* before ExecutorEnd. This can be omitted only in case of EXPLAIN,
* which should also omit ExecutorRun.
*
- * Portions Copyright (c) 1996-2014, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1996-2015, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
*
#include "utils/acl.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
+#include "utils/rls.h"
#include "utils/snapmgr.h"
#include "utils/tqual.h"
DestReceiver *dest);
static bool ExecCheckRTEPerms(RangeTblEntry *rte);
static void ExecCheckXactReadOnly(PlannedStmt *plannedstmt);
-static char *ExecBuildSlotValueDescription(TupleTableSlot *slot,
+static char *ExecBuildSlotValueDescription(Oid reloid,
+ TupleTableSlot *slot,
TupleDesc tupdesc,
+ Bitmapset *modifiedCols,
int maxfieldlen);
static void EvalPlanQualStart(EPQState *epqstate, EState *parentestate,
Plan *planTree);
+/*
+ * Note that this macro also exists in commands/trigger.c. There does not
+ * appear to be any good header to put it into, given the structures that
+ * it uses, so we let them be duplicated. Be sure to update both if one needs
+ * to be changed, however.
+ */
+#define GetModifiedColumns(relinfo, estate) \
+ (rt_fetch((relinfo)->ri_RangeTableIndex, (estate)->es_range_table)->modifiedCols)
+
/* end of local decls */
*
* Returns true if permissions are adequate. Otherwise, throws an appropriate
* error if ereport_on_violation is true, or simply returns false otherwise.
+ *
+ * Note that this does NOT address row level security policies (aka: RLS). If
+ * rows will be returned to the user as a result of this permission check
+ * passing, then RLS also needs to be consulted (and check_enable_rls()).
+ *
+ * See rewrite/rowsecurity.c.
*/
bool
ExecCheckRTPerms(List *rangeTable, bool ereport_on_violation)
AclMode remainingPerms;
Oid relOid;
Oid userid;
- Bitmapset *tmpset;
int col;
/*
return false;
}
- tmpset = bms_copy(rte->selectedCols);
- while ((col = bms_first_member(tmpset)) >= 0)
+ col = -1;
+ while ((col = bms_next_member(rte->selectedCols, col)) >= 0)
{
- /* remove the column number offset */
- col += FirstLowInvalidHeapAttributeNumber;
- if (col == InvalidAttrNumber)
+ /* bit #s are offset by FirstLowInvalidHeapAttributeNumber */
+ AttrNumber attno = col + FirstLowInvalidHeapAttributeNumber;
+
+ if (attno == InvalidAttrNumber)
{
/* Whole-row reference, must have priv on all cols */
if (pg_attribute_aclcheck_all(relOid, userid, ACL_SELECT,
}
else
{
- if (pg_attribute_aclcheck(relOid, col, userid,
+ if (pg_attribute_aclcheck(relOid, attno, userid,
ACL_SELECT) != ACLCHECK_OK)
return false;
}
}
- bms_free(tmpset);
}
/*
return false;
}
- tmpset = bms_copy(rte->modifiedCols);
- while ((col = bms_first_member(tmpset)) >= 0)
+ col = -1;
+ while ((col = bms_next_member(rte->modifiedCols, col)) >= 0)
{
- /* remove the column number offset */
- col += FirstLowInvalidHeapAttributeNumber;
- if (col == InvalidAttrNumber)
+ /* bit #s are offset by FirstLowInvalidHeapAttributeNumber */
+ AttrNumber attno = col + FirstLowInvalidHeapAttributeNumber;
+
+ if (attno == InvalidAttrNumber)
{
/* whole-row reference can't happen here */
elog(ERROR, "whole-row update is not implemented");
}
else
{
- if (pg_attribute_aclcheck(relOid, col, userid,
+ if (pg_attribute_aclcheck(relOid, attno, userid,
remainingPerms) != ACLCHECK_OK)
return false;
}
}
- bms_free(tmpset);
}
}
return true;
erm->prti = rc->prti;
