Discussion: pgsql: Reserve the "pg_" namespace for roles
Reserve the "pg_" namespace for roles

This will prevent users from creating roles which begin with "pg_" and
will check for those roles before allowing an upgrade using pg_upgrade.

This will allow for default roles to be provided at initdb time.

Reviews by José Luis Tallón and Robert Haas

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/293007898d3fa5a815c1c5814df53627553f114d

Modified Files
--------------
doc/src/sgml/ref/psql-ref.sgml | 8 ++++--
src/backend/catalog/aclchk.c | 7 +++++
src/backend/catalog/catalog.c | 5 ++--
src/backend/commands/alter.c | 3 ++
src/backend/commands/foreigncmds.c | 13 +++++++++
src/backend/commands/policy.c | 5 ++++
src/backend/commands/schemacmds.c | 4 +++
src/backend/commands/tablecmds.c | 2 ++
src/backend/commands/tablespace.c | 4 +++
src/backend/commands/user.c | 49 +++++++++++++++++++++++++++++++++
src/backend/commands/variable.c | 3 ++
src/backend/utils/adt/acl.c | 39 ++++++++++++++++++++++++++
src/bin/pg_dump/pg_dumpall.c | 11 +++++++-
src/bin/pg_upgrade/check.c | 40 +++++++++++++++++++++++++--
src/bin/psql/command.c | 4 +--
src/bin/psql/describe.c | 5 +++-
src/bin/psql/describe.h | 2 +-
src/bin/psql/help.c | 4 +--
src/include/utils/acl.h | 1 +
src/test/regress/expected/rolenames.out | 20 ++++++++++++++
src/test/regress/sql/rolenames.sql | 10 +++++++
21 files changed, 226 insertions(+), 13 deletions(-)

On Fri, Apr 8, 2016 at 08:56:34PM +0000, Stephen Frost wrote:
> Reserve the "pg_" namespace for roles
>
> This will prevent users from creating roles which begin with "pg_" and
> will check for those roles before allowing an upgrade using pg_upgrade.
>
> This will allow for default roles to be provided at initdb time.

Nice you added the check to pg_upgrade, but I assume a pg_dumpall
restore is going to fail pretty badly, e.g. any pg_* object assignment
will fail. I guess there isn't much we can do to fix that.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +

Bruce,
On Friday, April 29, 2016, Bruce Momjian <bruce@momjian.us> wrote:
> On Fri, Apr 8, 2016 at 08:56:34PM +0000, Stephen Frost wrote:
> > Reserve the "pg_" namespace for roles
> >
> > This will prevent users from creating roles which begin with "pg_" and
> > will check for those roles before allowing an upgrade using pg_upgrade.
> >
> > This will allow for default roles to be provided at initdb time.
>
> Nice you added the check to pg_upgrade, but I assume a pg_dumpall
> restore is going to fail pretty badly, e.g. any pg_* object assignment
> will fail. I guess there isn't much we can do to fix that.
The pg_dumpall will work but will throw a warning. A restore will fail to recreate any pg_* roles and there could be follow-on errors from that, of course.
I had pg_dumpall throw an error initially, but based on discussion that was considered too harsh.
Thanks!
Stephen

On Fri, Apr 29, 2016 at 08:05:15AM -0400, Stephen Frost wrote:
> Bruce,
>
> On Friday, April 29, 2016, Bruce Momjian <bruce@momjian.us> wrote:
>
> > On Fri, Apr 8, 2016 at 08:56:34PM +0000, Stephen Frost wrote:
> > > Reserve the "pg_" namespace for roles
> > >
> > > This will prevent users from creating roles which begin with "pg_" and
> > > will check for those roles before allowing an upgrade using pg_upgrade.
> > >
> > > This will allow for default roles to be provided at initdb time.
> >
> > Nice you added the check to pg_upgrade, but I assume a pg_dumpall
> > restore is going to fail pretty badly, e.g. any pg_* object assignment
> > will fail. I guess there isn't much we can do to fix that.
>
> The pg_dumpall will work but will throw a warning. A restore will fail to
> recreate any pg_* roles and there could be follow-on errors from that, of
> course.

OK, good --- that's the best we can do.

> I had pg_dumpall throw an error initially, but based on discussion that was
> considered too harsh.

OK.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
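
As an added illustration of the restore behaviour discussed in this thread (not code from the commit or from either poster): a pre-restore scan of a pg_dumpall globals script that lists the CREATE ROLE statements naming pg_* roles and the ALTER ROLE / GRANT statements that depend on them. The statement shapes matched, the function names and the sample dump are assumptions constructed for the example.

```python
import re

# One SQL identifier: "quoted" (with "" as an escaped quote) or a bare word.
IDENT = r'("(?:[^"]|"")+"|[A-Za-z_][A-Za-z0-9_$]*)'
STMT = re.compile(
    rf'^\s*(?:(CREATE|ALTER)\s+ROLE\s+{IDENT}|GRANT\s+{IDENT}\s+TO\s+{IDENT})',
    re.IGNORECASE)

def role_name(token):
    """Resolve an identifier token to the role name the server would see."""
    if token.startswith('"'):
        return token[1:-1].replace('""', '"')  # quoted: case is preserved
    return token.lower()                        # unquoted: folded to lower case

def scan_globals(sql_text):
    """Return (line_no, kind, role) for each statement touching a pg_* role.
    kind is 'create' for the role itself, 'follow-on' for dependent statements."""
    findings = []
    for line_no, line in enumerate(sql_text.splitlines(), start=1):
        m = STMT.match(line)
        if not m:
            continue
        verb, role, granted, grantee = m.groups()
        if verb:
            names = [role_name(role)]
            kind = "create" if verb.upper() == "CREATE" else "follow-on"
        else:  # GRANT <role> TO <role>: either side may be a pg_* role
            names = [role_name(granted), role_name(grantee)]
            kind = "follow-on"
        for name in names:
            # Assumption: the reserved prefix is the exact lower-case "pg_".
            if name.startswith("pg_"):
                findings.append((line_no, kind, name))
    return findings

# Constructed sample in the shape of a pg_dumpall globals script.
SAMPLE_DUMP = '''\
CREATE ROLE app_owner;
ALTER ROLE app_owner WITH NOSUPERUSER LOGIN;
CREATE ROLE pg_reports;
ALTER ROLE pg_reports WITH NOSUPERUSER NOLOGIN;
CREATE ROLE "PG_Legacy";
GRANT pg_reports TO app_owner GRANTED BY postgres;
'''

if __name__ == "__main__":
    for line_no, kind, role in scan_globals(SAMPLE_DUMP):
        print(f"line {line_no}: {kind}: {role}")
```

Renaming the roles it reports on the source cluster before dumping avoids both the failed CREATE ROLE and the follow-on errors at restore time.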