Re: generating function default settings from pg_proc.dat - Mailing list pgsql-hackers
| From | Tom Lane |
|---|---|
| Subject | Re: generating function default settings from pg_proc.dat |
| Date | |
| Msg-id | 2226242.1771454512@sss.pgh.pa.us Whole thread Raw |
| In response to | Re: generating function default settings from pg_proc.dat (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses |
Re: generating function default settings from pg_proc.dat
|
| List | pgsql-hackers |
I wrote:
> 2. GRANT/REVOKE operations. Andres muttered something about trying
> to integrate those into pg_proc.dat too, and I'm going to go look
> at the idea.
Here's a draft patch for that. It's pretty simple in concept: in
bootstrap mode, let aclitemin() look into a hard-wired table of role
names, just as we do for pg_type data before that catalog has been
loaded. Everything then basically just works. However, the project
bloated on me a little bit, because after removing all the function
revoke/grant commands from system_functions.sql, I was left with
GRANT pg_read_all_settings TO pg_monitor;
GRANT pg_read_all_stats TO pg_monitor;
GRANT pg_stat_scan_tables TO pg_monitor;
There was some excuse for those to live in system_functions.sql
as long as they were beside grants establishing special privileges
for those roles, but with those grants gone this seemed like an
unacceptably random place for them. So I moved that knowledge
into a new catalog data file pg_auth_members.dat.
This accomplishes the goal Andres had of eliminating pg_proc
update operations during initdb, except for the new-style
SQL-language functions set up in system_functions.sql:
postgres=# select xmin, oid, oid::regprocedure from pg_proc where xmin != 1 and prosqlbody is null;
xmin | oid | oid
------+-------+-------------------------------------------------------
261 | 14095 | dsnowball_init(internal)
262 | 14096 | dsnowball_lexize(internal,internal,internal,internal)
459 | 14161 | information_schema._pg_expandarray(anyarray)
612 | 14511 | plpgsql_call_handler()
612 | 14512 | plpgsql_inline_handler(internal)
612 | 14513 | plpgsql_validator(oid)
(6 rows)
However, I'm not sure I love it in this form, because what it
asks developers to do is populate proacl using aclitemin's
notation, eg
@@ -8602,7 +8641,8 @@
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{text,int8,int8,int8}', proargmodes => '{o,o,o,o}',
proargnames => '{name,off,size,allocated_size}',
- prosrc => 'pg_get_shmem_allocations' },
+ prosrc => 'pg_get_shmem_allocations',
+ proacl => '{postgres=X/postgres,pg_read_all_stats=X/postgres}' },
{ oid => '4099', descr => 'Is NUMA support available?',
proname => 'pg_numa_available', provolatile => 's', prorettype => 'bool',
That's verbose, and not very pretty, and potentially confusing because
it's predicated on the assumption that the bootstrap user's name is
'postgres'. This patch does work when the bootstrap user's name is
something else, but I don't really like hard-wiring things that way.
Is it worth putting in some additional kluge to allow this field
to be spelled in a different way, and if so what notation do we
want to adopt?
One thing we could do for free is to drop the "/postgres" grantor
notations, since aclitemin will default to assuming the grantor
is the bootstrap superuser. That makes things more compact but
doesn't move the needle far otherwise.
Another potential objection is specific to the functions that
underlie system views: before, their special grants/revokes lived
beside similar grants for the associated views. Now those are in
two different files with completely different notations. So maybe
this has taken the "single source of truth" idea too far, and we
should leave system_views.sql alone.
Comments welcome.
regards, tom lane
From 28afb7041102eb0b8657746106533a7780aaddc0 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Wed, 18 Feb 2026 17:38:30 -0500
Subject: [PATCH v1] Simplify creation of built-in functions with non-default
ACLs.
Up to now, to create such a function, one had to make a pg_proc.dat
entry and then modify it with GRANT/REVOKE commands, which we put in
system_functions.sql. That seems a little ugly though, because it
violates the idea of having a single source of truth about the initial
contents of pg_proc, and it results in leaving dead rows in the
initial contents of pg_proc.
This patch improves matters by allowing aclitemin() to work during
early bootstrap, before pg_authid has been loaded. On the same
principle that we use for early access to pg_type details, put
a table of known built-in role names into bootstrap.c, and use
that in bootstrap mode.
In this form of the patch, one must write verbatim ACL lists in
proacl entries in pg_proc.dat. That seems less than ideal:
it requires assuming a particular name for the bootstrap superuser
(here "postgres"), and it is a notation that many developers may
not be familiar with. Maybe we can think of a better notation.
Author: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/183292bb-4891-4c96-a3ca-e78b5e0e1358@dunslane.net
---
src/backend/bootstrap/bootstrap.c | 59 +++++++
src/backend/catalog/system_functions.sql | 166 +------------------
src/backend/catalog/system_views.sql | 14 --
src/backend/utils/adt/acl.c | 14 +-
src/include/bootstrap/bootstrap.h | 2 +
src/include/catalog/Makefile | 1 +
src/include/catalog/meson.build | 1 +
src/include/catalog/pg_auth_members.dat | 20 +++
src/include/catalog/pg_auth_members.h | 27 ++-
src/include/catalog/pg_authid.dat | 3 +
src/include/catalog/pg_proc.dat | 201 +++++++++++++++--------
11 files changed, 254 insertions(+), 254 deletions(-)
create mode 100644 src/include/catalog/pg_auth_members.dat
diff --git a/src/backend/bootstrap/bootstrap.c b/src/backend/bootstrap/bootstrap.c
index 8d601c363b4..e34b157b6de 100644
--- a/src/backend/bootstrap/bootstrap.c
+++ b/src/backend/bootstrap/bootstrap.c
@@ -25,6 +25,7 @@
#include "access/xact.h"
#include "bootstrap/bootstrap.h"
#include "catalog/index.h"
+#include "catalog/pg_authid.h"
#include "catalog/pg_collation.h"
#include "catalog/pg_proc.h"
#include "catalog/pg_type.h"
@@ -115,6 +116,8 @@ static const struct typinfo TypInfo[] = {
F_JSONB_IN, F_JSONB_OUT},
{"oid", OIDOID, 0, 4, true, TYPALIGN_INT, TYPSTORAGE_PLAIN, InvalidOid,
F_OIDIN, F_OIDOUT},
+ {"aclitem", ACLITEMOID, 0, 16, false, TYPALIGN_DOUBLE, TYPSTORAGE_PLAIN, InvalidOid,
+ F_ACLITEMIN, F_ACLITEMOUT},
{"pg_node_tree", PG_NODE_TREEOID, 0, -1, false, TYPALIGN_INT, TYPSTORAGE_EXTENDED, DEFAULT_COLLATION_OID,
F_PG_NODE_TREE_IN, F_PG_NODE_TREE_OUT},
{"int2vector", INT2VECTOROID, INT2OID, -1, false, TYPALIGN_INT, TYPSTORAGE_PLAIN, InvalidOid,
@@ -144,6 +147,43 @@ struct typmap
static List *Typ = NIL; /* List of struct typmap* */
static struct typmap *Ap = NULL;
+/*
+ * Basic information about built-in roles.
