41 #include "utils/fmgroids.h"
76 relkind = classform->relkind;
85 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
86 errmsg(
"permission denied: \"%s\" is a system catalog",
90 if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
92 (
errcode(ERRCODE_WRONG_OBJECT_TYPE),
113 elog(
ERROR,
"unrecognized policy command");
115 if (strcmp(cmd_name,
"all") == 0)
117 else if (strcmp(cmd_name,
"select") == 0)
119 else if (strcmp(cmd_name,
"insert") == 0)
121 else if (strcmp(cmd_name,
"update") == 0)
123 else if (strcmp(cmd_name,
"delete") == 0)
126 elog(
ERROR,
"unrecognized policy command");
168 (
errcode(ERRCODE_INVALID_PARAMETER_VALUE),
169 errmsg(
"ignoring specified roles other than PUBLIC"),
170 errhint(
"All roles are members of the PUBLIC role.")));
210 "row security descriptor",
216 rsdesc->
rscxt = rscxt;
227 Anum_pg_policy_polrelid,
251 policy->
polcmd = policy_form->polcmd;
254 policy->
permissive = policy_form->polpermissive;
265 elog(
ERROR,
"unexpected null value in pg_policy.polroles");
285 datum =
heap_getattr(tuple, Anum_pg_policy_polwithcheck,
358 elog(
ERROR,
"could not find tuple for policy %u", policy_id);
369 if (rel->
rd_rel->relkind != RELKIND_RELATION &&
370 rel->
rd_rel->relkind != RELKIND_PARTITIONED_TABLE)
372 (
errcode(ERRCODE_WRONG_OBJECT_TYPE),
373 errmsg(
"\"%s\" is not a table",
378 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
379 errmsg(
"permission denied: \"%s\" is a system catalog",
429 bool keep_policy =
true;
433 Assert(classid == PolicyRelationId);
452 elog(
ERROR,
"could not find tuple for policy %u", policy_id);
459 Anum_pg_policy_polroles,
467 num_roles =
ARR_DIMS(policy_roles)[0];
475 for (
i = 0,
j = 0;
i < num_roles;
i++)
477 if (roles[
i] != roleid)
487 bool isnull[Natts_pg_policy];
488 bool replaces[Natts_pg_policy];
496 memset(replaces, 0,
sizeof(replaces));
497 memset(isnull, 0,
sizeof(isnull));
502 replaces[Anum_pg_policy_polroles - 1] =
true;
507 values, isnull, replaces);
514 myself.
classId = PolicyRelationId;
518 target.
classId = AuthIdRelationId;
520 for (
i = 0;
i < num_roles;
i++)
583 Node *with_check_qual;
588 bool isnull[Natts_pg_policy];
600 &&
stmt->with_check != NULL)
602 (
errcode(ERRCODE_SYNTAX_ERROR),
603 errmsg(
"WITH CHECK cannot be applied to SELECT or DELETE")));
611 (
errcode(ERRCODE_SYNTAX_ERROR),
612 errmsg(
"only WITH CHECK expression allowed for INSERT")));
624 memset(isnull, 0,
sizeof(isnull));
666 Anum_pg_policy_polrelid,
672 Anum_pg_policy_polname,
677 PolicyPolrelidPolnameIndexId,
true, NULL, 2,
686 errmsg(
"policy \"%s\" for table \"%s\" already exists",
703 isnull[Anum_pg_policy_polqual - 1] =
true;
709 isnull[Anum_pg_policy_polwithcheck - 1] =
true;
717 target.
classId = RelationRelationId;
721 myself.
classId = PolicyRelationId;
734 target.
