diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 811a68b3ec..063869c2ad 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -637,6 +637,17 @@ EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1;
Remote SQL: SELECT c1, c2 FROM public.loct_empty ORDER BY c1 ASC NULLS LAST
(3 rows)
+-- test restriction on non-system foreign tables.
+SET restrict_nonsystem_relation_kind TO 'foreign-table';
+SELECT * from ft1 where c1 < 1; -- ERROR
+ERROR: access to non-system foreign table is restricted
+INSERT INTO ft1 (c1) VALUES (1); -- ERROR
+ERROR: access to non-system foreign table is restricted
+DELETE FROM ft1 WHERE c1 = 1; -- ERROR
+ERROR: access to non-system foreign table is restricted
+TRUNCATE ft1; -- ERROR
+ERROR: access to non-system foreign table is restricted
+RESET restrict_nonsystem_relation_kind;
-- ===================================================================
-- WHERE with remotely-executable conditions
-- ===================================================================
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index 8be9f99c19..db69434188 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -327,6 +327,14 @@ DELETE FROM loct_empty;
ANALYZE ft_empty;
EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1;
+-- test restriction on non-system foreign tables.
+SET restrict_nonsystem_relation_kind TO 'foreign-table';
+SELECT * from ft1 where c1 < 1; -- ERROR
+INSERT INTO ft1 (c1) VALUES (1); -- ERROR
+DELETE FROM ft1 WHERE c1 = 1; -- ERROR
+TRUNCATE ft1; -- ERROR
+RESET restrict_nonsystem_relation_kind;
+
-- ===================================================================
-- WHERE with remotely-executable conditions
-- ===================================================================
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index d35b82a582..d778d28e6f 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -9813,6 +9813,23 @@ SET XML OPTION { DOCUMENT | CONTENT };
+
+ restrict_nonsystem_relation_kind (string)
+
+ restrict_nonsystem_relation_kind
+ configuration parameter
+
+
+
+
+ This variable specifies relation kind to which access is restricted.
+ It contains a comma-separated list of relation kind. Currently, the
+ supported relation kinds are view and
+ foreign-table.
+
+
+
+
diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml
index b95ed87517..f27f2987ba 100644
--- a/doc/src/sgml/ref/pg_dump.sgml
+++ b/doc/src/sgml/ref/pg_dump.sgml
@@ -997,6 +997,14 @@ PostgreSQL documentation
The only exception is that an empty pattern is disallowed.
+
+
+ Using wildcards in may result
+ in access to unexpected foreign servers. Also, to use this option securely,
+ make sure that the named server must have a trusted owner.
+
+
+
When is specified,
diff --git a/src/backend/foreign/foreign.c b/src/backend/foreign/foreign.c
index f4f35728b4..bb67d9f92b 100644
--- a/src/backend/foreign/foreign.c
+++ b/src/backend/foreign/foreign.c
@@ -22,6 +22,7 @@
#include "foreign/foreign.h"
#include "funcapi.h"
#include "miscadmin.h"
+#include "tcop/tcopprot.h"
#include "utils/builtins.h"
#include "utils/memutils.h"
#include "utils/rel.h"
@@ -326,6 +327,15 @@ GetFdwRoutine(Oid fdwhandler)
Datum datum;
FdwRoutine *routine;
+ /* Check if the access to foreign tables is restricted */
+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0))
+ {
+ /* there must not be built-in FDW handler */
+ ereport(ERROR,
+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+ errmsg("access to non-system foreign table is restricted")));
+ }
+
datum = OidFunctionCall0(fdwhandler);
routine = (FdwRoutine *) DatumGetPointer(datum);
diff --git a/src/backend/optimizer/plan/createplan.c b/src/backend/optimizer/plan/createplan.c
index 6b64c4a362..a5c32b91cc 100644
--- a/src/backend/optimizer/plan/createplan.c
+++ b/src/backend/optimizer/plan/createplan.c
@@ -41,6 +41,7 @@
#include "parser/parse_clause.h"
#include "parser/parsetree.h"
#include "partitioning/partprune.h"
+#include "tcop/tcopprot.h"
#include "utils/lsyscache.h"
@@ -7141,7 +7142,19 @@ make_modifytable(PlannerInfo *root, Plan *subplan,
if (rte->rtekind == RTE_RELATION &&
rte->relkind == RELKIND_FOREIGN_TABLE)
+ {
+ /* Check if the access to foreign tables is restricted */
+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0))
+ {
+ /* there must not be built-in foreign tables */
+ Assert(rte->relid >= FirstNormalObjectId);
+ ereport(ERROR,
+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+ errmsg("access to non-system foreign table is restricted")));
+ }
+
fdwroutine = GetFdwRoutineByRelId(rte->relid);
+ }
else
fdwroutine = NULL;
}
diff --git a/src/backend/optimizer/util/plancat.c b/src/backend/optimizer/util/plancat.c
index 775955363e..86655f05dc 100644
--- a/src/backend/optimizer/util/plancat.c
+++ b/src/backend/optimizer/util/plancat.c
@@ -45,6 +45,7 @@
#include "rewrite/rewriteManip.h"
#include "statistics/statistics.h"
#include "storage/bufmgr.h"
+#include "tcop/tcopprot.h"
#include "utils/builtins.h"
#include "utils/lsyscache.h"
#include "utils/partcache.h"
@@ -528,6 +529,17 @@ get_relation_info(PlannerInfo *root, Oid relationObjectId, bool inhparent,
/* Grab foreign-table info using the relcache, while we have it */
if (relation->rd_rel->relkind == RELKIND_FOREIGN_TABLE)
{
+ /* Check if the access to foreign tables is restricted */
+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0))
+ {
+ /* there must not be built-in foreign tables */
+ Assert(RelationGetRelid(relation) >= FirstNormalObjectId);
+
+ ereport(ERROR,
+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+ errmsg("access to non-system foreign table is restricted")));
+ }
+
rel->serverid = GetForeignServerIdByRelId(RelationGetRelid(relation));
rel->fdwroutine = GetFdwRoutineForRelation(relation, true);
}
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
index e1d805d113..c223a2c50a 100644
--- a/src/backend/rewrite/rewriteHandler.c
+++ b/src/backend/rewrite/rewriteHandler.c
@@ -40,6 +40,7 @@
#include "rewrite/rewriteManip.h"
#include "rewrite/rewriteSearchCycle.h"
#include "rewrite/rowsecurity.h"
+#include "tcop/tcopprot.h"
#include "utils/builtins.h"
#include "utils/lsyscache.h"
#include "utils/rel.h"
@@ -1729,6 +1730,14 @@ ApplyRetrieveRule(Query *parsetree,
if (rule->qual != NULL)
elog(ERROR, "cannot handle qualified ON SELECT rule");
+ /* Check if the expansion of non-system views are restricted */
+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 &&
+ RelationGetRelid(relation) >= FirstNormalObjectId))
+ ereport(ERROR,
+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+ errmsg("access to non-system view \"%s\" is restricted",
+ RelationGetRelationName(relation))));
+
if (rt_index == parsetree->resultRelation)
{
/*
@@ -3212,6 +3221,14 @@ rewriteTargetView(Query *parsetree, Relation view)
}
}
+ /* Check if the expansion of non-system views are restricted */
+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 &&
+ RelationGetRelid(view) >= FirstNormalObjectId))
+ ereport(ERROR,
+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+ errmsg("access to non-system view \"%s\" is restricted",
+ RelationGetRelationName(view))));
+
/*
* The view must be updatable, else fail.
*
diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c
index 034e0100bf..7fe14c5402 100644
--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
@@ -79,6 +79,7 @@
#include "utils/snapmgr.h"
#include "utils/timeout.h"
#include "utils/timestamp.h"
+#include "utils/varlena.h"
/* ----------------
* global variables
@@ -103,6 +104,9 @@ int PostAuthDelay = 0;
/* Time between checks that the client is still connected. */
int client_connection_check_interval = 0;
+/* flags for non-system relation kinds to restrict use */
+int restrict_nonsystem_relation_kind;
+
/* ----------------
* private typedefs etc
* ----------------
@@ -3667,6 +3671,66 @@ assign_transaction_timeout(int newval, void *extra)
}
}
+/*
+ * GUC check_hook for restrict_nonsystem_relation_kind
+ */
+bool
+check_restrict_nonsystem_relation_kind(char **newval, void **extra, GucSource source)
+{
+ char *rawstring;
+ List *elemlist;
+ ListCell *l;
+ int flags = 0;
+
+ /* Need a modifiable copy of string */
+ rawstring = pstrdup(*newval);
+
+ if (!SplitIdentifierString(rawstring, ',', &elemlist))
+ {
+ /* syntax error in list */
+ GUC_check_errdetail("List syntax is invalid.");
+ pfree(rawstring);
+ list_free(elemlist);
+ return false;
+ }
+
+ foreach(l, elemlist)
+ {
+ char *tok = (char *) lfirst(l);
+
+ if (pg_strcasecmp(tok, "view") == 0)
+ flags |= RESTRICT_RELKIND_VIEW;
+ else if (pg_strcasecmp(tok, "foreign-table") == 0)
+ flags |= RESTRICT_RELKIND_FOREIGN_TABLE;
+ else
+ {
+ GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
+ pfree(rawstring);
+ list_free(elemlist);
+ return false;
+ }
+ }
+
+ pfree(rawstring);
