*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.113 2005/06/28 05:08:52 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.114 2005/06/28 19:51:21 tgl Exp $
*
* NOTES
* See acl.h.
static void ExecuteGrantStmt_Namespace(GrantStmt *stmt);
static void ExecuteGrantStmt_Tablespace(GrantStmt *stmt);
+static AclMode string_to_privilege(const char *privname);
static const char *privilege_to_string(AclMode privilege);
bool all_privs;
ListCell *i;
- if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
+ if (stmt->privileges == NIL)
{
all_privs = true;
privileges = ACL_ALL_RIGHTS_RELATION;
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
- AclMode priv = lfirst_int(i);
+ char *privname = strVal(lfirst(i));
+ AclMode priv = string_to_privilege(privname);
if (priv & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
ereport(ERROR,
bool all_privs;
ListCell *i;
- if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
+ if (stmt->privileges == NIL)
{
all_privs = true;
privileges = ACL_ALL_RIGHTS_DATABASE;
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
- AclMode priv = lfirst_int(i);
+ char *privname = strVal(lfirst(i));
+ AclMode priv = string_to_privilege(privname);
if (priv & ~((AclMode) ACL_ALL_RIGHTS_DATABASE))
ereport(ERROR,
bool all_privs;
ListCell *i;
- if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
+ if (stmt->privileges == NIL)
{
all_privs = true;
privileges = ACL_ALL_RIGHTS_FUNCTION;
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
- AclMode priv = lfirst_int(i);
+ char *privname = strVal(lfirst(i));
+ AclMode priv = string_to_privilege(privname);
if (priv & ~((AclMode) ACL_ALL_RIGHTS_FUNCTION))
ereport(ERROR,
bool all_privs;
ListCell *i;
- if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
+ if (stmt->privileges == NIL)
{
all_privs = true;
privileges = ACL_ALL_RIGHTS_LANGUAGE;
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
- AclMode priv = lfirst_int(i);
+ char *privname = strVal(lfirst(i));
+ AclMode priv = string_to_privilege(privname);
if (priv & ~((AclMode) ACL_ALL_RIGHTS_LANGUAGE))
ereport(ERROR,
bool all_privs;
ListCell *i;
- if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
+ if (stmt->privileges == NIL)
{
all_privs = true;
privileges = ACL_ALL_RIGHTS_NAMESPACE;
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
- AclMode priv = lfirst_int(i);
+ char *privname = strVal(lfirst(i));
+ AclMode priv = string_to_privilege(privname);
if (priv & ~((AclMode) ACL_ALL_RIGHTS_NAMESPACE))
ereport(ERROR,
bool all_privs;
ListCell *i;
- if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
+ if (stmt->privileges == NIL)
{
all_privs = true;
privileges = ACL_ALL_RIGHTS_TABLESPACE;
privileges = ACL_NO_RIGHTS;
foreach(i, stmt->privileges)
{
- AclMode priv = lfirst_int(i);
+ char *privname = strVal(lfirst(i));
+ AclMode priv = string_to_privilege(privname);
if (priv & ~((AclMode) ACL_ALL_RIGHTS_TABLESPACE))
ereport(ERROR,
}
+static AclMode
+string_to_privilege(const char *privname)
+{
+ if (strcmp(privname, "insert") == 0)
+ return ACL_INSERT;
+ if (strcmp(privname, "select") == 0)
+ return ACL_SELECT;
+ if (strcmp(privname, "update") == 0)
+ return ACL_UPDATE;
+ if (strcmp(privname, "delete") == 0)
+ return ACL_DELETE;
+ if (strcmp(privname, "rule") == 0)
+ return ACL_RULE;
+ if (strcmp(privname, "references") == 0)
+ return ACL_REFERENCES;
+ if (strcmp(privname, "trigger") == 0)
+ return ACL_TRIGGER;
+ if (strcmp(privname, "execute") == 0)
+ return ACL_EXECUTE;
+ if (strcmp(privname, "usage") == 0)
+ return ACL_USAGE;
+ if (strcmp(privname, "create") == 0)
+ return ACL_CREATE;
+ if (strcmp(privname, "temporary") == 0)
+ return ACL_CREATE_TEMP;
+ if (strcmp(privname, "temp") == 0)
+ return ACL_CREATE_TEMP;
+ ereport(ERROR,
+ (errcode(ERRCODE_SYNTAX_ERROR),
+ errmsg("unrecognized privilege type \"%s\"", privname)));
+ return 0; /* appease compiler */
+}
+
static const char *
privilege_to_string(AclMode privilege)
{
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/catalog/pg_proc.c,v 1.130 2005/06/28 05:08:52 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/catalog/pg_proc.c,v 1.131 2005/06/28 19:51:21 tgl Exp $
*
*-------------------------------------------------------------------------
*/
(errcode(ERRCODE_DUPLICATE_FUNCTION),
errmsg("function \"%s\" already exists with same argument types",
procedureName)));
- if (GetUserId() != oldproc->proowner && !superuser())
+ if (!pg_proc_ownercheck(HeapTupleGetOid(oldtup), GetUserId()))
aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
procedureName);
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.152 2005/06/28 05:08:55 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.153 2005/06/28 19:51:22 tgl Exp $
*
*-------------------------------------------------------------------------
*/
bool createrole = false; /* Can this user create roles? */
bool createdb = false; /* Can the user create databases? */
bool canlogin = false; /* Can this user login? */
- List *roleElts = NIL; /* roles the user is a member of */
- List *rolememElts = NIL; /* roles which will be members of this role */
- char *validUntil = NULL; /* The time the login is valid
- * until */
+ List *addroleto = NIL; /* roles to make this a member of */
