareLock);
4839 
4840  ScanKeyInit(&entry[0],
4841  get_object_attnum_oid(classid),
4842  BTEqualStrategyNumber, F_OIDEQ,
4843  ObjectIdGetDatum(objectid));
4844 
4845  scan = systable_beginscan(rel,
4846  get_object_oid_index(classid), true,
4847  NULL, 1, entry);
4848 
4849  tuple = systable_getnext(scan);
4850  if (!HeapTupleIsValid(tuple))
4851  ereport(ERROR,
4852  (errcode(ERRCODE_UNDEFINED_OBJECT),
4853  errmsg("%s with OID %u does not exist", get_object_class_descr(classid), objectid)));
4854 
4855  ownerId = DatumGetObjectId(heap_getattr(tuple,
4856  get_object_attnum_owner(classid),
4857  RelationGetDescr(rel),
4858  &isnull));
4859  Assert(!isnull);
4860 
4861  systable_endscan(scan);
4863  }
4864 
4865  return has_privs_of_role(roleid, ownerId);
4866 }
4867 
4868 /*
4869  * Check whether specified role has CREATEROLE privilege (or is a superuser)
4870  *
4871  * Note: roles do not have owners per se; instead we use this test in
4872  * places where an ownership-like permissions test is needed for a role.
4873  * Be sure to apply it to the role trying to do the operation, not the
4874  * role being operated on! Also note that this generally should not be
4875  * considered enough privilege if the target role is a superuser.
4876  * (We don't handle that consideration here because we want to give a
4877  * separate error message for such cases, so the caller has to deal with it.)
4878  */
4879 bool
4881 {
4882  bool result = false;
4883  HeapTuple utup;
4884 
4885  /* Superusers bypass all permission checking. */
4886  if (superuser_arg(roleid))
4887  return true;
4888 
4889  utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
4890  if (HeapTupleIsValid(utup))
4891  {
4892  result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
4893  ReleaseSysCache(utup);
4894  }
4895  return result;
4896 }
4897 
4898 bool
4900 {
4901  bool result = false;
4902  HeapTuple utup;
4903 
4904  /* Superusers bypass all permission checking. */
4905  if (superuser_arg(roleid))
4906  return true;
4907 
4908  utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
4909  if (HeapTupleIsValid(utup))
4910  {
4911  result = ((Form_pg_authid) GETSTRUCT(utup))->rolbypassrls;
4912  ReleaseSysCache(utup);
4913  }
4914  return result;
4915 }
4916 
4917 /*
4918  * Fetch pg_default_acl entry for given role, namespace and object type
4919  * (object type must be given in pg_default_acl's encoding).
4920  * Returns NULL if no such entry.
4921  */
4922 static Acl *
4923 get_default_acl_internal(Oid roleId, Oid nsp_oid, char objtype)
4924 {
4925  Acl *result = NULL;
4926  HeapTuple tuple;
4927 
4929  ObjectIdGetDatum(roleId),
4930  ObjectIdGetDatum(nsp_oid),
4931  CharGetDatum(objtype));
4932 
4933  if (HeapTupleIsValid(tuple))
4934  {
4935  Datum aclDatum;
4936  bool isNull;
4937 
4938  aclDatum = SysCacheGetAttr(DEFACLROLENSPOBJ, tuple,
4939  Anum_pg_default_acl_defaclacl,
4940  &isNull);
4941  if (!isNull)
4942  result = DatumGetAclPCopy(aclDatum);
4943  ReleaseSysCache(tuple);
4944  }
4945 
4946  return result;
4947 }
4948 
4949 /*
4950  * Get default permissions for newly created object within given schema
4951  *
4952  * Returns NULL if built-in system defaults should be used.
4953  *
4954  * If the result is not NULL, caller must call recordDependencyOnNewAcl
4955  * once the OID of the new object is known.
4956  */
4957 Acl *
4958 get_user_default_acl(ObjectType objtype, Oid ownerId, Oid nsp_oid)
4959 {
4960  Acl *result;
4961  Acl *glob_acl;
4962  Acl *schema_acl;
4963  Acl *def_acl;
4964  char defaclobjtype;
4965 
4966  /*
4967  * Use NULL during bootstrap, since pg_default_acl probably isn't there
4968  * yet.
