Обсуждение: A Question about InvokeObjectPostAlterHook

On Tue, Apr 18, 2023 at 09:51:30AM +0800,  Legs Mansion wrote:
> Recently, I ran into a problem, InvokeObjectPostAlterHook was
> implemented for sepgsql, sepgsql use it to determine whether to
> check permissions during certain operations.  But
> InvokeObjectPostAlterHook doesn't handle all of the alter's
> behavior, at least the table is not controlled. e.g., ALTER
> TABLE... ENABLE/DISABLE ROW LEVEL SECURITY，ALTER TABLE ... DISABLE
> TRIGGER, GRANT and REVOKE and so on.
> Whether InvokeObjectPostAlterHook is not fully controlled? it's
> a bug?

Yes, tablecmds.c has some holes and these are added when there is a
ask for it, as far as I recall.  In some cases, these locations can be
tricky to add, so usually they require an independent analysis.  For
example, EnableDisableTrigger() has one AOT for the trigger itself,
but not for the relation changed in tablecmds.c, as you say, anyway we
should be careful with cross-dependencies.

Note that 90efa2f has made the tests for OATs much easier, and there
is no need to rely only on sepgsql for that.  (Even if test_oat_hooks
has been having some stability issues with namespace lookups because
of the position on the namespace search hook.)

Also, the additions of InvokeObjectPostAlterHook() are historically
conservative because they create behavior changes in stable branches,
meaning no backpatch.  See a995b37 or 7b56584 as past examples, for
example.

Note that the development of PostgreSQL 16 has just finished, so now
may not be the best moment to add these extra AOT calls, but these
could be added in 17~ for sure at the beginning of July once the next
development cycle begins.

Attached would be what I think would be required to add OATs for RLS,
triggers and rules, for example.  There are much more of these at
quick glance, still that's one step in providing more checks.  Perhaps
you'd like to expand this patch with more ALTER TABLE subcommands
covered?
--
Michael

On Fri, Apr 21, 2023 at 04:16:10PM +0800,  Legs Mansion wrote:
> actually, some location can be tricky to add.
> it looks like CREATE, but it’s actually ALTER, should call
> InvokeObjectPostAlterHook instead
> of InvokeObjectPostCreateHook? eg.,CREATE OR REPLACE, CREATE
> TYPE(perfecting shell type)

Sure, it could be possible to plaster more of these depending on the
control one may want with OATs.  Coming back to the main you point of
the thread you were making, what are the use cases with ALTER TABLE
you were interested in for sepgsql on top of what the patch I sent
upthread is doing?

Note that it is perfectly fine to do the changes incrementally, though
I'd rather add some proper coverage for each one of them using the
module I've patched (sepgsql's tests are annoying to setup and run).
--
Michael

On Tue, Apr 18, 2023 at 01:34:00PM +0900, Michael Paquier wrote:
> Note that the development of PostgreSQL 16 has just finished, so now
> may not be the best moment to add these extra AOT calls, but these
> could be added in 17~ for sure at the beginning of July once the next
> development cycle begins.

The OAT hooks are added in ALTER TABLE for the following subcommands:
- { ENABLE | DISABLE | [NO] FORCE } ROW LEVEL SECURITY
- { ENABLE | DISABLE } TRIGGER
- { ENABLE | DISABLE } RULE

> Attached would be what I think would be required to add OATs for RLS,
> triggers and rules, for example.  There are much more of these at
> quick glance, still that's one step in providing more checks.  Perhaps
> you'd like to expand this patch with more ALTER TABLE subcommands
> covered?

Now that we are at the middle of the development cycle of 17~, it is
time to come back to this one (it was registered in the CF, but I did
not come back to it).  Would there be any objections if I apply this
patch with its tests?  This would cover most of the ground requested
by Legs at the start of this thread.

(The patch had one diff because of a namespace lookup not happening
anymore, so rebased.)
--
Michael