+ List *rolemembers = NIL; /* roles to be members of this role */
+ List *adminmembers = NIL; /* roles to be admins of this role */
+ char *validUntil = NULL; /* time the login is valid until */
DefElem *dpassword = NULL;
DefElem *dcreatedb = NULL;
DefElem *dcreaterole = NULL;
DefElem *dcanlogin = NULL;
- DefElem *droleElts = NULL;
- DefElem *drolememElts = NULL;
+ DefElem *daddroleto = NULL;
+ DefElem *drolemembers = NULL;
+ DefElem *dadminmembers = NULL;
DefElem *dvalidUntil = NULL;
/* Extract options from the statement node tree */
errmsg("conflicting or redundant options")));
dcanlogin = defel;
}
- else if (strcmp(defel->defname, "roleElts") == 0)
+ else if (strcmp(defel->defname, "addroleto") == 0)
{
- if (droleElts)
+ if (daddroleto)
ereport(ERROR,
(errcode(ERRCODE_SYNTAX_ERROR),
errmsg("conflicting or redundant options")));
- droleElts = defel;
+ daddroleto = defel;
}
- else if (strcmp(defel->defname, "rolememElts") == 0)
+ else if (strcmp(defel->defname, "rolemembers") == 0)
{
- if (drolememElts)
+ if (drolemembers)
ereport(ERROR,
(errcode(ERRCODE_SYNTAX_ERROR),
errmsg("conflicting or redundant options")));
- drolememElts = defel;
+ drolemembers = defel;
+ }
+ else if (strcmp(defel->defname, "adminmembers") == 0)
+ {
+ if (dadminmembers)
+ ereport(ERROR,
+ (errcode(ERRCODE_SYNTAX_ERROR),
+ errmsg("conflicting or redundant options")));
+ dadminmembers = defel;
}
else if (strcmp(defel->defname, "validUntil") == 0)
{
validUntil = strVal(dvalidUntil->arg);
if (dpassword)
password = strVal(dpassword->arg);
- if (droleElts)
- roleElts = (List *) droleElts->arg;
- if (drolememElts)
- rolememElts = (List *) drolememElts->arg;
+ if (daddroleto)
+ addroleto = (List *) daddroleto->arg;
+ if (drolemembers)
+ rolemembers = (List *) drolemembers->arg;
+ if (dadminmembers)
+ adminmembers = (List *) dadminmembers->arg;
/* Check some permissions first */
if (!superuser())
/*
* Add the new role to the specified existing roles.
*/
- foreach(item, roleElts)
+ foreach(item, addroleto)
{
char *oldrolename = strVal(lfirst(item));
Oid oldroleid = get_roleid_checked(oldrolename);
}
/*
- * Add the specified members to this new role.
+ * Add the specified members to this new role. adminmembers get the
+ * admin option, rolemembers don't.
*/
AddRoleMems(stmt->role, roleid,
- rolememElts, roleNamesToIds(rolememElts),
+ adminmembers, roleNamesToIds(adminmembers),
+ GetUserId(), true);
+ AddRoleMems(stmt->role, roleid,
+ rolemembers, roleNamesToIds(rolemembers),
GetUserId(), false);
/*
int createrole = -1; /* Can this user create roles? */
int createdb = -1; /* Can the user create databases? */
int canlogin = -1; /* Can this user login? */
- int adminopt = 0; /* Can this user grant this role to others? */
- List *rolememElts = NIL; /* The roles which will be added/removed to this role */
- char *validUntil = NULL; /* The time the login is valid
- * until */
+ List *rolemembers = NIL; /* roles to be added/removed */
+ char *validUntil = NULL; /* time the login is valid until */
DefElem *dpassword = NULL;
DefElem *dcreatedb = NULL;
DefElem *dcreaterole = NULL;
DefElem *dcanlogin = NULL;
- DefElem *dadminopt = NULL;
DefElem *dvalidUntil = NULL;
- DefElem *drolememElts = NULL;
+ DefElem *drolemembers = NULL;
Oid roleid;
/* Extract options from the statement node tree */
errmsg("conflicting or redundant options")));
dcanlogin = defel;
}
- else if (strcmp(defel->defname, "adminopt") == 0)
- {
- if (dadminopt)
- ereport(ERROR,
- (errcode(ERRCODE_SYNTAX_ERROR),
- errmsg("conflicting or redundant options")));
- dadminopt = defel;
- }
else if (strcmp(defel->defname, "validUntil") == 0)
{
if (dvalidUntil)
errmsg("conflicting or redundant options")));
dvalidUntil = defel;
}
- else if (strcmp(defel->defname, "rolememElts") == 0 && stmt->action != 0)
+ else if (strcmp(defel->defname, "rolemembers") == 0 &&
+ stmt->action != 0)
{
- if (drolememElts)
+ if (drolemembers)
ereport(ERROR,
(errcode(ERRCODE_SYNTAX_ERROR),
errmsg("conflicting or redundant options")));
- drolememElts = defel;
+ drolemembers = defel;
}
else
elog(ERROR, "option \"%s\" not recognized",
}
if (dcanlogin)
canlogin = intVal(dcanlogin->arg);
- if (dadminopt)
- adminopt = intVal(dadminopt->arg);
if (dvalidUntil)
validUntil = strVal(dvalidUntil->arg);
if (dpassword)
password = strVal(dpassword->arg);
- if (drolememElts)
- rolememElts = (List *) drolememElts->arg;
+ if (drolemembers)
+ rolemembers = (List *) drolemembers->arg;
/* must be superuser or just want to change your own password */
if (!superuser() &&
createdb < 0 &&
canlogin < 0 &&
!validUntil &&
- !rolememElts &&
- !adminopt &&
+ !rolemembers &&
password &&
strcmp(GetUserNameFromId(GetUserId()), stmt->role) == 0))
ereport(ERROR,
if (stmt->action == +1) /* add members to role */
AddRoleMems(stmt->role, roleid,
- rolememElts, roleNamesToIds(rolememElts),
- GetUserId(), adminopt);
+ rolemembers, roleNamesToIds(rolemembers),
+ GetUserId(), false);
else if (stmt->action == -1) /* drop members from role */
DelRoleMems(stmt->role, roleid,
- rolememElts, roleNamesToIds(rolememElts),
- adminopt);
+ rolemembers, roleNamesToIds(rolemembers),
+ false);
/*
* Set flag to update flat auth file at commit.
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/parser/gram.y,v 2.499 2005/06/28 05:08:57 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/parser/gram.y,v 2.500 2005/06/28 19:51:22 tgl Exp $
*
* HISTORY
* AUTHOR DATE MAJOR EVENT
DropGroupStmt DropOpClassStmt DropPLangStmt DropStmt
DropAssertStmt DropTrigStmt DropRuleStmt DropCastStmt DropRoleStmt
DropUserStmt DropdbStmt DropTableSpaceStmt ExplainStmt FetchStmt
- GrantRoleStmt GrantStmt IndexStmt InsertStmt ListenStmt LoadStmt
+ GrantStmt GrantRoleStmt IndexStmt InsertStmt ListenStmt LoadStmt
LockStmt NotifyStmt ExplainableStmt PreparableStmt
CreateFunctionStmt AlterFunctionStmt ReindexStmt RemoveAggrStmt
- RemoveFuncStmt RemoveOperStmt RenameStmt RevokeRoleStmt RevokeStmt
+ RemoveFuncStmt RemoveOperStmt RenameStmt RevokeStmt RevokeRoleStmt
RuleActionStmt RuleActionStmtOrEmpty RuleStmt
SelectStmt TransactionStmt TruncateStmt
UnlistenStmt UpdateStmt VacuumStmt
%type <ival> opt_lock lock_type cast_context
%type <boolean> opt_force opt_or_replace
- opt_grant_grant_option opt_revoke_grant_option
- opt_alter_admin_option
- opt_grant_admin_option opt_revoke_admin_option
+ opt_grant_grant_option opt_grant_admin_option
opt_nowait
%type <boolean> like_including_defaults
-%type <list> role_list
-
%type <list> OptRoleList
%type <defelt> OptRoleElem
%type <str> iso_level opt_encoding
%type <node> grantee
%type <list> grantee_list
-%type <ival> privilege
+%type <str> privilege
%type <list> privileges privilege_list
%type <privtarget> privilege_target
%type <funwithargs> function_with_argtypes
CHARACTER CHARACTERISTICS CHECK CHECKPOINT CLASS CLOSE
CLUSTER COALESCE COLLATE COLUMN COMMENT COMMIT
COMMITTED CONSTRAINT CONSTRAINTS CONVERSION_P CONVERT COPY CREATE CREATEDB
- CREATEROLE CREATEUSER CROSS CSV CURRENT_DATE CURRENT_TIME
- CURRENT_TIMESTAMP CURRENT_ROLE CURRENT_USER CURSOR CYCLE
+ CREATEROLE CREATEUSER CROSS CSV CURRENT_DATE CURRENT_ROLE CURRENT_TIME
+ CURRENT_TIMESTAMP CURRENT_USER CURSOR CYCLE
DATABASE DAY_P DEALLOCATE DEC DECIMAL_P DECLARE DEFAULT DEFAULTS
DEFERRABLE DEFERRED DEFINER DELETE_P DELIMITER DELIMITERS
LANCOMPILER LANGUAGE LARGE_P LAST_P LEADING LEAST LEFT LEVEL
LIKE LIMIT LISTEN LOAD LOCAL LOCALTIME LOCALTIMESTAMP LOCATION
- LOCK_P LOGIN
+ LOCK_P LOGIN_P
MATCH MAXVALUE MINUTE_P MINVALUE MODE MONTH_P MOVE
NAMES NATIONAL NATURAL NCHAR NEW NEXT NO NOCREATEDB
- NOCREATEROLE NOCREATEUSER NONE NOT NOTHING NOTIFY NOTNULL NOWAIT NULL_P
- NULLIF NUMERIC NOLOGIN
+ NOCREATEROLE NOCREATEUSER NOLOGIN_P NONE NOT NOTHING NOTIFY
+ NOTNULL NOWAIT NULL_P NULLIF NUMERIC
OBJECT_P OF OFF OFFSET OIDS OLD ON ONLY OPERATOR OPTION OR
ORDER OUT_P OUTER_P OVERLAPS OVERLAY OWNER
ROLE ROLLBACK ROW ROWS RULE
SAVEPOINT SCHEMA SCROLL SECOND_P SECURITY SELECT SEQUENCE
- SERIALIZABLE SESSION SESSION_ROLE SESSION_USER SET SETOF SHARE
+ SERIALIZABLE SESSION SESSION_USER SET SETOF SHARE
SHOW SIMILAR SIMPLE SMALLINT SOME STABLE START STATEMENT
STATISTICS STDIN STDOUT STORAGE STRICT_P SUBSTRING SYMMETRIC
SYSID SYSTEM_P
TRUNCATE TRUSTED TYPE_P
UNCOMMITTED UNENCRYPTED UNION UNIQUE UNKNOWN UNLISTEN UNTIL
- UPDATE USAGE USER USING
+ UPDATE USER USING
VACUUM VALID VALIDATOR VALUES VARCHAR VARYING
VERBOSE VIEW VOLATILE
| ExecuteStmt
| ExplainStmt
| FetchStmt
- | GrantRoleStmt
| GrantStmt
+ | GrantRoleStmt
| IndexStmt
| InsertStmt
| ListenStmt
| RemoveFuncStmt
| RemoveOperStmt
| RenameStmt
- | RevokeRoleStmt
| RevokeStmt
+ | RevokeRoleStmt
| RuleStmt
| SelectStmt
| TransactionStmt
*
* Create a new Postgres DBMS role
*
- *
*****************************************************************************/
CreateRoleStmt:
| /*EMPTY*/ {}
;
+/*
+ * Options for CREATE ROLE and ALTER ROLE (also used by CREATE/ALTER USER
+ * for backwards compatibility). Note: the only option required by SQL99
+ * is "WITH ADMIN name".
+ */
+OptRoleList:
+ OptRoleList OptRoleElem { $$ = lappend($1, $2); }
+ | /* EMPTY */ { $$ = NIL; }
+ ;
+
+OptRoleElem:
+ PASSWORD Sconst
+ {
+ $$ = makeDefElem("password",
+ (Node *)makeString($2));
+ }
+ | ENCRYPTED PASSWORD Sconst
+ {
+ $$ = makeDefElem("encryptedPassword",
+ (Node *)makeString($3));
+ }
+ | UNENCRYPTED PASSWORD Sconst
+ {
+ $$ = makeDefElem("unencryptedPassword",
+ (Node *)makeString($3));
+ }
+ | SYSID Iconst
+ {
+ $$ = makeDefElem("sysid", (Node *)makeInteger($2));
+ }
+ | CREATEDB
+ {
+ $$ = makeDefElem("createdb", (Node *)makeInteger(TRUE));
+ }
+ | NOCREATEDB
+ {
+ $$ = makeDefElem("createdb", (Node *)makeInteger(FALSE));
+ }
+ | CREATEROLE
+ {
+ $$ = makeDefElem("createrole", (Node *)makeInteger(TRUE));
+ }
+ | CREATEUSER
+ {
+ $$ = makeDefElem("createrole", (Node *)makeInteger(TRUE));
+ }
+ | LOGIN_P
+ {
+ $$ = makeDefElem("canlogin", (Node *)makeInteger(TRUE));
+ }
+ | NOCREATEROLE
+ {
+ $$ = makeDefElem("createrole", (Node *)makeInteger(FALSE));
+ }
+ | NOCREATEUSER
+ {
+ $$ = makeDefElem("createrole", (Node *)makeInteger(FALSE));
+ }
+ | NOLOGIN_P
+ {
+ $$ = makeDefElem("canlogin", (Node *)makeInteger(FALSE));
+ }
+ | IN_P ROLE name_list
+ {
+ $$ = makeDefElem("addroleto", (Node *)$3);
+ }
+ | IN_P GROUP_P name_list
+ {
+ $$ = makeDefElem("addroleto", (Node *)$3);
+ }
+ | VALID UNTIL Sconst
+ {
+ $$ = makeDefElem("validUntil", (Node *)makeString($3));
+ }
+ | ADMIN name_list
+ {
+ $$ = makeDefElem("adminmembers", (Node *)$2);
+ }
+ | ROLE name_list
+ {
+ $$ = makeDefElem("rolemembers", (Node *)$2);
+ }
+ | USER name_list
+ {
+ $$ = makeDefElem("rolemembers", (Node *)$2);
+ }
+ ;
+
+
/*****************************************************************************
*
* Create a new Postgres DBMS user (role with implied login ability)
*
- *
*****************************************************************************/
CreateUserStmt:
{
CreateRoleStmt *n = makeNode(CreateRoleStmt);
n->role = $3;
- n->options = $5;
- n->options = lappend(n->options,makeDefElem("canlogin", (Node *)makeInteger(TRUE)));
+ n->options = lappend($5,
+ makeDefElem("canlogin",
+ (Node *)makeInteger(TRUE)));
$$ = (Node *)n;
}
;
*
* Alter a postgresql DBMS role
*
- *
*****************************************************************************/
AlterRoleStmt:
n->options = $5;
$$ = (Node *)n;
}
- | ALTER ROLE RoleId add_drop ROLE role_list opt_alter_admin_option
- {
- AlterRoleStmt *n = makeNode(AlterRoleStmt);
- n->role = $3;
- n->action = $4;
- n->options = lappend(n->options,makeDefElem("rolememElts", (Node *)$6));
- n->options = lappend(n->options,makeDefElem("adminopt", (Node *)makeInteger($7)));
- $$ = (Node *)n;
- }
- ;
-
-add_drop: ADD { $$ = +1; }
- | DROP { $$ = -1; }
- ;
-
-opt_alter_admin_option:
- ADMIN OPTION { $$ = TRUE; }
- | /*EMPTY*/ { $$ = FALSE; }
;
AlterRoleSetStmt:
n->value = NIL;
$$ = (Node *)n;
}
- ;
+ ;
/*****************************************************************************
*
* Alter a postgresql DBMS user
*
- *
*****************************************************************************/
AlterUserStmt:
*****************************************************************************/
DropRoleStmt:
- DROP ROLE role_list
+ DROP ROLE name_list
{
DropRoleStmt *n = makeNode(DropRoleStmt);
n->roles = $3;
*****************************************************************************/
DropUserStmt:
- DROP USER role_list
+ DROP USER name_list
{
DropRoleStmt *n = makeNode(DropRoleStmt);
n->roles = $3;
}
;
-/*
- * Options for CREATE ROLE and ALTER ROLE (also used by CREATE/ALTER USER for backwards compat)
- */
-OptRoleList:
- OptRoleList OptRoleElem { $$ = lappend($1, $2); }
- | /* EMPTY */ { $$ = NIL; }
- ;
-
-OptRoleElem:
- PASSWORD Sconst
- {
- $$ = makeDefElem("password", (Node *)makeString($2));
- }
- | ENCRYPTED PASSWORD Sconst
- {
- $$ = makeDefElem("encryptedPassword", (Node *)makeString($3));
- }
- | UNENCRYPTED PASSWORD Sconst
- {
- $$ = makeDefElem("unencryptedPassword", (Node *)makeString($3));
- }
- | SYSID Iconst
- {
- $$ = makeDefElem("sysid", (Node *)makeInteger($2));
- }
- | CREATEDB
- {
- $$ = makeDefElem("createdb", (Node *)makeInteger(TRUE));
- }
- | NOCREATEDB
- {
- $$ = makeDefElem("createdb", (Node *)makeInteger(FALSE));