4969  */
4971  return NULL;
4972 
4973  /* Check if object type is supported in pg_default_acl */
4974  switch (objtype)
4975  {
4976  case OBJECT_TABLE:
4977  defaclobjtype = DEFACLOBJ_RELATION;
4978  break;
4979 
4980  case OBJECT_SEQUENCE:
4981  defaclobjtype = DEFACLOBJ_SEQUENCE;
4982  break;
4983 
4984  case OBJECT_FUNCTION:
4985  defaclobjtype = DEFACLOBJ_FUNCTION;
4986  break;
4987 
4988  case OBJECT_TYPE:
4989  defaclobjtype = DEFACLOBJ_TYPE;
4990  break;
4991 
4992  case OBJECT_SCHEMA:
4993  defaclobjtype = DEFACLOBJ_NAMESPACE;
4994  break;
4995 
4996  default:
4997  return NULL;
4998  }
4999 
5000  /* Look up the relevant pg_default_acl entries */
5001  glob_acl = get_default_acl_internal(ownerId, InvalidOid, defaclobjtype);
5002  schema_acl = get_default_acl_internal(ownerId, nsp_oid, defaclobjtype);
5003 
5004  /* Quick out if neither entry exists */
5005  if (glob_acl == NULL && schema_acl == NULL)
5006  return NULL;
5007 
5008  /* We need to know the hard-wired default value, too */
5009  def_acl = acldefault(objtype, ownerId);
5010 
5011  /* If there's no global entry, substitute the hard-wired default */
5012  if (glob_acl == NULL)
5013  glob_acl = def_acl;
5014 
5015  /* Merge in any per-schema privileges */
5016  result = aclmerge(glob_acl, schema_acl, ownerId);
5017 
5018  /*
5019  * For efficiency, we want to return NULL if the result equals default.
5020  * This requires sorting both arrays to get an accurate comparison.
5021  */
5022  aclitemsort(result);
5023  aclitemsort(def_acl);
5024  if (aclequal(result, def_acl))
5025  result = NULL;
5026 
5027  return result;
5028 }
5029 
5030 /*
5031  * Record dependencies on roles mentioned in a new object's ACL.
5032  */
5033 void
5034 recordDependencyOnNewAcl(Oid classId, Oid objectId, int32 objsubId,
5035  Oid ownerId, Acl *acl)
5036 {
5037  int nmembers;
5038  Oid *members;
5039 
5040  /* Nothing to do if ACL is defaulted */
5041  if (acl == NULL)
5042  return;
5043 
5044  /* Extract roles mentioned in ACL */
5045  nmembers = aclmembers(acl, &members);
5046 
5047  /* Update the shared dependency ACL info */
5048  updateAclDependencies(classId, objectId, objsubId,
5049  ownerId,
5050  0, NULL,
5051  nmembers, members);
5052 }
5053 
5054 /*
5055  * Record initial privileges for the top-level object passed in.
5056  *
5057  * For the object passed in, this will record its ACL (if any) and the ACLs of
5058  * any sub-objects (eg: columns) into pg_init_privs.
5059  *
5060  * Any new kinds of objects which have ACLs associated with them and can be
5061  * added to an extension should be added to the if-else tree below.
5062  */
5063 void
5064 recordExtObjInitPriv(Oid objoid, Oid classoid)
5065 {
5066  /*
5067  * pg_class / pg_attribute
5068  *
5069  * If this is a relation then we need to see if there are any sub-objects
5070  * (eg: columns) for it and, if so, be sure to call
5071  * recordExtensionInitPrivWorker() for each one.
5072  */
5073  if (classoid == RelationRelationId)
5074  {
5075  Form_pg_class pg_class_tuple;
5076  Datum aclDatum;
5077  bool isNull;
5078  HeapTuple tuple;
5079 
5080  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(objoid));
5081  if (!HeapTupleIsValid(tuple))
5082  elog(ERROR, "cache lookup failed for relation %u", objoid);
5083  pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
5084 
5085  /*
5086  * Indexes don't have permissions, neither do the pg_class rows for
5087  * composite types. (These cases are unreachable given the
5088  * restrictions in ALTER EXTENSION ADD, but let's check anyway.)
5089  */
5090  if (pg_class_tuple->relkind == RELKIND_INDEX ||
5091  pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX ||
5092  pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
5093  {
5094  ReleaseSysCache(tuple);
5095  return;
5096  }
5097 
5098  /*
5099  * If this isn't a sequence then it's possibly going to have
5100  * column-level ACLs associated with it.
5101  */
5102  if (pg_class_tuple->relkind != RELKIND_SEQUENCE)
5103  {
5104  AttrNumber curr_att;
5105  AttrNumber nattrs = pg_class_tuple->relnatts;
5106 
5107  for (curr_att = 1; curr_att <= nattrs; curr_att++)
5108  {
5109  HeapTuple attTuple;
5110  Datum attaclDatum;
5111 
5112  attTuple = SearchSysCache2(ATTNUM,
5113  ObjectIdGetDatum(objoid),
5114  Int16GetDatum(curr_att));
5115 
5116  if (!HeapTupleIsValid(attTuple))
5117  continue;
5118 
5119  /* ignore dropped columns */
5120  if (((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped)
5121  {
5122  ReleaseSysCache(attTuple);
5123  continue;
5124  }
5125 
5126  attaclDatum = SysCacheGetAttr(ATTNUM, attTuple,
5127  Anum_pg_attribute_attacl,
5128  &isNull);
5129 
5130  /* no need to do anything for a NULL ACL */
5131  if (isNull)
5132  {
5133  ReleaseSysCache(attTuple);
5134  continue;
5135  }
5136 
5137  recordExtensionInitPrivWorker(objoid, classoid, curr_att,
5138  DatumGetAclP(attaclDatum));
5139 
5140  ReleaseSysCache(attTuple);
5141  }
5142  }
5143 
5144  aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
5145  &isNull);
5146 
5147  /* Add the record, if any, for the top-level object */
5148  if (!isNull)
5149  recordExtensionInitPrivWorker(objoid, classoid, 0,
5150  DatumGetAclP(aclDatum));
5151 
5152  ReleaseSysCache(tuple);
5153  }
5154  /* pg_foreign_data_wrapper */
5155  else if (classoid == ForeignDataWrapperRelationId)
5156  {
5157  Datum aclDatum;
5158  bool isNull;
5159  HeapTuple tuple;
5160 
5162  ObjectIdGetDatum(objoid));
5163  if (!HeapTupleIsValid(tuple))
5164  elog(ERROR, "cache lookup failed for foreign data wrapper %u",
5165  objoid);
5166 
5167  aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple,
5168  Anum_pg_foreign_data_wrapper_fdwacl,
5169  &isNull);
5170 
5171  /* Add the record, if any, for the top-level object */
5172  if (!isNull)
5173  recordExtensionInitPrivWorker(objoid, classoid, 0,
5174  DatumGetAclP(aclDatum));
5175 
5176  ReleaseSysCache(tuple);
5177  }
5178  /* pg_foreign_server */
5179  else if (classoid == ForeignServerRelationId)
5180  {
5181  Datum aclDatum;
5182  bool isNull;
5183  HeapTuple tuple;
5184 
5186  if (!HeapTupleIsValid(tuple))
5187  elog(ERROR, "cache lookup failed for foreign data wrapper %u",
5188  objoid);
5189 
5190  aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple,
5191  Anum_pg_foreign_server_srvacl,
5192  &isNull);
5193 
5194  /* Add the record, if any, for the top-level object */
5195  if (!isNull)
5196  recordExtensionInitPrivWorker(objoid, classoid, 0,
5197  DatumGetAclP(aclDatum));
5198 
5199  ReleaseSysCache(tuple);
5200  }
5201  /* pg_language */
5202  else if (classoid == LanguageRelationId)
5203  {
5204  Datum aclDatum;
5205  bool isNull;
5206  HeapTuple tuple;
5207 
5208  tuple = SearchSysCache1(LANGOID, ObjectIdGetDatum(objoid));
5209  if (!HeapTupleIsValid(tuple))
5210  elog(ERROR, "cache lookup failed for language %u", objoid);
5211 
5212  aclDatum = SysCacheGetAttr(LANGOID, tuple, Anum_pg_language_lanacl,
5213  &isNull);
5214 
5215  /* Add the record, if any, for the top-level object */
5216  if (!isNull)
5217  recordExtensionInitPrivWorker(objoid, classoid, 0,
5218  DatumGetAclP(aclDatum));
5219 
5220  ReleaseSysCache(tuple);
5221  }
5222  /* pg_largeobject_metadata */
5223  else if (classoid == LargeObjectMetadataRelationId)
5224  {
5225  Datum aclDatum;
5226  bool isNull;
5227  HeapTuple tuple;
5228  ScanKeyData entry[1];
5229  SysScanDesc scan;
5230  Relation relation;
5231 
5232  /*
5233  * Note: this is dead code, given that we don't allow large objects to
5234  * be made extension members. But it seems worth carrying in case
5235  * some future caller of this function has need for it.
