[PATCH] [v8.5] Security checks on largeobjects

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: [PATCH] [v8.5] Security checks on largeobjects
Date: 2009-06-26 04:08:37
Message-ID: 4A4449C5.6070400@ak.jp.nec.com
Lists: pgsql-hackers

This patch adds support for DAC security checks on largeobjects.

The enhanced GRANT/REVOKE statement allows setting SELECT (read) and
UPDATE (write) permission on individual largeobjects.

At the creation time, it checks ACL_CREATE on the schema object.
Because a largeobject currently does not have any human readable name
or qualified namespace, we assume the "public" namespace here.

At the deletion time, it checks ownership of the largeobject.
Only the resource owner and superusers can drop largeobjects.

The ownership and schema can be set using:
ALTER LARGE OBJECT <lobj> OWNER TO <role>;
ALTER LARGE OBJECT <lobj> SET SCHEMA <schema>;

Because the current pg_largeobject system catalog cannot store metadata
of the largeobjects, its data structure is modified.

CATALOG(pg_largeobject,2613)
{
Oid lonsp; /* OID of the namespace */
Oid loowner; /* OID of the owner */
aclitem loacl[1]; /* access permissions */
} FormData_pg_largeobject;

The current pg_largeobject is renamed to pg_largeobject_data.
One or multiple tuples within pg_largeobject_data point to
a record within pg_largeobject which holds the metadata of a
certain largeobject.

CATALOG(pg_largeobject_data,2966) BKI_WITHOUT_OIDS
{
Oid loid; /* Identifier of large object */
int4 pageno; /* Page number (starting from 0) */
bytea data; /* Data for page (may be zero-length) */
} FormData_pg_largeobject_data;

Issues:
* Is ALTER LARGE OBJECT interface suitable?
* How should we consider the namespace (schema) and the ownership
of the largeobject?
* Is a named large object (including a fully qualified one) worth it?
It will enable us to specify a largeobject with a human readable
identifier string.
* Is the data structure appropriate?
- As an aside, pg_largeobject_data has an identical definition
to TOAST tables. It may be possible to store them within a TOAST
table.
* If so, it may also resolve another Todo item:
- Allow read/write into TOAST values like large objects

Memo:
http://wiki.postgresql.org/wiki/Largeobject_Enhancement

Example:
postgres=# REVOKE ALL ON LARGE OBJECT 1234 FROM PUBLIC;
REVOKE
postgres=# GRANT SELECT ON LARGE OBJECT 1234 TO ymj;
GRANT
postgres=# GRANT SELECT,UPDATE ON LARGE OBJECT 1234 TO tak;
GRANT

postgres=# \c - ymj
psql (8.4rc2)
You are now connected to database "postgres" as user "ymj".
postgres=> SELECT loread(lo_open(1234, x'40000'::int), 10);
loread
------------
1234567890
(1 row)

postgres=> SELECT lowrite(lo_open(1234, x'20000'::int), 'abcdefg');
ERROR: permission denied for largeobject largeobject:1234

postgres=> \c - tak
psql (8.4rc2)
You are now connected to database "postgres" as user "tak".
postgres=> SELECT lowrite(lo_open(1234, x'20000'::int), 'abcdefg');
lowrite
---------
7
(1 row)

Scale of the patch:
[kaigai(at)saba ]$ diffstat pgsql-lobj-perms-8.4rc2-r2080.patch
backend/catalog/Makefile | 6
backend/catalog/aclchk.c | 243 ++++++++++++++++++++++++++++++
backend/catalog/dependency.c | 15 +
backend/catalog/pg_largeobject.c | 265 ++++++++++++!!!!!!!!!!!!!!!!!!!!
backend/commands/alter.c | 9 +
backend/libpq/be-fsstubs.c | 25 +++
backend/parser/gram.y | 28 +++
backend/storage/large_object/inv_api.c | 140 +++------!!!!!!
backend/tcop/utility.c | 6
backend/utils/adt/acl.c | 4
backend/utils/cache/syscache.c | 13 +
include/catalog/dependency.h | 1
include/catalog/indexing.h | 7
include/catalog/pg_largeobject.h | 21 !!
include/catalog/pg_largeobject_data.h | 54 ++++++
include/catalog/toasting.h | 1
include/nodes/parsenodes.h | 1
include/utils/acl.h | 7
include/utils/syscache.h | 1
test/regress/expected/sanity_check.out | 3
test/regress/input/largeobject.source | 95 +++++++++++
test/regress/output/largeobject.source | 175 +++++++++++++++++++++
22 files changed, 803 insertions(+), 46 deletions(-), 271 modifications(!)

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
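As an added example (not part of the patch or the posted session), the script below sets up an object with the least-privilege grant pattern shown above and then audits the proposed catalog for objects still reachable by PUBLIC. It assumes the patch's GRANT/REVOKE ON LARGE OBJECT syntax and its pg_largeobject columns (loowner, loacl) exactly as described in the mail, that roles ymj and tak exist, and that aclexplode() is available (8.4 and later).

```sql
-- Added example; assumes the patch's syntax and catalog layout, not stock 8.4.
-- Setup, run as the large object's owner: create OID 1234 and write one page.
-- x'20000' is INV_WRITE and x'40000' is INV_READ, as in the posted session.
SELECT lo_create(1234);
SELECT lowrite(lo_open(1234, x'20000'::int), '1234567890');

-- Least privilege: drop whatever PUBLIC holds, then grant per role.
REVOKE ALL ON LARGE OBJECT 1234 FROM PUBLIC;
GRANT SELECT ON LARGE OBJECT 1234 TO ymj;             -- read only
GRANT SELECT, UPDATE ON LARGE OBJECT 1234 TO tak;     -- read and write

-- Audit 1: decode every ACL entry of every large object.
-- aclexplode() returns (grantor, grantee, privilege_type, is_grantable);
-- grantee 0 is the PUBLIC pseudo-role. The set-returning function sits in
-- the SELECT list so the query does not need LATERAL.
SELECT s.loid,
       pg_get_userbyid(s.loowner)                        AS owner,
       CASE (s.acl).grantee
            WHEN 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid((s.acl).grantee)
       END                                               AS grantee,
       (s.acl).privilege_type                            AS privilege
FROM (SELECT oid AS loid, loowner, aclexplode(loacl) AS acl
      FROM pg_largeobject) AS s
ORDER BY s.loid, grantee, privilege;

-- Audit 2: list objects where PUBLIC still holds any privilege, i.e. objects
-- on which the REVOKE above has not been applied.
SELECT DISTINCT s.loid
FROM (SELECT oid AS loid, aclexplode(loacl) AS acl FROM pg_largeobject) AS s
WHERE (s.acl).grantee = 0
ORDER BY s.loid;

-- Audit 3: objects with no ACL at all (loacl IS NULL), which fall back to the
-- patch's default behaviour and deserve an explicit REVOKE/GRANT decision.
SELECT oid AS loid, pg_get_userbyid(loowner) AS owner
FROM pg_largeobject
WHERE loacl IS NULL
ORDER BY loid;
```

After the script runs, reconnecting as ymj and tak reproduces the posted session: loread succeeds for both, lowrite fails for ymj and succeeds for tak.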

Attachment Content-Type Size
pgsql-lobj-perms-8.4rc2-r2080.patch.gz application/gzip 14.1 KB
