Kurt Roeckx wrote:
Hi,
Has anyone tried to use the huge tlb support of the Linux 2.6 kernel?
If you compile the kernel with support for it (CONFIG_HUGETLBFS), you
can call shmget() with a SHM_HUGETLB parameter so that it will use
larger pages.
Has anyone tried to use it? Is it worth trying to
[4/4] - sepostgresql-policy-8.4devel-3.patch
This patch gives us the default security policy for SE-PostgreSQL.
You can build it as a security policy module. It can be linked with
the existing distributor's policy, and reloaded.
--
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL
[3/4] - sepostgresql-pg_dump-8.4devel-3.patch
This patch gives us a feature to dump database with security attribute.
It is turned on with '--enable-selinux' option at pg_dump/pg_dumpall,
when the server works as SE- version.
No need to say, users need to have enough capabilities to dump whole of
It seems to me some of SE-PostgreSQL patches are not delivered yet,
although [3/4] and [4/4] were already done.
Does anti-spam system caught my previous three messages?
If necessary, I will send them again.
Thanks,
Kohei KaiGai wrote:
The series of patches are the proposal of Security-Enhanced
The series of patches are the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
[1/4] sepostgresql-pgace-8.4devel-3.patch
provides PGACE (PostgreSQL Access Control Extension) framework
[2/4]
[2/4] - sepostgresql-sepgsql-8.4devel-3.patch.gz
This patch provides SE-PostgreSQL facilities based on PGACE.
Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
built in PostgreSQL, to provide system-wide consistency in access
controls. It enables to apply a single unigied
Zdenek Kotala wrote:
Kohei KaiGai napsal(a):
It seems to me some of SE-PostgreSQL patches are not delivered yet,
although [3/4] and [4/4] were already done.
Does anti-spam system caught my previous three messages?
If necessary, I will send them again.
There is a file size limitation
2011/12/22 Robert Haas robertmh...@gmail.com:
On Mon, Dec 12, 2011 at 12:00 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
The v8.option-2 add checks around examine_simple_variable, and
prevent to reference statistical data, if Var node tries to reference
relation with security-barrier attribute
2011/12/23 Robert Haas robertmh...@gmail.com:
On Fri, Dec 23, 2011 at 5:56 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I'd like the regression test on select_view test being committed also
to detect unexpected changed in the future. How about it?
Can you resend that as a separate patch? I
I guess you concerned about that expected/select_views_1.out is
patched, not expected/select_views.out.
I'm not sure the reason why regression test script tries to make diff
between results/select_views and expected/select_views_1.out.
select_views.out and select_views_1.out are alternate
This patch adds a new GUC sepgsql.client_label that allows client
process to switch its privileges into another one, as long as the
system security policy admits this transition.
Because of this feature, I ported two permissions from process class
of SELinux; setcurrent and dyntransition. The
2012/1/17 Robert Haas robertmh...@gmail.com:
On Tue, Jan 10, 2012 at 7:51 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
The attached patch adds OAT_DROP object-access-hook around permission
checks of object deletion.
Due to the previous drop statement reworks, the number of places to
put
2012/1/19 Robert Haas robertmh...@gmail.com:
On Wed, Jan 18, 2012 at 9:50 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
In sepgsql side, it determines a case to apply permission checks
according to the contextual information; that is same technique
when we implemented create permission.
Thus
2012/1/19 Robert Haas robertmh...@gmail.com:
On Thu, Jan 19, 2012 at 3:51 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
2012/1/19 Robert Haas robertmh...@gmail.com:
On Wed, Jan 18, 2012 at 9:50 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
In sepgsql side, it determines a case to apply permission
2012/1/21 Jeff Janes jeff.ja...@gmail.com:
On Tue, Jan 17, 2012 at 7:08 PM, Robert Haas robertmh...@gmail.com wrote:
On Sun, Jan 8, 2012 at 10:32 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I guess you concerned about that expected/select_views_1.out is
patched, not expected/select_views.out
Hi,
I tried to implement a fdw module that is designed to utilize GPU
devices to execute
qualifiers of sequential-scan on foreign tables managed by this module.
It was named PG-Strom, and the following wikipage gives a brief
overview of this module.
http://wiki.postgresql.org/wiki/PGStrom
2012/1/23 Robert Haas robertmh...@gmail.com:
On Sun, Jan 22, 2012 at 10:48 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I tried to implement a fdw module that is designed to utilize GPU
devices to execute
qualifiers of sequential-scan on foreign tables managed by this module.