5236  */
5237  relation = table_open(LargeObjectMetadataRelationId, RowExclusiveLock);
5238 
5239  /* There's no syscache for pg_largeobject_metadata */
5240  ScanKeyInit(&entry[0],
5241  Anum_pg_largeobject_metadata_oid,
5242  BTEqualStrategyNumber, F_OIDEQ,
5243  ObjectIdGetDatum(objoid));
5244 
5245  scan = systable_beginscan(relation,
5246  LargeObjectMetadataOidIndexId, true,
5247  NULL, 1, entry);
5248 
5249  tuple = systable_getnext(scan);
5250  if (!HeapTupleIsValid(tuple))
5251  elog(ERROR, "could not find tuple for large object %u", objoid);
5252 
5253  aclDatum = heap_getattr(tuple,
5254  Anum_pg_largeobject_metadata_lomacl,
5255  RelationGetDescr(relation), &isNull);
5256 
5257  /* Add the record, if any, for the top-level object */
5258  if (!isNull)
5259  recordExtensionInitPrivWorker(objoid, classoid, 0,
5260  DatumGetAclP(aclDatum));
5261 
5262  systable_endscan(scan);
5263  }
5264  /* pg_namespace */
5265  else if (classoid == NamespaceRelationId)
5266  {
5267  Datum aclDatum;
5268  bool isNull;
5269  HeapTuple tuple;
5270 
5271  tuple = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(objoid));
5272  if (!HeapTupleIsValid(tuple))
5273  elog(ERROR, "cache lookup failed for function %u", objoid);
5274 
5275  aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple,
5276  Anum_pg_namespace_nspacl, &isNull);
5277 
5278  /* Add the record, if any, for the top-level object */
5279  if (!isNull)
5280  recordExtensionInitPrivWorker(objoid, classoid, 0,
5281  DatumGetAclP(aclDatum));
5282 
5283  ReleaseSysCache(tuple);
5284  }
5285  /* pg_proc */
5286  else if (classoid == ProcedureRelationId)
5287  {
5288  Datum aclDatum;
5289  bool isNull;
5290  HeapTuple tuple;
5291 
5292  tuple = SearchSysCache1(PROCOID, ObjectIdGetDatum(objoid));
5293  if (!HeapTupleIsValid(tuple))
5294  elog(ERROR, "cache lookup failed for function %u", objoid);
5295 
5296  aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
5297  &isNull);
5298 
5299  /* Add the record, if any, for the top-level object */
5300  if (!isNull)
5301  recordExtensionInitPrivWorker(objoid, classoid, 0,
5302  DatumGetAclP(aclDatum));
5303 
5304  ReleaseSysCache(tuple);
5305  }
5306  /* pg_type */
5307  else if (classoid == TypeRelationId)
5308  {
5309  Datum aclDatum;
5310  bool isNull;
5311  HeapTuple tuple;
5312 
5313  tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(objoid));
5314  if (!HeapTupleIsValid(tuple))
5315  elog(ERROR, "cache lookup failed for function %u", objoid);
5316 
5317  aclDatum = SysCacheGetAttr(TYPEOID, tuple, Anum_pg_type_typacl,
5318  &isNull);
5319 
5320  /* Add the record, if any, for the top-level object */
5321  if (!isNull)
5322  recordExtensionInitPrivWorker(objoid, classoid, 0,
5323  DatumGetAclP(aclDatum));
5324 
5325  ReleaseSysCache(tuple);
5326  }
5327  else if (classoid == AccessMethodRelationId ||
5328  classoid == AggregateRelationId ||
5329  classoid == CastRelationId ||
5330  classoid == CollationRelationId ||
5331  classoid == ConversionRelationId ||
5332  classoid == EventTriggerRelationId ||
5333  classoid == OperatorRelationId ||
5334  classoid == OperatorClassRelationId ||
5335  classoid == OperatorFamilyRelationId ||
5336  classoid == NamespaceRelationId ||
5337  classoid == TSConfigRelationId ||
5338  classoid == TSDictionaryRelationId ||
5339  classoid == TSParserRelationId ||
5340  classoid == TSTemplateRelationId ||
5341  classoid == TransformRelationId
5342  )
5343  {
5344  /* no ACL for these object types, so do nothing. */
5345  }
5346 
5347  /*
5348  * complain if we are given a class OID for a class that extensions don't
5349  * support or that we don't recognize.
5350  */
5351  else
5352  {
5353  elog(ERROR, "unrecognized or unsupported class OID: %u", classoid);
5354  }
5355 }
5356 
5357 /*
5358  * For the object passed in, remove its ACL and the ACLs of any object subIds
5359  * from pg_init_privs (via recordExtensionInitPrivWorker()).
5360  */
5361 void
5362 removeExtObjInitPriv(Oid objoid, Oid classoid)
5363 {
5364  /*
5365  * If this is a relation then we need to see if there are any sub-objects
5366  * (eg: columns) for it and, if so, be sure to call
5367  * recordExtensionInitPrivWorker() for each one.
5368  */
5369  if (classoid == RelationRelationId)
5370  {
5371  Form_pg_class pg_class_tuple;
5372  HeapTuple tuple;
5373 
5374  tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(objoid));
5375  if (!HeapTupleIsValid(tuple))
5376  elog(ERROR, "cache lookup failed for relation %u", objoid);
5377  pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
5378 
5379  /*
5380  * Indexes don't have permissions, neither do the pg_class rows for
5381  * composite types. (These cases are unreachable given the
5382  * restrictions in ALTER EXTENSION DROP, but let's check anyway.)
5383  */
5384  if (pg_class_tuple->relkind == RELKIND_INDEX ||
5385  pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX ||
5386  pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
5387  {
5388  ReleaseSysCache(tuple);
5389  return;
5390  }
5391 
5392  /*
5393  * If this isn't a sequence then it's possibly going to have
5394  * column-level ACLs associated with it.
5395  */
5396  if (pg_class_tuple->relkind != RELKIND_SEQUENCE)
5397  {
5398  AttrNumber curr_att;
5399  AttrNumber nattrs = pg_class_tuple->relnatts;
5400 
5401  for (curr_att = 1; curr_att <= nattrs; curr_att++)
5402  {
5403  HeapTuple attTuple;
5404 
5405  attTuple = SearchSysCache2(ATTNUM,
5406  ObjectIdGetDatum(objoid),
5407  Int16GetDatum(curr_att));
5408 
5409  if (!HeapTupleIsValid(attTuple))
5410  continue;
5411 
5412  /* when removing, remove all entries, even dropped columns */
5413 
5414  recordExtensionInitPrivWorker(objoid, classoid, curr_att, NULL);
5415 
5416  ReleaseSysCache(attTuple);
5417  }
5418  }
5419 
5420  ReleaseSysCache(tuple);
5421  }
5422 
5423  /* Remove the record, if any, for the top-level object */
5424  recordExtensionInitPrivWorker(objoid, classoid, 0, NULL);
5425 }
5426 
5427 /*
5428  * Record initial ACL for an extension object
5429  *
5430  * Can be called at any time, we check if 'creating_extension' is set and, if
5431  * not, exit immediately.
5432  *
5433  * Pass in the object OID, the OID of the class (the OID of the table which
5434  * the object is defined in) and the 'sub' id of the object (objsubid), if
5435  * any. If there is no 'sub' id (they are currently only used for columns of
5436  * tables) then pass in '0'. Finally, pass in the complete ACL to store.
5437  *
5438  * If an ACL already exists for this object/sub-object then we will replace
5439  * it with what is passed in.