erm->rowmarkId = rc->rowmarkId;
erm->markType = rc->markType;
- erm->noWait = rc->noWait;
+ erm->waitPolicy = rc->waitPolicy;
ItemPointerSetInvalid(&(erm->curCtid));
estate->es_rowMarks = lappend(estate->es_rowMarks, erm);
}
{
if (tupdesc->attrs[attrChk - 1]->attnotnull &&
slot_attisnull(slot, attrChk))
+ {
+ char *val_desc;
+ Bitmapset *modifiedCols;
+
+ modifiedCols = GetModifiedColumns(resultRelInfo, estate);
+ val_desc = ExecBuildSlotValueDescription(RelationGetRelid(rel),
+ slot,
+ tupdesc,
+ modifiedCols,
+ 64);
+
ereport(ERROR,
(errcode(ERRCODE_NOT_NULL_VIOLATION),
errmsg("null value in column \"%s\" violates not-null constraint",
NameStr(tupdesc->attrs[attrChk - 1]->attname)),
- errdetail("Failing row contains %s.",
- ExecBuildSlotValueDescription(slot,
- tupdesc,
- 64)),
+ val_desc ? errdetail("Failing row contains %s.", val_desc) : 0,
errtablecol(rel, attrChk)));
+ }
}
}
const char *failed;
if ((failed = ExecRelCheck(resultRelInfo, slot, estate)) != NULL)
+ {
+ char *val_desc;
+ Bitmapset *modifiedCols;
+
+ modifiedCols = GetModifiedColumns(resultRelInfo, estate);
+ val_desc = ExecBuildSlotValueDescription(RelationGetRelid(rel),
+ slot,
+ tupdesc,
+ modifiedCols,
+ 64);
ereport(ERROR,
(errcode(ERRCODE_CHECK_VIOLATION),
errmsg("new row for relation \"%s\" violates check constraint \"%s\"",
RelationGetRelationName(rel), failed),
- errdetail("Failing row contains %s.",
- ExecBuildSlotValueDescription(slot,
- tupdesc,
- 64)),
+ val_desc ? errdetail("Failing row contains %s.", val_desc) : 0,
errtableconstraint(rel, failed)));
+ }
}
}
ExecWithCheckOptions(ResultRelInfo *resultRelInfo,
TupleTableSlot *slot, EState *estate)
{
+ Relation rel = resultRelInfo->ri_RelationDesc;
+ TupleDesc tupdesc = RelationGetDescr(rel);
ExprContext *econtext;
ListCell *l1,
*l2;
/*
* WITH CHECK OPTION checks are intended to ensure that the new tuple
- * is visible in the view. If the view's qual evaluates to NULL, then
- * the new tuple won't be included in the view. Therefore we need to
- * tell ExecQual to return FALSE for NULL (the opposite of what we do
- * above for CHECK constraints).
+ * is visible (in the case of a view) or that it passes the
+ * 'with-check' policy (in the case of row security).
+ * If the qual evaluates to NULL or FALSE, then the new tuple won't be
+ * included in the view or doesn't pass the 'with-check' policy for the
+ * table. We need ExecQual to return FALSE for NULL to handle the view
+ * case (the opposite of what we do above for CHECK constraints).
*/
if (!ExecQual((List *) wcoExpr, econtext, false))
+ {
+ char *val_desc;
+ Bitmapset *modifiedCols;
+
+ modifiedCols = GetModifiedColumns(resultRelInfo, estate);
+ val_desc = ExecBuildSlotValueDescription(RelationGetRelid(rel),
+ slot,
+ tupdesc,
+ modifiedCols,
+ 64);
+
ereport(ERROR,
(errcode(ERRCODE_WITH_CHECK_OPTION_VIOLATION),
- errmsg("new row violates WITH CHECK OPTION for view \"%s\"",
+ errmsg("new row violates WITH CHECK OPTION for \"%s\"",
wco->viewname),
- errdetail("Failing row contains %s.",
- ExecBuildSlotValueDescription(slot,
- RelationGetDescr(resultRelInfo->ri_RelationDesc),
- 64))));
+ val_desc ? errdetail("Failing row contains %s.", val_desc) :
+ 0));
+ }
}
}
* dropped columns. We used to use the slot's tuple descriptor to decode the
* data, but the slot's descriptor doesn't identify dropped columns, so we
* now need to be passed the relation's descriptor.
+ *
+ * Note that, like BuildIndexValueDescription, if the user does not have
+ * permission to view any of the columns involved, a NULL is returned. Unlike
+ * BuildIndexValueDescription, if the user has access to view a subset of the
+ * column involved, that subset will be returned with a key identifying which
+ * columns they are.
*/
static char *
-ExecBuildSlotValueDescription(TupleTableSlot *slot,
+ExecBuildSlotValueDescription(Oid reloid,
+ TupleTableSlot *slot,
TupleDesc tupdesc,
+ Bitmapset *modifiedCols,
int maxfieldlen)
{
StringInfoData buf;
+ StringInfoData collist;
bool write_comma = false;
+ bool write_comma_collist = false;
int i;
+ AclResult aclresult;
+ bool table_perm = false;
+ bool any_perm = false;
- /* Make sure the tuple is fully deconstructed */
- slot_getallattrs(slot);
+ /*
+ * Check if RLS is enabled and should be active for the relation; if so,
+ * then don't return anything. Otherwise, go through normal permission
+ * checks.
+ */
+ if (check_enable_rls(reloid, GetUserId(), true) == RLS_ENABLED)
+ return NULL;
initStringInfo(&buf);
appendStringInfoChar(&buf, '(');
+ /*
+ * Check if the user has permissions to see the row. Table-level SELECT
+ * allows access to all columns. If the user does not have table-level
+ * SELECT then we check each column and include those the user has SELECT
+ * rights on. Additionally, we always include columns the user provided
+ * data for.
+ */
+ aclresult = pg_class_aclcheck(reloid, GetUserId(), ACL_SELECT);
+ if (aclresult != ACLCHECK_OK)
+ {
+ /* Set up the buffer for the column list */
+ initStringInfo(&collist);
+ appendStringInfoChar(&collist, '(');
+ }
+ else
+ table_perm = any_perm = true;
+
+ /* Make sure the tuple is fully deconstructed */
+ slot_getallattrs(slot);
+
for (i = 0; i < tupdesc->natts; i++)
{
+ bool column_perm = false;
char *val;
int vallen;
if (tupdesc->attrs[i]->attisdropped)
continue;
- if (slot->tts_isnull[i])
- val = "null";
- else
+ if (!table_perm)
{
- Oid foutoid;
- bool typisvarlena;
+ /*
+ * No table-level SELECT, so need to make sure they either have
+ * SELECT rights on the column or that they have provided the
+ * data for the column. If not, omit this column from the error
+ * message.
