Implement password profile feature in Cloudberry DB.

.gitignore

@@ -72,10 +72,5 @@ lib*.pc
 /CMakeLists.txt
 /compile_commands.json
 /tmp_install/
-<<<<<<< HEAD
 /.cache/
 /install/
-=======
-/install/
-/.cache/
->>>>>>> 77c11b4beab (update .gitignore.)

doc/src/sgml/catalogs.sgml

@@ -6911,6 +6911,16 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l
       </para>
      </listitem>
     </varlistentry>
+
+    <varlistentry>
+     <term><symbol>SHARED_DEPENDENCY_PROFILE</symbol> (<literal>t</literal>)</term>
+     <listitem>
+      <para>
+       The referenced object (which must be a profile) is mentioned as
+       the profile for a role using.
+      </para>
+     </listitem>
+    </varlistentry>
    </variablelist>
 
    Other dependency flavors might be needed in future.  Note in particular

gpMgmt/bin/gpcheckcat

@@ -1568,6 +1568,12 @@ def checkTableInconsistentEntry(cat):
     if catname == "pg_authid":
         columns.remove("rolpassword")
         castcols.remove("rolpassword")
+        columns.remove("rolpasswordsetat")
+        castcols.remove("rolpasswordsetat")
+        columns.remove("rollockdate")
+        castcols.remove("rollockdate")
+        columns.remove("rolpasswordexpire")
+        castcols.remove("rolpasswordexpire")
 
     if cat.tableHasConsistentOids():
         qry = inconsistentEntryQuery(GV.max_content, catname, ['oid'], columns, castcols)
@@ -2277,6 +2283,7 @@ TableMainColumn['pg_proc_callback'] = ['profnoid', 'pg_proc']
 TableMainColumn['pg_statistic_ext_data'] = ['stxoid', 'pg_statistic_ext']
 TableMainColumn['pg_type_encoding'] = ['typid', 'pg_type']
 TableMainColumn['pg_window'] = ['winfnoid', 'pg_proc']
+TableMainColumn['pg_password_history'] = ['passhistroleid', 'pg_authid']
 
 # Table with OID (special case), these OIDs are known to be inconsistent
 TableMainColumn['pg_attrdef'] = ['adrelid', 'pg_class']
@@ -2915,7 +2922,7 @@ class GPObject:
 
         # Report missing issues
         if len(self.missingIssues):
-            omitlist = ['pg_attribute', 'pg_attribute_encoding', 'pg_type', 'pg_appendonly', 'pg_index']
+            omitlist = ['pg_attribute', 'pg_attribute_encoding', 'pg_type', 'pg_appendonly', 'pg_index', 'pg_password_history']
             if 'pg_class' in self.missingIssues:
                 myprint('    Name of test which found this issue: missing_extraneous_pg_class')
                 for name in omitlist:

src/backend/catalog/Makefile

@@ -91,7 +91,8 @@ CATALOG_HEADERS := \
 	pg_default_acl.h pg_init_privs.h pg_seclabel.h pg_shseclabel.h \
 	pg_collation.h pg_partitioned_table.h pg_range.h pg_transform.h \
 	pg_sequence.h pg_publication.h pg_publication_rel.h pg_subscription.h \
-	pg_subscription_rel.h gp_partition_template.h pg_task.h pg_task_run_history.h
+	pg_subscription_rel.h gp_partition_template.h pg_task.h pg_task_run_history.h \
+	pg_profile.h pg_password_history.h
 
 USE_INTERNAL_FTS_FOUND := $(if $(findstring USE_INTERNAL_FTS,$(CFLAGS)),true,false)
 
@@ -117,7 +118,7 @@ POSTGRES_BKI_DATA = $(addprefix $(top_srcdir)/src/include/catalog/,\
 	pg_namespace.dat pg_opclass.dat pg_operator.dat pg_opfamily.dat \
 	pg_proc.dat pg_range.dat pg_tablespace.dat \
 	pg_ts_config.dat pg_ts_config_map.dat pg_ts_dict.dat pg_ts_parser.dat \
-	pg_ts_template.dat pg_type.dat \
+	pg_ts_template.dat pg_type.dat pg_profile.dat \
 	)
 
