Kohei KaiGai <kai...@kaigai.gr.jp> wrote:

> I'll adjust the contrib/sepgsql portion so that materialized views are
> handled in the same manner as existing views.

OK.  In case it is of any use to you as a starting point, attached
is what I originally had, which seems to be similar to what you
describe as your preference.  I'll revert everything under
contrib/sepgsql/ and wait for a patch from you.

If you have something prior to a commit to the community repo, you
can work against:

https://github.com/kgrittn/postgres/commits/matview

-Kevin
diff --git a/contrib/sepgsql/dml.c b/contrib/sepgsql/dml.c
index c3ef2b7..4db5883 100644
--- a/contrib/sepgsql/dml.c
+++ b/contrib/sepgsql/dml.c
@@ -191,6 +191,7 @@ check_relation_privileges(Oid relOid,
 	switch (relkind)
 	{
 		case RELKIND_RELATION:
+		case RELKIND_MATVIEW:
 			result = sepgsql_avc_check_perms(&object,
 											 SEPG_CLASS_DB_TABLE,
 											 required,
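Review bot: RELKIND_MATVIEW is folded into the SEPG_CLASS_DB_TABLE case here, while the rest of this patch (relation.c, selinux.c, sepgsql.h) gives materialized views their own db_materialized_view class, so a matview would be created, dropped and relabelled under one object class but have its DML checked under another, and a policy that only grants db_materialized_view permissions could never satisfy this check. Either DML should use SEPG_CLASS_DB_MATVIEW with its own select/insert/update/delete vectors, or the separate class should be dropped and matviews treated as db_table everywhere. check_relation_privileges begins and ends outside the hunk and I cannot see how `required` is computed from here, so the exact vector mapping needs confirming before choosing.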
@@ -226,7 +227,7 @@ check_relation_privileges(Oid relOid,
 	/*
 	 * Only columns owned by relations shall be checked
 	 */
-	if (relkind != RELKIND_RELATION)
+	if (relkind != RELKIND_RELATION && relkind != RELKIND_MATVIEW)
 		return true;
 
 	/*
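Review bot: The comment just above the widened test, `Only columns owned by relations shall be checked`, still reads as if only plain tables are meant now that RELKIND_MATVIEW passes through; I would change it to `Only columns of regular tables and materialized views carry their own labels, so only those are checked here`. The enclosing function continues outside the hunk.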
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index a5bdde3..7ebf525 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -764,6 +764,8 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId)
 					objtype = SELABEL_DB_SEQUENCE;
 				else if (relForm->relkind == RELKIND_VIEW)
 					objtype = SELABEL_DB_VIEW;
+				else if (relForm->relkind == RELKIND_MATVIEW)
+					objtype = SELABEL_DB_MATVIEW;
 				else
 					continue;	/* no need to assign security label */
 
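Review bot: SELABEL_DB_MATVIEW is not, as far as I know, an object-type constant defined by libselinux's label_db backend (the ones this switch already uses are SELABEL_DB_SEQUENCE, SELABEL_DB_VIEW, SELABEL_DB_COLUMN and so on), so unless it is supplied elsewhere this branch will fail to compile against a stock libselinux; if it is kept it needs a configure-time check or a fallback, otherwise map materialized views to an existing object type such as SELABEL_DB_TABLE for restorecon purposes. exec_object_restorecon begins and ends outside the hunk.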
@@ -782,7 +784,8 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId)
 			case AttributeRelationId:
 				attForm = (Form_pg_attribute) GETSTRUCT(tuple);
 
-				if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION)
+				if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION &&
+					get_rel_relkind(attForm->attrelid) != RELKIND_MATVIEW)
 					continue;	/* no need to assign security label */
 
 				objtype = SELABEL_DB_COLUMN;
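Review bot: The new condition calls get_rel_relkind(attForm->attrelid) twice, which is two syscache lookups per pg_attribute tuple inside what appears to be a scan over the whole catalog; fetch it once into a local declared with the other variables of the function, `relkind = get_rel_relkind(attForm->attrelid);` followed by `if (relkind != RELKIND_RELATION && relkind != RELKIND_MATVIEW) continue;`. The enclosing function begins and ends outside the hunk.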
diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c
index a277fab..feaecfd 100644
--- a/contrib/sepgsql/relation.c
+++ b/contrib/sepgsql/relation.c
@@ -54,8 +54,8 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
 	Form_pg_attribute attForm;
 
 	/*
-	 * Only attributes within regular relation have individual security
-	 * labels.
+	 * Only attributes within regular relation or materialized view have
+	 * individual security labels.
 	 */
 	if (get_rel_relkind(relOid) != RELKIND_RELATION)
 		return;
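Review bot: The comment now says attributes of materialized views have individual labels, but the test on the following line still returns early for everything other than RELKIND_RELATION, so a matview column gets no label from sepgsql_attribute_post_create even though sepgsql_relation_post_create and sepgsql_attribute_relabel in this same patch treat matview columns as labelled objects. The check should be `char relkind = get_rel_relkind(relOid);` then `if (relkind != RELKIND_RELATION && relkind != RELKIND_MATVIEW) return;`. The body of the function continues outside the hunk.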
@@ -159,7 +159,8 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
 	ObjectAddress object;
 	char	   *audit_name;
 
-	if (get_rel_relkind(relOid) != RELKIND_RELATION)
+	if (get_rel_relkind(relOid) != RELKIND_RELATION &&
+		get_rel_relkind(relOid) != RELKIND_MATVIEW)
 		ereport(ERROR,
 				(errcode(ERRCODE_WRONG_OBJECT_TYPE),
 				 errmsg("cannot set security label on non-regular columns")));
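Review bot: The message `cannot set security label on non-regular columns` no longer describes the rule, since columns of materialized views are now accepted while those of views and sequences are still refused; `cannot set security label on columns of relations other than tables and materialized views` would match the wording used by sepgsql_relation_relabel later in this patch. get_rel_relkind(relOid) is also evaluated twice in the condition where one local would do. The function continues outside the hunk.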
@@ -263,6 +264,10 @@ sepgsql_relation_post_create(Oid relOid)
 			tclass = SEPG_CLASS_DB_VIEW;
 			tclass_text = "view";
 			break;
+		case RELKIND_MATVIEW:
+			tclass = SEPG_CLASS_DB_MATVIEW;
+			tclass_text = "materialized view";  /* TODO: "matview"? */
+			break;
 		case RELKIND_INDEX:
 			/* deal with indexes specially; no need for tclass */
 			sepgsql_index_modify(relOid);
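Review bot: The `TODO: "matview"?` on tclass_text should be resolved rather than committed; the visible sibling uses the plain noun from its policy class name (`"view"` for db_view), and since this class is registered as `db_materialized_view` in selinux.c, `"materialized view"` is the consistent choice and the TODO can simply be removed. I cannot see from the hunk where tclass_text is consumed, so if it is parsed rather than only printed, check that a value containing a space is acceptable. sepgsql_relation_post_create continues outside the hunk.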
@@ -301,10 +306,11 @@ sepgsql_relation_post_create(Oid relOid)
 	SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext);
 
 	/*
-	 * We also assigns a default security label on columns of the new regular
-	 * tables.
+	 * We also assign a default security label on columns of new regular
+	 * tables and materialized views.
 	 */
-	if (classForm->relkind == RELKIND_RELATION)
+	if (classForm->relkind == RELKIND_RELATION ||
+		classForm->relkind == RELKIND_MATVIEW)
 	{
 		Relation	arel;
 		ScanKeyData akey;
@@ -386,6 +392,9 @@ sepgsql_relation_drop(Oid relOid)
 		case RELKIND_VIEW:
 			tclass = SEPG_CLASS_DB_VIEW;
 			break;
+		case RELKIND_MATVIEW:
+			tclass = SEPG_CLASS_DB_MATVIEW;
+			break;
 		case RELKIND_INDEX:
 			/* ignore indexes on toast tables */
 			if (get_rel_namespace(relOid) == PG_TOAST_NAMESPACE)
@@ -420,7 +429,7 @@ sepgsql_relation_drop(Oid relOid)
 	}
 
 	/*
-	 * check db_table/sequence/view:{drop} permission
+	 * check db_table/sequence/view/matview:{drop} permission
 	 */
 	object.classId = RelationRelationId;
 	object.objectId = relOid;
@@ -436,6 +445,8 @@ sepgsql_relation_drop(Oid relOid)
 
 	/*
 	 * check db_column:{drop} permission
+	 *
+	 * TODO: Anything to do here for materialized views?
 	 */
 	if (relkind == RELKIND_RELATION)
 	{
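Review bot: The db_column:{drop} check below still runs only for RELKIND_RELATION, yet this same patch assigns per-column labels to materialized views in sepgsql_relation_post_create, so dropping a matview discards labelled columns without ever consulting the policy for them; the condition should become `if (relkind == RELKIND_RELATION || relkind == RELKIND_MATVIEW)` and the TODO removed. The loop body is outside the hunk, so confirm it does not rely on anything specific to plain tables.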
@@ -489,11 +500,13 @@ sepgsql_relation_relabel(Oid relOid, const char *seclabel)
 		tclass = SEPG_CLASS_DB_SEQUENCE;
 	else if (relkind == RELKIND_VIEW)
 		tclass = SEPG_CLASS_DB_VIEW;
+	else if (relkind == RELKIND_MATVIEW)
+		tclass = SEPG_CLASS_DB_MATVIEW;
 	else
 		ereport(ERROR,
 				(errcode(ERRCODE_WRONG_OBJECT_TYPE),
 				 errmsg("cannot set security labels on relations except "
-						"for tables, sequences or views")));
+						"for tables, sequences, views, or materialized views")));
 
 	object.classId = RelationRelationId;
 	object.objectId = relOid;
@@ -544,6 +557,9 @@ sepgsql_relation_setattr(Oid relOid)
 		case RELKIND_VIEW:
 			tclass = SEPG_CLASS_DB_VIEW;
 			break;
+		case RELKIND_MATVIEW:
+			tclass = SEPG_CLASS_DB_MATVIEW;
+			break;
 		case RELKIND_INDEX:
 			/* deal with indexes specially */
 			sepgsql_index_modify(relOid);
diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
index f70254f..2ae17a5 100644
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -594,6 +594,35 @@ static struct
 			},
 		}
 	},
+	{
+		"db_materialized_view", SEPG_CLASS_DB_MATVIEW,
+		{
+			{
+				"create", SEPG_DB_MATVIEW__CREATE
+			},
+			{
+				"drop", SEPG_DB_MATVIEW__DROP
+			},
+			{
+				"getattr", SEPG_DB_MATVIEW__GETATTR
+			},
+			{
+				"setattr", SEPG_DB_MATVIEW__SETATTR
+			},
+			{
+				"relabelfrom", SEPG_DB_MATVIEW__RELABELFROM
+			},
+			{
+				"relabelto", SEPG_DB_MATVIEW__RELABELTO
+			},
+			{
+				"expand", SEPG_DB_MATVIEW__SELECT
+			},
+			{
+				NULL, 0UL
+			},
+		}
+	},
 };
 
 /*
diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h
index 5ae5146..4b436b8 100644
--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
@@ -51,7 +51,8 @@
 #define SEPG_CLASS_DB_BLOB			15
 #define SEPG_CLASS_DB_LANGUAGE		16
 #define SEPG_CLASS_DB_VIEW			17
-#define SEPG_CLASS_MAX				18
+#define SEPG_CLASS_DB_MATVIEW		18
+#define SEPG_CLASS_MAX				19
 
 /*
  * Internally used code of access vectors
@@ -211,6 +212,14 @@
 #define SEPG_DB_VIEW__RELABELTO				(SEPG_DB_DATABASE__RELABELTO)
 #define SEPG_DB_VIEW__EXPAND				(1<<6)
 
+#define SEPG_DB_MATVIEW__CREATE			(SEPG_DB_DATABASE__CREATE)
+#define SEPG_DB_MATVIEW__DROP				(SEPG_DB_DATABASE__DROP)
+#define SEPG_DB_MATVIEW__GETATTR			(SEPG_DB_DATABASE__GETATTR)
+#define SEPG_DB_MATVIEW__SETATTR			(SEPG_DB_DATABASE__SETATTR)
+#define SEPG_DB_MATVIEW__RELABELFROM		(SEPG_DB_DATABASE__RELABELFROM)
+#define SEPG_DB_MATVIEW__RELABELTO			(SEPG_DB_DATABASE__RELABELTO)
+#define SEPG_DB_MATVIEW__SELECT			(1<<6)
+
 /*
  * hooks.c
  */
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
