| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Allow granting SET and ALTER SYSTEM privileges on GUC parameters |
| Date: | 2022-04-06 17:24:54 |
| Message-ID: | E1nc9On-000bor-Qs@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Allow granting SET and ALTER SYSTEM privileges on GUC parameters.
This patch allows "PGC_SUSET" parameters to be set by non-superusers
if they have been explicitly granted the privilege to do so.
The privilege to perform ALTER SYSTEM SET/RESET on a specific parameter
can also be granted.
Such privileges are cluster-wide, not per database. They are tracked
in a new shared catalog, pg_parameter_acl.
Granting and revoking these new privileges works as one would expect.
One caveat is that PGC_USERSET GUCs are unaffected by the SET privilege
--- one could wish that those were handled by a revocable grant to
PUBLIC, but they are not, because we couldn't make it robust enough
for GUCs defined by extensions.
Mark Dilger, reviewed at various times by Andrew Dunstan, Robert Haas,
Joshua Brindle, and myself
Discussion: https://postgr.es/m/3D691E20-C1D5-4B80-8BA5-6BEB63AF3029@enterprisedb.com
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/a0ffa885e478f5eeacc4e250e35ce25a4740c487
Modified Files
--------------
doc/src/sgml/catalogs.sgml | 77 ++-
doc/src/sgml/config.sgml | 150 ++++--
doc/src/sgml/ddl.sgml | 44 +-
doc/src/sgml/func.sgml | 24 +-
doc/src/sgml/ref/alter_system.sgml | 3 +-
doc/src/sgml/ref/drop_owned.sgml | 4 +-
doc/src/sgml/ref/grant.sgml | 17 +-
doc/src/sgml/ref/pg_dumpall.sgml | 3 +-
doc/src/sgml/ref/revoke.sgml | 7 +
doc/src/sgml/ref/set.sgml | 6 +-
src/backend/catalog/Makefile | 4 +-
src/backend/catalog/aclchk.c | 357 +++++++++++++-
src/backend/catalog/catalog.c | 36 +-
src/backend/catalog/dependency.c | 6 +
src/backend/catalog/objectaddress.c | 71 +++
src/backend/catalog/pg_parameter_acl.c | 118 +++++
src/backend/commands/alter.c | 1 +
src/backend/commands/event_trigger.c | 5 +
src/backend/commands/seclabel.c | 1 +
src/backend/commands/tablecmds.c | 1 +
src/backend/parser/gram.y | 46 +-
src/backend/utils/adt/acl.c | 114 +++++
src/backend/utils/cache/syscache.c | 23 +
src/backend/utils/misc/guc.c | 146 +++++-
src/bin/pg_dump/dumputils.c | 7 +-
src/bin/pg_dump/pg_dumpall.c | 65 +++
src/bin/psql/tab-complete.c | 78 ++-
src/include/catalog/catversion.h | 2 +-
src/include/catalog/dependency.h | 1 +
src/include/catalog/objectaccess.h | 2 +-
src/include/catalog/pg_parameter_acl.h | 62 +++
src/include/catalog/pg_proc.dat | 16 +
src/include/nodes/parsenodes.h | 5 +-
src/include/parser/kwlist.h | 1 +
src/include/utils/acl.h | 11 +-
src/include/utils/guc.h | 2 +
src/include/utils/syscache.h | 2 +
.../test_oat_hooks/expected/test_oat_hooks.out | 215 ++++++---
.../modules/test_oat_hooks/sql/test_oat_hooks.sql | 49 +-
src/test/modules/test_oat_hooks/test_oat_hooks.c | 80 +++-
src/test/modules/test_pg_dump/t/001_base.pl | 32 ++
src/test/modules/unsafe_tests/Makefile | 2 +-
.../modules/unsafe_tests/expected/guc_privs.out | 526 +++++++++++++++++++++
src/test/modules/unsafe_tests/sql/guc_privs.sql | 237 ++++++++++
44 files changed, 2465 insertions(+), 194 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2022-04-06 17:54:49 | pgsql: Further improve jsonb_sqljson parallel test |
| Previous Message | Tom Lane | 2022-04-06 15:20:02 | Re: pgsql: Reduce running time of jsonb_sqljson test |