 POSTGRES_BKI_DATA += $(addprefix $(top_srcdir)/src/include/catalog/,\

src/backend/catalog/aclchk.c

@@ -3790,6 +3790,7 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
 					case OBJECT_USER_MAPPING:
+					case OBJECT_PROFILE:
 						elog(ERROR, "unsupported object type %d", objtype);
 				}
 
@@ -3931,6 +3932,7 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
 					case OBJECT_USER_MAPPING:
+					case OBJECT_PROFILE:
 						elog(ERROR, "unsupported object type %d", objtype);
 				}
 

src/backend/catalog/catalog.c

@@ -67,6 +67,8 @@
 #include "catalog/pg_resqueuecapability.h"
 #include "catalog/pg_resgroup.h"
 #include "catalog/pg_resgroupcapability.h"
+#include "catalog/pg_profile.h"
+#include "catalog/pg_password_history.h"
 #include "catalog/pg_rewrite.h"
 #include "catalog/pg_stat_last_operation.h"
 #include "catalog/pg_stat_last_shoperation.h"
@@ -419,7 +421,10 @@ IsSharedRelation(Oid relationId)
 #ifdef USE_INTERNAL_FTS
 		relationId == GpSegmentConfigRelationId ||
 #endif
-		relationId == AuthTimeConstraintRelationId)
+		relationId == AuthTimeConstraintRelationId ||
+
+		relationId == ProfileRelationId ||
+		relationId == PasswordHistoryRelationId)
 		return true;
 
 	/* These are their indexes */
@@ -463,7 +468,13 @@ IsSharedRelation(Oid relationId)
 		relationId == GpSegmentConfigContentPreferred_roleWarehouseIndexId ||
 		relationId == GpSegmentConfigDbidWarehouseIndexId ||
 #endif
-		relationId == AuthTimeConstraintAuthIdIndexId)
+		relationId == AuthTimeConstraintAuthIdIndexId ||
+		relationId == AuthIdRolProfileIndexId ||
+		relationId == ProfilePrfnameIndexId ||
+		relationId == ProfileOidIndexId ||
+		relationId == ProfileVerifyFunctionIndexId ||
+		relationId == PasswordHistoryRolePasswordIndexId ||
+		relationId == PasswordHistoryRolePasswordsetatIndexId)
 	{
 		return true;
 	}
@@ -484,7 +495,9 @@ IsSharedRelation(Oid relationId)
 		relationId == PgSubscriptionToastTable ||
 		relationId == PgSubscriptionToastIndex ||
 		relationId == PgTablespaceToastTable ||
-		relationId == PgTablespaceToastIndex)
+		relationId == PgTablespaceToastIndex ||
+		relationId == PgPasswordHistoryToastTable ||
+		relationId == PgPasswordHistoryToastIndex)
 		return true;
 #ifdef USE_INTERNAL_FTS
 	/* GPDB added toast tables and their indexes */

src/backend/catalog/dependency.c

@@ -94,6 +94,8 @@
 #include "commands/tablespace.h"
 #include "cdb/cdbvars.h"
 #include "commands/extprotocolcmds.h"
+#include "catalog/pg_profile.h"
+#include "catalog/pg_password_history.h"
 #include "commands/tablecmds.h"
 
 
@@ -198,6 +200,8 @@ static const Oid object_classes[] = {
 	TransformRelationId,		/* OCLASS_TRANSFORM */
 