classId = AuthIdRelationId;
774 Datum *role_oids = NULL;
778 List *with_check_parse_rtable =
NIL;
780 Node *with_check_qual = NULL;
786 bool isnull[Natts_pg_policy];
787 bool replaces[Natts_pg_policy];
796 if (
stmt->roles != NULL)
829 qual_parse_rtable = qual_pstate->
p_rtable;
834 if (
stmt->with_check)
853 with_check_parse_rtable = with_check_pstate->
p_rtable;
859 memset(replaces, 0,
sizeof(replaces));
860 memset(isnull, 0,
sizeof(isnull));
867 Anum_pg_policy_polrelid,
873 Anum_pg_policy_polname,
878 PolicyPolrelidPolnameIndexId,
true, NULL, 2,
886 (
errcode(ERRCODE_UNDEFINED_OBJECT),
887 errmsg(
"policy \"%s\" for table \"%s\" does not exist",
892 polcmd_datum =
heap_getattr(policy_tuple, Anum_pg_policy_polcmd,
902 &&
stmt->with_check != NULL)
904 (
errcode(ERRCODE_SYNTAX_ERROR),
905 errmsg(
"only USING expression allowed for SELECT, DELETE")));
912 &&
stmt->qual != NULL)
914 (
errcode(ERRCODE_SYNTAX_ERROR),
915 errmsg(
"only WITH CHECK expression allowed for INSERT")));
919 if (role_ids != NULL)
921 replaces[Anum_pg_policy_polroles - 1] =
true;
937 roles_datum =
heap_getattr(policy_tuple, Anum_pg_policy_polroles,
956 replaces[Anum_pg_policy_polqual - 1] =
true;
957 values[Anum_pg_policy_polqual - 1]
972 value_datum =
heap_getattr(policy_tuple, Anum_pg_policy_polqual,
991 qual_parse_rtable = qual_pstate->
p_rtable;
996 if (with_check_qual != NULL)
998 replaces[Anum_pg_policy_polwithcheck - 1] =
true;
999 values[Anum_pg_policy_polwithcheck - 1]
1014 value_datum =
heap_getattr(policy_tuple, Anum_pg_policy_polwithcheck,
1019 char *with_check_value;
1032 NULL,
false,
false);
1034 with_check_parse_rtable = with_check_pstate->
p_rtable;
1041 values, isnull, replaces);
1048 target.
classId = RelationRelationId;
1052 myself.
classId = PolicyRelationId;
1065 target.
classId = AuthIdRelationId;
1121 Anum_pg_policy_polrelid,
1127 Anum_pg_policy_polname,
1132 PolicyPolrelidPolnameIndexId,
true, NULL, 2,
1138 errmsg(
"policy \"%s\" for table \"%s\" already exists",
1146 Anum_pg_policy_polrelid,
1152 Anum_pg_policy_polname,
1157 PolicyPolrelidPolnameIndexId,
true, NULL, 2,
1165 (
errcode(ERRCODE_UNDEFINED_OBJECT),
1166 errmsg(
"policy \"%s\" for table \"%s\" does not exist",
1216 Anum_pg_policy_polrelid,
1222 Anum_pg_policy_polname,
1227 PolicyPolrelidPolnameIndexId,
true, NULL, 2,
1236 (
errcode(ERRCODE_UNDEFINED_OBJECT),
1237 errmsg(
"policy \"%s\" for table \"%s\" does not exist",
1266 Anum_pg_policy_polrelid,
Oid get_rolespec_oid(const RoleSpec *role, bool missing_ok)
void aclcheck_error(AclResult aclerr, ObjectType objtype, const char *objectname)
bool object_ownercheck(Oid classid, Oid objectid, Oid roleid)
#define DatumGetArrayTypePCopy(X)
ArrayType * construct_array_builtin(Datum *elems, int nelems, Oid elmtype)
static Datum values[MAXATTR]
#define CStringGetTextDatum(s)
#define TextDatumGetCString(d)
#define Assert(condition)
bool IsSystemRelation(Relation relation)
Oid GetNewOidWithIndex(Relation relation, Oid indexId, AttrNumber oidcolumn)
bool IsSystemClass(Oid relid, Form_pg_class reltuple)
void recordDependencyOnExpr(const ObjectAddress *depender, Node *expr, List *rtable, DependencyType behavior)
@ SHARED_DEPENDENCY_POLICY
int errhint(const char *fmt,...)
int errcode(int sqlerrcode)
int errmsg(const char *fmt,...)
#define ereport(elevel,...)
