
Commit 2ad0cf0

committed
change default value of column 'enable_parent', small refactoring of function check_security_policy(), check_security_policy_internal() now takes role as parameter
1 parent f4e71de commit 2ad0cf0


5 files changed

+31
-15
lines changed


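--- a/expected/pathman_permissions.out
+++ b/expected/pathman_permissions.out
@@ -17,7 +17,8 @@ INSERT INTO permissions.user1_table SELECT g, g FROM generate_series(1, 20) as g
 SET ROLE user2;
 SELECT create_range_partitions('permissions.user1_table', 'id', 1, 10, 2);
 NOTICE: sequence "user1_table_seq" does not exist, skipping
-ERROR: only the owner or superuser can change partitioning configuration of table "user1_table"
+WARNING: only the owner or superuser can change partitioning configuration of table "user1_table"
+ERROR: new row violates row-level security policy for table "pathman_config"
 /* Should be ok */
 SET ROLE user1;
 SELECT create_range_partitions('permissions.user1_table', 'id', 1, 10, 2);
@@ -44,14 +45,16 @@ SELECT * FROM pathman_config_params;
 /* Should fail */
 SET ROLE user2;
 SELECT set_enable_parent('permissions.user1_table', true);
-ERROR: only the owner or superuser can change partitioning configuration of table "user1_table"
+WARNING: only the owner or superuser can change partitioning configuration of table "user1_table"
+ERROR: new row violates row-level security policy for table "pathman_config_params"
 SELECT set_auto('permissions.user1_table', false);
-ERROR: only the owner or superuser can change partitioning configuration of table "user1_table"
+WARNING: only the owner or superuser can change partitioning configuration of table "user1_table"
+ERROR: new row violates row-level security policy for table "pathman_config_params"
 /* Should fail */
 SET ROLE user2;
 DELETE FROM pathman_config
 WHERE partrel = 'permissions.user1_table'::regclass;
-ERROR: only the owner or superuser can change partitioning configuration of table "user1_table"
+WARNING: only the owner or superuser can change partitioning configuration of table "user1_table"
 /* No rights to insert, should fail */
 SET ROLE user2;
 INSERT INTO permissions.user1_table (id, a) VALUES (35, 0);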
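Review bot: The `DELETE FROM pathman_config` case run as user2 now ends with only a WARNING (new line 57) and no ERROR, so the expected output no longer shows that the statement was actually refused. Under row-level security a filtered DELETE normally completes and removes zero rows, and this output cannot tell that apart from a delete that went through. Add a follow-up check under the owner role, for example `SELECT count(*) FROM pathman_config WHERE partrel = 'permissions.user1_table'::regclass;`, so the test pins that the config row is still present. The hunk stops before the rest of the script, so a later statement may already cover this.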

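--- a/init.sql
+++ b/init.sql
@@ -35,7 +35,7 @@ CREATE TABLE IF NOT EXISTS @extschema@.pathman_config (
 */
 CREATE TABLE IF NOT EXISTS @extschema@.pathman_config_params (
 partrel REGCLASS NOT NULL PRIMARY KEY,
-enable_parent BOOLEAN NOT NULL DEFAULT TRUE,
+enable_parent BOOLEAN NOT NULL DEFAULT FALSE,
 auto BOOLEAN NOT NULL DEFAULT TRUE,
 init_callback REGPROCEDURE NOT NULL DEFAULT 0
 );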
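Review bot: Switching `enable_parent` to `DEFAULT FALSE` inside `CREATE TABLE IF NOT EXISTS` only reaches fresh installs; a database where pathman_config_params already exists keeps the old default, and none of the five files in this commit is an upgrade script. If existing installations are meant to follow, the upgrade path needs something like `ALTER TABLE @extschema@.pathman_config_params ALTER COLUMN enable_parent SET DEFAULT FALSE;`. A one-line comment on the column explaining why the parent is now excluded by default would also help, since the commit message gives no reason.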

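--- a/src/pl_funcs.c
+++ b/src/pl_funcs.c
@@ -538,7 +538,7 @@ build_check_constraint_name_attname(PG_FUNCTION_ARGS)
 elog(ERROR, "Invalid relation %u", relid);
 
 if (attnum == InvalidAttrNumber)
-elog(ERROR, "Relation \"%s\" has no column '%s'",
+elog(ERROR, "relation \"%s\" has no column \"%s\"",
 get_rel_name_or_relid(relid), text_to_cstring(attname));
 
 result = build_check_constraint_name_internal(relid, attnum);
@@ -870,7 +870,19 @@ invoke_on_partition_created_callback(PG_FUNCTION_ARGS)
 Datum
 check_security_policy(PG_FUNCTION_ARGS)
 {
-PG_RETURN_BOOL(check_security_policy_internal(PG_GETARG_OID(0)));
+Oid relid = PG_GETARG_OID(0);
+
+if (!check_security_policy_internal(relid, GetUserId()))
+{
+elog(WARNING, "only the owner or superuser can change "
+"partitioning configuration of table \"%s\"",
+get_rel_name_or_relid(relid));
+
+PG_RETURN_BOOL(false);
+}
+
+/* Else return TRUE */
+PG_RETURN_BOOL(true);
 }
 
 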
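Review bot: check_security_policy() no longer aborts on denial; it logs a WARNING and returns false, so the access decision now rests entirely on the caller acting on the return value. The regression output suggests row-level security policies on pathman_config and pathman_config_params do that, but they are not part of this diff. The function has no header comment recording this contract; add one such as `/* Returns false (after a WARNING) when the current user is neither owner nor superuser; never raises an error, so the caller must enforce the result. */`. If the function is evaluated per row inside a policy, the WARNING would be emitted once per row checked, which is worth confirming before release.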

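--- a/src/utils.c
+++ b/src/utils.c
@@ -759,27 +759,28 @@ validate_on_part_init_cb(Oid procid, bool emit_error)
 * better to check user permissions in order to let other users participate.
 */
 bool
-check_security_policy_internal(Oid relid)
+check_security_policy_internal(Oid relid, Oid role)
 {
-Oid owner;
+Oid owner;
 
 /* Superuser is allowed to do anything */
 if (superuser())
 return true;
 
+/* Fetch the owner */
+owner = get_rel_owner(relid);
+
 /*
 * Sometimes the relation doesn't exist anymore but there is still
 * a record in config. For instance, it happens in DDL event trigger.
 * Still we should be able to remove this record.
 */
-if ((owner = get_rel_owner(relid)) == InvalidOid)
+if (owner == InvalidOid)
 return true;
 
 /* Check if current user is the owner of the relation */
-if (owner != GetUserId())
-elog(ERROR, "only the owner or superuser can change "
-"partitioning configuration of table \"%s\"",
-get_rel_name_or_relid(relid));
+if (owner != role)
+return false;
 
 return true;
 }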
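Review bot: The new `role` parameter is used only in the ownership comparison; the superuser shortcut still calls `superuser()`, which tests the current user rather than `role`, so a caller passing anything other than GetUserId() gets an answer about a mix of two identities. Use `if (superuser_arg(role))` so the whole decision is about the role passed in. The comment `/* Check if current user is the owner of the relation */` is now stale and should name the given role. The function's header comment starts above the hunk; it should also record that `owner != role` matches direct ownership only and that a missing relation (InvalidOid owner) is allowed for every role, both of which predate this commit.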

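--- a/src/utils.h
+++ b/src/utils.h
@@ -50,7 +50,7 @@ bool clause_contains_params(Node *clause);
 bool is_date_type_internal(Oid typid);
 bool is_string_type_internal(Oid typid);
 bool validate_on_part_init_cb(Oid procid, bool emit_error);
-bool check_security_policy_internal(Oid relid);
+bool check_security_policy_internal(Oid relid, Oid role);
 
 /*
 * Misc.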
