| From: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | pgsql(at)j-davis(dot)com |
| Subject: | Re: un-revert the MAINTAIN privilege and the pg_maintain predefined role |
| Date: | 2024-03-12 21:05:41 |
| Message-ID: | 20240312210541.GA2400644@nathanxps13 |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Mar 07, 2024 at 10:50:00AM -0600, Nathan Bossart wrote:
> Given all of this code was previously reviewed and committed, I am planning
> to forge ahead and commit this early next week, provided no objections or
> additional feedback materialize.
Jeff Davis and I spent some additional time looking at this patch. There
are existing inconsistencies among the privilege checks for the various
maintenance commands, and the MAINTAIN privilege just builds on the status
quo, with one exception. In the v1 patch, I proposed skipping privilege
checks when VACUUM recurses to TOAST tables, which means that a user may be
able to process a TOAST table for which they've concurrent lost privileges
on the main relation (since each table is vacuumed in a separate
transaction). It's easy enough to resolve this inconsistency by sending
down the parent OID when recursing to a TOAST table and using that for the
privilege checks. AFAICT this avoids any kind of cache lookup hazards
because we hold a session lock on the main relation in this case. I've
done this in the attached v2.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
| Attachment | Content-Type | Size |
|---|---|---|
| v2-0001-Reintroduce-MAINTAIN-privilege-and-pg_maintain-pr.patch | text/x-diff | 72.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2024-03-12 21:18:09 | Re: On disable_cost |
| Previous Message | David Rowley | 2024-03-12 20:55:22 | Re: On disable_cost |