Allow usage on schema for mdb_read_all_data (#23)

Author: reshke

src/backend/catalog/aclchk.c

@@ -4561,6 +4561,7 @@ pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
 	bool		isNull;
 	Acl		   *acl;
 	Oid			ownerId;
+	Oid			mdb_read_all_data_oid;
 
 	/* Superusers bypass all permission checking. */
 	if (superuser_arg(roleid))
@@ -4605,6 +4606,8 @@ pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
 
 	ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
 
+	mdb_read_all_data_oid = get_role_oid("mdb_read_all_data", true);
+
 	aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl,
 							   &isNull);
 	if (isNull)
@@ -4637,6 +4640,13 @@ pg_namespace_aclmask(Oid nsp_oid, Oid roleid,
 		(has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA) ||
 		 has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA)))
 		result |= ACL_USAGE;
+
+
+	if (mask & ACL_USAGE && !(result & ACL_USAGE) &&
+		has_privs_of_role(roleid, mdb_read_all_data_oid) && 
+		!has_privs_of_unwanted_system_role(ownerId, true))
+		result |= ACL_USAGE;
+
 	return result;
 }
 

src/test/regress/expected/mdb_read_write_roles.out

@@ -18,8 +18,10 @@ SET ROLE pg_write_all_data;
 CREATE TABLE regress_pgrwd_table();
 SET ROLE regress_mdb_superuser_user1;
 CREATE TABLE regress_mdbsu_table();
+CREATE SCHEMA regress_schema CREATE TABLE regress_mdbsu_table();
 SET ROLE regress_mdb_superuser_user2;
 CREATE TABLE regress_mdbsu_table2();
+CREATE SCHEMA regress_schema2 CREATE TABLE regress_mdbsu_table2();
 SET ROLE mdb_read_all_data;
 -- cannot read all data (fail)
 TABLE pg_authid;
@@ -45,6 +47,15 @@ TABLE regress_mdbsu_table2;
 --
 (0 rows)
 
+-- check USAGE of schema
+TABLE regress_schema.regress_mdbsu_table;
+--
+(0 rows)
+
+TABLE regress_schema2.regress_mdbsu_table2;
+--
+(0 rows)
+
 SET ROLE mdb_write_all_data;
 CREATE TABLE regress_tt_dat();
 -- cannot read all data (fail)
@@ -73,6 +84,10 @@ DROP TABLE regress_pgrad_table;
 DROP TABLE regress_pgrwd_table;
 DROP TABLE regress_mdbsu_table;
 DROP TABLE regress_mdbsu_table2;
+DROP TABLE regress_schema.regress_mdbsu_table;
+DROP TABLE regress_schema2.regress_mdbsu_table2;
+DROP SCHEMA regress_schema;
+DROP SCHEMA regress_schema2;
 DROP TABLE regress_superuser_table;
 REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user2;
 REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user3;

src/test/regress/sql/mdb_read_write_roles.sql

@@ -28,9 +28,11 @@ CREATE TABLE regress_pgrwd_table();
 
 SET ROLE regress_mdb_superuser_user1;
 CREATE TABLE regress_mdbsu_table();
+CREATE SCHEMA regress_schema CREATE TABLE regress_mdbsu_table();
 
 SET ROLE regress_mdb_superuser_user2;
 CREATE TABLE regress_mdbsu_table2();
+CREATE SCHEMA regress_schema2 CREATE TABLE regress_mdbsu_table2();
 
 SET ROLE mdb_read_all_data;
 -- cannot read all data (fail)
@@ -48,6 +50,9 @@ TABLE regress_pgwsf_table;
 TABLE regress_mdbsu_table;
 TABLE regress_mdbsu_table2;
 
+-- check USAGE of schema
+TABLE regress_schema.regress_mdbsu_table;
+TABLE regress_schema2.regress_mdbsu_table2;
 
 SET ROLE mdb_write_all_data;
 CREATE TABLE regress_tt_dat();
@@ -78,6 +83,13 @@ DROP TABLE regress_pgrwd_table;
 
 DROP TABLE regress_mdbsu_table;
 DROP TABLE regress_mdbsu_table2;
+
+DROP TABLE regress_schema.regress_mdbsu_table;
+DROP TABLE regress_schema2.regress_mdbsu_table2;
+
+DROP SCHEMA regress_schema;
+DROP SCHEMA regress_schema2;
+
 DROP TABLE regress_superuser_table;
 
 REVOKE CREATE ON DATABASE regression FROM regress_mdb_superuser_user2;