From bf038899965263dbc4aef2b43c8fdfe6f49b788f Mon Sep 17 00:00:00 2001 From: Stephen Frost Date: Thu, 19 Mar 2015 15:02:33 -0400 Subject: GetUserId() changes to has_privs_of_role() The pg_stat and pg_signal-related functions have been using GetUserId() instead of has_privs_of_role() for checking if the current user should be able to see details in pg_stat_activity or signal other processes, requiring a user to do 'SET ROLE' for inheirited roles for a permissions check, unlike other permissions checks. This patch changes that behavior to, instead, act like most other permission checks and use has_privs_of_role(), removing the 'SET ROLE' need. Documentation and error messages updated accordingly. Per discussion with Alvaro, Peter, Adam (though not using Adam's patch), and Robert. Reviewed by Jeevan Chalke. --- src/backend/utils/adt/pgstatfuncs.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'src/backend/utils/adt/pgstatfuncs.c') diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index 9964c5e1032..78adb2d853c 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -20,6 +20,7 @@ #include "libpq/ip.h" #include "miscadmin.h" #include "pgstat.h" +#include "utils/acl.h" #include "utils/builtins.h" #include "utils/inet.h" #include "utils/timestamp.h" @@ -675,8 +676,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) else nulls[15] = true; - /* Values only available to same user or superuser */ - if (superuser() || beentry->st_userid == GetUserId()) + /* Values only available to role member */ + if (has_privs_of_role(GetUserId(), beentry->st_userid)) { SockAddr zero_clientaddr; @@ -878,7 +879,7 @@ pg_stat_get_backend_activity(PG_FUNCTION_ARGS) if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) activity = ""; - else if (!superuser() && beentry->st_userid != GetUserId()) + else if (!has_privs_of_role(GetUserId(), beentry->st_userid)) activity = ""; else if (*(beentry->st_activity) == '\0') activity = ""; @@ -899,7 +900,7 @@ pg_stat_get_backend_waiting(PG_FUNCTION_ARGS) if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); - if (!superuser() && beentry->st_userid != GetUserId()) + if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_waiting; @@ -918,7 +919,7 @@ pg_stat_get_backend_activity_start(PG_FUNCTION_ARGS) if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); - if (!superuser() && beentry->st_userid != GetUserId()) + if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_activity_start_timestamp; @@ -944,7 +945,7 @@ pg_stat_get_backend_xact_start(PG_FUNCTION_ARGS) if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); - if (!superuser() && beentry->st_userid != GetUserId()) + if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_xact_start_timestamp; @@ -966,7 +967,7 @@ pg_stat_get_backend_start(PG_FUNCTION_ARGS) if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); - if (!superuser() && beentry->st_userid != GetUserId()) + if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_proc_start_timestamp; @@ -990,7 +991,7 @@ pg_stat_get_backend_client_addr(PG_FUNCTION_ARGS) if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); - if (!superuser() && beentry->st_userid != GetUserId()) + if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); /* A zeroed client addr means we don't know */ @@ -1037,7 +1038,7 @@ pg_stat_get_backend_client_port(PG_FUNCTION_ARGS) if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); - if (!superuser() && beentry->st_userid != GetUserId()) + if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); /* A zeroed client addr means we don't know */ -- cgit v1.2.3