+ *
+ * Presently, this need only list roles that are mentioned in aclitem arrays
+ * in the catalog .dat files. We might as well list everything that is in
+ * pg_authid.dat, since there aren't that many. We assume that the bootstrap
+ * superuser's name is "postgres", even though it might not be that in the
+ * finished installation; this means aclitem entries in .dat files must spell
+ * it like that.
+ */
+struct rolinfo
+{
+ const char *rolname;
+ Oid oid;
+};
+
+static const struct rolinfo RolInfo[] = {
+ {"postgres", BOOTSTRAP_SUPERUSERID},
+ {"pg_database_owner", ROLE_PG_DATABASE_OWNER},
+ {"pg_read_all_data", ROLE_PG_READ_ALL_DATA},
+ {"pg_write_all_data", ROLE_PG_WRITE_ALL_DATA},
+ {"pg_monitor", ROLE_PG_MONITOR},
+ {"pg_read_all_settings", ROLE_PG_READ_ALL_SETTINGS},
+ {"pg_read_all_stats", ROLE_PG_READ_ALL_STATS},
+ {"pg_stat_scan_tables", ROLE_PG_STAT_SCAN_TABLES},
+ {"pg_read_server_files", ROLE_PG_READ_SERVER_FILES},
+ {"pg_write_server_files", ROLE_PG_WRITE_SERVER_FILES},
+ {"pg_execute_server_program", ROLE_PG_EXECUTE_SERVER_PROGRAM},
+ {"pg_signal_backend", ROLE_PG_SIGNAL_BACKEND},
+ {"pg_checkpoint", ROLE_PG_CHECKPOINT},
+ {"pg_maintain", ROLE_PG_MAINTAIN},
+ {"pg_use_reserved_connections", ROLE_PG_USE_RESERVED_CONNECTIONS},
+ {"pg_create_subscription", ROLE_PG_CREATE_SUBSCRIPTION},
+ {"pg_signal_autovacuum_worker", ROLE_PG_SIGNAL_AUTOVACUUM_WORKER}
+};
+
+
static Datum values[MAXATTR]; /* current row's attribute values */
static bool Nulls[MAXATTR];
@@ -1034,6 +1074,25 @@ boot_get_type_io_data(Oid typid,
}
}
+/* ----------------
+ * boot_get_role_oid
+ *
+ * Look up a role name at bootstrap time. This is equivalent to
+ * get_role_oid(rolname, true): return the role OID or InvalidOid if
+ * not found. We only need to cope with built-in role names.
+ * ----------------
+ */
+Oid
+boot_get_role_oid(const char *rolname)
+{
+ for (int i = 0; i < lengthof(RolInfo); i++)
+ {
+ if (strcmp(RolInfo[i].rolname, rolname) == 0)
+ return RolInfo[i].oid;
+ }
+ return InvalidOid;
+}
+
/* ----------------
* AllocateAttribute
*
diff --git a/src/backend/catalog/system_functions.sql b/src/backend/catalog/system_functions.sql
index 69699f8830a..1c5b6d6df05 100644
--- a/src/backend/catalog/system_functions.sql
+++ b/src/backend/catalog/system_functions.sql
@@ -14,12 +14,8 @@
* definitions of such functions into pg_proc.dat and then replace them
* here. The stub definitions would be unnecessary were it not that we'd
* like these functions to have stable OIDs, the same as other built-in
- * functions.
- *
- * This file also takes care of adjusting privileges for those functions
- * that should not have the default public-EXECUTE privileges. (However,
- * a small number of functions that exist mainly to underlie system views
- * are dealt with in system_views.sql, instead.)
+ * functions. (That's important, for example, to their treatment by
+ * postgres_fdw.)
*
* Note: this file is read in single-user -j mode, which means that the
* command terminator is semicolon-newline-newline; whenever the backend
@@ -376,161 +372,3 @@ CREATE OR REPLACE FUNCTION ts_debug(document text,
BEGIN ATOMIC
SELECT * FROM ts_debug(get_current_ts_config(), $1);
END;
-
-
---
--- The default permissions for functions mean that anyone can execute them.
--- A number of functions shouldn't be executable by just anyone, but rather
--- than use explicit 'superuser()' checks in those functions, we use the GRANT
--- system to REVOKE access to those functions at initdb time. Administrators
--- can later change who can access these functions, or leave them as only
--- available to superuser / cluster owner, if they choose.
---
-
-REVOKE EXECUTE ON FUNCTION pg_backup_start(text, boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_backup_stop(boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_create_restore_point(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_switch_wal() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_log_standby_snapshot() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_wal_replay_pause() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_wal_replay_resume() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_rotate_logfile() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_reload_conf() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_current_logfile() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_current_logfile(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_promote(boolean, integer) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset_shared(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset_slru(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset_single_table_counters(oid) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset_single_function_counters(oid) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset_backend_stats(integer) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset_replication_slot(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_have_stats(text, oid, int8) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_reset_subscription_stats(oid) FROM public;
-
-REVOKE EXECUTE ON FUNCTION lo_import(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION lo_import(text, oid) FROM public;
-
-REVOKE EXECUTE ON FUNCTION lo_export(oid, text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_logdir() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_archive_statusdir() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_summariesdir() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_tmpdir() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_tmpdir(oid) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_file(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_file(text,boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint,boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint,boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_advance(text, pg_lsn) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_create(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_drop(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_oid(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_progress(text, boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_session_is_setup() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_session_progress(boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_session_reset() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_session_setup(text, integer) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_xact_reset() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_replication_origin_xact_setup(pg_lsn, timestamp with time zone) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_show_replication_origin_status() FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_file(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_stat_file(text,boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_dir(text) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_dir(text,boolean,boolean) FROM public;
-
-REVOKE EXECUTE ON FUNCTION pg_log_backend_memory_contexts(integer) FROM PUBLIC;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_logicalsnapdir() FROM PUBLIC;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_logicalmapdir() FROM PUBLIC;
-
-REVOKE EXECUTE ON FUNCTION pg_ls_replslotdir(text) FROM PUBLIC;
-
---
--- We also set up some things as accessible to standard roles.
