Postgresql小特性:为nosuper用户预留连接数
发布时间:2020-12-13 16:49:15 所属栏目:百科 来源:网络整理
导读:需求描述 场景 在某些场景下,希望保证某个nosuper用户必须能连上数据库。(superuser权限过大) postgresql原生只可以给超级用户预留连接数,该特性可以使指定的某个用户(reserved_user_name)使用给超级用户预留的连接数。 功能说明 1、增加参数 reserved
需求描述场景在某些场景下,希望保证某个nosuper用户必须能连上数据库。(superuser权限过大) postgresql原生只可以给超级用户预留连接数,该特性可以使指定的某个用户(reserved_user_name)使用给超级用户预留的连接数。 功能说明1、增加参数 reserved_user_name = ” 2、参数说明 指定的用户名与superuser共享superuser_reserved_connections预留的连接数。 测试结果当前数据库服务器参数 max_connections = 5
superuser_reserved_connections = 3
reserved_user_name = 'tu1'
当前用户情况 postgres=# select rolname,rolsuper from pg_authid;
rolname | rolsuper
-------------------+----------
jackgo | t
pg_signal_backend | f
tu1 | f
tu2 | f
当前连接情况 postgres=# select datname,usename from pg_stat_activity;
datname | usename ----------+---------
postgres | jackgo
postgres | jackgo
postgres | jackgo
(3 rows)
使用超级用户连接结果 [jackgo@MiWiFi-R1CM-srv:~]<PG96-60>$psql
psql (9.6.2)
Type "help" for help.
postgres=#
使用指定用户tu1连接结果 [jackgo@MiWiFi-R1CM-srv:~]<PG96-60>$psql -U tu1
psql (9.6.2)
Type "help" for help.
postgres=>
使用其他用户连接结果 [jackgo@MiWiFi-R1CM-srv:~]<PG96-60>$psql -U tu2
psql: FATAL: remaining connection slots are reserved for non-replication superuser connections
源码diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
old mode 100644
new mode 100755
index 533252a..2cf0037
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -207,6 +207,7 @@ char *ListenAddresses;
* count against the limit.
*/
int ReservedBackends;
+char *ReservedUserName = NULL;
/* The socket(s) we're listening to. */
#define MAXLISTEN 64
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
old mode 100644
new mode 100755
index 0a4295b..fb72bee
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -560,6 +560,7 @@ InitPostgres(const char *in_dbname,Oid dboid,const char *username,{
bool bootstrap = IsBootstrapProcessingMode();
bool am_superuser;
+ bool am_reserveduser = false;
char *fullpath;
char dbname[NAMEDATALEN];
@@ -735,6 +736,PerformAuthentication(MyProcPort);
InitializeSessionUserId(username,useroid);
am_superuser = superuser();
+ am_reserveduser = reserveduser();
}
/* @@ -770,8 +772,12 @@ InitPostgres(const char *in_dbname,const char *username,* replication connections currently require superuser privileges,we * don't allow them to consume the reserved slots,which are intended for * interactive use. + * + * Put am_reserveduser in the AND logic.So am_reserveduser doesn't have to + * consider whether it's a super user. */
if ((!am_superuser || am_walsender) &&
+ !am_reserveduser &&
ReservedBackends > 0 &&
!HaveNFreeProcs(ReservedBackends))
ereport(FATAL,diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
old mode 100644
new mode 100755
index 4f1891f..250d18c
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -3552,6 +3552,18 @@ static struct config_string ConfigureNamesString[] =
check_cluster_name,NULL,NULL
},+ {
+ {"reserved_user_name",PGC_SIGHUP,CONN_AUTH_SETTINGS,+ gettext_noop("Sets the reserved user name."),+ NULL,+ GUC_SUPERUSER_ONLY
+ },+ &ReservedUserName,+ "",+ NULL,NULL
+ },+
+
/* End-of-list marker */
{
{NULL,0,NULL},NULL
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
old mode 100644
new mode 100755
index fa6c0ea..8676106
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -63,6 +63,7 @@
#port = 5432 # (change requires restart)
#max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
+#reserved_user_name = '' # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
diff --git a/src/backend/utils/misc/superuser.c b/src/backend/utils/misc/superuser.c
old mode 100644
new mode 100755
index dd70e02..0c3a252
--- a/src/backend/utils/misc/superuser.c
+++ b/src/backend/utils/misc/superuser.c
@@ -24,7 +24,9 @@
#include "catalog/pg_authid.h"
#include "utils/inval.h"
#include "utils/syscache.h"
+#include "utils/acl.h"
#include "miscadmin.h"
+#include "postmaster/postmaster.h"
/* @@ -96,6 +98,40 @@ superuser_arg(Oid roleid) return result; } + +bool +reserveduser(void) +{ + return reserveduser_arg(GetUserId()); +} + +bool +reserveduser_arg(Oid roleid) +{ + bool result; + Oid reservedoid; + + if (ReservedUserName && !(*ReservedUserName)) + { + result = false; + } + + reservedoid = get_role_oid(ReservedUserName,true); + + if (!OidIsValid(reservedoid)) + { + result = false; + } + + if (roleid == reservedoid) + { + result = true; + } + + return result; +} + + /* * RoleidCallback * Syscache inval callback function diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h old mode 100644 new mode 100755 index 78545da..6399632 --- a/src/include/miscadmin.h +++ b/src/include/miscadmin.h @@ -326,6 +326,8 @@ extern void SwitchBackToLocalLatch(void); /* in utils/misc/superuser.c */
extern bool superuser(void); /* current user is superuser */
extern bool superuser_arg(Oid roleid); /* given user is superuser */
+extern bool reserveduser(void); /* current user is reserveduser */
+extern bool reserveduser_arg(Oid roleid); /* given user is reserveduser */
/***************************************************************************** diff --git a/src/include/postmaster/postmaster.h b/src/include/postmaster/postmaster.h old mode 100644 new mode 100755 index b2d7776..99edac8 --- a/src/include/postmaster/postmaster.h +++ b/src/include/postmaster/postmaster.h @@ -16,6 +16,8 @@ /* GUC options */
extern bool EnableSSL;
extern int ReservedBackends;
+extern char *ReservedUserName;
+
extern int PostPortNumber;
extern int Unix_socket_permissions;
extern char *Unix_socket_group;
(编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |