Skip to content

Commit

Permalink
Rework query relation permission checking
Browse files Browse the repository at this point in the history
BABELFISH-CONFLICT: see Postgres community repo for original commit

Currently, information about the permissions to be checked on relations
mentioned in a query is stored in their range table entries.  So the
executor must scan the entire range table looking for relations that
need to have permissions checked.  This can make the permission checking
part of the executor initialization needlessly expensive when many
inheritance children are present in the range range.  While the
permissions need not be checked on the individual child relations, the
executor still must visit every range table entry to filter them out.

This commit moves the permission checking information out of the range
table entries into a new plan node called RTEPermissionInfo.  Every
top-level (inheritance "root") RTE_RELATION entry in the range table
gets one and a list of those is maintained alongside the range table.
This new list is initialized by the parser when initializing the range
table.  The rewriter can add more entries to it as rules/views are
expanded.  Finally, the planner combines the lists of the individual
subqueries into one flat list that is passed to the executor for
checking.

To make it quick to find the RTEPermissionInfo entry belonging to a
given relation, RangeTblEntry gets a new Index field 'perminfoindex'
that stores the corresponding RTEPermissionInfo's index in the query's
list of the latter.

ExecutorCheckPerms_hook has gained another List * argument; the
signature is now:
typedef bool (*ExecutorCheckPerms_hook_type) (List *rangeTable,
					      List *rtePermInfos,
					      bool ereport_on_violation);
The first argument is no longer used by any in-core uses of the hook,
but we leave it in place because there may be other implementations that
do.  Implementations should likely scan the rtePermInfos list to
determine which operations to allow or deny.

Author: Amit Langote <[email protected]>
Discussion: https://postgr.es/m/CA+HiwqGjJDmUhDSfv-U2qhKJjt9ST7Xh9JXC_irsAQ1TAUsJYg@mail.gmail.com
(cherry picked from commit a61b1f74823c9c4f79c95226a461f1e7a367764b)
  • Loading branch information
alvherre authored and Jason Teng committed Dec 7, 2023
1 parent 1171baa commit 8e03977
Show file tree
Hide file tree
Showing 47 changed files with 960 additions and 538 deletions.
17 changes: 8 additions & 9 deletions contrib/postgres_fdw/postgres_fdw.c
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
#include "optimizer/appendinfo.h"
#include "optimizer/clauses.h"
#include "optimizer/cost.h"
#include "optimizer/inherit.h"
#include "optimizer/optimizer.h"
#include "optimizer/pathnode.h"
#include "optimizer/paths.h"
Expand Down Expand Up @@ -657,8 +658,8 @@ postgresGetForeignRelSize(PlannerInfo *root,
/*
* If the table or the server is configured to use remote estimates,
* identify which user to do remote access as during planning. This
* should match what ExecCheckRTEPerms() does. If we fail due to lack of
* permissions, the query would have failed at runtime anyway.
* should match what ExecCheckPermissions() does. If we fail due to lack
* of permissions, the query would have failed at runtime anyway.
*/
if (fpinfo->use_remote_estimate)
{
Expand Down Expand Up @@ -1809,7 +1810,8 @@ postgresPlanForeignModify(PlannerInfo *root,
else if (operation == CMD_UPDATE)
{
int col;
Bitmapset *allUpdatedCols = bms_union(rte->updatedCols, rte->extraUpdatedCols);
RelOptInfo *rel = find_base_rel(root, resultRelation);
Bitmapset *allUpdatedCols = get_rel_all_updated_cols(root, rel);

col = -1;
while ((col = bms_next_member(allUpdatedCols, col)) >= 0)
Expand Down Expand Up @@ -2650,7 +2652,7 @@ postgresBeginDirectModify(ForeignScanState *node, int eflags)

/*
* Identify which user to do the remote access as. This should match what
* ExecCheckRTEPerms() does.
* ExecCheckPermissions() does.
*/
userid = OidIsValid(fsplan->checkAsUser) ? fsplan->checkAsUser : GetUserId();

Expand Down Expand Up @@ -3975,11 +3977,8 @@ create_foreign_modify(EState *estate,
fmstate = (PgFdwModifyState *) palloc0(sizeof(PgFdwModifyState));
fmstate->rel = rel;

/*
* Identify which user to do the remote access as. This should match what
* ExecCheckRTEPerms() does.
*/
userid = OidIsValid(rte->checkAsUser) ? rte->checkAsUser : GetUserId();
/* Identify which user to do the remote access as. */
userid = ExecGetResultRelCheckAsUser(resultRelInfo, estate);

/* Get info about foreign table. */
table = GetForeignTable(RelationGetRelid(rel));
Expand Down
42 changes: 19 additions & 23 deletions contrib/sepgsql/dml.c
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
#include "commands/tablecmds.h"
#include "executor/executor.h"
#include "nodes/bitmapset.h"
#include "parser/parsetree.h"
#include "sepgsql.h"
#include "utils/lsyscache.h"
#include "utils/syscache.h"
Expand Down Expand Up @@ -277,38 +278,33 @@ check_relation_privileges(Oid relOid,
* Entrypoint of the DML permission checks
*/
bool
sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation)
sepgsql_dml_privileges(List *rangeTbls, List *rteperminfos,
bool abort_on_violation)
{
ListCell *lr;

foreach(lr, rangeTabls)
foreach(lr, rteperminfos)
{
RangeTblEntry *rte = lfirst(lr);
RTEPermissionInfo *perminfo = lfirst_node(RTEPermissionInfo, lr);
uint32 required = 0;
List *tableIds;
ListCell *li;

