Re: Bug in handling default privileges inside extension update scripts

From: Mats Kindahl <mats(at)timescale(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: Bug in handling default privileges inside extension update scripts
Date: 2021-04-26 08:55:57
Message-ID: CA+14425Oyw1Wt7j0nUU2hOf3qa_=L8pR0q-K12TAkQ4EW2CXTw@mail.gmail.com
Lists: pgsql-bugs

On Thu, Apr 22, 2021 at 5:15 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> Greetings,
>
> * Mats Kindahl (mats(at)timescale(dot)com) wrote:
> > * To be able to read the configuration tables, "reader" needs to have
> > SELECT privileges.
> >
> > * Since the new role is added by the user and not by the extension,
> > the grants have to be dumped as well. Otherwise, a restore of the
> > data will have wrong privileges.
> >
> > * Since new configuration tables could be added by an update of the
> > extension, it is necessary to make sure that these privileges are
> > added to new tables when updating. Typically, this means changing
> > the default privileges on the schema for the configuration files.
>
> If the extension is updated, I think it's entirely reasonable to expect
> an admin to have to go in and update the relevant permissions on any new
> tables that have come into existence and, as I've said elsewhere, I
> don't think that schema-level default privs should be applied to tables
> created by extensions. Sadly, no one else seems to have an opinion
> regarding that and so there hasn't been a change in that, yet, but
> that's the source of the issue imv.
>

That is a different way to solve it, but I think that is a little
unintuitive. I am actually proposing to still assign default privileges,
but not add them to initprivs, to make sure that they are treated the same
way before and after an update.

> If you want to comment on that, I'd suggest doing so on that thread:
>
>
> https://www.postgresql.org/message-id/20200205034454.GU3195@tamriel.snowman.net
>
>
Will do. Thanks for the pointer.

Best wishes,
Mats Kindahl

> Thanks,
>
> Stephen
>
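
The setup discussed in this message, followed by a catalog query an administrator can run after an extension update to compare each extension table's live ACL with what was recorded in pg_init_privs. This is an added example, not code from the thread or from PostgreSQL; the schema name ext_config and the extension name my_ext are hypothetical, and "reader" is the role named in the thread.

```sql
-- Assumptions (not from the thread): schema ext_config and extension my_ext
-- are hypothetical names. "reader" is the role mentioned in the thread.

-- The user, not the extension, creates the role and grants it read access
-- to the existing configuration tables and to tables created later.
CREATE ROLE reader;
GRANT USAGE ON SCHEMA ext_config TO reader;
GRANT SELECT ON ALL TABLES IN SCHEMA ext_config TO reader;
-- Without FOR ROLE this only affects tables created by the role running it.
ALTER DEFAULT PRIVILEGES IN SCHEMA ext_config
    GRANT SELECT ON TABLES TO reader;

-- Default ACL entries currently defined for that schema.
SELECT pg_get_userbyid(d.defaclrole) AS creating_role,
       d.defaclobjtype               AS objtype,      -- 'r' = tables
       d.defaclacl                   AS default_acl
FROM pg_default_acl d
JOIN pg_namespace n ON n.oid = d.defaclnamespace
WHERE n.nspname = 'ext_config';

-- For every table that is a member of the extension: the live ACL next to
-- the ACL recorded in pg_init_privs by CREATE/ALTER EXTENSION.
SELECT c.relname,
       c.relacl     AS current_acl,
       ip.initprivs AS recorded_initprivs,
       c.relacl::text IS DISTINCT FROM ip.initprivs::text AS differs
FROM pg_extension e
JOIN pg_depend dep ON dep.refclassid = 'pg_extension'::regclass
                  AND dep.refobjid   = e.oid
                  AND dep.classid    = 'pg_class'::regclass
                  AND dep.deptype    = 'e'
JOIN pg_class c    ON c.oid = dep.objid AND c.relkind = 'r'
LEFT JOIN pg_init_privs ip ON ip.classoid = 'pg_class'::regclass
                          AND ip.objoid   = c.oid
                          AND ip.objsubid = 0
WHERE e.extname = 'my_ext'
ORDER BY c.relname;
```

A table created by an update script whose recorded_initprivs already contains the reader grant is the case raised in this thread: pg_dump compares the live ACL against pg_init_privs, so a grant recorded there is not treated as a user change.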
