From a9d7f62cadab92ca6a074794765392adc2833a9d Mon Sep 17 00:00:00 2001
From: Andres Freund
Date: Tue, 12 Apr 2016 18:06:59 -0700
Subject: [PATCH] Perform permission checks on operations re-implemented by citus.

Currently that's just COPY FROM. There's other places where we could check for permissions earlier (to fail less verbosely), but since there's other pending changes in the whole DDL area, which is affected by this, I'm just adding a note to those places.
---
 src/backend/distributed/executor/multi_utility.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/backend/distributed/executor/multi_utility.c b/src/backend/distributed/executor/multi_utility.c
index 58de7ae0f..389bc15da 100644
--- a/src/backend/distributed/executor/multi_utility.c
+++ b/src/backend/distributed/executor/multi_utility.c
@@ -315,6 +315,7 @@ ProcessCopyStmt(CopyStmt *copyStatement, char *completionTag, bool *commandMustR
 bool isDistributedRelation = false;
 bool isFrom = copyStatement->is_from;
+ /* consider using RangeVarGetRelidExtended to check perms before locking */
 copiedRelation = heap_openrv(copyStatement->relation, isFrom ? RowExclusiveLock : AccessShareLock);
@@ -330,6 +331,8 @@ ProcessCopyStmt(CopyStmt *copyStatement, char *completionTag, bool *commandMustR
 {
 if (copyStatement->is_from)
 {
+ /* check permissions, we're bypassing postgres' normal checks */
+ CheckCopyPermissions(copyStatement);
 CitusCopyFrom(copyStatement, completionTag);
 return NULL;
 }
@@ -445,6 +448,12 @@ ProcessIndexStmt(IndexStmt *createIndexStatement, const char *createIndexCommand
 lockmode = ShareUpdateExclusiveLock;
 }
+ /*
+ * XXX: Consider using RangeVarGetRelidExtended with a permission
+ * checking callback. Right now we'll acquire the lock before having
+ * checked permissions, and will only fail when executing the actual
+ * index statements.
+ */
 relation = heap_openrv(createIndexStatement->relation, lockmode);
 relationId = RelationGetRelid(relation);
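Review bot: The `heap_openrv` call in ProcessCopyStmt still takes RowExclusiveLock or AccessShareLock before any privilege check runs, and the new one-line comment above it does not say so. A role with no rights on the table can therefore hold or queue for a lock that delays conflicting operations until the later permission error releases it. The ProcessIndexStmt hunk has the same ordering at its own `heap_openrv` call, where the XXX comment does spell out the consequence. I would word the first comment the same way so both sites are found by one search, e.g. `/* XXX: lock is taken before permissions are checked; consider RangeVarGetRelidExtended with a permission checking callback */`. Both functions start and end outside their hunks, so whether the relation is closed again on the error path is not visible here.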
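Review bot: `CheckCopyPermissions(copyStatement)` is, by the comment's own account, what stands in for postgres' normal checks on the distributed COPY FROM path, but the diffstat shows one file changed and no regression test. The helper's definition is also not part of this diff, so its coverage cannot be confirmed from here. A test that runs COPY FROM on a distributed table as a role without INSERT privilege and expects a permission error would keep the call from being dropped or reordered unnoticed. The comment could also name what the helper has to stay in sync with, for example `/* must mirror the permission checks in postgres' DoCopy(), which this path bypasses */`. ProcessCopyStmt's body continues outside the hunk, so the handling of the non-`is_from` case is not visible.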