From: | Gevik Babakhani <pgdev(at)xs4all(dot)nl> |
---|---|
To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: TODO item question [pg_hba.conf] |
Date: | 2006-04-21 23:14:32 |
Message-ID: | 1145661272.29554.44.camel@voyager.truesoftware.net |
Lists: | pgsql-hackers |

Hi,

I have created a new patch. Please check to see if I am on the right
track.

1) The GRANT and REVOKE statements look like:
GRANT CONNECTION ON DATABASE db1 TO user1 (,user2,user3)
REVOKE CONNECTION ON DATABASE db1 TO user1 (,user2,user3)
2) The file parsenodes.h is updated to support
#define ACL_DATABASE_CONNECT
3) The file acl.h is updated to support
#define ACL_DATABASE_CONNECT_CHR 'c'
4) Functions "string_to_privilege" and "privilege_to_string" in
aclchk.c are updated to support ACL_DATABASE_CONNECT
5) Function "aclparse" in acl.c is updated to support
ACL_DATABASE_CONNECT
6) Catalog version number is updated to
CATALOG_VERSION_NO 200604211
7) File postinit.c method "ReverifyMyDatabase" is updated as follows:
First we check to make sure we are not in bootstrap processing mode.
If not, we check to see if the connected user has ACL_DATABASE_CONNECT.
If not, ereport(FATAL,.....)
(Perhaps we should change the error message later)
8) File dbcommands.c method "createdb" is updated as follows:
When a new database is being created we add a default ACL by
calling acldefault(ACL_OBJECT_DATABASE,.... and adding the default ACL
by new_record[Anum_pg_database_datacl - 1] =
PointerGetDatum(defaultAcl);

This would mean that every time a new database gets created, the owner of the
database gets the ACL_OBJECT_DATABASE privilege and can log in. Other
users not having the privilege to that database get an error message.

Because the catalog version is changed, a pg_dump is necessary, which means
all the new roles created from that point will get the
ACL_OBJECT_DATABASE, and everything should be "backward-compatible".

At this moment the owner of the database CAN REVOKE himself from the
ACL_OBJECT_DATABASE. If the implementation above is acceptable then I
can work on this one :)

http://www.xs4all.nl/~gevik/patch/patch-0.1.diff

Did I forget something? Please advise.
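
The connect-time check from items 7 and 8 and the owner self-revoke case, as a simplified stand-alone model. This is an added example, not part of the original post or the patch and not PostgreSQL source: the struct layout, function names, bit value and role ids are assumptions made for illustration, and the connect privilege is modelled with the ACL_DATABASE_CONNECT name from items 2 to 5.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model for illustration; names and values are hypothetical. */
#define ACL_DATABASE_CONNECT (1u << 0)  /* constructed bit; the post gives no value */
#define MAX_ACL 8
typedef struct { uint32_t grantee, privs; } AclEntry;
typedef struct { uint32_t owner; AclEntry acl[MAX_ACL]; size_t n; } Database;

static AclEntry *find_entry(Database *db, uint32_t role) {
    for (size_t i = 0; i < db->n; i++)
        if (db->acl[i].grantee == role) return &db->acl[i];
    return NULL;
}

/* Item 8: a new database starts with a default ACL giving the owner connect. */
static Database create_database(uint32_t owner) {
    Database db = { .owner = owner, .n = 1 };
    db.acl[0] = (AclEntry){ owner, ACL_DATABASE_CONNECT };
    return db;
}

/* GRANT CONNECTION ON DATABASE ... TO role; false if the ACL array is full. */
static bool grant_connect(Database *db, uint32_t role) {
    AclEntry *e = find_entry(db, role);
    if (e == NULL) {
        if (db->n == MAX_ACL) return false;
        e = &db->acl[db->n++];
        *e = (AclEntry){ role, 0 };
    }
    e->privs |= ACL_DATABASE_CONNECT;
    return true;
}

/* REVOKE CONNECTION; nothing here exempts the owner, as the post notes. */
static void revoke_connect(Database *db, uint32_t role) {
    AclEntry *e = find_entry(db, role);
    if (e != NULL) e->privs &= ~ACL_DATABASE_CONNECT;
}

/* Item 7: no check in bootstrap mode; otherwise the role needs the connect
 * bit. Returning false stands in for ereport(FATAL, ...). */
static bool may_connect(Database *db, uint32_t role, bool bootstrap) {
    if (bootstrap) return true;
    AclEntry *e = find_entry(db, role);
    return e != NULL && (e->privs & ACL_DATABASE_CONNECT) != 0;
}

int main(void) {
    Database db = create_database(10);  /* constructed role ids: 10 owner, 20 other */
    grant_connect(&db, 20);
    revoke_connect(&db, 10);            /* owner revokes himself and is locked out */
    return (may_connect(&db, 20, false) && !may_connect(&db, 10, false)) ? 0 : 1;
}
```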