Thread: Setting ACL
I have a few questions about setting acl on SQL level. Is it safe to do something like UPDATE pg_class SET relacl = $1 WHERE oid = $2; ? I don't think it is because ExecGrant_* call updateAclDependencies after they do the update and my own update would not do that. But is it safe to do my update if I'm not touching anything in pg_global? If it is not safe, is there any point in keeping around makeaclitem()? I see no use for it except for manually setting an acl column like above, and it gives people a false sense of security (or at least it did for me). And finally, would there be any interest in a function like aclset("char", oid, aclitem[]) and does this properly? My use case is I have a simple view and a simple function that both provide a wrapper over a table, and I want to have an event trigger that updates their acls when the user does a GRANT/REVOKE on the base table. -- Vik Fearing
Vik Fearing <vik@postgresfriends.org> writes: > I have a few questions about setting acl on SQL level. > Is it safe to do something like > UPDATE pg_class SET relacl = $1 WHERE oid = $2; > ? > I don't think it is because ExecGrant_* call updateAclDependencies after > they do the update and my own update would not do that. But is it safe > to do my update if I'm not touching anything in pg_global? Well, it'll work, but the system won't know about the role references in this ACL item, so for instance dropping the role wouldn't make the ACL go away. Which might cause you dump/reload issues later. > And finally, would there be any interest in a function like > aclset("char", oid, aclitem[]) and does this properly? Not really, when GRANT is already there ... regards, tom lane
On 03/03/2020 19:02, Tom Lane wrote: > Vik Fearing <vik@postgresfriends.org> writes: >> I have a few questions about setting acl on SQL level. >> Is it safe to do something like >> UPDATE pg_class SET relacl = $1 WHERE oid = $2; >> ? > >> I don't think it is because ExecGrant_* call updateAclDependencies after >> they do the update and my own update would not do that. But is it safe >> to do my update if I'm not touching anything in pg_global? > > Well, it'll work, but the system won't know about the role references > in this ACL item, so for instance dropping the role wouldn't make the> ACL go away. Which might cause you dump/reloadissues later. Ok, so not safe. Should we remove makeaclitem() then? >> And finally, would there be any interest in a function like >> aclset("char", oid, aclitem[]) and does this properly? > > Not really, when GRANT is already there ... So I have to manually do a diff of the two acls and generate GRANT/REVOKE statements? That's not encouraging. :( -- Vik Fearing
Vik Fearing <vik@postgresfriends.org> writes: > Ok, so not safe. Should we remove makeaclitem() then? Well, I wouldn't recommend poking values into an ACL with it, but it seems like it has potential use in queries too, say select * from pg_class where makeaclitem('joe'::regrole, 'bob'::regrole, 'select', false) = any(relacl); However, that certainly leaves a lot to be desired because in practical cases you wouldn't only be interested in exact matches. I suppose the has_foo_privilege series of functions would cover some of that territory though. > So I have to manually do a diff of the two acls and generate > GRANT/REVOKE statements? That's not encouraging. :( The case of just blindly copying one object's ACL to another object seems kind of limited. I could see providing some more general facility for that sort of operation, but I'm not quite sure what it should look like. regards, tom lane
Greetings, * Vik Fearing (vik@postgresfriends.org) wrote: > So I have to manually do a diff of the two acls and generate > GRANT/REVOKE statements? That's not encouraging. :( Not sure if it's helpful to you, but pg_dump has code that generates SQL to do more-or-less exactly this. Thanks, Stephen