+ */
+ aclresult = pg_attribute_aclcheck(reloid, tupdesc->attrs[i]->attnum,
+ GetUserId(), ACL_SELECT);
+ if (bms_is_member(tupdesc->attrs[i]->attnum - FirstLowInvalidHeapAttributeNumber,
+ modifiedCols) || aclresult == ACLCHECK_OK)
+ {
+ column_perm = any_perm = true;
- getTypeOutputInfo(tupdesc->attrs[i]->atttypid,
- &foutoid, &typisvarlena);
- val = OidOutputFunctionCall(foutoid, slot->tts_values[i]);
- }
+ if (write_comma_collist)
+ appendStringInfoString(&collist, ", ");
+ else
+ write_comma_collist = true;
- if (write_comma)
- appendStringInfoString(&buf, ", ");
- else
- write_comma = true;
+ appendStringInfoString(&collist, NameStr(tupdesc->attrs[i]->attname));
+ }
+ }
- /* truncate if needed */
- vallen = strlen(val);
- if (vallen <= maxfieldlen)
- appendStringInfoString(&buf, val);
- else
+ if (table_perm || column_perm)
{
- vallen = pg_mbcliplen(val, vallen, maxfieldlen);
- appendBinaryStringInfo(&buf, val, vallen);
- appendStringInfoString(&buf, "...");
+ if (slot->tts_isnull[i])
+ val = "null";
+ else
+ {
+ Oid foutoid;
+ bool typisvarlena;
+
+ getTypeOutputInfo(tupdesc->attrs[i]->atttypid,
+ &foutoid, &typisvarlena);
+ val = OidOutputFunctionCall(foutoid, slot->tts_values[i]);
+ }
+
+ if (write_comma)
+ appendStringInfoString(&buf, ", ");
+ else
+ write_comma = true;
+
+ /* truncate if needed */
+ vallen = strlen(val);
+ if (vallen <= maxfieldlen)
+ appendStringInfoString(&buf, val);
+ else
+ {
+ vallen = pg_mbcliplen(val, vallen, maxfieldlen);
+ appendBinaryStringInfo(&buf, val, vallen);
+ appendStringInfoString(&buf, "...");
+ }
}
}
+ /* If we end up with zero columns being returned, then return NULL. */
+ if (!any_perm)
+ return NULL;
+
appendStringInfoChar(&buf, ')');
+ if (!table_perm)
+ {
+ appendStringInfoString(&collist, ") = ");
+ appendStringInfoString(&collist, buf.data);
+
+ return collist.data;
+ }
+
return buf.data;
}
/*
* Get and lock the updated version of the row; if fail, return NULL.
*/
- copyTuple = EvalPlanQualFetch(estate, relation, lockmode, false /* wait */,
+ copyTuple = EvalPlanQualFetch(estate, relation, lockmode, LockWaitBlock,
tid, priorXmax);
if (copyTuple == NULL)
* estate - executor state data
* relation - table containing tuple
* lockmode - requested tuple lock mode
- * noWait - wait mode to pass to heap_lock_tuple
+ * wait_policy - requested lock wait policy
* *tid - t_ctid from the outdated tuple (ie, next updated version)
* priorXmax - t_xmax from the outdated tuple
*
* Returns a palloc'd copy of the newest tuple version, or NULL if we find
* that there is no newest version (ie, the row was deleted not updated).
+ * We also return NULL if the tuple is locked and the wait policy is to skip
+ * such tuples.
+ *
* If successful, we have locked the newest tuple version, so caller does not
* need to worry about it changing anymore.
*
* but we use "int" to avoid having to include heapam.h in executor.h.
*/
HeapTuple
-EvalPlanQualFetch(EState *estate, Relation relation, int lockmode, bool noWait,
+EvalPlanQualFetch(EState *estate, Relation relation, int lockmode,
+ LockWaitPolicy wait_policy,
ItemPointer tid, TransactionId priorXmax)
{
HeapTuple copyTuple = NULL;
if (TransactionIdIsValid(SnapshotDirty.xmax))
{
ReleaseBuffer(buffer);
- if (noWait)
+ switch (wait_policy)
{
- if (!ConditionalXactLockTableWait(SnapshotDirty.xmax))
- ereport(ERROR,
- (errcode(ERRCODE_LOCK_NOT_AVAILABLE),
- errmsg("could not obtain lock on row in relation \"%s\"",
- RelationGetRelationName(relation))));
+ case LockWaitBlock:
+ XactLockTableWait(SnapshotDirty.xmax,
+ relation, &tuple.t_self,
+ XLTW_FetchUpdated);
+ break;
+ case LockWaitSkip:
+ if (!ConditionalXactLockTableWait(SnapshotDirty.xmax))
+ return NULL; /* skip instead of waiting */
+ break;
+ case LockWaitError:
+ if (!ConditionalXactLockTableWait(SnapshotDirty.xmax))
+ ereport(ERROR,
+ (errcode(ERRCODE_LOCK_NOT_AVAILABLE),
+ errmsg("could not obtain lock on row in relation \"%s\"",
+ RelationGetRelationName(relation))));
+ break;
}
- else
- XactLockTableWait(SnapshotDirty.xmax,
- relation, &tuple.t_data->t_ctid,
- XLTW_FetchUpdated);
continue; /* loop back to repeat heap_fetch */
}
* heap_lock_tuple() will throw an error, and so would any later
* attempt to update or delete the tuple. (We need not check cmax
* because HeapTupleSatisfiesDirty will consider a tuple deleted
- * by our transaction dead, regardless of cmax.) Wee just checked
+ * by our transaction dead, regardless of cmax.) We just checked
* that priorXmax == xmin, so we can test that variable instead of
* doing HeapTupleHeaderGetXmin again.