+ list_free(elemlist);
+
+ /* Save the flags in *extra, for use by the assign function */
+ *extra = guc_malloc(ERROR, sizeof(int));
+ *((int *) *extra) = flags;
+
+ return true;
+}
+
+/*
+ * GUC assign_hook for restrict_nonsystem_relation_kind
+ */
+void
+assign_restrict_nonsystem_relation_kind(const char *newval, void *extra)
+{
+ int *flags = (int *) extra;
+
+ restrict_nonsystem_relation_kind = *flags;
+}
/*
* set_debug_options --- apply "-d N" command line option
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 6f4188599b..319f6d7cc0 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -578,6 +578,7 @@ static char *server_encoding_string;
static char *server_version_string;
static int server_version_num;
static char *debug_io_direct_string;
+static char *restrict_nonsystem_relation_kind_string;
#ifdef HAVE_SYSLOG
#define DEFAULT_SYSLOG_FACILITY LOG_LOCAL0
@@ -4705,6 +4706,17 @@ struct config_string ConfigureNamesString[] =
check_synchronized_standby_slots, assign_synchronized_standby_slots, NULL
},
+ {
+ {"restrict_nonsystem_relation_kind", PGC_USERSET, CLIENT_CONN_STATEMENT,
+ gettext_noop("Sets relation kinds of non-system relation to restrict use"),
+ NULL,
+ GUC_LIST_INPUT | GUC_NOT_IN_SAMPLE
+ },
+ &restrict_nonsystem_relation_kind_string,
+ "",
+ check_restrict_nonsystem_relation_kind, assign_restrict_nonsystem_relation_kind, NULL
+ },
+
/* End-of-list marker */
{
{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
diff --git a/src/bin/pg_dump/pg_dump.c b/src/bin/pg_dump/pg_dump.c
index 9202a43eb2..9737e1e189 100644
--- a/src/bin/pg_dump/pg_dump.c
+++ b/src/bin/pg_dump/pg_dump.c
@@ -336,6 +336,7 @@ static bool nonemptyReloptions(const char *reloptions);
static void appendReloptionsArrayAH(PQExpBuffer buffer, const char *reloptions,
const char *prefix, Archive *fout);
static char *get_synchronized_snapshot(Archive *fout);
+static void set_restrict_relation_kind(Archive *AH, const char *value);
static void setupDumpWorker(Archive *AH);
static TableInfo *getRootTableInfo(const TableInfo *tbinfo);
static bool forcePartitionRootLoad(const TableInfo *tbinfo);
@@ -1293,6 +1294,13 @@ setup_connection(Archive *AH, const char *dumpencoding,
ExecuteSqlStatement(AH, "SET row_security = off");
}
+ /*
+ * For security reasons, we restrict the expansion of non-system views and
+ * access to foreign tables during the pg_dump process. This restriction
+ * is adjusted when dumping foreign table data.
+ */
+ set_restrict_relation_kind(AH, "view, foreign-table");
+
/*
* Initialize prepared-query state to "nothing prepared". We do this here
* so that a parallel dump worker will have its own state.
@@ -2161,6 +2169,10 @@ dumpTableData_copy(Archive *fout, const void *dcontext)
*/
if (tdinfo->filtercond || tbinfo->relkind == RELKIND_FOREIGN_TABLE)
{
+ /* Temporary allows to access to foreign tables to dump data */
+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
+ set_restrict_relation_kind(fout, "view");
+
appendPQExpBufferStr(q, "COPY (SELECT ");
/* klugery to get rid of parens in column list */
if (strlen(column_list) > 2)
@@ -2272,6 +2284,11 @@ dumpTableData_copy(Archive *fout, const void *dcontext)
classname);
destroyPQExpBuffer(q);
+
+ /* Revert back the setting */
+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
+ set_restrict_relation_kind(fout, "view, foreign-table");
+
return 1;
}
@@ -2298,6 +2315,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext)
int rows_per_statement = dopt->dump_inserts;
int rows_this_statement = 0;
+ /* Temporary allows to access to foreign tables to dump data */
+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
+ set_restrict_relation_kind(fout, "view");
+
/*
* If we're going to emit INSERTs with column names, the most efficient
* way to deal with generated columns is to exclude them entirely. For
@@ -2537,6 +2558,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext)
destroyPQExpBuffer(insertStmt);
free(attgenerated);
+ /* Revert back the setting */
+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
+ set_restrict_relation_kind(fout, "view, foreign-table");
+
return 1;
}
@@ -4710,6 +4735,28 @@ is_superuser(Archive *fout)
return false;
}
+/*
+ * Set the given value to restrict_nonsystem_relation_kind value. Since
+ * restrict_nonsystem_relation_kind is introduced in minor version releases,
+ * the setting query is effective only where available.
