-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.87 2006/03/10 19:10:47 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.88 2006/04/30 02:09:06 momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
Multiple user names can be supplied by separating them with commas.
A separate file containing user names can be specified by preceding the
file name with <literal>@</>.
+ User and group connectivity can also be restricted by <command>GRANT
+ CONNECTION ON DATABASE</>.
</para>
</listitem>
</varlistentry>
<!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.52 2006/02/14 03:32:14 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.53 2006/04/30 02:09:06 momjian Exp $
PostgreSQL documentation
-->
ON SEQUENCE <replaceable class="PARAMETER">sequencename</replaceable> [, ...]
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
-GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
+GRANT { { CREATE | TEMPORARY | TEMP | CONNECTION } [,...] | ALL [ PRIVILEGES ] }
ON DATABASE <replaceable>dbname</replaceable> [, ...]
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>CONNECTION</term>
+ <listitem>
+ <para>
+ Allows the ability to connect to the specified database.
+ By default, Grant permissions allow users to connect to any database,
+ though <filename>pg_hba.conf</> can add additional connection
+ restrictions.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>TEMPORARY</term>
<term>TEMP</term>
X -- EXECUTE
U -- USAGE
C -- CREATE
+ c -- CONNECTION
T -- TEMPORARY
arwdRxt -- ALL PRIVILEGES (for tables)
* -- grant option for preceding privilege
<!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.36 2006/01/21 02:16:18 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.37 2006/04/30 02:09:06 momjian Exp $
PostgreSQL documentation
-->
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
- { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
+ { { CREATE | TEMPORARY | TEMP | CONNECTION } [,...] | ALL [ PRIVILEGES ] }
ON DATABASE <replaceable>dbname</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.125 2006/03/05 15:58:22 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.126 2006/04/30 02:09:07 momjian Exp $
*
* NOTES
* See acl.h.
return ACL_CREATE_TEMP;
if (strcmp(privname, "temp") == 0)
return ACL_CREATE_TEMP;
+ if (strcmp(privname, "connection") == 0)
+ return ACL_CONNECT;
ereport(ERROR,
(errcode(ERRCODE_SYNTAX_ERROR),
errmsg("unrecognized privilege type \"%s\"", privname)));
return "CREATE";
case ACL_CREATE_TEMP:
return "TEMP";
+ case ACL_CONNECT:
+ return "CONNECTION";
default:
elog(ERROR, "unrecognized privilege: %d", (int) privilege);
}
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.131 2006/03/05 15:58:40 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.132 2006/04/30 02:09:07 momjian Exp $
*
*-------------------------------------------------------------------------
*/
case ACL_CREATE_TEMP_CHR:
read = ACL_CREATE_TEMP;
break;
+ case ACL_CONNECT_CHR:
+ read = ACL_CONNECT;
+ break;
default:
ereport(ERROR,
(errcode(ERRCODE_INVALID_TEXT_REPRESENTATION),
owner_default = ACL_ALL_RIGHTS_SEQUENCE;
break;
case ACL_OBJECT_DATABASE:
- world_default = ACL_CREATE_TEMP; /* not NO_RIGHTS! */
+ world_default = ACL_CREATE_TEMP | ACL_CONNECT; /* not NO_RIGHTS! */
owner_default = ACL_ALL_RIGHTS_DATABASE;
break;
case ACL_OBJECT_FUNCTION:
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.162 2006/03/29 21:17:39 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.163 2006/04/30 02:09:07 momjian Exp $
*
*
*-------------------------------------------------------------------------
static bool FindMyDatabase(const char *name, Oid *db_id, Oid *db_tablespace);
-static void ReverifyMyDatabase(const char *name);
+static void ReverifyMyDatabase(const char *name, const char *user_name);
static void InitCommunication(void);
static void ShutdownPostgres(int code, Datum arg);
static bool ThereIsAtLeastOneRole(void);
* during session startup, this place is also fitting to set up any
* database-specific configuration variables.
*/
+
static void
-ReverifyMyDatabase(const char *name)
+ReverifyMyDatabase(const char *name, const char *user_name)
{
Relation pgdbrel;
SysScanDesc pgdbscan;
(errcode(ERRCODE_TOO_MANY_CONNECTIONS),
errmsg("too many connections for database \"%s\"",
name)));
+
+ /*
+ * Checking for privilege to connect to the database
+ * We want to bypass the test if we are running in bootstrap mode
+ */
+ if (!IsBootstrapProcessingMode())
+ {
+ if(pg_database_aclcheck(MyDatabaseId,GetUserId()
+ ,ACL_CONNECT) != ACLCHECK_OK )
+ {
+ ereport(FATAL,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("couldn't connect to database %s", NameStr(dbform->datname)),
+ errdetail("User %s doesn't have the CONNECTION privilege for database %s.",
+ user_name, NameStr(dbform->datname))));
+ }
+ }
}
/*
* superuser, so the above stuff has to happen first.)
*/
if (!bootstrap)
- ReverifyMyDatabase(dbname);
+ ReverifyMyDatabase(dbname,username);
/*
* Final phase of relation cache startup: write a new cache file if
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/catalog/catversion.h,v 1.326 2006/04/26 22:33:13 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/catalog/catversion.h,v 1.327 2006/04/30 02:09:07 momjian Exp $
*
*-------------------------------------------------------------------------
*/
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 200604262
+#define CATALOG_VERSION_NO 200604291
#endif
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/nodes/parsenodes.h,v 1.308 2006/04/27 00:33:46 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/nodes/parsenodes.h,v 1.309 2006/04/30 02:09:07 momjian Exp $
*
*-------------------------------------------------------------------------
*/
#define ACL_USAGE (1<<8) /* for languages and namespaces */
#define ACL_CREATE (1<<9) /* for namespaces and databases */
#define ACL_CREATE_TEMP (1<<10) /* for databases */
-#define N_ACL_RIGHTS 11 /* 1 plus the last 1<<x */
+#define ACL_CONNECT (1<<11) /* for database connection privilege */
+#define N_ACL_RIGHTS 12 /* 1 plus the last 1<<x */
#define ACL_NO_RIGHTS 0
/* Currently, SELECT ... FOR UPDATE/FOR SHARE requires UPDATE privileges */
#define ACL_SELECT_FOR_UPDATE ACL_UPDATE
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.93 2006/03/05 15:59:06 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.94 2006/04/30 02:09:07 momjian Exp $
*
* NOTES
* An ACL array is simply an array of AclItems, representing the union
#define ACL_USAGE_CHR 'U'
#define ACL_CREATE_CHR 'C'
#define ACL_CREATE_TEMP_CHR 'T'
+#define ACL_CONNECT_CHR 'c'
/* string holding all privilege code chars, in order by bitmask position */
-#define ACL_ALL_RIGHTS_STR "arwdRxtXUCT"
+#define ACL_ALL_RIGHTS_STR "arwdRxtXUCTc"
/*
* Bitmasks defining "all rights" for each supported object type
*/
#define ACL_ALL_RIGHTS_RELATION (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_RULE|ACL_REFERENCES|ACL_TRIGGER)
#define ACL_ALL_RIGHTS_SEQUENCE (ACL_USAGE|ACL_SELECT|ACL_UPDATE)
-#define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP)
+#define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT )
#define ACL_ALL_RIGHTS_FUNCTION (ACL_EXECUTE)
#define ACL_ALL_RIGHTS_LANGUAGE (ACL_USAGE)
#define ACL_ALL_RIGHTS_NAMESPACE (ACL_USAGE|ACL_CREATE)
projects / postgresql.git / commitdiff