Line data Source code
1 : /*-------------------------------------------------------------------------
2 : *
3 : * user.c
4 : * Commands for manipulating roles (formerly called users).
5 : *
6 : * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 : * Portions Copyright (c) 1994, Regents of the University of California
8 : *
9 : * src/backend/commands/user.c
10 : *
11 : *-------------------------------------------------------------------------
12 : */
13 : #include "postgres.h"
14 :
15 : #include "access/genam.h"
16 : #include "access/htup_details.h"
17 : #include "access/table.h"
18 : #include "access/xact.h"
19 : #include "catalog/binary_upgrade.h"
20 : #include "catalog/catalog.h"
21 : #include "catalog/dependency.h"
22 : #include "catalog/indexing.h"
23 : #include "catalog/objectaccess.h"
24 : #include "catalog/pg_auth_members.h"
25 : #include "catalog/pg_authid.h"
26 : #include "catalog/pg_database.h"
27 : #include "catalog/pg_db_role_setting.h"
28 : #include "commands/comment.h"
29 : #include "commands/dbcommands.h"
30 : #include "commands/defrem.h"
31 : #include "commands/seclabel.h"
32 : #include "commands/user.h"
33 : #include "lib/qunique.h"
34 : #include "libpq/crypt.h"
35 : #include "miscadmin.h"
36 : #include "storage/lmgr.h"
37 : #include "utils/acl.h"
38 : #include "utils/builtins.h"
39 : #include "utils/catcache.h"
40 : #include "utils/fmgroids.h"
41 : #include "utils/syscache.h"
42 : #include "utils/varlena.h"
43 :
44 : /*
45 : * Removing a role grant - or the admin option on it - might recurse to
46 : * dependent grants. We use these values to reason about what would need to
47 : * be done in such cases.
48 : *
49 : * RRG_NOOP indicates a grant that would not need to be altered by the
50 : * operation.
51 : *
52 : * RRG_REMOVE_ADMIN_OPTION indicates a grant that would need to have
53 : * admin_option set to false by the operation.
54 : *
55 : * Similarly, RRG_REMOVE_INHERIT_OPTION and RRG_REMOVE_SET_OPTION indicate
56 : * grants that would need to have the corresponding options set to false.
57 : *
58 : * RRG_DELETE_GRANT indicates a grant that would need to be removed entirely
59 : * by the operation.
60 : */
61 : typedef enum
62 : {
63 : RRG_NOOP,
64 : RRG_REMOVE_ADMIN_OPTION,
65 : RRG_REMOVE_INHERIT_OPTION,
66 : RRG_REMOVE_SET_OPTION,
67 : RRG_DELETE_GRANT,
68 : } RevokeRoleGrantAction;
69 :
70 : /* Potentially set by pg_upgrade_support functions */
71 : Oid binary_upgrade_next_pg_authid_oid = InvalidOid;
72 :
73 : typedef struct
74 : {
75 : unsigned specified;
76 : bool admin;
77 : bool inherit;
78 : bool set;
79 : } GrantRoleOptions;
80 :
81 : #define GRANT_ROLE_SPECIFIED_ADMIN 0x0001
82 : #define GRANT_ROLE_SPECIFIED_INHERIT 0x0002
83 : #define GRANT_ROLE_SPECIFIED_SET 0x0004
84 :
85 : /* GUC parameters */
86 : int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
87 : char *createrole_self_grant = "";
88 : static bool createrole_self_grant_enabled = false;
89 : static GrantRoleOptions createrole_self_grant_options;
90 :
91 : /* Hook to check passwords in CreateRole() and AlterRole() */
92 : check_password_hook_type check_password_hook = NULL;
93 :
94 : static void AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
95 : List *memberSpecs, List *memberIds,
96 : Oid grantorId, GrantRoleOptions *popt);
97 : static void DelRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
98 : List *memberSpecs, List *memberIds,
99 : Oid grantorId, GrantRoleOptions *popt,
100 : DropBehavior behavior);
101 : static void check_role_membership_authorization(Oid currentUserId, Oid roleid,
102 : bool is_grant);
103 : static Oid check_role_grantor(Oid currentUserId, Oid roleid, Oid grantorId,
104 : bool is_grant);
105 : static RevokeRoleGrantAction *initialize_revoke_actions(CatCList *memlist);
106 : static bool plan_single_revoke(CatCList *memlist,
107 : RevokeRoleGrantAction *actions,
108 : Oid member, Oid grantor,
109 : GrantRoleOptions *popt,
110 : DropBehavior behavior);
111 : static void plan_member_revoke(CatCList *memlist,
112 : RevokeRoleGrantAction *actions, Oid member);
113 : static void plan_recursive_revoke(CatCList *memlist,
114 : RevokeRoleGrantAction *actions,
115 : int index,
116 : bool revoke_admin_option_only,
117 : DropBehavior behavior);
118 : static void InitGrantRoleOptions(GrantRoleOptions *popt);
119 :
120 :
121 : /* Check if current user has createrole privileges */
122 : static bool
123 2204 : have_createrole_privilege(void)
124 : {
125 2204 : return has_createrole_privilege(GetUserId());
126 : }
127 :
128 :
129 : /*
130 : * CREATE ROLE
131 : */
132 : Oid
133 1844 : CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
134 : {
135 : Relation pg_authid_rel;
136 : TupleDesc pg_authid_dsc;
137 : HeapTuple tuple;
138 1844 : Datum new_record[Natts_pg_authid] = {0};
139 1844 : bool new_record_nulls[Natts_pg_authid] = {0};
140 1844 : Oid currentUserId = GetUserId();
141 : Oid roleid;
142 : ListCell *item;
143 : ListCell *option;
144 1844 : char *password = NULL; /* user password */
145 1844 : bool issuper = false; /* Make the user a superuser? */
146 1844 : bool inherit = true; /* Auto inherit privileges? */
147 1844 : bool createrole = false; /* Can this user create roles? */
148 1844 : bool createdb = false; /* Can the user create databases? */
149 1844 : bool canlogin = false; /* Can this user login? */
150 1844 : bool isreplication = false; /* Is this a replication role? */
151 1844 : bool bypassrls = false; /* Is this a row security enabled role? */
152 1844 : int connlimit = -1; /* maximum connections allowed */
153 1844 : List *addroleto = NIL; /* roles to make this a member of */
154 1844 : List *rolemembers = NIL; /* roles to be members of this role */
155 1844 : List *adminmembers = NIL; /* roles to be admins of this role */
156 1844 : char *validUntil = NULL; /* time the login is valid until */
157 : Datum validUntil_datum; /* same, as timestamptz Datum */
158 : bool validUntil_null;
159 1844 : DefElem *dpassword = NULL;
160 1844 : DefElem *dissuper = NULL;
161 1844 : DefElem *dinherit = NULL;
162 1844 : DefElem *dcreaterole = NULL;
163 1844 : DefElem *dcreatedb = NULL;
164 1844 : DefElem *dcanlogin = NULL;
165 1844 : DefElem *disreplication = NULL;
166 1844 : DefElem *dconnlimit = NULL;
167 1844 : DefElem *daddroleto = NULL;
168 1844 : DefElem *drolemembers = NULL;
169 1844 : DefElem *dadminmembers = NULL;
170 1844 : DefElem *dvalidUntil = NULL;
171 1844 : DefElem *dbypassRLS = NULL;
172 : GrantRoleOptions popt;
173 :
174 : /* The defaults can vary depending on the original statement type */
175 1844 : switch (stmt->stmt_type)
176 : {
177 1364 : case ROLESTMT_ROLE:
178 1364 : break;
179 456 : case ROLESTMT_USER:
180 456 : canlogin = true;
181 : /* may eventually want inherit to default to false here */
182 456 : break;
183 24 : case ROLESTMT_GROUP:
184 24 : break;
185 : }
186 :
187 : /* Extract options from the statement node tree */
188 3026 : foreach(option, stmt->options)
189 : {
190 1182 : DefElem *defel = (DefElem *) lfirst(option);
191 :
192 1182 : if (strcmp(defel->defname, "password") == 0)
193 : {
194 122 : if (dpassword)
195 0 : errorConflictingDefElem(defel, pstate);
196 122 : dpassword = defel;
197 : }
198 1060 : else if (strcmp(defel->defname, "sysid") == 0)
199 : {
200 6 : ereport(NOTICE,
201 : (errmsg("SYSID can no longer be specified")));
202 : }
203 1054 : else if (strcmp(defel->defname, "superuser") == 0)
204 : {
205 194 : if (dissuper)
206 0 : errorConflictingDefElem(defel, pstate);
207 194 : dissuper = defel;
208 : }
209 860 : else if (strcmp(defel->defname, "inherit") == 0)
210 : {
211 64 : if (dinherit)
212 0 : errorConflictingDefElem(defel, pstate);
213 64 : dinherit = defel;
214 : }
215 796 : else if (strcmp(defel->defname, "createrole") == 0)
216 : {
217 90 : if (dcreaterole)
218 0 : errorConflictingDefElem(defel, pstate);
219 90 : dcreaterole = defel;
220 : }
221 706 : else if (strcmp(defel->defname, "createdb") == 0)
222 : {
223 70 : if (dcreatedb)
224 0 : errorConflictingDefElem(defel, pstate);
225 70 : dcreatedb = defel;
226 : }
227 636 : else if (strcmp(defel->defname, "canlogin") == 0)
228 : {
229 296 : if (dcanlogin)
230 0 : errorConflictingDefElem(defel, pstate);
231 296 : dcanlogin = defel;
232 : }
233 340 : else if (strcmp(defel->defname, "isreplication") == 0)
234 : {
235 92 : if (disreplication)
236 0 : errorConflictingDefElem(defel, pstate);
237 92 : disreplication = defel;
238 : }
239 248 : else if (strcmp(defel->defname, "connectionlimit") == 0)
240 : {
241 14 : if (dconnlimit)
242 0 : errorConflictingDefElem(defel, pstate);
243 14 : dconnlimit = defel;
244 : }
245 234 : else if (strcmp(defel->defname, "addroleto") == 0)
246 : {
247 100 : if (daddroleto)
248 0 : errorConflictingDefElem(defel, pstate);
249 100 : daddroleto = defel;
250 : }
251 134 : else if (strcmp(defel->defname, "rolemembers") == 0)
252 : {
253 28 : if (drolemembers)
254 0 : errorConflictingDefElem(defel, pstate);
255 28 : drolemembers = defel;
256 : }
257 106 : else if (strcmp(defel->defname, "adminmembers") == 0)
258 : {
259 22 : if (dadminmembers)
260 0 : errorConflictingDefElem(defel, pstate);
261 22 : dadminmembers = defel;
262 : }
263 84 : else if (strcmp(defel->defname, "validUntil") == 0)
264 : {
265 2 : if (dvalidUntil)
266 0 : errorConflictingDefElem(defel, pstate);
267 2 : dvalidUntil = defel;
268 : }
269 82 : else if (strcmp(defel->defname, "bypassrls") == 0)
270 : {
271 82 : if (dbypassRLS)
272 0 : errorConflictingDefElem(defel, pstate);
273 82 : dbypassRLS = defel;
274 : }
275 : else
276 0 : elog(ERROR, "option \"%s\" not recognized",
277 : defel->defname);
278 : }
279 :
280 1844 : if (dpassword && dpassword->arg)
281 110 : password = strVal(dpassword->arg);
282 1844 : if (dissuper)
283 194 : issuper = boolVal(dissuper->arg);
284 1844 : if (dinherit)
285 64 : inherit = boolVal(dinherit->arg);
286 1844 : if (dcreaterole)
287 90 : createrole = boolVal(dcreaterole->arg);
288 1844 : if (dcreatedb)
289 70 : createdb = boolVal(dcreatedb->arg);
290 1844 : if (dcanlogin)
291 296 : canlogin = boolVal(dcanlogin->arg);
292 1844 : if (disreplication)
293 92 : isreplication = boolVal(disreplication->arg);
294 1844 : if (dconnlimit)
295 : {
296 14 : connlimit = intVal(dconnlimit->arg);
297 14 : if (connlimit < -1)
298 0 : ereport(ERROR,
299 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
300 : errmsg("invalid connection limit: %d", connlimit)));
301 : }
302 1844 : if (daddroleto)
303 100 : addroleto = (List *) daddroleto->arg;
304 1844 : if (drolemembers)
305 28 : rolemembers = (List *) drolemembers->arg;
306 1844 : if (dadminmembers)
307 22 : adminmembers = (List *) dadminmembers->arg;
308 1844 : if (dvalidUntil)
309 2 : validUntil = strVal(dvalidUntil->arg);
310 1844 : if (dbypassRLS)
311 82 : bypassrls = boolVal(dbypassRLS->arg);
312 :
313 : /* Check some permissions first */
314 1844 : if (!superuser_arg(currentUserId))
315 : {
316 222 : if (!has_createrole_privilege(currentUserId))
317 0 : ereport(ERROR,
318 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
319 : errmsg("permission denied to create role"),
320 : errdetail("Only roles with the %s attribute may create roles.",
321 : "CREATEROLE")));
322 222 : if (issuper)
323 6 : ereport(ERROR,
324 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
325 : errmsg("permission denied to create role"),
326 : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
327 : "SUPERUSER", "SUPERUSER")));
328 216 : if (createdb && !have_createdb_privilege())
329 6 : ereport(ERROR,
330 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
331 : errmsg("permission denied to create role"),
332 : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
333 : "CREATEDB", "CREATEDB")));
334 210 : if (isreplication && !has_rolreplication(currentUserId))
335 12 : ereport(ERROR,
336 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
337 : errmsg("permission denied to create role"),
338 : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
339 : "REPLICATION", "REPLICATION")));
340 198 : if (bypassrls && !has_bypassrls_privilege(currentUserId))
341 6 : ereport(ERROR,
342 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
343 : errmsg("permission denied to create role"),
344 : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
345 : "BYPASSRLS", "BYPASSRLS")));
346 : }
347 :
348 : /*
349 : * Check that the user is not trying to create a role in the reserved
350 : * "pg_" namespace.
351 : */
352 1814 : if (IsReservedName(stmt->role))
353 8 : ereport(ERROR,
354 : (errcode(ERRCODE_RESERVED_NAME),
355 : errmsg("role name \"%s\" is reserved",
356 : stmt->role),
357 : errdetail("Role names starting with \"pg_\" are reserved.")));
358 :
359 : /*
360 : * If built with appropriate switch, whine when regression-testing
361 : * conventions for role names are violated.
362 : */
363 : #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
364 : if (strncmp(stmt->role, "regress_", 8) != 0)
365 : elog(WARNING, "roles created by regression test cases should have names starting with \"regress_\"");
366 : #endif
367 :
368 : /*
369 : * Check the pg_authid relation to be certain the role doesn't already
370 : * exist.
371 : */
372 1806 : pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
373 1806 : pg_authid_dsc = RelationGetDescr(pg_authid_rel);
374 :
375 1806 : if (OidIsValid(get_role_oid(stmt->role, true)))
376 6 : ereport(ERROR,
377 : (errcode(ERRCODE_DUPLICATE_OBJECT),
378 : errmsg("role \"%s\" already exists",
379 : stmt->role)));
380 :
381 : /* Convert validuntil to internal form */
382 1800 : if (validUntil)
383 : {
384 2 : validUntil_datum = DirectFunctionCall3(timestamptz_in,
385 : CStringGetDatum(validUntil),
386 : ObjectIdGetDatum(InvalidOid),
387 : Int32GetDatum(-1));
388 2 : validUntil_null = false;
389 : }
390 : else
391 : {
392 1798 : validUntil_datum = (Datum) 0;
393 1798 : validUntil_null = true;
394 : }
395 :
396 : /*
397 : * Call the password checking hook if there is one defined
398 : */
399 1800 : if (check_password_hook && password)
400 0 : (*check_password_hook) (stmt->role,
401 : password,
402 : get_password_type(password),
403 : validUntil_datum,
404 : validUntil_null);
405 :
406 : /*
407 : * Build a tuple to insert
408 : */
409 1800 : new_record[Anum_pg_authid_rolname - 1] =
410 1800 : DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
411 1800 : new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
412 1800 : new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
413 1800 : new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
414 1800 : new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
415 1800 : new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(canlogin);
416 1800 : new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(isreplication);
417 1800 : new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
418 :
419 1800 : if (password)
420 : {
421 : char *shadow_pass;
422 110 : const char *logdetail = NULL;
423 :
424 : /*
425 : * Don't allow an empty password. Libpq treats an empty password the
426 : * same as no password at all, and won't even try to authenticate. But
427 : * other clients might, so allowing it would be confusing. By clearing
428 : * the password when an empty string is specified, the account is
429 : * consistently locked for all clients.
430 : *
431 : * Note that this only covers passwords stored in the database itself.
432 : * There are also checks in the authentication code, to forbid an
433 : * empty password from being used with authentication methods that
434 : * fetch the password from an external system, like LDAP or PAM.
435 : */
436 214 : if (password[0] == '\0' ||
437 104 : plain_crypt_verify(stmt->role, password, "", &logdetail) == STATUS_OK)
438 : {
439 6 : ereport(NOTICE,
440 : (errmsg("empty string is not a valid password, clearing password")));
441 6 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
442 : }
443 : else
444 : {
445 : /* Encrypt the password to the requested format. */
446 104 : shadow_pass = encrypt_password(Password_encryption, stmt->role,
447 : password);
448 98 : new_record[Anum_pg_authid_rolpassword - 1] =
449 98 : CStringGetTextDatum(shadow_pass);
450 : }
451 : }
452 : else
453 1690 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
454 :
455 1794 : new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
456 1794 : new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
457 :
458 1794 : new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(bypassrls);
459 :
460 : /*
461 : * pg_largeobject_metadata contains pg_authid.oid's, so we use the
462 : * binary-upgrade override.
463 : */
464 1794 : if (IsBinaryUpgrade)
465 : {
466 0 : if (!OidIsValid(binary_upgrade_next_pg_authid_oid))
467 0 : ereport(ERROR,
468 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
469 : errmsg("pg_authid OID value not set when in binary upgrade mode")));
470 :
471 0 : roleid = binary_upgrade_next_pg_authid_oid;
472 0 : binary_upgrade_next_pg_authid_oid = InvalidOid;
473 : }
474 : else
475 : {
476 1794 : roleid = GetNewOidWithIndex(pg_authid_rel, AuthIdOidIndexId,
477 : Anum_pg_authid_oid);
478 : }
479 :
480 1794 : new_record[Anum_pg_authid_oid - 1] = ObjectIdGetDatum(roleid);
481 :
482 1794 : tuple = heap_form_tuple(pg_authid_dsc, new_record, new_record_nulls);
483 :
484 : /*
485 : * Insert new record in the pg_authid table
486 : */
487 1794 : CatalogTupleInsert(pg_authid_rel, tuple);
488 :
489 : /*
490 : * Advance command counter so we can see new record; else tests in
491 : * AddRoleMems may fail.
492 : */
493 1794 : CommandCounterIncrement();
494 :
495 : /* Default grant. */
496 1794 : InitGrantRoleOptions(&popt);
497 :
498 : /*
499 : * Add the new role to the specified existing roles.
500 : */
501 1794 : if (addroleto)
502 : {
503 100 : RoleSpec *thisrole = makeNode(RoleSpec);
504 100 : List *thisrole_list = list_make1(thisrole);
505 100 : List *thisrole_oidlist = list_make1_oid(roleid);
506 :
507 100 : thisrole->roletype = ROLESPEC_CSTRING;
508 100 : thisrole->rolename = stmt->role;
509 100 : thisrole->location = -1;
510 :
511 128 : foreach(item, addroleto)
512 : {
513 100 : RoleSpec *oldrole = lfirst(item);
514 100 : HeapTuple oldroletup = get_rolespec_tuple(oldrole);
515 100 : Form_pg_authid oldroleform = (Form_pg_authid) GETSTRUCT(oldroletup);
516 100 : Oid oldroleid = oldroleform->oid;
517 100 : char *oldrolename = NameStr(oldroleform->rolname);
518 :
519 : /* can only add this role to roles for which you have rights */
520 100 : check_role_membership_authorization(currentUserId, oldroleid, true);
521 28 : AddRoleMems(currentUserId, oldrolename, oldroleid,
522 : thisrole_list,
523 : thisrole_oidlist,
524 : InvalidOid, &popt);
525 :
526 28 : ReleaseSysCache(oldroletup);
527 : }
528 : }
529 :
530 : /*
531 : * If the current user isn't a superuser, make them an admin of the new
532 : * role so that they can administer the new object they just created.
533 : * Superusers will be able to do that anyway.
534 : *
535 : * The grantor of record for this implicit grant is the bootstrap
536 : * superuser, which means that the CREATEROLE user cannot revoke the
537 : * grant. They can however grant the created role back to themselves with
538 : * different options, since they enjoy ADMIN OPTION on it.
539 : */
540 1722 : if (!superuser())
541 : {
542 120 : RoleSpec *current_role = makeNode(RoleSpec);
543 : GrantRoleOptions poptself;
544 : List *memberSpecs;
545 120 : List *memberIds = list_make1_oid(currentUserId);
546 :
547 120 : current_role->roletype = ROLESPEC_CURRENT_ROLE;
548 120 : current_role->location = -1;
549 120 : memberSpecs = list_make1(current_role);
550 :
551 120 : poptself.specified = GRANT_ROLE_SPECIFIED_ADMIN
552 : | GRANT_ROLE_SPECIFIED_INHERIT
553 : | GRANT_ROLE_SPECIFIED_SET;
554 120 : poptself.admin = true;
555 120 : poptself.inherit = false;
556 120 : poptself.set = false;
557 :
558 120 : AddRoleMems(BOOTSTRAP_SUPERUSERID, stmt->role, roleid,
559 : memberSpecs, memberIds,
560 : BOOTSTRAP_SUPERUSERID, &poptself);
561 :
562 : /*
563 : * We must make the implicit grant visible to the code below, else the
564 : * additional grants will fail.
565 : */
566 120 : CommandCounterIncrement();
567 :
568 : /*
569 : * Because of the implicit grant above, a CREATEROLE user who creates
570 : * a role has the ability to grant that role back to themselves with
571 : * the INHERIT or SET options, if they wish to inherit the role's
572 : * privileges or be able to SET ROLE to it. The createrole_self_grant
573 : * GUC can be used to make this happen automatically. This has no
574 : * security implications since the same user is able to make the same
575 : * grant using an explicit GRANT statement; it's just convenient.
576 : */
577 120 : if (createrole_self_grant_enabled)
578 6 : AddRoleMems(currentUserId, stmt->role, roleid,
579 : memberSpecs, memberIds,
580 : currentUserId, &createrole_self_grant_options);
581 : }
582 :
583 : /*
584 : * Add the specified members to this new role. adminmembers get the admin
585 : * option, rolemembers don't.
586 : *
587 : * NB: No permissions check is required here. If you have enough rights to
588 : * create a role, you can add any members you like.
589 : */
590 1722 : AddRoleMems(currentUserId, stmt->role, roleid,
591 : rolemembers, roleSpecsToIds(rolemembers),
592 : InvalidOid, &popt);
593 1716 : popt.specified |= GRANT_ROLE_SPECIFIED_ADMIN;
594 1716 : popt.admin = true;
595 1716 : AddRoleMems(currentUserId, stmt->role, roleid,
596 : adminmembers, roleSpecsToIds(adminmembers),
597 : InvalidOid, &popt);
598 :
599 : /* Post creation hook for new role */
600 1710 : InvokeObjectPostCreateHook(AuthIdRelationId, roleid, 0);
601 :
602 : /*
603 : * Close pg_authid, but keep lock till commit.
604 : */
605 1710 : table_close(pg_authid_rel, NoLock);
606 :
607 1710 : return roleid;
608 : }
609 :
610 :
611 : /*
612 : * ALTER ROLE
613 : *
614 : * Note: the rolemembers option accepted here is intended to support the
615 : * backwards-compatible ALTER GROUP syntax. Although it will work to say
616 : * "ALTER ROLE role ROLE rolenames", we don't document it.
617 : */
618 : Oid
619 460 : AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
620 : {
621 460 : Datum new_record[Natts_pg_authid] = {0};
622 460 : bool new_record_nulls[Natts_pg_authid] = {0};
623 460 : bool new_record_repl[Natts_pg_authid] = {0};
624 : Relation pg_authid_rel;
625 : TupleDesc pg_authid_dsc;
626 : HeapTuple tuple,
627 : new_tuple;
628 : Form_pg_authid authform;
629 : ListCell *option;
630 : char *rolename;
631 460 : char *password = NULL; /* user password */
632 460 : int connlimit = -1; /* maximum connections allowed */
633 460 : char *validUntil = NULL; /* time the login is valid until */
634 : Datum validUntil_datum; /* same, as timestamptz Datum */
635 : bool validUntil_null;
636 460 : DefElem *dpassword = NULL;
637 460 : DefElem *dissuper = NULL;
638 460 : DefElem *dinherit = NULL;
639 460 : DefElem *dcreaterole = NULL;
640 460 : DefElem *dcreatedb = NULL;
641 460 : DefElem *dcanlogin = NULL;
642 460 : DefElem *disreplication = NULL;
643 460 : DefElem *dconnlimit = NULL;
644 460 : DefElem *drolemembers = NULL;
645 460 : DefElem *dvalidUntil = NULL;
646 460 : DefElem *dbypassRLS = NULL;
647 : Oid roleid;
648 460 : Oid currentUserId = GetUserId();
649 : GrantRoleOptions popt;
650 :
651 460 : check_rolespec_name(stmt->role,
652 460 : _("Cannot alter reserved roles."));
653 :
654 : /* Extract options from the statement node tree */
655 1160 : foreach(option, stmt->options)
656 : {
657 700 : DefElem *defel = (DefElem *) lfirst(option);
658 :
659 700 : if (strcmp(defel->defname, "password") == 0)
660 : {
661 96 : if (dpassword)
662 0 : errorConflictingDefElem(defel, pstate);
663 96 : dpassword = defel;
664 : }
665 604 : else if (strcmp(defel->defname, "superuser") == 0)
666 : {
667 98 : if (dissuper)
668 0 : errorConflictingDefElem(defel, pstate);
669 98 : dissuper = defel;
670 : }
671 506 : else if (strcmp(defel->defname, "inherit") == 0)
672 : {
673 66 : if (dinherit)
674 0 : errorConflictingDefElem(defel, pstate);
675 66 : dinherit = defel;
676 : }
677 440 : else if (strcmp(defel->defname, "createrole") == 0)
678 : {
679 48 : if (dcreaterole)
680 0 : errorConflictingDefElem(defel, pstate);
681 48 : dcreaterole = defel;
682 : }
683 392 : else if (strcmp(defel->defname, "createdb") == 0)
684 : {
685 66 : if (dcreatedb)
686 0 : errorConflictingDefElem(defel, pstate);
687 66 : dcreatedb = defel;
688 : }
689 326 : else if (strcmp(defel->defname, "canlogin") == 0)
690 : {
691 72 : if (dcanlogin)
692 0 : errorConflictingDefElem(defel, pstate);
693 72 : dcanlogin = defel;
694 : }
695 254 : else if (strcmp(defel->defname, "isreplication") == 0)
696 : {
697 134 : if (disreplication)
698 0 : errorConflictingDefElem(defel, pstate);
699 134 : disreplication = defel;
700 : }
701 120 : else if (strcmp(defel->defname, "connectionlimit") == 0)
702 : {
703 12 : if (dconnlimit)
704 0 : errorConflictingDefElem(defel, pstate);
705 12 : dconnlimit = defel;
706 : }
707 108 : else if (strcmp(defel->defname, "rolemembers") == 0 &&
708 42 : stmt->action != 0)
709 : {
710 42 : if (drolemembers)
711 0 : errorConflictingDefElem(defel, pstate);
712 42 : drolemembers = defel;
713 : }
714 66 : else if (strcmp(defel->defname, "validUntil") == 0)
715 : {
716 0 : if (dvalidUntil)
717 0 : errorConflictingDefElem(defel, pstate);
718 0 : dvalidUntil = defel;
719 : }
720 66 : else if (strcmp(defel->defname, "bypassrls") == 0)
721 : {
722 66 : if (dbypassRLS)
723 0 : errorConflictingDefElem(defel, pstate);
724 66 : dbypassRLS = defel;
725 : }
726 : else
727 0 : elog(ERROR, "option \"%s\" not recognized",
728 : defel->defname);
729 : }
730 :
731 460 : if (dpassword && dpassword->arg)
732 96 : password = strVal(dpassword->arg);
733 460 : if (dconnlimit)
734 : {
735 12 : connlimit = intVal(dconnlimit->arg);
736 12 : if (connlimit < -1)
737 0 : ereport(ERROR,
738 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
739 : errmsg("invalid connection limit: %d", connlimit)));
740 : }
741 460 : if (dvalidUntil)
742 0 : validUntil = strVal(dvalidUntil->arg);
743 :
744 : /*
745 : * Scan the pg_authid relation to be certain the user exists.
746 : */
747 460 : pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
748 460 : pg_authid_dsc = RelationGetDescr(pg_authid_rel);
749 :
750 460 : tuple = get_rolespec_tuple(stmt->role);
751 444 : authform = (Form_pg_authid) GETSTRUCT(tuple);
752 444 : rolename = pstrdup(NameStr(authform->rolname));
753 444 : roleid = authform->oid;
754 :
755 : /* To mess with a superuser in any way you gotta be superuser. */
756 444 : if (!superuser() && authform->rolsuper)
757 0 : ereport(ERROR,
758 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
759 : errmsg("permission denied to alter role"),
760 : errdetail("Only roles with the %s attribute may alter roles with the %s attribute.",
761 : "SUPERUSER", "SUPERUSER")));
762 444 : if (!superuser() && dissuper)
763 18 : ereport(ERROR,
764 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
765 : errmsg("permission denied to alter role"),
766 : errdetail("Only roles with the %s attribute may change the %s attribute.",
767 : "SUPERUSER", "SUPERUSER")));
768 :
769 : /*
770 : * Most changes to a role require that you both have CREATEROLE privileges
771 : * and also ADMIN OPTION on the role.
772 : */
773 426 : if (!have_createrole_privilege() ||
774 390 : !is_admin_of_role(GetUserId(), roleid))
775 : {
776 : /* things an unprivileged user certainly can't do */
777 42 : if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
778 36 : dvalidUntil || disreplication || dbypassRLS)
779 6 : ereport(ERROR,
780 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
781 : errmsg("permission denied to alter role"),
782 : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may alter this role.",
783 : "CREATEROLE", "ADMIN", rolename)));
784 :
785 : /* an unprivileged user can change their own password */
786 36 : if (dpassword && roleid != currentUserId)
787 6 : ereport(ERROR,
788 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
789 : errmsg("permission denied to alter role"),
790 : errdetail("To change another role's password, the current user must have the %s attribute and the %s option on the role.",
791 : "CREATEROLE", "ADMIN")));
792 : }
793 384 : else if (!superuser())
794 : {
795 : /*
796 : * Even if you have both CREATEROLE and ADMIN OPTION on a role, you
797 : * can only change the CREATEDB, REPLICATION, or BYPASSRLS attributes
798 : * if they are set for your own role (or you are the superuser).
799 : */
800 60 : if (dcreatedb && !have_createdb_privilege())
801 6 : ereport(ERROR,
802 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
803 : errmsg("permission denied to alter role"),
804 : errdetail("Only roles with the %s attribute may change the %s attribute.",
805 : "CREATEDB", "CREATEDB")));
806 54 : if (disreplication && !has_rolreplication(currentUserId))
807 6 : ereport(ERROR,
808 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
809 : errmsg("permission denied to alter role"),
810 : errdetail("Only roles with the %s attribute may change the %s attribute.",
811 : "REPLICATION", "REPLICATION")));
812 48 : if (dbypassRLS && !has_bypassrls_privilege(currentUserId))
813 6 : ereport(ERROR,
814 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
815 : errmsg("permission denied to alter role"),
816 : errdetail("Only roles with the %s attribute may change the %s attribute.",
817 : "BYPASSRLS", "BYPASSRLS")));
818 : }
819 :
820 : /* To add or drop members, you need ADMIN OPTION. */
821 396 : if (drolemembers && !is_admin_of_role(currentUserId, roleid))
822 12 : ereport(ERROR,
823 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
824 : errmsg("permission denied to alter role"),
825 : errdetail("Only roles with the %s option on role \"%s\" may add or drop members.",
826 : "ADMIN", rolename)));
827 :
828 : /* Convert validuntil to internal form */
829 384 : if (dvalidUntil)
830 : {
831 0 : validUntil_datum = DirectFunctionCall3(timestamptz_in,
832 : CStringGetDatum(validUntil),
833 : ObjectIdGetDatum(InvalidOid),
834 : Int32GetDatum(-1));
835 0 : validUntil_null = false;
836 : }
837 : else
838 : {
839 : /* fetch existing setting in case hook needs it */
840 384 : validUntil_datum = SysCacheGetAttr(AUTHNAME, tuple,
841 : Anum_pg_authid_rolvaliduntil,
842 : &validUntil_null);
843 : }
844 :
845 : /*
846 : * Call the password checking hook if there is one defined
847 : */
848 384 : if (check_password_hook && password)
849 14 : (*check_password_hook) (rolename,
850 : password,
851 : get_password_type(password),
852 : validUntil_datum,
853 : validUntil_null);
854 :
855 : /*
856 : * Build an updated tuple, perusing the information just obtained
857 : */
858 :
859 : /*
860 : * issuper/createrole/etc
861 : */
862 376 : if (dissuper)
863 : {
864 80 : bool should_be_super = boolVal(dissuper->arg);
865 :
866 80 : if (!should_be_super && roleid == BOOTSTRAP_SUPERUSERID)
867 0 : ereport(ERROR,
868 : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
869 : errmsg("permission denied to alter role"),
870 : errdetail("The bootstrap superuser must have the %s attribute.",
871 : "SUPERUSER")));
872 :
873 80 : new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(should_be_super);
874 80 : new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
875 : }
876 :
877 376 : if (dinherit)
878 : {
879 60 : new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(boolVal(dinherit->arg));
880 60 : new_record_repl[Anum_pg_authid_rolinherit - 1] = true;
881 : }
882 :
883 376 : if (dcreaterole)
884 : {
885 48 : new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(boolVal(dcreaterole->arg));
886 48 : new_record_repl[Anum_pg_authid_rolcreaterole - 1] = true;
887 : }
888 :
889 376 : if (dcreatedb)
890 : {
891 60 : new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(boolVal(dcreatedb->arg));
892 60 : new_record_repl[Anum_pg_authid_rolcreatedb - 1] = true;
893 : }
894 :
895 376 : if (dcanlogin)
896 : {
897 66 : new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(boolVal(dcanlogin->arg));
898 66 : new_record_repl[Anum_pg_authid_rolcanlogin - 1] = true;
899 : }
900 :
901 376 : if (disreplication)
902 : {
903 112 : new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(boolVal(disreplication->arg));
904 112 : new_record_repl[Anum_pg_authid_rolreplication - 1] = true;
905 : }
906 :
907 376 : if (dconnlimit)
908 : {
909 6 : new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
910 6 : new_record_repl[Anum_pg_authid_rolconnlimit - 1] = true;
911 : }
912 :
913 : /* password */
914 376 : if (password)
915 : {
916 : char *shadow_pass;
917 82 : const char *logdetail = NULL;
918 :
919 : /* Like in CREATE USER, don't allow an empty password. */
920 164 : if (password[0] == '\0' ||
921 82 : plain_crypt_verify(rolename, password, "", &logdetail) == STATUS_OK)
922 : {
923 12 : ereport(NOTICE,
924 : (errmsg("empty string is not a valid password, clearing password")));
925 12 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
926 : }
927 : else
928 : {
929 : /* Encrypt the password to the requested format. */
930 70 : shadow_pass = encrypt_password(Password_encryption, rolename,
931 : password);
932 64 : new_record[Anum_pg_authid_rolpassword - 1] =
933 64 : CStringGetTextDatum(shadow_pass);
934 : }
935 76 : new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
936 : }
937 :
938 : /* unset password */
939 370 : if (dpassword && dpassword->arg == NULL)
940 : {
941 0 : new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
942 0 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
943 : }
944 :
945 : /* valid until */
946 370 : new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
947 370 : new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
948 370 : new_record_repl[Anum_pg_authid_rolvaliduntil - 1] = true;
949 :
950 370 : if (dbypassRLS)
951 : {
952 60 : new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(boolVal(dbypassRLS->arg));
953 60 : new_record_repl[Anum_pg_authid_rolbypassrls - 1] = true;
954 : }
955 :
956 370 : new_tuple = heap_modify_tuple(tuple, pg_authid_dsc, new_record,
957 : new_record_nulls, new_record_repl);
958 370 : CatalogTupleUpdate(pg_authid_rel, &tuple->t_self, new_tuple);
959 :
960 370 : InvokeObjectPostAlterHook(AuthIdRelationId, roleid, 0);
961 :
962 370 : ReleaseSysCache(tuple);
963 370 : heap_freetuple(new_tuple);
964 :
965 370 : InitGrantRoleOptions(&popt);
966 :
967 : /*
968 : * Advance command counter so we can see new record; else tests in
969 : * AddRoleMems may fail.
970 : */
971 370 : if (drolemembers)
972 : {
973 30 : List *rolemembers = (List *) drolemembers->arg;
974 :
975 30 : CommandCounterIncrement();
976 :
977 30 : if (stmt->action == +1) /* add members to role */
978 18 : AddRoleMems(currentUserId, rolename, roleid,
979 : rolemembers, roleSpecsToIds(rolemembers),
980 : InvalidOid, &popt);
981 12 : else if (stmt->action == -1) /* drop members from role */
982 12 : DelRoleMems(currentUserId, rolename, roleid,
983 : rolemembers, roleSpecsToIds(rolemembers),
984 : InvalidOid, &popt, DROP_RESTRICT);
985 : }
986 :
987 : /*
988 : * Close pg_authid, but keep lock till commit.
989 : */
990 370 : table_close(pg_authid_rel, NoLock);
991 :
992 370 : return roleid;
993 : }
994 :
995 :
996 : /*
997 : * ALTER ROLE ... SET
998 : */
999 : Oid
1000 82 : AlterRoleSet(AlterRoleSetStmt *stmt)
1001 : {
1002 : HeapTuple roletuple;
1003 : Form_pg_authid roleform;
1004 82 : Oid databaseid = InvalidOid;
1005 82 : Oid roleid = InvalidOid;
1006 :
1007 82 : if (stmt->role)
1008 : {
1009 74 : check_rolespec_name(stmt->role,
1010 74 : _("Cannot alter reserved roles."));
1011 :
1012 74 : roletuple = get_rolespec_tuple(stmt->role);
1013 66 : roleform = (Form_pg_authid) GETSTRUCT(roletuple);
1014 66 : roleid = roleform->oid;
1015 :
1016 : /*
1017 : * Obtain a lock on the role and make sure it didn't go away in the
1018 : * meantime.
1019 : */
1020 66 : shdepLockAndCheckObject(AuthIdRelationId, roleid);
1021 :
1022 : /*
1023 : * To mess with a superuser you gotta be superuser; otherwise you need
1024 : * CREATEROLE plus admin option on the target role; unless you're just
1025 : * trying to change your own settings
1026 : */
1027 66 : if (roleform->rolsuper)
1028 : {
1029 30 : if (!superuser())
1030 0 : ereport(ERROR,
1031 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1032 : errmsg("permission denied to alter role"),
1033 : errdetail("Only roles with the %s attribute may alter roles with the %s attribute.",
1034 : "SUPERUSER", "SUPERUSER")));
1035 : }
1036 : else
1037 : {
1038 36 : if ((!have_createrole_privilege() ||
1039 26 : !is_admin_of_role(GetUserId(), roleid))
1040 10 : && roleid != GetUserId())
1041 0 : ereport(ERROR,
1042 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1043 : errmsg("permission denied to alter role"),
1044 : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may alter this role.",
1045 : "CREATEROLE", "ADMIN", NameStr(roleform->rolname))));
1046 : }
1047 :
1048 66 : ReleaseSysCache(roletuple);
1049 : }
1050 :
1051 : /* look up and lock the database, if specified */
1052 74 : if (stmt->database != NULL)
1053 : {
1054 0 : databaseid = get_database_oid(stmt->database, false);
1055 0 : shdepLockAndCheckObject(DatabaseRelationId, databaseid);
1056 :
1057 0 : if (!stmt->role)
1058 : {
1059 : /*
1060 : * If no role is specified, then this is effectively the same as
1061 : * ALTER DATABASE ... SET, so use the same permission check.
1062 : */
1063 0 : if (!object_ownercheck(DatabaseRelationId, databaseid, GetUserId()))
1064 0 : aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_DATABASE,
1065 0 : stmt->database);
1066 : }
1067 : }
1068 :
1069 74 : if (!stmt->role && !stmt->database)
1070 : {
1071 : /* Must be superuser to alter settings globally. */
1072 8 : if (!superuser())
1073 0 : ereport(ERROR,
1074 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1075 : errmsg("permission denied to alter setting"),
1076 : errdetail("Only roles with the %s attribute may alter settings globally.",
1077 : "SUPERUSER")));
1078 : }
1079 :
1080 74 : AlterSetting(databaseid, roleid, stmt->setstmt);
1081 :
1082 72 : return roleid;
1083 : }
1084 :
1085 :
1086 : /*
1087 : * DROP ROLE
1088 : */
1089 : void
1090 1718 : DropRole(DropRoleStmt *stmt)
1091 : {
1092 : Relation pg_authid_rel,
1093 : pg_auth_members_rel;
1094 : ListCell *item;
1095 1718 : List *role_oids = NIL;
1096 :
1097 1718 : if (!have_createrole_privilege())
1098 0 : ereport(ERROR,
1099 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1100 : errmsg("permission denied to drop role"),
1101 : errdetail("Only roles with the %s attribute and the %s option on the target roles may drop roles.",
1102 : "CREATEROLE", "ADMIN")));
1103 :
1104 : /*
1105 : * Scan the pg_authid relation to find the Oid of the role(s) to be
1106 : * deleted and perform preliminary permissions and sanity checks.
1107 : */
1108 1718 : pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
1109 1718 : pg_auth_members_rel = table_open(AuthMemRelationId, RowExclusiveLock);
1110 :
1111 3438 : foreach(item, stmt->roles)
1112 : {
1113 1828 : RoleSpec *rolspec = lfirst(item);
1114 : char *role;
1115 : HeapTuple tuple,
1116 : tmp_tuple;
1117 : Form_pg_authid roleform;
1118 : ScanKeyData scankey;
1119 : SysScanDesc sscan;
1120 : Oid roleid;
1121 :
1122 1828 : if (rolspec->roletype != ROLESPEC_CSTRING)
1123 0 : ereport(ERROR,
1124 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1125 : errmsg("cannot use special role specifier in DROP ROLE")));
1126 1828 : role = rolspec->rolename;
1127 :
1128 1828 : tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
1129 1828 : if (!HeapTupleIsValid(tuple))
1130 : {
1131 300 : if (!stmt->missing_ok)
1132 : {
1133 90 : ereport(ERROR,
1134 : (errcode(ERRCODE_UNDEFINED_OBJECT),
1135 : errmsg("role \"%s\" does not exist", role)));
1136 : }
1137 : else
1138 : {
1139 210 : ereport(NOTICE,
1140 : (errmsg("role \"%s\" does not exist, skipping",
1141 : role)));
1142 : }
1143 :
1144 210 : continue;
1145 : }
1146 :
1147 1528 : roleform = (Form_pg_authid) GETSTRUCT(tuple);
1148 1528 : roleid = roleform->oid;
1149 :
1150 1528 : if (roleid == GetUserId())
1151 6 : ereport(ERROR,
1152 : (errcode(ERRCODE_OBJECT_IN_USE),
1153 : errmsg("current user cannot be dropped")));
1154 1522 : if (roleid == GetOuterUserId())
1155 0 : ereport(ERROR,
1156 : (errcode(ERRCODE_OBJECT_IN_USE),
1157 : errmsg("current user cannot be dropped")));
1158 1522 : if (roleid == GetSessionUserId())
1159 0 : ereport(ERROR,
1160 : (errcode(ERRCODE_OBJECT_IN_USE),
1161 : errmsg("session user cannot be dropped")));
1162 :
1163 : /*
1164 : * For safety's sake, we allow createrole holders to drop ordinary
1165 : * roles but not superuser roles, and only if they also have ADMIN
1166 : * OPTION.
1167 : */
1168 1522 : if (roleform->rolsuper && !superuser())
1169 6 : ereport(ERROR,
1170 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1171 : errmsg("permission denied to drop role"),
1172 : errdetail("Only roles with the %s attribute may drop roles with the %s attribute.",
1173 : "SUPERUSER", "SUPERUSER")));
1174 1516 : if (!is_admin_of_role(GetUserId(), roleid))
1175 6 : ereport(ERROR,
1176 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1177 : errmsg("permission denied to drop role"),
1178 : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.",
1179 : "CREATEROLE", "ADMIN", NameStr(roleform->rolname))));
1180 :
1181 : /* DROP hook for the role being removed */
1182 1510 : InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
1183 :
1184 : /* Don't leak the syscache tuple */
1185 1510 : ReleaseSysCache(tuple);
1186 :
1187 : /*
1188 : * Lock the role, so nobody can add dependencies to her while we drop
1189 : * her. We keep the lock until the end of transaction.
1190 : */
1191 1510 : LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock);
1192 :
1193 : /*
1194 : * If there is a pg_auth_members entry that has one of the roles to be
1195 : * dropped as the roleid or member, it should be silently removed, but
1196 : * if there is a pg_auth_members entry that has one of the roles to be
1197 : * dropped as the grantor, the operation should fail.
1198 : *
1199 : * It's possible, however, that a single pg_auth_members entry could
1200 : * fall into multiple categories - e.g. the user could do "GRANT foo
1201 : * TO bar GRANTED BY baz" and then "DROP ROLE baz, bar". We want such
1202 : * an operation to succeed regardless of the order in which the
1203 : * to-be-dropped roles are passed to DROP ROLE.
1204 : *
1205 : * To make that work, we remove all pg_auth_members entries that can
1206 : * be silently removed in this loop, and then below we'll make a
1207 : * second pass over the list of roles to be removed and check for any
1208 : * remaining dependencies.
1209 : */
1210 1510 : ScanKeyInit(&scankey,
1211 : Anum_pg_auth_members_roleid,
1212 : BTEqualStrategyNumber, F_OIDEQ,
1213 : ObjectIdGetDatum(roleid));
1214 :
1215 1510 : sscan = systable_beginscan(pg_auth_members_rel, AuthMemRoleMemIndexId,
1216 : true, NULL, 1, &scankey);
1217 :
1218 1758 : while (HeapTupleIsValid(tmp_tuple = systable_getnext(sscan)))
1219 : {
1220 : Form_pg_auth_members authmem_form;
1221 :
1222 248 : authmem_form = (Form_pg_auth_members) GETSTRUCT(tmp_tuple);
1223 248 : deleteSharedDependencyRecordsFor(AuthMemRelationId,
1224 : authmem_form->oid, 0);
1225 248 : CatalogTupleDelete(pg_auth_members_rel, &tmp_tuple->t_self);
1226 : }
1227 :
1228 1510 : systable_endscan(sscan);
1229 :
1230 1510 : ScanKeyInit(&scankey,
1231 : Anum_pg_auth_members_member,
1232 : BTEqualStrategyNumber, F_OIDEQ,
1233 : ObjectIdGetDatum(roleid));
1234 :
1235 1510 : sscan = systable_beginscan(pg_auth_members_rel, AuthMemMemRoleIndexId,
1236 : true, NULL, 1, &scankey);
1237 :
1238 1752 : while (HeapTupleIsValid(tmp_tuple = systable_getnext(sscan)))
1239 : {
1240 : Form_pg_auth_members authmem_form;
1241 :
1242 242 : authmem_form = (Form_pg_auth_members) GETSTRUCT(tmp_tuple);
1243 242 : deleteSharedDependencyRecordsFor(AuthMemRelationId,
1244 : authmem_form->oid, 0);
1245 242 : CatalogTupleDelete(pg_auth_members_rel, &tmp_tuple->t_self);
1246 : }
1247 :
1248 1510 : systable_endscan(sscan);
1249 :
1250 : /*
1251 : * Advance command counter so that later iterations of this loop will
1252 : * see the changes already made. This is essential if, for example,
1253 : * we are trying to drop both a role and one of its direct members ---
1254 : * we'll get an error if we try to delete the linking pg_auth_members
1255 : * tuple twice. (We do not need a CCI between the two delete loops
1256 : * above, because it's not allowed for a role to directly contain
1257 : * itself.)
1258 : */
1259 1510 : CommandCounterIncrement();
1260 :
1261 : /* Looks tentatively OK, add it to the list if not there yet. */
1262 1510 : role_oids = list_append_unique_oid(role_oids, roleid);
1263 : }
1264 :
1265 : /*
1266 : * Second pass over the roles to be removed.
1267 : */
1268 2990 : foreach(item, role_oids)
1269 : {
1270 1504 : Oid roleid = lfirst_oid(item);
1271 : HeapTuple tuple;
1272 : Form_pg_authid roleform;
1273 : char *detail;
1274 : char *detail_log;
1275 :
1276 : /*
1277 : * Re-find the pg_authid tuple.
1278 : *
1279 : * Since we've taken a lock on the role OID, it shouldn't be possible
1280 : * for the tuple to have been deleted -- or for that matter updated --
1281 : * unless the user is manually modifying the system catalogs.
1282 : */
1283 1504 : tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
1284 1504 : if (!HeapTupleIsValid(tuple))
1285 0 : elog(ERROR, "could not find tuple for role %u", roleid);
1286 1504 : roleform = (Form_pg_authid) GETSTRUCT(tuple);
1287 :
1288 : /*
1289 : * Check for pg_shdepend entries depending on this role.
1290 : *
1291 : * This needs to happen after we've completed removing any
1292 : * pg_auth_members entries that can be removed silently, in order to
1293 : * avoid spurious failures. See notes above for more details.
1294 : */
1295 1504 : if (checkSharedDependencies(AuthIdRelationId, roleid,
1296 : &detail, &detail_log))
1297 124 : ereport(ERROR,
1298 : (errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
1299 : errmsg("role \"%s\" cannot be dropped because some objects depend on it",
1300 : NameStr(roleform->rolname)),
1301 : errdetail_internal("%s", detail),
1302 : errdetail_log("%s", detail_log)));
1303 :
1304 : /*
1305 : * Remove the role from the pg_authid table
1306 : */
1307 1380 : CatalogTupleDelete(pg_authid_rel, &tuple->t_self);
1308 :
1309 1380 : ReleaseSysCache(tuple);
1310 :
1311 : /*
1312 : * Remove any comments or security labels on this role.
1313 : */
1314 1380 : DeleteSharedComments(roleid, AuthIdRelationId);
1315 1380 : DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
1316 :
1317 : /*
1318 : * Remove settings for this role.
1319 : */
1320 1380 : DropSetting(InvalidOid, roleid);
1321 : }
1322 :
1323 : /*
1324 : * Now we can clean up; but keep locks until commit.
1325 : */
1326 1486 : table_close(pg_auth_members_rel, NoLock);
1327 1486 : table_close(pg_authid_rel, NoLock);
1328 1486 : }
1329 :
1330 : /*
1331 : * Rename role
1332 : */
1333 : ObjectAddress
1334 30 : RenameRole(const char *oldname, const char *newname)
1335 : {
1336 : HeapTuple oldtuple,
1337 : newtuple;
1338 : TupleDesc dsc;
1339 : Relation rel;
1340 : Datum datum;
1341 : bool isnull;
1342 : Datum repl_val[Natts_pg_authid];
1343 : bool repl_null[Natts_pg_authid];
1344 : bool repl_repl[Natts_pg_authid];
1345 : int i;
1346 : Oid roleid;
1347 : ObjectAddress address;
1348 : Form_pg_authid authform;
1349 :
1350 30 : rel = table_open(AuthIdRelationId, RowExclusiveLock);
1351 30 : dsc = RelationGetDescr(rel);
1352 :
1353 30 : oldtuple = SearchSysCache1(AUTHNAME, CStringGetDatum(oldname));
1354 30 : if (!HeapTupleIsValid(oldtuple))
1355 0 : ereport(ERROR,
1356 : (errcode(ERRCODE_UNDEFINED_OBJECT),
1357 : errmsg("role \"%s\" does not exist", oldname)));
1358 :
1359 : /*
1360 : * XXX Client applications probably store the session user somewhere, so
1361 : * renaming it could cause confusion. On the other hand, there may not be
1362 : * an actual problem besides a little confusion, so think about this and
1363 : * decide. Same for SET ROLE ... we don't restrict renaming the current
1364 : * effective userid, though.
1365 : */
1366 :
1367 30 : authform = (Form_pg_authid) GETSTRUCT(oldtuple);
1368 30 : roleid = authform->oid;
1369 :
1370 30 : if (roleid == GetSessionUserId())
1371 0 : ereport(ERROR,
1372 : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1373 : errmsg("session user cannot be renamed")));
1374 30 : if (roleid == GetOuterUserId())
1375 0 : ereport(ERROR,
1376 : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1377 : errmsg("current user cannot be renamed")));
1378 :
1379 : /*
1380 : * Check that the user is not trying to rename a system role and not
1381 : * trying to rename a role into the reserved "pg_" namespace.
1382 : */
1383 30 : if (IsReservedName(NameStr(authform->rolname)))
1384 0 : ereport(ERROR,
1385 : (errcode(ERRCODE_RESERVED_NAME),
1386 : errmsg("role name \"%s\" is reserved",
1387 : NameStr(authform->rolname)),
1388 : errdetail("Role names starting with \"pg_\" are reserved.")));
1389 :
1390 30 : if (IsReservedName(newname))
1391 0 : ereport(ERROR,
1392 : (errcode(ERRCODE_RESERVED_NAME),
1393 : errmsg("role name \"%s\" is reserved",
1394 : newname),
1395 : errdetail("Role names starting with \"pg_\" are reserved.")));
1396 :
1397 : /*
1398 : * If built with appropriate switch, whine when regression-testing
1399 : * conventions for role names are violated.
1400 : */
1401 : #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
1402 : if (strncmp(newname, "regress_", 8) != 0)
1403 : elog(WARNING, "roles created by regression test cases should have names starting with \"regress_\"");
1404 : #endif
1405 :
1406 : /* make sure the new name doesn't exist */
1407 30 : if (SearchSysCacheExists1(AUTHNAME, CStringGetDatum(newname)))
1408 0 : ereport(ERROR,
1409 : (errcode(ERRCODE_DUPLICATE_OBJECT),
1410 : errmsg("role \"%s\" already exists", newname)));
1411 :
1412 : /*
1413 : * Only superusers can mess with superusers. Otherwise, a user with
1414 : * CREATEROLE can rename a role for which they have ADMIN OPTION.
1415 : */
1416 30 : if (authform->rolsuper)
1417 : {
1418 6 : if (!superuser())
1419 0 : ereport(ERROR,
1420 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1421 : errmsg("permission denied to rename role"),
1422 : errdetail("Only roles with the %s attribute may rename roles with the %s attribute.",
1423 : "SUPERUSER", "SUPERUSER")));
1424 : }
1425 : else
1426 : {
1427 24 : if (!have_createrole_privilege() ||
1428 24 : !is_admin_of_role(GetUserId(), roleid))
1429 6 : ereport(ERROR,
1430 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1431 : errmsg("permission denied to rename role"),
1432 : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may rename this role.",
1433 : "CREATEROLE", "ADMIN", NameStr(authform->rolname))));
1434 : }
1435 :
1436 : /* OK, construct the modified tuple */
1437 312 : for (i = 0; i < Natts_pg_authid; i++)
1438 288 : repl_repl[i] = false;
1439 :
1440 24 : repl_repl[Anum_pg_authid_rolname - 1] = true;
1441 24 : repl_val[Anum_pg_authid_rolname - 1] = DirectFunctionCall1(namein,
1442 : CStringGetDatum(newname));
1443 24 : repl_null[Anum_pg_authid_rolname - 1] = false;
1444 :
1445 24 : datum = heap_getattr(oldtuple, Anum_pg_authid_rolpassword, dsc, &isnull);
1446 :
1447 24 : if (!isnull && get_password_type(TextDatumGetCString(datum)) == PASSWORD_TYPE_MD5)
1448 : {
1449 : /* MD5 uses the username as salt, so just clear it on a rename */
1450 6 : repl_repl[Anum_pg_authid_rolpassword - 1] = true;
1451 6 : repl_null[Anum_pg_authid_rolpassword - 1] = true;
1452 :
1453 6 : ereport(NOTICE,
1454 : (errmsg("MD5 password cleared because of role rename")));
1455 : }
1456 :
1457 24 : newtuple = heap_modify_tuple(oldtuple, dsc, repl_val, repl_null, repl_repl);
1458 24 : CatalogTupleUpdate(rel, &oldtuple->t_self, newtuple);
1459 :
1460 24 : InvokeObjectPostAlterHook(AuthIdRelationId, roleid, 0);
1461 :
1462 24 : ObjectAddressSet(address, AuthIdRelationId, roleid);
1463 :
1464 24 : ReleaseSysCache(oldtuple);
1465 :
1466 : /*
1467 : * Close pg_authid, but keep lock till commit.
1468 : */
1469 24 : table_close(rel, NoLock);
1470 :
1471 24 : return address;
1472 : }
1473 :
1474 : /*
1475 : * GrantRoleStmt
1476 : *
1477 : * Grant/Revoke roles to/from roles
1478 : */
1479 : void
1480 930 : GrantRole(ParseState *pstate, GrantRoleStmt *stmt)
1481 : {
1482 : Relation pg_authid_rel;
1483 : Oid grantor;
1484 : List *grantee_ids;
1485 : ListCell *item;
1486 : GrantRoleOptions popt;
1487 930 : Oid currentUserId = GetUserId();
1488 :
1489 : /* Parse options list. */
1490 930 : InitGrantRoleOptions(&popt);
1491 1294 : foreach(item, stmt->opt)
1492 : {
1493 364 : DefElem *opt = (DefElem *) lfirst(item);
1494 364 : char *optval = defGetString(opt);
1495 :
1496 364 : if (strcmp(opt->defname, "admin") == 0)
1497 : {
1498 188 : popt.specified |= GRANT_ROLE_SPECIFIED_ADMIN;
1499 :
1500 188 : if (parse_bool(optval, &popt.admin))
1501 188 : continue;
1502 : }
1503 176 : else if (strcmp(opt->defname, "inherit") == 0)
1504 : {
1505 94 : popt.specified |= GRANT_ROLE_SPECIFIED_INHERIT;
1506 94 : if (parse_bool(optval, &popt.inherit))
1507 94 : continue;
1508 : }
1509 82 : else if (strcmp(opt->defname, "set") == 0)
1510 : {
1511 82 : popt.specified |= GRANT_ROLE_SPECIFIED_SET;
1512 82 : if (parse_bool(optval, &popt.set))
1513 82 : continue;
1514 : }
1515 : else
1516 0 : ereport(ERROR,
1517 : errcode(ERRCODE_SYNTAX_ERROR),
1518 : errmsg("unrecognized role option \"%s\"", opt->defname),
1519 : parser_errposition(pstate, opt->location));
1520 :
1521 0 : ereport(ERROR,
1522 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1523 : errmsg("unrecognized value for role option \"%s\": \"%s\"",
1524 : opt->defname, optval),
1525 : parser_errposition(pstate, opt->location)));
1526 : }
1527 :
1528 : /* Lookup OID of grantor, if specified. */
1529 930 : if (stmt->grantor)
1530 120 : grantor = get_rolespec_oid(stmt->grantor, false);
1531 : else
1532 810 : grantor = InvalidOid;
1533 :
1534 924 : grantee_ids = roleSpecsToIds(stmt->grantee_roles);
1535 :
1536 : /* AccessShareLock is enough since we aren't modifying pg_authid */
1537 924 : pg_authid_rel = table_open(AuthIdRelationId, AccessShareLock);
1538 :
1539 : /*
1540 : * Step through all of the granted roles and add, update, or remove
1541 : * entries in pg_auth_members as appropriate. If stmt->is_grant is true,
1542 : * we are adding new grants or, if they already exist, updating options on
1543 : * those grants. If stmt->is_grant is false, we are revoking grants or
1544 : * removing options from them.
1545 : */
1546 1730 : foreach(item, stmt->granted_roles)
1547 : {
1548 926 : AccessPriv *priv = (AccessPriv *) lfirst(item);
1549 926 : char *rolename = priv->priv_name;
1550 : Oid roleid;
1551 :
1552 : /* Must reject priv(columns) and ALL PRIVILEGES(columns) */
1553 926 : if (rolename == NULL || priv->cols != NIL)
1554 0 : ereport(ERROR,
1555 : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1556 : errmsg("column names cannot be included in GRANT/REVOKE ROLE")));
1557 :
1558 926 : roleid = get_role_oid(rolename, false);
1559 926 : check_role_membership_authorization(currentUserId,
1560 926 : roleid, stmt->is_grant);
1561 836 : if (stmt->is_grant)
1562 686 : AddRoleMems(currentUserId, rolename, roleid,
1563 : stmt->grantee_roles, grantee_ids,
1564 : grantor, &popt);
1565 : else
1566 150 : DelRoleMems(currentUserId, rolename, roleid,
1567 : stmt->grantee_roles, grantee_ids,
1568 : grantor, &popt, stmt->behavior);
1569 : }
1570 :
1571 : /*
1572 : * Close pg_authid, but keep lock till commit.
1573 : */
1574 804 : table_close(pg_authid_rel, NoLock);
1575 804 : }
1576 :
1577 : /*
1578 : * DropOwnedObjects
1579 : *
1580 : * Drop the objects owned by a given list of roles.
1581 : */
1582 : void
1583 154 : DropOwnedObjects(DropOwnedStmt *stmt)
1584 : {
1585 154 : List *role_ids = roleSpecsToIds(stmt->roles);
1586 : ListCell *cell;
1587 :
1588 : /* Check privileges */
1589 326 : foreach(cell, role_ids)
1590 : {
1591 184 : Oid roleid = lfirst_oid(cell);
1592 :
1593 184 : if (!has_privs_of_role(GetUserId(), roleid))
1594 12 : ereport(ERROR,
1595 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1596 : errmsg("permission denied to drop objects"),
1597 : errdetail("Only roles with privileges of role \"%s\" may drop objects owned by it.",
1598 : GetUserNameFromId(roleid, false))));
1599 : }
1600 :
1601 : /* Ok, do it */
1602 142 : shdepDropOwned(role_ids, stmt->behavior);
1603 136 : }
1604 :
1605 : /*
1606 : * ReassignOwnedObjects
1607 : *
1608 : * Give the objects owned by a given list of roles away to another user.
1609 : */
1610 : void
1611 52 : ReassignOwnedObjects(ReassignOwnedStmt *stmt)
1612 : {
1613 52 : List *role_ids = roleSpecsToIds(stmt->roles);
1614 : ListCell *cell;
1615 : Oid newrole;
1616 :
1617 : /* Check privileges */
1618 92 : foreach(cell, role_ids)
1619 : {
1620 52 : Oid roleid = lfirst_oid(cell);
1621 :
1622 52 : if (!has_privs_of_role(GetUserId(), roleid))
1623 12 : ereport(ERROR,
1624 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1625 : errmsg("permission denied to reassign objects"),
1626 : errdetail("Only roles with privileges of role \"%s\" may reassign objects owned by it.",
1627 : GetUserNameFromId(roleid, false))));
1628 : }
1629 :
1630 : /* Must have privileges on the receiving side too */
1631 40 : newrole = get_rolespec_oid(stmt->newrole, false);
1632 :
1633 40 : if (!has_privs_of_role(GetUserId(), newrole))
1634 6 : ereport(ERROR,
1635 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1636 : errmsg("permission denied to reassign objects"),
1637 : errdetail("Only roles with privileges of role \"%s\" may reassign objects to it.",
1638 : GetUserNameFromId(newrole, false))));
1639 :
1640 : /* Ok, do it */
1641 34 : shdepReassignOwned(role_ids, newrole);
1642 34 : }
1643 :
1644 : /*
1645 : * roleSpecsToIds
1646 : *
1647 : * Given a list of RoleSpecs, generate a list of role OIDs in the same order.
1648 : *
1649 : * ROLESPEC_PUBLIC is not allowed.
1650 : */
1651 : List *
1652 4628 : roleSpecsToIds(List *memberNames)
1653 : {
1654 4628 : List *result = NIL;
1655 : ListCell *l;
1656 :
1657 5956 : foreach(l, memberNames)
1658 : {
1659 1328 : RoleSpec *rolespec = lfirst_node(RoleSpec, l);
1660 : Oid roleid;
1661 :
1662 1328 : roleid = get_rolespec_oid(rolespec, false);
1663 1328 : result = lappend_oid(result, roleid);
1664 : }
1665 4628 : return result;
1666 : }
1667 :
1668 : /*
1669 : * AddRoleMems -- Add given members to the specified role
1670 : *
1671 : * currentUserId: OID of role performing the operation
1672 : * rolename: name of role to add to (used only for error messages)
1673 : * roleid: OID of role to add to
1674 : * memberSpecs: list of RoleSpec of roles to add (used only for error messages)
1675 : * memberIds: OIDs of roles to add
1676 : * grantorId: OID that should be recorded as having granted the membership
1677 : * (InvalidOid if not set explicitly)
1678 : * popt: information about grant options
1679 : */
1680 : static void
1681 4296 : AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
1682 : List *memberSpecs, List *memberIds,
1683 : Oid grantorId, GrantRoleOptions *popt)
1684 : {
1685 : Relation pg_authmem_rel;
1686 : TupleDesc pg_authmem_dsc;
1687 : ListCell *specitem;
1688 : ListCell *iditem;
1689 :
1690 : Assert(list_length(memberSpecs) == list_length(memberIds));
1691 :
1692 : /* Validate grantor (and resolve implicit grantor if not specified). */
1693 4296 : grantorId = check_role_grantor(currentUserId, roleid, grantorId, true);
1694 :
1695 4290 : pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
1696 4290 : pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
1697 :
1698 : /*
1699 : * Only allow changes to this role by one backend at a time, so that we
1700 : * can check integrity constraints like the lack of circular ADMIN OPTION
1701 : * grants without fear of race conditions.
1702 : */
1703 4290 : LockSharedObject(AuthIdRelationId, roleid, 0,
1704 : ShareUpdateExclusiveLock);
1705 :
1706 : /* Preliminary sanity checks. */
1707 5262 : forboth(specitem, memberSpecs, iditem, memberIds)
1708 : {
1709 990 : RoleSpec *memberRole = lfirst_node(RoleSpec, specitem);
1710 990 : Oid memberid = lfirst_oid(iditem);
1711 :
1712 : /*
1713 : * pg_database_owner is never a role member. Lifting this restriction
1714 : * would require a policy decision about membership loops. One could
1715 : * prevent loops, which would include making "ALTER DATABASE x OWNER
1716 : * TO proposed_datdba" fail if is_member_of_role(pg_database_owner,
1717 : * proposed_datdba). Hence, gaining a membership could reduce what a
1718 : * role could do. Alternately, one could allow these memberships to
1719 : * complete loops. A role could then have actual WITH ADMIN OPTION on
1720 : * itself, prompting a decision about is_admin_of_role() treatment of
1721 : * the case.
1722 : *
1723 : * Lifting this restriction also has policy implications for ownership
1724 : * of shared objects (databases and tablespaces). We allow such
1725 : * ownership, but we might find cause to ban it in the future.
1726 : * Designing such a ban would more troublesome if the design had to
1727 : * address pg_database_owner being a member of role FOO that owns a
1728 : * shared object. (The effect of such ownership is that any owner of
1729 : * another database can act as the owner of affected shared objects.)
1730 : */
1731 990 : if (memberid == ROLE_PG_DATABASE_OWNER)
1732 6 : ereport(ERROR,
1733 : errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1734 : errmsg("role \"%s\" cannot be a member of any role",
1735 : get_rolespec_name(memberRole)));
1736 :
1737 : /*
1738 : * Refuse creation of membership loops, including the trivial case
1739 : * where a role is made a member of itself. We do this by checking to
1740 : * see if the target role is already a member of the proposed member
1741 : * role. We have to ignore possible superuserness, however, else we
1742 : * could never grant membership in a superuser-privileged role.
1743 : */
1744 984 : if (is_member_of_role_nosuper(roleid, memberid))
1745 12 : ereport(ERROR,
1746 : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1747 : errmsg("role \"%s\" is a member of role \"%s\"",
1748 : rolename, get_rolespec_name(memberRole))));
1749 : }
1750 :
1751 : /*
1752 : * Disallow attempts to grant ADMIN OPTION back to a user who granted it
1753 : * to you, similar to what check_circularity does for ACLs. We want the
1754 : * chains of grants to remain acyclic, so that it's always possible to use
1755 : * REVOKE .. CASCADE to clean up all grants that depend on the one being
1756 : * revoked.
1757 : *
1758 : * NB: This check might look redundant with the check for membership loops
1759 : * above, but it isn't. That's checking for role-member loop (e.g. A is a
1760 : * member of B and B is a member of A) while this is checking for a
1761 : * member-grantor loop (e.g. A gave ADMIN OPTION on X to B and now B, who
1762 : * has no other source of ADMIN OPTION on X, tries to give ADMIN OPTION on
1763 : * X back to A).
1764 : */
1765 4272 : if (popt->admin && grantorId != BOOTSTRAP_SUPERUSERID)
1766 : {
1767 : CatCList *memlist;
1768 : RevokeRoleGrantAction *actions;
1769 : int i;
1770 :
1771 : /* Get the list of members for this role. */
1772 144 : memlist = SearchSysCacheList1(AUTHMEMROLEMEM,
1773 : ObjectIdGetDatum(roleid));
1774 :
1775 : /*
1776 : * Figure out what would happen if we removed all existing grants to
1777 : * every role to which we've been asked to make a new grant.
1778 : */
1779 144 : actions = initialize_revoke_actions(memlist);
1780 228 : foreach(iditem, memberIds)
1781 : {
1782 84 : Oid memberid = lfirst_oid(iditem);
1783 :
1784 84 : if (memberid == BOOTSTRAP_SUPERUSERID)
1785 0 : ereport(ERROR,
1786 : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1787 : errmsg("%s option cannot be granted back to your own grantor",
1788 : "ADMIN")));
1789 84 : plan_member_revoke(memlist, actions, memberid);
1790 : }
1791 :
1792 : /*
1793 : * If the result would be that the grantor role would no longer have
1794 : * the ability to perform the grant, then the proposed grant would
1795 : * create a circularity.
1796 : */
1797 174 : for (i = 0; i < memlist->n_members; ++i)
1798 : {
1799 : HeapTuple authmem_tuple;
1800 : Form_pg_auth_members authmem_form;
1801 :
1802 168 : authmem_tuple = &memlist->members[i]->tuple;
1803 168 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
1804 :
1805 168 : if (actions[i] == RRG_NOOP &&
1806 156 : authmem_form->member == grantorId &&
1807 138 : authmem_form->admin_option)
1808 138 : break;
1809 : }
1810 144 : if (i >= memlist->n_members)
1811 6 : ereport(ERROR,
1812 : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1813 : errmsg("%s option cannot be granted back to your own grantor",
1814 : "ADMIN")));
1815 :
1816 138 : ReleaseSysCacheList(memlist);
1817 : }
1818 :
1819 : /* Now perform the catalog updates. */
1820 5232 : forboth(specitem, memberSpecs, iditem, memberIds)
1821 : {
1822 966 : RoleSpec *memberRole = lfirst_node(RoleSpec, specitem);
1823 966 : Oid memberid = lfirst_oid(iditem);
1824 : HeapTuple authmem_tuple;
1825 : HeapTuple tuple;
1826 966 : Datum new_record[Natts_pg_auth_members] = {0};
1827 966 : bool new_record_nulls[Natts_pg_auth_members] = {0};
1828 966 : bool new_record_repl[Natts_pg_auth_members] = {0};
1829 :
1830 : /* Common initialization for possible insert or update */
1831 966 : new_record[Anum_pg_auth_members_roleid - 1] =
1832 966 : ObjectIdGetDatum(roleid);
1833 966 : new_record[Anum_pg_auth_members_member - 1] =
1834 966 : ObjectIdGetDatum(memberid);
1835 966 : new_record[Anum_pg_auth_members_grantor - 1] =
1836 966 : ObjectIdGetDatum(grantorId);
1837 :
1838 : /* Find any existing tuple */
1839 966 : authmem_tuple = SearchSysCache3(AUTHMEMROLEMEM,
1840 : ObjectIdGetDatum(roleid),
1841 : ObjectIdGetDatum(memberid),
1842 : ObjectIdGetDatum(grantorId));
1843 :
1844 : /*
1845 : * If we found a tuple, update it with new option values, unless there
1846 : * are no changes, in which case issue a WARNING.
1847 : *
1848 : * If we didn't find a tuple, just insert one.
1849 : */
1850 966 : if (HeapTupleIsValid(authmem_tuple))
1851 : {
1852 : Form_pg_auth_members authmem_form;
1853 34 : bool at_least_one_change = false;
1854 :
1855 34 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
1856 :
1857 34 : if ((popt->specified & GRANT_ROLE_SPECIFIED_ADMIN) != 0
1858 0 : && authmem_form->admin_option != popt->admin)
1859 : {
1860 0 : new_record[Anum_pg_auth_members_admin_option - 1] =
1861 0 : BoolGetDatum(popt->admin);
1862 0 : new_record_repl[Anum_pg_auth_members_admin_option - 1] =
1863 : true;
1864 0 : at_least_one_change = true;
1865 : }
1866 :
1867 34 : if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0
1868 16 : && authmem_form->inherit_option != popt->inherit)
1869 : {
1870 16 : new_record[Anum_pg_auth_members_inherit_option - 1] =
1871 16 : BoolGetDatum(popt->inherit);
1872 16 : new_record_repl[Anum_pg_auth_members_inherit_option - 1] =
1873 : true;
1874 16 : at_least_one_change = true;
1875 : }
1876 :
1877 34 : if ((popt->specified & GRANT_ROLE_SPECIFIED_SET) != 0
1878 10 : && authmem_form->set_option != popt->set)
1879 : {
1880 10 : new_record[Anum_pg_auth_members_set_option - 1] =
1881 10 : BoolGetDatum(popt->set);
1882 10 : new_record_repl[Anum_pg_auth_members_set_option - 1] =
1883 : true;
1884 10 : at_least_one_change = true;
1885 : }
1886 :
1887 34 : if (!at_least_one_change)
1888 : {
1889 18 : ereport(NOTICE,
1890 : (errmsg("role \"%s\" has already been granted membership in role \"%s\" by role \"%s\"",
1891 : get_rolespec_name(memberRole), rolename,
1892 : GetUserNameFromId(grantorId, false))));
1893 18 : ReleaseSysCache(authmem_tuple);
1894 18 : continue;
1895 : }
1896 :
1897 16 : tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
1898 : new_record,
1899 : new_record_nulls, new_record_repl);
1900 16 : CatalogTupleUpdate(pg_authmem_rel, &tuple->t_self, tuple);
1901 :
1902 16 : ReleaseSysCache(authmem_tuple);
1903 : }
1904 : else
1905 : {
1906 : Oid objectId;
1907 932 : Oid *newmembers = (Oid *) palloc(3 * sizeof(Oid));
1908 : int nnewmembers;
1909 :
1910 : /*
1911 : * The values for these options can be taken directly from 'popt'.
1912 : * Either they were specified, or the defaults as set by
1913 : * InitGrantRoleOptions are correct.
1914 : */
1915 932 : new_record[Anum_pg_auth_members_admin_option - 1] =
1916 932 : BoolGetDatum(popt->admin);
1917 932 : new_record[Anum_pg_auth_members_set_option - 1] =
1918 932 : BoolGetDatum(popt->set);
1919 :
1920 : /*
1921 : * If the user specified a value for the inherit option, use
1922 : * whatever was specified. Otherwise, set the default value based
1923 : * on the role-level property.
1924 : */
1925 932 : if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0)
1926 194 : new_record[Anum_pg_auth_members_inherit_option - 1] =
1927 194 : popt->inherit;
1928 : else
1929 : {
1930 : HeapTuple mrtup;
1931 : Form_pg_authid mrform;
1932 :
1933 738 : mrtup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(memberid));
1934 738 : if (!HeapTupleIsValid(mrtup))
1935 0 : elog(ERROR, "cache lookup failed for role %u", memberid);
1936 738 : mrform = (Form_pg_authid) GETSTRUCT(mrtup);
1937 738 : new_record[Anum_pg_auth_members_inherit_option - 1] =
1938 738 : mrform->rolinherit;
1939 738 : ReleaseSysCache(mrtup);
1940 : }
1941 :
1942 : /* get an OID for the new row and insert it */
1943 932 : objectId = GetNewOidWithIndex(pg_authmem_rel, AuthMemOidIndexId,
1944 : Anum_pg_auth_members_oid);
1945 932 : new_record[Anum_pg_auth_members_oid - 1] = objectId;
1946 932 : tuple = heap_form_tuple(pg_authmem_dsc,
1947 : new_record, new_record_nulls);
1948 932 : CatalogTupleInsert(pg_authmem_rel, tuple);
1949 :
1950 : /*
1951 : * Record dependencies on the roleid, member, and grantor, as if a
1952 : * pg_auth_members entry were an object ACL.
1953 : * updateAclDependencies() requires an input array that is
1954 : * palloc'd (it will free it), sorted, and de-duped.
1955 : */
1956 932 : newmembers[0] = roleid;
1957 932 : newmembers[1] = memberid;
1958 932 : newmembers[2] = grantorId;
1959 932 : qsort(newmembers, 3, sizeof(Oid), oid_cmp);
1960 932 : nnewmembers = qunique(newmembers, 3, sizeof(Oid), oid_cmp);
1961 :
1962 932 : updateAclDependencies(AuthMemRelationId, objectId,
1963 : 0, InvalidOid,
1964 : 0, NULL,
1965 : nnewmembers, newmembers);
1966 : }
1967 :
1968 : /* CCI after each change, in case there are duplicates in list */
1969 948 : CommandCounterIncrement();
1970 : }
1971 :
1972 : /*
1973 : * Close pg_authmem, but keep lock till commit.
1974 : */
1975 4266 : table_close(pg_authmem_rel, NoLock);
1976 4266 : }
1977 :
1978 : /*
1979 : * DelRoleMems -- Remove given members from the specified role
1980 : *
1981 : * rolename: name of role to del from (used only for error messages)
1982 : * roleid: OID of role to del from
1983 : * memberSpecs: list of RoleSpec of roles to del (used only for error messages)
1984 : * memberIds: OIDs of roles to del
1985 : * grantorId: who is revoking the membership
1986 : * popt: information about grant options
1987 : * behavior: RESTRICT or CASCADE behavior for recursive removal
1988 : */
1989 : static void
1990 162 : DelRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
1991 : List *memberSpecs, List *memberIds,
1992 : Oid grantorId, GrantRoleOptions *popt, DropBehavior behavior)
1993 : {
1994 : Relation pg_authmem_rel;
1995 : TupleDesc pg_authmem_dsc;
1996 : ListCell *specitem;
1997 : ListCell *iditem;
1998 : CatCList *memlist;
1999 : RevokeRoleGrantAction *actions;
2000 : int i;
2001 :
2002 : Assert(list_length(memberSpecs) == list_length(memberIds));
2003 :
2004 : /* Validate grantor (and resolve implicit grantor if not specified). */
2005 162 : grantorId = check_role_grantor(currentUserId, roleid, grantorId, false);
2006 :
2007 162 : pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
2008 162 : pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
2009 :
2010 : /*
2011 : * Only allow changes to this role by one backend at a time, so that we
2012 : * can check for things like dependent privileges without fear of race
2013 : * conditions.
2014 : */
2015 162 : LockSharedObject(AuthIdRelationId, roleid, 0,
2016 : ShareUpdateExclusiveLock);
2017 :
2018 162 : memlist = SearchSysCacheList1(AUTHMEMROLEMEM, ObjectIdGetDatum(roleid));
2019 162 : actions = initialize_revoke_actions(memlist);
2020 :
2021 : /*
2022 : * We may need to recurse to dependent privileges if DROP_CASCADE was
2023 : * specified, or refuse to perform the operation if dependent privileges
2024 : * exist and DROP_RESTRICT was specified. plan_single_revoke() will figure
2025 : * out what to do with each catalog tuple.
2026 : */
2027 312 : forboth(specitem, memberSpecs, iditem, memberIds)
2028 : {
2029 162 : RoleSpec *memberRole = lfirst(specitem);
2030 162 : Oid memberid = lfirst_oid(iditem);
2031 :
2032 162 : if (!plan_single_revoke(memlist, actions, memberid, grantorId,
2033 : popt, behavior))
2034 : {
2035 6 : ereport(WARNING,
2036 : (errmsg("role \"%s\" has not been granted membership in role \"%s\" by role \"%s\"",
2037 : get_rolespec_name(memberRole), rolename,
2038 : GetUserNameFromId(grantorId, false))));
2039 6 : continue;
2040 : }
2041 : }
2042 :
2043 : /*
2044 : * We now know what to do with each catalog tuple: it should either be
2045 : * left alone, deleted, or just have the admin_option flag cleared.
2046 : * Perform the appropriate action in each case.
2047 : */
2048 436 : for (i = 0; i < memlist->n_members; ++i)
2049 : {
2050 : HeapTuple authmem_tuple;
2051 : Form_pg_auth_members authmem_form;
2052 :
2053 286 : if (actions[i] == RRG_NOOP)
2054 124 : continue;
2055 :
2056 162 : authmem_tuple = &memlist->members[i]->tuple;
2057 162 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2058 :
2059 162 : if (actions[i] == RRG_DELETE_GRANT)
2060 : {
2061 : /*
2062 : * Remove the entry altogether, after first removing its
2063 : * dependencies
2064 : */
2065 114 : deleteSharedDependencyRecordsFor(AuthMemRelationId,
2066 : authmem_form->oid, 0);
2067 114 : CatalogTupleDelete(pg_authmem_rel, &authmem_tuple->t_self);
2068 : }
2069 : else
2070 : {
2071 : /* Just turn off the specified option */
2072 : HeapTuple tuple;
2073 48 : Datum new_record[Natts_pg_auth_members] = {0};
2074 48 : bool new_record_nulls[Natts_pg_auth_members] = {0};
2075 48 : bool new_record_repl[Natts_pg_auth_members] = {0};
2076 :
2077 : /* Build a tuple to update with */
2078 48 : if (actions[i] == RRG_REMOVE_ADMIN_OPTION)
2079 : {
2080 30 : new_record[Anum_pg_auth_members_admin_option - 1] =
2081 30 : BoolGetDatum(false);
2082 30 : new_record_repl[Anum_pg_auth_members_admin_option - 1] =
2083 : true;
2084 : }
2085 18 : else if (actions[i] == RRG_REMOVE_INHERIT_OPTION)
2086 : {
2087 12 : new_record[Anum_pg_auth_members_inherit_option - 1] =
2088 12 : BoolGetDatum(false);
2089 12 : new_record_repl[Anum_pg_auth_members_inherit_option - 1] =
2090 : true;
2091 : }
2092 6 : else if (actions[i] == RRG_REMOVE_SET_OPTION)
2093 : {
2094 6 : new_record[Anum_pg_auth_members_set_option - 1] =
2095 6 : BoolGetDatum(false);
2096 6 : new_record_repl[Anum_pg_auth_members_set_option - 1] =
2097 : true;
2098 : }
2099 : else
2100 0 : elog(ERROR, "unknown role revoke action");
2101 :
2102 48 : tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
2103 : new_record,
2104 : new_record_nulls, new_record_repl);
2105 48 : CatalogTupleUpdate(pg_authmem_rel, &tuple->t_self, tuple);
2106 : }
2107 : }
2108 :
2109 150 : ReleaseSysCacheList(memlist);
2110 :
2111 : /*
2112 : * Close pg_authmem, but keep lock till commit.
2113 : */
2114 150 : table_close(pg_authmem_rel, NoLock);
2115 150 : }
2116 :
2117 : /*
2118 : * Check that currentUserId has permission to modify the membership list for
2119 : * roleid. Throw an error if not.
2120 : */
2121 : static void
2122 1026 : check_role_membership_authorization(Oid currentUserId, Oid roleid,
2123 : bool is_grant)
2124 : {
2125 : /*
2126 : * The charter of pg_database_owner is to have exactly one, implicit,
2127 : * situation-dependent member. There's no technical need for this
2128 : * restriction. (One could lift it and take the further step of making
2129 : * object_ownercheck(DatabaseRelationId, ...) equivalent to
2130 : * has_privs_of_role(roleid, ROLE_PG_DATABASE_OWNER), in which case
2131 : * explicit, situation-independent members could act as the owner of any
2132 : * database.)
2133 : */
2134 1026 : if (is_grant && roleid == ROLE_PG_DATABASE_OWNER)
2135 12 : ereport(ERROR,
2136 : errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2137 : errmsg("role \"%s\" cannot have explicit members",
2138 : GetUserNameFromId(roleid, false)));
2139 :
2140 : /* To mess with a superuser role, you gotta be superuser. */
2141 1014 : if (superuser_arg(roleid))
2142 : {
2143 16 : if (!superuser_arg(currentUserId))
2144 : {
2145 6 : if (is_grant)
2146 6 : ereport(ERROR,
2147 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2148 : errmsg("permission denied to grant role \"%s\"",
2149 : GetUserNameFromId(roleid, false)),
2150 : errdetail("Only roles with the %s attribute may grant roles with the %s attribute.",
2151 : "SUPERUSER", "SUPERUSER")));
2152 : else
2153 0 : ereport(ERROR,
2154 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2155 : errmsg("permission denied to revoke role \"%s\"",
2156 : GetUserNameFromId(roleid, false)),
2157 : errdetail("Only roles with the %s attribute may revoke roles with the %s attribute.",
2158 : "SUPERUSER", "SUPERUSER")));
2159 : }
2160 : }
2161 : else
2162 : {
2163 : /*
2164 : * Otherwise, must have admin option on the role to be changed.
2165 : */
2166 998 : if (!is_admin_of_role(currentUserId, roleid))
2167 : {
2168 144 : if (is_grant)
2169 144 : ereport(ERROR,
2170 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2171 : errmsg("permission denied to grant role \"%s\"",
2172 : GetUserNameFromId(roleid, false)),
2173 : errdetail("Only roles with the %s option on role \"%s\" may grant this role.",
2174 : "ADMIN", GetUserNameFromId(roleid, false))));
2175 : else
2176 0 : ereport(ERROR,
2177 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2178 : errmsg("permission denied to revoke role \"%s\"",
2179 : GetUserNameFromId(roleid, false)),
2180 : errdetail("Only roles with the %s option on role \"%s\" may revoke this role.",
2181 : "ADMIN", GetUserNameFromId(roleid, false))));
2182 : }
2183 : }
2184 864 : }
2185 :
2186 : /*
2187 : * Sanity-check, or infer, the grantor for a GRANT or REVOKE statement
2188 : * targeting a role.
2189 : *
2190 : * The grantor must always be either a role with ADMIN OPTION on the role in
2191 : * which membership is being granted, or the bootstrap superuser. This is
2192 : * similar to the restriction enforced by select_best_grantor, except that
2193 : * roles don't have owners, so we regard the bootstrap superuser as the
2194 : * implicit owner.
2195 : *
2196 : * If the grantor was not explicitly specified by the user, grantorId should
2197 : * be passed as InvalidOid, and this function will infer the user to be
2198 : * recorded as the grantor. In many cases, this will be the current user, but
2199 : * things get more complicated when the current user doesn't possess ADMIN
2200 : * OPTION on the role but rather relies on having SUPERUSER privileges, or
2201 : * on inheriting the privileges of a role which does have ADMIN OPTION. See
2202 : * below for details.
2203 : *
2204 : * If the grantor was specified by the user, then it must be a user that
2205 : * can legally be recorded as the grantor, as per the rule stated above.
2206 : * This is an integrity constraint, not a permissions check, and thus even
2207 : * superusers are subject to this restriction. However, there is also a
2208 : * permissions check: to specify a role as the grantor, the current user
2209 : * must possess the privileges of that role. Superusers will always pass
2210 : * this check, but for non-superusers it may lead to an error.
2211 : *
2212 : * The return value is the OID to be regarded as the grantor when executing
2213 : * the operation.
2214 : */
2215 : static Oid
2216 4458 : check_role_grantor(Oid currentUserId, Oid roleid, Oid grantorId, bool is_grant)
2217 : {
2218 : /* If the grantor ID was not specified, pick one to use. */
2219 4458 : if (!OidIsValid(grantorId))
2220 : {
2221 : /*
2222 : * Grants where the grantor is recorded as the bootstrap superuser do
2223 : * not depend on any other existing grants, so always default to this
2224 : * interpretation when possible.
2225 : */
2226 4218 : if (superuser_arg(currentUserId))
2227 3882 : return BOOTSTRAP_SUPERUSERID;
2228 :
2229 : /*
2230 : * Otherwise, the grantor must either have ADMIN OPTION on the role or
2231 : * inherit the privileges of a role which does. In the former case,
2232 : * record the grantor as the current user; in the latter, pick one of
2233 : * the roles that is "most directly" inherited by the current role
2234 : * (i.e. fewest "hops").
2235 : *
2236 : * (We shouldn't fail to find a best grantor, because we've already
2237 : * established that the current user has permission to perform the
2238 : * operation.)
2239 : */
2240 336 : grantorId = select_best_admin(currentUserId, roleid);
2241 336 : if (!OidIsValid(grantorId))
2242 0 : elog(ERROR, "no possible grantors");
2243 336 : return grantorId;
2244 : }
2245 :
2246 : /*
2247 : * If an explicit grantor is specified, it must be a role whose privileges
2248 : * the current user possesses.
2249 : *
2250 : * It should also be a role that has ADMIN OPTION on the target role, but
2251 : * we check this condition only in case of GRANT. For REVOKE, no matching
2252 : * grant should exist anyway, but if it somehow does, let the user get rid
2253 : * of it.
2254 : */
2255 240 : if (is_grant)
2256 : {
2257 216 : if (!has_privs_of_role(currentUserId, grantorId))
2258 0 : ereport(ERROR,
2259 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2260 : errmsg("permission denied to grant privileges as role \"%s\"",
2261 : GetUserNameFromId(grantorId, false)),
2262 : errdetail("Only roles with privileges of role \"%s\" may grant privileges as this role.",
2263 : GetUserNameFromId(grantorId, false))));
2264 :
2265 306 : if (grantorId != BOOTSTRAP_SUPERUSERID &&
2266 90 : select_best_admin(grantorId, roleid) != grantorId)
2267 6 : ereport(ERROR,
2268 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2269 : errmsg("permission denied to grant privileges as role \"%s\"",
2270 : GetUserNameFromId(grantorId, false)),
2271 : errdetail("The grantor must have the %s option on role \"%s\".",
2272 : "ADMIN", GetUserNameFromId(roleid, false))));
2273 : }
2274 : else
2275 : {
2276 24 : if (!has_privs_of_role(currentUserId, grantorId))
2277 0 : ereport(ERROR,
2278 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2279 : errmsg("permission denied to revoke privileges granted by role \"%s\"",
2280 : GetUserNameFromId(grantorId, false)),
2281 : errdetail("Only roles with privileges of role \"%s\" may revoke privileges granted by this role.",
2282 : GetUserNameFromId(grantorId, false))));
2283 : }
2284 :
2285 : /*
2286 : * If a grantor was specified explicitly, always attribute the grant to
2287 : * that role (unless we error out above).
2288 : */
2289 234 : return grantorId;
2290 : }
2291 :
2292 : /*
2293 : * Initialize an array of RevokeRoleGrantAction objects.
2294 : *
2295 : * 'memlist' should be a list of all grants for the target role.
2296 : *
2297 : * This constructs an array indicating that no actions are to be performed;
2298 : * that is, every element is initially RRG_NOOP.
2299 : */
2300 : static RevokeRoleGrantAction *
2301 306 : initialize_revoke_actions(CatCList *memlist)
2302 : {
2303 : RevokeRoleGrantAction *result;
2304 : int i;
2305 :
2306 306 : if (memlist->n_members == 0)
2307 0 : return NULL;
2308 :
2309 306 : result = palloc(sizeof(RevokeRoleGrantAction) * memlist->n_members);
2310 832 : for (i = 0; i < memlist->n_members; i++)
2311 526 : result[i] = RRG_NOOP;
2312 306 : return result;
2313 : }
2314 :
2315 : /*
2316 : * Figure out what we would need to do in order to revoke a grant, or just the
2317 : * admin option on a grant, given that there might be dependent privileges.
2318 : *
2319 : * 'memlist' should be a list of all grants for the target role.
2320 : *
2321 : * Whatever actions prove to be necessary will be signalled by updating
2322 : * 'actions'.
2323 : *
2324 : * If behavior is DROP_RESTRICT, an error will occur if there are dependent
2325 : * role membership grants; if DROP_CASCADE, those grants will be scheduled
2326 : * for deletion.
2327 : *
2328 : * The return value is true if the matching grant was found in the list,
2329 : * and false if not.
2330 : */
2331 : static bool
2332 162 : plan_single_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
2333 : Oid member, Oid grantor, GrantRoleOptions *popt,
2334 : DropBehavior behavior)
2335 : {
2336 : int i;
2337 :
2338 : /*
2339 : * If popt.specified == 0, we're revoking the grant entirely; otherwise,
2340 : * we expect just one bit to be set, and we're revoking the corresponding
2341 : * option. As of this writing, there's no syntax that would allow for an
2342 : * attempt to revoke multiple options at once, and the logic below
2343 : * wouldn't work properly if such syntax were added, so assert that our
2344 : * caller isn't trying to do that.
2345 : */
2346 : Assert(pg_popcount32(popt->specified) <= 1);
2347 :
2348 280 : for (i = 0; i < memlist->n_members; ++i)
2349 : {
2350 : HeapTuple authmem_tuple;
2351 : Form_pg_auth_members authmem_form;
2352 :
2353 274 : authmem_tuple = &memlist->members[i]->tuple;
2354 274 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2355 :
2356 274 : if (authmem_form->member == member &&
2357 174 : authmem_form->grantor == grantor)
2358 : {
2359 156 : if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0)
2360 : {
2361 : /*
2362 : * Revoking the INHERIT option doesn't change anything for
2363 : * dependent privileges, so we don't need to recurse.
2364 : */
2365 12 : actions[i] = RRG_REMOVE_INHERIT_OPTION;
2366 : }
2367 144 : else if ((popt->specified & GRANT_ROLE_SPECIFIED_SET) != 0)
2368 : {
2369 : /* Here too, no need to recurse. */
2370 6 : actions[i] = RRG_REMOVE_SET_OPTION;
2371 : }
2372 : else
2373 : {
2374 : bool revoke_admin_option_only;
2375 :
2376 : /*
2377 : * Revoking the grant entirely, or ADMIN option on a grant,
2378 : * implicates dependent privileges, so we may need to recurse.
2379 : */
2380 138 : revoke_admin_option_only =
2381 138 : (popt->specified & GRANT_ROLE_SPECIFIED_ADMIN) != 0;
2382 138 : plan_recursive_revoke(memlist, actions, i,
2383 : revoke_admin_option_only, behavior);
2384 : }
2385 144 : return true;
2386 : }
2387 : }
2388 :
2389 6 : return false;
2390 : }
2391 :
2392 : /*
2393 : * Figure out what we would need to do in order to revoke all grants to
2394 : * a given member, given that there might be dependent privileges.
2395 : *
2396 : * 'memlist' should be a list of all grants for the target role.
2397 : *
2398 : * Whatever actions prove to be necessary will be signalled by updating
2399 : * 'actions'.
2400 : */
2401 : static void
2402 84 : plan_member_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
2403 : Oid member)
2404 : {
2405 : int i;
2406 :
2407 186 : for (i = 0; i < memlist->n_members; ++i)
2408 : {
2409 : HeapTuple authmem_tuple;
2410 : Form_pg_auth_members authmem_form;
2411 :
2412 102 : authmem_tuple = &memlist->members[i]->tuple;
2413 102 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2414 :
2415 102 : if (authmem_form->member == member)
2416 6 : plan_recursive_revoke(memlist, actions, i, false, DROP_CASCADE);
2417 : }
2418 84 : }
2419 :
2420 : /*
2421 : * Workhorse for figuring out recursive revocation of role grants.
2422 : *
2423 : * This is similar to what recursive_revoke() does for ACLs.
2424 : */
2425 : static void
2426 168 : plan_recursive_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
2427 : int index,
2428 : bool revoke_admin_option_only, DropBehavior behavior)
2429 : {
2430 168 : bool would_still_have_admin_option = false;
2431 : HeapTuple authmem_tuple;
2432 : Form_pg_auth_members authmem_form;
2433 : int i;
2434 :
2435 : /* If it's already been done, we can just return. */
2436 168 : if (actions[index] == RRG_DELETE_GRANT)
2437 0 : return;
2438 168 : if (actions[index] == RRG_REMOVE_ADMIN_OPTION &&
2439 : revoke_admin_option_only)
2440 0 : return;
2441 :
2442 : /* Locate tuple data. */
2443 168 : authmem_tuple = &memlist->members[index]->tuple;
2444 168 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2445 :
2446 : /*
2447 : * If the existing tuple does not have admin_option set, then we do not
2448 : * need to recurse. If we're just supposed to clear that bit we don't need
2449 : * to do anything at all; if we're supposed to remove the grant, we need
2450 : * to do something, but only to the tuple, and not any others.
2451 : */
2452 168 : if (!revoke_admin_option_only)
2453 : {
2454 132 : actions[index] = RRG_DELETE_GRANT;
2455 132 : if (!authmem_form->admin_option)
2456 90 : return;
2457 : }
2458 : else
2459 : {
2460 36 : if (!authmem_form->admin_option)
2461 0 : return;
2462 36 : actions[index] = RRG_REMOVE_ADMIN_OPTION;
2463 : }
2464 :
2465 : /* Determine whether the member would still have ADMIN OPTION. */
2466 228 : for (i = 0; i < memlist->n_members; ++i)
2467 : {
2468 : HeapTuple am_cascade_tuple;
2469 : Form_pg_auth_members am_cascade_form;
2470 :
2471 150 : am_cascade_tuple = &memlist->members[i]->tuple;
2472 150 : am_cascade_form = (Form_pg_auth_members) GETSTRUCT(am_cascade_tuple);
2473 :
2474 150 : if (am_cascade_form->member == authmem_form->member &&
2475 78 : am_cascade_form->admin_option && actions[i] == RRG_NOOP)
2476 : {
2477 0 : would_still_have_admin_option = true;
2478 0 : break;
2479 : }
2480 : }
2481 :
2482 : /* If the member would still have ADMIN OPTION, we need not recurse. */
2483 78 : if (would_still_have_admin_option)
2484 0 : return;
2485 :
2486 : /*
2487 : * Recurse to grants that are not yet slated for deletion which have this
2488 : * member as the grantor.
2489 : */
2490 216 : for (i = 0; i < memlist->n_members; ++i)
2491 : {
2492 : HeapTuple am_cascade_tuple;
2493 : Form_pg_auth_members am_cascade_form;
2494 :
2495 150 : am_cascade_tuple = &memlist->members[i]->tuple;
2496 150 : am_cascade_form = (Form_pg_auth_members) GETSTRUCT(am_cascade_tuple);
2497 :
2498 150 : if (am_cascade_form->grantor == authmem_form->member &&
2499 36 : actions[i] != RRG_DELETE_GRANT)
2500 : {
2501 36 : if (behavior == DROP_RESTRICT)
2502 12 : ereport(ERROR,
2503 : (errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
2504 : errmsg("dependent privileges exist"),
2505 : errhint("Use CASCADE to revoke them too.")));
2506 :
2507 24 : plan_recursive_revoke(memlist, actions, i, false, behavior);
2508 : }
2509 : }
2510 : }
2511 :
2512 : /*
2513 : * Initialize a GrantRoleOptions object with default values.
2514 : */
2515 : static void
2516 3094 : InitGrantRoleOptions(GrantRoleOptions *popt)
2517 : {
2518 3094 : popt->specified = 0;
2519 3094 : popt->admin = false;
2520 3094 : popt->inherit = false;
2521 3094 : popt->set = true;
2522 3094 : }
2523 :
2524 : /*
2525 : * GUC check_hook for createrole_self_grant
2526 : */
2527 : bool
2528 2170 : check_createrole_self_grant(char **newval, void **extra, GucSource source)
2529 : {
2530 : char *rawstring;
2531 : List *elemlist;
2532 : ListCell *l;
2533 2170 : unsigned options = 0;
2534 : unsigned *result;
2535 :
2536 : /* Need a modifiable copy of string */
2537 2170 : rawstring = pstrdup(*newval);
2538 :
2539 2170 : if (!SplitIdentifierString(rawstring, ',', &elemlist))
2540 : {
2541 : /* syntax error in list */
2542 0 : GUC_check_errdetail("List syntax is invalid.");
2543 0 : pfree(rawstring);
2544 0 : list_free(elemlist);
2545 0 : return false;
2546 : }
2547 :
2548 2182 : foreach(l, elemlist)
2549 : {
2550 12 : char *tok = (char *) lfirst(l);
2551 :
2552 12 : if (pg_strcasecmp(tok, "SET") == 0)
2553 6 : options |= GRANT_ROLE_SPECIFIED_SET;
2554 6 : else if (pg_strcasecmp(tok, "INHERIT") == 0)
2555 6 : options |= GRANT_ROLE_SPECIFIED_INHERIT;
2556 : else
2557 : {
2558 0 : GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
2559 0 : pfree(rawstring);
2560 0 : list_free(elemlist);
2561 0 : return false;
2562 : }
2563 : }
2564 :
2565 2170 : pfree(rawstring);
2566 2170 : list_free(elemlist);
2567 :
2568 2170 : result = (unsigned *) guc_malloc(LOG, sizeof(unsigned));
2569 2170 : if (!result)
2570 0 : return false;
2571 2170 : *result = options;
2572 2170 : *extra = result;
2573 :
2574 2170 : return true;
2575 : }
2576 :
2577 : /*
2578 : * GUC assign_hook for createrole_self_grant
2579 : */
2580 : void
2581 2170 : assign_createrole_self_grant(const char *newval, void *extra)
2582 : {
2583 2170 : unsigned options = *(unsigned *) extra;
2584 :
2585 2170 : createrole_self_grant_enabled = (options != 0);
2586 2170 : createrole_self_grant_options.specified = GRANT_ROLE_SPECIFIED_ADMIN
2587 : | GRANT_ROLE_SPECIFIED_INHERIT
2588 : | GRANT_ROLE_SPECIFIED_SET;
2589 2170 : createrole_self_grant_options.admin = false;
2590 2170 : createrole_self_grant_options.inherit =
2591 2170 : (options & GRANT_ROLE_SPECIFIED_INHERIT) != 0;
2592 2170 : createrole_self_grant_options.set =
2593 2170 : (options & GRANT_ROLE_SPECIFIED_SET) != 0;
2594 2170 : }
|
