Thread: Getting the function definition from oid in before firing the function
Dear Postgres Team,

For my thesis about secure access control for database systems I need to implement a new decision algorithm for deciding if commands can be executed. For that algorithm to work I need to keep a stack that holds all the commands that are currently running, like a stacktrace.

Each stack entry should contain the following:
- Session user
- User that runs the command (differs if we have security definer on triggers)
- Command
- Oid of trigger (if it is one)

Now my problem consists of two steps:
- First I need to decide if the algorithm supports the trigger type (only of LANGUAGE PLPGSQL).
- Second I need to get the SQL command that the function will execute.

What I tried was the following:
In the file trigger.c I have found the location where the function is called. There I have access to the FunctionCallInfoData struct. I have seen on http://www.postgresql.org/docs/9.4/static/functions-info.html that there is a function which should return the function's definition as a Datum from the function oid. Now this is a bit weird since in the source code the function expects a pointer to a FunctionCallInfoData struct, which is no problem since I have access to both there. But when I pass the pointer to the FunctionCallInfoData I always get an error stating that the cache lookup failed. I really don't know why, since when I investigate the struct fcinfo in gdb it has valid entries and also the oid of the function is accessible.

I would be glad for some help here.

Also another problem that I have at the moment is the following:
My advisor wanted to have a uniform interface for access control, thus I have refactored the code of postgres and moved the relevant access control parts to a new module (src/backend/access_control). Now I have put the header files in src/include/access_control. What I don't quite get is how to make a Makefile that delivers the object files as postgres needs them to link them to the main binary. Is it enough to make a Makefile that just creates the object files and leaves them in the correct folder for the root Makefile to pick them up or do I need to modify the root Makefile too?

Thank you very much for your help in advance, for both problems I have tried many variations and researched quite much, but did not find a solution.

Kind regards,
Mohammed Ajil

--
--------------------------------------------
Mohammed Ajil
Bsc CS D-INFK
ajilm@student.ethz.ch
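
The two steps named in the first message (checking that a trigger's function is LANGUAGE plpgsql, and getting the function's definition from its OID) can be seen at the SQL level with a catalog query. This is an added example, not part of the thread and not code from any of the posters; the ac_demo_* table, function and trigger names are constructed for illustration.

```sql
-- Constructed sample objects (hypothetical names) so the query has rows to report.
CREATE TABLE ac_demo_accounts (id int PRIMARY KEY, balance numeric);
CREATE TABLE ac_demo_log (account_id int, changed_at timestamptz);

CREATE FUNCTION ac_demo_log_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO ac_demo_log VALUES (NEW.id, now());
    RETURN NEW;
END;
$$;

CREATE TRIGGER ac_demo_trg
AFTER UPDATE ON ac_demo_accounts
FOR EACH ROW EXECUTE PROCEDURE ac_demo_log_change();

-- For each user-defined trigger on the sample table: the trigger OID, the OID
-- of the function it fires, that function's language, whether it runs as its
-- owner (SECURITY DEFINER), and the function's stored source and definition.
SELECT t.oid                       AS trigger_oid,
       t.tgname                    AS trigger_name,
       t.tgrelid::regclass         AS on_table,
       p.oid                       AS function_oid,
       l.lanname                   AS language,
       (l.lanname = 'plpgsql')     AS is_plpgsql,
       p.prosecdef                 AS security_definer,
       pg_get_userbyid(p.proowner) AS function_owner,
       p.prosrc                    AS function_body,
       pg_get_functiondef(p.oid)   AS full_definition
FROM pg_trigger  t
JOIN pg_proc     p ON p.oid = t.tgfoid      -- trigger -> function it calls
JOIN pg_language l ON l.oid = p.prolang     -- function -> implementation language
WHERE NOT t.tgisinternal                    -- skip constraint-generated triggers
  AND t.tgrelid = 'ac_demo_accounts'::regclass;
```

prosrc and pg_get_functiondef return the stored source text of the function, so statements a plpgsql function assembles at run time with EXECUTE do not appear there as literal commands.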
On 1/5/16 8:13 AM, Mohammed Ajil wrote:
> Now my problem consists of two steps:
> - First I need to decide if the algorithm supports the trigger type
> (only of LANGUAGE PLPGSQL).

plpgsql is NOT the only language that supports triggers.

> - Second I need to get the SQL command that the function will execute.
>
> What I tried was the following:
> In the file trigger.c I have found the location where the function is
> called.

I think triggers is the wrong way to approach this; it's full of holes (not the least of which is triggers don't fire on SELECT). You'd be much better off with an executor hook.

Have you looked at https://github.com/2ndQuadrant/pgaudit?

--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com
Hi,

Thanks for your answer!

I know that this is not the only language for triggers, but the algorithm I have to implement only supports these triggers.

I have looked at the audit trigger, but that is not quite what I am trying to achieve. I have implemented the stack push and pop for the initial commands at another location, what I am trying to do now is keep track of what triggers are fired, since they recursively can fire more triggers.

What is an executor hook?

Regards,
Mohammed

On 01/06/2016 03:20 AM, Jim Nasby wrote:
> On 1/5/16 8:13 AM, Mohammed Ajil wrote:
>> Now my problem consists of two steps:
>> - First I need to decide if the algorithm supports the trigger type
>> (only of LANGUAGE PLPGSQL).
>
> plpgsql is NOT the only language that supports triggers.
>
>> - Second I need to get the SQL command that the function will execute.
>>
>> What I tried was the following:
>> In the file trigger.c I have found the location where the function is
>> called.
>
> I think triggers is the wrong way to approach this; it's full of holes
> (not the least of which is triggers don't fire on SELECT). You'd be much
> better off with an executor hook.
>
> Have you looked at https://github.com/2ndQuadrant/pgaudit?

--
--------------------------------------------
Mohammed Ajil
Bsc CS D-INFK
ajilm@student.ethz.ch
Re: Getting the function definition from oid in before firing the function
From
Michael Paquier
Date:
On Wed, Jan 6, 2016 at 4:29 PM, Mohammed Ajil <ajilm@student.ethz.ch> wrote:
> What is an executor hook?

Here you go, with a particular focus on the ones named Executor*_hook:
https://wiki.postgresql.org/images/e/e3/Hooks_in_postgresql.pdf

--
Michael