arkhipov / acl Goto Github PK
View Code? Open in Web Editor NEWAccess Control Lists (ACL) PostgreSQL Extension
License: BSD 2-Clause "Simplified" License
acl's People
Contributors
Stargazers
Watchers
Forkers
mlt akorsukov mariomka zerojuls chri-s zdenekhbr emrul ganielinn cuulee nikatov bookvik postgraphdbacl's Issues
Indexing ACL columns?
Does anyone have experience of indexing the ACL columns using GIN/GIST indexes?
Wrong ACE_ALL_TYPES_STR in acl.c
static char ace_type_chars[] =
{
'a', // ACCESS_ALLOWED
'd' // ACCESS_DENIED
};
#define ACE_ALL_TYPES_STR "adi"
compatible with 9.6 / 10?
I didn't test it yet, but can we use this extension with postgres 9.6 (and/or the 10 beta release)
Reason for static Oid get_role_oid in acl_oid.c?
First of all: I'm no expert in C.
I tried to compile acl for PostgreSQL 11 on Windows 10 and FreeBSD 11.2. Windows 10 was no problem, but compiling it on FreeBSD 11.2 gave this error:
acl_oid.c:66:12: error: static declaration of 'get_role_oid' follows non-static declaration
static Oid get_role_oid(const char *name, bool missing_ok);
^
/usr/local/include/postgresql/server/utils/acl.h:212:12: note: previous declaration is here
extern Oid get_role_oid(const char *rolename, bool missing_ok);
^
acl_oid.c:390:5: error: static declaration of 'get_role_oid' follows non-static declaration
Oid get_role_oid(const char *name, bool missing_ok)
^
/usr/local/include/postgresql/server/utils/acl.h:212:12: note: previous declaration is here
extern Oid get_role_oid(const char *rolename, bool missing_ok);
^
2 errors generated.
gmake: *** [<builtin>: acl_oid.o] Error 1
After some googling I found that this was a warning in earlier compiler versions and now this is an error which blocks compliation. The used compiler is "FreeBSD clang version 6.0.0 (tags/RELEASE_600/final 326565) (based on LLVM 6.0.0)".
This is the function get_role_oid in acl:
Lines 389 to 401 in a22179c
I found that a function with the same name and same code is included in PostgreSQL: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/utils/adt/acl.c;hb=refs/heads/REL_11_STABLE#l5184
/*
* get_role_oid - Given a role name, look up the role's OID.
*
* If missing_ok is false, throw an error if role name not found. If
* true, just return InvalidOid.
*/
Oid
get_role_oid(const char *rolname, bool missing_ok)
{
Oid oid;
oid = GetSysCacheOid1(AUTHNAME, CStringGetDatum(rolname));
if (!OidIsValid(oid) && !missing_ok)
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
errmsg("role \"%s\" does not exist", rolname)));
return oid;
}
I removed the function get_role_oid in acl_oid.c and the declaration in line 66. It compiles and passes the tests.
Since it works and the function does the same as the function from PostgreSQL, is it safe to do this and can the function perhaps be removed in the repository?
Please consider updating for PG15
Namely the subj.
TIA
Inheritance problem
I need to inherit permissions in three or more levels. If a user has access to level 1 then can access to all levels, if has access to level 2 then can access to level 3 and following. Something like:
The when I add or update acl of Level 1 it is propagated through the children using acl_merge, the problem is that I don't know how to propagate successfully in this case because if I set container parameter to true "i" flag is added and acl isn't applied but if I set container to false level 2 receive acl without 'o' and 'c' flags then next levels don't inherit the permissions.
Example:
Container paramerter is true:
Level 1: {a/oc/1=r}
Level 2: {a/hcoi/1=r} result of acl_merge('{a/oc/1=r}'::ACE_INT8[], '{}', true, true)
Level 3+: {a/hcoi/1=r} result of acl_merge('{a/hcoi/1=r}'::ACE_INT8[], '{}', true, true)
Container paramerter is false:
Level 1: {a/oc/1=r}
Level 2+: {a/h/1=r} result of acl_merge('{a/oc/1=r}'::ACE_INT8[], '{}', false, true)
Level 3+: {} result of acl_merge('{a/h/1=r}'::ACE_INT8[], '{}', false, true)
How can I deal with this problem?
compiled version
Can you release a compiled version?
suggestion, option to use ACL-JSON
the ACL field (an array) can be represented (map) in JSON schema as jsonschema-acl or similar.. since pg9.5 we have all "JSON algebra" (or JSONb) to implement it.
Installation using pgxn fails on MacOS for PG 12
Tried to install using pgxn install acl. This fails with the following error.
Am I missing something?
