Thread: privileges regression problem on freebsd/alpha
Hi all, Just tested latest CVS on my freebsd/alpha. Only one test failed, and that's privileges related... *** ./expected/privileges.out Thu Mar 7 09:53:51 2002 --- ./results/privileges.out Fri Mar 8 11:03:36 2002 *************** *** 201,218 **** CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * $1;' LANGUAGE sql; CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * $1;' LANGUAGE sql; GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO regressuser2; GRANT USAGE ON FUNCTION testfunc1(int) TO regressuser3; -- semantic error ! ERROR: invalid privilege type USAGE for function object GRANT ALL PRIVILEGES ON FUNCTION testfunc1(int) TO regressuser4; GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch(int) TO regressuser4; ! ERROR: Function 'testfunc_nosuch(int4)' does not exist SET SESSION AUTHORIZATION regressuser2; SELECT testfunc1(5), testfunc2(5); -- ok ! testfunc1 | testfunc2 ! -----------+----------- ! 10 | 15 ! (1 row) ! CREATE FUNCTION testfunc3(int) RETURNS int AS 'select 2 * $1;' LANGUAGE sql; -- fail ERROR: permission denied SET SESSION AUTHORIZATION regressuser3; --- 201,216 ---- CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * $1;' LANGUAGE sql; CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * $1;' LANGUAGE sql; GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO regressuser2; + ERROR: bogus GrantStmt.objtype 458 GRANT USAGE ON FUNCTION testfunc1(int) TO regressuser3; -- semantic error ! ERROR: bogus GrantStmt.objtype 458 GRANT ALL PRIVILEGES ON FUNCTION testfunc1(int) TO regressuser4; + ERROR: bogus GrantStmt.objtype 458 GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch(int) TO regressuser4; ! ERROR: bogus GrantStmt.objtype 458 SET SESSION AUTHORIZATION regressuser2; SELECT testfunc1(5), testfunc2(5); -- ok ! ERROR: permission denied CREATE FUNCTION testfunc3(int) RETURNS int AS 'select 2 * $1;' LANGUAGE sql; -- fail ERROR: permission denied SET SESSION AUTHORIZATION regressuser3; *************** *** 220,230 **** ERROR: permission denied SET SESSION AUTHORIZATION regressuser4; SELECT testfunc1(5); -- ok ! testfunc1 ! ----------- ! 10 ! (1 row) ! DROP FUNCTION testfunc1(int); -- fail ERROR: RemoveFunction: function 'testfunc1': permission denied \c - --- 218,224 ---- ERROR: permission denied SET SESSION AUTHORIZATION regressuser4; SELECT testfunc1(5); -- ok ! ERROR: permission denied DROP FUNCTION testfunc1(int); -- fail ERROR: RemoveFunction: function 'testfunc1': permission denied \c - ======================================================================
Attachment
"Christopher Kings-Lynne" <chriskl@familyhealth.com.au> writes:
> GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO regressuser2;
> + ERROR: bogus GrantStmt.objtype 458
Does the error persist if you "make clean" and rebuild?
I'm betting this is not a platform issue, but just aclchk.c being out
of sync with the parser. GrantStmt is using parser token codes to
distinguish the various kinds of GRANT, which is probably a bad idea.
The token codes will change anytime someone looks crosseyed at gram.y
(well, I exaggerate, but they're not exactly stable). IMHO node
structure definitions shouldn't depend on them.
regards, tom lane
Yep, tried it again and everything passes. Chris > -----Original Message----- > From: Tom Lane [mailto:tgl@sss.pgh.pa.us] > Sent: Friday, 8 March 2002 1:33 PM > To: Christopher Kings-Lynne > Cc: Hackers > Subject: Re: [HACKERS] privileges regression problem on freebsd/alpha > > > "Christopher Kings-Lynne" <chriskl@familyhealth.com.au> writes: > > GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO > regressuser2; > > + ERROR: bogus GrantStmt.objtype 458 > > Does the error persist if you "make clean" and rebuild? > > I'm betting this is not a platform issue, but just aclchk.c being out > of sync with the parser. GrantStmt is using parser token codes to > distinguish the various kinds of GRANT, which is probably a bad idea. > The token codes will change anytime someone looks crosseyed at gram.y > (well, I exaggerate, but they're not exactly stable). IMHO node > structure definitions shouldn't depend on them. > > regards, tom lane >
"Christopher Kings-Lynne" <chriskl@familyhealth.com.au> writes:
> Yep, tried it again and everything passes.