It was named PG
2012/1/23 Simon Riggs si...@2ndquadrant.com:
On Sun, Jan 22, 2012 at 3:48 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I tried to implement a fdw module that is designed to utilize GPU
devices to execute
qualifiers of sequential-scan on foreign tables managed by this module.
It was named PG
2012/1/26 Robert Haas robertmh...@gmail.com:
I'm wondering if a function would be a better fit than a GUC. I don't
think you can really restrict the ability to revert a GUC change -
i.e. if someone does a SET and then a RESET, you pretty much have to
allow that. I think. But if you expose a
2012/1/26 Robert Haas robertmh...@gmail.com:
On Thu, Jan 26, 2012 at 7:27 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
It seems to me reasonable design.
The attached patch is rebased one according to your perform-deletion patch.
That looks pretty sensible. But I don't think this is true any
2012/1/26 Robert Haas robertmh...@gmail.com:
On Thu, Jan 26, 2012 at 2:07 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
2012/1/26 Robert Haas robertmh...@gmail.com:
I'm wondering if a function would be a better fit than a GUC. I don't
think you can really restrict the ability to revert a GUC
2012/1/28 Kohei KaiGai kai...@kaigai.gr.jp:
2012/1/26 Robert Haas robertmh...@gmail.com:
On Thu, Jan 26, 2012 at 2:07 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
2012/1/26 Robert Haas robertmh...@gmail.com:
I'm wondering if a function would be a better fit than a GUC. I don't
think you can
Hi Harada-san,
I checked the fdw_helper_funcs_v3.patch, pgsql_fdw_v5.patch and
pgsql_fdw_pushdown_v1.patch. My comments are below.
[BUG]
Even though pgsql_fdw tries to push-down qualifiers being executable
on the remove side at the deparseSql(), it does not remove qualifiers
being pushed down
2012年2月1日12:15 Shigeru Hanada shigeru.han...@gmail.com:
(2012/01/30 4:39), Kohei KaiGai wrote:
I checked the fdw_helper_funcs_v3.patch, pgsql_fdw_v5.patch and
pgsql_fdw_pushdown_v1.patch. My comments are below.
Thanks for the review!
[BUG]
Even though pgsql_fdw tries to push-down
2012/2/13 Greg Smith g...@2ndquadrant.com:
On 02/11/2012 08:14 PM, Gaetano Mendola wrote:
The trend is to have server capable of running CUDA providing GPU via
external hardware (PCI Express interface with PCI Express switches), look
for example at PowerEdge C410x PCIe Expansion Chassis from
2012/2/14 Robert Haas robertmh...@gmail.com:
On Mon, Feb 13, 2012 at 7:51 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I rebased the patch due to the updates of pg_proc.h.
Please see the newer one. Thanks,
Thanks, committed. I think, though, that some further adjustment is
needed here
2012/2/14 Robert Haas robertmh...@gmail.com:
On Tue, Feb 14, 2012 at 4:55 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I could not find out where is the origin of grammer conflicts, although
it does not conflict with any options within ALTER FUNCTION.
Do you think the idea of ALTER
The attached patch is additional regression tests of ALTER FUNCTION with
LEAKPROOF based on your patch.
It also moves create_function_3 into the group with create_aggregate and so on.
Thanks,
2012/2/14 Kohei KaiGai kai...@kaigai.gr.jp:
2012/2/14 Robert Haas robertmh...@gmail.com:
On Tue, Feb
Harada-san,
I checked the v9 patch, however, it still has some uncertain implementation.
[memory context of tuple store]
It calls tuplestore_begin_heap() under the memory context of
festate-scan_cxt at pgsqlBeginForeignScan.
On the other hand, tuplestore_gettupleslot() is called under the
memory
for the review. Attached patches are revised version, though
only fdw_helper_v5.patch is unchanged.
(2012/02/16 0:09), Kohei KaiGai wrote:
[memory context of tuple store]
It calls tuplestore_begin_heap() under the memory context of
festate-scan_cxt at pgsqlBeginForeignScan.
Yes, it's because tuplestore
2012年2月16日13:41 Shigeru Hanada shigeru.han...@gmail.com:
Kaigai-san,
Thanks for the review. Attached patches are revised version, though
only fdw_helper_v5.patch is unchanged.
(2012/02/16 0:09), Kohei KaiGai wrote:
[memory context of tuple store]
It calls tuplestore_begin_heap() under
2012年2月17日6:08 Shigeru Hanada shigeru.han...@gmail.com:
(2012/02/17 2:02), Kohei KaiGai wrote:
I found a strange behavior with v10. Is it available to reproduce?
snip
I tried to raise an error on remote side.
postgres=# select * FROM ftbl WHERE 100 / (a - 3) 0;
The connection
2012/2/20 Yeb Havinga yebhavi...@gmail.com:
On 2012-02-05 10:09, Kohei KaiGai wrote:
The attached part-1 patch moves related routines from hooks.c to label.c
because of references to static variables. The part-2 patch implements above
mechanism.
I took a short look at this patch but am
2012/2/24 Yeb Havinga yebhavi...@gmail.com:
On 2012-02-23 12:17, Kohei KaiGai wrote:
2012/2/20 Yeb Havingayebhavi...@gmail.com:
So maybe this is because my start domain is not s0-s0:c0.c1023
However, when trying to run bash or psql in domain
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0
2012年2月28日12:00 Shigeru Hanada shigeru.han...@gmail.com:
(2012/02/28 18:08), Thom Brown wrote:
If that's something that will likely be introduced in future, then
surely we'd want to keep the tableoid column rather than removing it
then re-introducing it later?
As background knowledge,
2012/2/24 Yeb Havinga yebhavi...@gmail.com:
On 2012-02-24 15:17, Yeb Havinga wrote:
I don't know what's fishy about the mgrid user and root that causes
c0.c1023 to be absent.
more info:
In shells started in a x environment under Xvnc, id -Z shows the system_u
and c0.c1023 absent.
In
value.
Most of comments update are quite helpful for me.
So, I merged your revised one in this patch.
Thanks so much!
2012/3/3 Yeb Havinga yebhavi...@gmail.com:
On 2012-02-24 17:25, Yeb Havinga wrote:
On 2012-02-23 12:17, Kohei KaiGai wrote:
2012/2/20 Yeb Havingayebhavi...@gmail.com:
On 2012
2012/3/6 Alvaro Herrera alvhe...@commandprompt.com:
It seems to me that the only thing that needs core support is the
ability to start up the daemon when postmaster is ready to accept
queries, and shut the daemon down when postmaster kills backends (either
because one crashed, or because it's
2012/3/9 Robert Haas robertmh...@gmail.com:
On Tue, Mar 6, 2012 at 9:14 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
[ new patch ]
Are we absolutely certain that we want the semantics of
sepgsql_setcon() to be transactional? Because if we made them
non-transactional, this would be a whole
2012/3/11 Yeb Havinga yebhavi...@gmail.com:
On 2012-03-10 10:39, I wrote:
I can probably write some docs tomorrow.
Attached is v5 of the patch, with is exactly equal to v4 but with added
documentation.
Thanks for your dedicated volunteer. I'm under checking of the updates
at
2012/3/12 Robert Haas robertmh...@gmail.com:
On Mon, Mar 12, 2012 at 10:58 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
It is a practical reason. In case when httpd open the connection to PG and
set a suitable security label according to the given credential prior to
launch
of user
2012/3/12 Robert Haas robertmh...@gmail.com:
On Mon, Mar 12, 2012 at 11:13 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
2012/3/12 Robert Haas robertmh...@gmail.com:
On Mon, Mar 12, 2012 at 10:58 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
It is a practical reason. In case when httpd open
2012/3/12 Robert Haas robertmh...@gmail.com:
On Mon, Mar 12, 2012 at 12:30 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
Suppose that the connection starts out in context connection_pooler_t.
Based on the identity of the user, we transition to foo_t, bar_t, or
baz_t. If it's possible, by any
2011/1/22 Robert Haas robertmh...@gmail.com:
On Fri, Jan 21, 2011 at 10:46 AM, Tom Lane t...@sss.pgh.pa.us wrote:
Robert Haas robertmh...@gmail.com writes:
On Fri, Jan 21, 2011 at 9:55 AM, Tom Lane t...@sss.pgh.pa.us wrote:
ALTER FUNCTION is supposed to cause plan invalidation in such a case.
2011/1/22 Robert Haas robertmh...@gmail.com:
On Fri, Jan 21, 2011 at 9:55 AM, Tom Lane t...@sss.pgh.pa.us wrote:
Robert Haas robertmh...@gmail.com writes:
For that matter, I wonder what happens with regular function
permissions. If the plan inlines the function and then somebody goes
and
2012/10/22 Alvaro Herrera alvhe...@2ndquadrant.com:
Here's an updated version of this patch, which also works in
an EXEC_BACKEND environment. (I haven't tested this at all on Windows,
but I don't see anything that would create a portability problem there.)
I also tried to check the latest
2012/11/16 Albe Laurenz laurenz.a...@wien.gv.at:
Kohei KaiGai wrote:
The attached patch is just a refreshed version for clean applying to
the latest tree.
As previous version doing, it makes pseudo enhancement on file_fdw
to print something about the supplied tuple on INSERT, UPDATE
Hi Dimitri,
Thanks for your checks.
2012/11/19 Dimitri Fontaine dimi...@2ndquadrant.fr:
Kohei KaiGai kai...@kaigai.gr.jp writes:
The attached patch is the revised version of ALTER RENAME TO
consolidation. According to the previous suggestion, it uses
a common logic to check object-naming
2012/11/19 Dimitri Fontaine dimi...@2ndquadrant.fr:
Kohei KaiGai kai...@kaigai.gr.jp writes:
OK, Are you suggesting to add a generic comments such as Generic
function to change the name of a given object, for simple cases ...,
not a list of OBJECT_* at the head of this function, aren't you
2012/11/19 Albe Laurenz laurenz.a...@wien.gv.at:
Kohei KaiGai wrote:
I am not so happy with GetForeignRelInfo:
- The name seems ill-chosen from the FDW API side.
I guess that you chose the name because the function
is called from get_relation_info, but I think the name
should be more
, Kohei KaiGai kai...@kaigai.gr.jp wrote:
Isn't it possible to pick-up only columns to be used in targetlist or
local qualifiers,
without modification of baserestrictinfo?
IMO, it's possible. postgres_fdw doesn't modify baserestrictinfo at all; it
just create two new lists which exclusively
2012/11/19 Alvaro Herrera alvhe...@2ndquadrant.com:
Kohei KaiGai wrote:
Sorry, I missed the attached version.
Please use this revision.
All those direct uses of object_access_hook make me think that the
InvokeObjectAccessHook() macro we have is insufficient. Maybe we could
have
2012/11/20 Albe Laurenz laurenz.a...@wien.gv.at:
Kohei KaiGai wrote:
This design tries to kill two-birds with one-stone.
It enables to add multiple number of pseudo-columns,
not only rowid, and makes possible to push-down
complex calculation of target list into external computing
resource
The second hunk to alter.c does not apply anymore; please rebase.
OK,
Oops, I assumed the patch for ALTER RENAME TO reworks. Sorry.
2012/11/20 Alvaro Herrera alvhe...@2ndquadrant.com:
Kohei KaiGai wrote:
I'd like to have catalog/objectaccess.c to wrap-up invocation of hooks,
rather
than
2012/11/21 Shigeru Hanada shigeru.han...@gmail.com:
Thank for the comment!
On Tue, Nov 20, 2012 at 10:23 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I also think the new use_remote_explain option is good. It works fine
when we try to use this fdw over the network with latency more or less
2012/11/22 Shigeru Hanada shigeru.han...@gmail.com:
After playing with some big SQLs for testing, I came to feel that
showing every remote query in EXPLAIN output is annoying, especially
when SELECT * is unfolded to long column list.
AFAIK no plan node shows so many information in a line, so
2012/11/21 Alvaro Herrera alvhe...@2ndquadrant.com:
Alvaro Herrera escribió:
FWIW I have pushed this to github; see
https://github.com/alvherre/postgres/compare/bgworker
It's also attached.
The UnBlockSig stuff is the main stumbling block as I see it because it
precludes compilation on
2012/11/21 Shigeru Hanada shigeru.han...@gmail.com:
Thank for the comment!
On Tue, Nov 20, 2012 at 10:23 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I also think the new use_remote_explain option is good. It works fine
when we try to use this fdw over the network with latency more or less
2012/11/28 Shigeru Hanada shigeru.han...@gmail.com:
On Sun, Nov 25, 2012 at 5:24 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I checked the v4 patch, and I have nothing to comment anymore.
So, could you update the remaining EXPLAIN with VERBOSE option
stuff?
Thanks for the review. Here
2012/11/28 Kohei KaiGai kai...@kaigai.gr.jp:
it is reasonable. So, postgre_fdw is OK for me. pgsql_fdw is also welcome.
Sorry, s/postgre_fdw/postgres_fdw/g
Thanks,
--
KaiGai Kohei kai...@kaigai.gr.jp
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes
2012/11/30 Dimitri Fontaine dimi...@2ndquadrant.fr:
Andres Freund and...@2ndquadrant.com writes:
One of the uses for bgworkers that don't have shmem connection is to
have them use libpq connections instead. I don't really see the point
of forcing everyone to use backend connections when libpq
2012/11/30 Dimitri Fontaine dimi...@2ndquadrant.fr:
Kohei KaiGai kai...@kaigai.gr.jp writes:
One thing we have to pay attention is, the backend code cannot distinguish
connection from pgworker via libpq from other regular connections, from
perspective of access control.
Even if we implement
2012/11/30 Markus Wanner mar...@bluegap.ch:
On 11/30/2012 03:16 PM, Kohei KaiGai wrote:
This feature does not enforce them to implement with this new framework.
If they can perform as separate daemons, it is fine enough.
I'm not clear on what exactly you envision, but if a process needs
2012/12/3 Robert Haas robertmh...@gmail.com:
On Tue, Nov 20, 2012 at 8:43 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
I'd like to have catalog/objectaccess.c to wrap-up invocation of hooks,
rather
than doing all the stuffs with macros. It allows to use local variables,
unlike
macros
2012/12/3 Robert Haas robertmh...@gmail.com:
On Sat, Dec 1, 2012 at 2:57 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
* Do we need OAT_POST_ALTER hook even if no fields were updated
actually? In case when ALTER SET OWNER, it checks object's ownership
only when current and new user-id
2012/12/3 David Fetter da...@fetter.org:
On Sun, Nov 25, 2012 at 03:20:28PM +0100, Kohei KaiGai wrote:
However, UPDATE / DELETE support is not perfect right now.
In case when we try to update / delete a table with inherited
children and RETURNING clause was added, is loses right
Thanks for your reviewing in spite of large number of lines.
My comments are below.
2012/12/4 Simon Riggs si...@2ndquadrant.com:
Patch looks good and also like it will/can be ready for 9.3. I'm happy
to put time into this as committer and/or reviewer and take further
responsibility for it,
2012/12/7 Simon Riggs si...@2ndquadrant.com:
On 5 December 2012 11:16, Kohei KaiGai kai...@kaigai.gr.jp wrote:
* TRUNCATE works, and allows you to remove all rows of a table, even
ones you can't see to run a DELETE on. Er...
It was my oversight. My preference is to rewrite TRUNCATE command
2012/12/7 Simon Riggs si...@2ndquadrant.com:
On 5 December 2012 11:16, Kohei KaiGai kai...@kaigai.gr.jp wrote:
Oracle defaults to putting VPD on all event types: INSERT, UPDATE,
DELETE, SELECT. ISTM we should be doing the same, not just say we can
add an INSERT trigger if you want.
Adding
2012/12/9 Simon Riggs si...@2ndquadrant.com:
On 9 December 2012 06:08, Kohei KaiGai kai...@kaigai.gr.jp wrote:
2012/12/7 Simon Riggs si...@2ndquadrant.com:
On 5 December 2012 11:16, Kohei KaiGai kai...@kaigai.gr.jp wrote:
* TRUNCATE works, and allows you to remove all rows of a table, even
2012/12/11 Robert Haas robertmh...@gmail.com:
On Mon, Dec 3, 2012 at 9:59 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
As we discussed before, it is hard to determine which attributes shall
be informed to extension via object_access_hook, so the proposed
post-alter hook (that allows to compare
2012/12/12 Tom Lane t...@sss.pgh.pa.us:
Simon Riggs si...@2ndquadrant.com writes:
Currently, ANALYZE collects data on all columns and stores these
samples in pg_statistic where they can be seen via the view pg_stats.
Only if you have appropriate privileges.
In some cases we have data that
?
I'm very excited about this feature, thank you for making this possible.
Regards,
--
Ronan Dunklau
2012/12/14 Albe Laurenz laurenz.a...@wien.gv.at
Kohei KaiGai wrote:
I came up with one more query that causes a problem:
[...]
This causes a deadlock, but one that is not detected
2012/12/20 Stephen Frost sfr...@snowman.net:
Kevin, all,
* Kevin Grittner (kgri...@mail.com) wrote:
The more secure behavior is to allow entry of data which will not
be visible by the person doing the entry.
wrt this- I'm inclined to agree with Kevin. It's certainly common in
certain
2012/12/20 Robert Haas robertmh...@gmail.com:
On Thu, Dec 20, 2012 at 4:35 AM, Simon Riggs si...@2ndquadrant.com wrote:
Not sure I understand you. You suggested it was a valid use case for a
user to have only INSERT privilege and wish to bypass security checks.
I agreed and suggested it could
2012/12/20 Kevin Grittner kgri...@mail.com:
Kohei KaiGai wrote:
If system ensures writer's permission is always equivalent or
more restrictive than reader's permission, it also eliminates the
problem around asymmetric row-security policy between commands.
I'm not sure we're understanding
2012/12/21 Kevin Grittner kgri...@mail.com:
Simon Riggs wrote:
Each table has a single security clause. The clause doesn't enforce
that it must contain something that depends on role, but that is the
most easily understood usage of it. We do that to ensure that you can
embed the intelligence
2012/12/21 Stephen Frost sfr...@snowman.net:
It seems to me we need some more discussion about design and
implementation on row-security checks of writer-side, to reach our
consensus.
Again, I agree with Kevin on this- there should be a wiki or similar
which actually outlines the high-level
2012/12/22 Simon Riggs si...@2ndquadrant.com:
On 21 December 2012 22:01, Stephen Frost sfr...@snowman.net wrote:
On the other hand, we are standing next to the consensus about
reader-side; a unique row-security policy (so, first version does not
support per-command policy) shall be checked on
2012/12/22 Kevin Grittner kgri...@mail.com:
Kohei KaiGai wrote:
RLS entry of wiki has not been updated for long time, I'll try to
update the entry for high-level design in a couple of days.
Thanks, I think that is essential for a productive discussion of
the issue.
I tried to update http
Sorry, I oversight this report.
The reason of this confusing error message is originated by incorrect
aclkind being delivered to aclcheck_error() at AlterObjectOwner_internal().
/* New owner must have CREATE privilege on namespace */
if (OidIsValid(namespaceId))
2012/12/20 Robert Haas robertmh...@gmail.com:
The recent SET SCHEMA refactoring has changed the error message that
you get when trying to move a function into the schema that already
contains it.
For a table, as ever, you get:
rhaas=# create table foo (a int);
CREATE TABLE
rhaas=# alter
2012/12/31 Simon Riggs si...@2ndquadrant.com:
On 23 December 2012 18:49, Simon Riggs si...@2ndquadrant.com wrote:
Anyway, hope you can make call on 28th so we can discuss this and
agree a way forwards you're happy with.
Stephen, KaiGai and myself met by phone on 28th to discuss.
1. The
2013/1/7 Tom Lane t...@sss.pgh.pa.us:
Robert Haas robertmh...@gmail.com writes:
On Mon, Jan 7, 2013 at 3:43 PM, Alvaro Herrera alvhe...@2ndquadrant.com
wrote:
I checked this patch. It needed a rebase for the changes to return
OIDs. Attached patch applies to current HEAD. In general this
2013/1/7 Robert Haas robertmh...@gmail.com:
On Mon, Jan 7, 2013 at 2:14 PM, Alvaro Herrera alvhe...@2ndquadrant.com
wrote:
Kohei KaiGai escribió:
Function and collation are candidates of this special case handling;
here are just two kinds of object.
Another idea is to add a function
2013/1/8 Robert Haas robertmh...@gmail.com:
On Tue, Jan 8, 2013 at 4:05 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
Does it make sense an idea to invoke AlterFunctionNamespace_oid()
or AlterCollationNamespace_oid() from AlterObjectNamespace_internal()
for checks of namespace conflicts?
