diff --git a/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbProfileFlag.java b/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbProfileFlag.java index 57f218d5ec0f..0068a08f01cc 100644 --- a/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbProfileFlag.java +++ b/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbProfileFlag.java @@ -65,7 +65,7 @@ protected Map getTServerFlags() { @Test(expected = PSQLException.class) public void testCreateProfileIsDisabled() throws Exception { try (Statement stmt = connection.createStatement()) { - stmt.execute("CREATE PROFILE p1 FAILED ATTEMPTS 3"); + stmt.execute("CREATE PROFILE p1 FAILED_LOGIN_ATTEMPTS 3"); } } diff --git a/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbRoleProfile.java b/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbRoleProfile.java index 1bc4ab63cd84..83318bee0144 100644 --- a/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbRoleProfile.java +++ b/java/yb-pgsql/src/test/java/org/yb/pgsql/TestYbRoleProfile.java @@ -146,9 +146,9 @@ public void cleanup() throws Exception { public void setup() throws Exception { try (Statement stmt = connection.createStatement()) { stmt.execute(String.format("CREATE USER %s PASSWORD '%s'", USERNAME, PASSWORD)); - stmt.execute(String.format("CREATE PROFILE %s FAILED ATTEMPTS %d", + stmt.execute(String.format("CREATE PROFILE %s LIMIT FAILED_LOGIN_ATTEMPTS %d", PROFILE_1_NAME, PRF_1_FAILED_ATTEMPTS)); - stmt.execute(String.format("CREATE PROFILE %s FAILED ATTEMPTS %d", + stmt.execute(String.format("CREATE PROFILE %s LIMIT FAILED_LOGIN_ATTEMPTS %d", PROFILE_2_NAME, PRF_2_FAILED_ATTEMPTS)); stmt.execute(String.format("ALTER USER %s PROFILE ATTACH %s", USERNAME, PROFILE_1_NAME)); diff --git a/src/postgres/src/backend/catalog/aclchk.c b/src/postgres/src/backend/catalog/aclchk.c index 8adedd8f71d5..eebfe32745b1 100644 --- a/src/postgres/src/backend/catalog/aclchk.c +++ b/src/postgres/src/backend/catalog/aclchk.c 
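Review bot: In `testCreateProfileIsDisabled` the new statement `CREATE PROFILE p1 FAILED_LOGIN_ATTEMPTS 3` omits `LIMIT`, which the grammar in this same commit requires (`CREATE PROFILE name LIMIT FAILED_LOGIN_ATTEMPTS Iconst`). The expected `PSQLException` is therefore likely raised by a syntax error rather than by the disabled `ysql_enable_profile` flag, so the test would keep passing even if the flag gate stopped working. Use `stmt.execute("CREATE PROFILE p1 LIMIT FAILED_LOGIN_ATTEMPTS 3");` and, if practical, assert on the error text so the reason for the failure is pinned. The `setup` hunk in TestYbRoleProfile.java already uses the `LIMIT` form.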
@@ -3804,7 +3804,7 @@ aclcheck_error(AclResult aclerr, ObjectType objtype, case OBJECT_TABLESPACE: msg = gettext_noop("permission denied for tablespace %s"); break; - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: msg = gettext_noop("permission denied for profile %s"); break; case OBJECT_TSCONFIGURATION: @@ -3971,7 +3971,7 @@ aclcheck_error(AclResult aclerr, ObjectType objtype, case OBJECT_DEFACL: case OBJECT_DOMCONSTRAINT: case OBJECT_PUBLICATION_REL: - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: case OBJECT_ROLE: case OBJECT_TRANSFORM: case OBJECT_TSPARSER: diff --git a/src/postgres/src/backend/catalog/dependency.c b/src/postgres/src/backend/catalog/dependency.c index 9aa513133cbf..a96f0435a747 100644 --- a/src/postgres/src/backend/catalog/dependency.c +++ b/src/postgres/src/backend/catalog/dependency.c @@ -68,7 +68,6 @@ #include "commands/extension.h" #include "commands/policy.h" #include "commands/proclang.h" -#include "commands/profile.h" #include "commands/publicationcmds.h" #include "commands/schemacmds.h" #include "commands/seclabel.h" @@ -76,6 +75,7 @@ #include "commands/tablegroup.h" #include "commands/trigger.h" #include "commands/typecmds.h" +#include "commands/ybc_profile.h" #include "nodes/nodeFuncs.h" #include "parser/parsetree.h" #include "rewrite/rewriteRemove.h" @@ -179,8 +179,8 @@ static const Oid object_classes[] = { PublicationRelRelationId, /* OCLASS_PUBLICATION_REL */ SubscriptionRelationId, /* OCLASS_SUBSCRIPTION */ TransformRelationId, /* OCLASS_TRANSFORM */ - YbProfileRelationId, /* OCLASS_PROFILE */ - YbRoleProfileRelationId, /* OCLASS_ROLE_PROFILE */ + YbProfileRelationId, /* OCLASS_YBPROFILE */ + YbRoleProfileRelationId, /* OCLASS_ROLE_YBPROFILE */ }; 
@@ -1319,11 +1319,11 @@ doDeletion(const ObjectAddress *object, int flags) RemoveTablegroupById(object->objectId); break; - case OCLASS_PROFILE: + case OCLASS_YBPROFILE: RemoveProfileById(object->objectId); break; - case OCLASS_ROLE_PROFILE: + case OCLASS_ROLE_YBPROFILE: RemoveRoleProfileById(object->objectId); break; /* @@ -2549,10 +2549,10 @@ getObjectClass(const ObjectAddress *object) return OCLASS_DATABASE; case YbProfileRelationId: - return OCLASS_PROFILE; + return OCLASS_YBPROFILE; case YbRoleProfileRelationId: - return OCLASS_ROLE_PROFILE; + return OCLASS_ROLE_YBPROFILE; case YbTablegroupRelationId: return OCLASS_TBLGROUP; diff --git a/src/postgres/src/backend/catalog/objectaddress.c b/src/postgres/src/backend/catalog/objectaddress.c index 8e1752085e0d..c10bd9f24749 100644 --- a/src/postgres/src/backend/catalog/objectaddress.c +++ b/src/postgres/src/backend/catalog/objectaddress.c @@ -64,12 +64,12 @@ #include "commands/defrem.h" #include "commands/event_trigger.h" #include "commands/extension.h" -#include "commands/profile.h" #include "commands/policy.h" #include "commands/proclang.h" #include "commands/tablespace.h" #include "commands/tablegroup.h" #include "commands/trigger.h" +#include "commands/ybc_profile.h" #include "foreign/foreign.h" #include "funcapi.h" #include "miscadmin.h" @@ -515,7 +515,7 @@ static const ObjectPropertyType ObjectProperty[] = InvalidAttrNumber, InvalidAttrNumber, InvalidAttrNumber, - OBJECT_PROFILE, + OBJECT_YBPROFILE, true } }; @@ -747,9 +747,9 @@ static const struct object_type_map { "statistics object", OBJECT_STATISTIC_EXT }, - /* OBJECT_PROFILE */ + /* OBJECT_YBPROFILE */ { - "profile", OBJECT_PROFILE + "profile", OBJECT_YBPROFILE } }; @@ -915,7 +915,7 @@ get_object_address(ObjectType objtype, Node *object, case OBJECT_PUBLICATION: case OBJECT_SUBSCRIPTION: case OBJECT_YBTABLEGROUP: - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: address = get_object_address_unqualified(objtype, (Value *) object, missing_ok); break; 
@@ -1225,7 +1225,7 @@ get_object_address_unqualified(ObjectType objtype, address.objectId = get_subscription_oid(name, missing_ok); address.objectSubId = 0; break; - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: address.classId = YbProfileRelationId; address.objectId = get_profile_oid(name, missing_ok); address.objectSubId = 0; @@ -2183,7 +2183,7 @@ pg_get_object_address(PG_FUNCTION_ARGS) case OBJECT_TABCONSTRAINT: case OBJECT_OPCLASS: case OBJECT_OPFAMILY: - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: objnode = (Node *) name; break; case OBJECT_ACCESS_METHOD: @@ -2479,7 +2479,7 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address, if (!pg_statistics_object_ownercheck(address.objectId, roleid)) aclcheck_error_type(ACLCHECK_NOT_OWNER, address.objectId); break; - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: /* A profile can be dropped by the super user or yb_db_admin */ if (!superuser() && !IsYbDbAdminUser(GetUserId())) ereport(ERROR, @@ -3658,14 +3658,14 @@ getObjectDescription(const ObjectAddress *object) ReleaseSysCache(trfTup); break; } - case OCLASS_PROFILE: + case OCLASS_YBPROFILE: { char *profile; profile = get_profile_name(object->objectId); appendStringInfo(&buffer, _("profile %s"), profile); break; } - case OCLASS_ROLE_PROFILE: + case OCLASS_ROLE_YBPROFILE: { Oid roleid = get_role_oid_from_role_profile(object->objectId); appendStringInfo(&buffer, _("a profile is attached to role %s"), @@ -4179,11 +4179,11 @@ getObjectTypeDescription(const ObjectAddress *object) appendStringInfoString(&buffer, "transform"); break; - case OCLASS_PROFILE: + case OCLASS_YBPROFILE: appendStringInfoString(&buffer, "profile"); break; - case OCLASS_ROLE_PROFILE: + case OCLASS_ROLE_YBPROFILE: appendStringInfoString(&buffer, "role profile"); break; /* 
@@ -5254,7 +5254,7 @@ getObjectIdentityParts(const ObjectAddress *object, heap_close(transformDesc, AccessShareLock); } break; - case OCLASS_PROFILE: + case OCLASS_YBPROFILE: { char *profile; profile = get_profile_name(object->objectId); @@ -5264,7 +5264,7 @@ getObjectIdentityParts(const ObjectAddress *object, quote_identifier(profile)); break; } - case OCLASS_ROLE_PROFILE: + case OCLASS_ROLE_YBPROFILE: { Oid roleid = get_role_oid_from_role_profile(object->objectId); if (roleid == InvalidOid) diff --git a/src/postgres/src/backend/commands/alter.c b/src/postgres/src/backend/commands/alter.c index 92d91adf881d..4042ee3b98bc 100644 --- a/src/postgres/src/backend/commands/alter.c +++ b/src/postgres/src/backend/commands/alter.c @@ -638,8 +638,8 @@ AlterObjectNamespace_oid(Oid classId, Oid objid, Oid nspOid, case OCLASS_PUBLICATION_REL: case OCLASS_SUBSCRIPTION: case OCLASS_TRANSFORM: - case OCLASS_PROFILE: - case OCLASS_ROLE_PROFILE: + case OCLASS_YBPROFILE: + case OCLASS_ROLE_YBPROFILE: /* ignore object types that don't have schema-qualified names */ break; diff --git a/src/postgres/src/backend/commands/dropcmds.c b/src/postgres/src/backend/commands/dropcmds.c index 95a2ecb87698..49b80105df96 100644 --- a/src/postgres/src/backend/commands/dropcmds.c +++ b/src/postgres/src/backend/commands/dropcmds.c @@ -458,7 +458,7 @@ does_not_exist_skipping(ObjectType objtype, Node *object) msg = gettext_noop("tablegroup \"%s\" does not exist, skipping"); name = strVal((Value *) object); break; - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: msg = gettext_noop("profile \"%s\" does not exist, skipping"); name = strVal((Value *) object); break; diff --git a/src/postgres/src/backend/commands/event_trigger.c b/src/postgres/src/backend/commands/event_trigger.c index 777060f68a56..f110169245c9 100644 --- a/src/postgres/src/backend/commands/event_trigger.c +++ b/src/postgres/src/backend/commands/event_trigger.c 
@@ -1121,7 +1121,7 @@ EventTriggerSupportsObjectType(ObjectType obtype) /* no support for event triggers on event triggers */ return false; case OBJECT_YBTABLEGROUP: - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: /* no support for event triggers on tablegroups or profile*/ return false; case OBJECT_ACCESS_METHOD: @@ -1201,8 +1201,8 @@ EventTriggerSupportsObjectClass(ObjectClass objclass) case OCLASS_TBLGROUP: /* no support for event triggers on tablegroups */ return false; - case OCLASS_PROFILE: - case OCLASS_ROLE_PROFILE: + case OCLASS_YBPROFILE: + case OCLASS_ROLE_YBPROFILE: /* no support for event triggers on profiles */ return false; case OCLASS_CLASS: @@ -2275,7 +2275,7 @@ stringify_grant_objtype(ObjectType objtype) return "TABLEGROUP"; case OBJECT_TABLESPACE: return "TABLESPACE"; - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: return "PROFILE"; case OBJECT_TYPE: return "TYPE"; @@ -2361,7 +2361,7 @@ stringify_adefprivs_objtype(ObjectType objtype) return "TABLEGROUPS"; case OBJECT_TABLESPACE: return "TABLESPACES"; - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: return "PROFILES"; case OBJECT_TYPE: return "TYPES"; diff --git a/src/postgres/src/backend/commands/tablecmds.c b/src/postgres/src/backend/commands/tablecmds.c index c0fb1ba3200e..433ecd795243 100644 --- a/src/postgres/src/backend/commands/tablecmds.c +++ b/src/postgres/src/backend/commands/tablecmds.c @@ -11648,8 +11648,8 @@ ATExecAlterColumnType(AlteredTableInfo *tab, Relation rel, case OCLASS_PUBLICATION_REL: case OCLASS_SUBSCRIPTION: case OCLASS_TRANSFORM: - case OCLASS_PROFILE: - case OCLASS_ROLE_PROFILE: + case OCLASS_YBPROFILE: + case OCLASS_ROLE_YBPROFILE: /* * We don't expect any of these sorts of objects to depend on diff --git a/src/postgres/src/backend/commands/user.c b/src/postgres/src/backend/commands/user.c index 23954bd286ba..78b3fad360bd 100644 --- a/src/postgres/src/backend/commands/user.c +++ b/src/postgres/src/backend/commands/user.c 
@@ -28,9 +28,9 @@ #include "catalog/pg_db_role_setting.h" #include "commands/comment.h" #include "commands/dbcommands.h" -#include "commands/profile.h" #include "commands/seclabel.h" #include "commands/user.h" +#include "commands/ybc_profile.h" #include "libpq/crypt.h" #include "miscadmin.h" #include "storage/lmgr.h" diff --git a/src/postgres/src/backend/commands/ybc_profile.c b/src/postgres/src/backend/commands/ybc_profile.c index acf87398b71a..06860e5aa030 100644 --- a/src/postgres/src/backend/commands/ybc_profile.c +++ b/src/postgres/src/backend/commands/ybc_profile.c @@ -44,10 +44,10 @@ #include "commands/comment.h" #include "commands/dbcommands.h" #include "commands/defrem.h" -#include "commands/profile.h" #include "commands/seclabel.h" #include "commands/tablecmds.h" #include "commands/ybccmds.h" +#include "commands/ybc_profile.h" #include "common/file_perm.h" #include "miscadmin.h" #include "postmaster/bgwriter.h" @@ -321,8 +321,7 @@ CreateRoleProfile(Oid roleid, const char *rolename, const char *prfname) (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("permission denied to attach role \"%s\" to profile \"%s\"", rolename, prfname), - errhint("Must be superuser or a member of the yb_db_admin " - "role to create a profile."))); + errhint("Must be superuser or a member of the yb_db_admin"))); /* * Check that there is a profile by this name. diff --git a/src/postgres/src/backend/executor/ybcModifyTable.c b/src/postgres/src/backend/executor/ybcModifyTable.c index c17397cf2e85..556193d892c2 100644 --- a/src/postgres/src/backend/executor/ybcModifyTable.c +++ b/src/postgres/src/backend/executor/ybcModifyTable.c @@ -30,7 +30,7 @@ #include "catalog/pg_yb_role_profile.h" #include "catalog/pg_yb_role_profile_d.h" #include "catalog/yb_type.h" -#include "commands/profile.h" +#include "commands/ybc_profile.h" #include "utils/relcache.h" #include "utils/rel.h" #include "utils/lsyscache.h" 
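Review bot: The new hint in `CreateRoleProfile`, `errhint("Must be superuser or a member of the yb_db_admin")`, stops mid-phrase: it drops the word "role" and the closing period, unlike the CREATE PROFILE hint shown in yb_profile_permissions.out. Removing the incorrect "to create a profile" tail is right, but the hint should remain a complete sentence that names the denied action, e.g. `errhint("Must be superuser or a member of the yb_db_admin role to attach a profile.")`. The function body continues outside the hunk.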
diff --git a/src/postgres/src/backend/libpq/auth.c b/src/postgres/src/backend/libpq/auth.c index bf526d39d85b..e3489be1a10e 100644 --- a/src/postgres/src/backend/libpq/auth.c +++ b/src/postgres/src/backend/libpq/auth.c @@ -25,8 +25,8 @@ #include "access/htup_details.h" #include "catalog/pg_yb_role_profile.h" -#include "commands/profile.h" #include "commands/user.h" +#include "commands/ybc_profile.h" #include "common/ip.h" #include "common/md5.h" #include "common/scram-common.h" diff --git a/src/postgres/src/backend/parser/gram.y b/src/postgres/src/backend/parser/gram.y index 4f4ed7c598c1..1dc4c9c8a112 100644 --- a/src/postgres/src/backend/parser/gram.y +++ b/src/postgres/src/backend/parser/gram.y @@ -658,9 +658,9 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query); */ /* ordinary key words in alphabetical order */ -%token ABORT_P ABSOLUTE_P ACCESS ACTION ADD_P ADMIN AFTER +%token ABORT_P ABSOLUTE_P ACCESS ACCOUNT ACTION ADD_P ADMIN AFTER AGGREGATE ALL ALSO ALTER ALWAYS ANALYSE ANALYZE AND ANY ARRAY AS ASC - ASSERTION ASSIGNMENT ASYMMETRIC AT ATTACH ATTEMPTS ATTRIBUTE AUTHORIZATION + ASSERTION ASSIGNMENT ASYMMETRIC AT ATTACH ATTRIBUTE AUTHORIZATION BACKFILL BACKWARD BEFORE BEGIN_P BETWEEN BIGINT BINARY BIT BOOLEAN_P BOTH BY @@ -683,8 +683,8 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query); EXCLUDE EXCLUDING EXCLUSIVE EXECUTE EXISTS EXPLAIN EXTENSION EXTERNAL EXTRACT - FAILED FALSE_P FAMILY FETCH FILTER FIRST_P FLOAT_P FOLLOWING FOR - FORCE FOREIGN FORWARD FREEZE FROM FULL FUNCTION FUNCTIONS + FAILED_LOGIN_ATTEMPTS FALSE_P FAMILY FETCH FILTER FIRST_P FLOAT_P FOLLOWING + FOR FORCE FOREIGN FORWARD FREEZE FROM FULL FUNCTION FUNCTIONS GENERATED GLOBAL GRANT GRANTED GREATEST GROUP_P GROUPING GROUPS 
@@ -735,8 +735,8 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query); TREAT TRIGGER TRIM TRUE_P TRUNCATE TRUSTED TYPE_P TYPES_P - UNBOUNDED UNCOMMITTED UNENCRYPTED UNION UNIQUE UNKNOWN UNLISTEN UNLOGGED - UNTIL UPDATE USER USING + UNBOUNDED UNCOMMITTED UNENCRYPTED UNION UNIQUE UNKNOWN UNLISTEN UNLOCK + UNLOGGED UNTIL UPDATE USER USING VACUUM VALID VALIDATE VALIDATOR VALUE_P VALUES VARCHAR VARIADIC VARYING VERBOSE VERSION_P VIEW VIEWS VOLATILE @@ -1137,20 +1137,20 @@ AlterOptRoleElem: parser_ybc_not_support(@1, "PROFILE"); $$ = makeDefElem("profile", (Node *)makeString($3), @1); } - | PROFILE ENABLE_P + | ACCOUNT LOCK_P { if (!*YBCGetGFlags()->ysql_enable_profile) parser_ybc_not_support(@1, "PROFILE"); - $$ = makeDefElem("enabled", (Node *)makeInteger(true), @1); + $$ = makeDefElem("enabled", (Node *)makeInteger(false), @1); } - | PROFILE DISABLE_P + | ACCOUNT UNLOCK { if (!*YBCGetGFlags()->ysql_enable_profile) parser_ybc_not_support(@1, "PROFILE"); - $$ = makeDefElem("enabled", (Node *)makeInteger(false), @1); + $$ = makeDefElem("enabled", (Node *)makeInteger(true), @1); } /* CAUTION: DEV RULE to test increment failed attempts counter and disable profile */ - | PROFILE ATTEMPTS FAILED + | PROFILE ADD_P FAILED_LOGIN_ATTEMPTS { if (!*YBCGetGFlags()->ysql_enable_profile) parser_ybc_not_support(@1, "PROFILE"); @@ -4856,11 +4856,11 @@ DropTableSpaceStmt: DROP TABLESPACE name /***************************************************************************** * * QUERY: - * CREATE PROFILE prfname FAILED ATTEMPTS + * CREATE PROFILE prfname LIMIT FAILED_LOGIN_ATTEMPTS * *****************************************************************************/ -CreateProfileStmt: CREATE PROFILE name FAILED ATTEMPTS SignedIconst +CreateProfileStmt: CREATE PROFILE name LIMIT FAILED_LOGIN_ATTEMPTS Iconst { if (!*YBCGetGFlags()->ysql_enable_profile) parser_ybc_not_support(@1, "PROFILE"); 
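Review bot: The `PROFILE ADD_P FAILED_LOGIN_ATTEMPTS` alternative of `AlterOptRoleElem` is still marked `CAUTION: DEV RULE`, yet this commit renames it and keeps it in the shipped grammar, guarded only by `ysql_enable_profile`. A statement that increments a role's failed-login counter can lock that account, so it needs the same superuser / yb_db_admin check as `ACCOUNT LOCK`. That check is not visible in this hunk, and yb_profile_permissions.sql does not run this statement as the unprivileged user_1. Either put the rule behind a test-only switch or add that denial case to the permissions test, and make the comment say what the rule does, e.g. `/* Test-only rule: increments the failed-login counter and can lock the role. */`.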
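Review bot: `CreateProfileStmt` now takes `Iconst`, which rejects a negative limit at parse time but still accepts 0, and the regress files in this commit only create profiles with 2, 3 or 4. What a limit of 0 means for lockout is not visible here: it could mean lock on the first failure, or no limit, as the `default` row with 0 might suggest. Add cases for `LIMIT FAILED_LOGIN_ATTEMPTS 0` and for a negative value to yb_profile.sql, or reject 0 in the action. The header comment could also show the argument: `CREATE PROFILE prfname LIMIT FAILED_LOGIN_ATTEMPTS count`. The rule's action continues outside the hunk.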
@@ -6873,7 +6873,7 @@ drop_type_name: { if (!*YBCGetGFlags()->ysql_enable_profile) parser_ybc_not_support(@1, "PROFILE"); - $$ = OBJECT_PROFILE; + $$ = OBJECT_YBPROFILE; } ; @@ -16014,6 +16014,7 @@ unreserved_keyword: ABORT_P | ABSOLUTE_P | ACCESS + | ACCOUNT | ACTION | ADD_P | ADMIN @@ -16026,7 +16027,6 @@ unreserved_keyword: | ASSIGNMENT | AT | ATTACH - | ATTEMPTS | ATTRIBUTE | BACKFILL | BACKWARD @@ -16100,7 +16100,7 @@ unreserved_keyword: | EXPLAIN | EXTENSION | EXTERNAL - | FAILED + | FAILED_LOGIN_ATTEMPTS | FAMILY | FILTER | FIRST_P @@ -16289,6 +16289,7 @@ unreserved_keyword: | UNENCRYPTED | UNKNOWN | UNLISTEN + | UNLOCK | UNLOGGED | UNTIL | UPDATE diff --git a/src/postgres/src/backend/tcop/utility.c b/src/postgres/src/backend/tcop/utility.c index dadb57819ab7..d9e69769a3fb 100644 --- a/src/postgres/src/backend/tcop/utility.c +++ b/src/postgres/src/backend/tcop/utility.c @@ -45,7 +45,6 @@ #include "commands/portalcmds.h" #include "commands/prepare.h" #include "commands/proclang.h" -#include "commands/profile.h" #include "commands/publicationcmds.h" #include "commands/schemacmds.h" #include "commands/seclabel.h" @@ -59,6 +58,7 @@ #include "commands/user.h" #include "commands/vacuum.h" #include "commands/view.h" +#include "commands/ybc_profile.h" #include "libpq/libpq-be.h" #include "miscadmin.h" #include "parser/parse_utilcmd.h" @@ -2474,7 +2474,7 @@ CreateCommandTag(Node *parsetree) case OBJECT_YBTABLEGROUP: tag = "DROP TABLEGROUP"; break; - case OBJECT_PROFILE: + case OBJECT_YBPROFILE: tag = "DROP PROFILE"; break; default: diff --git a/src/postgres/src/include/catalog/dependency.h b/src/postgres/src/include/catalog/dependency.h index 400c709f299d..9dfbfd233f01 100644 --- a/src/postgres/src/include/catalog/dependency.h +++ b/src/postgres/src/include/catalog/dependency.h 
@@ -190,11 +190,11 @@ typedef enum ObjectClass OCLASS_PUBLICATION_REL, /* pg_publication_rel */ OCLASS_SUBSCRIPTION, /* pg_subscription */ OCLASS_TRANSFORM, /* pg_transform */ - OCLASS_PROFILE, /* pg_yb_profile */ - OCLASS_ROLE_PROFILE, /* pg_yb_role_profile */ + OCLASS_YBPROFILE, /* pg_yb_profile */ + OCLASS_ROLE_YBPROFILE, /* pg_yb_role_profile */ } ObjectClass; -#define LAST_OCLASS OCLASS_ROLE_PROFILE +#define LAST_OCLASS OCLASS_ROLE_YBPROFILE /* flag bits for performDeletion/performMultipleDeletions: */ #define PERFORM_DELETION_INTERNAL 0x0001 /* internal action */ diff --git a/src/postgres/src/include/nodes/parsenodes.h b/src/postgres/src/include/nodes/parsenodes.h index c7d1bf43e549..9e92eec1350c 100644 --- a/src/postgres/src/include/nodes/parsenodes.h +++ b/src/postgres/src/include/nodes/parsenodes.h @@ -1693,7 +1693,7 @@ typedef enum ObjectType OBJECT_TYPE, OBJECT_USER_MAPPING, OBJECT_VIEW, - OBJECT_PROFILE + OBJECT_YBPROFILE } ObjectType; /* ---------------------- diff --git a/src/postgres/src/include/parser/kwlist.h b/src/postgres/src/include/parser/kwlist.h index 04094c14a695..f380243f17a9 100644 --- a/src/postgres/src/include/parser/kwlist.h +++ b/src/postgres/src/include/parser/kwlist.h @@ -29,6 +29,7 @@ PG_KEYWORD("abort", ABORT_P, UNRESERVED_KEYWORD) PG_KEYWORD("absolute", ABSOLUTE_P, UNRESERVED_KEYWORD) PG_KEYWORD("access", ACCESS, UNRESERVED_KEYWORD) +PG_KEYWORD("account", ACCOUNT, UNRESERVED_KEYWORD) PG_KEYWORD("action", ACTION, UNRESERVED_KEYWORD) PG_KEYWORD("add", ADD_P, UNRESERVED_KEYWORD) PG_KEYWORD("admin", ADMIN, UNRESERVED_KEYWORD) 
@@ -50,7 +51,6 @@ PG_KEYWORD("assignment", ASSIGNMENT, UNRESERVED_KEYWORD) PG_KEYWORD("asymmetric", ASYMMETRIC, RESERVED_KEYWORD) PG_KEYWORD("at", AT, UNRESERVED_KEYWORD) PG_KEYWORD("attach", ATTACH, UNRESERVED_KEYWORD) -PG_KEYWORD("attempts", ATTEMPTS, UNRESERVED_KEYWORD) PG_KEYWORD("attribute", ATTRIBUTE, UNRESERVED_KEYWORD) PG_KEYWORD("authorization", AUTHORIZATION, TYPE_FUNC_NAME_KEYWORD) PG_KEYWORD("backfill", BACKFILL, UNRESERVED_KEYWORD) @@ -163,7 +163,7 @@ PG_KEYWORD("explain", EXPLAIN, UNRESERVED_KEYWORD) PG_KEYWORD("extension", EXTENSION, UNRESERVED_KEYWORD) PG_KEYWORD("external", EXTERNAL, UNRESERVED_KEYWORD) PG_KEYWORD("extract", EXTRACT, COL_NAME_KEYWORD) -PG_KEYWORD("failed", FAILED, UNRESERVED_KEYWORD) +PG_KEYWORD("failed_login_attempts", FAILED_LOGIN_ATTEMPTS, UNRESERVED_KEYWORD) PG_KEYWORD("false", FALSE_P, RESERVED_KEYWORD) PG_KEYWORD("family", FAMILY, UNRESERVED_KEYWORD) PG_KEYWORD("fetch", FETCH, RESERVED_KEYWORD) @@ -434,6 +434,7 @@ PG_KEYWORD("union", UNION, RESERVED_KEYWORD) PG_KEYWORD("unique", UNIQUE, RESERVED_KEYWORD) PG_KEYWORD("unknown", UNKNOWN, UNRESERVED_KEYWORD) PG_KEYWORD("unlisten", UNLISTEN, UNRESERVED_KEYWORD) +PG_KEYWORD("unlock", UNLOCK, UNRESERVED_KEYWORD) PG_KEYWORD("unlogged", UNLOGGED, UNRESERVED_KEYWORD) PG_KEYWORD("until", UNTIL, UNRESERVED_KEYWORD) PG_KEYWORD("update", UPDATE, UNRESERVED_KEYWORD) diff --git a/src/postgres/src/test/regress/expected/yb_profile.out b/src/postgres/src/test/regress/expected/yb_profile.out index bfa49ace4647..ac4ae68f39c7 100644 --- a/src/postgres/src/test/regress/expected/yb_profile.out +++ b/src/postgres/src/test/regress/expected/yb_profile.out 
@@ -49,7 +49,7 @@ SELECT oid, prfname, prffailedloginattempts FROM pg_catalog.pg_yb_profile ORDER 8057 | default | 0 (1 row) -CREATE PROFILE test_profile FAILED ATTEMPTS 3; +CREATE PROFILE test_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; SELECT prfname, prffailedloginattempts FROM pg_catalog.pg_yb_profile ORDER BY OID; prfname | prffailedloginattempts --------------+------------------------ @@ -58,7 +58,7 @@ SELECT prfname, prffailedloginattempts FROM pg_catalog.pg_yb_profile ORDER BY OI (2 rows) -- Fail because it is a duplicate name -CREATE PROFILE test_profile FAILED ATTEMPTS 4; +CREATE PROFILE test_profile LIMIT FAILED_LOGIN_ATTEMPTS 4; ERROR: profile "test_profile" already exists -- -- DROP PROFILE @@ -72,7 +72,7 @@ ERROR: profile "test_profile" does not exist -- DROP PROFILE IF EXISTS non_existing; NOTICE: profile "non_existing" does not exist, skipping -CREATE PROFILE exists_profile FAILED ATTEMPTS 3; +CREATE PROFILE exists_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; DROP PROFILE IF EXISTS exists_profile; -- fail: cannot delete default profile DROP PROFILE "default"; diff --git a/src/postgres/src/test/regress/expected/yb_profile_permissions.out b/src/postgres/src/test/regress/expected/yb_profile_permissions.out index 1b719b8a517a..cab476b2b572 100644 --- a/src/postgres/src/test/regress/expected/yb_profile_permissions.out +++ b/src/postgres/src/test/regress/expected/yb_profile_permissions.out 
@@ -3,13 +3,13 @@ CREATE USER user_2 SUPERUSER; CREATE USER user_3; CREATE USER restricted_user; GRANT yb_db_admin TO user_3 WITH ADMIN OPTION; -CREATE PROFILE existing_profile FAILED ATTEMPTS 3; +CREATE PROFILE existing_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; \c yugabyte user_1 -- None of these commands should be allowed to a normal user -CREATE PROFILE test_profile FAILED ATTEMPTS 3; -ERROR: permission denied to create profile "test_profile" +CREATE PROFILE test_profile_1 LIMIT FAILED_LOGIN_ATTEMPTS 3; +ERROR: permission denied to create profile "test_profile_1" HINT: Must be superuser or a member of the yb_db_admin role to create a profile. -ALTER USER restricted_user PROFILE ATTACH test_profile; +ALTER USER restricted_user PROFILE ATTACH test_profile_1; ERROR: must be superuser or a member of the yb_db_admin role to change profile configuration ALTER USER restricted_user PROFILE DISABLE; ERROR: must be superuser or a member of the yb_db_admin role to change profile configuration 
@@ -17,29 +17,31 @@ ALTER USER restricted_user PROFILE ENABLE; ERROR: must be superuser or a member of the yb_db_admin role to change profile configuration ALTER USER restricted_user PROFILE DETACH; ERROR: must be superuser or a member of the yb_db_admin role to change profile configuration -DROP PROFILE test_profile; -ERROR: profile "test_profile" does not exist DROP PROFILE existing_profile; ERROR: permission denied to drop profile HINT: Must be superuser or a member of the yb_db_admin -- user_2 can execute these commands as it is a super user. \c yugabyte user_2 -CREATE PROFILE test_profile FAILED ATTEMPTS 3; -ALTER USER restricted_user PROFILE ATTACH test_profile; +CREATE PROFILE test_profile_2 LIMIT FAILED_LOGIN_ATTEMPTS 3; +ALTER USER restricted_user PROFILE ATTACH test_profile_2; ALTER USER restricted_user PROFILE DISABLE; ALTER USER restricted_user PROFILE ENABLE; ALTER USER restricted_user PROFILE DETACH; -DROP PROFILE test_profile; +DROP PROFILE test_profile_2; +DROP PROFILE existing_profile; +-- Recreate profile for next test +\c yugabyte yugabyte +CREATE PROFILE existing_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; -- user_3 can execute these commands as it is a yb_superuser. \c yugabyte user_3 -CREATE PROFILE test_profile FAILED ATTEMPTS 3; -ALTER USER restricted_user PROFILE ATTACH test_profile; +CREATE PROFILE test_profile_3 LIMIT FAILED_LOGIN_ATTEMPTS 3; +ALTER USER restricted_user PROFILE ATTACH test_profile_3; ALTER USER restricted_user PROFILE DISABLE; ALTER USER restricted_user PROFILE ENABLE; ALTER USER restricted_user PROFILE DETACH; -DROP PROFILE test_profile; -\c yugabyte yugabyte +DROP PROFILE test_profile_3; DROP PROFILE existing_profile; +\c yugabyte yugabyte DROP USER user_1; DROP USER user_2; DROP USER user_3; diff --git a/src/postgres/src/test/regress/expected/yb_role_inc_and_disable.out b/src/postgres/src/test/regress/expected/yb_role_inc_and_disable.out index ef9ab44b99a5..dc8c4e44baeb 100644 
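Review bot: The expected output still carries `ALTER USER restricted_user PROFILE DISABLE;` and `ALTER USER restricted_user PROFILE ENABLE;` as unchanged context for user_1, user_2 and user_3, while yb_profile_permissions.sql in this commit replaces them with `ACCOUNT LOCK` / `ACCOUNT UNLOCK` and gram.y drops the `PROFILE ENABLE_P` / `PROFILE DISABLE_P` rules. The regress comparison would therefore fail, and the expected file does not pin that lock/unlock is denied to an unprivileged role. Regenerate this file from the new .sql. yb_role_profile.out shows only its CREATE PROFILE line changed although its .sql makes the same replacement, so it probably needs the same treatment.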
--- a/src/postgres/src/test/regress/expected/yb_role_inc_and_disable.out +++ b/src/postgres/src/test/regress/expected/yb_role_inc_and_disable.out @@ -1,4 +1,4 @@ -CREATE PROFILE ind_profile FAILED ATTEMPTS 2; +CREATE PROFILE ind_profile LIMIT FAILED_LOGIN_ATTEMPTS 2; CREATE USER ind_user; SELECT prfname, prffailedloginattempts FROM pg_catalog.pg_yb_profile ORDER BY OID; prfname | prffailedloginattempts @@ -23,7 +23,7 @@ SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM (1 row) -- Simulate a failed attempt that increments the counter. -ALTER USER ind_user PROFILE ATTEMPTS FAILED; +ALTER USER ind_user PROFILE ADD FAILED_LOGIN_ATTEMPTS; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; @@ -33,7 +33,7 @@ SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM (1 row) -- Simulate one more failure. This failure is allowed and does not disable the role. -ALTER USER ind_user PROFILE ATTEMPTS FAILED; +ALTER USER ind_user PROFILE ADD FAILED_LOGIN_ATTEMPTS; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; @@ -43,7 +43,7 @@ SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM (1 row) -- Simulate one more failure. This attempt disables the role. -ALTER USER ind_user PROFILE ATTEMPTS FAILED; +ALTER USER ind_user PROFILE ADD FAILED_LOGIN_ATTEMPTS; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; diff --git a/src/postgres/src/test/regress/expected/yb_role_profile.out b/src/postgres/src/test/regress/expected/yb_role_profile.out index f671a6b7aaa2..5d9ec9a6acec 100644 
--- a/src/postgres/src/test/regress/expected/yb_role_profile.out +++ b/src/postgres/src/test/regress/expected/yb_role_profile.out @@ -33,7 +33,7 @@ SELECT oid, typname, typrelid FROM pg_type WHERE typname LIKE 'pg_yb_role_profil -- -- CREATE PROFILE -- -CREATE PROFILE test_profile FAILED ATTEMPTS 3; +CREATE PROFILE test_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; CREATE USER restricted_user; -- Can connect when no profiles are setup \c yugabyte restricted_user diff --git a/src/postgres/src/test/regress/sql/yb_profile.sql b/src/postgres/src/test/regress/sql/yb_profile.sql index 9be50e8e4859..893cd6d3dd23 100644 --- a/src/postgres/src/test/regress/sql/yb_profile.sql +++ b/src/postgres/src/test/regress/sql/yb_profile.sql @@ -17,13 +17,13 @@ SELECT pg_describe_object('pg_yb_profile'::regclass::oid, oid, 0) FROM pg_yb_pro -- SELECT oid, prfname, prffailedloginattempts FROM pg_catalog.pg_yb_profile ORDER BY oid; -CREATE PROFILE test_profile FAILED ATTEMPTS 3; +CREATE PROFILE test_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; SELECT prfname, prffailedloginattempts FROM pg_catalog.pg_yb_profile ORDER BY OID; -- Fail because it is a duplicate name -CREATE PROFILE test_profile FAILED ATTEMPTS 4; +CREATE PROFILE test_profile LIMIT FAILED_LOGIN_ATTEMPTS 4; -- -- DROP PROFILE @@ -40,7 +40,7 @@ DROP PROFILE test_profile; DROP PROFILE IF EXISTS non_existing; -CREATE PROFILE exists_profile FAILED ATTEMPTS 3; +CREATE PROFILE exists_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; DROP PROFILE IF EXISTS exists_profile; -- fail: cannot delete default profile diff --git a/src/postgres/src/test/regress/sql/yb_profile_permissions.sql b/src/postgres/src/test/regress/sql/yb_profile_permissions.sql index e53213980789..41f586b2bc51 100644 --- a/src/postgres/src/test/regress/sql/yb_profile_permissions.sql +++ b/src/postgres/src/test/regress/sql/yb_profile_permissions.sql 
@@ -5,40 +5,44 @@ CREATE USER restricted_user; GRANT yb_db_admin TO user_3 WITH ADMIN OPTION; -CREATE PROFILE existing_profile FAILED ATTEMPTS 3; +CREATE PROFILE existing_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; \c yugabyte user_1 -- None of these commands should be allowed to a normal user -CREATE PROFILE test_profile FAILED ATTEMPTS 3; -ALTER USER restricted_user PROFILE ATTACH test_profile; -ALTER USER restricted_user PROFILE DISABLE; -ALTER USER restricted_user PROFILE ENABLE; +CREATE PROFILE test_profile_1 LIMIT FAILED_LOGIN_ATTEMPTS 3; +ALTER USER restricted_user PROFILE ATTACH test_profile_1; +ALTER USER restricted_user ACCOUNT LOCK; +ALTER USER restricted_user ACCOUNT UNLOCK; ALTER USER restricted_user PROFILE DETACH; -DROP PROFILE test_profile; DROP PROFILE existing_profile; -- user_2 can execute these commands as it is a super user. \c yugabyte user_2 -CREATE PROFILE test_profile FAILED ATTEMPTS 3; -ALTER USER restricted_user PROFILE ATTACH test_profile; -ALTER USER restricted_user PROFILE DISABLE; -ALTER USER restricted_user PROFILE ENABLE; +CREATE PROFILE test_profile_2 LIMIT FAILED_LOGIN_ATTEMPTS 3; +ALTER USER restricted_user PROFILE ATTACH test_profile_2; +ALTER USER restricted_user ACCOUNT LOCK; +ALTER USER restricted_user ACCOUNT UNLOCK; ALTER USER restricted_user PROFILE DETACH; -DROP PROFILE test_profile; +DROP PROFILE test_profile_2; +DROP PROFILE existing_profile; + +-- Recreate profile for next test +\c yugabyte yugabyte +CREATE PROFILE existing_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; -- user_3 can execute these commands as it is a yb_superuser. 
\c yugabyte user_3 -CREATE PROFILE test_profile FAILED ATTEMPTS 3; -ALTER USER restricted_user PROFILE ATTACH test_profile; -ALTER USER restricted_user PROFILE DISABLE; -ALTER USER restricted_user PROFILE ENABLE; +CREATE PROFILE test_profile_3 LIMIT FAILED_LOGIN_ATTEMPTS 3; +ALTER USER restricted_user PROFILE ATTACH test_profile_3; +ALTER USER restricted_user ACCOUNT LOCK; +ALTER USER restricted_user ACCOUNT UNLOCK; ALTER USER restricted_user PROFILE DETACH; -DROP PROFILE test_profile; +DROP PROFILE test_profile_3; +DROP PROFILE existing_profile; \c yugabyte yugabyte -DROP PROFILE existing_profile; DROP USER user_1; DROP USER user_2; DROP USER user_3; diff --git a/src/postgres/src/test/regress/sql/yb_role_inc_and_disable.sql b/src/postgres/src/test/regress/sql/yb_role_inc_and_disable.sql index 00b2a0cce963..b59d984e8209 100644 --- a/src/postgres/src/test/regress/sql/yb_role_inc_and_disable.sql +++ b/src/postgres/src/test/regress/sql/yb_role_inc_and_disable.sql @@ -1,4 +1,4 @@ -CREATE PROFILE ind_profile FAILED ATTEMPTS 2; +CREATE PROFILE ind_profile LIMIT FAILED_LOGIN_ATTEMPTS 2; CREATE USER ind_user; SELECT prfname, prffailedloginattempts FROM pg_catalog.pg_yb_profile ORDER BY OID; 
@@ -11,25 +11,25 @@ SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; -- Simulate a failed attempt that increments the counter. -ALTER USER ind_user PROFILE ATTEMPTS FAILED; +ALTER USER ind_user PROFILE ADD FAILED_LOGIN_ATTEMPTS; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; -- Simulate one more failure. This failure is allowed and does not disable the role. -ALTER USER ind_user PROFILE ATTEMPTS FAILED; +ALTER USER ind_user PROFILE ADD FAILED_LOGIN_ATTEMPTS; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; -- Simulate one more failure. This attempt disables the role. -ALTER USER ind_user PROFILE ATTEMPTS FAILED; +ALTER USER ind_user PROFILE ADD FAILED_LOGIN_ATTEMPTS; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; -- Enable should reset the counter -ALTER USER ind_user PROFILE ENABLE; +ALTER USER ind_user ACCOUNT UNLOCK; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; diff --git a/src/postgres/src/test/regress/sql/yb_role_profile.sql b/src/postgres/src/test/regress/sql/yb_role_profile.sql index 17999087590e..7fa49afc388b 100644 --- a/src/postgres/src/test/regress/sql/yb_role_profile.sql +++ b/src/postgres/src/test/regress/sql/yb_role_profile.sql 
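Review bot: The comments around the renamed statements still use the old enable/disable wording. `-- Enable should reset the counter` now sits above `ALTER USER ind_user ACCOUNT UNLOCK;`, and the two "Simulate one more failure" comments speak of disabling the role. The catalog column is still `rolisenabled`, so the old terms are not wrong, but wording such as `-- Unlock should reset the counter` and `-- This attempt locks the role.` would match the keywords the script now exercises. The same applies to `-- fail: cannot enable/disable a role that is not attached` in the `@@ -59,8 +59,8 @@` hunk of yb_role_profile.sql.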
@@ -12,7 +12,7 @@ SELECT oid, typname, typrelid FROM pg_type WHERE typname LIKE 'pg_yb_role_profil -- -- CREATE PROFILE -- -CREATE PROFILE test_profile FAILED ATTEMPTS 3; +CREATE PROFILE test_profile LIMIT FAILED_LOGIN_ATTEMPTS 3; CREATE USER restricted_user; -- Can connect when no profiles are setup @@ -31,12 +31,12 @@ SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; -ALTER USER restricted_user PROFILE DISABLE; +ALTER USER restricted_user ACCOUNT LOCK; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; -ALTER USER restricted_user PROFILE ENABLE; +ALTER USER restricted_user ACCOUNT UNLOCK; SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM pg_catalog.pg_yb_role_profile rp JOIN pg_catalog.pg_roles rol ON rp.rolid = rol.oid JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; @@ -59,8 +59,8 @@ SELECT rolisenabled, rolfailedloginattempts, rolname, prfname FROM JOIN pg_catalog.pg_yb_profile lp ON rp.prfid = lp.oid; -- fail: cannot enable/disable a role that is not attached -ALTER USER restricted_user PROFILE ENABLE; -ALTER USER restricted_user PROFILE DISABLE; +ALTER USER restricted_user ACCOUNT UNLOCK; +ALTER USER restricted_user ACCOUNT LOCK; -- fail: Cannot attach to a non-existent profile ALTER USER restricted_user PROFILE ATTACH non_existent; diff --git a/src/postgres/src/test/regress/yb_profile_schedule b/src/postgres/src/test/regress/yb_profile_schedule index bc30da37dbf4..a3e1ce2996e2 100644 --- a/src/postgres/src/test/regress/yb_profile_schedule +++ b/src/postgres/src/test/regress/yb_profile_schedule 
@@ -10,6 +10,4 @@ test: yb_profile test: yb_role_profile test: yb_profile_permissions -test: yb_role_profile_disabled -test: yb_role_profile_disabled_cleanup test: yb_role_inc_and_disable