2009/12/16 KaiGai Kohei <[email protected]>:
> (2009/12/17 7:25), Robert Haas wrote:
>> On Thu, Dec 10, 2009 at 10:41 PM, Takahiro Itagaki
>> <[email protected]> wrote:
>>>
>>> KaiGai Kohei<[email protected]> wrote:
>>>
>>>> What's your opinion about:
>>>> long desc: When turned on, privilege checks on large objects perform
>>>> with
>>>> backward compatibility as 8.4.x or earlier releases.
>>>
>>> I updated the description as your suggest.
>>>
>>> Applied with minor editorialization,
>>> mainly around tab-completion support in psql.
>>
>> The documentation in this patch needs work.
>
> Are you talking about English quality? or Am I missing something to be
> documented?
Mostly English quality, but there are some other issues too. Proposed
patch attached.
...Robert
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index fdff8b8..482aeac 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -3125,9 +3125,8 @@
<para>
The catalog <structname>pg_largeobject</structname> holds the data making up
- <quote>large objects</quote>. A large object is identified by an OID of
- <link linkend="catalog-pg-largeobject-metadata"><structname>pg_largeobject_metadata</></link>
- catalog, assigned when it is created. Each large object is broken into
+ <quote>large objects</quote>. A large object is identified by an OID
+ assigned when it is created. Each large object is broken into
segments or <quote>pages</> small enough to be conveniently stored as rows
in <structname>pg_largeobject</structname>.
The amount of data per page is defined to be <symbol>LOBLKSIZE</> (which is currently
@@ -3135,10 +3134,12 @@
</para>
<para>
- <structname>pg_largeobject</structname> should not be readable by the
- public, since the catalog contains data in large objects of all users.
- <structname>pg_largeobject_metadata</> is a publicly readable catalog
- that only contains identifiers of large objects.
+ Prior to <productname>PostgreSQL</> 8.5, there was no permission structure
+ associated with large objects. As a result,
+ <structname>pg_largeobject</structname> was publicly readable and could be
+ used to obtain the OIDs (and contents) of all large objects in the system.
+ This is no longer the case; use <structname>pg_largeobject_metadata</> to
+ obtain a list of large object OIDs.
</para>
<table>
@@ -3202,9 +3203,8 @@
</indexterm>
<para>
- The purpose of <structname>pg_largeobject_metadata</structname> is to
- hold metadata of <quote>large objects</quote>, such as OID of its owner,
- access permissions and OID of the large object itself.
+ The catalog <structname>pg_largeobject_metadata</structname>
+ holds metadata associated with large objects.
</para>
<table>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 36d3a22..5e4b44a 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -4825,22 +4825,19 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
</indexterm>
<listitem>
<para>
- This allows us to tuen on/off database privilege checks on large
- objects. In the 8.4.x series and earlier release do not have
- privilege checks on large object in most cases.
-
- So, turning the <varname>lo_compat_privileges</varname> off means
- the large object feature performs in compatible mode.
+ In <productname>PostgreSQL</> releases prior to 8.5, large objects
+ did not have access privileges and were, in effect, readable and
+ writable by all users. Setting this variable to <literal>on</>
+ disables the new privilege checks, for compatibility with prior
+ releases. The default is <literal>off</>.
</para>
<para>
- Please note that it is not equivalent to disable all the security
- checks corresponding to large objects.
- For example, the <literal>lo_import()</literal> and
+ Setting this variable does not disable all security checks for
+ large objects - only those for which the default behavior has changed
+ in <productname>PostgreSQL</> 8.5.
+ For example, <literal>lo_import()</literal> and
<literal>lo_export()</literal> need superuser privileges independent
- from this setting as prior versions were doing.
- </para>
- <para>
- It is <literal>off</literal> by default.
