Re: New patch for Column-level privileges - Mailing list pgsql-hackers

From Tom Lane
Subject Re: New patch for Column-level privileges
Date
Msg-id 1558.1231536498@sss.pgh.pa.us
Whole thread Raw
In response to Re: New patch for Column-level privileges  (Stephen Frost <sfrost@snowman.net>)
Responses Re: New patch for Column-level privileges
List pgsql-hackers
Stephen Frost <sfrost@snowman.net> writes:
> Please test, comment, etc.

A few random comments based on a very fast scan through the patch:

The RTE fields really ought to be bitmaps not integer lists.  The
list representation is expensive to store, copy, etc.  You could use
the same approach the HOT patch used, ie offset the indexes by
FirstLowInvalidHeapAttributeNumber (cf pull_varattnos).

Patch is desperately lacking comments surrounding the altered meaning
of ATTRIBUTE_TUPLE_SIZE, the fact that TupleDescs no longer contain
complete copies of pg_attribute rows, etc.  It might be a good idea
to rename ATTRIBUTE_TUPLE_SIZE to ATTRIBUTE_TUPLE_FIXED_PART_SIZE
or something like that.

Don't like exporting allocacl() from acl.c nor having aclchk.c be so
intimate with the internal representation of ACLs.  Seems like the
operations actually needed could be represented a bit more abstractly,
ie copy an ACL or merge two ACLs.

applyColumnPrivs is misnamed as it's not "applying" any privileges nor
indeed doing much of anything directly to do with privileges.  It should
probably be named something more like findReferencedColumns.  And what's
with the special exception for SortGroupClause!?

Actually, though, you probably shouldn't have applyColumnPrivsWalker at all.
It requires an additional traversal of the parse tree, and an additional RTE
search for each var, for no good reason.  Can't we just mark the column
as referenced in make_var() and maybe a couple other places that already have
their hands on the RTE?

I don't see anything in transformDeleteStatement to handle the
fact that "DELETE ... WHERE foo = 42" requires select on foo.

In the gram.y changes, don't treat CREATE differently from the other
cases.  You need a test and error in the statement execution code anyway
for the case of a privilege type inappropriately applied to columns, and
it's better to throw that very specific error message than the generic
"syntax error" that bison is going to throw for CREATE (column list).

The comment added to InsertPgAttributeTuple seems not to belong to it
(copy/paste error?)

What's the point of disallowing column privileges on a sequence?  (aclcheck.c
line 800 or so) It's not nonsensical to want to restrict what someone can do
in "SELECT * FROM sequence".

pg_attribute_aclmask seems to need a rethink.  I don't like the amount
of policy copied-and-pasted from pg_class_aclmask, nor the fact that
it will fail for system attributes (attnum < 0), nor the fact that it
insists on looping over the attributes even if the relation privileges
would provide what's needed.  (Indeed, you shouldn't need that "merge
ACLs" operation at all -- you could be ORing a couple of bitmasks
instead, no?)

I don't find what you've done with no_priv_msg[] to be particularly
comfortable: if anyone ever tried to print an ACL_KIND_COLUMN error
with the regular code path (hardly unlikely) you'd get a core dump
due to the format wanting two %s arguments with only one supplied.
I think the best thing is for no_priv_msg[] to include just
+     gettext_noop("permission denied for column %s"),
and then make aclcheck_error_col() use its own error text rather than
pulling from the array.

Don't like naming of "Priv" node type, it's way too nonspecific.
Also, you need outfuncs.c support for it, see comment at head of
that file.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Greg Smith
Date:
Subject: Re: Improving compressibility of WAL files
Next
From: Tom Lane
Date:
Subject: Re: Re: [COMMITTERS] pgsql: Explicitly bind gettext() to the UTF8 locale when in use.