From ce5acb9aab3fec940a0bfd50e433163bd487769d Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Tue, 16 Jan 2018 13:32:03 -0500 Subject: [PATCH v4 3/5] Don't use OBJECT_RELATION with aclcheck_error --- contrib/dblink/dblink.c | 2 +- contrib/file_fdw/output/file_fdw.source | 2 +- contrib/pg_prewarm/pg_prewarm.c | 2 +- contrib/pgrowlocks/pgrowlocks.c | 3 +- contrib/test_decoding/expected/permissions.out | 4 +- src/backend/catalog/aclchk.c | 8 +- src/backend/catalog/namespace.c | 2 +- src/backend/catalog/objectaddress.c | 25 +++++ src/backend/commands/lockcmds.c | 4 +- src/backend/commands/policy.c | 2 +- src/backend/commands/publicationcmds.c | 2 +- src/backend/commands/statscmds.c | 3 +- src/backend/commands/tablecmds.c | 24 ++--- src/backend/commands/trigger.c | 6 +- src/backend/executor/execMain.c | 2 +- src/backend/parser/parse_utilcmd.c | 2 +- src/backend/rewrite/rewriteDefine.c | 6 +- src/backend/utils/adt/tid.c | 5 +- src/include/catalog/objectaddress.h | 2 + src/test/regress/expected/alter_table.out | 2 +- src/test/regress/expected/copy2.out | 6 +- src/test/regress/expected/lock.out | 2 +- src/test/regress/expected/privileges.out | 144 ++++++++++++------------- src/test/regress/expected/publication.out | 2 +- src/test/regress/expected/rowsecurity.out | 18 ++-- src/test/regress/expected/select_into.out | 6 +- src/test/regress/expected/sequence.out | 2 +- src/test/regress/expected/updatable_views.out | 30 +++--- 28 files changed, 172 insertions(+), 146 deletions(-) diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c index 6b4d036d9e..742e2a20c3 100644 --- a/contrib/dblink/dblink.c +++ b/contrib/dblink/dblink.c 
@@ -2504,7 +2504,7 @@ get_rel_from_relname(text *relname_text, LOCKMODE lockmode, AclMode aclmode) aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), aclmode); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); return rel; diff --git a/contrib/file_fdw/output/file_fdw.source b/contrib/file_fdw/output/file_fdw.source index 709c43ec80..e2d8b87015 100644 --- a/contrib/file_fdw/output/file_fdw.source +++ b/contrib/file_fdw/output/file_fdw.source @@ -393,7 +393,7 @@ SELECT * FROM agg_text ORDER BY a; SET ROLE regress_no_priv_user; SELECT * FROM agg_text ORDER BY a; -- ERROR -ERROR: permission denied for relation agg_text +ERROR: permission denied for foreign table agg_text SET ROLE regress_file_fdw_user; \t on EXPLAIN (VERBOSE, COSTS FALSE) SELECT * FROM agg_text WHERE a > 0; diff --git a/contrib/pg_prewarm/pg_prewarm.c b/contrib/pg_prewarm/pg_prewarm.c index bab01e6781..7755c1a6cf 100644 --- a/contrib/pg_prewarm/pg_prewarm.c +++ b/contrib/pg_prewarm/pg_prewarm.c @@ -107,7 +107,7 @@ pg_prewarm(PG_FUNCTION_ARGS) rel = relation_open(relOid, AccessShareLock); aclresult = pg_class_aclcheck(relOid, GetUserId(), ACL_SELECT); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, get_rel_name(relOid)); + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(relOid)), get_rel_name(relOid)); /* Check that the fork exists. */ RelationOpenSmgr(rel); diff --git a/contrib/pgrowlocks/pgrowlocks.c b/contrib/pgrowlocks/pgrowlocks.c index 38e10e59a8..576beb4fd4 100644 --- a/contrib/pgrowlocks/pgrowlocks.c +++ b/contrib/pgrowlocks/pgrowlocks.c @@ -35,6 +35,7 @@ #include "storage/procarray.h" #include "utils/acl.h" #include "utils/builtins.h" +#include "utils/lsyscache.h" #include "utils/rel.h" #include "utils/snapmgr.h" #include "utils/tqual.h" 
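Review bot: In get_rel_from_relname the relation is already open as `rel`, so the new argument `relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel)))` repeats a catalog-cache lookup for a value the open relation already carries. `relkind_get_objtype(rel->rd_rel->relkind)` reads the same field, does not depend on a second lookup succeeding, and shortens a line that now runs well past 80 columns. The same form fits the other call sites in this patch that hold an open Relation (pg_prewarm, pgrowlocks, PublicationAddTables, CreateStatistics, truncate_check_rel, MergeAttributes, ATSimplePermissions, ATPrepSetStatistics, checkFkeyPermissions, ATExecChangeOwner, CreateTrigger, transformTableLikeClause, DefineQueryRewrite, currtid_byreloid, currtid_byrelname). The RangeVar callbacks and renameatt_check, which already have `classform`, could pass `classform->relkind`. The body of get_rel_from_relname starts and ends outside the hunk.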
@@ -121,7 +122,7 @@ pgrowlocks(PG_FUNCTION_ARGS) aclresult = is_member_of_role(GetUserId(), DEFAULT_ROLE_STAT_SCAN_TABLES) ? ACLCHECK_OK : ACLCHECK_NO_PRIV; if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); scan = heap_beginscan(rel, GetActiveSnapshot(), 0, NULL); diff --git a/contrib/test_decoding/expected/permissions.out b/contrib/test_decoding/expected/permissions.out index 7175dcd5f6..ed97f81dda 100644 --- a/contrib/test_decoding/expected/permissions.out +++ b/contrib/test_decoding/expected/permissions.out @@ -38,7 +38,7 @@ SELECT 'init' FROM pg_create_logical_replication_slot('regression_slot', 'test_d (1 row) INSERT INTO lr_test VALUES('lr_superuser_init'); -ERROR: permission denied for relation lr_test +ERROR: permission denied for table lr_test SELECT data FROM pg_logical_slot_get_changes('regression_slot', NULL, NULL, 'include-xids', '0', 'skip-empty-xacts', '1'); data ------ @@ -56,7 +56,7 @@ SET ROLE regress_lr_normal; SELECT 'init' FROM pg_create_logical_replication_slot('regression_slot', 'test_decoding'); ERROR: must be superuser or replication role to use replication slots INSERT INTO lr_test VALUES('lr_superuser_init'); -ERROR: permission denied for relation lr_test +ERROR: permission denied for table lr_test SELECT data FROM pg_logical_slot_get_changes('regression_slot', NULL, NULL, 'include-xids', '0', 'skip-empty-xacts', '1'); ERROR: must be superuser or replication role to use replication slots SELECT pg_drop_replication_slot('regression_slot'); diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index 2e07d75ef4..a9cf354357 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c 
@@ -3428,9 +3428,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype, case OBJECT_PUBLICATION: msg = gettext_noop("permission denied for publication %s"); break; - case OBJECT_RELATION: - msg = gettext_noop("permission denied for relation %s"); - break; case OBJECT_ROUTINE: msg = gettext_noop("permission denied for routine %s"); break; @@ -3474,6 +3471,7 @@ aclcheck_error(AclResult aclerr, ObjectType objtype, case OBJECT_DEFACL: case OBJECT_DOMCONSTRAINT: case OBJECT_PUBLICATION_REL: + case OBJECT_RELATION: case OBJECT_ROLE: case OBJECT_RULE: case OBJECT_TABCONSTRAINT: @@ -3563,9 +3561,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype, case OBJECT_PUBLICATION: msg = gettext_noop("must be owner of publication %s"); break; - case OBJECT_RELATION: - msg = gettext_noop("must be owner of relation %s"); - break; case OBJECT_ROUTINE: msg = gettext_noop("must be owner of routine %s"); break; @@ -3609,6 +3604,7 @@ aclcheck_error(AclResult aclerr, ObjectType objtype, case OBJECT_DEFACL: case OBJECT_DOMCONSTRAINT: case OBJECT_PUBLICATION_REL: + case OBJECT_RELATION: case OBJECT_ROLE: case OBJECT_RULE: case OBJECT_TABCONSTRAINT: diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c index 75636e6dab..8b9f993815 100644 --- a/src/backend/catalog/namespace.c +++ b/src/backend/catalog/namespace.c @@ -585,7 +585,7 @@ RangeVarGetAndCheckCreationNamespace(RangeVar *relation, if (lockmode != NoLock && OidIsValid(relid)) { if (!pg_class_ownercheck(relid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relid)), relation->relname); if (relid != oldrelid) LockRelationOid(relid, lockmode); diff --git a/src/backend/catalog/objectaddress.c b/src/backend/catalog/objectaddress.c index 9be365f50d..d691b25aa6 100644 --- a/src/backend/catalog/objectaddress.c +++ b/src/backend/catalog/objectaddress.c 
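Review bot: Adding `case OBJECT_RELATION:` to the label group containing `OBJECT_DEFACL` and `OBJECT_ROLE` (hunk -3474, and again at -3609) means a caller that still passes OBJECT_RELATION no longer gets a "permission denied" or "must be owner" message. What that group does is outside the hunk, but it is presumably the unsupported-object-type error. Such a caller still compiles, so an extension or a call site this patch missed would show the problem only at run time, on the denial path, as an internal error instead of an insufficient-privilege error. A comment on the label would make the intent findable, e.g. `/* OBJECT_RELATION: callers must pass relkind_get_objtype(relkind) instead */`, and the commit message should mention the change for extension authors. aclcheck_error's body starts and ends outside these hunks.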
@@ -5097,3 +5097,28 @@ strlist_to_textarray(List *list) return arr; } + +ObjectType +relkind_get_objtype(char relkind) +{ + switch (relkind) + { + case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: + return OBJECT_TABLE; + case RELKIND_INDEX: + return OBJECT_INDEX; + case RELKIND_SEQUENCE: + return OBJECT_SEQUENCE; + case RELKIND_VIEW: + return OBJECT_VIEW; + case RELKIND_MATVIEW: + return OBJECT_MATVIEW; + case RELKIND_FOREIGN_TABLE: + return OBJECT_FOREIGN_TABLE; + /* other relkinds are not supported here because they don't map to OBJECT_* values */ + default: + elog(ERROR, "unexpected relkind: %d", relkind); + return 0; + } +} diff --git a/src/backend/commands/lockcmds.c b/src/backend/commands/lockcmds.c index aa54565716..0d7c18d0bd 100644 --- a/src/backend/commands/lockcmds.c +++ b/src/backend/commands/lockcmds.c @@ -96,7 +96,7 @@ RangeVarCallbackForLockTable(const RangeVar *rv, Oid relid, Oid oldrelid, /* Check permissions. */ aclresult = LockTableAclCheck(relid, lockmode); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, rv->relname); + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(relid)), rv->relname); } /* @@ -127,7 +127,7 @@ LockTableRecurse(Oid reloid, LOCKMODE lockmode, bool nowait) if (!relname) continue; /* child concurrently dropped, just skip it */ - aclcheck_error(aclresult, OBJECT_RELATION, relname); + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(childreloid)), relname); } /* We have enough rights to lock the relation; do so. */ diff --git a/src/backend/commands/policy.c b/src/backend/commands/policy.c index 2ec35abf8f..76b5bfd34b 100644 --- a/src/backend/commands/policy.c +++ b/src/backend/commands/policy.c 
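Review bot: The `default:` branch of relkind_get_objtype raises `elog(ERROR, "unexpected relkind: %d", relkind)`, and every caller in this patch reaches it while reporting a failed permission or ownership check. A relation whose relkind is not listed (a TOAST table, `RELKIND_TOASTVALUE`, or the `'\0'` that get_rel_relkind() returns when the pg_class row is not found) therefore turns "permission denied" into an internal error. pg_prewarm and ExecCheckRTPerms pass the relkind of whatever relation the user named, so this looks reachable by an unprivileged user, and log monitoring keyed on the insufficient-privilege error would miss the denial. Falling back to a generic type keeps the denial message: `default: return OBJECT_TABLE;`, with a comment that unlisted relkinds are reported as tables. The function also has no header comment; `/* Map a pg_class.relkind to the ObjectType used in error messages. */` would do, and if the elog stays, `return 0;` could carry `/* keep compiler quiet */`.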
@@ -78,7 +78,7 @@ RangeVarCallbackForPolicy(const RangeVar *rv, Oid relid, Oid oldrelid, /* Must own relation. */ if (!pg_class_ownercheck(relid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, rv->relname); + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relid)), rv->relname); /* No system table modifications unless explicitly allowed. */ if (!allowSystemTableMods && IsSystemClass(relid, classform)) diff --git a/src/backend/commands/publicationcmds.c b/src/backend/commands/publicationcmds.c index 0cc62c77bd..d248e063a8 100644 --- a/src/backend/commands/publicationcmds.c +++ b/src/backend/commands/publicationcmds.c @@ -582,7 +582,7 @@ PublicationAddTables(Oid pubid, List *rels, bool if_not_exists, /* Must be owner of the table or superuser. */ if (!pg_class_ownercheck(RelationGetRelid(rel), GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); obj = publication_add_relation(pubid, rel, if_not_exists); diff --git a/src/backend/commands/statscmds.c b/src/backend/commands/statscmds.c index 8a0cc6c2cf..89237c48ce 100644 --- a/src/backend/commands/statscmds.c +++ b/src/backend/commands/statscmds.c @@ -25,6 +25,7 @@ #include "statistics/statistics.h" #include "utils/builtins.h" #include "utils/inval.h" +#include "utils/lsyscache.h" #include "utils/memutils.h" #include "utils/rel.h" #include "utils/syscache.h" @@ -141,7 +142,7 @@ CreateStatistics(CreateStatsStmt *stmt) /* You must own the relation to create stats on it */ if (!pg_class_ownercheck(RelationGetRelid(rel), stxowner)) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); } diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38bfd29cd9..a5c8d4443d 100644 
--- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -1192,7 +1192,7 @@ RangeVarCallbackForDropRelation(const RangeVar *rel, Oid relOid, Oid oldRelOid, /* Allow DROP to either table owner or schema owner */ if (!pg_class_ownercheck(relOid, GetUserId()) && !pg_namespace_ownercheck(classform->relnamespace, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relOid)), rel->relname); if (!allowSystemTableMods && IsSystemClass(relOid, classform)) @@ -1562,7 +1562,7 @@ truncate_check_rel(Relation rel) aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ACL_TRUNCATE); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); if (!allowSystemTableMods && IsSystemRelation(rel)) @@ -1848,7 +1848,7 @@ MergeAttributes(List *schema, List *supers, char relpersistence, * demand that creator of a child table own the parent. */ if (!pg_class_ownercheck(RelationGetRelid(relation), GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(RelationGetRelid(relation))), RelationGetRelationName(relation)); /* @@ -2551,7 +2551,7 @@ renameatt_check(Oid myrelid, Form_pg_class classform, bool recursing) * permissions checking. only the owner of a class can change its schema. */ if (!pg_class_ownercheck(myrelid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(myrelid)), NameStr(classform->relname)); if (!allowSystemTableMods && IsSystemClass(myrelid, classform)) ereport(ERROR, 
@@ -4769,7 +4769,7 @@ ATSimplePermissions(Relation rel, int allowed_targets) /* Permissions checks */ if (!pg_class_ownercheck(RelationGetRelid(rel), GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); if (!allowSystemTableMods && IsSystemRelation(rel)) @@ -6212,7 +6212,7 @@ ATPrepSetStatistics(Relation rel, const char *colName, int16 colNum, Node *newVa /* Permissions checks */ if (!pg_class_ownercheck(RelationGetRelid(rel), GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); } @@ -8136,7 +8136,7 @@ checkFkeyPermissions(Relation rel, int16 *attnums, int natts) aclresult = pg_attribute_aclcheck(RelationGetRelid(rel), attnums[i], roleid, ACL_REFERENCES); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); } } @@ -10046,7 +10046,7 @@ ATExecChangeOwner(Oid relationOid, Oid newOwnerId, bool recursing, LOCKMODE lock /* Otherwise, must be owner of the existing object */ if (!pg_class_ownercheck(relationOid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relationOid)), RelationGetRelationName(target_rel)); /* Must be able to become new owner */ @@ -10856,7 +10856,7 @@ AlterTableMoveAll(AlterTableMoveAllStmt *stmt) * Caller must be considered an owner on the table to move it. */ if (!pg_class_ownercheck(relOid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relOid)), NameStr(relForm->relname)); if (stmt->nowait && 
@@ -13101,7 +13101,7 @@ RangeVarCallbackOwnsTable(const RangeVar *relation, /* Check permissions */ if (!pg_class_ownercheck(relId, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, relation->relname); + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relId)), relation->relname); } /* @@ -13123,7 +13123,7 @@ RangeVarCallbackOwnsRelation(const RangeVar *relation, elog(ERROR, "cache lookup failed for relation %u", relId); if (!pg_class_ownercheck(relId, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relId)), relation->relname); if (!allowSystemTableMods && @@ -13159,7 +13159,7 @@ RangeVarCallbackForAlterRelation(const RangeVar *rv, Oid relid, Oid oldrelid, /* Must own relation. */ if (!pg_class_ownercheck(relid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, rv->relname); + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relid)), rv->relname); /* No system table modifications unless explicitly allowed. */ if (!allowSystemTableMods && IsSystemClass(relid, classform)) diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c index 438653f310..0bda470dd2 100644 --- a/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c @@ -284,7 +284,7 @@ CreateTrigger(CreateTrigStmt *stmt, const char *queryString, aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ACL_TRIGGER); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); if (OidIsValid(constrrelid)) 
@@ -292,7 +292,7 @@ CreateTrigger(CreateTrigStmt *stmt, const char *queryString, aclresult = pg_class_aclcheck(constrrelid, GetUserId(), ACL_TRIGGER); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(constrrelid)), get_rel_name(constrrelid)); } } @@ -1422,7 +1422,7 @@ RangeVarCallbackForRenameTrigger(const RangeVar *rv, Oid relid, Oid oldrelid, /* you must own the table to rename one of its triggers */ if (!pg_class_ownercheck(relid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, rv->relname); + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relid)), rv->relname); if (!allowSystemTableMods && IsSystemClass(relid, form)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), diff --git a/src/backend/executor/execMain.c b/src/backend/executor/execMain.c index 64a43822bb..97c461b480 100644 --- a/src/backend/executor/execMain.c +++ b/src/backend/executor/execMain.c @@ -579,7 +579,7 @@ ExecCheckRTPerms(List *rangeTable, bool ereport_on_violation) { Assert(rte->rtekind == RTE_RELATION); if (ereport_on_violation) - aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NO_PRIV, relkind_get_objtype(get_rel_relkind(rte->relid)), get_rel_name(rte->relid)); return false; } diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c index e7df455634..a31ce08449 100644 --- a/src/backend/parser/parse_utilcmd.c +++ b/src/backend/parser/parse_utilcmd.c @@ -962,7 +962,7 @@ transformTableLikeClause(CreateStmtContext *cxt, TableLikeClause *table_like_cla aclresult = pg_class_aclcheck(RelationGetRelid(relation), GetUserId(), ACL_SELECT); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(relation))), RelationGetRelationName(relation)); } 
diff --git a/src/backend/rewrite/rewriteDefine.c b/src/backend/rewrite/rewriteDefine.c index 7eca67a52f..078e549e6d 100644 --- a/src/backend/rewrite/rewriteDefine.c +++ b/src/backend/rewrite/rewriteDefine.c @@ -276,7 +276,7 @@ DefineQueryRewrite(const char *rulename, * Check user has permission to apply rules to this relation. */ if (!pg_class_ownercheck(event_relid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(RelationGetRelid(event_relation))), RelationGetRelationName(event_relation)); /* @@ -864,7 +864,7 @@ EnableDisableRule(Relation rel, const char *rulename, eventRelationOid = ((Form_pg_rewrite) GETSTRUCT(ruletup))->ev_class; Assert(eventRelationOid == owningRel); if (!pg_class_ownercheck(eventRelationOid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(eventRelationOid)), get_rel_name(eventRelationOid)); /* @@ -927,7 +927,7 @@ RangeVarCallbackForRenameRule(const RangeVar *rv, Oid relid, Oid oldrelid, /* you must own the table to rename one of its rules */ if (!pg_class_ownercheck(relid, GetUserId())) - aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_RELATION, rv->relname); + aclcheck_error(ACLCHECK_NOT_OWNER, relkind_get_objtype(get_rel_relkind(relid)), rv->relname); ReleaseSysCache(tuple); } diff --git a/src/backend/utils/adt/tid.c b/src/backend/utils/adt/tid.c index 4aa8122fa2..12efc85d06 100644 --- a/src/backend/utils/adt/tid.c +++ b/src/backend/utils/adt/tid.c @@ -29,6 +29,7 @@ #include "parser/parsetree.h" #include "utils/acl.h" #include "utils/builtins.h" +#include "utils/lsyscache.h" #include "utils/rel.h" #include "utils/snapmgr.h" #include "utils/tqual.h" 
@@ -343,7 +344,7 @@ currtid_byreloid(PG_FUNCTION_ARGS) aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ACL_SELECT); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); if (rel->rd_rel->relkind == RELKIND_VIEW) @@ -377,7 +378,7 @@ currtid_byrelname(PG_FUNCTION_ARGS) aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ACL_SELECT); if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_RELATION, + aclcheck_error(aclresult, relkind_get_objtype(get_rel_relkind(RelationGetRelid(rel))), RelationGetRelationName(rel)); if (rel->rd_rel->relkind == RELKIND_VIEW) diff --git a/src/include/catalog/objectaddress.h b/src/include/catalog/objectaddress.h index 403e8bb2af..43819304eb 100644 --- a/src/include/catalog/objectaddress.h +++ b/src/include/catalog/objectaddress.h @@ -78,4 +78,6 @@ extern char *getObjectIdentityParts(const ObjectAddress *address, List **objname, List **objargs); extern ArrayType *strlist_to_textarray(List *list); +extern ObjectType relkind_get_objtype(char relkind); + #endif /* OBJECTADDRESS_H */ diff --git a/src/test/regress/expected/alter_table.out b/src/test/regress/expected/alter_table.out index 11f0baa11b..b998dab6ab 100644 --- a/src/test/regress/expected/alter_table.out +++ b/src/test/regress/expected/alter_table.out @@ -3303,7 +3303,7 @@ CREATE TABLE owned_by_me ( a int ) PARTITION BY LIST (a); ALTER TABLE owned_by_me ATTACH PARTITION not_owned_by_me FOR VALUES IN (1); -ERROR: must be owner of relation not_owned_by_me +ERROR: must be owner of table not_owned_by_me RESET SESSION AUTHORIZATION; DROP TABLE owned_by_me, not_owned_by_me; DROP ROLE regress_test_not_me; diff --git a/src/test/regress/expected/copy2.out b/src/test/regress/expected/copy2.out index 65e9c626b3..e606a5fda4 100644 --- a/src/test/regress/expected/copy2.out +++ b/src/test/regress/expected/copy2.out 
@@ -521,12 +521,12 @@ RESET SESSION AUTHORIZATION; SET SESSION AUTHORIZATION regress_rls_copy_user_colperms; -- attempt all columns (should fail) COPY rls_t1 TO stdout; -ERROR: permission denied for relation rls_t1 +ERROR: permission denied for table rls_t1 COPY rls_t1 (a, b, c) TO stdout; -ERROR: permission denied for relation rls_t1 +ERROR: permission denied for table rls_t1 -- try to copy column with no privileges (should fail) COPY rls_t1 (c) TO stdout; -ERROR: permission denied for relation rls_t1 +ERROR: permission denied for table rls_t1 -- subset of columns (should succeed) COPY rls_t1 (a) TO stdout; 2 diff --git a/src/test/regress/expected/lock.out b/src/test/regress/expected/lock.out index fd27344503..74a434d24d 100644 --- a/src/test/regress/expected/lock.out +++ b/src/test/regress/expected/lock.out @@ -45,7 +45,7 @@ GRANT UPDATE ON TABLE lock_tbl1 TO regress_rol_lock1; SET ROLE regress_rol_lock1; BEGIN; LOCK TABLE lock_tbl1 * IN ACCESS EXCLUSIVE MODE; -ERROR: permission denied for relation lock_tbl2 +ERROR: permission denied for table lock_tbl2 ROLLBACK; BEGIN; LOCK TABLE ONLY lock_tbl1; diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out index 87e9211f6a..cf53b37383 100644 --- a/src/test/regress/expected/privileges.out +++ b/src/test/regress/expected/privileges.out @@ -92,11 +92,11 @@ SELECT * FROM atest2; -- ok INSERT INTO atest1 VALUES (2, 'two'); -- ok INSERT INTO atest2 VALUES ('foo', true); -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 INSERT INTO atest1 SELECT 1, b FROM atest1; -- ok UPDATE atest1 SET a = 1 WHERE a = 2; -- ok UPDATE atest2 SET col2 = NOT col2; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 SELECT * FROM atest1 FOR UPDATE; -- ok a | b ---+----- 
@@ -105,17 +105,17 @@ SELECT * FROM atest1 FOR UPDATE; -- ok (2 rows) SELECT * FROM atest2 FOR UPDATE; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 DELETE FROM atest2; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 TRUNCATE atest2; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 BEGIN; LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 COMMIT; COPY atest2 FROM stdin; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 GRANT ALL ON atest1 TO PUBLIC; -- fail WARNING: no privileges were granted for "atest1" -- checks in subquery, both ok 
@@ -144,37 +144,37 @@ SELECT * FROM atest1; -- ok (2 rows) SELECT * FROM atest2; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 INSERT INTO atest1 VALUES (2, 'two'); -- fail -ERROR: permission denied for relation atest1 +ERROR: permission denied for table atest1 INSERT INTO atest2 VALUES ('foo', true); -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 INSERT INTO atest1 SELECT 1, b FROM atest1; -- fail -ERROR: permission denied for relation atest1 +ERROR: permission denied for table atest1 UPDATE atest1 SET a = 1 WHERE a = 2; -- fail -ERROR: permission denied for relation atest1 +ERROR: permission denied for table atest1 UPDATE atest2 SET col2 = NULL; -- ok UPDATE atest2 SET col2 = NOT col2; -- fails; requires SELECT on atest2 -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 UPDATE atest2 SET col2 = true FROM atest1 WHERE atest1.a = 5; -- ok SELECT * FROM atest1 FOR UPDATE; -- fail -ERROR: permission denied for relation atest1 +ERROR: permission denied for table atest1 SELECT * FROM atest2 FOR UPDATE; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 DELETE FROM atest2; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 TRUNCATE atest2; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 BEGIN; LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- ok COMMIT; COPY atest2 FROM stdin; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 -- checks in subquery, both fail SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) ); -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) ); -ERROR: permission denied for relation atest2 +ERROR: permission denied for table 
atest2 SET SESSION AUTHORIZATION regress_user4; COPY atest2 FROM stdin; -- ok SELECT * FROM atest1; -- ok @@ -234,7 +234,7 @@ CREATE OPERATOR >>> (procedure = leak2, leftarg = integer, rightarg = integer, restrict = scalargtsel); -- This should not show any "leak" notices before failing. EXPLAIN (COSTS OFF) SELECT * FROM atest12 WHERE a >>> 0; -ERROR: permission denied for relation atest12 +ERROR: permission denied for table atest12 -- This plan should use hashjoin, as it will expect many rows to be selected. EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b; QUERY PLAN @@ -287,7 +287,7 @@ CREATE TABLE atest3 (one int, two int, three int); GRANT DELETE ON atest3 TO GROUP regress_group2; SET SESSION AUTHORIZATION regress_user1; SELECT * FROM atest3; -- fail -ERROR: permission denied for relation atest3 +ERROR: permission denied for table atest3 DELETE FROM atest3; -- ok -- views SET SESSION AUTHORIZATION regress_user3; @@ -305,7 +305,7 @@ SELECT * FROM atestv1; -- ok (2 rows) SELECT * FROM atestv2; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 GRANT SELECT ON atestv1, atestv3 TO regress_user4; GRANT SELECT ON atestv2 TO regress_user2; SET SESSION AUTHORIZATION regress_user4; 
@@ -317,28 +317,28 @@ SELECT * FROM atestv1; -- ok (2 rows) SELECT * FROM atestv2; -- fail -ERROR: permission denied for relation atestv2 +ERROR: permission denied for view atestv2 SELECT * FROM atestv3; -- ok one | two | three -----+-----+------- (0 rows) SELECT * FROM atestv0; -- fail -ERROR: permission denied for relation atestv0 +ERROR: permission denied for view atestv0 -- Appendrels excluded by constraints failed to check permissions in 8.4-9.2. select * from ((select a.q1 as x from int8_tbl a offset 0) union all (select b.q2 as x from int8_tbl b offset 0)) ss where false; -ERROR: permission denied for relation int8_tbl +ERROR: permission denied for table int8_tbl set constraint_exclusion = on; select * from ((select a.q1 as x, random() from int8_tbl a where q1 > 0) union all (select b.q2 as x, random() from int8_tbl b where q2 > 0)) ss where x < 0; -ERROR: permission denied for relation int8_tbl +ERROR: permission denied for table int8_tbl reset constraint_exclusion; CREATE VIEW atestv4 AS SELECT * FROM atestv3; -- nested view SELECT * FROM atestv4; -- ok @@ -350,7 +350,7 @@ GRANT SELECT ON atestv4 TO regress_user2; SET SESSION AUTHORIZATION regress_user2; -- Two complex cases: SELECT * FROM atestv3; -- fail -ERROR: permission denied for relation atestv3 +ERROR: permission denied for view atestv3 SELECT * FROM atestv4; -- ok (even though regress_user2 cannot access underlying atestv3) one | two | three -----+-----+------- @@ -363,7 +363,7 @@ SELECT * FROM atest2; -- ok (1 row) SELECT * FROM atestv2; -- fail (even though regress_user2 can access underlying atest2) -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 -- Test column level permissions SET SESSION AUTHORIZATION regress_user1; CREATE TABLE atest5 (one int, two int unique, three int, four int unique); 
@@ -373,7 +373,7 @@ GRANT ALL (one) ON atest5 TO regress_user3; INSERT INTO atest5 VALUES (1,2,3); SET SESSION AUTHORIZATION regress_user4; SELECT * FROM atest5; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT one FROM atest5; -- ok one ----- @@ -383,13 +383,13 @@ SELECT one FROM atest5; -- ok COPY atest5 (one) TO stdout; -- ok 1 SELECT two FROM atest5; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 COPY atest5 (two) TO stdout; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT atest5 FROM atest5; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 COPY atest5 (one,two) TO stdout; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT 1 FROM atest5; -- ok ?column? ---------- @@ -403,15 +403,15 @@ SELECT 1 FROM atest5 a JOIN atest5 b USING (one); -- ok (1 row) SELECT 1 FROM atest5 a JOIN atest5 b USING (two); -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT 1 FROM atest5 a NATURAL JOIN atest5 b; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT (j.*) IS NULL FROM (atest5 a JOIN atest5 b USING (one)) j; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT 1 FROM atest5 WHERE two = 2; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT * FROM atest1, atest5; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT atest1.* FROM atest1, atest5; -- ok a | b ---+----- 
@@ -427,7 +427,7 @@ SELECT atest1.*,atest5.one FROM atest1, atest5; -- ok (2 rows) SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.two); -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.one); -- ok a | b | one ---+-----+----- @@ -436,12 +436,12 @@ SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.one); - (2 rows) SELECT one, two FROM atest5; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SET SESSION AUTHORIZATION regress_user1; GRANT SELECT (one,two) ON atest6 TO regress_user4; SET SESSION AUTHORIZATION regress_user4; SELECT one, two FROM atest5 NATURAL JOIN atest6; -- fail still -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SET SESSION AUTHORIZATION regress_user1; GRANT SELECT (two) ON atest5 TO regress_user4; SET SESSION AUTHORIZATION regress_user4; 
@@ -453,23 +453,23 @@ SELECT one, two FROM atest5 NATURAL JOIN atest6; -- ok now
 -- test column-level privileges for INSERT and UPDATE
 INSERT INTO atest5 (two) VALUES (3); -- ok
 COPY atest5 FROM stdin; -- fail
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 COPY atest5 (two) FROM stdin; -- ok
 INSERT INTO atest5 (three) VALUES (4); -- fail
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 INSERT INTO atest5 VALUES (5,5,5); -- fail
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 UPDATE atest5 SET three = 10; -- ok
 UPDATE atest5 SET one = 8; -- fail
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 UPDATE atest5 SET three = 5, one = 2; -- fail
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 -- Check that column level privs are enforced in RETURNING
 -- Ok.
 INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10;
 -- Error. No SELECT on column three.
 INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10 RETURNING atest5.three;
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 -- Ok. May SELECT on column "one":
 INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10 RETURNING atest5.one;
 one
@@ -482,21 +482,21 @@ INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10 RE
 INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = EXCLUDED.one;
 -- Error. No select rights on three
 INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = EXCLUDED.three;
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set one = 8; -- fails (due to UPDATE)
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 INSERT INTO atest5(three) VALUES (4) ON CONFLICT (two) DO UPDATE set three = 10; -- fails (due to INSERT)
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 -- Check that the columns in the inference require select privileges
 INSERT INTO atest5(four) VALUES (4); -- fail
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 SET SESSION AUTHORIZATION regress_user1;
 GRANT INSERT (four) ON atest5 TO regress_user4;
 SET SESSION AUTHORIZATION regress_user4;
 INSERT INTO atest5(four) VALUES (4) ON CONFLICT (four) DO UPDATE set three = 3; -- fails (due to SELECT)
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 INSERT INTO atest5(four) VALUES (4) ON CONFLICT ON CONSTRAINT atest5_four_key DO UPDATE set three = 3; -- fails (due to SELECT)
-ERROR: permission denied for relation atest5
+ERROR: permission denied for table atest5
 INSERT INTO atest5(four) VALUES (4); -- ok
 SET SESSION AUTHORIZATION regress_user1;
 GRANT SELECT (four) ON atest5 TO regress_user4;
@@ -508,9 +508,9 @@ REVOKE ALL (one) ON atest5 FROM regress_user4; GRANT SELECT (one,two,blue) ON atest6 TO regress_user4; SET SESSION AUTHORIZATION regress_user4; SELECT one FROM atest5; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 UPDATE atest5 SET one = 1; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SELECT atest6 FROM atest6; -- ok atest6 -------- @@ -557,9 +557,9 @@ REVOKE ALL (one) ON atest5 FROM regress_user3; GRANT SELECT (one) ON atest5 TO regress_user4; SET SESSION AUTHORIZATION regress_user4; SELECT atest6 FROM atest6; -- fail -ERROR: permission denied for relation atest6 +ERROR: permission denied for table atest6 SELECT one FROM atest5 NATURAL JOIN atest6; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 SET SESSION AUTHORIZATION regress_user1; ALTER TABLE atest6 DROP COLUMN three; SET SESSION AUTHORIZATION regress_user4; @@ -578,12 +578,12 @@ ALTER TABLE atest6 DROP COLUMN two; REVOKE SELECT (one,blue) ON atest6 FROM regress_user4; SET SESSION AUTHORIZATION regress_user4; SELECT * FROM atest6; -- fail -ERROR: permission denied for relation atest6 +ERROR: permission denied for table atest6 SELECT 1 FROM atest6; -- fail -ERROR: permission denied for relation atest6 +ERROR: permission denied for table atest6 SET SESSION AUTHORIZATION regress_user3; DELETE FROM atest5 WHERE one = 1; -- fail -ERROR: permission denied for relation atest5 +ERROR: permission denied for table atest5 DELETE FROM atest5 WHERE two = 2; -- ok -- check inheritance cases SET SESSION AUTHORIZATION regress_user1; @@ -614,7 +614,7 @@ SELECT oid FROM atestp2; -- ok (0 rows) SELECT fy FROM atestc; -- fail -ERROR: permission denied for relation atestc +ERROR: permission denied for table atestc SET SESSION AUTHORIZATION regress_user1; GRANT SELECT(fy,oid) ON atestc TO regress_user2; SET SESSION AUTHORIZATION regress_user2; 
@@ -698,7 +698,7 @@ ERROR: permission denied for aggregate testagg1 CALL testproc1(6); -- fail ERROR: permission denied for procedure testproc1 SELECT col1 FROM atest2 WHERE col2 = true; -- fail -ERROR: permission denied for relation atest2 +ERROR: permission denied for table atest2 SELECT testfunc4(true); -- ok testfunc4 ----------- @@ -849,7 +849,7 @@ DROP DOMAIN testdomain1; -- ok SET SESSION AUTHORIZATION regress_user5; TRUNCATE atest2; -- ok TRUNCATE atest3; -- fail -ERROR: permission denied for relation atest3 +ERROR: permission denied for table atest3 -- has_table_privilege function -- bad-input checks select has_table_privilege(NULL,'pg_authid','select'); @@ -1435,7 +1435,7 @@ SELECT * FROM pg_largeobject LIMIT 0; SET SESSION AUTHORIZATION regress_user1; SELECT * FROM pg_largeobject LIMIT 0; -- to be denied -ERROR: permission denied for relation pg_largeobject +ERROR: permission denied for table pg_largeobject -- test default ACLs \c - CREATE SCHEMA testns; @@ -1899,14 +1899,14 @@ GRANT SELECT ON lock_table TO regress_locktable_user; SET SESSION AUTHORIZATION regress_locktable_user; BEGIN; LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should fail -ERROR: permission denied for relation lock_table +ERROR: permission denied for table lock_table ROLLBACK; BEGIN; LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should pass COMMIT; BEGIN; LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should fail -ERROR: permission denied for relation lock_table +ERROR: permission denied for table lock_table ROLLBACK; \c REVOKE SELECT ON lock_table FROM regress_locktable_user; 
@@ -1918,11 +1918,11 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
 COMMIT;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
-ERROR: permission denied for relation lock_table
+ERROR: permission denied for table lock_table
 ROLLBACK;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should fail
-ERROR: permission denied for relation lock_table
+ERROR: permission denied for table lock_table
 ROLLBACK;
 \c
 REVOKE INSERT ON lock_table FROM regress_locktable_user;
@@ -1934,7 +1934,7 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
 COMMIT;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
-ERROR: permission denied for relation lock_table
+ERROR: permission denied for table lock_table
 ROLLBACK;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
@@ -1949,7 +1949,7 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
 COMMIT;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
-ERROR: permission denied for relation lock_table
+ERROR: permission denied for table lock_table
 ROLLBACK;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
@@ -1964,7 +1964,7 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
 COMMIT;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
-ERROR: permission denied for relation lock_table
+ERROR: permission denied for table lock_table
 ROLLBACK;
 BEGIN;
 LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
diff --git a/src/test/regress/expected/publication.out b/src/test/regress/expected/publication.out
index b101331d69..0c86c647bc 100644
--- a/src/test/regress/expected/publication.out
+++ b/src/test/regress/expected/publication.out
@@ -198,7 +198,7 @@ GRANT CREATE ON DATABASE regression TO regress_publication_user2; SET ROLE regress_publication_user2; CREATE PUBLICATION testpub2; -- ok ALTER PUBLICATION testpub2 ADD TABLE testpub_tbl1; -- fail -ERROR: must be owner of relation testpub_tbl1 +ERROR: must be owner of table testpub_tbl1 SET ROLE regress_publication_user; GRANT regress_publication_user TO regress_publication_user2; SET ROLE regress_publication_user2; diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out index b8dcf51a30..f1ae40df61 100644 --- a/src/test/regress/expected/rowsecurity.out +++ b/src/test/regress/expected/rowsecurity.out @@ -361,7 +361,7 @@ INSERT INTO document VALUES (100, 55, 1, 'regress_rls_dave', 'testing sorting of ERROR: new row violates row-level security policy "p2r" for table "document" -- only owner can change policies ALTER POLICY p1 ON document USING (true); --fail -ERROR: must be owner of relation document +ERROR: must be owner of table document DROP POLICY p1 ON document; --fail ERROR: must be owner of relation document SET SESSION AUTHORIZATION regress_rls_alice; @@ -1192,7 +1192,7 @@ EXPLAIN (COSTS OFF) SELECT * FROM part_document WHERE f_leak(dtitle); -- only owner can change policies ALTER POLICY pp1 ON part_document USING (true); --fail -ERROR: must be owner of relation part_document +ERROR: must be owner of table part_document DROP POLICY pp1 ON part_document; --fail ERROR: must be owner of relation part_document SET SESSION AUTHORIZATION regress_rls_alice; 
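Review bot: The expected output for rowsecurity.out now carries two wordings for the same ownership failure: in the hunk at -361 `ALTER POLICY p1 ON document` expects `must be owner of table document`, while the unchanged context line two lines below, after `DROP POLICY p1 ON document`, still expects `must be owner of relation document`; the hunk at -1192 shows the same split for `part_document`. Presumably the DROP POLICY ownership check reaches aclcheck_error through a different call site that this patch does not convert, but that is not visible from these hunks. Either convert that path in this commit as well or note in the commit message that it is left for a follow-up, so that anyone matching these permission errors in logs or tests knows both forms are expected for now.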
@@ -2446,9 +2446,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM rls_view;
 -- Query as role that is not the owner of the table or view without permissions.
 SET SESSION AUTHORIZATION regress_rls_carol;
 SELECT * FROM rls_view; --fail - permission denied.
-ERROR: permission denied for relation rls_view
+ERROR: permission denied for view rls_view
 EXPLAIN (COSTS OFF) SELECT * FROM rls_view; --fail - permission denied.
-ERROR: permission denied for relation rls_view
+ERROR: permission denied for view rls_view
 -- Query as role that is not the owner of the table or view with permissions.
 SET SESSION AUTHORIZATION regress_rls_bob;
 GRANT SELECT ON rls_view TO regress_rls_carol;
@@ -3235,7 +3235,7 @@ COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail
 ERROR: query would be affected by row-level security policy for table "copy_t"
 SET row_security TO ON;
 COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - permission denied
-ERROR: permission denied for relation copy_t
+ERROR: permission denied for table copy_t
 -- Check COPY relation TO; keep it just one row to avoid reordering issues
 RESET SESSION AUTHORIZATION;
 SET row_security TO ON;
@@ -3271,10 +3271,10 @@ COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
 SET SESSION AUTHORIZATION regress_rls_carol;
 SET row_security TO OFF;
 COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
-ERROR: permission denied for relation copy_rel_to
+ERROR: permission denied for table copy_rel_to
 SET row_security TO ON;
 COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
-ERROR: permission denied for relation copy_rel_to
+ERROR: permission denied for table copy_rel_to
 -- Check COPY FROM as Superuser/owner.
 RESET SESSION AUTHORIZATION;
 SET row_security TO OFF;
@@ -3298,10 +3298,10 @@ COPY copy_t FROM STDIN; --ok SET SESSION AUTHORIZATION regress_rls_carol; SET row_security TO OFF; COPY copy_t FROM STDIN; --fail - permission denied. -ERROR: permission denied for relation copy_t +ERROR: permission denied for table copy_t SET row_security TO ON; COPY copy_t FROM STDIN; --fail - permission denied. -ERROR: permission denied for relation copy_t +ERROR: permission denied for table copy_t RESET SESSION AUTHORIZATION; DROP TABLE copy_t; DROP TABLE copy_rel_to CASCADE; diff --git a/src/test/regress/expected/select_into.out b/src/test/regress/expected/select_into.out index 5d54bbf3b0..ef7cfd6f29 100644 --- a/src/test/regress/expected/select_into.out +++ b/src/test/regress/expected/select_into.out @@ -22,15 +22,15 @@ GRANT ALL ON SCHEMA selinto_schema TO public; SET SESSION AUTHORIZATION regress_selinto_user; SELECT * INTO TABLE selinto_schema.tmp1 FROM pg_class WHERE relname like '%a%'; -- Error -ERROR: permission denied for relation tmp1 +ERROR: permission denied for table tmp1 SELECT oid AS clsoid, relname, relnatts + 10 AS x INTO selinto_schema.tmp2 FROM pg_class WHERE relname like '%b%'; -- Error -ERROR: permission denied for relation tmp2 +ERROR: permission denied for table tmp2 CREATE TABLE selinto_schema.tmp3 (a,b,c) AS SELECT oid,relname,relacl FROM pg_class WHERE relname like '%c%'; -- Error -ERROR: permission denied for relation tmp3 +ERROR: permission denied for table tmp3 RESET SESSION AUTHORIZATION; ALTER DEFAULT PRIVILEGES FOR ROLE regress_selinto_user GRANT INSERT ON TABLES TO regress_selinto_user; diff --git a/src/test/regress/expected/sequence.out b/src/test/regress/expected/sequence.out index 2384b7dd81..ca5ea063fa 100644 --- a/src/test/regress/expected/sequence.out +++ b/src/test/regress/expected/sequence.out 
@@ -785,7 +785,7 @@ ROLLBACK;
 BEGIN;
 SET LOCAL SESSION AUTHORIZATION regress_seq_user;
 ALTER SEQUENCE sequence_test2 START WITH 1;
-ERROR: must be owner of relation sequence_test2
+ERROR: must be owner of sequence sequence_test2
 ROLLBACK;
 -- Sequences should get wiped out as well:
 DROP TABLE serialTest1, serialTest2;
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
index 2090a411fe..964c115b14 100644
--- a/src/test/regress/expected/updatable_views.out
+++ b/src/test/regress/expected/updatable_views.out
@@ -990,26 +990,26 @@ SELECT * FROM rw_view2; -- ok (2 rows) INSERT INTO base_tbl VALUES (3, 'Row 3', 3.0); -- not allowed -ERROR: permission denied for relation base_tbl +ERROR: permission denied for table base_tbl INSERT INTO rw_view1 VALUES ('Row 3', 3.0, 3); -- not allowed -ERROR: permission denied for relation rw_view1 +ERROR: permission denied for view rw_view1 INSERT INTO rw_view2 VALUES ('Row 3', 3.0, 3); -- not allowed -ERROR: permission denied for relation base_tbl +ERROR: permission denied for table base_tbl UPDATE base_tbl SET a=a, c=c; -- ok UPDATE base_tbl SET b=b; -- not allowed -ERROR: permission denied for relation base_tbl +ERROR: permission denied for table base_tbl UPDATE rw_view1 SET bb=bb, cc=cc; -- ok UPDATE rw_view1 SET aa=aa; -- not allowed -ERROR: permission denied for relation rw_view1 +ERROR: permission denied for view rw_view1 UPDATE rw_view2 SET aa=aa, cc=cc; -- ok UPDATE rw_view2 SET bb=bb; -- not allowed -ERROR: permission denied for relation base_tbl +ERROR: permission denied for table base_tbl DELETE FROM base_tbl; -- not allowed -ERROR: permission denied for relation base_tbl +ERROR: permission denied for table base_tbl DELETE FROM rw_view1; -- not allowed -ERROR: permission denied for relation rw_view1 +ERROR: permission denied for view rw_view1 DELETE FROM rw_view2; -- not allowed -ERROR: permission denied for relation base_tbl +ERROR: permission denied for table base_tbl RESET SESSION AUTHORIZATION; SET SESSION AUTHORIZATION regress_view_user1; GRANT INSERT, DELETE ON base_tbl TO regress_view_user2; 
@@ -1017,11 +1017,11 @@ RESET SESSION AUTHORIZATION;
 SET SESSION AUTHORIZATION regress_view_user2;
 INSERT INTO base_tbl VALUES (3, 'Row 3', 3.0); -- ok
 INSERT INTO rw_view1 VALUES ('Row 4', 4.0, 4); -- not allowed
-ERROR: permission denied for relation rw_view1
+ERROR: permission denied for view rw_view1
 INSERT INTO rw_view2 VALUES ('Row 4', 4.0, 4); -- ok
 DELETE FROM base_tbl WHERE a=1; -- ok
 DELETE FROM rw_view1 WHERE aa=2; -- not allowed
-ERROR: permission denied for relation rw_view1
+ERROR: permission denied for view rw_view1
 DELETE FROM rw_view2 WHERE aa=2; -- ok
 SELECT * FROM base_tbl;
 a | b | c
@@ -1037,15 +1037,15 @@ GRANT INSERT, DELETE ON rw_view1 TO regress_view_user2;
 RESET SESSION AUTHORIZATION;
 SET SESSION AUTHORIZATION regress_view_user2;
 INSERT INTO base_tbl VALUES (5, 'Row 5', 5.0); -- not allowed
-ERROR: permission denied for relation base_tbl
+ERROR: permission denied for table base_tbl
 INSERT INTO rw_view1 VALUES ('Row 5', 5.0, 5); -- ok
 INSERT INTO rw_view2 VALUES ('Row 6', 6.0, 6); -- not allowed
-ERROR: permission denied for relation base_tbl
+ERROR: permission denied for table base_tbl
 DELETE FROM base_tbl WHERE a=3; -- not allowed
-ERROR: permission denied for relation base_tbl
+ERROR: permission denied for table base_tbl
 DELETE FROM rw_view1 WHERE aa=3; -- ok
 DELETE FROM rw_view2 WHERE aa=4; -- not allowed
-ERROR: permission denied for relation base_tbl
+ERROR: permission denied for table base_tbl
 SELECT * FROM base_tbl;
 a | b | c
 ---+-------+---
--
2.15.1