Bingo.
>> I'm betting this is not a platform issue, but just aclchk.c being out
>> of sync with the parser. GrantStmt is using parser token codes to
>> distinguish the various kinds of GRANT, which is probably a bad idea.
>> The token codes will change anytime someone looks crosseyed at gram.y
>> (well, I exaggerate, but they're not exactly stable). IMHO node
>> structure definitions shouldn't depend on them.
Looking around finds these places where parser token codes are used
beyond the parser itself:
aclchk.c: GrantStmt
command.c: AlterTableDropConstraint
comment.c: CommentObject, CommentRelation
postgres.c: TransactionStmt
utility.c: TransactionStmt, FetchStmt, CopyStmt, DefineStmt, ReindexStmt
(I exclude _outAExpr in outfuncs.c, which is okay since it's effectively
only used for debugging dumps.)
I believe these are all trouble waiting to happen --- for example,
if utility.o is out of sync with the parser, a COPY command could be
interpreted as going in the wrong direction :-(. The risk would be
completely intolerable if any of these commands were allowed in stored
rules, since the rule parsetree would outlive any one compilation of the
backend. Currently that's not true, but they might be allowed sometime.
Barring strenuous objections from someplace, I plan to change these node
types to use booleans or special-purpose enum fields as appropriate.
That will make their representation independent of what the parser token
set happens to be on any given day. We should avoid re-introducing such
dependencies in future.
Comments?
regards, tom lane
Christopher, is this problem fixed now? --------------------------------------------------------------------------- Christopher Kings-Lynne wrote: > Hi all, > > Just tested latest CVS on my freebsd/alpha. Only one test failed, and > that's privileges related... > > *** ./expected/privileges.out Thu Mar 7 09:53:51 2002 > --- ./results/privileges.out Fri Mar 8 11:03:36 2002 > *************** > *** 201,218 **** > CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * $1;' LANGUAGE > sql; > CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * $1;' LANGUAGE > sql; > GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO regressuser2; > GRANT USAGE ON FUNCTION testfunc1(int) TO regressuser3; -- semantic error > ! ERROR: invalid privilege type USAGE for function object > GRANT ALL PRIVILEGES ON FUNCTION testfunc1(int) TO regressuser4; > GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch(int) TO regressuser4; > ! ERROR: Function 'testfunc_nosuch(int4)' does not exist > SET SESSION AUTHORIZATION regressuser2; > SELECT testfunc1(5), testfunc2(5); -- ok > ! testfunc1 | testfunc2 > ! -----------+----------- > ! 10 | 15 > ! (1 row) > ! > CREATE FUNCTION testfunc3(int) RETURNS int AS 'select 2 * $1;' LANGUAGE > sql; -- fail > ERROR: permission denied > SET SESSION AUTHORIZATION regressuser3; > --- 201,216 ---- > CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * $1;' LANGUAGE > sql; > CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * $1;' LANGUAGE > sql; > GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO regressuser2; > + ERROR: bogus GrantStmt.objtype 458 > GRANT USAGE ON FUNCTION testfunc1(int) TO regressuser3; -- semantic error > ! ERROR: bogus GrantStmt.objtype 458 > GRANT ALL PRIVILEGES ON FUNCTION testfunc1(int) TO regressuser4; > + ERROR: bogus GrantStmt.objtype 458 > GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch(int) TO regressuser4; > ! ERROR: bogus GrantStmt.objtype 458 > SET SESSION AUTHORIZATION regressuser2; > SELECT testfunc1(5), testfunc2(5); -- ok > ! ERROR: permission denied > CREATE FUNCTION testfunc3(int) RETURNS int AS 'select 2 * $1;' LANGUAGE > sql; -- fail > ERROR: permission denied > SET SESSION AUTHORIZATION regressuser3; > *************** > *** 220,230 **** > ERROR: permission denied > SET SESSION AUTHORIZATION regressuser4; > SELECT testfunc1(5); -- ok > ! testfunc1 > ! ----------- > ! 10 > ! (1 row) > ! > DROP FUNCTION testfunc1(int); -- fail > ERROR: RemoveFunction: function 'testfunc1': permission denied > \c - > --- 218,224 ---- > ERROR: permission denied > SET SESSION AUTHORIZATION regressuser4; > SELECT testfunc1(5); -- ok > ! ERROR: permission denied > DROP FUNCTION testfunc1(int); -- fail > ERROR: RemoveFunction: function 'testfunc1': permission denied > \c - > > ====================================================================== [ Attachment, skipping... ] [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 2: you can get off all lists at once with the unregister command > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
