authorBruce Momjian2000-06-09 15:51:02 +0000
committerBruce Momjian2000-06-09 15:51:02 +0000
commit85add42a570cdb4be2d674e62535eb54b4dcd5cf (patch)
treedbf157f4e38ff97df572bda2244d7280338bf541 /src/backend
parenta672e9650abcc9a08df06dd075a884543f3d87f3 (diff)
I have a large database that many users work with, and I very much need
more restrictions for fretful users. The current PG allows defining only the NO-CREATE-DB and NO-CREATE-USER restrictions, but for some users I need NO-CREATE-TABLE and NO-LOCK-TABLE. This patch adds the NOCREATETABLE and NOLOCKTABLE features to the current code: CREATE USER username [ WITH [ SYSID uid ] [ PASSWORD 'password' ] ] [ CREATEDB | NOCREATEDB ] [ CREATEUSER | NOCREATEUSER ] -> [ CREATETABLE | NOCREATETABLE ] [ LOCKTABLE | NOLOCKTABLE ] ...etc. If CREATETABLE or LOCKTABLE is not specified in the CREATE USER command, the default is CREATETABLE or LOCKTABLE (true). A user with the NOCREATETABLE restriction can't call the CREATE TABLE or SELECT INTO commands; only creating a temp table is allowed for him. Karel
Diffstat (limited to 'src/backend')
-rw-r--r--src/backend/commands/command.c18
-rw-r--r--src/backend/commands/creatinh.c22
-rw-r--r--src/backend/commands/user.c39
-rw-r--r--src/backend/parser/gram.y67
-rw-r--r--src/backend/parser/keywords.c8
-rw-r--r--src/backend/tcop/pquery.c22
6 files changed, 146 insertions, 30 deletions
diff --git a/src/backend/commands/command.c b/src/backend/commands/command.c
index 38cee644b22..48d2b4cbc34 100644
--- a/src/backend/commands/command.c
+++ b/src/backend/commands/command.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/commands/Attic/command.c,v 1.77 2000/06/04 22:04:32 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/Attic/command.c,v 1.78 2000/06/09 15:50:43 momjian Exp $
*
* NOTES
* The PortalExecutorHeapMemory crap needs to be eliminated
@@ -30,6 +30,7 @@
#include "commands/command.h"
#include "executor/spi.h"
#include "catalog/heap.h"
+#include "catalog/pg_shadow.h"
#include "miscadmin.h"
#include "optimizer/prep.h"
#include "utils/acl.h"
@@ -1211,6 +1212,21 @@ LockTableCommand(LockStmt *lockstmt)
{
Relation rel;
int aclresult;
+ HeapTuple tup;
+
+
+ /* ----------
+ * Check pg_shadow for global lock setting
+ * ----------
+ */
+ tup = SearchSysCacheTuple(SHADOWNAME, PointerGetDatum(GetPgUserName()), 0, 0, 0);
+
+ if (!HeapTupleIsValid(tup))
+ elog(ERROR, "LOCK TABLE: look at pg_shadow failed");
+
+ if (!((Form_pg_shadow) GETSTRUCT(tup))->uselocktable)
+ elog(ERROR, "LOCK TABLE: permission denied");
+
rel = heap_openr(lockstmt->relname, NoLock);
if (!RelationIsValid(rel))
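Review bot: The added pg_shadow check in LockTableCommand has no `superuser()` exemption, so an account whose row has `uselocktable` false is refused even if it is a superuser. If that is intended the comment should say so; otherwise guard it as `if (!superuser() && !((Form_pg_shadow) GETSTRUCT(tup))->uselocktable)`. The same lookup-and-test block is repeated in the DefineRelation hunk in creatinh.c and the ProcessQueryDesc hunk in pquery.c; one shared helper that takes the command name would keep the three checks and their messages in step. LockTableCommand's body continues past the end of this hunk.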
diff --git a/src/backend/commands/creatinh.c b/src/backend/commands/creatinh.c
index f33d301ded2..4d52b9aad76 100644
--- a/src/backend/commands/creatinh.c
+++ b/src/backend/commands/creatinh.c
@@ -9,9 +9,9 @@
*
* IDENTIFICATION
<<<<<<< creatinh.c
- * $Header: /cvsroot/pgsql/src/backend/commands/Attic/creatinh.c,v 1.59 2000/06/09 01:44:03 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/Attic/creatinh.c,v 1.60 2000/06/09 15:50:43 momjian Exp $
=======
- * $Header: /cvsroot/pgsql/src/backend/commands/Attic/creatinh.c,v 1.59 2000/06/09 01:44:03 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/Attic/creatinh.c,v 1.60 2000/06/09 15:50:43 momjian Exp $
>>>>>>> 1.58
*
*-------------------------------------------------------------------------
@@ -26,8 +26,10 @@
#include "catalog/pg_inherits.h"
#include "catalog/pg_ipl.h"
#include "catalog/pg_type.h"
+#include "catalog/pg_shadow.h"
#include "commands/creatinh.h"
#include "utils/syscache.h"
+#include "miscadmin.h"
/* ----------------
* local stuff
@@ -63,6 +65,22 @@ DefineRelation(CreateStmt *stmt, char relkind)
int i;
AttrNumber attnum;
+ if (!stmt->istemp) {
+ HeapTuple tup;
+
+ /* ----------
+ * Check pg_shadow for global createTable setting
+ * ----------
+ */
+ tup = SearchSysCacheTuple(SHADOWNAME, PointerGetDatum(GetPgUserName()), 0, 0, 0);
+
+ if (!HeapTupleIsValid(tup))
+ elog(ERROR, "CREATE TABLE: look at pg_shadow failed");
+
+ if (!((Form_pg_shadow) GETSTRUCT(tup))->usecreatetable)
+ elog(ERROR, "CREATE TABLE: permission denied");
+ }
+
if (strlen(stmt->relname) >= NAMEDATALEN)
elog(ERROR, "the relation name %s is >= %d characters long",
stmt->relname, NAMEDATALEN);
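Review bot: The new check in DefineRelation keys only on `stmt->istemp` and ignores the `relkind` argument. If this function is also reached for relation kinds other than plain tables (the parameter suggests it may be), a NOCREATETABLE user is refused there too and is told `CREATE TABLE: permission denied`. Either restrict the test to the table kind or document above the check that the flag covers every relation DefineRelation creates. The function starts before and continues after this hunk.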
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 55dcd55adf1..512c5b4c2a3 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -6,7 +6,7 @@
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.58 2000/06/09 01:11:04 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.59 2000/06/09 15:50:43 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -250,6 +250,10 @@ CreateUser(CreateUserStmt *stmt)
return;
}
+ AssertState(BoolIsValid(stmt->createtable));
+ new_record[Anum_pg_shadow_usecreatetable-1] = (Datum)(stmt->createtable);
+ AssertState(BoolIsValid(stmt->locktable));
+ new_record[Anum_pg_shadow_uselocktable-1] = (Datum)(stmt->locktable);
/*
* Build a tuple to insert
*/
@@ -263,6 +267,8 @@ CreateUser(CreateUserStmt *stmt)
AssertState(BoolIsValid(stmt->createuser));
new_record[Anum_pg_shadow_usesuper - 1] = (Datum) (stmt->createuser);
/* superuser gets catupd right by default */
+ new_record_nulls[Anum_pg_shadow_usecreatetable-1] = ' ';
+ new_record_nulls[Anum_pg_shadow_uselocktable-1] = ' ';
new_record[Anum_pg_shadow_usecatupd - 1] = (Datum) (stmt->createuser);
if (stmt->password)
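Review bot: The two `new_record_nulls[...] = ' ';` lines are inserted between the `/* superuser gets catupd right by default */` comment and the `usecatupd` assignment that comment describes. The matching value assignments sit in the previous hunk, ahead of the `Build a tuple to insert` comment. Keep each column's value and null flag together below that comment, and use the file's existing spacing (`Anum_pg_shadow_usecreatetable - 1`). CreateUser's body extends beyond both hunks.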
@@ -352,7 +358,8 @@ AlterUser(AlterUserStmt *stmt)
/* must be superuser or just want to change your own password */
if (!superuser() &&
- !(stmt->createdb == 0 && stmt->createuser == 0 && !stmt->validUntil
+ !(stmt->createdb==0 && stmt->createuser==0 && stmt->createtable==0
+ && stmt->locktable==0 && !stmt->validUntil
&& stmt->password && strcmp(GetPgUserName(), stmt->user) == 0))
elog(ERROR, "ALTER USER: permission denied");
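Review bot: The self-service password test now requires `stmt->createtable==0 && stmt->locktable==0`, but the `user_createtable_clause` and `user_locktable_clause` rules added in gram.y return `+1` for their empty alternative and AlterUserStmt copies that value unchanged. The condition therefore cannot hold for a parsed ALTER USER, and a non-superuser changing only their own password gets `ALTER USER: permission denied`. For the same reason the `== 0` "don't change" branches in the next AlterUser hunk are not reached, so any ALTER USER that omits the clauses rewrites both flags to true and silently lifts a NOCREATETABLE or NOLOCKTABLE restriction. Have the empty alternatives return `$$ = 0;` and apply the default in CreateUserStmt instead, e.g. `n->createtable = $6 != -1;` and `n->locktable = $7 != -1;` (`$9`/`$10` in the WITH form). AlterUser begins and ends outside this hunk.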
@@ -380,8 +387,32 @@ AlterUser(AlterUserStmt *stmt)
/*
* Build a tuple to update, perusing the information just obtained
*/
- new_record[Anum_pg_shadow_usename - 1] = PointerGetDatum(namein(stmt->user));
- new_record_nulls[Anum_pg_shadow_usename - 1] = ' ';
+
+ /* createtable */
+ if (stmt->createtable == 0)
+ {
+ /* don't change */
+ new_record[Anum_pg_shadow_usecreatetable-1] = heap_getattr(tuple, Anum_pg_shadow_usecreatetable, pg_shadow_dsc, &null);
+ new_record_nulls[Anum_pg_shadow_usecreatetable-1] = null ? 'n' : ' ';
+ }
+ else
+ {
+ new_record[Anum_pg_shadow_usecreatetable-1] = (Datum)(stmt->createtable > 0 ? true : false);
+ new_record_nulls[Anum_pg_shadow_usecreatetable-1] = ' ';
+ }
+
+ /* locktable */
+ if (stmt->locktable == 0)
+ {
+ /* don't change */
+ new_record[Anum_pg_shadow_uselocktable-1] = heap_getattr(tuple, Anum_pg_shadow_uselocktable, pg_shadow_dsc, &null);
+ new_record_nulls[Anum_pg_shadow_uselocktable-1] = null ? 'n' : ' ';
+ }
+ else
+ {
+ new_record[Anum_pg_shadow_uselocktable-1] = (Datum)(stmt->locktable > 0 ? true : false);
+ new_record_nulls[Anum_pg_shadow_uselocktable-1] = ' ';
+ }
/* sysid - leave as is */
new_record[Anum_pg_shadow_usesysid - 1] = heap_getattr(tuple, Anum_pg_shadow_usesysid, pg_shadow_dsc, &null);
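Review bot: This hunk deletes the `usename` assignments and nothing on the new side replaces them, so unless the column is filled elsewhere in AlterUser the updated tuple is built with an unset name slot. The removed pair should stay ahead of the new createtable block: `new_record[Anum_pg_shadow_usename - 1] = PointerGetDatum(namein(stmt->user));` and `new_record_nulls[Anum_pg_shadow_usename - 1] = ' ';`. The rest of AlterUser is outside the hunk.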
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index 38539964f5b..8506d005218 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/parser/gram.y,v 2.170 2000/06/09 01:44:18 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/parser/gram.y,v 2.171 2000/06/09 15:50:44 momjian Exp $
*
* HISTORY
* AUTHOR DATE MAJOR EVENT
@@ -145,7 +145,8 @@ static void doNegateFloat(Value *v);
%type <ival> opt_lock, lock_type
%type <boolean> opt_lmode, opt_force
-%type <ival> user_createdb_clause, user_createuser_clause
+%type <ival> user_createdb_clause, user_createuser_clause, user_createtable_clause,
+ user_locktable_clause
%type <str> user_passwd_clause
%type <ival> sysid_clause
%type <str> user_valid_clause
@@ -339,14 +340,14 @@ static void doNegateFloat(Value *v);
*/
%token ABORT_TRANS, ACCESS, AFTER, AGGREGATE, ANALYZE,
BACKWARD, BEFORE, BINARY, BIT,
- CACHE, CLUSTER, COMMENT, COPY, CREATEDB, CREATEUSER, CYCLE,
+ CACHE, CLUSTER, COMMENT, COPY, CREATEDB, CREATETABLE, CREATEUSER, CYCLE,
DATABASE, DELIMITERS, DO,
EACH, ENCODING, EXCLUSIVE, EXPLAIN, EXTEND,
FORCE, FORWARD, FUNCTION, HANDLER,
INCREMENT, INDEX, INHERITS, INSTEAD, ISNULL,
- LANCOMPILER, LIMIT, LISTEN, LOAD, LOCATION, LOCK_P,
+ LANCOMPILER, LIMIT, LISTEN, LOAD, LOCATION, LOCK_P, LOCKTABLE,
MAXVALUE, MINVALUE, MODE, MOVE,
- NEW, NOCREATEDB, NOCREATEUSER, NONE, NOTHING, NOTIFY, NOTNULL,
+ NEW, NOCREATEDB, NOCREATETABLE, NOCREATEUSER, NOLOCKTABLE, NONE, NOTHING, NOTIFY, NOTNULL,
OFFSET, OIDS, OPERATOR, PASSWORD, PROCEDURAL,
REINDEX, RENAME, RESET, RETURNS, ROW, RULE,
SEQUENCE, SERIAL, SETOF, SHARE, SHOW, START, STATEMENT, STDIN, STDOUT, SYSID,
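Review bot: CREATETABLE, LOCKTABLE, NOCREATETABLE and NOLOCKTABLE are added as tokens here and to ScanKeywords in keywords.c, but no hunk on this page adds them to a rule that lets a keyword be used as an identifier. If gram.y keeps such a list for words like CREATEDB and CREATEUSER, the four new words need to be in it too. Otherwise existing tables or columns named, say, `locktable` would stop parsing after this change.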
@@ -473,32 +474,37 @@ stmt : AlterTableStmt
*
*****************************************************************************/
-CreateUserStmt: CREATE USER UserId
- user_createdb_clause user_createuser_clause user_group_clause
+CreateUserStmt: CREATE USER UserId user_createdb_clause user_createuser_clause
+ user_createtable_clause user_locktable_clause user_group_clause
user_valid_clause
{
CreateUserStmt *n = makeNode(CreateUserStmt);
n->user = $3;
- n->sysid = -1;
+ n->sysid = -1;
n->password = NULL;
n->createdb = $4 == +1 ? true : false;
n->createuser = $5 == +1 ? true : false;
- n->groupElts = $6;
- n->validUntil = $7;
+ n->createtable = $6 == +1 ? true : false;
+ n->locktable = $7 == +1 ? true : false;
+ n->groupElts = $8;
+ n->validUntil = $9;
$$ = (Node *)n;
}
| CREATE USER UserId WITH sysid_clause user_passwd_clause
- user_createdb_clause user_createuser_clause user_group_clause
+ user_createdb_clause user_createuser_clause
+ user_createtable_clause user_locktable_clause user_group_clause
user_valid_clause
{
CreateUserStmt *n = makeNode(CreateUserStmt);
n->user = $3;
- n->sysid = $5;
+ n->sysid = $5;
n->password = $6;
n->createdb = $7 == +1 ? true : false;
n->createuser = $8 == +1 ? true : false;
- n->groupElts = $9;
- n->validUntil = $10;
+ n->createtable = $9 == +1 ? true : false;
+ n->locktable = $10 == +1 ? true : false;
+ n->groupElts = $11;
+ n->validUntil = $12;
$$ = (Node *)n;
}
;
@@ -510,27 +516,32 @@ CreateUserStmt: CREATE USER UserId
*
*****************************************************************************/
-AlterUserStmt: ALTER USER UserId user_createdb_clause
- user_createuser_clause user_valid_clause
+AlterUserStmt: ALTER USER UserId user_createdb_clause user_createuser_clause
+ user_createtable_clause user_locktable_clause user_valid_clause
{
AlterUserStmt *n = makeNode(AlterUserStmt);
n->user = $3;
n->password = NULL;
n->createdb = $4;
n->createuser = $5;
- n->validUntil = $6;
+ n->createtable = $6;
+ n->locktable = $7;
+ n->validUntil = $8;
$$ = (Node *)n;
}
| ALTER USER UserId WITH PASSWORD Sconst
- user_createdb_clause
- user_createuser_clause user_valid_clause
+ user_createdb_clause user_createuser_clause
+ user_createtable_clause user_locktable_clause
+ user_valid_clause
{
AlterUserStmt *n = makeNode(AlterUserStmt);
n->user = $3;
n->password = $6;
n->createdb = $7;
n->createuser = $8;
- n->validUntil = $9;
+ n->createtable = $9;
+ n->locktable = $10;
+ n->validUntil = $11;
$$ = (Node *)n;
}
;
@@ -573,6 +584,22 @@ user_createuser_clause: CREATEUSER { $$ = +1; }
| /*EMPTY*/ { $$ = 0; }
;
+user_createtable_clause: CREATETABLE { $$ = +1; }
+ | NOCREATETABLE { $$ = -1; }
+ | /*EMPTY*/ {
+ /* EMPTY is default = CREATETABLE */
+ $$ = +1;
+ }
+ ;
+
+user_locktable_clause: LOCKTABLE { $$ = +1; }
+ | NOLOCKTABLE { $$ = -1; }
+ | /*EMPTY*/ {
+ /* EMPTY is default = LOCKTABLE */
+ $$ = +1;
+ }
+ ;
+
user_list: user_list ',' UserId
{
$$ = lcons((void*)makeString($3), $1);
diff --git a/src/backend/parser/keywords.c b/src/backend/parser/keywords.c
index c6cc5ad9e93..ae7bf39f62b 100644
--- a/src/backend/parser/keywords.c
+++ b/src/backend/parser/keywords.c
@@ -9,9 +9,9 @@
*
* IDENTIFICATION
<<<<<<< keywords.c
- * $Header: /cvsroot/pgsql/src/backend/parser/keywords.c,v 1.74 2000/06/09 01:44:18 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/parser/keywords.c,v 1.75 2000/06/09 15:50:45 momjian Exp $
=======
- * $Header: /cvsroot/pgsql/src/backend/parser/keywords.c,v 1.74 2000/06/09 01:44:18 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/parser/keywords.c,v 1.75 2000/06/09 15:50:45 momjian Exp $
>>>>>>> 1.73
*
*-------------------------------------------------------------------------
@@ -75,6 +75,7 @@ static ScanKeyword ScanKeywords[] = {
{"copy", COPY},
{"create", CREATE},
{"createdb", CREATEDB},
+ {"createtable", CREATETABLE},
{"createuser", CREATEUSER},
{"cross", CROSS},
{"current_date", CURRENT_DATE},
@@ -155,6 +156,7 @@ static ScanKeyword ScanKeywords[] = {
{"local", LOCAL},
{"location", LOCATION},
{"lock", LOCK_P},
+ {"locktable", LOCKTABLE},
{"match", MATCH},
{"maxvalue", MAXVALUE},
{"minute", MINUTE_P},
@@ -170,7 +172,9 @@ static ScanKeyword ScanKeywords[] = {
{"next", NEXT},
{"no", NO},
{"nocreatedb", NOCREATEDB},
+ {"nocreatetable", NOCREATETABLE},
{"nocreateuser", NOCREATEUSER},
+ {"nolocktable", NOLOCKTABLE},
{"none", NONE},
{"not", NOT},
{"nothing", NOTHING},
diff --git a/src/backend/tcop/pquery.c b/src/backend/tcop/pquery.c
index aa2b8e2c06a..8fec7766a44 100644
--- a/src/backend/tcop/pquery.c
+++ b/src/backend/tcop/pquery.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/tcop/pquery.c,v 1.32 2000/06/04 22:08:53 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/tcop/pquery.c,v 1.33 2000/06/09 15:50:46 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -20,6 +20,9 @@
#include "executor/executor.h"
#include "tcop/pquery.h"
#include "utils/ps_status.h"
+#include "catalog/pg_shadow.h"
+#include "miscadmin.h"
+#include "utils/syscache.h"
static char *CreateOperationTag(int operationType);
static void ProcessQueryDesc(QueryDesc *queryDesc, Node *limoffset,
@@ -250,6 +253,23 @@ ProcessQueryDesc(QueryDesc *queryDesc, Node *limoffset, Node *limcount)
else if (parseTree->into != NULL)
{
/* select into table */
+
+ if (!parseTree->isTemp) {
+ HeapTuple tup;
+
+ /* ----------
+ * Check pg_shadow for global createTable setting
+ * ----------
+ */
+ tup = SearchSysCacheTuple(SHADOWNAME, PointerGetDatum(GetPgUserName()), 0, 0, 0);
+
+ if (!HeapTupleIsValid(tup))
+ elog(ERROR, "ProcessQueryDesc: look at pg_shadow failed");
+
+ if (!((Form_pg_shadow) GETSTRUCT(tup))->usecreatetable)
+ elog(ERROR, "SELECT INTO TABLE: permission denied");
+ }
+
isRetrieveIntoRelation = true;
}
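Review bot: The NOCREATETABLE test for SELECT INTO sits in ProcessQueryDesc, so it covers only queries that arrive through this function. If another execution path can run a query whose `into` is set (command.c in this commit includes `executor/spi.h`, for instance), that path would create the table without consulting `usecreatetable`. Placing the test next to the code that actually creates the INTO relation would cover every caller. The lookup-failure message also uses the function name (`ProcessQueryDesc: look at pg_shadow failed`) where the other two sites use the command name. ProcessQueryDesc continues outside the hunk.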