<entry>Role can create databases</entry>
</row>
- <row>
- <entry><structfield>rolcatupdate</structfield></entry>
- <entry><type>bool</type></entry>
- <entry>
- Role can update system catalogs directly. (Even a superuser cannot do
- this unless this column is true)
- </entry>
- </row>
-
<row>
<entry><structfield>rolcanlogin</structfield></entry>
<entry><type>bool</type></entry>
<entry>Role can create databases</entry>
</row>
- <row>
- <entry><structfield>rolcatupdate</structfield></entry>
- <entry><type>bool</type></entry>
- <entry></entry>
- <entry>
- Role can update system catalogs directly. (Even a superuser cannot do
- this unless this column is true)
- </entry>
- </row>
-
<row>
<entry><structfield>rolcanlogin</structfield></entry>
<entry><type>bool</type></entry>
<entry>User is a superuser</entry>
</row>
- <row>
- <entry><structfield>usecatupd</structfield></entry>
- <entry><type>bool</type></entry>
- <entry></entry>
- <entry>
- User can update system catalogs. (Even a superuser cannot do
- this unless this column is true.)
- </entry>
- </row>
-
<row>
<entry><structfield>userepl</structfield></entry>
<entry><type>bool</type></entry>
<entry>User is a superuser</entry>
</row>
- <row>
- <entry><structfield>usecatupd</structfield></entry>
- <entry><type>bool</type></entry>
- <entry>
- User can update system catalogs. (Even a superuser cannot do
- this unless this column is true.)
- </entry>
- </row>
-
<row>
<entry><structfield>userepl</structfield></entry>
<entry><type>bool</type></entry>
}
-/* Check if given user has rolcatupdate privilege according to pg_authid */
-static bool
-has_rolcatupdate(Oid roleid)
-{
- bool rolcatupdate;
- HeapTuple tuple;
-
- tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
- if (!HeapTupleIsValid(tuple))
- ereport(ERROR,
- (errcode(ERRCODE_UNDEFINED_OBJECT),
- errmsg("role with OID %u does not exist", roleid)));
-
- rolcatupdate = ((Form_pg_authid) GETSTRUCT(tuple))->rolcatupdate;
-
- ReleaseSysCache(tuple);
-
- return rolcatupdate;
-}
-
/*
* Relay for the various pg_*_mask routines depending on object kind
*/
/*
* Deny anyone permission to update a system catalog unless
- * pg_authid.rolcatupdate is set. (This is to let superusers protect
- * themselves from themselves.) Also allow it if allowSystemTableMods.
+ * pg_authid.rolsuper is set. Also allow it if allowSystemTableMods.
*
* As of 7.4 we have some updatable system views; those shouldn't be
* protected in this way. Assume the view rules can take care of
if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) &&
IsSystemClass(table_oid, classForm) &&
classForm->relkind != RELKIND_VIEW &&
- !has_rolcatupdate(roleid) &&
+ !superuser_arg(roleid) &&
!allowSystemTableMods)
{
#ifdef ACLDEBUG
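Review bot: Swapping `!has_rolcatupdate(roleid)` for `!superuser_arg(roleid)` also changes what happens when roleid has no pg_authid row: the removed helper raised ERRCODE_UNDEFINED_OBJECT there, whereas superuser_arg() evidently returns false for it (the expected output for `has_table_privilege(-999999,'pg_authid','update')` in this commit moves from an error to `f`), so an unknown OID is now silently treated as a non-superuser and falls through to the ACL lookup after this block. Since nothing on the line says so, that contract is worth a comment, e.g. `/* superuser_arg() is false for a nonexistent role; an unknown OID is simply denied here rather than reported */`. pg_class_aclmask begins and continues outside this hunk, so whether a later check reports the missing role cannot be seen here.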
rolinherit,
rolcreaterole,
rolcreatedb,
- rolcatupdate,
rolcanlogin,
rolreplication,
rolconnlimit,
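Review bot: Dropping rolcatupdate from pg_roles here, and usecatupd from pg_shadow and pg_user in the two following hunks, is a change to views that client tools and user SQL query by column name, and the catversion bump only covers on-disk compatibility. It would be worth confirming that nothing in-tree outside this diff still selects `usecatupd` or `rolcatupdate` (the hunks shown only touch the view definitions and the regression expected output), and recording the removal in the release notes so external scripts can be updated.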
pg_authid.oid AS usesysid,
rolcreatedb AS usecreatedb,
rolsuper AS usesuper,
- rolcatupdate AS usecatupd,
rolreplication AS userepl,
rolbypassrls AS usebypassrls,
rolpassword AS passwd,
usesysid,
usecreatedb,
usesuper,
- usecatupd,
userepl,
usebypassrls,
'********'::text as passwd,
new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
- /* superuser gets catupdate right by default */
- new_record[Anum_pg_authid_rolcatupdate - 1] = BoolGetDatum(issuper);
new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(canlogin);
new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(isreplication);
new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
MemSet(new_record_repl, false, sizeof(new_record_repl));
/*
- * issuper/createrole/catupdate/etc
- *
- * XXX It's rather unclear how to handle catupdate. It's probably best to
- * keep it equal to the superuser status, otherwise you could end up with
- * a situation where no existing superuser can alter the catalogs,
- * including pg_authid!
+ * issuper/createrole/etc
*/
if (issuper >= 0)
{
new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper > 0);
new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
-
- new_record[Anum_pg_authid_rolcatupdate - 1] = BoolGetDatum(issuper > 0);
- new_record_repl[Anum_pg_authid_rolcatupdate - 1] = true;
}
if (inherit >= 0)
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 201503031
+#define CATALOG_VERSION_NO 201503061
#endif
bool rolinherit; /* inherit privileges from other roles? */
bool rolcreaterole; /* allowed to create more roles? */
bool rolcreatedb; /* allowed to create databases? */
- bool rolcatupdate; /* allowed to alter catalogs manually? */
bool rolcanlogin; /* allowed to log in as session user? */
bool rolreplication; /* role used for streaming replication */
bool rolbypassrls; /* allowed to bypass row level security? */
* compiler constants for pg_authid
* ----------------
*/
-#define Natts_pg_authid 12
+#define Natts_pg_authid 11
#define Anum_pg_authid_rolname 1
#define Anum_pg_authid_rolsuper 2
#define Anum_pg_authid_rolinherit 3
#define Anum_pg_authid_rolcreaterole 4
#define Anum_pg_authid_rolcreatedb 5
-#define Anum_pg_authid_rolcatupdate 6
-#define Anum_pg_authid_rolcanlogin 7
-#define Anum_pg_authid_rolreplication 8
-#define Anum_pg_authid_rolbypassrls 9
-#define Anum_pg_authid_rolconnlimit 10
-#define Anum_pg_authid_rolpassword 11
-#define Anum_pg_authid_rolvaliduntil 12
+#define Anum_pg_authid_rolcanlogin 6
+#define Anum_pg_authid_rolreplication 7
+#define Anum_pg_authid_rolbypassrls 8
+#define Anum_pg_authid_rolconnlimit 9
+#define Anum_pg_authid_rolpassword 10
+#define Anum_pg_authid_rolvaliduntil 11
/* ----------------
* initial contents of pg_authid
* user choices.
* ----------------
*/
-DATA(insert OID = 10 ( "POSTGRES" t t t t t t t t -1 _null_ _null_));
+DATA(insert OID = 10 ( "POSTGRES" t t t t t t t -1 _null_ _null_));
#define BOOTSTRAP_SUPERUSERID 10
select has_table_privilege('pg_authid','sel');
ERROR: unrecognized privilege type: "sel"
select has_table_privilege(-999999,'pg_authid','update');
-ERROR: role with OID 4293967297 does not exist
+ has_table_privilege
+---------------------
+ f
+(1 row)
+
select has_table_privilege(1,'select');
has_table_privilege
---------------------
pg_authid.rolinherit,
pg_authid.rolcreaterole,
pg_authid.rolcreatedb,
- pg_authid.rolcatupdate,
pg_authid.rolcanlogin,
pg_authid.rolreplication,
pg_authid.rolconnlimit,
pg_authid.oid AS usesysid,
pg_authid.rolcreatedb AS usecreatedb,
pg_authid.rolsuper AS usesuper,
- pg_authid.rolcatupdate AS usecatupd,
pg_authid.rolreplication AS userepl,
pg_authid.rolbypassrls AS usebypassrls,
pg_authid.rolpassword AS passwd,
pg_shadow.usesysid,
pg_shadow.usecreatedb,
pg_shadow.usesuper,
- pg_shadow.usecatupd,
pg_shadow.userepl,
pg_shadow.usebypassrls,
'********'::text AS passwd,