 	/* GPDB additions */
+	ProfileRelationId,		/* OCLASS_PROFILE */
+	PasswordHistoryRelationId,	/* OCLASS_PASSWORDHISTORY */
 	ExtprotocolRelationId,		/* OCLASS_EXTPROTOCOL */
 	TaskRelationId				/* OCLASS_TASK */
 };
@@ -1573,6 +1577,8 @@ doDeletion(const ObjectAddress *object, int flags)
 		case OCLASS_DATABASE:
 		case OCLASS_TBLSPACE:
 		case OCLASS_SUBSCRIPTION:
+		case OCLASS_PROFILE:
+		case OCLASS_PASSWORDHISTORY:
 			elog(ERROR, "global objects cannot be deleted by doDeletion");
 			break;
 
@@ -2931,6 +2937,12 @@ getObjectClass(const ObjectAddress *object)
 			Assert(object->objectSubId == 0);
 			return OCLASS_EXTPROTOCOL;
 
+		case ProfileRelationId:
+			return OCLASS_PROFILE;
+
+		case PasswordHistoryRelationId:
+			return OCLASS_PASSWORDHISTORY;
+
 		case PolicyRelationId:
 			return OCLASS_POLICY;
 

src/backend/catalog/objectaddress.c

@@ -47,6 +47,8 @@
 #include "catalog/pg_opclass.h"
 #include "catalog/pg_operator.h"
 #include "catalog/pg_opfamily.h"
+#include "catalog/pg_password_history.h"
+#include "catalog/pg_profile.h"
 #include "catalog/pg_policy.h"
 #include "catalog/pg_proc.h"
 #include "catalog/pg_publication.h"
@@ -379,6 +381,20 @@ static const ObjectPropertyType ObjectProperty[] =
 		OBJECT_OPFAMILY,
 		true
 	},
+	{
+		"profile",
+		ProfileRelationId,
+		ProfileOidIndexId,
+		PROFILEID,
+		PROFILENAME,
+		Anum_pg_profile_oid,
+		Anum_pg_profile_prfname,
+		InvalidAttrNumber,
+		InvalidAttrNumber,
+		InvalidAttrNumber,
+		OBJECT_PROFILE,
+		true
+	},
 	{
 		"role",
 		AuthIdRelationId,
@@ -879,6 +895,10 @@ static const struct object_type_map
 	/* OCLASS_STATISTIC_EXT */
 	{
 		"statistics object", OBJECT_STATISTIC_EXT
+	},
+	/* OCLASS_PROFILE */
+	{
+		"profile", OBJECT_PROFILE
 	}
 };
 
@@ -1052,6 +1072,7 @@ get_object_address(ObjectType objtype, Node *object,
 			case OBJECT_SUBSCRIPTION:
 			case OBJECT_RESQUEUE:
 			case OBJECT_RESGROUP:
+			case OBJECT_PROFILE:
 				address = get_object_address_unqualified(objtype,
 														 (Value *) object, missing_ok);
 				break;
@@ -1371,6 +1392,11 @@ get_object_address_unqualified(ObjectType objtype,
 			address.objectId = get_resgroup_oid(name, missing_ok);
 			address.objectSubId = 0;
 			break;
+		case OBJECT_PROFILE:
+			address.classId = ProfileRelationId;
+			address.objectId = get_profile_oid(name, missing_ok);
+			address.objectSubId = 0;
+			break;
 		default:
 			elog(ERROR, "unrecognized objtype: %d", (int) objtype);
 			/* placate compiler, which doesn't know elog won't return */
@@ -2341,6 +2367,7 @@ pg_get_object_address(PG_FUNCTION_ARGS)
 		case OBJECT_EXTPROTOCOL:
 		case OBJECT_RESGROUP:
 		case OBJECT_RESQUEUE:
+		case OBJECT_PROFILE:
 			if (list_length(name) != 1)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
@@ -2641,6 +2668,13 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 				aclcheck_error(ACLCHECK_NOT_OWNER, objtype,
 							   NameListToString(castNode(List, object)));
 			break;
+		case OBJECT_PROFILE:
+			/* We treat these object types as being owned by superusers */
+			if (!superuser_arg(roleid))
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("must be superuser")));
+			break;
 		default:
 			elog(ERROR, "unrecognized object type: %d",
 				 (int) objtype);
@@ -4026,6 +4060,25 @@ getObjectDescription(const ObjectAddress *object, bool missing_ok)
 				appendStringInfo(&buffer, _("task %s"), taskname);
 				break;
 			}
+
+		case OCLASS_PROFILE:
+			{
+				char	*profilename = ProfileGetNameByOid(object->objectId,
+												missing_ok);
+
+				if (profilename)
+					appendStringInfo(&buffer, _("profile %s"), profilename);
+				break;
+			}
+		case OCLASS_PASSWORDHISTORY:
+			{
+				char	*username = GetUserNameFromId(object->objectId,
+									     		missing_ok);
+
+				if (username)
+					appendStringInfo(&buffer, _("history password for role %s"), username);
+				break;
+			}
 	}
 
 	/* an empty buffer is equivalent to no object found */
@@ -4589,6 +4642,14 @@ getObjectTypeDescription(const ObjectAddress *object, bool missing_ok)
 			appendStringInfoString(&buffer, "task");
 			break;
 
+		case OCLASS_PROFILE:
+			appendStringInfoString(&buffer, "profile");
+			break;
+
+		case OCLASS_PASSWORDHISTORY:
+			appendStringInfoString(&buffer, "password_history");
+			break;
+
 			/*
 			 * There's intentionally no default: case here; we want the
 			 * compiler to warn if a new OCLASS hasn't been handled above.
@@ -5897,6 +5958,35 @@ getObjectIdentityParts(const ObjectAddress *object,
 				}
 			}
 			break;
+
+		case OCLASS_PROFILE:
+			{
+				char	*prfname;
+
+				prfname = ProfileGetNameByOid(object->objectId, missing_ok);
+				if (!prfname)
+					break;
+				if (objname)
+					*objname = list_make1(prfname);
+				appendStringInfoString(&buffer,
+					       	quote_identifier(prfname));
+				break;
+			}
+
+		case OCLASS_PASSWORDHISTORY:
+			{
+				char	*username;
+
+				username = GetUserNameFromId(object->objectId, missing_ok);
+				if (!username)
+					break;
+				if (objname)
+					*objname = list_make1(username);
+				appendStringInfo(&buffer,
+					       	"history password for role %s: ", quote_identifier(username));
+
+				break;
+			}
 
 			/*
 			 * There's intentionally no default: case here; we want the

src/backend/catalog/oid_dispatch.c

@@ -104,6 +104,7 @@
 #include "catalog/pg_operator.h"
 #include "catalog/pg_opfamily.h"
 #include "catalog/pg_policy.h"
+#include "catalog/pg_profile.h"
 #include "catalog/pg_proc.h"
 #include "catalog/pg_publication.h"
 #include "catalog/pg_publication_rel.h"
@@ -727,6 +728,22 @@ GetNewOidForExtprotocol(Relation relation, Oid indexId, AttrNumber oidcolumn,
 	return GetNewOrPreassignedOid(relation, indexId, oidcolumn, &key);
 }
 
+Oid
+GetNewOidForProfile(Relation relation, Oid indexId, AttrNumber oidcolumn,
+			       			char *prfname)
+{
+	OidAssignment  key;
+
+	Assert(RelationGetRelid(relation) == ProfileRelationId);
+	Assert(indexId == ProfileOidIndexId);
+	Assert(oidcolumn == Anum_pg_profile_oid);
+
+	memset(&key, 0, sizeof(OidAssignment));
+	key.type = T_OidAssignment;
+	key.objname = prfname;
+	return GetNewOrPreassignedOid(relation, indexId, oidcolumn, &key);
+}
+
 Oid
 GetNewOidForForeignDataWrapper(Relation relation, Oid indexId, AttrNumber oidcolumn,
 							   char *fdwname)