*/
*/
test = heap_lock_tuple(relation, &tuple,
estate->es_output_cid,
- lockmode, noWait,
+ lockmode, wait_policy,
false, &buffer, &hufd);
/* We now have two pins on the buffer, get rid of one */
ReleaseBuffer(buffer);
/* tuple was deleted, so give up */
return NULL;
+ case HeapTupleWouldBlock:
+ ReleaseBuffer(buffer);
+ return NULL;
+
default:
ReleaseBuffer(buffer);
elog(ERROR, "unrecognized heap_lock_tuple status: %u",
/*
* EvalPlanQualSetPlan -- set or change subplan of an EPQState.
*
- * We need this so that ModifyTuple can deal with multiple subplans.
+ * We need this so that ModifyTable can deal with multiple subplans.
*/
void
EvalPlanQualSetPlan(EPQState *epqstate, Plan *subplan, List *auxrowmarks)
/* build a temporary HeapTuple control structure */
tuple.t_len = HeapTupleHeaderGetDatumLength(td);
ItemPointerSetInvalid(&(tuple.t_self));
- tuple.t_tableOid = InvalidOid;
+ /* relation might be a foreign table, if so provide tableoid */
+ tuple.t_tableOid = getrelid(erm->rti,
+ epqstate->estate->es_range_table);
tuple.t_data = td;
/* copy and store tuple */
* the snapshot, rangetable, result-rel info, and external Param info.
* They need their own copies of local state, including a tuple table,
* es_param_exec_vals, etc.
+ *
+ * The ResultRelInfo array management is trickier than it looks. We
+ * create a fresh array for the child but copy all the content from the
+ * parent. This is because it's okay for the child to share any
+ * per-relation state the parent has already created --- but if the child
+ * sets up any ResultRelInfo fields, such as its own junkfilter, that
+ * state must *not* propagate back to the parent. (For one thing, the
+ * pointed-to data is in a memory context that won't last long enough.)
*/
estate->es_direction = ForwardScanDirection;
estate->es_snapshot = parentestate->es_snapshot;
estate->es_plannedstmt = parentestate->es_plannedstmt;
estate->es_junkFilter = parentestate->es_junkFilter;
estate->es_output_cid = parentestate->es_output_cid;
- estate->es_result_relations = parentestate->es_result_relations;
- estate->es_num_result_relations = parentestate->es_num_result_relations;
- estate->es_result_relation_info = parentestate->es_result_relation_info;
+ if (parentestate->es_num_result_relations > 0)
+ {
+ int numResultRelations = parentestate->es_num_result_relations;
+ ResultRelInfo *resultRelInfos;
+
+ resultRelInfos = (ResultRelInfo *)
+ palloc(numResultRelations * sizeof(ResultRelInfo));
+ memcpy(resultRelInfos, parentestate->es_result_relations,
+ numResultRelations * sizeof(ResultRelInfo));
+ estate->es_result_relations = resultRelInfos;
+ estate->es_num_result_relations = numResultRelations;
+ }
+ /* es_result_relation_info must NOT be copied */
/* es_trig_target_relations must NOT be copied */
estate->es_rowMarks = parentestate->es_rowMarks;
estate->es_top_eflags = parentestate->es_top_eflags;
projects / postgresql / blobdiff