Yep > -----Original Message----- > From: Bruce Momjian [mailto:pgman@candle.pha.pa.us] > Sent: Friday, 15 March 2002 5:20 AM > To: Christopher Kings-Lynne > Cc: Hackers > Subject: Re: [HACKERS] privileges regression problem on freebsd/alpha > > > > Christopher, is this problem fixed now? > > ------------------------------------------------------------------ > --------- > > Christopher Kings-Lynne wrote: > > Hi all, > > > > Just tested latest CVS on my freebsd/alpha. Only one test failed, and > > that's privileges related... > > > > *** ./expected/privileges.out Thu Mar 7 09:53:51 2002 > > --- ./results/privileges.out Fri Mar 8 11:03:36 2002 > > *************** > > *** 201,218 **** > > CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * > $1;' LANGUAGE > > sql; > > CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * > $1;' LANGUAGE > > sql; > > GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO > regressuser2; > > GRANT USAGE ON FUNCTION testfunc1(int) TO regressuser3; -- > semantic error > > ! ERROR: invalid privilege type USAGE for function object > > GRANT ALL PRIVILEGES ON FUNCTION testfunc1(int) TO regressuser4; > > GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch(int) TO regressuser4; > > ! ERROR: Function 'testfunc_nosuch(int4)' does not exist > > SET SESSION AUTHORIZATION regressuser2; > > SELECT testfunc1(5), testfunc2(5); -- ok > > ! testfunc1 | testfunc2 > > ! -----------+----------- > > ! 10 | 15 > > ! (1 row) > > ! > > CREATE FUNCTION testfunc3(int) RETURNS int AS 'select 2 * > $1;' LANGUAGE > > sql; -- fail > > ERROR: permission denied > > SET SESSION AUTHORIZATION regressuser3; > > --- 201,216 ---- > > CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * > $1;' LANGUAGE > > sql; > > CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * > $1;' LANGUAGE > > sql; > > GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO > regressuser2; > > + ERROR: bogus GrantStmt.objtype 458 > > GRANT USAGE ON FUNCTION testfunc1(int) TO regressuser3; -- > semantic error > > ! ERROR: bogus GrantStmt.objtype 458 > > GRANT ALL PRIVILEGES ON FUNCTION testfunc1(int) TO regressuser4; > > + ERROR: bogus GrantStmt.objtype 458 > > GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch(int) TO regressuser4; > > ! ERROR: bogus GrantStmt.objtype 458 > > SET SESSION AUTHORIZATION regressuser2; > > SELECT testfunc1(5), testfunc2(5); -- ok > > ! ERROR: permission denied > > CREATE FUNCTION testfunc3(int) RETURNS int AS 'select 2 * > $1;' LANGUAGE > > sql; -- fail > > ERROR: permission denied > > SET SESSION AUTHORIZATION regressuser3; > > *************** > > *** 220,230 **** > > ERROR: permission denied > > SET SESSION AUTHORIZATION regressuser4; > > SELECT testfunc1(5); -- ok > > ! testfunc1 > > ! ----------- > > ! 10 > > ! (1 row) > > ! > > DROP FUNCTION testfunc1(int); -- fail > > ERROR: RemoveFunction: function 'testfunc1': permission denied > > \c - > > --- 218,224 ---- > > ERROR: permission denied > > SET SESSION AUTHORIZATION regressuser4; > > SELECT testfunc1(5); -- ok > > ! ERROR: permission denied > > DROP FUNCTION testfunc1(int); -- fail > > ERROR: RemoveFunction: function 'testfunc1': permission denied > > \c - > > > > ====================================================================== > > [ Attachment, skipping... ] > > [ Attachment, skipping... ] > > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 2: you can get off all lists at once with the unregister command > > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) > > -- > Bruce Momjian | http://candle.pha.pa.us > pgman@candle.pha.pa.us | (610) 853-3000 > + If your life is a hard drive, | 830 Blythe Avenue > + Christ can be your backup. | Drexel Hill, Pennsylvania 19026 >