Re: TODO item question [pg_hba.conf] - Mailing list pgsql-hackers

From Gevik Babakhani
Subject Re: TODO item question [pg_hba.conf]
Date
Msg-id 1145661272.29554.44.camel@voyager.truesoftware.net
In response to Re: TODO item question [pg_hba.conf]  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Hi,

I have created a new patch. Please check to see if I am on the right
track.


1) The GRANT and REVOKE statements look like:
GRANT CONNECTION ON DATABASE db1 TO user1 (,user2,user3)
REVOKE CONNECTION ON DATABASE db1 TO user1 (,user2,user3)

2) The file parsenodes.h is updated to support
#define ACL_DATABASE_CONNECT

3) The file acl.h is updated to support
#define ACL_DATABASE_CONNECT_CHR      'c'

4) Functions "string_to_privilege" and "privilege_to_string" in
aclchk.c are updated to support ACL_DATABASE_CONNECT

5) Function "aclparse" in acl.c is updated to support
ACL_DATABASE_CONNECT

6) Catalog version number is updated to
CATALOG_VERSION_NO    200604211

7) File postinit.c method "ReverifyMyDatabase" is updated as follows:
First we check to make sure we are not in bootstrap processing mode.
If not, we check to see if the connected user has ACL_DATABASE_CONNECT.
If not, ereport(FATAL,.....)
(Perhaps we should change the error message later)

8) File dbcommands.c method "createdb" is updated as follows:
When a new database is being created we add a default ACL by 
calling acldefault(ACL_OBJECT_DATABASE,.... and adding the default ACL
by new_record[Anum_pg_database_datacl - 1] =
PointerGetDatum(defaultAcl);

This would mean, every time a new database gets created the owner of the
database gets the ACL_OBJECT_DATABASE privilege and can log in. Other
users not having the privilege to that database get an error message.
Because the catalog version is changed a pg_dump is necessary, which means
all the new roles created from that point will get the
ACL_OBJECT_DATABASE and everything should be "backward-compatible".

At this moment the owner of the database CAN REVOKE himself from the
ACL_OBJECT_DATABASE. If the implementation above is acceptable then I
can work on this one :)

http://www.xs4all.nl/~gevik/patch/patch-0.1.diff

Did I forget something? Please advise.
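
A simplified model of the login check described in item 7 and the default owner ACL of item 8, added here as an illustration; it is not code from the patch or from PostgreSQL. The function names and the sample ACL are hypothetical, and ACL entries are assumed to be in the `grantee=privs/grantor` text form, where an empty grantee means PUBLIC.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ACL_DATABASE_CONNECT_CHR 'c'    /* privilege letter from item 3 */

/* Constructed sample ACL: the owner got connect at creation (item 8), user1
 * was granted it later, user2 holds only TEMP ('T'), user3 has no entry. */
static const char *const SAMPLE_ACL[] = {
    "owner1=Cc/owner1", "user1=c/owner1", "user2=T/owner1"
};

/* Hypothetical helper: does one "grantee=privs/grantor" entry give `role`
 * (or PUBLIC, written as an empty grantee) the connect privilege? */
static bool entry_grants_connect(const char *entry, const char *role)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return false;                   /* malformed entry grants nothing */
    size_t glen = (size_t) (eq - entry);
    if (glen != 0 && (strlen(role) != glen || strncmp(entry, role, glen) != 0))
        return false;                   /* entry is for some other role */
    for (const char *p = eq + 1; *p != '\0' && *p != '/'; p++)
        if (*p == ACL_DATABASE_CONNECT_CHR)
            return true;
    return false;
}

/* Model of the item 7 check: skipped in bootstrap mode, otherwise the role
 * needs connect in the database ACL. No matching entry means denial. */
bool may_connect(const char *const *acl, size_t n, const char *role, bool bootstrap)
{
    if (bootstrap)
        return true;
    for (size_t i = 0; i < n; i++)
        if (entry_grants_connect(acl[i], role))
            return true;
    return false;
}

int main(void)
{
    const char *roles[] = { "owner1", "user1", "user2", "user3" };
    for (size_t i = 0; i < 4; i++)
        printf("%-7s %s\n", roles[i],
               may_connect(SAMPLE_ACL, 3, roles[i], false) ? "connect ok" : "FATAL: denied");
    return 0;
}
```

The self-revoke case mentioned in the message corresponds to an ACL such as `owner1=C/owner1`: the owner entry no longer carries `c`, so this model denies the owner as well.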




