Parameters reported as of the current release include
<literal>server_version</> (cannot change after startup);
<literal>server_encoding</> (also not presently changeable after start);
-<literal>client_encoding</>, and
+<literal>client_encoding</>,
+<literal>is_superuser</>, and
<literal>DateStyle</>.
</para>
<literal>server_version</> (a pseudo-parameter that cannot change after
startup);
<literal>server_encoding</> (also not presently changeable after start);
- <literal>client_encoding</>, and
+ <literal>client_encoding</>,
+ <literal>is_superuser</>, and
<literal>DateStyle</>.
This set might change in the future, or even become configurable.
Accordingly, a frontend should simply ignore ParameterStatus for
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><literal>IS_SUPERUSER</literal></term>
+ <listitem>
+ <para>
+ True if the current session authorization identifier has
+ superuser privileges.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</listitem>
* When resetting session auth after an error, we can't expect to do catalog
* lookups. Hence, the stored form of the value must provide a numeric userid
* that can be re-used directly. We store the string in the form of
- * NAMEDATALEN 'x's followed by the numeric userid --- this cannot conflict
- * with any valid user name, because of the NAMEDATALEN limit on names.
+ * NAMEDATALEN 'x's, followed by T or F to indicate superuserness, followed
+ * by the numeric userid --- this cannot conflict with any valid user name,
+ * because of the NAMEDATALEN limit on names.
*/
const char *
assign_session_authorization(const char *value, bool doit, bool interactive)
{
AclId usesysid = 0;
+ bool is_superuser = false;
char *result;
- if (strspn(value, "x") == NAMEDATALEN)
+ if (strspn(value, "x") == NAMEDATALEN &&
+ (value[NAMEDATALEN] == 'T' || value[NAMEDATALEN] == 'F'))
{
/* might be a saved numeric userid */
char *endptr;
- usesysid = (AclId) strtoul(value + NAMEDATALEN, &endptr, 10);
+ usesysid = (AclId) strtoul(value + NAMEDATALEN + 1, &endptr, 10);
- if (endptr != value + NAMEDATALEN && *endptr == '\0')
+ if (endptr != value + NAMEDATALEN + 1 && *endptr == '\0')
{
- /* syntactically valid, so use the numeric user ID */
+ /* syntactically valid, so use the numeric user ID and flag */
+ is_superuser = (value[NAMEDATALEN] == 'T');
}
else
usesysid = 0;
}
usesysid = ((Form_pg_shadow) GETSTRUCT(userTup))->usesysid;
-
+ is_superuser = ((Form_pg_shadow) GETSTRUCT(userTup))->usesuper;
+
ReleaseSysCache(userTup);
}
if (doit)
- SetSessionAuthorization(usesysid);
+ SetSessionAuthorization(usesysid, is_superuser);
result = (char *) malloc(NAMEDATALEN + 32);
if (!result)
memset(result, 'x', NAMEDATALEN);
- snprintf(result + NAMEDATALEN, 32, "%lu", (unsigned long) usesysid);
+ snprintf(result + NAMEDATALEN, 32, "%c%lu",
+ is_superuser ? 'T' : 'F',
+ (unsigned long) usesysid);
return result;
}
SetSessionUserId(usesysid); /* sets CurrentUserId too */
- /* Record username as a config option too */
+ /* Record username and superuser status as GUC settings too */
SetConfigOption("session_authorization", username,
PGC_BACKEND, PGC_S_OVERRIDE);
+ SetConfigOption("is_superuser",
+ AuthenticatedUserIsSuperuser ? "on" : "off",
+ PGC_INTERNAL, PGC_S_OVERRIDE);
/*
* Set up user-specific configuration variables. This is a good place
/*
* Change session auth ID while running
*
- * Only a superuser may set auth ID to something other than himself.
+ * Only a superuser may set auth ID to something other than himself. Note
+ * that in case of multiple SETs in a single session, the original userid's
+ * superuserness is what matters. But we set the GUC variable is_superuser
+ * to indicate whether the *current* session userid is a superuser.
*/
void
-SetSessionAuthorization(AclId userid)
+SetSessionAuthorization(AclId userid, bool is_superuser)
{
/* Must have authenticated already, else can't make permission check */
AssertState(AclIdIsValid(AuthenticatedUserId));
SetSessionUserId(userid);
SetUserId(userid);
+
+ SetConfigOption("is_superuser",
+ is_superuser ? "on" : "off",
+ PGC_INTERNAL, PGC_S_OVERRIDE);
}
## if an option is valid but shows up in only one file (guc.c but not
## postgresql.conf.sample), it should be listed here so that it
## can be ignored
-INTENTIONALLY_NOT_INCLUDED="pre_auth_delay lc_messages lc_monetary \
-lc_numeric lc_time seed server_encoding session_authorization \
-transaction_isolation transaction_read_only zero_damaged_pages"
+INTENTIONALLY_NOT_INCLUDED="autocommit debug_deadlocks exit_on_error \
+is_superuser lc_collate lc_ctype lc_messages lc_monetary lc_numeric lc_time \
+pre_auth_delay seed server_encoding server_version session_authorization \
+trace_lock_oidmin trace_lock_table trace_locks trace_lwlocks trace_notify \
+trace_userlocks transaction_isolation transaction_read_only \
+zero_damaged_pages"
### What options are listed in postgresql.conf.sample, but don't appear
### in guc.c?
static char *log_min_messages_str;
static char *client_min_messages_str;
static bool phony_autocommit;
+static bool session_auth_is_superuser;
static double phony_random_seed;
static char *client_encoding_string;
static char *datestyle_string;
true, NULL, NULL
},
+ /* Not for general use --- used by SET SESSION AUTHORIZATION */
+ {
+ {"is_superuser", PGC_INTERNAL, GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL},
+ &session_auth_is_superuser,
+ false, NULL, NULL
+ },
+
{
{"tcpip_socket", PGC_POSTMASTER}, &NetServer,
false, NULL, NULL
"SQL_ASCII", NULL, NULL
},
+ /* Can't be set in postgresql.conf */
{
{"server_version", PGC_INTERNAL, GUC_REPORT},
&server_version_string,
extern void SetSessionUserId(AclId userid);
extern void InitializeSessionUserId(const char *username);
extern void InitializeSessionUserIdStandalone(void);
-extern void SetSessionAuthorization(AclId userid);
+extern void SetSessionAuthorization(AclId userid, bool is_superuser);
extern void SetDataDir(const char *dir);
projects / users / bernd / postgres.git / commitdiff