- }
- | CREATEROLE
- {
- $$ = makeDefElem("createrole", (Node *)makeInteger(TRUE));
- }
- | CREATEUSER
- {
- $$ = makeDefElem("createrole", (Node *)makeInteger(TRUE));
- }
- | LOGIN
- {
- $$ = makeDefElem("canlogin", (Node *)makeInteger(TRUE));
- }
- | NOCREATEROLE
- {
- $$ = makeDefElem("createrole", (Node *)makeInteger(FALSE));
- }
- | NOCREATEUSER
- {
- $$ = makeDefElem("createrole", (Node *)makeInteger(FALSE));
- }
- | NOLOGIN
- {
- $$ = makeDefElem("canlogin", (Node *)makeInteger(FALSE));
- }
- | IN_P ROLE role_list
- {
- $$ = makeDefElem("roleElts", (Node *)$3);
- }
- | IN_P GROUP_P role_list
- {
- $$ = makeDefElem("roleElts", (Node *)$3);
- }
- | VALID UNTIL Sconst
- {
- $$ = makeDefElem("validUntil", (Node *)makeString($3));
- }
- | ROLE role_list
- {
- $$ = makeDefElem("rolememElts", (Node *)$2);
- }
- | USER role_list
- {
- $$ = makeDefElem("rolememElts", (Node *)$2);
- }
- ;
-
-role_list: role_list ',' RoleId { $$ = lappend($1, makeString($3)); }
- | RoleId { $$ = list_make1(makeString($1)); }
- ;
-
-
/*****************************************************************************
*
* Create a postgresql group (role without login ability)
*
- *
*****************************************************************************/
CreateGroupStmt:
*
* Alter a postgresql group
*
- *
*****************************************************************************/
AlterGroupStmt:
- ALTER GROUP_P RoleId add_drop USER role_list
+ ALTER GROUP_P RoleId add_drop USER name_list
{
AlterRoleStmt *n = makeNode(AlterRoleStmt);
n->role = $3;
n->action = $4;
- n->options = lappend(n->options,makeDefElem("rolememElts", (Node *)$6));
+ n->options = list_make1(makeDefElem("rolemembers",
+ (Node *)$6));
$$ = (Node *)n;
}
;
+add_drop: ADD { $$ = +1; }
+ | DROP { $$ = -1; }
+ ;
+
/*****************************************************************************
*
*****************************************************************************/
DropGroupStmt:
- DROP GROUP_P role_list
+ DROP GROUP_P name_list
{
DropRoleStmt *n = makeNode(DropRoleStmt);
n->roles = $3;
;
-/*****************************************************************************
- *
- * GRANT and REVOKE ROLE statements
- *
- *****************************************************************************/
-
-GrantRoleStmt: GRANT ROLE role_list TO role_list opt_grant_admin_option
- opt_granted_by
- {
- GrantRoleStmt *n = makeNode(GrantRoleStmt);
- n->granted_roles = $3;
- n->grantee_roles = $5;
- n->is_grant = true;
- n->admin_opt = $6;
- n->grantor = $7;
- $$ = (Node*)n;
- }
-
-RevokeRoleStmt: REVOKE ROLE opt_revoke_admin_option role_list FROM role_list
- opt_drop_behavior
- {
- GrantRoleStmt *n = makeNode(GrantRoleStmt);
- n->granted_roles = $4;
- n->grantee_roles = $6;
- n->is_grant = false;
- n->admin_opt = $3;
- n->behavior = $7;
- $$ = (Node*)n;
- }
-
/*****************************************************************************
*
* GRANT and REVOKE statements
}
;
-RevokeStmt: REVOKE opt_revoke_grant_option privileges ON privilege_target
+RevokeStmt:
+ REVOKE privileges ON privilege_target
FROM grantee_list opt_drop_behavior
{
GrantStmt *n = makeNode(GrantStmt);
n->is_grant = false;
- n->privileges = $3;
- n->objtype = ($5)->objtype;
- n->objects = ($5)->objs;
- n->grantees = $7;
- n->grant_option = $2;
- n->behavior = $8;
-
+ n->grant_option = false;
+ n->privileges = $2;
+ n->objtype = ($4)->objtype;
+ n->objects = ($4)->objs;
+ n->grantees = $6;
+ n->behavior = $7;
+ $$ = (Node *)n;
+ }
+ | REVOKE GRANT OPTION FOR privileges ON privilege_target
+ FROM grantee_list opt_drop_behavior
+ {
+ GrantStmt *n = makeNode(GrantStmt);
+ n->is_grant = false;
+ n->grant_option = true;
+ n->privileges = $5;
+ n->objtype = ($7)->objtype;
+ n->objects = ($7)->objs;
+ n->grantees = $9;
+ n->behavior = $10;
$$ = (Node *)n;
}
;
+/*
+ * A privilege list is represented as a list of strings; the validity of
+ * the privilege names gets checked at execution. This is a bit annoying
+ * but we have little choice because of the syntactic conflict with lists
+ * of role names in GRANT/REVOKE. What's more, we have to call out in
+ * the "privilege" production any reserved keywords that need to be usable
+ * as privilege names.
