Re: New patch for Column-level privileges - Mailing list pgsql-hackers
| From | KaiGai Kohei |
|---|---|
| Subject | Re: New patch for Column-level privileges |
| Date | |
| Msg-id | 4965A004.5090504@ak.jp.nec.com Whole thread Raw |
| In response to | Re: New patch for Column-level privileges ("Jaime Casanova" <jcasanov@systemguards.com.ec>) |
| Responses |
Re: New patch for Column-level privileges
(Tom Lane <tgl@sss.pgh.pa.us>)
|
| List | pgsql-hackers |
Jaime Casanova wrote: > On Wed, Jan 7, 2009 at 1:46 AM, KaiGai Kohei <kaigai@ak.jp.nec.com> wrote: >> The attached patch is a proof of the concept. >> It walks on a given query tree to append accessed columns on >> rte->cols_sel and rte->cols_mod. >> When aliasvar of JOIN'ed relation is accesses, its source is >> appended on the list. >> > > for my test i created to tables: > > CREATE TABLE t1 (col1 int primary key, col2 int); > CREATE TABLE t2 (col1 int references t1); > > and a role: > > CREATE ROLE rol1; > > then i granted all cols in the table to the role: > > GRANT SELECT (col1) ON t1 TO rol1; > GRANT SELECT (col2) ON t1 TO rol1; > GRANT SELECT (col1) ON t2 TO rol1; > > prueba=> \dp > Access privileges > Schema | Name | Type | Access privileges | Column Access privileges > --------+------+-------+---------------------------+-------------------------- > public | t1 | table | postgres=arwdDxt/postgres | col1 > : postgres=arw/postgres > : rol1=r/postgres > : col2 > : postgres=arw/postgres > : rol1=r/postgres > public | t2 | table | postgres=arwdDxt/postgres | col1 > : postgres=arw/postgres > : rol1=r/postgres > (2 rows) > > > then i execute: > > prueba=> select t1.* from t1, t2 where t1.col1 = t2.col1; > NOTICE: pg_attribute_aclmask: t1.col1 required: 0002 allowed: 0002 > NOTICE: pg_attribute_aclmask: t1.col2 required: 0002 allowed: 0002 > NOTICE: pg_attribute_aclmask: t1.col1 required: 0002 allowed: 0002 > NOTICE: pg_attribute_aclmask: t2.col1 required: 0002 allowed: 0002 > col1 | col2 > ------+------ > (0 rows) > > good, but if i doesn't include filter conditions: > > prueba=> select t1.* from t1, t2; > NOTICE: pg_attribute_aclmask: t1.col1 required: 0002 allowed: 0002 > NOTICE: pg_attribute_aclmask: t1.col2 required: 0002 allowed: 0002 > ERROR: permission denied for relation t2 > > is this intended? Basically, I want to wait for Stephen's opinion. However, it seem's to me it is a correct behavior. ExecCheckRTEPerms() checks user's privileges on columns, when he does not have required privileges on the table. When he has proper privileges on all the appeared columns within the table, it is allowed. But, when no columns are used on the table, it applies result of checks on the table. In this example, "rol1" does not have any privileges on relation "t1" and "t2", but he can select "t1.col1", "t1.col2" and "t2.col1". Since he does not have any privs on relations, column's privs are checked in both of queries. In the first query, he uses "col1" and "col2" for "t1" and "col1" for "t2", and all of them are allowed to select. So, he got succeeded. In the other query, he uses "col1" and "col2" for "t1" but no columns for "t2", so the result of checks on relation "t2" is applied. Stephen, could you indicate us what behavior is proper in this case? Thanks, -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@ak.jp.nec.com>
pgsql-hackers by date: