Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-12-16 Thread Dimitri Fontaine
Hi, Kohei KaiGai kai...@kaigai.gr.jp writes: The attached patches are revised ones. I added explanations of DDL permissions on creation time added by these patches, and added a few regression test cases. The whole patches are now against contrib/sepgsql, which seems to me to be a good news,

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-12-16 Thread Greg Smith
On 12/16/2011 11:58 AM, Dimitri Fontaine wrote: The whole patches are now against contrib/sepgsql, which seems to me to be a good news, but means I'm not skilled to help review further. I'm unsure about marking that as “ready for commiter” but I'm definitely done myself. Robert already

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-12-03 Thread Kohei KaiGai
2011/12/3 Robert Haas robertmh...@gmail.com: On Fri, Dec 2, 2011 at 6:52 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote: At least, it is working. However, it is not a perfect solution to the future updates of code paths in the core. Hmm.  So, do you want this committed?  If so, I think the major

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-12-02 Thread Kohei KaiGai
I tried to implement remaining portion of the object creation permission patches using this approach; that temporary saves contextual information using existing ProcessUtility hook and ExecutorStart hook. It likely works fine towards my first problem; system catalog entry does not have all the

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-12-02 Thread Robert Haas
On Fri, Dec 2, 2011 at 6:52 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote: At least, it is working. However, it is not a perfect solution to the future updates of code paths in the core. Hmm. So, do you want this committed? If so, I think the major thing it lacks is documentation. I can't help

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-29 Thread Kohei KaiGai
2011/11/28 Dimitri Fontaine dimi...@2ndquadrant.fr: Kohei KaiGai kai...@kaigai.gr.jp writes: I found up a similar idea that acquires control on ProcessUtility_hook and save necessary contextual information on auto variable then kicks the original ProcessUtility_hook, then it reference the

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-28 Thread Kohei KaiGai
2011/11/27 Dimitri Fontaine dimi...@2ndquadrant.fr: And, it seems to me the current proposition of the command trigger does not support to fire triggers on creation of databases, although permission checks requires Oid of source database that is not also appeared in pg_database catalog. I

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-28 Thread Dimitri Fontaine
Kohei KaiGai kai...@kaigai.gr.jp writes: How does it inherit an opaque private initialized at BEFORE trigger to AFTER trigger? I checked your patch, however, it seems to me it does not have a mechanism to deliver something between BEFORE and AFTER. Right, there's no such facility provided in

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-28 Thread Kohei KaiGai
2011/11/28 Dimitri Fontaine dimi...@2ndquadrant.fr: Kohei KaiGai kai...@kaigai.gr.jp writes: How does it inherit an opaque private initialized at BEFORE trigger to AFTER trigger? I checked your patch, however, it seems to me it does not have a mechanism to deliver something between BEFORE and

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-28 Thread Dimitri Fontaine
Kohei KaiGai kai...@kaigai.gr.jp writes: I found up a similar idea that acquires control on ProcessUtility_hook and save necessary contextual information on auto variable then kicks the original ProcessUtility_hook, then it reference the contextual information from object_access_hook. In this

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-27 Thread Kohei KaiGai
2011/11/26 Dimitri Fontaine dimi...@2ndquadrant.fr: Kohei KaiGai kai...@kaigai.gr.jp writes: We still don't have clear direction of the way to implement external permission checks on object creation time. So, please consider these patches are on the proof-of-concept stage; using

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-27 Thread Dimitri Fontaine
Kohei KaiGai kai...@kaigai.gr.jp writes: I wonder if you could implement that as an extension given the command trigger patch finds its way in.  What do you think? Unfortunately, it does not solve my point. [...] It is also reason why I mentioned about an idea that put prep-creation hook

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-27 Thread Kohei KaiGai
2011/11/27 Dimitri Fontaine dimi...@2ndquadrant.fr: Kohei KaiGai kai...@kaigai.gr.jp writes: I wonder if you could implement that as an extension given the command trigger patch finds its way in.  What do you think? Unfortunately, it does not solve my point. [...] It is also reason why I

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-27 Thread Dimitri Fontaine
Kohei KaiGai kai...@kaigai.gr.jp writes: Sorry, it does not cover all the code paths that I want to apply permission checks around creation of new tables. The existing DAC checks permission on creation of new tables at DefineRelation() and OpenIntoRel(), and sepgsql also wants to follow this

Re: [HACKERS] Prep object creation hooks, and related sepgsql updates

2011-11-26 Thread Dimitri Fontaine
Kohei KaiGai kai...@kaigai.gr.jp writes: We still don't have clear direction of the way to implement external permission checks on object creation time. So, please consider these patches are on the proof-of-concept stage; using prep-creation-hook to permission checks. I wonder if you could