$ pgxn install acl
INFO: best version: acl 1.0.2
INFO: saving /var/folders/qq/hkfz9ql503b0k9k8vrj48n8w0000gn/T/tmpzm99e1k6/acl-1.0.2.zip
INFO: unpacking: /var/folders/qq/hkfz9ql503b0k9k8vrj48n8w0000gn/T/tmpzm99e1k6/acl-1.0.2.zip
INFO: building extension
clang -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Werror=vla -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -Wno-unused-command-line-argument -O2 -Wall -I. -I./ -I/usr/local/include/postgresql/server -I/usr/local/include/postgresql/internal -I/usr/local/Cellar/icu4c/67.1/include -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -I/usr/local/opt/[email protected]/include -I/usr/local/opt/readline/include -c -o acl.o acl.c
clang -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Werror=vla -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -Wno-unused-command-line-argument -O2 -Wall -I. -I./ -I/usr/local/include/postgresql/server -I/usr/local/include/postgresql/internal -I/usr/local/Cellar/icu4c/67.1/include -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -I/usr/local/opt/[email protected]/include -I/usr/local/opt/readline/include -c -o acl_oid.o acl_oid.c
acl_oid.c:66:12: error: static declaration of 'get_role_oid' follows non-static
declaration
static Oid get_role_oid(const char *name, bool missing_ok);
^
/usr/local/include/postgresql/server/utils/acl.h:214:12: note: previous
declaration is here
extern Oid get_role_oid(const char *rolename, bool missing_ok);
^
acl_oid.c:390:5: error: static declaration of 'get_role_oid' follows non-static
declaration
Oid get_role_oid(const char *name, bool missing_ok)
^
/usr/local/include/postgresql/server/utils/acl.h:214:12: note: previous
declaration is here
extern Oid get_role_oid(const char *rolename, bool missing_ok);
^
acl_oid.c:394:55: error: too few arguments provided to function-like macro
invocation
oid = GetSysCacheOid1(AUTHNAME, CStringGetDatum(name));
^
/usr/local/include/postgresql/server/utils/syscache.h:192:9: note: macro
'GetSysCacheOid1' defined here
#define GetSysCacheOid1(cacheId, oidcol, key1) \
^
acl_oid.c:394:8: error: use of undeclared identifier 'GetSysCacheOid1'; did you
mean 'GetSysCacheOid'?
oid = GetSysCacheOid1(AUTHNAME, CStringGetDatum(name));
^~~~~~~~~~~~~~~
GetSysCacheOid
/usr/local/include/postgresql/server/utils/syscache.h:142:12: note:
'GetSysCacheOid' declared here
extern Oid GetSysCacheOid(int cacheId, AttrNumber oidcol,
^
acl_oid.c:394:6: warning: incompatible pointer to integer conversion assigning
to 'Oid' (aka 'unsigned int') from 'Oid (int, AttrNumber, Datum, Datum,
Datum, Datum)' (aka 'unsigned int (int, short, unsigned long, unsigned
long, unsigned long, unsigned long)') [-Wint-conversion]
oid = GetSysCacheOid1(AUTHNAME, CStringGetDatum(name));
^ ~~~~~~~~~~~~~~~
1 warning and 4 errors generated.
make: *** [acl_oid.o] Error 1
ERROR: command returned 2: make PG_CONFIG=/usr/local/bin/pg_config allAccess violation (acl_entry_base->type = 0)
Hey! I'm trying to run this extension on Windows. I ported some changes we made to temporal_tables to automate builds. Here it the temporary AppVeyor project setup. There are regression test problems (disregard "green" status). The source as of now comes from my msvc branch.
Also I tried to execute SELECT '{a/i/postgres=rwd, d//user=r, a//=r}'::ace[]; from the readme. However it fails with the following stacktrace:
> acl.dll!format_acl_entry(StringInfoData * out, __int64 opaque, AclEntryBase * acl_entry_base, void(*)(StringInfoData *, __int64) format_who) Line 258 C
acl.dll!ace_out(FunctionCallInfoData * fcinfo) Line 91 C
postgres.exe!FunctionCall1Coll(FmgrInfo * flinfo, unsigned int collation, unsigned __int64 arg1) Line 1300 C
postgres.exe!OutputFunctionCall(FmgrInfo * flinfo, unsigned __int64 val) Line 1952 C
postgres.exe!array_out(FunctionCallInfoData * fcinfo) Line 1132 C
postgres.exe!FunctionCall1Coll(FmgrInfo * flinfo, unsigned int collation, unsigned __int64 arg1) Line 1300 C
postgres.exe!OutputFunctionCall(FmgrInfo * flinfo, unsigned __int64 val) Line 1952 C
postgres.exe!printtup(TupleTableSlot * slot, _DestReceiver * self) Line 360 C
postgres.exe!ExecutePlan(EState * estate, PlanState * planstate, CmdType operation, char sendTuples, long numberTuples, ScanDirection direction, _DestReceiver * dest) Line 1581 C
postgres.exe!standard_ExecutorRun(QueryDesc * queryDesc, ScanDirection direction, long count) Line 348 C
postgres.exe!PortalRunSelect(PortalData * portal, char forward, long count, _DestReceiver * dest) Line 943 C
postgres.exe!PortalRun(PortalData * portal, long count, char isTopLevel, _DestReceiver * dest, _DestReceiver * altdest, char * completionTag) Line 793 C
postgres.exe!exec_simple_query(const char * query_string) Line 1111 C
postgres.exe!PostgresMain(int argc, char * * argv, const char * dbname, const char * username) Line 4032 C
postgres.exe!BackendRun(Port * port) Line 4240 C
postgres.exe!SubPostmasterMain(int argc, char * * argv) Line 4731 C
postgres.exe!main(int argc, char * * argv) Line 216 C
[External Code]
It tries to access max int element from ace_type_chars as type is equal to zero.
Updated builds for Windows x64 with PostgreSQL > 9.6
Given that the "pgxnclient install" method doesn't work under Windows OS, it would be great if there were pre-built binaries available for a more recent release of PostgreSQL (like v12.5, and v13).
Or is there another better suggestion for handling more advanced ACLs in these newer versions?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.