0 速查
被授权的对象在系统表中记录授权信息,例如pg_namespace中的nspacl列:
{mingjie=UC/mingjie,=UC/mingjie,pusr1=UC/mingjie}
pusr1=UC/mingjie的含义:
- mingjie是赋予者
- pusr1是被赋予者
- UC是权限,表示USAGE和CREATE
1 视图权限案例
有时会遇到下面场景,访问一个视图没有权限:
drop schema sch1 cascade;
drop user pusr1;
drop user pusr2;
create user pusr1;
create user pusr2;
create schema sch1;
create procedure sch1.func1(i int) as $$
begin
raise notice 'func1';
end;
$$ language plpgsql;
\c - pusr1
call sch1.func1(1);
结果
查看namespace视图:
这种情况下,添加两种权限都可以访问函数:
grant all on schema sch1 to public;
grant all on schema sch1 to pusr1;
这里我们看到namespace元数据增加了两条规则,对应两条grant:
grant all on schema sch1 to public; → =UC/mingjie
grant all on schema sch1 to pusr1; → pusr1=UC/mingjie
显然这两条规则就是权限判断的依据,下面分析这两条规则的使用流程。
2 权限判定流程分析
部分代码
static AclMode
pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
AclMode mask, AclMaskHow how)
{
...
...
查pg_namespace表:
tuple = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(nsp_oid));
检查owner是谁?
ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
拿到规则aclDatum:{mingjie=UC/mingjie,=UC/mingjie,pusr1=UC/mingjie}
aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl,
&isNull);
默认没grant的时候aclDatum字段是isNull,这时候owner有权限访问,其他没权限。
if (isNull)
{
/* No ACL, so build default ACL */
acl = acldefault(OBJECT_SCHEMA, ownerId);
aclDatum = (Datum) 0;
}
有grant后,aclDatum字段有值了,把{mingjie=UC/mingjie,=UC/mingjie,pusr1=UC/mingjie}传入,detoast后变成valena变长类型。
else
{
/* detoast ACL if necessary */
acl = DatumGetAclP(aclDatum);
}
拿着acl进入aclmask处理,判断roleid是否有访问权限。
result = aclmask(acl, roleid, ownerId, mask, how);
...
...
return result;
}
aclmask函数
AclMode
aclmask(const Acl *acl, Oid roleid, Oid ownerId,
AclMode mask, AclMaskHow how)
{
入参:
- valena变量含义
{mingjie=UC/mingjie,=UC/mingjie,pusr1=UC/mingjie} - roleid:24601表示pusr1。
- ownerId:10表示建库的超级用户。
- mask:256表示
#define ACL_USAGE (1<<8) /* for various object types */ - how:ACLMASK_ANY
num = ACL_NUM(acl);
aidat = ACL_DAT(acl);
num = 3
(gdb) p aidat[0]
$6 = {ai_grantee = 10, ai_grantor = 10, ai_privs = 768}
(gdb) p aidat[1
$7 = {ai_grantee = 0, ai_grantor = 10, ai_privs = 768}
(gdb) p aidat[2
$8 = {ai_grantee = 24601, ai_grantor = 10, ai_privs = 768}
这里解释下这三个数据的含义
$8 = {ai_grantee = 24601, ai_grantor = 10, ai_privs = 768}
10表示建库的超级用户,赋予,24601表示pusr1,768的权限
768 = 1100000000 = ACL_USAGE | ACL_CREATE
#define ACL_USAGE (1<<8) /* for various object types */
#define ACL_CREATE (1<<9) /* for namespaces and databases */
注意这里有一个特殊的ai_grantee:ACL_ID_PUBLIC=0,表示被授权者是任意用户。
下面循环就是对上述逻辑进行判断:
/*
* Check privileges granted directly to roleid or to public
*/
for (i = 0; i < num; i++)
{
AclItem *aidata = &aidat[i];
if (aidata->ai_grantee == ACL_ID_PUBLIC ||
aidata->ai_grantee == roleid)
{
result |= aidata->ai_privs & mask;
if ((how == ACLMASK_ALL) ? (result == mask) : (result != 0))
返回256:ACL_USAGE
return result;
}
}
...
...
}
grant__to_public_165">3 系统schema的grant … to public是哪里赋值的?
