修复视图sql security 问题
This commit is contained in:
chenbd
@ -308,6 +308,15 @@ static bool viewSecurityPassDown(Node* node, void* context)
|
||||
/* Do what we came for */
|
||||
if (rte->rtekind == RTE_RELATION) {
|
||||
rte->checkAsUser = *asUser;
|
||||
/* Check namespace permissions. */
|
||||
AclResult aclresult;
|
||||
/* No lock here ,cause relation already opend */
|
||||
Relation rel = heap_open(rte->relid, NoLock);
|
||||
Oid namespaceId = RelationGetNamespace(rel);
|
||||
aclresult = pg_namespace_aclcheck(namespaceId, *asUser, ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, ACL_KIND_NAMESPACE, get_namespace_name(namespaceId));
|
||||
heap_close(rel, NoLock);
|
||||
}
|
||||
/* allow rangetable entry continue */
|
||||
return false;
|
||||
|
||||
@ -2876,3 +2876,69 @@ drop database b_cmpt_db;
|
||||
drop database db_a1144425;
|
||||
DROP USER test_c;
|
||||
DROP USER test_d;
|
||||
-- view sql security bugfix
|
||||
create database db_a1144877 dbcompatibility 'B';
|
||||
\c db_a1144877;
|
||||
create user use_a_1144877 identified by 'A@123456';
|
||||
create user use_b_1144877 identified by 'A@123456';
|
||||
--create
|
||||
create table sql_security_1144877(id int,cal int);
|
||||
insert into sql_security_1144877 values(1,1);
|
||||
insert into sql_security_1144877 values(2,2);
|
||||
insert into sql_security_1144877 values(3,3);
|
||||
create schema s_1144877;
|
||||
create table s_1144877.sql_security_1144877(id int,cal int);
|
||||
insert into s_1144877.sql_security_1144877 values(2,1);
|
||||
insert into s_1144877.sql_security_1144877 values(3,2);
|
||||
insert into s_1144877.sql_security_1144877 values(4,3);
|
||||
create or replace procedure p_1144877 as
|
||||
begin
|
||||
create sql security invoker view v_1144877 as select * from s_1144877.sql_security_1144877;
|
||||
|
||||
create sql security definer view v_1144877_1 as select * from sql_security_1144877;
|
||||
end;
|
||||
/
|
||||
call p_1144877();
|
||||
p_1144877
|
||||
-----------
|
||||
|
||||
(1 row)
|
||||
|
||||
--root pass
|
||||
select * from v_1144877 order by 1,2;
|
||||
id | cal
|
||||
----+-----
|
||||
2 | 1
|
||||
3 | 2
|
||||
4 | 3
|
||||
(3 rows)
|
||||
|
||||
select * from v_1144877_1 order by 1,2;
|
||||
id | cal
|
||||
----+-----
|
||||
1 | 1
|
||||
2 | 2
|
||||
3 | 3
|
||||
(3 rows)
|
||||
|
||||
--a call
|
||||
grant select on v_1144877 to use_a_1144877;
|
||||
grant select on v_1144877_1 to use_a_1144877;
|
||||
grant all on table s_1144877.sql_security_1144877 to use_a_1144877;
|
||||
set role use_a_1144877 password 'A@123456';
|
||||
select * from v_1144877 order by 1,2;
|
||||
ERROR: permission denied for schema s_1144877
|
||||
DETAIL: N/A
|
||||
select * from v_1144877_1 order by 1,2;
|
||||
id | cal
|
||||
----+-----
|
||||
1 | 1
|
||||
2 | 2
|
||||
3 | 3
|
||||
(3 rows)
|
||||
|
||||
reset role;
|
||||
drop user use_a_1144877 cascade;
|
||||
drop user use_b_1144877 cascade;
|
||||
\c regression
|
||||
drop database db_a1144877;
|
||||
|
||||
@ -1724,3 +1724,50 @@ drop database b_cmpt_db;
|
||||
drop database db_a1144425;
|
||||
DROP USER test_c;
|
||||
DROP USER test_d;
|
||||
|
||||
-- view sql security bugfix
|
||||
create database db_a1144877 dbcompatibility 'B';
|
||||
\c db_a1144877;
|
||||
|
||||
create user use_a_1144877 identified by 'A@123456';
|
||||
create user use_b_1144877 identified by 'A@123456';
|
||||
--create
|
||||
create table sql_security_1144877(id int,cal int);
|
||||
insert into sql_security_1144877 values(1,1);
|
||||
insert into sql_security_1144877 values(2,2);
|
||||
insert into sql_security_1144877 values(3,3);
|
||||
|
||||
create schema s_1144877;
|
||||
create table s_1144877.sql_security_1144877(id int,cal int);
|
||||
insert into s_1144877.sql_security_1144877 values(2,1);
|
||||
insert into s_1144877.sql_security_1144877 values(3,2);
|
||||
insert into s_1144877.sql_security_1144877 values(4,3);
|
||||
|
||||
create or replace procedure p_1144877 as
|
||||
begin
|
||||
create sql security invoker view v_1144877 as select * from s_1144877.sql_security_1144877;
|
||||
|
||||
create sql security definer view v_1144877_1 as select * from sql_security_1144877;
|
||||
end;
|
||||
/
|
||||
|
||||
call p_1144877();
|
||||
--root pass
|
||||
select * from v_1144877 order by 1,2;
|
||||
select * from v_1144877_1 order by 1,2;
|
||||
|
||||
--a call
|
||||
grant select on v_1144877 to use_a_1144877;
|
||||
grant select on v_1144877_1 to use_a_1144877;
|
||||
grant all on table s_1144877.sql_security_1144877 to use_a_1144877;
|
||||
set role use_a_1144877 password 'A@123456';
|
||||
select * from v_1144877 order by 1,2;
|
||||
select * from v_1144877_1 order by 1,2;
|
||||
|
||||
reset role;
|
||||
|
||||
drop user use_a_1144877 cascade;
|
||||
drop user use_b_1144877 cascade;
|
||||
|
||||
\c regression
|
||||
drop database db_a1144877;
|
||||
Reference in New Issue
Block a user