Re: [PATCHES] Extending grant insert on tables to sequences
Jaime Casanova escribió:
On Thu, May 22, 2008 at 1:18 PM, Jaime Casanova [EMAIL PROTECTED] wrote:
Hi,
The idea of this patch is to avoid the need to make explicit grants on
sequences owned by tables.
I've noted that the patch i attached is an older version that doesn't
compile because of a typo...
Re-attaching right patch and fix documentation to indicate the new
behaviour...
I had a look at this patch and it looks good. The only thing that's not
clear to me is whether we have agreed we want this to be the default
behavior?
A quibble:
+ foreach(cell, istmt.objects)
+ {
+ [...]
+
+ istmt_seq.objects = getOwnedSequences(lfirst_oid(cell));
+ if (istmt_seq.objects != NIL)
+ {
+ if (istmt.privileges (ACL_INSERT))
+ istmt_seq.privileges |= ACL_USAGE;
+ else if (istmt.privileges (ACL_UPDATE))
+ istmt_seq.privileges |= ACL_UPDATE;
+ else if (istmt.privileges (ACL_SELECT))
+ istmt_seq.privileges |= ACL_SELECT;
+
+ ExecGrantStmt_oids(istmt_seq);
+ }
Wouldn't it be clearer to build a list with all the sequences owned by
the tables in istmt.objects, and then call ExecGrantStmt_oids() a single
time with the big list?
--
Alvaro Herrerahttp://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
--
Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Re: [PATCHES] Extending grant insert on tables to sequences
On Saturday 24 May 2008 01:19:05 Jaime Casanova wrote:
On Sat, May 24, 2008 at 12:09 AM, Alvaro Herrera
[EMAIL PROTECTED] wrote:
Please add the patch to the commitfest page,
Ah! I forgot we have a new process now... patch added to the commitfest
page...
What's the use case for extending SELECT on table to SELECT on sequence ?
--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL
--
Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Re: [PATCHES] Extending grant insert on tables to sequences
On 5/29/08, Robert Treat [EMAIL PROTECTED] wrote: On Saturday 24 May 2008 01:19:05 Jaime Casanova wrote: On Sat, May 24, 2008 at 12:09 AM, Alvaro Herrera [EMAIL PROTECTED] wrote: Please add the patch to the commitfest page, Ah! I forgot we have a new process now... patch added to the commitfest page... What's the use case for extending SELECT on table to SELECT on sequence ? Just to be consistent -- Atentamente, Jaime Casanova Soporte y capacitación de PostgreSQL Guayaquil - Ecuador Cel. (593) 087171157 -- Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-patches
Re: [PATCHES] Extending grant insert on tables to sequences
On Thu, May 22, 2008 at 1:18 PM, Jaime Casanova [EMAIL PROTECTED] wrote:
Hi,
The idea of this patch is to avoid the need to make explicit grants on
sequences owned by tables.
I've noted that the patch i attached is an older version that doesn't
compile because of a typo...
Re-attaching right patch and fix documentation to indicate the new behaviour...
we need an user visible message to indicate this implicit grant on the
sequences?
--
Atentamente,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 087171157
Index: doc/src/sgml/ref/grant.sgml
===
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v
retrieving revision 1.68
diff -c -r1.68 grant.sgml
*** doc/src/sgml/ref/grant.sgml 5 May 2008 01:21:03 - 1.68
--- doc/src/sgml/ref/grant.sgml 24 May 2008 04:46:36 -
***
*** 387,396
/para
para
! Granting permission on a table does not automatically extend
! permissions to any sequences used by the table, including
! sequences tied to typeSERIAL/ columns. Permissions on
! sequence must be set separately.
/para
para
--- 387,395
/para
para
! Granting permission on a table automatically extend
! permissions to any sequences owned by the table, including
! sequences tied to typeSERIAL/ columns.