/*
* Only regular relations shall be checked
*/
if (rte->rtekind != RTE_RELATION)
continue;

/*
* Find out required permissions
*/
if (rte->requiredPerms & ACL_SELECT)
if (perminfo->requiredPerms & ACL_SELECT)
required |= SEPG_DB_TABLE__SELECT;
if (rte->requiredPerms & ACL_INSERT)
if (perminfo->requiredPerms & ACL_INSERT)
required |= SEPG_DB_TABLE__INSERT;
if (rte->requiredPerms & ACL_UPDATE)
if (perminfo->requiredPerms & ACL_UPDATE)
{
if (!bms_is_empty(rte->updatedCols))
if (!bms_is_empty(perminfo->updatedCols))
required |= SEPG_DB_TABLE__UPDATE;
else
required |= SEPG_DB_TABLE__LOCK;
}
if (rte->requiredPerms & ACL_DELETE)
if (perminfo->requiredPerms & ACL_DELETE)
required |= SEPG_DB_TABLE__DELETE;

/*
Expand All @@ -323,10 +319,10 @@ sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation)
* expand rte->relid into list of OIDs of inheritance hierarchy, then
* checker routine will be invoked for each relations.
*/
if (!rte->inh)
tableIds = list_make1_oid(rte->relid);
if (!perminfo->inh)
tableIds = list_make1_oid(perminfo->relid);
else
tableIds = find_all_inheritors(rte->relid, NoLock, NULL);
tableIds = find_all_inheritors(perminfo->relid, NoLock, NULL);

foreach(li, tableIds)
{
Expand All @@ -339,12 +335,12 @@ sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation)
* child table has different attribute numbers, so we need to fix
* up them.
*/
selectedCols = fixup_inherited_columns(rte->relid, tableOid,
rte->selectedCols);
insertedCols = fixup_inherited_columns(rte->relid, tableOid,
rte->insertedCols);
updatedCols = fixup_inherited_columns(rte->relid, tableOid,
rte->updatedCols);
selectedCols = fixup_inherited_columns(perminfo->relid, tableOid,
perminfo->selectedCols);
insertedCols = fixup_inherited_columns(perminfo->relid, tableOid,
perminfo->insertedCols);
updatedCols = fixup_inherited_columns(perminfo->relid, tableOid,
perminfo->updatedCols);

/*
* check permissions on individual tables
Expand Down
6 changes: 3 additions & 3 deletions contrib/sepgsql/hooks.c
Original file line number Diff line number Diff line change
Expand Up @@ -287,17 +287,17 @@ sepgsql_object_access(ObjectAccessType access,
* Entrypoint of DML permissions
*/
static bool
sepgsql_exec_check_perms(List *rangeTabls, bool abort)
sepgsql_exec_check_perms(List *rangeTbls, List *rteperminfos, bool abort)
{
/*
* If security provider is stacking and one of them replied 'false' at
* least, we don't need to check any more.
*/
if (next_exec_check_perms_hook &&
!(*next_exec_check_perms_hook) (rangeTabls, abort))
!(*next_exec_check_perms_hook) (rangeTbls, rteperminfos, abort))
return false;

if (!sepgsql_dml_privileges(rangeTabls, abort))
if (!sepgsql_dml_privileges(rangeTbls, rteperminfos, abort))
return false;

return true;
Expand Down
3 changes: 2 additions & 1 deletion contrib/sepgsql/sepgsql.h
Original file line number Diff line number Diff line change
Expand Up @@ -274,7 +274,8 @@ extern void sepgsql_object_relabel(const ObjectAddress *object,
/*
* dml.c
*/
extern bool sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation);
extern bool sepgsql_dml_privileges(List *rangeTabls, List *rteperminfos,
bool abort_on_violation);

/*
* database.c
Expand Down
23 changes: 12 additions & 11 deletions src/backend/commands/copy.c
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt,
{
LOCKMODE lockmode = is_from ? RowExclusiveLock : AccessShareLock;
ParseNamespaceItem *nsitem;
RangeTblEntry *rte;
RTEPermissionInfo *perminfo;
TupleDesc tupDesc;
List *attnums;
ListCell *cur;
Expand All @@ -125,8 +125,9 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt,

nsitem = addRangeTableEntryForRelation(pstate, rel, lockmode,
NULL, false, false);
rte = nsitem->p_rte;
rte->requiredPerms = (is_from ? ACL_INSERT : ACL_SELECT);

perminfo = nsitem->p_perminfo;
perminfo->requiredPerms = (is_from ? ACL_INSERT : ACL_SELECT);

if (stmt->whereClause)
{
Expand All @@ -152,15 +153,15 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt,
attnums = CopyGetAttnums(tupDesc, rel, stmt->attlist);
foreach(cur, attnums)
{
int attno = lfirst_int(cur) -
FirstLowInvalidHeapAttributeNumber;
int attno;
Bitmapset **bms;

if (is_from)
rte->insertedCols = bms_add_member(rte->insertedCols, attno);
else
rte->selectedCols = bms_add_member(rte->selectedCols, attno);
attno = lfirst_int(cur) - FirstLowInvalidHeapAttributeNumber;
bms = is_from ? &perminfo->insertedCols : &perminfo->selectedCols;

*bms = bms_add_member(*bms, attno);
}
ExecCheckRTPerms(pstate->p_rtable, true);
ExecCheckPermissions(pstate->p_rtable, list_make1(perminfo), true);

/*
* Permission check for row security policies.
Expand All @@ -176,7 +177,7 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt,
* If RLS is not enabled for this, then just fall through to the
* normal non-filtering relation handling.
*/
if (check_enable_rls(rte->relid, InvalidOid, false) == RLS_ENABLED)
if (check_enable_rls(relid, InvalidOid, false) == RLS_ENABLED)
{
SelectStmt *select;
ColumnRef *cr;
Expand Down
11 changes: 10 additions & 1 deletion src/backend/commands/copyfrom.c
Original file line number Diff line number Diff line change
Expand Up @@ -761,6 +761,12 @@ CopyFrom(CopyFromState cstate)
resultRelInfo = target_resultRelInfo = makeNode(ResultRelInfo);
ExecInitResultRelation(estate, resultRelInfo, 1);

/*
* Copy the RTEPermissionInfos into estate as well, so that
* ExecGetInsertedCols() et al will work correctly.
*/
estate->es_rteperminfos = cstate->rteperminfos;

/* Verify the named relation is a valid target for INSERT */
CheckValidResultRel(resultRelInfo, CMD_INSERT);

Expand Down Expand Up @@ -1525,9 +1531,12 @@ BeginCopyFrom(ParseState *pstate,

initStringInfo(&cstate->attribute_buf);

/* Assign range table, we'll need it in CopyFrom. */
/* Assign range table and rteperminfos, we'll need them in CopyFrom. */
if (pstate)
{
cstate->range_table = pstate->p_rtable;
cstate->rteperminfos = pstate->p_rteperminfos;
}

tupDesc = RelationGetDescr(cstate->rel);
num_phys_attrs = tupDesc->natts;
Expand Down
33 changes: 29 additions & 4 deletions src/backend/commands/view.c
Original file line number Diff line number Diff line change
Expand Up @@ -374,7 +374,7 @@ DefineViewRules(Oid viewOid, Query *viewParse, bool replace)
* by 2...
*
* These extra RT entries are not actually used in the query,
* except for run-time locking and permission checking.
* except for run-time locking.
*---------------------------------------------------------------
*/
static Query *
Expand All @@ -385,7 +385,9 @@ UpdateRangeTableOfViewParse(Oid viewOid, Query *viewParse)
ParseNamespaceItem *nsitem;
RangeTblEntry *rt_entry1,
*rt_entry2;
RTEPermissionInfo *rte_perminfo1;
ParseState *pstate;
ListCell *lc;

/*
* Make a copy of the given parsetree. It's not so much that we don't
Expand All @@ -412,15 +414,38 @@ UpdateRangeTableOfViewParse(Oid viewOid, Query *viewParse)
makeAlias("old", NIL),
false, false);
rt_entry1 = nsitem->p_rte;
rte_perminfo1 = nsitem->p_perminfo;
nsitem = addRangeTableEntryForRelation(pstate, viewRel,
AccessShareLock,
makeAlias("new", NIL),
false, false);
rt_entry2 = nsitem->p_rte;

/* Must override addRangeTableEntry's default access-check flags */
rt_entry1->requiredPerms = 0;
rt_entry2->requiredPerms = 0;
/*
* Add only the "old" RTEPermissionInfo at the head of view query's list
* and update the other RTEs' perminfoindex accordingly. When rewriting a
* query on the view, ApplyRetrieveRule() will transfer the view
* relation's permission details into this RTEPermissionInfo. That's
* needed because the view's RTE itself will be transposed into a subquery
* RTE that can't carry the permission details; see the code stanza toward
* the end of ApplyRetrieveRule() for how that's done.
*/
viewParse->rteperminfos = lcons(rte_perminfo1, viewParse->rteperminfos);
foreach(lc, viewParse->rtable)
{
RangeTblEntry *rte = lfirst(lc);

if (rte->perminfoindex > 0)
rte->perminfoindex += 1;
}

/*
* Also make the "new" RTE's RTEPermissionInfo undiscoverable. This is a
* bit of a hack given that all the non-child RTE_RELATION entries really
* should have a RTEPermissionInfo, but this dummy "new" RTE is going to
* go away anyway in the very near future.
*/
rt_entry2->perminfoindex = 0;

new_rt = lcons(rt_entry1, lcons(rt_entry2, viewParse->rtable));

Expand Down
Loading

0 comments on commit 8e03977

Please sign in to comment.