+ */
+static void
+set_restrict_relation_kind(Archive *AH, const char *value)
+{
+ PQExpBuffer query = createPQExpBuffer();
+ PGresult *res;
+
+ appendPQExpBuffer(query,
+ "SELECT set_config(name, '%s', false) "
+ "FROM pg_settings "
+ "WHERE name = 'restrict_nonsystem_relation_kind'",
+ value);
+ res = ExecuteSqlQuery(AH, query->data, PGRES_TUPLES_OK);
+
+ PQclear(res);
+ destroyPQExpBuffer(query);
+}
+
/*
* getSubscriptions
* get information about subscriptions
diff --git a/src/include/tcop/tcopprot.h b/src/include/tcop/tcopprot.h
index 643ce9cffa..180d5a2d22 100644
--- a/src/include/tcop/tcopprot.h
+++ b/src/include/tcop/tcopprot.h
@@ -42,6 +42,12 @@ typedef enum
extern PGDLLIMPORT int log_statement;
+/* Flags for restrict_nonsystem_relation_kind value */
+#define RESTRICT_RELKIND_VIEW 0x01
+#define RESTRICT_RELKIND_FOREIGN_TABLE 0x02
+
+extern PGDLLIMPORT int restrict_nonsystem_relation_kind;
+
extern List *pg_parse_query(const char *query_string);
extern List *pg_rewrite_query(Query *query);
extern List *pg_analyze_and_rewrite_fixedparams(RawStmt *parsetree,
diff --git a/src/include/utils/guc_hooks.h b/src/include/utils/guc_hooks.h
index 070d3f2a1a..8fd91af388 100644
--- a/src/include/utils/guc_hooks.h
+++ b/src/include/utils/guc_hooks.h
@@ -127,6 +127,9 @@ extern void assign_recovery_target_xid(const char *newval, void *extra);
extern bool check_role(char **newval, void **extra, GucSource source);
extern void assign_role(const char *newval, void *extra);
extern const char *show_role(void);
+extern bool check_restrict_nonsystem_relation_kind(char **newval, void **extra,
+ GucSource source);
+extern void assign_restrict_nonsystem_relation_kind(const char *newval, void *extra);
extern bool check_search_path(char **newval, void **extra, GucSource source);
extern void assign_search_path(const char *newval, void *extra);
extern bool check_serial_buffers(int *newval, void **extra, GucSource source);
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
index 61825ef7d4..f3f8c7b5a2 100644
--- a/src/test/regress/expected/create_view.out
+++ b/src/test/regress/expected/create_view.out
@@ -2202,6 +2202,21 @@ select pg_get_viewdef('tt26v', true);
FROM ( VALUES (1,2,3)) v(x, y, z);
(1 row)
+-- test restriction on non-system view expansion.
+create table tt27v_tbl (a int);
+create view tt27v as select a from tt27v_tbl;
+set restrict_nonsystem_relation_kind to 'view';
+select a from tt27v where a > 0; -- Error
+ERROR: access to non-system view "tt27v" is restricted
+insert into tt27v values (1); -- Error
+ERROR: access to non-system view "tt27v" is restricted
+select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view.
+ viewname
+----------
+ tt27v
+(1 row)
+
+reset restrict_nonsystem_relation_kind;
-- clean up all the random objects we made above
DROP SCHEMA temp_view_test CASCADE;
NOTICE: drop cascades to 27 other objects
@@ -2233,7 +2248,7 @@ drop cascades to view aliased_view_2
drop cascades to view aliased_view_3
drop cascades to view aliased_view_4
DROP SCHEMA testviewschm2 CASCADE;
-NOTICE: drop cascades to 77 other objects
+NOTICE: drop cascades to 79 other objects
DETAIL: drop cascades to table t1
drop cascades to view temporal1
drop cascades to view temporal2
@@ -2311,3 +2326,5 @@ drop cascades to view tt23v
drop cascades to view tt24v
drop cascades to view tt25v
drop cascades to view tt26v
+drop cascades to table tt27v_tbl
+drop cascades to view tt27v
diff --git a/src/test/regress/sql/create_view.sql b/src/test/regress/sql/create_view.sql
index 8838a40f7a..3a78be1b0c 100644
--- a/src/test/regress/sql/create_view.sql
+++ b/src/test/regress/sql/create_view.sql
@@ -813,6 +813,15 @@ select x + y + z as c1,
from (values(1,2,3)) v(x,y,z);
select pg_get_viewdef('tt26v', true);
+-- test restriction on non-system view expansion.
+create table tt27v_tbl (a int);
+create view tt27v as select a from tt27v_tbl;
+set restrict_nonsystem_relation_kind to 'view';
+select a from tt27v where a > 0; -- Error
+insert into tt27v values (1); -- Error
+select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view.
+reset restrict_nonsystem_relation_kind;
+
-- clean up all the random objects we made above
DROP SCHEMA temp_view_test CASCADE;
DROP SCHEMA testviewschm2 CASCADE;