Kohei KaiGai <kaigai@kaigai.gr.jp> writes:
> Sorry, it does not cover all the code paths that I want to apply permission
> checks around creation of new tables.
>
> The existing DAC checks permission on creation of new tables at
> DefineRelation() and OpenIntoRel(), and sepgsql also wants to follow
> this manner.
> However, OpenIntoRel() does not go through ProcessUtility, so it seems
> to me the command trigger is not invoked in this case.

We have the same problem in the command trigger patch, we will need to
add specific calls to its functions from code paths other than just
ProcessUtility.

> And, it seems to me the current proposition of the command trigger
> does not support firing triggers on creation of databases, although
> permission checks require the Oid of the source database, which also
> does not appear in the pg_database catalog.

I have to have a look at what forbids us from adding support for the create
database command here. It seems to be just another branch of the switch
in standard_ProcessUtility().

>> I don't think schemaname+objectname fails to be unique, so I don't think
>> you need another kind of Oid in BEFORE creation triggers here.
>>
> The pg_seclabel and pg_shseclabel need an OID to assign a security label
> on a particular database object, so the label provider (sepgsql) must know
> the Oid of the target object at assignment time.

Yes, and you need to refer to things you did in the BEFORE trigger from
the AFTER trigger, I'm just offering you a way to do that. Then if you
need the Oid in the AFTER trigger, of course you have it.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr PostgreSQL: Expertise, Training and Support