Line data Source code
1 : /*-------------------------------------------------------------------------
2 : *
3 : * schemacmds.c
4 : * schema creation/manipulation commands
5 : *
6 : * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 : * Portions Copyright (c) 1994, Regents of the University of California
8 : *
9 : *
10 : * IDENTIFICATION
11 : * src/backend/commands/schemacmds.c
12 : *
13 : *-------------------------------------------------------------------------
14 : */
15 : #include "postgres.h"
16 :
17 : #include "access/htup_details.h"
18 : #include "access/table.h"
19 : #include "access/xact.h"
20 : #include "catalog/catalog.h"
21 : #include "catalog/dependency.h"
22 : #include "catalog/indexing.h"
23 : #include "catalog/namespace.h"
24 : #include "catalog/objectaccess.h"
25 : #include "catalog/pg_authid.h"
26 : #include "catalog/pg_database.h"
27 : #include "catalog/pg_namespace.h"
28 : #include "commands/dbcommands.h"
29 : #include "commands/event_trigger.h"
30 : #include "commands/schemacmds.h"
31 : #include "miscadmin.h"
32 : #include "parser/parse_utilcmd.h"
33 : #include "parser/scansup.h"
34 : #include "tcop/utility.h"
35 : #include "utils/acl.h"
36 : #include "utils/builtins.h"
37 : #include "utils/rel.h"
38 : #include "utils/syscache.h"
39 :
40 : static void AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId);
41 :
42 : /*
43 : * CREATE SCHEMA
44 : *
45 : * Note: caller should pass in location information for the whole
46 : * CREATE SCHEMA statement, which in turn we pass down as the location
47 : * of the component commands. This comports with our general plan of
48 : * reporting location/len for the whole command even when executing
49 : * a subquery.
50 : */
51 : Oid
52 1070 : CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
53 : int stmt_location, int stmt_len)
54 : {
55 1070 : const char *schemaName = stmt->schemaname;
56 : Oid namespaceId;
57 : List *parsetree_list;
58 : ListCell *parsetree_item;
59 : Oid owner_uid;
60 : Oid saved_uid;
61 : int save_sec_context;
62 : int save_nestlevel;
63 1070 : char *nsp = namespace_search_path;
64 : AclResult aclresult;
65 : ObjectAddress address;
66 : StringInfoData pathbuf;
67 :
68 1070 : GetUserIdAndSecContext(&saved_uid, &save_sec_context);
69 :
70 : /*
71 : * Who is supposed to own the new schema?
72 : */
73 1070 : if (stmt->authrole)
74 176 : owner_uid = get_rolespec_oid(stmt->authrole, false);
75 : else
76 894 : owner_uid = saved_uid;
77 :
78 : /* fill schema name with the user name if not specified */
79 1058 : if (!schemaName)
80 : {
81 : HeapTuple tuple;
82 :
83 72 : tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(owner_uid));
84 72 : if (!HeapTupleIsValid(tuple))
85 0 : elog(ERROR, "cache lookup failed for role %u", owner_uid);
86 : schemaName =
87 72 : pstrdup(NameStr(((Form_pg_authid) GETSTRUCT(tuple))->rolname));
88 72 : ReleaseSysCache(tuple);
89 : }
90 :
91 : /*
92 : * To create a schema, must have schema-create privilege on the current
93 : * database and must be able to become the target role (this does not
94 : * imply that the target role itself must have create-schema privilege).
95 : * The latter provision guards against "giveaway" attacks. Note that a
96 : * superuser will always have both of these privileges a fortiori.
97 : */
98 1058 : aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, saved_uid, ACL_CREATE);
99 1058 : if (aclresult != ACLCHECK_OK)
100 0 : aclcheck_error(aclresult, OBJECT_DATABASE,
101 0 : get_database_name(MyDatabaseId));
102 :
103 1058 : check_can_set_role(saved_uid, owner_uid);
104 :
105 : /* Additional check to protect reserved schema names */
106 1052 : if (!allowSystemTableMods && IsReservedName(schemaName))
107 2 : ereport(ERROR,
108 : (errcode(ERRCODE_RESERVED_NAME),
109 : errmsg("unacceptable schema name \"%s\"", schemaName),
110 : errdetail("The prefix \"pg_\" is reserved for system schemas.")));
111 :
112 : /*
113 : * If if_not_exists was given and the schema already exists, bail out.
114 : * (Note: we needn't check this when not if_not_exists, because
115 : * NamespaceCreate will complain anyway.) We could do this before making
116 : * the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its
117 : * creation-permission check first, we do likewise.
118 : */
119 1050 : if (stmt->if_not_exists)
120 : {
121 34 : namespaceId = get_namespace_oid(schemaName, true);
122 34 : if (OidIsValid(namespaceId))
123 : {
124 : /*
125 : * If we are in an extension script, insist that the pre-existing
126 : * object be a member of the extension, to avoid security risks.
127 : */
128 24 : ObjectAddressSet(address, NamespaceRelationId, namespaceId);
129 24 : checkMembershipInCurrentExtension(&address);
130 :
131 : /* OK to skip */
132 22 : ereport(NOTICE,
133 : (errcode(ERRCODE_DUPLICATE_SCHEMA),
134 : errmsg("schema \"%s\" already exists, skipping",
135 : schemaName)));
136 22 : return InvalidOid;
137 : }
138 : }
139 :
140 : /*
141 : * If the requested authorization is different from the current user,
142 : * temporarily set the current user so that the object(s) will be created
143 : * with the correct ownership.
144 : *
145 : * (The setting will be restored at the end of this routine, or in case of
146 : * error, transaction abort will clean things up.)
147 : */
148 1026 : if (saved_uid != owner_uid)
149 70 : SetUserIdAndSecContext(owner_uid,
150 : save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
151 :
152 : /* Create the schema's namespace */
153 1026 : namespaceId = NamespaceCreate(schemaName, owner_uid, false);
154 :
155 : /* Advance cmd counter to make the namespace visible */
156 1020 : CommandCounterIncrement();
157 :
158 : /*
159 : * Prepend the new schema to the current search path.
160 : *
161 : * We use the equivalent of a function SET option to allow the setting to
162 : * persist for exactly the duration of the schema creation. guc.c also
163 : * takes care of undoing the setting on error.
164 : */
165 1020 : save_nestlevel = NewGUCNestLevel();
166 :
167 1020 : initStringInfo(&pathbuf);
168 1020 : appendStringInfoString(&pathbuf, quote_identifier(schemaName));
169 :
170 1026 : while (scanner_isspace(*nsp))
171 6 : nsp++;
172 :
173 1020 : if (*nsp != '\0')
174 970 : appendStringInfo(&pathbuf, ", %s", nsp);
175 :
176 1020 : (void) set_config_option("search_path", pathbuf.data,
177 : PGC_USERSET, PGC_S_SESSION,
178 : GUC_ACTION_SAVE, true, 0, false);
179 :
180 : /*
181 : * Report the new schema to possibly interested event triggers. Note we
182 : * must do this here and not in ProcessUtilitySlow because otherwise the
183 : * objects created below are reported before the schema, which would be
184 : * wrong.
185 : */
186 1020 : ObjectAddressSet(address, NamespaceRelationId, namespaceId);
187 1020 : EventTriggerCollectSimpleCommand(address, InvalidObjectAddress,
188 : (Node *) stmt);
189 :
190 : /*
191 : * Examine the list of commands embedded in the CREATE SCHEMA command, and
192 : * reorganize them into a sequentially executable order with no forward
193 : * references. Note that the result is still a list of raw parsetrees ---
194 : * we cannot, in general, run parse analysis on one statement until we
195 : * have actually executed the prior ones.
196 : */
197 1020 : parsetree_list = transformCreateSchemaStmtElements(stmt->schemaElts,
198 : schemaName);
199 :
200 : /*
201 : * Execute each command contained in the CREATE SCHEMA. Since the grammar
202 : * allows only utility commands in CREATE SCHEMA, there is no need to pass
203 : * them through parse_analyze_*() or the rewriter; we can just hand them
204 : * straight to ProcessUtility.
205 : */
206 1368 : foreach(parsetree_item, parsetree_list)
207 : {
208 450 : Node *stmt = (Node *) lfirst(parsetree_item);
209 : PlannedStmt *wrapper;
210 :
211 : /* need to make a wrapper PlannedStmt */
212 450 : wrapper = makeNode(PlannedStmt);
213 450 : wrapper->commandType = CMD_UTILITY;
214 450 : wrapper->canSetTag = false;
215 450 : wrapper->utilityStmt = stmt;
216 450 : wrapper->stmt_location = stmt_location;
217 450 : wrapper->stmt_len = stmt_len;
218 :
219 : /* do this step */
220 450 : ProcessUtility(wrapper,
221 : queryString,
222 : false,
223 : PROCESS_UTILITY_SUBCOMMAND,
224 : NULL,
225 : NULL,
226 : None_Receiver,
227 : NULL);
228 :
229 : /* make sure later steps can see the object created here */
230 438 : CommandCounterIncrement();
231 : }
232 :
233 : /*
234 : * Restore the GUC variable search_path we set above.
235 : */
236 918 : AtEOXact_GUC(true, save_nestlevel);
237 :
238 : /* Reset current user and security context */
239 918 : SetUserIdAndSecContext(saved_uid, save_sec_context);
240 :
241 918 : return namespaceId;
242 : }
243 :
244 :
245 : /*
246 : * Rename schema
247 : */
248 : ObjectAddress
249 20 : RenameSchema(const char *oldname, const char *newname)
250 : {
251 : Oid nspOid;
252 : HeapTuple tup;
253 : Relation rel;
254 : AclResult aclresult;
255 : ObjectAddress address;
256 : Form_pg_namespace nspform;
257 :
258 20 : rel = table_open(NamespaceRelationId, RowExclusiveLock);
259 :
260 20 : tup = SearchSysCacheCopy1(NAMESPACENAME, CStringGetDatum(oldname));
261 20 : if (!HeapTupleIsValid(tup))
262 0 : ereport(ERROR,
263 : (errcode(ERRCODE_UNDEFINED_SCHEMA),
264 : errmsg("schema \"%s\" does not exist", oldname)));
265 :
266 20 : nspform = (Form_pg_namespace) GETSTRUCT(tup);
267 20 : nspOid = nspform->oid;
268 :
269 : /* make sure the new name doesn't exist */
270 20 : if (OidIsValid(get_namespace_oid(newname, true)))
271 0 : ereport(ERROR,
272 : (errcode(ERRCODE_DUPLICATE_SCHEMA),
273 : errmsg("schema \"%s\" already exists", newname)));
274 :
275 : /* must be owner */
276 20 : if (!object_ownercheck(NamespaceRelationId, nspOid, GetUserId()))
277 0 : aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_SCHEMA,
278 : oldname);
279 :
280 : /* must have CREATE privilege on database */
281 20 : aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE);
282 20 : if (aclresult != ACLCHECK_OK)
283 0 : aclcheck_error(aclresult, OBJECT_DATABASE,
284 0 : get_database_name(MyDatabaseId));
285 :
286 20 : if (!allowSystemTableMods && IsReservedName(newname))
287 0 : ereport(ERROR,
288 : (errcode(ERRCODE_RESERVED_NAME),
289 : errmsg("unacceptable schema name \"%s\"", newname),
290 : errdetail("The prefix \"pg_\" is reserved for system schemas.")));
291 :
292 : /* rename */
293 20 : namestrcpy(&nspform->nspname, newname);
294 20 : CatalogTupleUpdate(rel, &tup->t_self, tup);
295 :
296 20 : InvokeObjectPostAlterHook(NamespaceRelationId, nspOid, 0);
297 :
298 20 : ObjectAddressSet(address, NamespaceRelationId, nspOid);
299 :
300 20 : table_close(rel, NoLock);
301 20 : heap_freetuple(tup);
302 :
303 20 : return address;
304 : }
305 :
306 : void
307 8 : AlterSchemaOwner_oid(Oid schemaoid, Oid newOwnerId)
308 : {
309 : HeapTuple tup;
310 : Relation rel;
311 :
312 8 : rel = table_open(NamespaceRelationId, RowExclusiveLock);
313 :
314 8 : tup = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(schemaoid));
315 8 : if (!HeapTupleIsValid(tup))
316 0 : elog(ERROR, "cache lookup failed for schema %u", schemaoid);
317 :
318 8 : AlterSchemaOwner_internal(tup, rel, newOwnerId);
319 :
320 8 : ReleaseSysCache(tup);
321 :
322 8 : table_close(rel, RowExclusiveLock);
323 8 : }
324 :
325 :
326 : /*
327 : * Change schema owner
328 : */
329 : ObjectAddress
330 78 : AlterSchemaOwner(const char *name, Oid newOwnerId)
331 : {
332 : Oid nspOid;
333 : HeapTuple tup;
334 : Relation rel;
335 : ObjectAddress address;
336 : Form_pg_namespace nspform;
337 :
338 78 : rel = table_open(NamespaceRelationId, RowExclusiveLock);
339 :
340 78 : tup = SearchSysCache1(NAMESPACENAME, CStringGetDatum(name));
341 78 : if (!HeapTupleIsValid(tup))
342 0 : ereport(ERROR,
343 : (errcode(ERRCODE_UNDEFINED_SCHEMA),
344 : errmsg("schema \"%s\" does not exist", name)));
345 :
346 78 : nspform = (Form_pg_namespace) GETSTRUCT(tup);
347 78 : nspOid = nspform->oid;
348 :
349 78 : AlterSchemaOwner_internal(tup, rel, newOwnerId);
350 :
351 78 : ObjectAddressSet(address, NamespaceRelationId, nspOid);
352 :
353 78 : ReleaseSysCache(tup);
354 :
355 78 : table_close(rel, RowExclusiveLock);
356 :
357 78 : return address;
358 : }
359 :
360 : static void
361 86 : AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
362 : {
363 : Form_pg_namespace nspForm;
364 :
365 : Assert(tup->t_tableOid == NamespaceRelationId);
366 : Assert(RelationGetRelid(rel) == NamespaceRelationId);
367 :
368 86 : nspForm = (Form_pg_namespace) GETSTRUCT(tup);
369 :
370 : /*
371 : * If the new owner is the same as the existing owner, consider the
372 : * command to have succeeded. This is for dump restoration purposes.
373 : */
374 86 : if (nspForm->nspowner != newOwnerId)
375 : {
376 : Datum repl_val[Natts_pg_namespace];
377 : bool repl_null[Natts_pg_namespace];
378 : bool repl_repl[Natts_pg_namespace];
379 : Acl *newAcl;
380 : Datum aclDatum;
381 : bool isNull;
382 : HeapTuple newtuple;
383 : AclResult aclresult;
384 :
385 : /* Otherwise, must be owner of the existing object */
386 42 : if (!object_ownercheck(NamespaceRelationId, nspForm->oid, GetUserId()))
387 0 : aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_SCHEMA,
388 0 : NameStr(nspForm->nspname));
389 :
390 : /* Must be able to become new owner */
391 42 : check_can_set_role(GetUserId(), newOwnerId);
392 :
393 : /*
394 : * must have create-schema rights
395 : *
396 : * NOTE: This is different from other alter-owner checks in that the
397 : * current user is checked for create privileges instead of the
398 : * destination owner. This is consistent with the CREATE case for
399 : * schemas. Because superusers will always have this right, we need
400 : * no special case for them.
401 : */
402 42 : aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(),
403 : ACL_CREATE);
404 42 : if (aclresult != ACLCHECK_OK)
405 0 : aclcheck_error(aclresult, OBJECT_DATABASE,
406 0 : get_database_name(MyDatabaseId));
407 :
408 42 : memset(repl_null, false, sizeof(repl_null));
409 42 : memset(repl_repl, false, sizeof(repl_repl));
410 :
411 42 : repl_repl[Anum_pg_namespace_nspowner - 1] = true;
412 42 : repl_val[Anum_pg_namespace_nspowner - 1] = ObjectIdGetDatum(newOwnerId);
413 :
414 : /*
415 : * Determine the modified ACL for the new owner. This is only
416 : * necessary when the ACL is non-null.
417 : */
418 42 : aclDatum = SysCacheGetAttr(NAMESPACENAME, tup,
419 : Anum_pg_namespace_nspacl,
420 : &isNull);
421 42 : if (!isNull)
422 : {
423 4 : newAcl = aclnewowner(DatumGetAclP(aclDatum),
424 : nspForm->nspowner, newOwnerId);
425 4 : repl_repl[Anum_pg_namespace_nspacl - 1] = true;
426 4 : repl_val[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(newAcl);
427 : }
428 :
429 42 : newtuple = heap_modify_tuple(tup, RelationGetDescr(rel), repl_val, repl_null, repl_repl);
430 :
431 42 : CatalogTupleUpdate(rel, &newtuple->t_self, newtuple);
432 :
433 42 : heap_freetuple(newtuple);
434 :
435 : /* Update owner dependency reference */
436 42 : changeDependencyOnOwner(NamespaceRelationId, nspForm->oid,
437 : newOwnerId);
438 : }
439 :
440 86 : InvokeObjectPostAlterHook(NamespaceRelationId,
441 : nspForm->oid, 0);
442 86 : }
|
