From: | Maxim Boguk <maxim(dot)boguk(at)gmail(dot)com> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view |
Date: | 2024-03-12 10:40:31 |
Message-ID: | CAK-MWwQBrjfAPu=nfWS9B_Y5QK147xU2Y-EpDYAvsrdni97HCw@mail.gmail.com |
Lists: | pgsql-bugs |
>
> > test=# REFRESH MATERIALIZED VIEW CONCURRENTLY test_mv;
> > ERROR: permission denied for table test
> > --what??? N1
> >
> > --check that im not hallucinating
> > test=# select * from test;
> > val
> > -----
> > 1
> > (1 row)
>
> So far, this is working correctly. REFRESH MATERIALIZED VIEW runs with
> the permissions of the materialized view's owner. In this case, the
> owner is 'test_role', which doesn't have select permission on the table.
>
This decision led to a strange (and the only one known to me) case when a
superuser cannot do something in the database.
(so far I have yet to see any other possible scenario when a command run by
superuser fails with a permission error).
May I suggest a change to always allow superuser to run REFRESH MATERIALIZED
VIEW (maybe via set role or similar mechanics)?
Without that I think it's possible to build a case of the database which could
be dumped but cannot be restored without errors
(restore from MV owner cannot be done because dump contains create
extension (for example) and restore from superuser cannot be done because of
the refresh MV permission check).
--
Maxim Boguk
Senior Postgresql DBA
Phone UA: +380 99 143 0000
Phone AU: +61 45 218 5678
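
The following is an added example, not part of the original message or of PostgreSQL's own code: a catalog query that lists materialized views whose owner lacks table-level SELECT on a relation the view reads, which is the condition under which REFRESH fails as described above, even for a superuser. The setup statements are constructed to mirror the names in the quoted session (`test`, `test_mv`, `test_role`) and are assumed to be run as a superuser in a scratch database.

```sql
-- Constructed setup mirroring the quoted session (assumption: the thread's
-- original setup is not shown in this message).
CREATE ROLE test_role;
CREATE TABLE test (val int);
INSERT INTO test VALUES (1);
CREATE MATERIALIZED VIEW test_mv AS SELECT val FROM test;
ALTER MATERIALIZED VIEW test_mv OWNER TO test_role;  -- owner has no SELECT on test

-- Audit: materialized views that cannot be refreshed because the view's
-- owner has no table-level SELECT on a referenced relation.
-- A materialized view's query is stored as a rule in pg_rewrite, and the
-- relations it reads are recorded as dependencies of that rule in pg_depend.
SELECT DISTINCT
       mv.oid::regclass              AS matview,
       pg_get_userbyid(mv.relowner)  AS matview_owner,
       src.oid::regclass             AS referenced_relation
FROM pg_class   mv
JOIN pg_rewrite rw  ON rw.ev_class = mv.oid
JOIN pg_depend  d   ON d.classid    = 'pg_rewrite'::regclass
                   AND d.objid      = rw.oid
                   AND d.refclassid = 'pg_class'::regclass
JOIN pg_class   src ON src.oid = d.refobjid
WHERE mv.relkind = 'm'                          -- materialized views only
  AND src.oid <> mv.oid                         -- skip the rule's link to its own view
  AND src.relkind IN ('r', 'p', 'v', 'm', 'f')  -- tables, partitioned tables, views, matviews, foreign tables
  AND NOT has_table_privilege(mv.relowner, src.oid, 'SELECT')
ORDER BY 1, 3;

-- Constructed cleanup.
DROP MATERIALIZED VIEW test_mv;
DROP TABLE test;
DROP ROLE test_role;
```

The check is table-level only, so an owner holding column-level SELECT grants can appear as a false positive. Running it before pg_dump shows which views would fail at the refresh step of a restore.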