#define DirectFunctionCall1(func, arg1)
void systable_endscan(SysScanDesc sysscan)
HeapTuple systable_getnext(SysScanDesc sysscan)
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
bool allowSystemTableMods
HeapTuple heap_modify_tuple(HeapTuple tuple, TupleDesc tupleDesc, const Datum *replValues, const bool *replIsnull, const bool *doReplace)
HeapTuple heap_copytuple(HeapTuple tuple)
HeapTuple heap_form_tuple(TupleDesc tupleDescriptor, const Datum *values, const bool *isnull)
void heap_freetuple(HeapTuple htup)
#define HeapTupleIsValid(tuple)
static Datum heap_getattr(HeapTuple tup, int attnum, TupleDesc tupleDesc, bool *isnull)
void CatalogTupleUpdate(Relation heapRel, ItemPointer otid, HeapTuple tup)
void CatalogTupleInsert(Relation heapRel, HeapTuple tup)
void CatalogTupleDelete(Relation heapRel, ItemPointer tid)
void CacheInvalidateRelcache(Relation relation)
void CacheInvalidateRelcacheByTuple(HeapTuple classTuple)
List * lcons(void *datum, List *list)
#define AccessExclusiveLock
char get_rel_relkind(Oid relid)
char * get_rel_name(Oid relid)
void MemoryContextSetParent(MemoryContext context, MemoryContext new_parent)
void pfree(void *pointer)
void * MemoryContextAllocZero(MemoryContext context, Size size)
MemoryContext CurrentMemoryContext
char * MemoryContextStrdup(MemoryContext context, const char *string)
MemoryContext CacheMemoryContext
#define AllocSetContextCreate
#define ALLOCSET_SMALL_SIZES
#define MemoryContextCopyAndSetIdentifier(cxt, id)
void namestrcpy(Name name, const char *str)
Datum namein(PG_FUNCTION_ARGS)
Oid RangeVarGetRelidExtended(const RangeVar *relation, LOCKMODE lockmode, uint32 flags, RangeVarGetRelidCallback callback, void *callback_arg)
#define InvokeObjectPostCreateHook(classId, objectId, subId)
#define InvokeObjectPostAlterHook(classId, objectId, subId)
ObjectType get_relkind_objtype(char relkind)
#define ObjectAddressSet(addr, class_id, object_id)
char * nodeToString(const void *obj)
Node * transformWhereClause(ParseState *pstate, Node *clause, ParseExprKind exprKind, const char *constructName)
void assign_expr_collations(ParseState *pstate, Node *expr)
void free_parsestate(ParseState *pstate)
ParseState * make_parsestate(ParseState *parentParseState)
ParseNamespaceItem * addRangeTableEntryForRelation(ParseState *pstate, Relation rel, int lockmode, Alias *alias, bool inh, bool inFromCl)
void addNSItemToQuery(ParseState *pstate, ParseNamespaceItem *nsitem, bool addToJoinList, bool addToRelNameSpace, bool addToVarNameSpace)
FormData_pg_class * Form_pg_class
void recordDependencyOn(const ObjectAddress *depender, const ObjectAddress *referenced, DependencyType behavior)
long deleteDependencyRecordsFor(Oid classId, Oid objectId, bool skipExtensionDeps)
static int list_length(const List *l)
FormData_pg_policy * Form_pg_policy
void deleteSharedDependencyRecordsFor(Oid classId, Oid objectId, int32 objectSubId)
void recordSharedDependencyOn(ObjectAddress *depender, ObjectAddress *referenced, SharedDependencyType deptype)
bool RemoveRoleFromObjectPolicy(Oid roleid, Oid classid, Oid policy_id)
static void RangeVarCallbackForPolicy(const RangeVar *rv, Oid relid, Oid oldrelid, void *arg)
ObjectAddress CreatePolicy(CreatePolicyStmt *stmt)
static Datum * policy_role_list_to_array(List *roles, int *num_roles)
ObjectAddress AlterPolicy(AlterPolicyStmt *stmt)
void RelationBuildRowSecurity(Relation relation)
static char parse_policy_command(const char *cmd_name)
bool relation_has_policies(Relation rel)
Oid get_relation_policy_oid(Oid relid, const char *policy_name, bool missing_ok)
ObjectAddress rename_policy(RenameStmt *stmt)
void RemovePolicyById(Oid policy_id)
static Datum PointerGetDatum(const void *X)
static Oid DatumGetObjectId(Datum X)
static Datum BoolGetDatum(bool X)
static Datum ObjectIdGetDatum(Oid X)
static char DatumGetChar(Datum X)
static Datum CStringGetDatum(const char *X)
static Datum CharGetDatum(char X)
MemoryContextSwitchTo(old_ctx)
void * stringToNode(const char *str)
#define RelationGetRelid(relation)
#define RelationGetDescr(relation)
#define RelationGetRelationName(relation)
bool checkExprHasSubLink(Node *node)
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
void relation_close(Relation relation, LOCKMODE lockmode)
Relation relation_open(Oid relationId, LOCKMODE lockmode)
#define BTEqualStrategyNumber
#define ERRCODE_DUPLICATE_OBJECT
struct RowSecurityDesc * rd_rsdesc
void ReleaseSysCache(HeapTuple tuple)
HeapTuple SearchSysCache1(int cacheId, Datum key1)
void table_close(Relation relation, LOCKMODE lockmode)
Relation table_open(Oid relationId, LOCKMODE lockmode)
void CommandCounterIncrement(void)