Re: What permissions are required for e.g. EXPLAIN UPDATE ...

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Thomas Nyberg <twn(at)thomasnyberg(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: What permissions are required for e.g. EXPLAIN UPDATE ...
Date: 2024-04-04 18:44:30
Message-ID: 809558.1712256270@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Thomas Nyberg <twn(at)thomasnyberg(dot)com> writes:
> Or put another way, does an EXPLAIN UPDATE on a table really require
> UPDATE permissions to run? Why can't it be done without UPDATE
> permissions?

IIRC, the reasoning is this: should you be allowed to run an EXPLAIN
on a table that you have no permissions for at all? We've felt that
the answer to that has to be "no". An example of why not is that
EXPLAIN must take at least a shared lock on the table, which should
not be allowed to someone without any permissions.

Having decided that, the next question is what permissions are enough,
and we've concluded that "the same as it'd take to actually run the
query" is a perfectly appropriate answer. That in turn lets us
decide that "what strength of table lock should be taken?" can be
answered the same for EXPLAIN as for the underlying query. This
simplifies life by not requiring there to be different code paths
for EXPLAIN and normal query running in various places.

regards, tom lane

In response to

Browse pgsql-general by date

  From Date Subject
Next Message yudhi s 2024-04-04 20:42:10 Re: Moving delta data faster
Previous Message Ron Johnson 2024-04-04 18:15:40 Re: Multiple COPY statements for one table vs one for ~half a billion records