From: | Achilleas Mantzios - cloud <a(dot)mantzios(at)cloud(dot)gatewaynet(dot)com> |
---|---|
To: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Strange permission effect depending on DEFERRABILITY |
Date: | 2024-09-09 13:14:02 |
Message-ID: | 89e33a53-909c-6a02-bfc6-2578ba974e16@cloud.gatewaynet.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Dear List
The below runs on PostgreSQL 16.4
We are trying to implement a certain operation based on a security
definer function : mariner_update_availability_date
This is supposed to update a table : mariner , which has several other
triggers :
mariner_build_natural_id_tg BEFORE INSERT OR UPDATE ON mariner FOR EACH
ROW EXECUTE FUNCTION mariner_build_natural_id()
mariner_force_integrity_tg AFTER INSERT OR UPDATE ON mariner FOR
EACH ROW EXECUTE FUNCTION mariner_force_integrity()
mariner_manage_past_tg BEFORE UPDATE ON mariner FOR EACH ROW EXECUTE
FUNCTION mariner_manage_past()
mariner_xadmin_prod_tmp_map_ins__crew_tg AFTER INSERT ON mariner FOR
EACH ROW EXECUTE FUNCTION xadmin_prod_tmp_map_ins__crew()
mariner_zb_dbmirror_trig AFTER INSERT OR DELETE OR UPDATE ON mariner
FOR EACH ROW EXECUTE FUNCTION dbmirror_recordchange()
zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON mariner
DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dmq()
Yes, for those highly observant veterans, dbmirror_recordchange is
indeed DBMIRROR. And no, we cannot replace it, since this is our own
ultra hacked and customized version, not replaceable by any past,
present (and most likely future) extension.
As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger. This
function mariner_update_availability_date is supposed to be run by a
user : cbt_results_import strippedof any privileges to the rest of the
system. Here is what we get : when we SET the constraint of the last
trigger to IMMEDIATE, the function runs on behalf of its owner
(postgres) who has all needed privileges (as superuser) to run the
update on mariner table and also run the triggers . However, when we run
with this CONSTRAINT as DEFERRED then it seems to NOT run the last
deferrable trigger as postgres.
postgres(at)smadb-pgsql16:~$ psql
psql (16.4)
Type "help" for help.
postgres(at)[local]/dynacom=# set role cbt_results_import ;
SET
postgres(at)[local]/dynacom=> begin ;
BEGIN
postgres(at)[local]/dynacom=*> SET CONSTRAINTS zzzmariner_dmq_tg IMMEDIATE;
SET CONSTRAINTS
postgres(at)[local]/dynacom=*> select
mariner_update_availability_date(13916, '2020-02-28');
mariner_update_availability_date
----------------------------------
(1 row)
postgres(at)[local]/dynacom=*> commit ;
COMMIT
postgres(at)[local]/dynacom=> begin ;
BEGIN
postgres(at)[local]/dynacom=*> SET CONSTRAINTS zzzmariner_dmq_tg DEFERRED;
SET CONSTRAINTS
postgres(at)[local]/dynacom=*> select
mariner_update_availability_date(13916, '2020-02-28');
mariner_update_availability_date
----------------------------------
(1 row)
postgres(at)[local]/dynacom=*> commit ;
ERROR: permission denied for table export_dmq
CONTEXT: SQL statement "DELETE FROM export_dmq where id=($1).id and
op='U' and tbl='mariner'"
PL/pgSQL function export_dmq() line 15 at EXECUTE
postgres(at)[local]/dynacom=>
Is this supposed to be normal? Documented anywhere ?
Thank you
From | Date | Subject | |
---|---|---|---|
Next Message | KK CHN | 2024-09-09 13:18:46 | Re: ssh to DB server and su normal users very slow : |
Previous Message | Philip Hazelden | 2024-09-09 13:02:50 | Clarify this MERGE warning? "Only columns from the target table that attempt to match data_source rows should appear in join_condition." |