---
-
-GRANT EXECUTE ON FUNCTION pg_ls_logdir() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_waldir() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_archive_statusdir() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_summariesdir() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_tmpdir() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_tmpdir(oid) TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_logicalsnapdir() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_logicalmapdir() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_ls_replslotdir(text) TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_current_logfile() TO pg_monitor;
-
-GRANT EXECUTE ON FUNCTION pg_current_logfile(text) TO pg_monitor;
-
-GRANT pg_read_all_settings TO pg_monitor;
-
-GRANT pg_read_all_stats TO pg_monitor;
-
-GRANT pg_stat_scan_tables TO pg_monitor;
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 1ea8f1faa9e..56106d92eaf 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -650,19 +650,16 @@ CREATE VIEW pg_file_settings AS
SELECT * FROM pg_show_all_file_settings() AS A;
REVOKE ALL ON pg_file_settings FROM PUBLIC;
-REVOKE EXECUTE ON FUNCTION pg_show_all_file_settings() FROM PUBLIC;
CREATE VIEW pg_hba_file_rules AS
SELECT * FROM pg_hba_file_rules() AS A;
REVOKE ALL ON pg_hba_file_rules FROM PUBLIC;
-REVOKE EXECUTE ON FUNCTION pg_hba_file_rules() FROM PUBLIC;
CREATE VIEW pg_ident_file_mappings AS
SELECT * FROM pg_ident_file_mappings() AS A;
REVOKE ALL ON pg_ident_file_mappings FROM PUBLIC;
-REVOKE EXECUTE ON FUNCTION pg_ident_file_mappings() FROM PUBLIC;
CREATE VIEW pg_timezone_abbrevs AS
SELECT * FROM pg_timezone_abbrevs_zone() z
@@ -679,39 +676,30 @@ CREATE VIEW pg_config AS
SELECT * FROM pg_config();
REVOKE ALL ON pg_config FROM PUBLIC;
-REVOKE EXECUTE ON FUNCTION pg_config() FROM PUBLIC;
CREATE VIEW pg_shmem_allocations AS
SELECT * FROM pg_get_shmem_allocations();
REVOKE ALL ON pg_shmem_allocations FROM PUBLIC;
GRANT SELECT ON pg_shmem_allocations TO pg_read_all_stats;
-REVOKE EXECUTE ON FUNCTION pg_get_shmem_allocations() FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION pg_get_shmem_allocations() TO pg_read_all_stats;
CREATE VIEW pg_shmem_allocations_numa AS
SELECT * FROM pg_get_shmem_allocations_numa();
REVOKE ALL ON pg_shmem_allocations_numa FROM PUBLIC;
GRANT SELECT ON pg_shmem_allocations_numa TO pg_read_all_stats;
-REVOKE EXECUTE ON FUNCTION pg_get_shmem_allocations_numa() FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION pg_get_shmem_allocations_numa() TO pg_read_all_stats;
CREATE VIEW pg_dsm_registry_allocations AS
SELECT * FROM pg_get_dsm_registry_allocations();
REVOKE ALL ON pg_dsm_registry_allocations FROM PUBLIC;
GRANT SELECT ON pg_dsm_registry_allocations TO pg_read_all_stats;
-REVOKE EXECUTE ON FUNCTION pg_get_dsm_registry_allocations() FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION pg_get_dsm_registry_allocations() TO pg_read_all_stats;
CREATE VIEW pg_backend_memory_contexts AS
SELECT * FROM pg_get_backend_memory_contexts();
REVOKE ALL ON pg_backend_memory_contexts FROM PUBLIC;
GRANT SELECT ON pg_backend_memory_contexts TO pg_read_all_stats;
-REVOKE EXECUTE ON FUNCTION pg_get_backend_memory_contexts() FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION pg_get_backend_memory_contexts() TO pg_read_all_stats;
-- Statistics views
@@ -1471,5 +1459,3 @@ CREATE VIEW pg_aios AS
SELECT * FROM pg_get_aios();
REVOKE ALL ON pg_aios FROM PUBLIC;
GRANT SELECT ON pg_aios TO pg_read_all_stats;
-REVOKE EXECUTE ON FUNCTION pg_get_aios() FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION pg_get_aios() TO pg_read_all_stats;
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 641673f0b0e..31067f1f51e 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -17,6 +17,7 @@
#include <ctype.h>
#include "access/htup_details.h"
+#include "bootstrap/bootstrap.h"
#include "catalog/catalog.h"
#include "catalog/namespace.h"
#include "catalog/pg_auth_members.h"
@@ -261,6 +262,9 @@ putid(char *p, const char *s)
* This routine is called by the parser as well as aclitemin(), hence
* the added generality.
*
+ * In bootstrap mode, we consult a hard-wired list of role names
+ * (see bootstrap.c) rather than trying to access the catalogs.
