Hi All, While working on an auth hook, I found that I was unable to access the pg_shseclabel system table while processing the hook. I discovered that the only shared tables bootstrapped and made available at this stage of the auth process are pg_database, pg_authid and pg_auth_members. Unfortunately, this is problematic if you have security labels associated with a role that are needed to make auth decisions or take auth actions.
Given that the shared relations currently exposed can also have security labels that can be used for auth purposes, I believe it makes sense to make those available as well. I have attached a patch that adds this functionality for review/discussion. If this functionality makes sense I'll add it to the commitfest. Thanks, Adam
diff --git a/src/backend/utils/cache/relcache.c b/src/backend/utils/cache/relcache.c
index 9c3d096..c38a8ac 100644
--- a/src/backend/utils/cache/relcache.c
+++ b/src/backend/utils/cache/relcache.c
@@ -51,6 +51,7 @@
 #include "catalog/pg_opclass.h"
 #include "catalog/pg_proc.h"
 #include "catalog/pg_rewrite.h"
+#include "catalog/pg_shseclabel.h"
 #include "catalog/pg_tablespace.h"
 #include "catalog/pg_trigger.h"
 #include "catalog/pg_type.h"
@@ -98,6 +99,7 @@ static const FormData_pg_attribute Desc_pg_database[Natts_pg_database] = {Schema
 static const FormData_pg_attribute Desc_pg_authid[Natts_pg_authid] = {Schema_pg_authid};
 static const FormData_pg_attribute Desc_pg_auth_members[Natts_pg_auth_members] = {Schema_pg_auth_members};
 static const FormData_pg_attribute Desc_pg_index[Natts_pg_index] = {Schema_pg_index};
+static const FormData_pg_attribute Desc_pg_shseclabel[Natts_pg_shseclabel] = {Schema_pg_shseclabel};
 
 /*
  * Hash tables that index the relation cache
@@ -3187,13 +3189,14 @@ RelationCacheInitialize(void)
 /*
  * RelationCacheInitializePhase2
  *
- * This is called to prepare for access to shared catalogs during startup.
- * We must at least set up nailed reldescs for pg_database, pg_authid,
- * and pg_auth_members. Ideally we'd like to have reldescs for their
- * indexes, too. We attempt to load this information from the shared
- * relcache init file. If that's missing or broken, just make phony
- * entries for the catalogs themselves. RelationCacheInitializePhase3
- * will clean up as needed.
+ * This is called to prepare for access to shared catalogs during
+ * startup. We must at least set up nailed reldescs for
+ * pg_database, pg_authid, pg_auth_members, and pg_shseclabel.
+ * Ideally we'd like to have reldescs for their indexes, too. We
+ * attempt to load this information from the shared relcache init
+ * file. If that's missing or broken, just make phony entries for
+ * the catalogs themselves. RelationCacheInitializePhase3 will
+ * clean up as needed.
  */
 void
 RelationCacheInitializePhase2(void)
@@ -3229,8 +3232,10 @@ RelationCacheInitializePhase2(void)
 				  true, Natts_pg_authid, Desc_pg_authid);
 		formrdesc("pg_auth_members", AuthMemRelation_Rowtype_Id, true,
 				  false, Natts_pg_auth_members, Desc_pg_auth_members);
+		formrdesc("pg_shseclabel", SharedSecLabelRelation_Rowtype_Id, true,
+				  false, Natts_pg_shseclabel, Desc_pg_shseclabel);
 
-#define NUM_CRITICAL_SHARED_RELS 3 /* fix if you change list above */
+#define NUM_CRITICAL_SHARED_RELS 4 /* fix if you change list above */
 	}
 
 	MemoryContextSwitchTo(oldcxt);
@@ -3365,6 +3370,8 @@ RelationCacheInitializePhase3(void)
 							AuthIdRelationId);
 		load_critical_index(AuthMemMemRoleIndexId,
 							AuthMemRelationId);
+		load_critical_index(SharedSecLabelObjectIndexId,
+							SharedSecLabelRelationId);
 
 #define NUM_CRITICAL_SHARED_INDEXES 5 /* fix if you change list above */
diff --git a/src/include/catalog/pg_shseclabel.h b/src/include/catalog/pg_shseclabel.h
index 0ff41f3..d8334bf 100644
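Review bot: NUM_CRITICAL_SHARED_INDEXES is left at 5 in the RelationCacheInitializePhase3 hunk even though the hunk adds a sixth load_critical_index() call directly above it, and the macro's own comment says to fix it when the list changes; the Phase2 hunk does bump NUM_CRITICAL_SHARED_RELS to 4, so this looks like an oversight rather than intent. The line should read `#define NUM_CRITICAL_SHARED_INDEXES 6 /* fix if you change list above */`. As far as I recall, that macro is compared against the number of nailed indexes read back from the shared relcache init file (in code outside this hunk), so a stale count would silently make every init file look inconsistent and force a rebuild on each backend start rather than fail loudly — worth confirming against load_relcache_init_file before committing. RelationCacheInitializePhase3 begins and ends outside the hunk.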
--- a/src/include/catalog/pg_shseclabel.h
+++ b/src/include/catalog/pg_shseclabel.h
@@ -18,9 +18,10 @@
  * typedef struct FormData_pg_shseclabel
  * ----------------
  */
-#define SharedSecLabelRelationId 3592
+#define SharedSecLabelRelationId 3592
+#define SharedSecLabelRelation_Rowtype_Id 4066
 
-CATALOG(pg_shseclabel,3592) BKI_SHARED_RELATION BKI_WITHOUT_OIDS
+CATALOG(pg_shseclabel,3592) BKI_SHARED_RELATION BKI_ROWTYPE_OID(4066) BKI_WITHOUT_OIDS BKI_SCHEMA_MACRO
 {
 	Oid objoid; /* OID of the shared object itself */
 	Oid classoid; /* OID of table containing the shared object */
@@ -31,6 +32,8 @@ CATALOG(pg_shseclabel,3592) BKI_SHARED_RELATION BKI_WITHOUT_OIDS
 #endif
 } FormData_pg_shseclabel;
 
+typedef FormData_pg_shseclabel *Form_pg_shseclabel;
+
 /* ----------------
  * compiler constants for pg_shseclabel
  * ----------------
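Review bot: The new rowtype OID 4066 introduced in the first hunk via `BKI_ROWTYPE_OID(4066)` and `#define SharedSecLabelRelation_Rowtype_Id 4066` needs to be confirmed unused across the catalog headers before this goes in; a collision only surfaces at initdb, so run the duplicate_oids script (and unused_oids to pick from a free range) and say so in the commit message. Because the patch changes bootstrap catalog contents (a new pg_type row for the relation's rowtype, plus a schema macro), it presumably also needs a CATALOG_VERSION_NO bump in catversion.h, which is not part of this diff. Minor: the `-#define SharedSecLabelRelationId 3592` / `+#define SharedSecLabelRelationId 3592` pair is a whitespace-only change; either drop it from the patch or mention that it only realigns the macros so reviewers do not go looking for a value change.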