
Commit 463f262

Support SECURITY LABEL on databases, tablespaces, and roles.
This requires a new shared catalog, pg_shseclabel.

Along the way, fix the security_label regression tests so that they don't monkey with the labels of any pre-existing objects. This is unlikely to matter in practice, since only the label for the "dummy" provider was being manipulated. But this way still seems cleaner.

KaiGai Kohei, with fairly extensive hacking by me.
1 parent cacd42d commit 463f262

22 files changed (+534 -41 lines changed)

doc/src/sgml/catalogs.sgml

+78
@@ -238,6 +238,11 @@
238238
<entry>comments on shared objects</entry>
239239
</row>
240240

241+
<row>
242+
<entry><link linkend="catalog-pg-shseclabel"><structname>pg_shseclabel</structname></link></entry>
243+
<entry>security labels on shared database objects</entry>
244+
</row>
245+
241246
<row>
242247
<entry><link linkend="catalog-pg-statistic"><structname>pg_statistic</structname></link></entry>
243248
<entry>planner statistics</entry>
@@ -4681,6 +4686,12 @@
46814686
way to view security labels, see <xref linkend="view-pg-seclabels">.
46824687
</para>
46834688

4689+
<para>
4690+
See also <link linkend="catalog-pg-shseclabel"><structname>pg_shseclabel</structname></link>,
4691+
which performs a similar function for security labels of database objects
4692+
that are shared across a database cluster.
4693+
</para>
4694+
46844695
<table>
46854696
<title><structname>pg_seclabel</structname> Columns</title>
46864697

@@ -4959,6 +4970,73 @@
49594970

49604971
</sect1>
49614972

4973+
<sect1 id="catalog-pg-shseclabel">
4974+
<title><structname>pg_shseclabel</structname></title>
4975+
4976+
<indexterm zone="catalog-pg-shseclabel">
4977+
<primary>pg_shseclabel</primary>
4978+
</indexterm>
4979+
4980+
<para>
4981+
The catalog <structname>pg_shseclabel</structname> stores security
4982+
lables on shared database objects. Security labels can be manipulated
4983+
with the <xref linkend="sql-security-label"> command. For an easier
4984+
way to view security labels, see <xref linkend="view-pg-seclabels">.
4985+
</para>
4986+
4987+
<para>
4988+
See also <link linkend="catalog-pg-seclabel"><structname>pg_seclabel</structname></link>,
4989+
which performs a similar function for security labels involving objects
4990+
within a single database.
4991+
</para>
4992+
4993+
<para>
4994+
Unlike most system catalogs, <structname>pg_shseclabel</structname>
4995+
is shared across all databases of a cluster: there is only one
4996+
copy of <structname>pg_shseclabel</structname> per cluster, not
4997+
one per database.
4998+
</para>
4999+
5000+
<table>
5001+
<title><structname>pg_shseclabel</structname> Columns</title>
5002+
<tgroup cols="4">
5003+
<thead>
5004+
<row>
5005+
<entry>Name</entry>
5006+
<entry>Type</entry>
5007+
<entry>References</entry>
5008+
<entry>Description</entry>
5009+
</row>
5010+
</thead>
5011+
<tbody>
5012+
<row>
5013+
<entry><structfield>objoid</structfield></entry>
5014+
<entry><type>oid</type></entry>
5015+
<entry>any OID column</entry>
5016+
<entry>The OID of the object this security label pertains to</entry>
5017+
</row>
5018+
<row>
5019+
<entry><structfield>classoid</structfield></entry>
5020+
<entry><type>oid</type></entry>
5021+
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
5022+
<entry>The OID of the system catalog this object appears in</entry>
5023+
</row>
5024+
<row>
5025+
<entry><structfield>provider</structfield></entry>
5026+
<entry><type>name</type></entry>
5027+
<entry></entry>
5028+
<entry>The label provider associated with this label.</entry>
5029+
</row>
5030+
<row>
5031+
<entry><structfield>label</structfield></entry>
5032+
<entry><type>text</type></entry>
5033+
<entry></entry>
5034+
<entry>The security label applied to this object.</entry>
5035+
</row>
5036+
</tbody>
5037+
</tgroup>
5038+
</table>
5039+
</sect1>
49625040

49635041
<sect1 id="catalog-pg-statistic">
49645042
<title><structname>pg_statistic</structname></title>
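Review bot: typo in the new pg_shseclabel paragraph: "stores security lables on shared database objects" should read "labels". Separately, the new column table lists only objoid, classoid, provider and label, with no objsubid entry, whereas pg_seclabel has one; a sentence stating that shared objects have no sub-objects and therefore no objsubid column (the pg_seclabels view hunk in system_views.sql supplies a constant 0 for these rows) would answer the question a reader comparing the two catalogs will have.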

doc/src/sgml/ref/security_label.sgml

+3
@@ -26,13 +26,16 @@ SECURITY LABEL [ FOR <replaceable class="PARAMETER">provider</replaceable> ] ON
2626
TABLE <replaceable class="PARAMETER">object_name</replaceable> |
2727
COLUMN <replaceable class="PARAMETER">table_name</replaceable>.<replaceable class="PARAMETER">column_name</replaceable> |
2828
AGGREGATE <replaceable class="PARAMETER">agg_name</replaceable> (<replaceable class="PARAMETER">agg_type</replaceable> [, ...] ) |
29+
DATABASE <replaceable class="PARAMETER">object_name</replaceable> |
2930
DOMAIN <replaceable class="PARAMETER">object_name</replaceable> |
3031
FOREIGN TABLE <replaceable class="PARAMETER">object_name</replaceable>
3132
FUNCTION <replaceable class="PARAMETER">function_name</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">argname</replaceable> ] <replaceable class="parameter">argtype</replaceable> [, ...] ] ) |
3233
LARGE OBJECT <replaceable class="PARAMETER">large_object_oid</replaceable> |
3334
[ PROCEDURAL ] LANGUAGE <replaceable class="PARAMETER">object_name</replaceable> |
35+
ROLE <replaceable class="PARAMETER">object_name</replaceable> |
3436
SCHEMA <replaceable class="PARAMETER">object_name</replaceable> |
3537
SEQUENCE <replaceable class="PARAMETER">object_name</replaceable> |
38+
TABLESPACE <replaceable class="PARAMETER">object_name</replaceable> |
3639
TYPE <replaceable class="PARAMETER">object_name</replaceable> |
3740
VIEW <replaceable class="PARAMETER">object_name</replaceable>
3841
} IS '<replaceable class="PARAMETER">label</replaceable>'
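Review bot: the context line `FOREIGN TABLE <replaceable class="PARAMETER">object_name</replaceable>` is missing the trailing `|` that every other alternative in the synopsis carries, so FOREIGN TABLE and FUNCTION currently render as one alternative; since this synopsis is being edited anyway, fix it in the same patch. The three new alternatives (DATABASE, ROLE, TABLESPACE) name shared objects whose labels are stored in pg_shseclabel and are therefore visible from every database in the cluster, as the catalogs.sgml hunk documents; the Description or Notes section of this reference page should say so, because a label set while connected to one database applies to the role, database or tablespace cluster-wide.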

src/backend/catalog/Makefile

+1-1
@@ -39,7 +39,7 @@ POSTGRES_BKI_SRCS = $(addprefix $(top_srcdir)/src/include/catalog/,\
3939
pg_ts_parser.h pg_ts_template.h pg_extension.h \
4040
pg_foreign_data_wrapper.h pg_foreign_server.h pg_user_mapping.h \
4141
pg_foreign_table.h \
42-
pg_default_acl.h pg_seclabel.h pg_collation.h \
42+
pg_default_acl.h pg_seclabel.h pg_shseclabel.h pg_collation.h \
4343
toasting.h indexing.h \
4444
)
4545

src/backend/catalog/catalog.c

+3
@@ -34,6 +34,7 @@
3434
#include "catalog/pg_db_role_setting.h"
3535
#include "catalog/pg_shdepend.h"
3636
#include "catalog/pg_shdescription.h"
37+
#include "catalog/pg_shseclabel.h"
3738
#include "catalog/pg_tablespace.h"
3839
#include "catalog/toasting.h"
3940
#include "miscadmin.h"
@@ -380,6 +381,7 @@ IsSharedRelation(Oid relationId)
380381
relationId == PLTemplateRelationId ||
381382
relationId == SharedDescriptionRelationId ||
382383
relationId == SharedDependRelationId ||
384+
relationId == SharedSecLabelRelationId ||
383385
relationId == TableSpaceRelationId ||
384386
relationId == DbRoleSettingRelationId)
385387
return true;
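Review bot: listing SharedSecLabelRelationId here is what makes the new catalog behave as shared, but the catalog's `label` column is of type text (per the catalogs.sgml hunk), so the relation will also need a toast table, and that toast relation and its index must be listed in IsSharedRelation as well, otherwise oversized labels on shared objects would be stored in a per-database toast relation. Neither appears in this hunk or the following index hunk; confirm it is handled in one of the files not shown in this excerpt.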
@@ -394,6 +396,7 @@ IsSharedRelation(Oid relationId)
394396
relationId == SharedDescriptionObjIndexId ||
395397
relationId == SharedDependDependerIndexId ||
396398
relationId == SharedDependReferenceIndexId ||
399+
relationId == SharedSecLabelObjectIndexId ||
397400
relationId == TablespaceOidIndexId ||
398401
relationId == TablespaceNameIndexId ||
399402
relationId == DbRoleSettingDatidRolidIndexId)

src/backend/catalog/system_views.sql

+31-1
@@ -283,7 +283,37 @@ FROM
283283
pg_seclabel l
284284
JOIN pg_namespace nsp ON l.classoid = nsp.tableoid AND l.objoid = nsp.oid
285285
WHERE
286-
l.objsubid = 0;
286+
l.objsubid = 0
287+
UNION ALL
288+
SELECT
289+
l.objoid, l.classoid, 0::int4 AS objsubid,
290+
'database'::text AS objtype,
291+
NULL::oid AS objnamespace,
292+
quote_ident(dat.datname) AS objname,
293+
l.provider, l.label
294+
FROM
295+
pg_shseclabel l
296+
JOIN pg_database dat ON l.classoid = dat.tableoid AND l.objoid = dat.oid
297+
UNION ALL
298+
SELECT
299+
l.objoid, l.classoid, 0::int4 AS objsubid,
300+
'tablespace'::text AS objtype,
301+
NULL::oid AS objnamespace,
302+
quote_ident(spc.spcname) AS objname,
303+
l.provider, l.label
304+
FROM
305+
pg_shseclabel l
306+
JOIN pg_tablespace spc ON l.classoid = spc.tableoid AND l.objoid = spc.oid
307+
UNION ALL
308+
SELECT
309+
l.objoid, l.classoid, 0::int4 AS objsubid,
310+
'role'::text AS objtype,
311+
NULL::oid AS objnamespace,
312+
quote_ident(rol.rolname) AS objname,
313+
l.provider, l.label
314+
FROM
315+
pg_shseclabel l
316+
JOIN pg_authid rol ON l.classoid = rol.tableoid AND l.objoid = rol.oid;
287317

288318
CREATE VIEW pg_settings AS
289319
SELECT * FROM pg_show_all_settings() AS A;
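Review bot: the three new UNION ALL arms differ only in the joined catalog and the objtype literal; a one-line SQL comment before the first added `UNION ALL` noting that these arms read the shared catalog pg_shseclabel, so their rows appear identically in every database, would make the structure of the view clearer. The role arm joins pg_authid directly; because the view executes with its owner's privileges, security labels on roles become readable by any user who can query pg_seclabels, which matches the database and tablespace arms but is worth stating in the security_label documentation so that label providers do not treat label contents as confidential.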

src/backend/commands/dbcommands.c

+4-1
@@ -39,6 +39,7 @@
3939
#include "catalog/pg_tablespace.h"
4040
#include "commands/comment.h"
4141
#include "commands/dbcommands.h"
42+
#include "commands/seclabel.h"
4243
#include "commands/tablespace.h"
4344
#include "mb/pg_wchar.h"
4445
#include "miscadmin.h"
@@ -822,9 +823,11 @@ dropdb(const char *dbname, bool missing_ok)
822823
ReleaseSysCache(tup);
823824

824825
/*
825-
* Delete any comments associated with the database.
826+
* Delete any comments or security labels associated with
827+
* the database.
826828
*/
827829
DeleteSharedComments(db_id, DatabaseRelationId);
830+
DeleteSharedSecurityLabel(db_id, DatabaseRelationId);
828831

829832
/*
830833
* Remove settings associated with this database
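Review bot: dropdb now removes the database's rows from pg_shseclabel, but the same cleanup is needed wherever roles and tablespaces are dropped; none of those call sites appear in this excerpt, so verify they call DeleteSharedSecurityLabel with the matching class OID. Without it, a stale row keyed by the dropped object's OID stays behind, and since OIDs can be reused, a later object could silently inherit the old label. Rename paths need no change, since rows are keyed by OID rather than by name.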