+ *
* RETURNS:
* the string position in 's' immediately following the ACL
* specification. Also:
@@ -376,7 +380,10 @@ aclparse(const char *s, AclItem *aip, Node *escontext)
aip->ai_grantee = ACL_ID_PUBLIC;
else
{
- aip->ai_grantee = get_role_oid(name, true);
+ if (IsBootstrapProcessingMode())
+ aip->ai_grantee = boot_get_role_oid(name);
+ else
+ aip->ai_grantee = get_role_oid(name, true);
if (!OidIsValid(aip->ai_grantee))
ereturn(escontext, NULL,
(errcode(ERRCODE_UNDEFINED_OBJECT),
@@ -396,7 +403,10 @@ aclparse(const char *s, AclItem *aip, Node *escontext)
ereturn(escontext, NULL,
(errcode(ERRCODE_INVALID_TEXT_REPRESENTATION),
errmsg("a name must follow the \"/\" sign")));
- aip->ai_grantor = get_role_oid(name2, true);
+ if (IsBootstrapProcessingMode())
+ aip->ai_grantor = boot_get_role_oid(name2);
+ else
+ aip->ai_grantor = get_role_oid(name2, true);
if (!OidIsValid(aip->ai_grantor))
ereturn(escontext, NULL,
(errcode(ERRCODE_UNDEFINED_OBJECT),
diff --git a/src/include/bootstrap/bootstrap.h b/src/include/bootstrap/bootstrap.h
index 21447a3d661..e967b2b1885 100644
--- a/src/include/bootstrap/bootstrap.h
+++ b/src/include/bootstrap/bootstrap.h
@@ -56,6 +56,8 @@ extern void boot_get_type_io_data(Oid typid,
Oid *typoutput,
Oid *typcollation);
+extern Oid boot_get_role_oid(const char *rolname);
+
union YYSTYPE;
typedef void *yyscan_t;
diff --git a/src/include/catalog/Makefile b/src/include/catalog/Makefile
index 24b527230d4..444fc76eed6 100644
--- a/src/include/catalog/Makefile
+++ b/src/include/catalog/Makefile
@@ -94,6 +94,7 @@ POSTGRES_BKI_DATA = \
pg_amop.dat \
pg_amproc.dat \
pg_authid.dat \
+ pg_auth_members.dat \
pg_cast.dat \
pg_class.dat \
pg_collation.dat \
diff --git a/src/include/catalog/meson.build b/src/include/catalog/meson.build
index 433bcc908ad..bcc01c87c2e 100644
--- a/src/include/catalog/meson.build
+++ b/src/include/catalog/meson.build
@@ -78,6 +78,7 @@ bki_data = [
'pg_amop.dat',
'pg_amproc.dat',
'pg_authid.dat',
+ 'pg_auth_members.dat',
'pg_cast.dat',
'pg_class.dat',
'pg_collation.dat',
diff --git a/src/include/catalog/pg_auth_members.dat b/src/include/catalog/pg_auth_members.dat
new file mode 100644
index 00000000000..246373251d4
--- /dev/null
+++ b/src/include/catalog/pg_auth_members.dat
@@ -0,0 +1,20 @@
+#----------------------------------------------------------------------
+#
+# pg_auth_members.dat
+# Initial contents of the pg_auth_members system catalog.
+#
+# Portions Copyright (c) 1996-2026, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/include/catalog/pg_auth_members.dat
+#
+#----------------------------------------------------------------------
+
+[
+
+# We grant these roles to pg_monitor.
+{ roleid => 'pg_read_all_settings', member => 'pg_monitor' },
+{ roleid => 'pg_read_all_stats', member => 'pg_monitor' },
+{ roleid => 'pg_stat_scan_tables', member => 'pg_monitor' },
+
+]
diff --git a/src/include/catalog/pg_auth_members.h b/src/include/catalog/pg_auth_members.h
index 92cf5271496..15806df95bf 100644
--- a/src/include/catalog/pg_auth_members.h
+++ b/src/include/catalog/pg_auth_members.h
@@ -29,13 +29,26 @@
*/
CATALOG(pg_auth_members,1261,AuthMemRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(2843,AuthMemRelation_Rowtype_Id)
BKI_SCHEMA_MACRO
{
- Oid oid; /* oid */
- Oid roleid BKI_LOOKUP(pg_authid); /* ID of a role */
- Oid member BKI_LOOKUP(pg_authid); /* ID of a member of that role */
- Oid grantor BKI_LOOKUP(pg_authid); /* who granted the membership */
- bool admin_option; /* granted with admin option? */
- bool inherit_option; /* exercise privileges without SET ROLE? */
- bool set_option; /* use SET ROLE to the target role? */
+ /* OID for this record (needed for dependencies) */
+ Oid oid;
+
+ /* ID of a role */
+ Oid roleid BKI_LOOKUP(pg_authid);
+
+ /* ID of a member of that role */
+ Oid member BKI_LOOKUP(pg_authid);
+
+ /* who granted the membership */
+ Oid grantor BKI_DEFAULT(POSTGRES) BKI_LOOKUP(pg_authid);
+
+ /* granted with admin option? */
+ bool admin_option BKI_DEFAULT(f);
+
+ /* exercise privileges without SET ROLE? */
+ bool inherit_option BKI_DEFAULT(t);
+
+ /* use SET ROLE to the target role? */
+ bool set_option BKI_DEFAULT(t);
} FormData_pg_auth_members;
/* ----------------
diff --git a/src/include/catalog/pg_authid.dat b/src/include/catalog/pg_authid.dat
index 26b5c9971a4..3d376479cbe 100644
--- a/src/include/catalog/pg_authid.dat
+++ b/src/include/catalog/pg_authid.dat
@@ -18,6 +18,9 @@
# The bootstrap superuser is named POSTGRES according to this data and
# according to BKI_DEFAULT entries in other catalogs. However, initdb
# will replace that at database initialization time.
+# Inconsistently with that, the bootstrap superuser is called "postgres"
+# in ACL entries within the catalog .dat files, because boot_get_role_oid()
+# will translate it that way.
{ oid => '10', oid_symbol => 'BOOTSTRAP_SUPERUSERID',
rolname => 'POSTGRES', rolsuper => 't', rolinherit => 't',
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index dac40992cbc..5399044451e 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -1822,14 +1822,17 @@
{ oid => '764', descr => 'large object import',
proname => 'lo_import', provolatile => 'v', proparallel => 'u',
- prorettype => 'oid', proargtypes => 'text', prosrc => 'be_lo_import' },
+ prorettype => 'oid', proargtypes => 'text', prosrc => 'be_lo_import',
+ proacl => '{postgres=X/postgres}' },
{ oid => '767', descr => 'large object import',
proname => 'lo_import', provolatile => 'v', proparallel => 'u',
prorettype => 'oid', proargtypes => 'text oid',
- prosrc => 'be_lo_import_with_oid' },
+ prosrc => 'be_lo_import_with_oid',
+ proacl => '{postgres=X/postgres}' },
{ oid => '765', descr => 'large object export',
proname => 'lo_export', provolatile => 'v', proparallel => 'u',
- prorettype => 'int4', proargtypes => 'oid text', prosrc => 'be_lo_export' },
+ prorettype => 'int4', proargtypes => 'oid text', prosrc => 'be_lo_export',
+ proacl => '{postgres=X/postgres}' },
{ oid => '766', descr => 'increment',
proname => 'int4inc', prorettype => 'int4', proargtypes => 'int4',
@@ -5709,7 +5712,8 @@
{ oid => '6230', descr => 'statistics: check if a stats object exists',
proname => 'pg_stat_have_stats', provolatile => 'v', proparallel => 'r',
prorettype => 'bool', proargtypes => 'text oid int8',
- prosrc => 'pg_stat_have_stats' },
+ prosrc => 'pg_stat_have_stats',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6231', descr => 'statistics: information about subscription stats',
proname => 'pg_stat_get_subscription_stats', provolatile => 's',
@@ -6170,43 +6174,51 @@
{ oid => '2274',
descr => 'statistics: reset collected statistics for current database',
proname => 'pg_stat_reset', proisstrict => 'f', provolatile => 'v',
- prorettype => 'void', proargtypes => '', prosrc => 'pg_stat_reset' },
+ prorettype => 'void', proargtypes => '', prosrc => 'pg_stat_reset',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3775',
descr => 'statistics: reset collected statistics shared across the cluster',
proname => 'pg_stat_reset_shared', proisstrict => 'f', provolatile => 'v',
prorettype => 'void', proargtypes => 'text',
proargnames => '{target}', proargdefaults => '{NULL}',
- prosrc => 'pg_stat_reset_shared' },
+ prosrc => 'pg_stat_reset_shared',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3776',
descr => 'statistics: reset collected statistics for a single table or index in the current database or shared
acrossall databases in the cluster',
proname => 'pg_stat_reset_single_table_counters', provolatile => 'v',
prorettype => 'void', proargtypes => 'oid',
- prosrc => 'pg_stat_reset_single_table_counters' },
+ prosrc => 'pg_stat_reset_single_table_counters',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3777',
descr => 'statistics: reset collected statistics for a single function in the current database',
proname => 'pg_stat_reset_single_function_counters', provolatile => 'v',
prorettype => 'void', proargtypes => 'oid',
- prosrc => 'pg_stat_reset_single_function_counters' },
+ prosrc => 'pg_stat_reset_single_function_counters',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6387', descr => 'statistics: reset statistics for a single backend',
proname => 'pg_stat_reset_backend_stats', provolatile => 'v',
prorettype => 'void', proargtypes => 'int4',
- prosrc => 'pg_stat_reset_backend_stats' },
+ prosrc => 'pg_stat_reset_backend_stats',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2307',
descr => 'statistics: reset collected statistics for a single SLRU',
proname => 'pg_stat_reset_slru', proisstrict => 'f', provolatile => 'v',
prorettype => 'void', proargtypes => 'text', proargnames => '{target}',
proargdefaults => '{NULL}',
- prosrc => 'pg_stat_reset_slru' },
+ prosrc => 'pg_stat_reset_slru',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6170',
descr => 'statistics: reset collected statistics for a single replication slot',
proname => 'pg_stat_reset_replication_slot', proisstrict => 'f',
provolatile => 'v', prorettype => 'void', proargtypes => 'text',
- prosrc => 'pg_stat_reset_replication_slot' },
+ prosrc => 'pg_stat_reset_replication_slot',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6232',
descr => 'statistics: reset collected statistics for a single subscription',
proname => 'pg_stat_reset_subscription_stats', proisstrict => 'f',
provolatile => 'v', prorettype => 'void', proargtypes => 'oid',
- prosrc => 'pg_stat_reset_subscription_stats' },
+ prosrc => 'pg_stat_reset_subscription_stats',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3163', descr => 'current trigger depth',
proname => 'pg_trigger_depth', provolatile => 's', proparallel => 'r',
@@ -6553,21 +6565,24 @@
proallargtypes => '{text,int4,int4,text,text,bool,text}',
proargmodes => '{o,o,o,o,o,o,o}',
proargnames => '{sourcefile,sourceline,seqno,name,setting,applied,error}',
- prosrc => 'show_all_file_settings' },
+ prosrc => 'show_all_file_settings',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3401', descr => 'show pg_hba.conf rules',
proname => 'pg_hba_file_rules', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{int4,text,int4,text,_text,_text,text,text,text,_text,text}',
proargmodes => '{o,o,o,o,o,o,o,o,o,o,o}',
proargnames =>
'{rule_number,file_name,line_number,type,database,user_name,address,netmask,auth_method,options,error}',
- prosrc => 'pg_hba_file_rules' },
+ prosrc => 'pg_hba_file_rules',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6250', descr => 'show pg_ident.conf mappings',
proname => 'pg_ident_file_mappings', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{int4,text,int4,text,text,text,text}',
proargmodes => '{o,o,o,o,o,o,o}',
proargnames => '{map_number,file_name,line_number,map_name,sys_name,pg_username,error}',
- prosrc => 'pg_ident_file_mappings' },
+ prosrc => 'pg_ident_file_mappings',
+ proacl => '{postgres=X/postgres}' },
{ oid => '1371', descr => 'view system lock information',
proname => 'pg_lock_status', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
@@ -6737,30 +6752,36 @@
proname => 'pg_backup_start', provolatile => 'v', proparallel => 'r',
prorettype => 'pg_lsn', proargtypes => 'text bool',
proargnames => '{label,fast}', proargdefaults => '{false}',
- prosrc => 'pg_backup_start' },
+ prosrc => 'pg_backup_start',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2739', descr => 'finish taking an online backup',