5440  *
5441  * Passing in NULL for 'new_acl' will result in the entry for the object being
5442  * removed, if one is found.
5443  */
5444 static void
5445 recordExtensionInitPriv(Oid objoid, Oid classoid, int objsubid, Acl *new_acl)
5446 {
5447  /*
5448  * Generally, we only record the initial privileges when an extension is
5449  * being created, but because we don't actually use CREATE EXTENSION
5450  * during binary upgrades with pg_upgrade, there is a variable to let us
5451  * know that the GRANT and REVOKE statements being issued, while this
5452  * variable is true, are for the initial privileges of the extension
5453  * object and therefore we need to record them.
5454  */
5456  return;
5457 
5458  recordExtensionInitPrivWorker(objoid, classoid, objsubid, new_acl);
5459 }
5460 
5461 /*
5462  * Record initial ACL for an extension object, worker.
5463  *
5464  * This will perform a wholesale replacement of the entire ACL for the object
5465  * passed in, therefore be sure to pass in the complete new ACL to use.
5466  *
5467  * Generally speaking, do *not* use this function directly but instead use
5468  * recordExtensionInitPriv(), which checks if 'creating_extension' is set.
5469  * This function does *not* check if 'creating_extension' is set as it is also
5470  * used when an object is added to or removed from an extension via ALTER
5471  * EXTENSION ... ADD/DROP.
5472  */
5473 static void
5474 recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid, Acl *new_acl)
5475 {
5476  Relation relation;
5477  ScanKeyData key[3];
5478  SysScanDesc scan;
5479  HeapTuple tuple;
5480  HeapTuple oldtuple;
5481 
5482  relation = table_open(InitPrivsRelationId, RowExclusiveLock);
5483 
5484  ScanKeyInit(&key[0],
5485  Anum_pg_init_privs_objoid,
5486  BTEqualStrategyNumber, F_OIDEQ,
5487  ObjectIdGetDatum(objoid));
5488  ScanKeyInit(&key[1],
5489  Anum_pg_init_privs_classoid,
5490  BTEqualStrategyNumber, F_OIDEQ,
5491  ObjectIdGetDatum(classoid));
5492  ScanKeyInit(&key[2],
5493  Anum_pg_init_privs_objsubid,
5494  BTEqualStrategyNumber, F_INT4EQ,
5495  Int32GetDatum(objsubid));
5496 
5497  scan = systable_beginscan(relation, InitPrivsObjIndexId, true,
5498  NULL, 3, key);
5499 
5500  /* There should exist only one entry or none. */
5501  oldtuple = systable_getnext(scan);
5502 
5503  /* If we find an entry, update it with the latest ACL. */
5504  if (HeapTupleIsValid(oldtuple))
5505  {
5506  Datum values[Natts_pg_init_privs] = {0};
5507  bool nulls[Natts_pg_init_privs] = {0};
5508  bool replace[Natts_pg_init_privs] = {0};
5509 
5510  /* If we have a new ACL to set, then update the row with it. */
5511  if (new_acl)
5512  {
5513  values[Anum_pg_init_privs_initprivs - 1] = PointerGetDatum(new_acl);
5514  replace[Anum_pg_init_privs_initprivs - 1] = true;
5515 
5516  oldtuple = heap_modify_tuple(oldtuple, RelationGetDescr(relation),
5517  values, nulls, replace);
5518 
5519  CatalogTupleUpdate(relation, &oldtuple->t_self, oldtuple);
5520  }
5521  else
5522  {
5523  /* new_acl is NULL, so delete the entry we found. */
5524  CatalogTupleDelete(relation, &oldtuple->t_self);
5525  }
5526  }
5527  else
5528  {
5529  Datum values[Natts_pg_init_privs] = {0};
5530  bool nulls[Natts_pg_init_privs] = {0};
5531 
5532  /*
5533  * Only add a new entry if the new ACL is non-NULL.
5534  *
5535  * If we are passed in a NULL ACL and no entry exists, we can just
5536  * fall through and do nothing.
5537  */
5538  if (new_acl)
5539  {
5540  /* No entry found, so add it. */
5541  values[Anum_pg_init_privs_objoid - 1] = ObjectIdGetDatum(objoid);
5542  values[Anum_pg_init_privs_classoid - 1] = ObjectIdGetDatum(classoid);
5543  values[Anum_pg_init_privs_objsubid - 1] = Int32GetDatum(objsubid);
5544 
5545  /* This function only handles initial privileges of extensions */
5546  values[Anum_pg_init_privs_privtype - 1] =
5548 
5549  values[Anum_pg_init_privs_initprivs - 1] = PointerGetDatum(new_acl);
5550 
5551  tuple = heap_form_tuple(RelationGetDescr(relation), values, nulls);
5552 
5553  CatalogTupleInsert(relation, tuple);
5554  }
5555  }
5556 
5557  systable_endscan(scan);
5558 
5559  /* prevent error when processing objects multiple times */
5561 
5562  table_close(relation, RowExclusiveLock);
5563 }
Acl * aclupdate(const Acl *old_acl, const AclItem *mod_aip, int modechg, Oid ownerId, DropBehavior behavior)
Definition: acl.c:944
bool aclequal(const Acl *left_acl, const Acl *right_acl)
Definition: acl.c:516
void select_best_grantor(Oid roleId, AclMode privileges, const Acl *acl, Oid ownerId, Oid *grantorId, AclMode *grantOptions)
Definition: acl.c:5159
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4949
int aclmembers(const Acl *acl, Oid **roleids)
Definition: acl.c:1486
Acl * aclconcat(const Acl *left_acl, const Acl *right_acl)
Definition: acl.c:434
Acl * aclcopy(const Acl *orig_acl)
Definition: acl.c:414
void aclitemsort(Acl *acl)
Definition: acl.c:502
AclMode aclmask(const Acl *acl, Oid roleid, Oid ownerId, AclMode mask, AclMaskHow how)
Definition: acl.c:1334
Acl * acldefault(ObjectType objtype, Oid ownerId)
Definition: acl.c:755
Acl * make_empty_acl(void)
Definition: acl.c:405
Oid get_rolespec_oid(const RoleSpec *role, bool missing_ok)
Definition: acl.c:5269
Acl * aclmerge(const Acl *left_acl, const Acl *right_acl, Oid ownerId)
Definition: acl.c:458
#define ACL_ALL_RIGHTS_FOREIGN_SERVER
Definition: acl.h:165
#define ACL_ALL_RIGHTS_TABLESPACE
Definition: acl.h:171
AclResult
Definition: acl.h:183
@ ACLCHECK_NO_PRIV
Definition: acl.h:185
@ ACLCHECK_OK
Definition: acl.h:184
@ ACLCHECK_NOT_OWNER
Definition: acl.h:186
#define ACL_ALL_RIGHTS_PARAMETER_ACL
Definition: acl.h:169
#define ACL_ALL_RIGHTS_SCHEMA
Definition: acl.h:170
#define DatumGetAclP(X)
Definition: acl.h:120
#define ACL_MODECHG_DEL
Definition: acl.h:130
#define ACL_ALL_RIGHTS_SEQUENCE
Definition: acl.h:162
#define ACL_ALL_RIGHTS_DATABASE
Definition: acl.h:163
#define ACL_MODECHG_ADD
Definition: acl.h:129
#define ACL_ALL_RIGHTS_COLUMN
Definition: acl.h:160
#define ACL_OPTION_TO_PRIVS(privs)
Definition: acl.h:71
#define ACL_ALL_RIGHTS_FUNCTION
Definition: acl.h:166
#define ACL_ALL_RIGHTS_LANGUAGE
Definition: acl.h:167
#define ACL_ALL_RIGHTS_TYPE
Definition: acl.h:172
#define ACL_ALL_RIGHTS_FDW
Definition: acl.h:164
#define ACLITEM_SET_PRIVS_GOPTIONS(item, privs, goptions)
Definition: acl.h:82
#define ACL_NUM(ACL)
Definition: acl.h:108
#define DatumGetAclPCopy(X)
Definition: acl.h:121
#define ACL_ALL_RIGHTS_RELATION
Definition: acl.h:161
#define ACL_ID_PUBLIC
Definition: acl.h:46
#define ACL_ALL_RIGHTS_LARGEOBJECT
Definition: acl.h:168
AclMaskHow
Definition: acl.h:176
@ ACLMASK_ANY
Definition: acl.h:178
@ ACLMASK_ALL
Definition: acl.h:177
#define ACL_GRANT_OPTION_FOR(privs)
Definition: acl.h:70
static AclMode pg_attribute_aclmask_ext(Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing)
Definition: aclchk.c:3976
void ExecuteGrantStmt(GrantStmt *stmt)
Definition: aclchk.c:386
AclResult pg_largeobject_aclcheck_snapshot(Oid lobj_oid, Oid roleid, AclMode mode, Snapshot snapshot)
Definition: aclchk.c:4785
static void expand_all_col_privileges(Oid table_oid, Form_pg_class classForm, AclMode this_privileges, AclMode *col_privileges, int num_col_privileges)
Definition: aclchk.c:1616
static void recordExtensionInitPriv(Oid objoid, Oid classoid, int objsubid, Acl *new_acl)
Definition: aclchk.c:5445
static void expand_col_privileges(List *colnames, Oid table_oid, AclMode this_privileges, AclMode *col_privileges, int num_col_privileges)
Definition: aclchk.c:1583
bool has_bypassrls_privilege(Oid roleid)
Definition: aclchk.c:4899
static void ExecGrant_Fdw(InternalGrant *istmt)
Definition: aclchk.c:2251
AclResult pg_class_aclcheck_ext(Oid table_oid, Oid roleid, AclMode mode, bool *is_missing)
Definition: aclchk.c:4758
void aclcheck_error_col(AclResult aclerr, ObjectType objtype, const char *objectname, const char *colname)
Definition: aclchk.c:3774
void recordDependencyOnNewAcl(Oid classId, Oid objectId, int32 objsubId, Oid ownerId, Acl *acl)
Definition: aclchk.c:5034
static void ExecGrant_Attribute(InternalGrant *istmt, Oid relOid, const char *relname, AttrNumber attnum, Oid ownerId, AclMode col_privileges, Relation attRelation, const Acl *old_rel_acl)
Definition: aclchk.c:1662
static void ExecGrant_ForeignServer(InternalGrant *istmt)
Definition: aclchk.c:2374
void ExecAlterDefaultPrivilegesStmt(ParseState *pstate, AlterDefaultPrivilegesStmt *stmt)
Definition: aclchk.c:970
static void ExecGrantStmt_oids(InternalGrant *istmt)
Definition: aclchk.c:596
static AclMode pg_largeobject_aclmask_snapshot(Oid lobj_oid, Oid roleid, AclMode mask, AclMaskHow how, Snapshot snapshot)
Definition: aclchk.c:4356
static AclMode pg_attribute_aclmask(Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how)
Definition: aclchk.c:3962
static List * objectNamesToOids(ObjectType objtype, List *objnames, bool is_grant)
Definition: aclchk.c:663
static Acl * merge_acl_with_grant(Acl *old_acl, bool is_grant, bool grant_option, DropBehavior behavior, List *grantees, AclMode privileges, Oid grantorId, Oid ownerId)
Definition: aclchk.c:176
static AclMode pg_parameter_aclmask(const char *name, Oid roleid, AclMode mask, AclMaskHow how)
Definition: aclchk.c:4233
AclResult pg_attribute_aclcheck_all(Oid table_oid, Oid roleid, AclMode mode, AclMaskHow how)
Definition: aclchk.c:4661
static void ExecGrant_Namespace(InternalGrant *istmt)
Definition: aclchk.c:2877
static AclMode pg_parameter_acl_aclmask(Oid acl_oid, Oid roleid, AclMode mask, AclMaskHow how)
Definition: aclchk.c:4297
static void SetDefaultACL(InternalDefaultACL *iacls)
Definition: aclchk.c:1197
static List * objectsInSchemaToOids(ObjectType objtype, List *nspnames)
Definition: aclchk.c:843
AclResult pg_parameter_aclcheck(const char *name, Oid roleid, AclMode mode)
Definition: aclchk.c:4773
static void ExecGrant_Database(InternalGrant *istmt)
Definition: aclchk.c:2135
void recordExtObjInitPriv(Oid objoid, Oid classoid)
Definition: aclchk.c:5064