注意到pg_catalog、public、information_schema三者都是有初始授权的,记录下赋值方法和位置。
postgres=> select * from pg_namespace ;
oid | nspname | nspowner | nspacl
-------+--------------------+----------+---------------------------------------------------------------
99 | pg_toast | 10 |
11 | pg_catalog | 10 | {mingjie=UC/mingjie,=U/mingjie}
2200 | public | 6171 | {pg_database_owner=UC/pg_database_owner,=U/pg_database_owner}
13918 | information_schema | 10 | {mingjie=UC/mingjie,=U/mingjie}
information_schema
在information_schema.sql中赋权:
CREATE SCHEMA information_schema;
GRANT USAGE ON SCHEMA information_schema TO PUBLIC;
SET search_path TO information_schema;
pg_catalog / public
pg_namespace.dat里面插入pg_catalog的tuple,但没有权限信息:
[
{ oid => '11', oid_symbol => 'PG_CATALOG_NAMESPACE',
descr => 'system catalog schema',
nspname => 'pg_catalog', nspacl => '_null_' },
{ oid => '99', oid_symbol => 'PG_TOAST_NAMESPACE',
descr => 'reserved schema for TOAST tables',
nspname => 'pg_toast', nspacl => '_null_' },
# update dumpNamespace() if changing this descr
{ oid => '2200', oid_symbol => 'PG_PUBLIC_NAMESPACE',
descr => 'standard public schema',
nspname => 'public', nspowner => 'pg_database_owner', nspacl => '_null_' },
]
initdb初始化时在这里给pg_catalog授权:
(gdb) bt
#0 ExecGrant_common (istmt=0x7ffcc262d0c0, classid=2615, default_privs=768, object_check=0x0) at aclchk.c:2170
#1 0x000000000059d7d1 in ExecGrantStmt_oids (istmt=0x7ffcc262d0c0) at aclchk.c:625
#2 0x000000000059d6a6 in ExecuteGrantStmt (stmt=0x27458c8) at aclchk.c:583
#3 0x00000000009c0d56 in ProcessUtilitySlow (pstate=0x283fd28, pstmt=0x2745998, queryString=0x2744c88 "GRANT USAGE ON SCHEMA pg_catalog, public TO PUBLIC;\n", context=PROCESS_UTILITY_TOPLEVEL, params=0x0, queryEnv=0x0, dest=0xd64360 <debugtupDR>, qc=0x7ffcc262d890) at utility.c:1813
#4 0x00000000009bf16e in standard_ProcessUtility (pstmt=0x2745998, queryString=0x2744c88 "GRANT USAGE ON SCHEMA pg_catalog, public TO PUBLIC;\n", readOnlyTree=false, context=PROCESS_UTILITY_TOPLEVEL, params=0x0, queryEnv=0x0, dest=0xd64360 <debugtupDR>, qc=0x7ffcc262d890) at utility.c:977
#5 0x00000000009be69a in ProcessUtility (pstmt=0x2745998, queryString=0x2744c88 "GRANT USAGE ON SCHEMA pg_catalog, public TO PUBLIC;\n", readOnlyTree=false, context=PROCESS_UTILITY_TOPLEVEL, params=0x0, queryEnv=0x0, dest=0xd64360 <debugtupDR>, qc=0x7ffcc262d890) at utility.c:530
#6 0x00000000009bd2db in PortalRunUtility (portal=0x26f2bd8, pstmt=0x2745998, isTopLevel=true, setHoldSnapshot=false, dest=0xd64360 <debugtupDR>, qc=0x7ffcc262d890) at pquery.c:1158
#7 0x00000000009bd535 in PortalRunMulti (portal=0x26f2bd8, isTopLevel=true, setHoldSnapshot=false, dest=0xd64360 <debugtupDR>, altdest=0xd64360 <debugtupDR>, qc=0x7ffcc262d890) at pquery.c:1315
#8 0x00000000009bca6d in PortalRun (portal=0x26f2bd8, count=9223372036854775807, isTopLevel=true, run_once=true, dest=0xd64360 <debugtupDR>, altdest=0xd64360 <debugtupDR>, qc=0x7ffcc262d890) at pquery.c:791
#9 0x00000000009b6533 in exec_simple_query (query_string=0x2744c88 "GRANT USAGE ON SCHEMA pg_catalog, public TO PUBLIC;\n") at postgres.c:1274
#10 0x00000000009babc3 in PostgresMain (dbname=0x2699be0 "template1", username=0x2699350 "mingjie") at postgres.c:4637
#11 0x00000000009ba472 in PostgresSingleUserMain (argc=12, argv=0x2693a50, username=0x2699350 "mingjie") at postgres.c:4096
#12 0x00000000007b821e in main (argc=12, argv=0x2693a50) at main.c:195
![[FineReport]安装与使用(连接Hive3.1.2)](https://img-blog.csdnimg.cn/f9fc1b418f2f451ba15fb6f60432cf66.png)
