diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2024-06-17 12:55:10 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2024-06-17 12:55:10 -0400 |
| commit | 35dd40d34cbdf5aa3e0f5b3493c33d00abb26456 (patch) | |
| tree | 3c7f0d0ed836f92409a3a14fa70d7c72a0016e7f /src/backend/utils/adt/acl.c | |
| parent | 653d3969bb013f14c4a6884a253ad9676caf8166 (diff) | |
| download | postgresql-35dd40d34cbdf5aa3e0f5b3493c33d00abb26456.tar.gz postgresql-35dd40d34cbdf5aa3e0f5b3493c33d00abb26456.zip | |
Improve tracking of role dependencies of pg_init_privs entries.
Commit 534287403 invented SHARED_DEPENDENCY_INITACL entries in
pg_shdepend, but installed them only for non-owner roles mentioned
in a pg_init_privs entry. This turns out to be the wrong thing,
because there is nothing to cue REASSIGN OWNED to go and update
pg_init_privs entries when the object's ownership is reassigned.
That leads to leaving dangling entries in pg_init_privs, as
reported by Hannu Krosing. Instead, install INITACL entries for
all roles mentioned in pg_init_privs entries (except pinned roles),
and change ALTER OWNER to not touch them, just as it doesn't
touch pg_init_privs entries.
REASSIGN OWNED will now substitute the new owner OID for the old
in pg_init_privs entries. This feels like perhaps not quite the
right thing, since pg_init_privs ought to be a historical record
of the state of affairs just after CREATE EXTENSION. However,
it's hard to see what else to do, if we don't want to disallow
dropping the object's original owner. In any case this is
better than the previous do-nothing behavior, and we're unlikely
to come up with a superior solution in time for v17.
While here, tighten up some coding rules about how ACLs in
pg_init_privs should never be null or empty. There's not any
obvious reason to allow that, and perhaps asserting that it's
not so will catch some bugs. (We were previously inconsistent
on the point, with some code paths taking care not to store
empty ACLs and others not.)
This leaves recordExtensionInitPrivWorker not doing anything
with its ownerId argument, but we'll deal with that separately.
catversion bump forced because of change of expected contents
of pg_shdepend when pg_init_privs entries exist.
Discussion: https://postgr.es/m/CAMT0RQSVgv48G5GArUvOVhottWqZLrvC5wBzBa4HrUdXe9VRXw@mail.gmail.com
Diffstat (limited to 'src/backend/utils/adt/acl.c')
| -rw-r--r-- | src/backend/utils/adt/acl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index dc10b4a4839..d7b39140b3d 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -1091,6 +1091,12 @@ aclupdate(const Acl *old_acl, const AclItem *mod_aip, * The result is a modified copy; the input object is not changed. * * NB: caller is responsible for having detoasted the input ACL, if needed. + * + * Note: the name of this function is a bit of a misnomer, since it will + * happily make the specified role substitution whether the old role is + * really the owner of the parent object or merely mentioned in its ACL. + * But the vast majority of callers use it in connection with ALTER OWNER + * operations, so we'll keep the name. */ Acl * aclnewowner(const Acl *old_acl, Oid oldOwnerId, Oid newOwnerId) |