|
Eneboo - Documentación para desarrolladores
|
src/libpq/include/utils/acl.h
Ir a la documentación de este archivo.
00001 /*------------------------------------------------------------------------- 00002 * 00003 * acl.h 00004 * Definition of (and support for) access control list data structures. 00005 * 00006 * 00007 * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group 00008 * Portions Copyright (c) 1994, Regents of the University of California 00009 * 00010 * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.86 2005/11/04 17:25:15 tgl Exp $ 00011 * 00012 * NOTES 00013 * An ACL array is simply an array of AclItems, representing the union 00014 * of the privileges represented by the individual items. A zero-length 00015 * array represents "no privileges". There are no assumptions about the 00016 * ordering of the items, but we do expect that there are no two entries 00017 * in the array with the same grantor and grantee. 00018 * 00019 * For backward-compatibility purposes we have to allow null ACL entries 00020 * in system catalogs. A null ACL will be treated as meaning "default 00021 * protection" (i.e., whatever acldefault() returns). 00022 *------------------------------------------------------------------------- 00023 */ 00024 #ifndef ACL_H 00025 #define ACL_H 00026 00027 #include "nodes/parsenodes.h" 00028 #include "utils/array.h" 00029 00030 00031 /* 00032 * typedef AclMode is declared in parsenodes.h, also the individual privilege 00033 * bit meanings are defined there 00034 */ 00035 00036 #define ACL_ID_PUBLIC 0 /* placeholder for id in a PUBLIC acl item */ 00037 00038 /* 00039 * AclItem 00040 * 00041 * Note: must be same size on all platforms, because the size is hardcoded 00042 * in the pg_type.h entry for aclitem. 00043 */ 00044 typedef struct AclItem 00045 { 00046 Oid ai_grantee; /* ID that this item grants privs to */ 00047 Oid ai_grantor; /* grantor of privs */ 00048 AclMode ai_privs; /* privilege bits */ 00049 } AclItem; 00050 00051 /* 00052 * The upper 16 bits of the ai_privs field of an AclItem are the grant option 00053 * bits, and the lower 16 bits are the actual privileges. We use "rights" 00054 * to mean the combined grant option and privilege bits fields. 00055 */ 00056 #define ACLITEM_GET_PRIVS(item) ((item).ai_privs & 0xFFFF) 00057 #define ACLITEM_GET_GOPTIONS(item) (((item).ai_privs >> 16) & 0xFFFF) 00058 #define ACLITEM_GET_RIGHTS(item) ((item).ai_privs) 00059 00060 #define ACL_GRANT_OPTION_FOR(privs) (((AclMode) (privs) & 0xFFFF) << 16) 00061 #define ACL_OPTION_TO_PRIVS(privs) (((AclMode) (privs) >> 16) & 0xFFFF) 00062 00063 #define ACLITEM_SET_PRIVS(item,privs) \ 00064 ((item).ai_privs = ((item).ai_privs & ~((AclMode) 0xFFFF)) | \ 00065 ((AclMode) (privs) & 0xFFFF)) 00066 #define ACLITEM_SET_GOPTIONS(item,goptions) \ 00067 ((item).ai_privs = ((item).ai_privs & ~(((AclMode) 0xFFFF) << 16)) | \ 00068 (((AclMode) (goptions) & 0xFFFF) << 16)) 00069 #define ACLITEM_SET_RIGHTS(item,rights) \ 00070 ((item).ai_privs = (AclMode) (rights)) 00071 00072 #define ACLITEM_SET_PRIVS_GOPTIONS(item,privs,goptions) \ 00073 ((item).ai_privs = ((AclMode) (privs) & 0xFFFF) | \ 00074 (((AclMode) (goptions) & 0xFFFF) << 16)) 00075 00076 00077 #define ACLITEM_ALL_PRIV_BITS ((AclMode) 0xFFFF) 00078 #define ACLITEM_ALL_GOPTION_BITS ((AclMode) 0xFFFF << 16) 00079 00080 /* 00081 * Definitions for convenient access to Acl (array of AclItem) and IdList 00082 * (array of Oid). These are standard PostgreSQL arrays, but are restricted 00083 * to have one dimension. We also ignore the lower bound when reading, 00084 * and set it to one when writing. 00085 * 00086 * CAUTION: as of PostgreSQL 7.1, these arrays are toastable (just like all 00087 * other array types). Therefore, be careful to detoast them with the 00088 * macros provided, unless you know for certain that a particular array 00089 * can't have been toasted. 00090 */ 00091 00092 00093 /* 00094 * Acl a one-dimensional array of AclItem 00095 */ 00096 typedef ArrayType Acl; 00097 00098 #define ACL_NUM(ACL) (ARR_DIMS(ACL)[0]) 00099 #define ACL_DAT(ACL) ((AclItem *) ARR_DATA_PTR(ACL)) 00100 #define ACL_N_SIZE(N) (ARR_OVERHEAD(1) + ((N) * sizeof(AclItem))) 00101 #define ACL_SIZE(ACL) ARR_SIZE(ACL) 00102 00103 /* 00104 * IdList a one-dimensional array of Oid 00105 */ 00106 typedef ArrayType IdList; 00107 00108 #define IDLIST_NUM(IDL) (ARR_DIMS(IDL)[0]) 00109 #define IDLIST_DAT(IDL) ((Oid *) ARR_DATA_PTR(IDL)) 00110 #define IDLIST_N_SIZE(N) (ARR_OVERHEAD(1) + ((N) * sizeof(Oid))) 00111 #define IDLIST_SIZE(IDL) ARR_SIZE(IDL) 00112 00113 /* 00114 * fmgr macros for these types 00115 */ 00116 #define DatumGetAclItemP(X) ((AclItem *) DatumGetPointer(X)) 00117 #define PG_GETARG_ACLITEM_P(n) DatumGetAclItemP(PG_GETARG_DATUM(n)) 00118 #define PG_RETURN_ACLITEM_P(x) PG_RETURN_POINTER(x) 00119 00120 #define DatumGetAclP(X) ((Acl *) PG_DETOAST_DATUM(X)) 00121 #define DatumGetAclPCopy(X) ((Acl *) PG_DETOAST_DATUM_COPY(X)) 00122 #define PG_GETARG_ACL_P(n) DatumGetAclP(PG_GETARG_DATUM(n)) 00123 #define PG_GETARG_ACL_P_COPY(n) DatumGetAclPCopy(PG_GETARG_DATUM(n)) 00124 #define PG_RETURN_ACL_P(x) PG_RETURN_POINTER(x) 00125 00126 #define DatumGetIdListP(X) ((IdList *) PG_DETOAST_DATUM(X)) 00127 #define DatumGetIdListPCopy(X) ((IdList *) PG_DETOAST_DATUM_COPY(X)) 00128 #define PG_GETARG_IDLIST_P(n) DatumGetIdListP(PG_GETARG_DATUM(n)) 00129 #define PG_GETARG_IDLIST_P_COPY(n) DatumGetIdListPCopy(PG_GETARG_DATUM(n)) 00130 #define PG_RETURN_IDLIST_P(x) PG_RETURN_POINTER(x) 00131 00132 00133 /* 00134 * ACL modification opcodes for aclupdate 00135 */ 00136 #define ACL_MODECHG_ADD 1 00137 #define ACL_MODECHG_DEL 2 00138 #define ACL_MODECHG_EQL 3 00139 00140 /* 00141 * External representations of the privilege bits --- aclitemin/aclitemout 00142 * represent each possible privilege bit with a distinct 1-character code 00143 */ 00144 #define ACL_INSERT_CHR 'a' /* formerly known as "append" */ 00145 #define ACL_SELECT_CHR 'r' /* formerly known as "read" */ 00146 #define ACL_UPDATE_CHR 'w' /* formerly known as "write" */ 00147 #define ACL_DELETE_CHR 'd' 00148 #define ACL_RULE_CHR 'R' 00149 #define ACL_REFERENCES_CHR 'x' 00150 #define ACL_TRIGGER_CHR 't' 00151 #define ACL_EXECUTE_CHR 'X' 00152 #define ACL_USAGE_CHR 'U' 00153 #define ACL_CREATE_CHR 'C' 00154 #define ACL_CREATE_TEMP_CHR 'T' 00155 00156 /* string holding all privilege code chars, in order by bitmask position */ 00157 #define ACL_ALL_RIGHTS_STR "arwdRxtXUCT" 00158 00159 /* 00160 * Bitmasks defining "all rights" for each supported object type 00161 */ 00162 #define ACL_ALL_RIGHTS_RELATION (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_RULE|ACL_REFERENCES|ACL_TRIGGER) 00163 #define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP) 00164 #define ACL_ALL_RIGHTS_FUNCTION (ACL_EXECUTE) 00165 #define ACL_ALL_RIGHTS_LANGUAGE (ACL_USAGE) 00166 #define ACL_ALL_RIGHTS_NAMESPACE (ACL_USAGE|ACL_CREATE) 00167 #define ACL_ALL_RIGHTS_TABLESPACE (ACL_CREATE) 00168 00169 /* operation codes for pg_*_aclmask */ 00170 typedef enum 00171 { 00172 ACLMASK_ALL, /* normal case: compute all bits */ 00173 ACLMASK_ANY /* return when result is known nonzero */ 00174 } AclMaskHow; 00175 00176 /* result codes for pg_*_aclcheck */ 00177 typedef enum 00178 { 00179 ACLCHECK_OK = 0, 00180 ACLCHECK_NO_PRIV, 00181 ACLCHECK_NOT_OWNER 00182 } AclResult; 00183 00184 /* this enum covers all object types that can have privilege errors */ 00185 /* currently it's only used to tell aclcheck_error what to say */ 00186 typedef enum AclObjectKind 00187 { 00188 ACL_KIND_CLASS, /* pg_class */ 00189 ACL_KIND_DATABASE, /* pg_database */ 00190 ACL_KIND_PROC, /* pg_proc */ 00191 ACL_KIND_OPER, /* pg_operator */ 00192 ACL_KIND_TYPE, /* pg_type */ 00193 ACL_KIND_LANGUAGE, /* pg_language */ 00194 ACL_KIND_NAMESPACE, /* pg_namespace */ 00195 ACL_KIND_OPCLASS, /* pg_opclass */ 00196 ACL_KIND_CONVERSION, /* pg_conversion */ 00197 ACL_KIND_TABLESPACE, /* pg_tablespace */ 00198 MAX_ACL_KIND /* MUST BE LAST */ 00199 } AclObjectKind; 00200 00201 /* 00202 * routines used internally 00203 */ 00204 extern Acl *acldefault(GrantObjectType objtype, Oid ownerId); 00205 extern Acl *aclupdate(const Acl *old_acl, const AclItem *mod_aip, 00206 int modechg, Oid ownerId, DropBehavior behavior); 00207 extern Acl *aclnewowner(const Acl *old_acl, Oid oldOwnerId, Oid newOwnerId); 00208 00209 extern AclMode aclmask(const Acl *acl, Oid roleid, Oid ownerId, 00210 AclMode mask, AclMaskHow how); 00211 extern int aclmembers(const Acl *acl, Oid **roleids); 00212 00213 extern bool has_privs_of_role(Oid member, Oid role); 00214 extern bool is_member_of_role(Oid member, Oid role); 00215 extern bool is_member_of_role_nosuper(Oid member, Oid role); 00216 extern bool is_admin_of_role(Oid member, Oid role); 00217 extern void check_is_member_of_role(Oid member, Oid role); 00218 00219 extern void select_best_grantor(Oid roleId, AclMode privileges, 00220 const Acl *acl, Oid ownerId, 00221 Oid *grantorId, AclMode *grantOptions); 00222 00223 extern void initialize_acl(void); 00224 00225 /* 00226 * SQL functions (from acl.c) 00227 */ 00228 extern Datum aclitemin(PG_FUNCTION_ARGS); 00229 extern Datum aclitemout(PG_FUNCTION_ARGS); 00230 extern Datum aclinsert(PG_FUNCTION_ARGS); 00231 extern Datum aclremove(PG_FUNCTION_ARGS); 00232 extern Datum aclcontains(PG_FUNCTION_ARGS); 00233 extern Datum makeaclitem(PG_FUNCTION_ARGS); 00234 extern Datum aclitem_eq(PG_FUNCTION_ARGS); 00235 extern Datum hash_aclitem(PG_FUNCTION_ARGS); 00236 00237 /* 00238 * prototypes for functions in aclchk.c 00239 */ 00240 extern void ExecuteGrantStmt(GrantStmt *stmt); 00241 00242 extern AclMode pg_class_aclmask(Oid table_oid, Oid roleid, 00243 AclMode mask, AclMaskHow how); 00244 extern AclMode pg_database_aclmask(Oid db_oid, Oid roleid, 00245 AclMode mask, AclMaskHow how); 00246 extern AclMode pg_proc_aclmask(Oid proc_oid, Oid roleid, 00247 AclMode mask, AclMaskHow how); 00248 extern AclMode pg_language_aclmask(Oid lang_oid, Oid roleid, 00249 AclMode mask, AclMaskHow how); 00250 extern AclMode pg_namespace_aclmask(Oid nsp_oid, Oid roleid, 00251 AclMode mask, AclMaskHow how); 00252 extern AclMode pg_tablespace_aclmask(Oid spc_oid, Oid roleid, 00253 AclMode mask, AclMaskHow how); 00254 00255 extern AclResult pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode); 00256 extern AclResult pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode); 00257 extern AclResult pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode); 00258 extern AclResult pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode); 00259 extern AclResult pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode); 00260 extern AclResult pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode); 00261 00262 extern void aclcheck_error(AclResult aclerr, AclObjectKind objectkind, 00263 const char *objectname); 00264 00265 /* ownercheck routines just return true (owner) or false (not) */ 00266 extern bool pg_class_ownercheck(Oid class_oid, Oid roleid); 00267 extern bool pg_type_ownercheck(Oid type_oid, Oid roleid); 00268 extern bool pg_oper_ownercheck(Oid oper_oid, Oid roleid); 00269 extern bool pg_proc_ownercheck(Oid proc_oid, Oid roleid); 00270 extern bool pg_namespace_ownercheck(Oid nsp_oid, Oid roleid); 00271 extern bool pg_tablespace_ownercheck(Oid spc_oid, Oid roleid); 00272 extern bool pg_opclass_ownercheck(Oid opc_oid, Oid roleid); 00273 extern bool pg_database_ownercheck(Oid db_oid, Oid roleid); 00274 extern bool pg_conversion_ownercheck(Oid conv_oid, Oid roleid); 00275 00276 #endif /* ACL_H */
