Re: pg_restore -L reordering of the statements does not work

Andres Freund <andres(at)anarazel(dot)de> writes:
> A schema like:
> ...
> results in the following, abbreviated, dump on HEAD:
> ...
> Which is bad because the ALTER TABLE OWNER TO cannot be executed before
> the GRANT ALL:
> ERROR: 42501: permission denied for schema nosuper
> LOCATION: aclcheck_error, aclchk.c:2833

Works fine for me. I agree that it might not work if you're restoring
as non-superuser, but if you try that the ALTER OWNER commands are all
going to fail too. Moreover, reordering the GRANTs is no solution,
because who promised that the schema owner granted you any permissions?

The bigger picture here is that pg_dump effectively relies on all
objects being treated throughout the restore as though the restoring
user is their owner --- either via --no-owner, or because the
restoring user is superuser, or perhaps because the restoring user is
a member of every object owner named in the dump. Postponing
execution of GRANTs to the end should therefore be perfectly safe, and
indeed it's *necessary* if you want to successfully restore cases in
which an object owner has revoked some of their own privileges.

I experimented with making the restoring user be a member with inherit
of the nosuper_N roles, and indeed I still see the failure above,
which makes me wonder if the ACL check is being done correctly for
that specific case. The INHERIT bit ought to let it work.

regards, tom lane