GRANT/REVOKE column-level privileges

Started by kevin brintnall almost 20 years ago, 4 messages
#1 kevin brintnall
kbrint@rufus.net

Has anyone else taken a look at this? I thought I'd play around with the
system catalog and see if I couldn't put an ACL column into pg_attribute:

It ended up generating the following BKI line:

insert ( 1249 attacl 1034 -1 -1 18 1 -1 -1 f x i f f f t 0 _null_ )

And the ROW certainly appears to be in pg_attribute:

template1=# select * from pg_attribute where attrelid=1249 and attnum=18;
-[ RECORD 1 ]-+-------
attrelid | 1249
attname | attacl
atttypid | 1034
attstattarget | -1
attlen | -1
attnum | 18
attndims | 1
attcacheoff | -1
atttypmod | -1
attbyval | f
attstorage | x
attalign | i
attnotnull | f
atthasdef | f
attisdropped | f
attislocal | t
attinhcount | 0

^^^^ no attacl column though!

However, the COLUMN doesn't appear to the parser:

kbrint@[local]/test=# select attacl from pg_attribute;
ERROR: column "attacl" does not exist

-----------------------------------------------------------------

For better or worse, I tried the idea from pg_class where the attacl[]
comes at the end of the CATALOG(pg_attribute):

*** include/catalog/pg_attribute.h      15 Oct 2005 02:49:42 -0000      1.119
--- include/catalog/pg_attribute.h      13 Jan 2006 09:29:06 -0000
***************
*** 37,44 ****
--- 37,50 ----
   *
   *            If you change the following, make sure you change the structs for
   *            system attributes in catalog/heap.c also.
   * ----------------
+  *            This structure is actually variable-length (the last attribute is
+  *            a POSTGRES array).      Hence, sizeof(FormData_pg_attribute) does not
+  *            necessarily match the actual length of the structure.  Furthermore
+  *            attacl may be a NULL field.  Hence, you MUST use heap_getattr()
+  *            to get the attacl field ... and don't forget to check isNull.
+  * ----------------
   */
  #define AttributeRelationId  1249
  CATALOG(pg_attribute,1249) BKI_BOOTSTRAP BKI_WITHOUT_OIDS
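
Review bot: the added comment in the 37,50 block says sizeof(FormData_pg_attribute) no longer matches the tuple length but does not tell the reader what to use instead; name ATTRIBUTE_TUPLE_SIZE there as the size of the fixed part. The retained sentence just above still sends readers to catalog/heap.c for the system-attribute structs, so the comment should also state how those structs are expected to treat attacl (left out, or stored as NULL), since nothing in the visible hunks covers it.
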
***************
*** 148,161 ****
--- 154,174 ----
        bool            attislocal;
        /* Number of times inherited from direct parent relation(s) */
        int4            attinhcount;
+ 
+       /*
+        * attacl may or may not be present, see note above!
+        */
+       aclitem         attacl[1];              /* we declare this just for the catalog */
+ 
  } FormData_pg_attribute;

/*
* someone should figure out how to do this properly. (The problem is
* the size of the C struct is not the same as the size of the tuple
* because of alignment padding at the end of the struct.)
+ * This includes only the fixed part of the tuple (not the attacl).
*/
#define ATTRIBUTE_TUPLE_SIZE \
(offsetof(FormData_pg_attribute,attinhcount) + sizeof(int4))
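
Review bot: declaring "aclitem attacl[1];" as a real struct member in the 154,174 block lets code reach attacl through a struct pointer into a tuple that was sized with ATTRIBUTE_TUPLE_SIZE, which still ends at attinhcount, so such a read runs past the stored data. The member comment "attacl may or may not be present, see note above!" should say outright that the field must never be accessed through the struct and is only reachable via heap_getattr() with the isNull check. The new member also enlarges sizeof(FormData_pg_attribute) by one aclitem, so any code that sizes a copy or allocation with sizeof rather than ATTRIBUTE_TUPLE_SIZE should be audited as part of this change.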

-----------------------------------------------------------------

What is causing the parser not to be able to see that attacl is a valid
column? Have I missed something in the relcache? Or is the pg_class hack
(with its relacl[] on the end of the struct) truly not going to work with
pg_attribute?

Ideas?

--
kevin brintnall =~ <kbrint@rufus.net>

#2 Martijn van Oosterhout
kleptog@svana.org
In reply to: kevin brintnall (#1)
Re: GRANT/REVOKE column-level privileges

On Fri, Jan 13, 2006 at 03:37:32AM -0600, kevin brintnall wrote:

> Has anyone else taken a look at this? I thought I'd play around with the
> system catalog and see if I couldn't put an ACL column into pg_attribute:
>
> It ended up generating the following BKI line:
>
> insert ( 1249 attacl 1034 -1 -1 18 1 -1 -1 f x i f f f t 0 _null_ )

Umm, yes. You also need to add the column to the contents of
pg_attribute, give the attribute a number, increase the number of
attributes as stored in pg_class, update the #define that gives the
attribute count, change the macro that gives the size of the
pg_attribute structure (ATTRIBUTE_TUPLE_SIZE) and update all the places
that create the structure to store a null or something else in that
column.

At that, I think I missed some steps but this should get you a bit
further...

Good luck!
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/

Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
tool for doing 5% of the work and then sitting around waiting for someone
else to do the other 95% so you can sue them.

#3 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Martijn van Oosterhout (#2)
Re: GRANT/REVOKE column-level privileges

Martijn van Oosterhout <kleptog@svana.org> writes:

> Umm, yes. You also need to add the column to the contents of
> pg_attribute, give the attribute a number, increase the number of
> attributes as stored in pg_class, update the #define that gives the
> attribute count, change the macro that gives the size of the
> pg_attribute structure (ATTRIBUTE_TUPLE_SIZE) and update all the places
> that create the structure to store a null or something else in that
> column.
>
> At that, I think I missed some steps but this should get you a bit
> further...

It'd be worthwhile to look into the CVS history to study past commits
that have added columns to pg_attribute. Adding columns to any of
the core system catalogs is generally a PITA ... not impossible,
but there are plenty of details to take care of.

regards, tom lane

#4 kevin brintnall
kbrint@rufus.net
In reply to: Tom Lane (#3)
Re: GRANT/REVOKE column-level privileges

On Fri, Jan 13, 2006 at 10:04:10AM -0500, Tom Lane wrote:

> Martijn van Oosterhout <kleptog@svana.org> writes:
>
>> Umm, yes. You also need to add the column to the contents of
>> pg_attribute, give the attribute a number, increase the number of
>> attributes as stored in pg_class, update the #define that gives the
>> attribute count, change the macro that gives the size of the
>> pg_attribute structure (ATTRIBUTE_TUPLE_SIZE) and update all the places
>> that create the structure to store a null or something else in that
>> column.

I did all that, with the exception of the relnatts entry in pg_class. I
omitted my full diff for brevity.

>> At that, I think I missed some steps but this should get you a bit
>> further...
>
> It'd be worthwhile to look into the CVS history to study past commits
> that have added columns to pg_attribute. Adding columns to any of
> the core system catalogs is generally a PITA ... not impossible,
> but there are plenty of details to take care of.

Thank you. That is a good suggestion.

--
kevin brintnall =~ <kbrint@rufus.net>