proname => 'pg_backup_stop', provolatile => 'v', proparallel => 'r',
prorettype => 'record', proargtypes => 'bool',
proallargtypes => '{bool,pg_lsn,text,text}', proargmodes => '{i,o,o,o}',
proargnames => '{wait_for_archive,lsn,labelfile,spcmapfile}',
proargdefaults => '{true}',
- prosrc => 'pg_backup_stop' },
+ prosrc => 'pg_backup_stop',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3436', descr => 'promote standby server',
proname => 'pg_promote', provolatile => 'v', prorettype => 'bool',
proargtypes => 'bool int4', proargnames => '{wait,wait_seconds}',
proargdefaults => '{true,60}',
- prosrc => 'pg_promote' },
+ prosrc => 'pg_promote',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2848', descr => 'switch to new wal file',
proname => 'pg_switch_wal', provolatile => 'v', prorettype => 'pg_lsn',
- proargtypes => '', prosrc => 'pg_switch_wal' },
+ proargtypes => '', prosrc => 'pg_switch_wal',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6305', descr => 'log details of the current snapshot to WAL',
proname => 'pg_log_standby_snapshot', provolatile => 'v',
prorettype => 'pg_lsn', proargtypes => '',
- prosrc => 'pg_log_standby_snapshot' },
+ prosrc => 'pg_log_standby_snapshot',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3098', descr => 'create a named restore point',
proname => 'pg_create_restore_point', provolatile => 'v',
prorettype => 'pg_lsn', proargtypes => 'text',
- prosrc => 'pg_create_restore_point' },
+ prosrc => 'pg_create_restore_point',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2849', descr => 'current wal write location',
proname => 'pg_current_wal_lsn', provolatile => 'v', prorettype => 'pg_lsn',
proargtypes => '', prosrc => 'pg_current_wal_lsn' },
@@ -6816,10 +6837,12 @@
{ oid => '3071', descr => 'pause wal replay',
proname => 'pg_wal_replay_pause', provolatile => 'v', prorettype => 'void',
- proargtypes => '', prosrc => 'pg_wal_replay_pause' },
+ proargtypes => '', prosrc => 'pg_wal_replay_pause',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3072', descr => 'resume wal replay, if it was paused',
proname => 'pg_wal_replay_resume', provolatile => 'v', prorettype => 'void',
- proargtypes => '', prosrc => 'pg_wal_replay_resume' },
+ proargtypes => '', prosrc => 'pg_wal_replay_resume',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3073', descr => 'true if wal replay is paused',
proname => 'pg_is_wal_replay_paused', provolatile => 'v',
prorettype => 'bool', proargtypes => '',
@@ -6845,17 +6868,21 @@
{ oid => '2621', descr => 'reload configuration files',
proname => 'pg_reload_conf', provolatile => 'v', prorettype => 'bool',
- proargtypes => '', prosrc => 'pg_reload_conf' },
+ proargtypes => '', prosrc => 'pg_reload_conf',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2622', descr => 'rotate log file',
proname => 'pg_rotate_logfile', provolatile => 'v', prorettype => 'bool',
- proargtypes => '', prosrc => 'pg_rotate_logfile' },
+ proargtypes => '', prosrc => 'pg_rotate_logfile',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3800', descr => 'current logging collector file location',
proname => 'pg_current_logfile', proisstrict => 'f', provolatile => 'v',
- prorettype => 'text', proargtypes => '', prosrc => 'pg_current_logfile' },
+ prorettype => 'text', proargtypes => '', prosrc => 'pg_current_logfile',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '3801', descr => 'current logging collector file location',
proname => 'pg_current_logfile', proisstrict => 'f', provolatile => 'v',
prorettype => 'text', proargtypes => 'text',
- prosrc => 'pg_current_logfile_1arg' },
+ prosrc => 'pg_current_logfile_1arg',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '2623', descr => 'get information about file',
proname => 'pg_stat_file', provolatile => 'v', prorettype => 'record',
@@ -6863,48 +6890,60 @@
proallargtypes => '{text,int8,timestamptz,timestamptz,timestamptz,timestamptz,bool}',
proargmodes => '{i,o,o,o,o,o,o}',
proargnames => '{filename,size,access,modification,change,creation,isdir}',
- prosrc => 'pg_stat_file_1arg' },
+ prosrc => 'pg_stat_file_1arg',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3307', descr => 'get information about file',
proname => 'pg_stat_file', provolatile => 'v', prorettype => 'record',
proargtypes => 'text bool',
proallargtypes => '{text,bool,int8,timestamptz,timestamptz,timestamptz,timestamptz,bool}',
proargmodes => '{i,i,o,o,o,o,o,o}',
proargnames => '{filename,missing_ok,size,access,modification,change,creation,isdir}',
- prosrc => 'pg_stat_file' },
+ prosrc => 'pg_stat_file',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2624', descr => 'read text from a file',
proname => 'pg_read_file', provolatile => 'v', prorettype => 'text',
- proargtypes => 'text int8 int8', prosrc => 'pg_read_file_off_len' },
+ proargtypes => 'text int8 int8', prosrc => 'pg_read_file_off_len',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3293', descr => 'read text from a file',
proname => 'pg_read_file', provolatile => 'v', prorettype => 'text',
proargtypes => 'text int8 int8 bool',
- prosrc => 'pg_read_file_off_len_missing' },
+ prosrc => 'pg_read_file_off_len_missing',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3826', descr => 'read text from a file',
proname => 'pg_read_file', provolatile => 'v', prorettype => 'text',
- proargtypes => 'text', prosrc => 'pg_read_file_all' },
+ proargtypes => 'text', prosrc => 'pg_read_file_all',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6208', descr => 'read text from a file',
proname => 'pg_read_file', provolatile => 'v', prorettype => 'text',
- proargtypes => 'text bool', prosrc => 'pg_read_file_all_missing' },
+ proargtypes => 'text bool', prosrc => 'pg_read_file_all_missing',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3827', descr => 'read bytea from a file',
proname => 'pg_read_binary_file', provolatile => 'v', prorettype => 'bytea',
- proargtypes => 'text int8 int8', prosrc => 'pg_read_binary_file_off_len' },
+ proargtypes => 'text int8 int8', prosrc => 'pg_read_binary_file_off_len',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3295', descr => 'read bytea from a file',
proname => 'pg_read_binary_file', provolatile => 'v', prorettype => 'bytea',
proargtypes => 'text int8 int8 bool',
- prosrc => 'pg_read_binary_file_off_len_missing' },
+ prosrc => 'pg_read_binary_file_off_len_missing',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3828', descr => 'read bytea from a file',