/para
para
Index: src/backend/catalog/aclchk.c
===
RCS file: /projects/cvsroot/pgsql/src/backend/catalog/aclchk.c,v
retrieving revision 1.146
diff -c -r1.146 aclchk.c
*** src/backend/catalog/aclchk.c12 May 2008 00:00:46 - 1.146
--- src/backend/catalog/aclchk.c24 May 2008 04:46:45 -
***
*** 360,365
--- 360,402
}
ExecGrantStmt_oids(istmt);
+
+ /*
+* If the objtype is a relation and the privileges includes INSERT,
UPDATE
+* or SELECT then extends the GRANT/REVOKE to the sequences owned by the
+* relation
+*/
+ if ((istmt.objtype == ACL_OBJECT_RELATION)
+ (istmt.privileges (ACL_INSERT | ACL_UPDATE | ACL_SELECT)))
+ {
+ AclMode priv;
+ foreach(cell, istmt.objects)
+ {
+ InternalGrant istmt_seq;
+
+ istmt_seq.is_grant = istmt.is_grant;
+ istmt_seq.objtype = ACL_OBJECT_SEQUENCE;
+ istmt_seq.grantees = istmt.grantees;
+ istmt_seq.grant_option = istmt.grant_option;
+ istmt_seq.behavior = istmt.behavior;
+
+ istmt_seq.all_privs = false;
+ istmt_seq.privileges = ACL_NO_RIGHTS;
+
+ istmt_seq.objects = getOwnedSequences(lfirst_oid(cell));
+ if (istmt_seq.objects != NIL)
+ {
+ if (istmt.privileges (ACL_INSERT))
+ istmt_seq.privileges |= ACL_USAGE;
+ else if (istmt.privileges (ACL_UPDATE))
+ istmt_seq.privileges |= ACL_UPDATE;
+ else if (istmt.privileges (ACL_SELECT))
+ istmt_seq.privileges |= ACL_SELECT;
+
+ ExecGrantStmt_oids(istmt_seq);
+ }
+ }
+ }
}
/*
Index: src/test/regress/expected/dependency.out
===
RCS file: /projects/cvsroot/pgsql/src/test/regress/expected/dependency.out,v
retrieving revision 1.6
diff -c -r1.6 dependency.out
*** src/test/regress/expected/dependency.out5 May 2008 01:21:03 -
1.6
--- src/test/regress/expected/dependency.out24 May 2008 04:46:59 -
***
*** 16,22
DETAIL: access to table deptest
DROP GROUP regression_group;
ERROR: role regression_group cannot be dropped because some objects depend
on it
! DETAIL: access to table deptest
-- if we revoke the privileges we can drop the group
REVOKE SELECT ON deptest FROM GROUP regression_group;
DROP GROUP regression_group;
--- 16,23
DETAIL: access to table deptest
DROP GROUP regression_group;
ERROR: role regression_group cannot be dropped because some objects depend
on it
! DETAIL: access to sequence deptest_f1_seq
! access to table deptest
-- if we revoke the privileges we can drop the group
REVOKE SELECT ON deptest FROM GROUP regression_group;
DROP GROUP regression_group;
--
Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Re: [PATCHES] Extending grant insert on tables to sequences
On Sat, May 24, 2008 at 12:09 AM, Alvaro Herrera [EMAIL PROTECTED] wrote: Please add the patch to the commitfest page, Ah! I forgot we have a new process now... patch added to the commitfest page... -- Atentamente, Jaime Casanova Soporte y capacitación de PostgreSQL Guayaquil - Ecuador Cel. (593) 087171157 -- Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-patches
Re: [PATCHES] Extending grant insert on tables to sequences
Jaime Casanova escribió: On Thu, May 22, 2008 at 1:18 PM, Jaime Casanova [EMAIL PROTECTED] wrote: Hi, The idea of this patch is to avoid the need to make explicit grants on sequences owned by tables. I've noted that the patch i attached is an older version that doesn't compile because of a typo... Re-attaching right patch and fix documentation to indicate the new behaviour... Please add the patch to the commitfest page, http://wiki.postgresql.org/wiki/CommitFest:July -- Alvaro Herrerahttp://www.CommandPrompt.com/ PostgreSQL Replication, Consulting, Custom Development, 24x7 support -- Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-patches
