Re: pgsql: Add pg_get_acl() to get the ACL for a database object

From: "Joel Jacobson" <joel(at)compiler(dot)org>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Michael Paquier" <michael(at)paquier(dot)xyz>
Cc: pgsql-committers(at)lists(dot)postgresql(dot)org
Subject: Re: pgsql: Add pg_get_acl() to get the ACL for a database object
Date: 2024-07-04 20:53:49
Message-ID: f2688fb7-add6-43da-b1df-97312a451893@app.fastmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers pgsql-hackers

On Thu, Jul 4, 2024, at 17:44, Tom Lane wrote:
> Michael Paquier <michael(at)paquier(dot)xyz> writes:
>> Add pg_get_acl() to get the ACL for a database object
>> This function returns the ACL for a database object, specified by
>> catalog OID and object OID.
>
> Uh, why is it defined like that rather than allowing a subobject?
> This definition is unable to fetch column-specific ACLs.

Good point, that's surely an important missing feature,
that I hadn't thought about up until now.
Probably because all object classes, except columns, don't have subobjects.

I wonder if it would be motivated to provide overloads for this function,
and perhaps even for pg_get_object_address and pg_identify_object_as_address?

That is, two param versions (class OID and object OID),
and three param versions that in addition also take subobject ID.

Why I think this could be motivated, is since during discussion,
some even wanted reg* overloads, to avoid having to pass the class OID.

As a middle ground, maybe users would appreciate if they at least
didn't have pass in the extra 0, since it's meaningless anyway,
most of the times (for all classes except columns)?

Anyway, that's just an idea. We still need support for subobject,
so I had a look on how to implement it.

Unfortunately, the AlterObjectOwner_internal function in alter.c,
which pg_get_acl in objectaddress.c is based upon,
doesn't deal with subobjects.

I found some code in aclchk.c on line 4452-4468 that seems useful,
but not sure. Maybe there is some other existing code that is better
as an inspiration?

I guess we need to handle the RelationRelationId separately,
and handle all other classes using the current code in pg_get_acl()?

Regards,
Joel

In response to

Responses

Browse pgsql-committers by date

  From Date Subject
Next Message Michael Paquier 2024-07-04 23:18:33 Re: pgsql: Add pg_get_acl() to get the ACL for a database object
Previous Message Tom Lane 2024-07-04 17:23:56 pgsql: Doc: small improvements in discussion of geometric data types.

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2024-07-04 20:56:52 Re: Pluggable cumulative statistics
Previous Message Andres Freund 2024-07-04 20:36:16 Re: Linux likely() unlikely() for PostgreSQL