Quick coding question with acl fixes

Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:

If I have the nspForm variable (which is a Form_pg_namespace) struct
pointer, then how do I check if the nspacl field is default (ie.
"NULL"). This is so I can avoid running DatumGetAclP on it, which seems
to cause alloc error reports.

Best practice is to use SysCacheGetAttr if you are dealing with a row
from cache or heap_getattr if it's from a table scan. For instance
in aclchk.c there is

aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple,
Anum_pg_namespace_nspacl,
&isNull);
if (isNull)
old_acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId);
else
/* get a detoasted copy of the ACL */
old_acl = DatumGetAclPCopy(aclDatum);

When I run through the acl changing all references from the old owner to
the new owner, should I combine the resulting acls if possible? Because
if the new owner already has some acls on that item, they will end up
with two acls.

If possible ... how painful would it be to do?

regards, tom lane

Tom Lane <tgl@sss.pgh.pa.us> writes:

Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:

When I run through the acl changing all references from the old owner to
the new owner, should I combine the resulting acls if possible? Because
if the new owner already has some acls on that item, they will end up
with two acls.

If possible ... how painful would it be to do?

Actually it looks like you'd better, because for example aclupdate
assumes there's only one entry for a given grantor/grantee pair.

BTW, are you sure Fabien did not already solve this problem in his
pending patch?

regards, tom lane

If possible ... how painful would it be to do?

I'm yet to do that part, so I guess I'll find out.

Actually it looks like you'd better, because for example aclupdate
assumes there's only one entry for a given grantor/grantee pair.

OK, many thanks for the prompt reply :)

BTW, are you sure Fabien did not already solve this problem in his
pending patch?

You mean schema ownership? I thought that was just upon the first
connection to a database or something? I'm using schemas as my first
case for fixing OWNER TO commands and acls...

Chris

Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:

BTW, are you sure Fabien did not already solve this problem in his
pending patch?

You mean schema ownership? I thought that was just upon the first
connection to a database or something?

Yeah, but the point was that he was doing an ALTER OWNER and needed to
fix the ACL to match. I thought he claimed to have written the needed
subroutine. I have not yet looked at his patch though.

regards, tom lane

Yeah, but the point was that he was doing an ALTER OWNER and needed to
fix the ACL to match. I thought he claimed to have written the needed
subroutine. I have not yet looked at his patch though.

I think Fabien's owner changing routine will end up being a strict
subset of my routine. I think his just happens to only work on the
newly created public and info_schema in a new db. It's not complex
enough to work on arbitrary acls. Also, his needs to work as a public
SQL function:

+ /* acl acl_switch_grantor(acl, oldgrantor, newgrantor);
+  * switch grantor id in aclitem array.
+  * used internally for fixing owner rights in new databases.
+  * must be STRICT.
+  */
+ Datum acl_switch_grantor(PG_FUNCTION_ARGS)
+ {
+ 	Acl * acls = PG_GETARG_ACL_P_COPY(0);
+ 	int i,
+ 		old_grantor = PG_GETARG_INT32(1),
+ 		new_grantor = PG_GETARG_INT32(2);
+ 	AclItem * item;
+
+ 	for (i=0, item=ACL_DAT(acls); i<ACL_NUM(acls); i++, item++)
+ 		if (item->ai_grantor == old_grantor)
+ 			item->ai_grantor = new_grantor;
+
+ 	PG_RETURN_ACL_P(acls);
+ }

Chris

When I run through the acl changing all references from the old owner to
the new owner, should I combine the resulting acls if possible? Because
if the new owner already has some acls on that item, they will end up
with two acls.

If possible ... how painful would it be to do?

I'm pretty close to finishing this. Just applying it to all the
acl'able objects atm. It's a pain when you can only find 15 mins every
other day to work on it :(

Chris