+ */
+
/* either ALL [PRIVILEGES] or a list of individual privileges */
-privileges: privilege_list { $$ = $1; }
- | ALL { $$ = list_make1_int(ACL_ALL_RIGHTS); }
- | ALL PRIVILEGES { $$ = list_make1_int(ACL_ALL_RIGHTS); }
+privileges: privilege_list
+ { $$ = $1; }
+ | ALL
+ { $$ = NIL; }
+ | ALL PRIVILEGES
+ { $$ = NIL; }
;
-privilege_list:
- privilege { $$ = list_make1_int($1); }
- | privilege_list ',' privilege { $$ = lappend_int($1, $3); }
+privilege_list: privilege
+ { $$ = list_make1(makeString($1)); }
+ | privilege_list ',' privilege
+ { $$ = lappend($1, makeString($3)); }
;
-/* Not all of these privilege types apply to all objects, but that
- * gets sorted out later.
- */
-privilege: SELECT { $$ = ACL_SELECT; }
- | INSERT { $$ = ACL_INSERT; }
- | UPDATE { $$ = ACL_UPDATE; }
- | DELETE_P { $$ = ACL_DELETE; }
- | RULE { $$ = ACL_RULE; }
- | REFERENCES { $$ = ACL_REFERENCES; }
- | TRIGGER { $$ = ACL_TRIGGER; }
- | EXECUTE { $$ = ACL_EXECUTE; }
- | USAGE { $$ = ACL_USAGE; }
- | CREATE { $$ = ACL_CREATE; }
- | TEMPORARY { $$ = ACL_CREATE_TEMP; }
- | TEMP { $$ = ACL_CREATE_TEMP; }
+privilege: SELECT { $$ = pstrdup($1); }
+ | REFERENCES { $$ = pstrdup($1); }
+ | CREATE { $$ = pstrdup($1); }
+ | ColId { $$ = $1; }
;
/* Don't bother trying to fold the first two rules into one using
- opt_table. You're going to get conflicts. */
+ * opt_table. You're going to get conflicts.
+ */
privilege_target:
qualified_name_list
{
| /*EMPTY*/ { $$ = FALSE; }
;
-opt_grant_admin_option:
- WITH ADMIN OPTION { $$ = TRUE; }
- | /*EMPTY*/ { $$ = FALSE; }
- ;
-
-opt_granted_by:
- GRANTED BY RoleId { $$ = $3; }
- | /*EMPTY*/ { $$ = NULL; }
- ;
-
-opt_revoke_grant_option:
- GRANT OPTION FOR { $$ = TRUE; }
- | /*EMPTY*/ { $$ = FALSE; }
- ;
-
-opt_revoke_admin_option:
- ADMIN OPTION FOR { $$ = TRUE; }
- | /*EMPTY*/ { $$ = FALSE; }
- ;
-
-
function_with_argtypes_list:
function_with_argtypes { $$ = list_make1($1); }
| function_with_argtypes_list ',' function_with_argtypes
}
;
+/*****************************************************************************
+ *
+ * GRANT and REVOKE ROLE statements
+ *
+ *****************************************************************************/
+
+GrantRoleStmt:
+ GRANT privilege_list TO name_list opt_grant_admin_option opt_granted_by
+ {
+ GrantRoleStmt *n = makeNode(GrantRoleStmt);
+ n->is_grant = true;
+ n->granted_roles = $2;
+ n->grantee_roles = $4;
+ n->admin_opt = $5;
+ n->grantor = $6;
+ $$ = (Node*)n;
+ }
+ ;
+
+RevokeRoleStmt:
+ REVOKE privilege_list FROM name_list opt_granted_by opt_drop_behavior
+ {
+ GrantRoleStmt *n = makeNode(GrantRoleStmt);
+ n->is_grant = false;
+ n->admin_opt = false;
+ n->granted_roles = $2;
+ n->grantee_roles = $4;
+ n->behavior = $6;
+ $$ = (Node*)n;
+ }
+ | REVOKE ADMIN OPTION FOR privilege_list FROM name_list opt_granted_by opt_drop_behavior
+ {
+ GrantRoleStmt *n = makeNode(GrantRoleStmt);
+ n->is_grant = false;
+ n->admin_opt = true;
+ n->granted_roles = $5;
+ n->grantee_roles = $7;
+ n->behavior = $9;
+ $$ = (Node*)n;
+ }
+ ;
+
+opt_grant_admin_option: WITH ADMIN OPTION { $$ = TRUE; }
+ | /*EMPTY*/ { $$ = FALSE; }
+ ;
+
+opt_granted_by: GRANTED BY RoleId { $$ = $3; }
+ | /*EMPTY*/ { $$ = NULL; }
+ ;
+
/*****************************************************************************
*
n->agg_distinct = FALSE;
$$ = (Node *)n;
}
- | SESSION_ROLE
- {
- FuncCall *n = makeNode(FuncCall);
- n->funcname = SystemFuncName("session_user");
- n->args = NIL;
- n->agg_star = FALSE;
- n->agg_distinct = FALSE;
- $$ = (Node *)n;
- }
- | ROLE
- {
- FuncCall *n = makeNode(FuncCall);
- n->funcname = SystemFuncName("current_user");
- n->args = NIL;
- n->agg_star = FALSE;
- n->agg_distinct = FALSE;
- $$ = (Node *)n;
- }
| CURRENT_USER
{
FuncCall *n = makeNode(FuncCall);
| ACCESS
| ACTION
| ADD
+ | ADMIN
| AFTER
| AGGREGATE
| ALSO
| FORWARD
| FUNCTION
| GLOBAL
+ | GRANTED
| HANDLER
| HEADER
| HOLD
| LOCAL
| LOCATION
| LOCK_P
- | LOGIN
+ | LOGIN_P
| MATCH
| MAXVALUE
| MINUTE_P
| NOCREATEDB
| NOCREATEROLE
| NOCREATEUSER
- | NOLOGIN
+ | NOLOGIN_P
| NOTHING
| NOTIFY
| NOWAIT
| RESTRICT
| RETURNS
| REVOKE
+ | ROLE
| ROLLBACK
| ROWS
| RULE
| UNLISTEN
| UNTIL
| UPDATE
- | USAGE
| VACUUM
| VALID
| VALIDATOR
| CONSTRAINT
| CREATE
| CURRENT_DATE
+ | CURRENT_ROLE
| CURRENT_TIME
| CURRENT_TIMESTAMP
- | CURRENT_ROLE
| CURRENT_USER
| DEFAULT
| DEFERRABLE
| PRIMARY
| REFERENCES
| SELECT
- | SESSION_ROLE
| SESSION_USER
| SOME
| SYMMETRIC
| TRUE_P
| UNION
| UNIQUE
- | ROLE
| USER
| USING
| WHEN
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/parser/keywords.c,v 1.160 2005/06/28 05:08:58 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/parser/keywords.c,v 1.161 2005/06/28 19:51:22 tgl Exp $
*
*-------------------------------------------------------------------------
*/
{"access", ACCESS},
{"action", ACTION},
{"add", ADD},
+ {"admin", ADMIN},
{"after", AFTER},
{"aggregate", AGGREGATE},
{"all", ALL},
{"copy", COPY},
{"create", CREATE},
{"createdb", CREATEDB},
+ {"createrole", CREATEROLE},
{"createuser", CREATEUSER},
{"cross", CROSS},
{"csv", CSV},
{"current_date", CURRENT_DATE},
+ {"current_role", CURRENT_ROLE},
{"current_time", CURRENT_TIME},
{"current_timestamp", CURRENT_TIMESTAMP},
{"current_user", CURRENT_USER},
{"function", FUNCTION},
{"global", GLOBAL},
{"grant", GRANT},
+ {"granted", GRANTED},
{"greatest", GREATEST},
{"group", GROUP_P},
{"handler", HANDLER},
{"localtimestamp", LOCALTIMESTAMP},
{"location", LOCATION},
{"lock", LOCK_P},
+ {"login", LOGIN_P},
{"match", MATCH},
{"maxvalue", MAXVALUE},
{"minute", MINUTE_P},
{"next", NEXT},
{"no", NO},
{"nocreatedb", NOCREATEDB},
+ {"nocreaterole", NOCREATEROLE},
{"nocreateuser", NOCREATEUSER},
+ {"nologin", NOLOGIN_P},
{"none", NONE},
{"not", NOT},
{"nothing", NOTHING},
{"unlisten", UNLISTEN},
{"until", UNTIL},
{"update", UPDATE},
- {"usage", USAGE},
{"user", USER},
{"using", USING},
{"vacuum", VACUUM},
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.115 2005/06/28 05:09:00 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.116 2005/06/28 19:51:23 tgl Exp $
*
*-------------------------------------------------------------------------
*/
}
void
-InitializeAcl(void)
+initialize_acl(void)
{
if (!IsBootstrapProcessingMode())
{
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.150 2005/06/28 05:09:02 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.151 2005/06/28 19:51:23 tgl Exp $
*
*
*-------------------------------------------------------------------------
InitializeSearchPath();
/* set up ACL framework (currently just sets RolMemCache callback) */
- InitializeAcl();
+ initialize_acl();
/* initialize client encoding */
InitializeClientEncoding();
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/nodes/parsenodes.h,v 1.284 2005/06/28 05:09:13 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/nodes/parsenodes.h,v 1.285 2005/06/28 19:51:24 tgl Exp $
*
*-------------------------------------------------------------------------
*/
/*
* Grantable rights are encoded so that we can OR them together in a bitmask.
