I've observed the behavior of column-level privileges and
required permissions with a few elog()s injected.
I noticed rte->selectedCols is incorrect when we make a query
on inherited tables.
See below:
-------------------------------------------------
postgres=# CREATE TABLE t1 (a int, b int, c int);
CREATE TABLE
postgres=# ALTER TABLE t1 DROP COLUMN b;
ALTER TABLE
postgres=# CREATE TABLE t2 (d int) inherits (t1);
CREATE TABLE
postgres=# SELECT * FROM t1;
NOTICE: markRTEForSelectPriv: ACL_SELECT on t1.a
NOTICE: markRTEForSelectPriv: ACL_SELECT on t1.c
NOTICE: ExecCheckRTEPerms: ACL_SELECT on t1 perms = 0000 inh = 1
NOTICE: ExecCheckRTEPerms: selectedCols: t1.a
NOTICE: ExecCheckRTEPerms: selectedCols: t1.c
NOTICE: ExecCheckRTEPerms: ACL_SELECT on t1 perms = 0002 inh = 0
NOTICE: ExecCheckRTEPerms: selectedCols: t1.a
NOTICE: ExecCheckRTEPerms: selectedCols: t1.c
NOTICE: ExecCheckRTEPerms: ACL_SELECT on t2 perms = 0002 inh = 0
NOTICE: ExecCheckRTEPerms: selectedCols: t2.a
NOTICE: ExecCheckRTEPerms: selectedCols: t2.d <--- (*)a | c
---+---
(0 rows)
-------------------------------------------------
I injected elog() at the head of ExecCheckRTEPerms() to print requiredPerms
and all the columns on selectedCols/modifiedCols.
It seems to me the current implementation assumes the parant table and
child table have same set of attribute name/number pair, but incorrect.
It is necessary to lookup attribute names of "t2" when we extract
inherited tables.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>