Switch user ID to the object owner when populating a materialized view.

This makes superuser-issued REFRESH MATERIALIZED VIEW safe regardless of
the object's provenance.  REINDEX is an earlier example of this pattern.
As a downside, functions called from materialized views must tolerate
running in a security-restricted operation.  CREATE MATERIALIZED VIEW
need not change user ID.  Nonetheless, avoid creation of materialized
views that will invariably fail REFRESH by making it, too, start a
security-restricted operation.

Back-patch to 9.3 so materialized views have this from the beginning.

Reviewed by Kevin Grittner.

diff --git a/doc/src/sgml/ref/create_materialized_view.sgml b/doc/src/sgml/ref/create_materialized_view.sgml
index 0ed764b353394137afd73c9a013e031e197ae79c..b742e17ac828a64f816650e7c8c78c3f67bffd78 100644 (file)
--- a/doc/src/sgml/ref/create_materialized_view.sgml
+++ b/doc/src/sgml/ref/create_materialized_view.sgml
@@ -105,7 +105,9 @@ CREATE MATERIALIZED VIEW <replaceable>table_name</replaceable>
     <listitem>
      <para>
       A <xref linkend="sql-select">, <link linkend="sql-table">TABLE</link>,
-      or <xref linkend="sql-values"> command.
+      or <xref linkend="sql-values"> command.  This query will run within a
+      security-restricted operation; in particular, calls to functions that
+      themselves create temporary tables will fail.
      </para>
     </listitem>
    </varlistentry>

diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c
index 2bfe5fba8775631afb378b8591b536c3472b074b..a3509d8c2a3242efa7896fb0a777e5928b239d6e 100644 (file)
--- a/src/backend/commands/createas.c
+++ b/src/backend/commands/createas.c
@@ -33,6 +33,7 @@
 #include "commands/prepare.h"
 #include "commands/tablecmds.h"
 #include "commands/view.h"
+#include "miscadmin.h"
 #include "parser/parse_clause.h"
 #include "rewrite/rewriteHandler.h"
 #include "storage/smgr.h"
@@ -69,7 +70,11 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString,
 {
    Query      *query = (Query *) stmt->query;
    IntoClause *into = stmt->into;
+   bool        is_matview = (into->viewQuery != NULL);
    DestReceiver *dest;
+   Oid         save_userid = InvalidOid;
+   int         save_sec_context = 0;
+   int         save_nestlevel = 0;
    List       *rewritten;
    PlannedStmt *plan;
    QueryDesc  *queryDesc;
@@ -90,12 +95,28 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString,
    {
        ExecuteStmt *estmt = (ExecuteStmt *) query->utilityStmt;
 
+       Assert(!is_matview);    /* excluded by syntax */
        ExecuteQuery(estmt, into, queryString, params, dest, completionTag);
 
        return;
    }
    Assert(query->commandType == CMD_SELECT);
 
+   /*
+    * For materialized views, lock down security-restricted operations and
+    * arrange to make GUC variable changes local to this command.  This is
+    * not necessary for security, but this keeps the behavior similar to
+    * REFRESH MATERIALIZED VIEW.  Otherwise, one could create a materialized
+    * view not possible to refresh.
+    */
+   if (is_matview)
+   {
+       GetUserIdAndSecContext(&save_userid, &save_sec_context);
+       SetUserIdAndSecContext(save_userid,
+                          save_sec_context | SECURITY_RESTRICTED_OPERATION);
+       save_nestlevel = NewGUCNestLevel();
+   }
+
    /*
     * Parse analysis was done already, but we still have to run the rule
     * rewriter.  We do not do AcquireRewriteLocks: we assume the query either
@@ -160,6 +181,15 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString,
    FreeQueryDesc(queryDesc);
 
    PopActiveSnapshot();
+
+   if (is_matview)
+   {
+       /* Roll back any GUC changes */
+       AtEOXact_GUC(false, save_nestlevel);
+
+       /* Restore userid and security context */
+       SetUserIdAndSecContext(save_userid, save_sec_context);
+   }
 }
 
 /*

diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c
index 2ffdca31f6ba35e2c95d75fcba5bf850f7a20aa3..1c383baf68750808320ebc5e9925b122c802a639 100644 (file)
--- a/src/backend/commands/matview.c
+++ b/src/backend/commands/matview.c
@@ -122,6 +122,9 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
    RewriteRule *rule;
    List       *actions;
    Query      *dataQuery;
+   Oid         save_userid;
+   int         save_sec_context;
+   int         save_nestlevel;
    Oid         tableSpace;
    Oid         OIDNewHeap;
    DestReceiver *dest;
@@ -191,6 +194,16 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
     */
    CheckTableNotInUse(matviewRel, "REFRESH MATERIALIZED VIEW");
 
+   /*
+    * Switch to the owner's userid, so that any functions are run as that
+    * user.  Also lock down security-restricted operations and arrange to
+    * make GUC variable changes local to this command.
+    */
+   GetUserIdAndSecContext(&save_userid, &save_sec_context);
+   SetUserIdAndSecContext(matviewRel->rd_rel->relowner,
+                          save_sec_context | SECURITY_RESTRICTED_OPERATION);
+   save_nestlevel = NewGUCNestLevel();
+
    /*
     * Tentatively mark the matview as populated or not (this will roll back
     * if we fail later).
@@ -217,6 +230,12 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
                     RecentXmin, ReadNextMultiXactId());
 
    RelationCacheInvalidateEntry(matviewOid);
+
+   /* Roll back any GUC changes */
+   AtEOXact_GUC(false, save_nestlevel);
+
+   /* Restore userid and security context */
+   SetUserIdAndSecContext(save_userid, save_sec_context);
 }
 
 /*