- * The present representation of AclItem limits us to 15 distinct rights,
+ * The present representation of AclItem limits us to 16 distinct rights,
* even though AclMode is defined as uint32. See utils/acl.h.
*
* Caution: changing these codes breaks stored ACLs, hence forces initdb.
#define ACL_CREATE (1<<9) /* for namespaces and databases */
#define ACL_CREATE_TEMP (1<<10) /* for databases */
#define N_ACL_RIGHTS 11 /* 1 plus the last 1<<x */
-#define ACL_ALL_RIGHTS (-1) /* all-privileges marker in GRANT list */
#define ACL_NO_RIGHTS 0
/* Currently, SELECT ... FOR UPDATE/FOR SHARE requires UPDATE privileges */
#define ACL_SELECT_FOR_UPDATE ACL_UPDATE
List *objects; /* list of RangeVar nodes, FuncWithArgs
* nodes, or plain names (as Value
* strings) */
- List *privileges; /* integer list of privilege codes */
+ List *privileges; /* list of privilege names (as Strings) */
+ /* privileges == NIL denotes "all privileges" */
List *grantees; /* list of PrivGrantee nodes */
bool grant_option; /* grant or revoke grant option */
DropBehavior behavior; /* drop behavior (for REVOKE) */
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/storage/pmsignal.h,v 1.11 2004/12/31 22:03:42 pgsql Exp $
+ * $PostgreSQL: pgsql/src/include/storage/pmsignal.h,v 1.12 2005/06/28 19:51:25 tgl Exp $
*
*-------------------------------------------------------------------------
*/
*/
typedef enum
{
- PMSIGNAL_PASSWORD_CHANGE, /* pg_pwd file has changed */
+ PMSIGNAL_PASSWORD_CHANGE, /* pg_auth file has changed */
PMSIGNAL_WAKEN_CHILDREN, /* send a SIGUSR1 signal to all backends */
PMSIGNAL_WAKEN_ARCHIVER, /* send a NOTIFY signal to xlog archiver */
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.78 2005/06/28 05:09:13 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.79 2005/06/28 19:51:25 tgl Exp $
*
* NOTES
* An ACL array is simply an array of AclItems, representing the union
extern bool is_member_of_role(Oid member, Oid role);
-extern void InitializeAcl(void);
+extern void initialize_acl(void);
/*
* SQL functions (from acl.c)
iexit | SELECT ih.name, ih.thepath, interpt_pp(ih.thepath, r.thepath) AS exit FROM ihighway ih, ramp r WHERE (ih.thepath ## r.thepath);
pg_group | SELECT pg_authid.rolname AS groname, pg_authid.oid AS grosysid, ARRAY(SELECT pg_auth_members.member FROM pg_auth_members WHERE (pg_auth_members.roleid = pg_authid.oid)) AS grolist FROM pg_authid WHERE (NOT pg_authid.rolcanlogin);
pg_indexes | SELECT n.nspname AS schemaname, c.relname AS tablename, i.relname AS indexname, t.spcname AS "tablespace", pg_get_indexdef(i.oid) AS indexdef FROM ((((pg_index x JOIN pg_class c ON ((c.oid = x.indrelid))) JOIN pg_class i ON ((i.oid = x.indexrelid))) LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace))) LEFT JOIN pg_tablespace t ON ((t.oid = i.reltablespace))) WHERE ((c.relkind = 'r'::"char") AND (i.relkind = 'i'::"char"));
- pg_locks | SELECT l.locktype, l."database", l.relation, l.page, l.tuple, l.transactionid, l.classid, l.objid, l.objsubid, l."transaction", l.pid, l."mode", l.granted FROM pg_lock_status() l(locktype text, "database" oid, relation oid, page integer, tuple smallint, transactionid xid, classid oid, objid oid, objsubid smallint, "transaction" xid, pid integer, "mode" text, granted boolean);
+ pg_locks | SELECT l.locktype, l."database", l.relation, l.page, l.tuple, l.transactionid, l.classid, l.objid, l.objsubid, l."transaction", l.pid, l."mode", l."granted" FROM pg_lock_status() l(locktype text, "database" oid, relation oid, page integer, tuple smallint, transactionid xid, classid oid, objid oid, objsubid smallint, "transaction" xid, pid integer, "mode" text, "granted" boolean);
pg_prepared_xacts | SELECT p."transaction", p.gid, p."prepared", u.rolname AS "owner", d.datname AS "database" FROM ((pg_prepared_xact() p("transaction" xid, gid text, "prepared" timestamp with time zone, ownerid oid, dbid oid) LEFT JOIN pg_authid u ON ((p.ownerid = u.oid))) LEFT JOIN pg_database d ON ((p.dbid = d.oid)));
pg_roles | SELECT pg_authid.rolname, pg_authid.rolsuper, pg_authid.rolcreaterole, pg_authid.rolcreatedb, pg_authid.rolcatupdate, pg_authid.rolcanlogin, '********'::text AS rolpassword, pg_authid.rolvaliduntil, pg_authid.rolconfig FROM pg_authid;
pg_rules | SELECT n.nspname AS schemaname, c.relname AS tablename, r.rulename, pg_get_ruledef(r.oid) AS definition FROM ((pg_rewrite r JOIN pg_class c ON ((c.oid = r.ev_class))) LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace))) WHERE (r.rulename <> '_RETURN'::name);
projects / postgresql / commitdiff