Re: TODO item question [pg_hba.conf]

From: Gevik Babakhani <pgdev(at)xs4all(dot)nl>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: TODO item question [pg_hba.conf]
Date: 2006-04-21 23:14:32
Message-ID: 1145661272.29554.44.camel@voyager.truesoftware.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi,

I have created a new patch. Please check to see if I am on the right
track.

1) The GRANT and REVOKE statements look like:
GRANT CONNECTION ON DATABASE db1 TO user1 (,user2,user3)
REVOKE CONNECTION ON DATABASE db1 TO user1 (,user2,user3)

2) The file parsenodes.h is updated to support
#define ACL_DATABASE_CONNECT

3) The file acl.h is updated to support
#define ACL_DATABASE_CONNECT_CHR 'c'

4) Functions "string_to_privilege" and "privilege_to_string" in
aclchk.c are updated to support ACL_DATABASE_CONNECT

5) Function "aclparse" in acl.c is updated to support
ACL_DATABASE_CONNECT

6) Catalog version number is updated to
CATALOG_VERSION_NO 200604211

7) File postinit.c method "ReverifyMyDatabase" is updated by following:
First we check to make sure we are not in bootstrap processing mode.
If not, we check to see if the connected user has ACL_DATABASE_CONNECT.
If not, ereport(FATAL,.....)
(Perhaps we should change the error message later)

8) File dbcommands.c method "createdb" is updated by following:
When a new database is being created we add a default ACL by
calling acldefault(ACL_OBJECT_DATABASE,.... and adding the default ACL
by new_record[Anum_pg_database_datacl - 1] =
PointerGetDatum(defaultAcl);

This would mean, every time a new database gets created the owner of the
database gets the ACL_OBJECT_DATABASE privilege and can login. Other
users not having the privilege to that database get an error message.
Because the catalog version is changed a pg_dump is necessarily, means
all the new roles created from that point will get the
ACL_OBJECT_DATABASE and everything should be "backward-compatible"

At this moment the owner of the database CAN REVOKE himself form the
ACL_OBJECT_DATABASE. If the implementation above is acceptable then I
can work on this one :)

http://www.xs4all.nl/~gevik/patch/patch-0.1.diff

Did I forget something? Please advice.

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2006-04-21 23:30:10 Re: Win32 sysconfig -> pg_service.conf
Previous Message Andreas Pflug 2006-04-21 23:02:17 Re: Google SoC--Idea Request