It doesn't currently seem possible to switch between different users using
SET SESSION AUTHORIZATION. If I log in as the superuser and switch to
another user that works, but if I then switch to a second user in succession
I get permission denied when I try to select from a table that the user does
have access to. Following is a cut and paste of two sessions showing what I
mean (with certain details masked out).
defender# psql db1-U pgsql
lcome to psql 7.4, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
paygw=# set search_path to poi,public;
SET
paygw=# set session authorization poi;
SET
paygw=> select * from get_accountsettings_by_username('poi');
settletype | fraudchecks | mer_id | username | cgipass | test_card |
testcard_status | network | dupchecks | gatewaypass | duptime |
itemtypes_allowed | debug_log
------------+-------------+--------+----------+---------+------------------+
-----------------+---------+-----------+-------------+-----------+----------
---------+-----------
AUTO | OFF | 9300 | poi | XXXX| XXXXXXXXXX |
vital | OFF | | 1 seconds | 1 | ON
(1 row)
paygw=> reset session authorization;
RESET
paygw=# set search_path to jdonline,public;
SET
paygw=# set session authorization jdonline;
SET
paygw=> select * from get_accountsettings_by_username('jdonline');
ERROR: permission denied for relation account_settings
CONTEXT: PL/pgSQL function "get_accountsettings_by_username" line 5 at
select into variables
paygw=> \q
-------------
psql db1 -U jdonline
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
paygw=> set search_path to jdonline,public;
SET
paygw=> select * from get_accountsettings_by_username('jdonline');
settletype | fraudchecks | mer_id | username | cgipass | test_card |
testcard_status | network | dupchecks | gatewaypass | duptime |
itemtypes_allowed | debug_log
------------+-------------+--------+----------+---------+------------------+
-----------------+---------+-----------+-------------+----------+-----------
--------+-----------
AUTO | OFF | 0502 | jdonline | XXXXXX|XXXX | fhms
| ON | | 3 months | 1 | ON
(1 row)
paygw=>
---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match 5 2052
A followup on this. If I "select * from account_settings" directly it
works, but if I call the function "get_accountsettings_by_username" it
fails. So it seems like an issue with functions in particular. Following
is the function in question if that helps.
CREATE OR REPLACE FUNCTION get_accountsettings_by_username(varchar) RETURNS
acctsettingsrec AS
'
DECLARE
r acctsettingsrec%ROWTYPE;
in_username ALIAS FOR $1;
BEGIN
SELECT INTO r
settletype,fraudchecks,mer_id,username,cgipass,tes t_card,testcard_status,net
work,dupchecks,gatewaypass,duptime,item
types_allowed,debug_log from account_settings where username = in_username;
RETURN r;
END '
LANGUAGE 'plpgsql';
----- Original Message -----
From: "Chris Ochs" <ch***@paymentonline.com>
To: <pg***********@postgresql.org>
Sent: Monday, June 21, 2004 8:07 AM
Subject: [GENERAL] Possible SET SESSION AUTHORIZATION bug It doesn't currently seem possible to switch between different users using SET SESSION AUTHORIZATION. If I log in as the superuser and switch to another user that works, but if I then switch to a second user in
succession I get permission denied when I try to select from a table that the user
does have access to. Following is a cut and paste of two sessions showing what
I mean (with certain details masked out).
defender# psql db1-U pgsql lcome to psql 7.4, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms \h for help with SQL commands \? for help on internal slash commands \g or terminate with semicolon to execute query \q to quit
paygw=# set search_path to poi,public; SET paygw=# set session authorization poi; SET paygw=> select * from get_accountsettings_by_username('poi'); settletype | fraudchecks | mer_id | username | cgipass | test_card
| testcard_status | network | dupchecks | gatewaypass | duptime | itemtypes_allowed | debug_log ------------+-------------+--------+----------+---------+-----------------
-+ -----------------+---------+-----------+-------------+-----------+--------
-- ---------+----------- AUTO | OFF | 9300 | poi | XXXX| XXXXXXXXXX | vital | OFF | | 1 seconds | 1 | ON (1 row)
paygw=> reset session authorization; RESET paygw=# set search_path to jdonline,public; SET paygw=# set session authorization jdonline; SET paygw=> select * from get_accountsettings_by_username('jdonline'); ERROR: permission denied for relation account_settings CONTEXT: PL/pgSQL function "get_accountsettings_by_username" line 5 at select into variables paygw=> \q
------------- psql db1 -U jdonline
Type: \copyright for distribution terms \h for help with SQL commands \? for help on internal slash commands \g or terminate with semicolon to execute query \q to quit
paygw=> set search_path to jdonline,public; SET paygw=> select * from get_accountsettings_by_username('jdonline'); settletype | fraudchecks | mer_id | username | cgipass | test_card
| testcard_status | network | dupchecks | gatewaypass | duptime | itemtypes_allowed | debug_log ------------+-------------+--------+----------+---------+-----------------
-+ -----------------+---------+-----------+-------------+----------+---------
-- --------+----------- AUTO | OFF | 0502 | jdonline | XXXXXX|XXXX |
fhms | ON | | 3 months | 1 | ON (1 row)
paygw=>
---------------------------(end of broadcast)--------------------------- TIP 9: the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match
---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings
Ok this probably isn't a bug but a side affect of how functions are cached.
Changing the function to use EXECUTE to perform the query works. I don't
know if this particular scenario was ever even though of before, or if in
the future it would make sense to have the query planner not cache the
session user/current user? I'll leave that to those that understand the
implications more than I do.
Chris
----- Original Message -----
From: "Chris Ochs" <ch***@paymentonline.com>
To: <pg***********@postgresql.org>
Sent: Monday, June 21, 2004 8:25 AM
Subject: Re: [GENERAL] Possible SET SESSION AUTHORIZATION bug A followup on this. If I "select * from account_settings" directly it works, but if I call the function "get_accountsettings_by_username" it fails. So it seems like an issue with functions in particular. Following is the function in question if that helps.
CREATE OR REPLACE FUNCTION get_accountsettings_by_username(varchar)
RETURNS acctsettingsrec AS ' DECLARE r acctsettingsrec%ROWTYPE; in_username ALIAS FOR $1; BEGIN SELECT INTO r
settletype,fraudchecks,mer_id,username,cgipass,tes t_card,testcard_status,net work,dupchecks,gatewaypass,duptime,item types_allowed,debug_log from account_settings where username =
in_username; RETURN r; END ' LANGUAGE 'plpgsql';
----- Original Message ----- From: "Chris Ochs" <ch***@paymentonline.com> To: <pg***********@postgresql.org> Sent: Monday, June 21, 2004 8:07 AM Subject: [GENERAL] Possible SET SESSION AUTHORIZATION bug
It doesn't currently seem possible to switch between different users
using SET SESSION AUTHORIZATION. If I log in as the superuser and switch to another user that works, but if I then switch to a second user in succession I get permission denied when I try to select from a table that the user does have access to. Following is a cut and paste of two sessions showing
what I mean (with certain details masked out).
defender# psql db1-U pgsql lcome to psql 7.4, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms \h for help with SQL commands \? for help on internal slash commands \g or terminate with semicolon to execute query \q to quit
paygw=# set search_path to poi,public; SET paygw=# set session authorization poi; SET paygw=> select * from get_accountsettings_by_username('poi'); settletype | fraudchecks | mer_id | username | cgipass | test_card | testcard_status | network | dupchecks | gatewaypass | duptime | itemtypes_allowed | debug_log
------------+-------------+--------+----------+---------+----------------- -+
-----------------+---------+-----------+-------------+-----------+-------- -- ---------+----------- AUTO | OFF | 9300 | poi | XXXX| XXXXXXXXXX
| vital | OFF | | 1 seconds | 1 | ON (1 row)
paygw=> reset session authorization; RESET paygw=# set search_path to jdonline,public; SET paygw=# set session authorization jdonline; SET paygw=> select * from get_accountsettings_by_username('jdonline'); ERROR: permission denied for relation account_settings CONTEXT: PL/pgSQL function "get_accountsettings_by_username" line 5 at select into variables paygw=> \q
------------- psql db1 -U jdonline
Type: \copyright for distribution terms \h for help with SQL commands \? for help on internal slash commands \g or terminate with semicolon to execute query \q to quit
paygw=> set search_path to jdonline,public; SET paygw=> select * from get_accountsettings_by_username('jdonline'); settletype | fraudchecks | mer_id | username | cgipass | test_card
| testcard_status | network | dupchecks | gatewaypass | duptime | itemtypes_allowed | debug_log
------------+-------------+--------+----------+---------+----------------- -+
-----------------+---------+-----------+-------------+----------+--------- -- --------+----------- AUTO | OFF | 0502 | jdonline | XXXXXX|XXXX | fhms | ON | | 3 months | 1 | ON (1 row)
paygw=>
---------------------------(end of broadcast)--------------------------- TIP 9: the planner will ignore your desire to choose an index scan if
your joining column's datatypes do not match
---------------------------(end of broadcast)--------------------------- TIP 7: don't forget to increase your free space map settings
---------------------------(end of broadcast)---------------------------
TIP 8: explain analyze is your friend
"Chris Ochs" <ch***@paymentonline.com> writes: Ok this probably isn't a bug but a side affect of how functions are cached. Changing the function to use EXECUTE to perform the query works. I don't know if this particular scenario was ever even though of before, or if in the future it would make sense to have the query planner not cache the session user/current user?
It doesn't cache that. I'm not sure what's going on here ... could you
provide a self-contained test script?
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
"Chris Ochs" <ch***@paymentonline.com> writes: On my system I get permission denied when I switch to pgtest2 and select * from pgtest_func.
What's being cached here is not the authorization, but the table
reference --- that is, the function's SELECT FROM pgtest_table
is resolved as pgtest1.pgtest_table the first time you run it,
and that remains true even though the schema search path is
different during the second call. The permissions failure occurs
because the correct user is trying to access the wrong table,
not wrong user and right table.
There's been some talk of trying to deal with this by associating
cached plans with particular schema search path strings, but no
one's done anything about it yet --- it looks expensive, and it
wouldn't prevent every failure of this sort anyway. Consider
for example that your search path is a,b,c, and on the first time
through "t1" is resolved as "b.t1". Now you create an "a.t1"
and call the function again. The search path is still the same,
so a cache based on checking that would not notice that it ought
to recompile the query.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match
Makes sense thanks for the explanation. Using FOR-IN-EXECUTE works just as
well in our case. Every call to the function is likely to be a different
schema, so caching wouldn't help us much anyways. The only negative is
that the functions get uglier using EXECUTE:)
Chris
----- Original Message -----
From: "Tom Lane" <tg*@sss.pgh.pa.us>
To: "Chris Ochs" <ch***@paymentonline.com>
Cc: <pg***********@postgreSQL.org>
Sent: Monday, June 21, 2004 5:52 PM
Subject: Re: [GENERAL] Possible SET SESSION AUTHORIZATION bug "Chris Ochs" <ch***@paymentonline.com> writes: On my system I get permission denied when I switch to pgtest2 and select
* from pgtest_func.
What's being cached here is not the authorization, but the table reference --- that is, the function's SELECT FROM pgtest_table is resolved as pgtest1.pgtest_table the first time you run it, and that remains true even though the schema search path is different during the second call. The permissions failure occurs because the correct user is trying to access the wrong table, not wrong user and right table.
There's been some talk of trying to deal with this by associating cached plans with particular schema search path strings, but no one's done anything about it yet --- it looks expensive, and it wouldn't prevent every failure of this sort anyway. Consider for example that your search path is a,b,c, and on the first time through "t1" is resolved as "b.t1". Now you create an "a.t1" and call the function again. The search path is still the same, so a cache based on checking that would not notice that it ought to recompile the query.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Edward Mitchell |
last post by:
I have an app that requires the user to login before accessing a
Register.aspx form. I am using Forms authorization so the lines in the
Web.config file are:
<authentication mode="Forms">...
|
by: bharath |
last post by:
Hi
Can anyone help me with Session Management in ASP.NET. I have a web
application with a login page and i need to retain the username after
he logs in. This is what I have in Config Files
...
|
by: zbychu |
last post by:
Hi,
I have a problem with a special sql.
My configuration : IBM DB2 V8.1.5 / AIX
Procedure:
CREATE PROCEDURE DB2TARAN.SetSessionAutor()
SPECIFIC x.SetSessionAutor
LANGUAGE SQL
P1: BEGIN
|
by: Matt |
last post by:
Hello,
I'm working on a portal derived from IBuySpy, and I have changed
I check username and pwd against a database, then I make a
Session= UserID (the ID I get from the database, if it...
|
by: na |
last post by:
I am using form authentication and InProc cookieless session. The
strange thing is that when an authenticated user try to navigate to any
page that is in subfolder of the application root, the...
|
by: jack |
last post by:
HI i have tried different types of form based authentications but im
not able to get how to make a session level authorization.
im a begginer
and im not able to make that difference off like what...
|
by: Tomas Martinez |
last post by:
Hi,
Well, my problem is so simple as it says in the subjet but very frustrating
also. I have a project and it is losing the session variables with each
postback, so I downloaded from the web a...
|
by: =?Utf-8?B?V2FubmFiZQ==?= |
last post by:
I've been on this for a while, and cannot figure it out. Can someone please
help with this message?
SessionState can only be used when EnableSessionState is set to true, either
in a...
|
by: Bjorn Sagbakken |
last post by:
In a web-application with login creds (user, pwd), these are checked against
a user table on a SQL server. On a positive validation I have saved the
userID, name, custno and role-settings in a...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |