On Mon, Sep 15, 2014 at 1:33 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: > Peter Eisentraut <pete...@gmx.net> writes: >> On 9/1/14 7:51 AM, Kyotaro HORIGUCHI wrote: >>> The attached patch simply changes the context for local_... to >>> PGC_USERSET and edits the doc. > >> I had this ready to commit, but then > >> Invent PGC_SU_BACKEND and mark log_connections/log_disconnections >> that way. > >> was committed in the meantime. > >> Does this affect what we should do with this change? > >> I guess one thing to look into would be whether we could leave >> local_preload_libraries as PGC_BACKEND and change >> session_preload_libraries to PGC_SU_BACKEND, and then investigate >> whether we could allow settings made with ALTER ROLE / SET to change >> PGC_BACKEND settings. > > Yeah, I was wondering about that while I was making the other commit. > I did not touch those variables at the time, but it would make sense > to restrict them as you suggest.
+1 Also I think that it's useful to allow ALTER ROLE/DATABASE SET to set PGC_BACKEND and PGC_SU_BACKEND parameters. So, what about applying the attached patch? This patch allows that and changes the context of session_preload_libraries to PGC_SU_BACKEND. Regards, -- Fujii Masao
*** a/doc/src/sgml/config.sgml --- b/doc/src/sgml/config.sgml *************** *** 6260,6266 **** SET XML OPTION { DOCUMENT | CONTENT }; <listitem> <para> This variable specifies one or more shared libraries that are to be ! preloaded at connection start. Only superusers can change this setting. The parameter value only takes effect at the start of the connection. Subsequent changes have no effect. If a specified library is not found, the connection attempt will fail. --- 6260,6267 ---- <listitem> <para> This variable specifies one or more shared libraries that are to be ! preloaded at connection start. Only superusers can change this setting ! at session start. The parameter value only takes effect at the start of the connection. Subsequent changes have no effect. If a specified library is not found, the connection attempt will fail. *** a/src/backend/utils/misc/guc.c --- b/src/backend/utils/misc/guc.c *************** *** 2892,2898 **** static struct config_string ConfigureNamesString[] = }, { ! {"session_preload_libraries", PGC_SUSET, CLIENT_CONN_PRELOAD, gettext_noop("Lists shared libraries to preload into each backend."), NULL, GUC_LIST_INPUT | GUC_LIST_QUOTE | GUC_SUPERUSER_ONLY --- 2892,2898 ---- }, { ! {"session_preload_libraries", PGC_SU_BACKEND, CLIENT_CONN_PRELOAD, gettext_noop("Lists shared libraries to preload into each backend."), NULL, GUC_LIST_INPUT | GUC_LIST_QUOTE | GUC_SUPERUSER_ONLY *************** *** 5756,5762 **** set_config_option(const char *name, const char *value, else if (context != PGC_POSTMASTER && context != PGC_BACKEND && context != PGC_SU_BACKEND && ! source != PGC_S_CLIENT) { ereport(elevel, (errcode(ERRCODE_CANT_CHANGE_RUNTIME_PARAM), --- 5756,5766 ---- else if (context != PGC_POSTMASTER && context != PGC_BACKEND && context != PGC_SU_BACKEND && ! source != PGC_S_CLIENT && ! source != PGC_S_DATABASE_USER && ! source != PGC_S_USER && ! source != PGC_S_DATABASE && ! source != PGC_S_GLOBAL) { ereport(elevel, (errcode(ERRCODE_CANT_CHANGE_RUNTIME_PARAM), *************** *** 8820,8827 **** validate_option_array_item(const char *name, const char *value, * There are three cases to consider: * * name is a known GUC variable. Check the value normally, check ! * permissions normally (ie, allow if variable is USERSET, or if it's ! * SUSET and user is superuser). * * name is not known, but exists or can be created as a placeholder (i.e., * it has a prefixed name). We allow this case if you're a superuser, --- 8824,8831 ---- * There are three cases to consider: * * name is a known GUC variable. Check the value normally, check ! * permissions normally (ie, allow if variable is USERSET/BACKEND, ! * or if it's SUSET/SU_BACKEND and user is superuser). * * name is not known, but exists or can be created as a placeholder (i.e., * it has a prefixed name). We allow this case if you're a superuser, *************** *** 8861,8877 **** validate_option_array_item(const char *name, const char *value, } /* manual permissions check so we can