It can
2013/1/15 Alvaro Herrera alvhe...@2ndquadrant.com:
Alvaro Herrera escribió:
Kohei KaiGai escribió:
I'm probably saying same idea. It just adds invocation of external
functions to check naming conflicts of functions or collation; that
takes additional 4-lines for special case handling
2013/1/15 Alvaro Herrera alvhe...@2ndquadrant.com:
Kohei KaiGai escribió:
The attached patch is a rebased version towards the latest master
branch, and fix up the issue around error messages on name conflicts.
I assume the lock.c changes are just a bollixed merge, right?
Yes, I'll check
This patch adds sepgsql the feature of name qualified creation label.
Background, on creation of a certain database object, sepgsql assigns
a default security label according to the security policy that has a set of
rules to determine a label of new object.
Usually, a new object inherits its
This patch adds sepgsql support for permission checks almost
equivalent to the existing FUNCTION EXECUTE privilege.
This feature is constructed on new OAT_FUNCTION_EXEC event
type being invoked around pg_proc_aclcheck() except for cases
when function's permissions are checked during CREATE or
2013/1/15 Peter Eisentraut pete...@gmx.net:
On 12/18/12 12:09 PM, Peter Eisentraut wrote:
There are some system administration functions that have hardcoded
superuser checks, specifically:
pg_reload_conf
pg_rotate_logfile
pg_read_file
pg_read_file_all
pg_read_binary_file
2013/1/16 Robert Haas robertmh...@gmail.com:
On Tue, Jan 15, 2013 at 3:02 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
This patch adds sepgsql the feature of name qualified creation label.
Background, on creation of a certain database object, sepgsql assigns
a default security label according
2013/1/18 Craig Ringer cr...@2ndquadrant.com:
On 11/16/2012 08:08 AM, Noah Misch wrote:
On Thu, Nov 15, 2012 at 02:33:21PM +0900, Shigeru Hanada wrote:
On Sat, Oct 20, 2012 at 4:24 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
IIRC, the reason why postgresql_fdw instead of pgsql_fdw
2013/1/17 Alvaro Herrera alvhe...@2ndquadrant.com:
Kohei KaiGai escribió:
This attached patch is the rebased one towards the latest master branch.
Great, thanks. I played with it a bit and it looks almost done to me.
The only issue I can find is that it lets you rename an aggregate
2013/1/24 Tom Lane t...@sss.pgh.pa.us:
John R Pierce pie...@hogranch.com writes:
On 1/23/2013 8:32 PM, Tom Lane wrote:
FWIW, in Fedora-land I see: ...
I'd be far more interested in what is in RHEL and CentOS.Fedora,
with its 6 month obsolescence cycle, is of zero interest to me for
2013/1/24 Magnus Hagander mag...@hagander.net:
On Thu, Jan 24, 2013 at 10:11 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
2013/1/24 Tom Lane t...@sss.pgh.pa.us:
John R Pierce pie...@hogranch.com writes:
On 1/23/2013 8:32 PM, Tom Lane wrote:
FWIW, in Fedora-land I see: ...
I'd be far more
2013/1/25 Kohei KaiGai kai...@kaigai.gr.jp:
2013/1/24 Magnus Hagander mag...@hagander.net:
On Thu, Jan 24, 2013 at 10:11 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote:
2013/1/24 Tom Lane t...@sss.pgh.pa.us:
John R Pierce pie...@hogranch.com writes:
On 1/23/2013 8:32 PM, Tom Lane wrote:
FWIW
2013/1/20 Tom Lane t...@sss.pgh.pa.us:
Robert Haas robertmh...@gmail.com writes:
Yeah. We'd need to think a little bit about how to make this work,
since I think that adding a gajillion booleans to pg_authid will not
make anyone very happy. But I like the idea. GRANT
2013/1/15 Peter Eisentraut pete...@gmx.net:
On Tue, 2012-10-09 at 20:45 -0400, Peter Eisentraut wrote:
About that plugins directory ($libdir/plugins) ... I don't think we
ever
really got that to work sensibly. I don't remember the original
design
discussion, but I have seen a number of
2013/1/29 Simon Riggs si...@2ndquadrant.com:
On 15 January 2013 20:28, Kohei KaiGai kai...@kaigai.gr.jp wrote:
This patch adds sepgsql support for permission checks equivalent
to the existing SCHEMA USE privilege.
This feature is constructed on new OAT_SCHEMA_SEARCH event
type being invoked
1 - 100 of 521 matches
Mail list logo