Re: Bug in handling default privileges inside extension update scripts

On Thu, Apr 22, 2021 at 5:15 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> Greetings,
>
> * Mats Kindahl (mats(at)timescale(dot)com) wrote:
> > * To be able to read the configuration tables, "reader" need to have
> > SELECT privileges.
> >
> > * Since the new role is added by the user and not by the extension,
> > the grants have to be dumped as well. Otherwise, a restore of the
> > data will have wrong privileges.
> >
> > * Since new configuration tables could be added by an update of the
> > extension, it is necessary to make sure that these privileges are
> > added to new tables when updating. Typically, this means changing
> > the default privileges on the schema for the configuration files.
>
> If the extension is updated, I think it's entirely reasonable to expect
> an admin to have to go in and update the relevant permissions on any new
> tables that have come into existance and, as I've said elsewhere, I
> don't think that schema-level default privs should be applied to tables
> created by extensions. Sadly, no one else seems to have an opinion
> regarding that and so there hasn't been a change in that, yet, but
> that's the source of the issue imv.
>

That is a different way to solve it, but I think that is a little
unintuitive. I am actually proposing to still assign default privileges,
but not add them to initprivs, to make sure that they are treated the same
way before and after an update.

> If you want to comment on that, I'd suggest doing so on that thread:
>
>
> https://www.postgresql.org/message-id/20200205034454.GU3195@tamriel.snowman.net
>
>
Will do. Thanks for the pointer.

Best wishes,
Mats Kindahl

> Thanks,
>
> Stephen
>