+ of this setting.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/lobj.sgml b/doc/src/sgml/lobj.sgml
index e5a680a..de246b0 100644
--- a/doc/src/sgml/lobj.sgml
+++ b/doc/src/sgml/lobj.sgml
@@ -59,6 +59,21 @@
searches for the correct chunk number when doing random
access reads and writes.
</para>
+
+ <para>
+ As of <productname>PostgreSQL</> 8.5, large objects have an owner
+ and a set of access permissions, which can be managed using
+ <xref linkend="sql-grant" endterm="sql-grant-title"> and
+ <xref linkend="sql-revoke" endterm="sql-revoke-title">.
+ For compatibility with prior releases, see
+ <xref linkend="guc-lo-compat-privileges">.
+ <literal>SELECT</literal> privileges are required to read a large
+ object, and
+ <literal>UPDATE</literal> privileges are required to write to or
+ truncate it.
+ Only the large object owner (or the database superuser) can unlink, comment
+ on, or change the owner of a large object.
+ </para>
</sect1>
<sect1 id="lo-interfaces">
@@ -438,60 +453,9 @@ SELECT lo_export(image.raster, '/tmp/motd') FROM image
owning user. Therefore, their use is restricted to superusers. In
contrast, the client-side import and export functions read and write files
in the client's file system, using the permissions of the client program.
- The client-side functions can be used by any
- <productname>PostgreSQL</productname> user.
+ The client-side functions do not require superuser privilege.
</para>
- <sect2 id="lo-func-privilege">
- <title>Large object and privileges</title>
- <para>
- Note that access control feature was not supported in the 8.4.x series
- and earlier release.
- Also see the <xref linkend="guc-lo-compat-privileges"> compatibility
- option.
- </para>
- <para>
- Now it supports access controls on large objects, and allows the owner
- of large objects to set up access rights using
- <xref linkend="sql-grant" endterm="sql-grant-title"> and
- <xref linkend="sql-revoke" endterm="sql-revoke-title"> statement.
- </para>
- <para>
- Two permissions are defined on the large object class.
- These are checked only when <xref linkend="guc-lo-compat-privileges">
- option is disabled.
- </para>
- <para>
- The first is <literal>SELECT</literal>.
- It is required on <function>loread()</function> function.
- Note that when we open large object with read-only mode, we can see
- a static image even if other concurrent transaction modified the
- same large object.
- This principle is also applied on the access rights of large objects.
- Even if a transaction modified access rights and commit it, it is
- not invisible from other transaction which already opened the large
- object.
- </para>
- <para>
- The second is <literal>UPDATE</literal>.
- It is required on <function>lowrite()</function> function and
- <function>lo_truncate()</function> function.
- </para>
- <para>
- In addition, <function>lo_unlink()</function> function,
- <command>COMMENT ON</command> and <command>ALTER LARGE OBJECT</command>
- statements needs ownership of the large object to be accessed.
- </para>
- <para>
- You may wonder why <literal>SELECT</literal> is not checked on the
- <function>lo_export()</function> function or <literal>UPDATE</literal>
- is not checked on the <function>lo_import</function> function.
-
- These functions originally require database superuser privilege,
- and it allows to bypass the default database privilege checks,
- so we don't need to check an obvious test twice.
- </para>
- </sect2>
</sect1>
<sect1 id="lo-examplesect">
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index 8f61d72..2456a96 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -174,8 +174,7 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace
<xref linkend="sql-delete" endterm="sql-delete-title">.
For sequences, this privilege also allows the use of the
<function>currval</function> function.
- For large objects, this privilege also allows to read from
- the target large object.
+ For large objects, this privilege allows the object to be read.
</para>
</listitem>
</varlistentry>
@@ -209,8 +208,8 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace
<literal>SELECT</literal> privilege. For sequences, this
privilege allows the use of the <function>nextval</function> and
<function>setval</function> functions.
- For large objects, this privilege also allows to write or truncate
- on the target large object.
+ For large objects, this privilege allows writing or truncating the
+ object.
</para>
</listitem>
</varlistentry>
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