proname => 'pg_read_binary_file', provolatile => 'v', prorettype => 'bytea',
- proargtypes => 'text', prosrc => 'pg_read_binary_file_all' },
+ proargtypes => 'text', prosrc => 'pg_read_binary_file_all',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6209', descr => 'read bytea from a file',
proname => 'pg_read_binary_file', provolatile => 'v', prorettype => 'bytea',
- proargtypes => 'text bool', prosrc => 'pg_read_binary_file_all_missing' },
+ proargtypes => 'text bool', prosrc => 'pg_read_binary_file_all_missing',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2625', descr => 'list all files in a directory',
proname => 'pg_ls_dir', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'text', proargtypes => 'text',
- prosrc => 'pg_ls_dir_1arg' },
+ prosrc => 'pg_ls_dir_1arg',
+ proacl => '{postgres=X/postgres}' },
{ oid => '3297', descr => 'list all files in a directory',
proname => 'pg_ls_dir', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'text', proargtypes => 'text bool bool',
- prosrc => 'pg_ls_dir' },
+ prosrc => 'pg_ls_dir',
+ proacl => '{postgres=X/postgres}' },
{ oid => '2626', descr => 'sleep for the specified time in seconds',
proname => 'pg_sleep', provolatile => 'v', prorettype => 'void',
proargtypes => 'float8', prosrc => 'pg_sleep' },
@@ -8602,7 +8641,8 @@
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{text,int8,int8,int8}', proargmodes => '{o,o,o,o}',
proargnames => '{name,off,size,allocated_size}',
- prosrc => 'pg_get_shmem_allocations' },
+ prosrc => 'pg_get_shmem_allocations',
+ proacl => '{postgres=X/postgres,pg_read_all_stats=X/postgres}' },
{ oid => '4099', descr => 'Is NUMA support available?',
proname => 'pg_numa_available', provolatile => 's', prorettype => 'bool',
@@ -8614,7 +8654,8 @@
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{text,int4,int8}', proargmodes => '{o,o,o}',
proargnames => '{name,numa_node,size}',
- prosrc => 'pg_get_shmem_allocations_numa' },
+ prosrc => 'pg_get_shmem_allocations_numa',
+ proacl => '{postgres=X/postgres,pg_read_all_stats=X/postgres}' },
{ oid => '9314',
descr => 'shared memory allocations tracked in the DSM registry',
@@ -8622,7 +8663,8 @@
proretset => 't', provolatile => 'v', prorettype => 'record',
proargtypes => '', proallargtypes => '{text,text,int8}',
proargmodes => '{o,o,o}', proargnames => '{name,type,size}',
- prosrc => 'pg_get_dsm_registry_allocations' },
+ prosrc => 'pg_get_dsm_registry_allocations',
+ proacl => '{postgres=X/postgres,pg_read_all_stats=X/postgres}' },
# memory context of local backend
{ oid => '2282',
@@ -8633,13 +8675,15 @@
proallargtypes => '{text,text,text,int4,_int4,int8,int8,int8,int8,int8}',
proargmodes => '{o,o,o,o,o,o,o,o,o,o}',
proargnames => '{name, ident, type, level, path, total_bytes, total_nblocks, free_bytes, free_chunks, used_bytes}',
- prosrc => 'pg_get_backend_memory_contexts' },
+ prosrc => 'pg_get_backend_memory_contexts',
+ proacl => '{postgres=X/postgres,pg_read_all_stats=X/postgres}' },
# logging memory contexts of the specified backend
{ oid => '4543', descr => 'log memory contexts of the specified backend',
proname => 'pg_log_backend_memory_contexts', provolatile => 'v',
prorettype => 'bool', proargtypes => 'int4',
- prosrc => 'pg_log_backend_memory_contexts' },
+ prosrc => 'pg_log_backend_memory_contexts',
+ proacl => '{postgres=X/postgres}' },
# non-persistent series generator
{ oid => '1066', descr => 'non-persistent series generator',
@@ -12312,63 +12356,74 @@
{ oid => '6003', descr => 'create a replication origin',
proname => 'pg_replication_origin_create', provolatile => 'v',
proparallel => 'u', prorettype => 'oid', proargtypes => 'text',
- prosrc => 'pg_replication_origin_create' },
+ prosrc => 'pg_replication_origin_create',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6004', descr => 'drop replication origin identified by its name',
proname => 'pg_replication_origin_drop', provolatile => 'v',
proparallel => 'u', prorettype => 'void', proargtypes => 'text',
- prosrc => 'pg_replication_origin_drop' },
+ prosrc => 'pg_replication_origin_drop',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6005',
descr => 'translate the replication origin\'s name to its id',
proname => 'pg_replication_origin_oid', provolatile => 's',
prorettype => 'oid', proargtypes => 'text',
- prosrc => 'pg_replication_origin_oid' },
+ prosrc => 'pg_replication_origin_oid',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6006',
descr => 'configure session to maintain replication progress tracking for the passed in origin',
proname => 'pg_replication_origin_session_setup', provolatile => 'v',
proparallel => 'u', prorettype => 'void', proargtypes => 'text int4',
proargnames => '{node_name,pid}', proargdefaults => '{0}',
- prosrc => 'pg_replication_origin_session_setup' },
+ prosrc => 'pg_replication_origin_session_setup',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6007', descr => 'teardown configured replication progress tracking',
proname => 'pg_replication_origin_session_reset', provolatile => 'v',
proparallel => 'u', prorettype => 'void', proargtypes => '',
- prosrc => 'pg_replication_origin_session_reset' },
+ prosrc => 'pg_replication_origin_session_reset',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6008',
descr => 'is a replication origin configured in this session',
proname => 'pg_replication_origin_session_is_setup', provolatile => 'v',
proparallel => 'r', prorettype => 'bool', proargtypes => '',
- prosrc => 'pg_replication_origin_session_is_setup' },
+ prosrc => 'pg_replication_origin_session_is_setup',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6009',
descr => 'get the replication progress of the current session',
proname => 'pg_replication_origin_session_progress', provolatile => 'v',
proparallel => 'u', prorettype => 'pg_lsn', proargtypes => 'bool',
- prosrc => 'pg_replication_origin_session_progress' },
+ prosrc => 'pg_replication_origin_session_progress',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6010', descr => 'setup the transaction\'s origin lsn and timestamp',
proname => 'pg_replication_origin_xact_setup', provolatile => 'v',
proparallel => 'r', prorettype => 'void', proargtypes => 'pg_lsn timestamptz',
- prosrc => 'pg_replication_origin_xact_setup' },
+ prosrc => 'pg_replication_origin_xact_setup',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6011', descr => 'reset the transaction\'s origin lsn and timestamp',
proname => 'pg_replication_origin_xact_reset', provolatile => 'v',
proparallel => 'r', prorettype => 'void', proargtypes => '',
- prosrc => 'pg_replication_origin_xact_reset' },
+ prosrc => 'pg_replication_origin_xact_reset',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6012', descr => 'advance replication origin to specific location',
proname => 'pg_replication_origin_advance', provolatile => 'v',
proparallel => 'u', prorettype => 'void', proargtypes => 'text pg_lsn',
- prosrc => 'pg_replication_origin_advance' },
+ prosrc => 'pg_replication_origin_advance',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6013',
descr => 'get an individual replication origin\'s replication progress',
proname => 'pg_replication_origin_progress', provolatile => 'v',
proparallel => 'u', prorettype => 'pg_lsn', proargtypes => 'text bool',
- prosrc => 'pg_replication_origin_progress' },
+ prosrc => 'pg_replication_origin_progress',
+ proacl => '{postgres=X/postgres}' },
{ oid => '6014', descr => 'get progress for all replication origins',
proname => 'pg_show_replication_origin_status', prorows => '100',
@@ -12376,7 +12431,8 @@
prorettype => 'record', proargtypes => '',
proallargtypes => '{oid,text,pg_lsn,pg_lsn}', proargmodes => '{o,o,o,o}',
proargnames => '{local_id, external_id, remote_lsn, local_lsn}',
- prosrc => 'pg_show_replication_origin_status' },
+ prosrc => 'pg_show_replication_origin_status',
+ proacl => '{postgres=X/postgres}' },
# publications
{ oid => '6119',
@@ -12414,7 +12470,8 @@
proname => 'pg_config', prorows => '23', proretset => 't', provolatile => 's',
proparallel => 'r', prorettype => 'record', proargtypes => '',
proallargtypes => '{text,text}', proargmodes => '{o,o}',
- proargnames => '{name,setting}', prosrc => 'pg_config' },
+ proargnames => '{name,setting}', prosrc => 'pg_config',
+ proacl => '{postgres=X/postgres}' },
# pg_controldata related functions
{ oid => '3441',
@@ -12489,49 +12546,57 @@
proname => 'pg_ls_logdir', procost => '10', prorows => '20', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{text,int8,timestamptz}', proargmodes => '{o,o,o}',
- proargnames => '{name,size,modification}', prosrc => 'pg_ls_logdir' },
+ proargnames => '{name,size,modification}', prosrc => 'pg_ls_logdir',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '3354', descr => 'list of files in the WAL directory',
proname => 'pg_ls_waldir', procost => '10', prorows => '20', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{text,int8,timestamptz}', proargmodes => '{o,o,o}',
- proargnames => '{name,size,modification}', prosrc => 'pg_ls_waldir' },
+ proargnames => '{name,size,modification}', prosrc => 'pg_ls_waldir',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '6400', descr => 'list of files in the pg_wal/summaries directory',
proname => 'pg_ls_summariesdir', procost => '10', prorows => '20',
proretset => 't', provolatile => 'v', prorettype => 'record',
proargtypes => '', proallargtypes => '{text,int8,timestamptz}',
proargmodes => '{o,o,o}', proargnames => '{name,size,modification}',
- prosrc => 'pg_ls_summariesdir' },
+ prosrc => 'pg_ls_summariesdir',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '5031', descr => 'list of files in the archive_status directory',
proname => 'pg_ls_archive_statusdir', procost => '10', prorows => '20',
proretset => 't', provolatile => 'v', prorettype => 'record',
proargtypes => '', proallargtypes => '{text,int8,timestamptz}',
proargmodes => '{o,o,o}', proargnames => '{name,size,modification}',
- prosrc => 'pg_ls_archive_statusdir' },
+ prosrc => 'pg_ls_archive_statusdir',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '5029', descr => 'list files in the pgsql_tmp directory',
proname => 'pg_ls_tmpdir', procost => '10', prorows => '20', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
proallargtypes => '{text,int8,timestamptz}', proargmodes => '{o,o,o}',
- proargnames => '{name,size,modification}', prosrc => 'pg_ls_tmpdir_noargs' },
+ proargnames => '{name,size,modification}', prosrc => 'pg_ls_tmpdir_noargs',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '5030', descr => 'list files in the pgsql_tmp directory',
proname => 'pg_ls_tmpdir', procost => '10', prorows => '20', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => 'oid',
proallargtypes => '{oid,text,int8,timestamptz}', proargmodes => '{i,o,o,o}',
proargnames => '{tablespace,name,size,modification}',
- prosrc => 'pg_ls_tmpdir_1arg' },
+ prosrc => 'pg_ls_tmpdir_1arg',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '6270',
descr => 'list of files in the pg_logical/snapshots directory',
proname => 'pg_ls_logicalsnapdir', procost => '10', prorows => '20',
proretset => 't', provolatile => 'v', prorettype => 'record',
proargtypes => '', proallargtypes => '{text,int8,timestamptz}',
proargmodes => '{o,o,o}', proargnames => '{name,size,modification}',
- prosrc => 'pg_ls_logicalsnapdir' },
+ prosrc => 'pg_ls_logicalsnapdir',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '6271',
descr => 'list of files in the pg_logical/mappings directory',
proname => 'pg_ls_logicalmapdir', procost => '10', prorows => '20',
proretset => 't', provolatile => 'v', prorettype => 'record',
proargtypes => '', proallargtypes => '{text,int8,timestamptz}',
proargmodes => '{o,o,o}', proargnames => '{name,size,modification}',
- prosrc => 'pg_ls_logicalmapdir' },
+ prosrc => 'pg_ls_logicalmapdir',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
{ oid => '6272',
descr => 'list of files in the pg_replslot/slot_name directory',
proname => 'pg_ls_replslotdir', procost => '10', prorows => '20',
@@ -12539,7 +12604,8 @@
proargtypes => 'text', proallargtypes => '{text,text,int8,timestamptz}',
proargmodes => '{i,o,o,o}',
proargnames => '{slot_name,name,size,modification}',
- prosrc => 'pg_ls_replslotdir' },
+ prosrc => 'pg_ls_replslotdir',
+ proacl => '{postgres=X/postgres,pg_monitor=X/postgres}' },
# hash partitioning constraint function
{ oid => '5028', descr => 'hash partition CHECK constraint',
@@ -12702,7 +12768,8 @@
proallargtypes => '{int4,int4,int8,text,text,int8,int8,text,int2,int4,text,text,bool,bool,bool}',
proargmodes => '{o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
proargnames =>
'{pid,io_id,io_generation,state,operation,off,length,target,handle_data_len,raw_result,result,target_desc,f_sync,f_localmem,f_buffered}',
- prosrc => 'pg_get_aios' },
+ prosrc => 'pg_get_aios',
+ proacl => '{postgres=X/postgres,pg_read_all_stats=X/postgres}' },
# oid8 related functions
{ oid => '8255', descr => 'convert oid to oid8',
--
2.43.7
pgsql-hackers by date: