[PATCH] Cleanup existing PG privileges - database, schema

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: [PATCH] Cleanup existing PG privileges - database, schema
Date: 2009-12-16 05:58:32
Message-ID: 4B287708.5070709@ak.jp.nec.com
Lists: pgsql-hackers

The attached patch is a draft for the discussion.

It cleans up the existing PG privilege checks related to databases
and schemas, and consolidates the points where it applies privilege
checks, as groundwork for the upcoming security framework.

We have tried a few approaches to implement SE-PgSQL this year;
however, it has had a rather high hurdle for joining development, because
it tried to separate features without losing anything useful.
It naturally holds two parts within a patch. One is the modification
of the core routines; the other is the selinux-specific code.
The selinux-specific part was a hurdle for pgsql folks, and the core
pgsql part was a hurdle for selinux folks.

During CF#3, we had a fruitful discussion, especially at the BWPUG
meeting. Again, Stephen Frost suggested starting the development
from a common security framework for both security models.

http://wiki.postgresql.org/wiki/SEPostgreSQL_Review_at_the_BWPUG#PostgreSQL_security_check_cleanup

It allows us to focus on the pure pgsql part, without any
selinux-specific part at the moment.

In CF#2, I tried to rework everything with a single patch, but this
approach was wrong: too large. So, I'll try to split the changeset
into smaller pieces, on a per-object-class basis.

This patch is groundwork before the security framework.
The existing PG checks require multiple permission checks in separate
places for a single operation, which makes it harder to replace these
inlined permission checks with security hooks.
It tries to consolidate multiple separate permission checks into the
same place for database and schema, as a discussion draft.

* LookupCreationNamespace
It checks CREATE permission on the required schema when ALTER is used
with the SCHEMA TO option. This will be consolidated into the
check_*_alter_schema() hooks, so I removed this check and moved it to
the caller.

* createdb, movedb
They repeat name resolution and permission checks where necessary.
So, I consolidated the permission checks in the same place.

$ diffstat pgsql-01-ground-work-8.5devel-r2486.patch
catalog/namespace.c | 11 --!!!
commands/dbcommands.c | 89 ++++++++++++++++++++++++--------------------!!!
commands/functioncmds.c | 11 ++++!
commands/tablecmds.c | 11 ++++!
commands/typecmds.c | 11 ++++!
5 files changed, 72 insertions(+), 43 deletions(-), 18 modifications(!)

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

Attachment Content-Type Size
pgsql-01-ground-work-8.5devel-r2486.patch text/x-patch 12.1 KB
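Added example (not part of the attached patch or the mail above): a psql session that exercises the privilege rule the patch relocates from LookupCreationNamespace to its callers, which must stay intact after the move. The role and schema names are constructed for the demonstration.

```sql
-- Constructed demonstration: ALTER ... SET SCHEMA needs ownership of the
-- object AND CREATE privilege on the destination schema. The second
-- check is the one the patch moves out of LookupCreationNamespace.
CREATE ROLE demo_owner LOGIN;
CREATE SCHEMA src AUTHORIZATION demo_owner;   -- demo_owner may create here
CREATE SCHEMA dst;                            -- owned by the superuser
GRANT USAGE ON SCHEMA dst TO demo_owner;      -- USAGE only, no CREATE

SET ROLE demo_owner;
CREATE TABLE src.t (id int);

-- Fails: demo_owner owns src.t but lacks CREATE on dst.
-- A regression test for the relocated check should expect an error here.
ALTER TABLE src.t SET SCHEMA dst;

RESET ROLE;
GRANT CREATE ON SCHEMA dst TO demo_owner;

SET ROLE demo_owner;
-- Succeeds: ownership of the table plus CREATE on the target schema.
ALTER TABLE src.t SET SCHEMA dst;
RESET ROLE;

-- Clean up the constructed objects.
DROP TABLE dst.t;
DROP SCHEMA src;
DROP SCHEMA dst;
DROP ROLE demo_owner;
```

Running the script before and after applying the patch and comparing which statement fails is a quick way to confirm the consolidation did not loosen the check.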