avoid an error being thrown */ ! if (gconf->context == PGC_USERSET) /* ok */ ; ! else if (gconf->context == PGC_SUSET && superuser()) /* ok */ ; else if (skipIfNoPermissions) return false; /* if a permissions error should be thrown, let set_config_option do it */ ! /* test for permissions and valid option value */ (void) set_config_option(name, value, ! superuser() ? PGC_SUSET : PGC_USERSET, PGC_S_TEST, GUC_ACTION_SET, false, 0); return true; --- 8865,8888 ---- } /* manual permissions check so we can avoid an error being thrown */ ! if (gconf->context == PGC_USERSET || gconf->context == PGC_BACKEND) /* ok */ ; ! else if ((gconf->context == PGC_SUSET || ! gconf->context == PGC_SU_BACKEND) && ! superuser()) /* ok */ ; else if (skipIfNoPermissions) return false; /* if a permissions error should be thrown, let set_config_option do it */ ! /* ! * Test for permissions and valid option value. Use PGC_BACKEND or ! * PGC_SU_BACKEND as the context so that this test can validate ! * PGC_USERSET, PGC_SUSET, PGC_BACKEND and PGC_SU_BACKEND ! * parameters. ! */ (void) set_config_option(name, value, ! superuser() ? PGC_SU_BACKEND : PGC_BACKEND, PGC_S_TEST, GUC_ACTION_SET, false, 0); return true; *** a/src/bin/psql/tab-complete.c --- b/src/bin/psql/tab-complete.c *************** *** 560,565 **** static const SchemaQuery Query_for_list_of_matviews = { --- 560,573 ---- " UNION ALL SELECT 'all') ss "\ " WHERE substring(name,1,%d)='%s'" + #define Query_for_list_of_set_vars_in_db_role \ + "SELECT name FROM "\ + " (SELECT pg_catalog.lower(name) AS name FROM pg_catalog.pg_settings "\ + " WHERE context IN ('user', 'superuser', 'backend', 'superuser-backend')"\ + " UNION ALL SELECT 'tablespace' "\ + " UNION ALL SELECT 'all') ss "\ + " WHERE substring(name,1,%d)='%s'" + #define Query_for_list_of_show_vars \ "SELECT name FROM "\ " (SELECT pg_catalog.lower(name) AS name FROM pg_catalog.pg_settings "\ *************** *** 3385,3390 **** psql_completion(const char *text, int start, int end) --- 3393,3403 ---- /* SET, RESET, SHOW */ /* Complete with a variable name */ + else if ((pg_strcasecmp(prev_wd, "SET") == 0 || + pg_strcasecmp(prev_wd, "RESET") == 0) && + (pg_strcasecmp(prev3_wd, "DATABASE") == 0 || + pg_strcasecmp(prev3_wd, "ROLE") == 0)) + COMPLETE_WITH_QUERY(Query_for_list_of_set_vars_in_db_role); else if ((pg_strcasecmp(prev_wd, "SET") == 0 && pg_strcasecmp(prev3_wd, "UPDATE") != 0) || pg_strcasecmp(prev_wd, "RESET") == 0) *** a/src/test/regress/expected/alter_generic.out --- b/src/test/regress/expected/alter_generic.out *************** *** 679,681 **** drop cascades to text search parser alt_ts_prs2 --- 679,699 ---- DROP USER regtest_alter_user1; DROP USER regtest_alter_user2; DROP USER regtest_alter_user3; + -- + -- Text ALTER ROLE SET + -- + CREATE ROLE settest_alter_user NOSUPERUSER; + ALTER ROLE settest_alter_user SET enable_bitmapscan TO off; -- OK + ALTER ROLE settest_alter_user SET log_disconnections TO on; -- OK + ALTER ROLE settest_alter_user SET log_checkpoints TO on; -- failed + ERROR: parameter "log_checkpoints" cannot be changed now + SET SESSION AUTHORIZATION settest_alter_user; + ALTER ROLE settest_alter_user SET log_connections TO on; -- failed + ERROR: permission denied to set parameter "log_connections" + SELECT rolconfig FROM pg_roles WHERE rolname = current_user; + rolconfig + ----------------------------------------------- + {enable_bitmapscan=off,log_disconnections=on} + (1 row) + + \c - *** a/src/test/regress/sql/alter_generic.sql --- b/src/test/regress/sql/alter_generic.sql *************** *** 553,555 **** DROP SCHEMA alt_nsp2 CASCADE; --- 553,568 ---- DROP USER regtest_alter_user1; DROP USER regtest_alter_user2; DROP USER regtest_alter_user3; + + -- + -- Text ALTER ROLE SET + -- + + CREATE ROLE settest_alter_user NOSUPERUSER; + ALTER ROLE settest_alter_user SET enable_bitmapscan TO off; -- OK + ALTER ROLE settest_alter_user SET log_disconnections TO on; -- OK + ALTER ROLE settest_alter_user SET log_checkpoints TO on; -- failed + SET SESSION AUTHORIZATION settest_alter_user; + ALTER ROLE settest_alter_user SET log_connections TO on; -- failed + SELECT rolconfig FROM pg_roles WHERE rolname = current_user; + \c -
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers