Add SET SESSION AUTHORIZATION command.

2001-05-08 21:06:43 +00:00 · 2001-05-08 21:06:43 +00:00 · 1c1c58c76c
parent c50aa9db70
commit 1c1c58c76c
10 changed files with 179 additions and 16 deletions
--- a/doc/src/sgml/ref/allfiles.sgml
+++ b/doc/src/sgml/ref/allfiles.sgml
@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/allfiles.sgml,v 1.29 2001/05/08 19:28:01 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/allfiles.sgml,v 1.30 2001/05/08 21:06:42 petere Exp $
 Postgres documentation
 Complete list of usable sgml source files in this directory.
 -->
@ -98,6 +98,7 @@ Complete list of usable sgml source files in this directory.
 <!entity selectInto         system "select_into.sgml">
 <!entity set                system "set.sgml">
 <!entity setConstraints     system "set_constraints.sgml">
+<!entity setSessionAuth     system "set_session_auth.sgml">
 <!entity setTransaction     system "set_transaction.sgml">
 <!entity show               system "show.sgml">
 <!entity truncate           system "truncate.sgml">
--- a/doc/src/sgml/ref/set_session_auth.sgml
+++ b/doc/src/sgml/ref/set_session_auth.sgml
@ -0,0 +1,103 @@
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.1 2001/05/08 21:06:42 petere Exp $ -->
+<refentry id="SQL-SET-SESSION-AUTHORIZATION">
+ <docinfo>
+  <date>2001-04-21</date>
+ </docinfo>
+
+ <refmeta>
+  <refentrytitle>SET SESSION AUTHORIZATION</refentrytitle>
+  <refmiscinfo>SQL - Language Statements</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+  <refname>SET SESSION AUTHORIZATION</refname>
+  <refpurpose>Set the session user identifier and the current user identifier
+         of the current SQL-session context</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+<synopsis>
+SET SESSION AUTHORIZATION '<parameter>username</parameter>'
+</synopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+  <title>Description</title>
+
+  <para>
+   This command sets the session user identifier and the current user
+   identifer of the current SQL-session context to be
+   <parameter>username</parameter>.
+  </para>
+
+  <para>
+   The session user identifier is initially set to be the (possibly
+   authenticated) user name provided by the client.  The current user
+   identifier is normally equal to the session user identifier, but
+   may change temporarily in the context of <quote>setuid</quote>
+   functions and similar mechanisms.  The current user identifer is
+   relevant for permission checking.
+  </para>
+
+  <para>
+   Execution of this command is only permitted if the initial session
+   user (the <firstterm>authenticated user</firstterm>) had the
+   superuser privilege.  This permission is kept for the duration of a
+   connection; for example, it is possible to temporarily become an
+   unprivileged user and later switch back to become a superuser.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Examples</title>
+
+<screen>
+<userinput>SELECT SESSION_USER, CURRENT_USER;</userinput>
+ current_user | session_user
+--------------+--------------
+ peter        | peter
+
+<userinput>SET SESSION AUTHORIZATION 'paul';</userinput>
+
+<userinput>SELECT SESSION_USER, CURRENT_USER;</userinput>
+ current_user | session_user
+--------------+--------------
+ paul         | paul
+</screen>
+ </refsect1>
+
+ <refsect1>
+  <title>Compatibility</title>
+
+  <simpara>SQL99</simpara>
+
+  <para>
+   SQL99 allows some other expressions to appear in place of the
+   literal <parameter>username</parameter> which are not important in
+   practice.  <application>PostgreSQL</application> allows identifier
+   syntax (<literal>"username"</literal>), which SQL does not.  SQL
+   does not allow this command during a transaction;
+   <application>PostgreSQL</application> does not make
+   this restriction because there is no reason to.  The
+   privileges necessary to execute this command are left
+   implementation-defined by the standard.
+  </para>
+ </refsect1>
+</refentry>
+
+<!-- Keep this comment at the end of the file
+Local variables:
+mode:sgml
+sgml-omittag:nil
+sgml-shorttag:t
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:1
+sgml-indent-data:t
+sgml-parent-document:nil
+sgml-default-dtd-file:"../reference.ced"
+sgml-exposed-tags:nil
+sgml-local-catalogs:("/usr/lib/sgml/catalog")
+sgml-local-ecat-files:nil
+End:
+-->
--- a/doc/src/sgml/reference.sgml
+++ b/doc/src/sgml/reference.sgml
@ -1,5 +1,5 @@
 <!-- reference.sgml
-$Header: /cvsroot/pgsql/doc/src/sgml/reference.sgml,v 1.16 2001/05/07 00:43:14 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/reference.sgml,v 1.17 2001/05/08 21:06:42 petere Exp $

 PostgreSQL Reference Manual
 -->
@ -84,6 +84,7 @@ PostgreSQL Reference Manual
   &selectInto;
   &set;
   &setConstraints;
+   &setSessionAuth;
   &setTransaction;
   &show;
   &truncate;
@ -131,7 +132,6 @@ Disable this chapter until we have more functions documented.
   &dropuser;
   &ecpgRef;
   &pgAccess;
-   &pgAdmin;
   &pgConfig;
   &pgDump;
   &pgDumpall;
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.47 2001/03/29 19:03:57 petere Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.48 2001/05/08 21:06:42 petere Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -721,6 +721,8 @@ SetPGVariable(const char *name, const char *value)
 		parse_server_encoding(mvalue);
 	else if (strcasecmp(name, "seed") == 0)
 		parse_random_seed(mvalue);
+	else if (strcasecmp(name, "session_authorization") == 0)
+		SetSessionAuthorization(value);
 	else
 		SetConfigOption(name, value, superuser() ? PGC_SUSET : PGC_USERSET);

--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/parser/gram.y,v 2.223 2001/05/07 00:43:23 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/parser/gram.y,v 2.224 2001/05/08 21:06:42 petere Exp $
 *
 * HISTORY
 *	  AUTHOR			DATE			MAJOR EVENT
@ -259,7 +259,7 @@ static void doNegateFloat(Value *v);

 %type <ival>	Iconst
 %type <str>		Sconst, comment_text
-%type <str>		UserId, opt_boolean, var_value, zone_value
+%type <str>		UserId, opt_boolean, var_value, zone_value, Ident_or_Sconst
 %type <str>		ColId, ColLabel, TokenId

 %type <node>	TableConstraint
@ -292,7 +292,7 @@ static void doNegateFloat(Value *v);
 */

 /* Keywords (in SQL92 reserved words) */
-%token	ABSOLUTE, ACTION, ADD, ALL, ALTER, AND, ANY, AS, ASC, AT,
+%token	ABSOLUTE, ACTION, ADD, ALL, ALTER, AND, ANY, AS, ASC, AT, AUTHORIZATION,
 		BEGIN_TRANS, BETWEEN, BOTH, BY,
 		CASCADE, CASE, CAST, CHAR, CHARACTER, CHECK, CLOSE, 
 		COALESCE, COLLATE, COLUMN, COMMIT,
@ -761,6 +761,13 @@ VariableSetStmt:  SET ColId TO var_value
 					n->value = $3;
 					$$ = (Node *) n;
 				}
+		| SET SESSION AUTHORIZATION Ident_or_Sconst
+				{
+					VariableSetStmt *n = makeNode(VariableSetStmt);
+					n->name = "session_authorization";
+					n->value = $4;
+					$$ = (Node *) n;
+				}
 		;

 opt_level:  READ COMMITTED					{ $$ = "committed"; }
@ -837,6 +844,10 @@ opt_encoding:  Sconst						{ $$ = $1; }
        | /*EMPTY*/							{ $$ = NULL; }
        ;

+Ident_or_Sconst: IDENT						{ $$ = $1; }
+		| SCONST							{ $$ = $1; }
+
+
 VariableShowStmt:  SHOW ColId
 				{
 					VariableShowStmt *n = makeNode(VariableShowStmt);
@ -5459,6 +5470,7 @@ TokenId:  ABSOLUTE						{ $$ = "absolute"; }
 		| AGGREGATE						{ $$ = "aggregate"; }
 		| ALTER							{ $$ = "alter"; }
 		| AT							{ $$ = "at"; }
+		| AUTHORIZATION					{ $$ = "authorization"; }
 		| BACKWARD						{ $$ = "backward"; }
 		| BEFORE						{ $$ = "before"; }
 		| BEGIN_TRANS					{ $$ = "begin"; }
--- a/src/backend/parser/keywords.c
+++ b/src/backend/parser/keywords.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/parser/keywords.c,v 1.91 2001/05/07 00:43:23 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/parser/keywords.c,v 1.92 2001/05/08 21:06:43 petere Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -44,6 +44,7 @@ static ScanKeyword ScanKeywords[] = {
 	{"as", AS},
 	{"asc", ASC},
 	{"at", AT},
+	{"authorization", AUTHORIZATION},
 	{"backward", BACKWARD},
 	{"before", BEFORE},
 	{"begin", BEGIN_TRANS},
--- a/src/backend/utils/init/miscinit.c
+++ b/src/backend/utils/init/miscinit.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/init/miscinit.c,v 1.65 2001/04/16 02:42:01 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/init/miscinit.c,v 1.66 2001/05/08 21:06:43 petere Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -354,6 +354,7 @@ convertstr(unsigned char *buff, int len, int dest)
 static Oid	CurrentUserId = InvalidOid;
 static Oid	SessionUserId = InvalidOid;

+static bool AuthenticatedUserIsSuperuser = false;

 /*
 * This function is relevant for all privilege checks.
@ -397,7 +398,7 @@ SetSessionUserId(Oid newid)


 void
-SetSessionUserIdFromUserName(const char *username)
+InitializeSessionUserId(const char *username)
 {
 	HeapTuple	userTup;

@ -407,6 +408,9 @@ SetSessionUserIdFromUserName(const char *username)
 	 */
 	AssertState(!IsBootstrapProcessingMode());

+	/* call only once */
+	AssertState(!OidIsValid(SessionUserId));
+
 	userTup = SearchSysCache(SHADOWNAME,
 							 PointerGetDatum(username),
 							 0, 0, 0);
@ -415,6 +419,29 @@ SetSessionUserIdFromUserName(const char *username)

 	SetSessionUserId(((Form_pg_shadow) GETSTRUCT(userTup))->usesysid);

+	AuthenticatedUserIsSuperuser = ((Form_pg_shadow) GETSTRUCT(userTup))->usesuper;
+
+	ReleaseSysCache(userTup);
+}
+
+
+
+void SetSessionAuthorization(const char * username)
+{
+	HeapTuple	userTup;
+
+	if (!AuthenticatedUserIsSuperuser)
+		elog(ERROR, "permission denied");
+
+	userTup = SearchSysCache(SHADOWNAME,
+							 PointerGetDatum(username),
+							 0, 0, 0);
+	if (!HeapTupleIsValid(userTup))
+		elog(ERROR, "user \"%s\" does not exist", username);
+
+	SetSessionUserId(((Form_pg_shadow) GETSTRUCT(userTup))->usesysid);
+	SetUserId(((Form_pg_shadow) GETSTRUCT(userTup))->usesysid);
+
 	ReleaseSysCache(userTup);
 }

--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/init/postinit.c,v 1.84 2001/04/21 18:29:29 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/init/postinit.c,v 1.85 2001/05/08 21:06:43 petere Exp $
 *
 *
 *-------------------------------------------------------------------------
@ -341,7 +341,7 @@ InitPostgres(const char *dbname, const char *username)
 	if (bootstrap)
 		SetSessionUserId(geteuid());
 	else
-		SetSessionUserIdFromUserName(username);
+		InitializeSessionUserId(username);

 	/*
 	 * Unless we are bootstrapping, double-check that InitMyDatabaseInfo()
--- a/src/bin/psql/tab-complete.c
+++ b/src/bin/psql/tab-complete.c
@ -3,7 +3,7 @@
 *
 * Copyright 2000 by PostgreSQL Global Development Group
 *
- * $Header: /cvsroot/pgsql/src/bin/psql/tab-complete.c,v 1.31 2001/05/07 19:31:33 petere Exp $
+ * $Header: /cvsroot/pgsql/src/bin/psql/tab-complete.c,v 1.32 2001/05/08 21:06:43 petere Exp $
 */

 /*----------------------------------------------------------------------
@ -201,7 +201,7 @@ psql_completion(char *text, int start, int end)
 		/* these SET arguments are known in gram.y */
 		"CONSTRAINTS",
 		"NAMES",
-		"SESSION CHARACTERISTICS AS TRANSACTION ISOLATION LEVEL",
+		"SESSION",
 		"TRANSACTION ISOLATION LEVEL",
 		/* these are treated in backend/commands/variable.c */
 		"DateStyle",
@ -646,6 +646,22 @@ psql_completion(char *text, int start, int end)

 		COMPLETE_WITH_LIST(constraint_list);
 	}
+	/* Complete SET SESSION with AUTHORIZATION or CHARACTERISTICS... */
+	else if (strcasecmp(prev2_wd, "SET") == 0 && strcasecmp(prev_wd, "SESSION") == 0)
+	{
+		char *my_list[] = {"AUTHORIZATION",
+						   "CHARACTERISTICS AS TRANSACTION ISOLATION LEVEL",
+						   NULL};
+
+		COMPLETE_WITH_LIST(my_list);
+	}
+	/* Complete SET SESSION AUTHORIZATION with username */
+	else if (strcasecmp(prev3_wd, "SET") == 0 
+			 && strcasecmp(prev2_wd, "SESSION") == 0
+			 && strcasecmp(prev_wd, "AUTHORIZATION") == 0)
+	{
+		COMPLETE_WITH_QUERY(Query_for_list_of_users);
+	}
 	/* Complete SET <var> with "TO" */
 	else if (strcasecmp(prev2_wd, "SET") == 0 &&
 			 strcasecmp(prev4_wd, "UPDATE") != 0)
--- a/src/include/miscadmin.h
+++ b/src/include/miscadmin.h
@ -12,7 +12,7 @@
 * Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $Id: miscadmin.h,v 1.83 2001/03/22 04:00:25 momjian Exp $
+ * $Id: miscadmin.h,v 1.84 2001/05/08 21:06:43 petere Exp $
 *
 * NOTES
 *	  some of the information in this file should be moved to
@ -208,7 +208,8 @@ extern Oid	GetUserId(void);
 extern void SetUserId(Oid userid);
 extern Oid	GetSessionUserId(void);
 extern void SetSessionUserId(Oid userid);
-extern void SetSessionUserIdFromUserName(const char *username);
+extern void InitializeSessionUserId(const char *username);
+extern void SetSessionAuthorization(const char *username);

 extern void SetDataDir(const char *dir);