| From: | Nathan Bossart <nathan(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Reintroduce MAINTAIN privilege and pg_maintain predefined role. |
| Date: | 2024-03-13 19:52:44 |
| Message-ID: | E1rkUea-003dvO-7q@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Reintroduce MAINTAIN privilege and pg_maintain predefined role.
Roles with MAINTAIN on a relation may run VACUUM, ANALYZE, REINDEX,
REFRESH MATERIALIZE VIEW, CLUSTER, and LOCK TABLE on the relation.
Roles with privileges of pg_maintain may run those same commands on
all relations.
This was previously committed for v16, but it was reverted in
commit 151c22deee due to concerns about search_path tricks that
could be used to escalate privileges to the table owner. Commits
2af07e2f74, 59825d1639, and c7ea3f4229 resolved these concerns by
restricting search_path when running maintenance commands.
Bumps catversion.
Reviewed-by: Jeff Davis
Discussion: https://postgr.es/m/20240305161235.GA3478007%40nathanxps13
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/ecb0fd33720fab91df1207e85704f382f55e1eb7
Modified Files
--------------
doc/src/sgml/ddl.sgml | 35 +++++--
doc/src/sgml/func.sgml | 2 +-
doc/src/sgml/ref/alter_default_privileges.sgml | 4 +-
doc/src/sgml/ref/analyze.sgml | 6 +-
doc/src/sgml/ref/cluster.sgml | 10 +-
doc/src/sgml/ref/grant.sgml | 3 +-
doc/src/sgml/ref/lock.sgml | 4 +-
doc/src/sgml/ref/refresh_materialized_view.sgml | 5 +-
doc/src/sgml/ref/reindex.sgml | 23 ++--
doc/src/sgml/ref/revoke.sgml | 2 +-
doc/src/sgml/ref/vacuum.sgml | 6 +-
doc/src/sgml/user-manag.sgml | 12 +++
src/backend/catalog/aclchk.c | 15 +++
src/backend/commands/analyze.c | 13 ++-
src/backend/commands/cluster.c | 43 ++++++--
src/backend/commands/indexcmds.c | 34 +++---
src/backend/commands/lockcmds.c | 2 +-
src/backend/commands/matview.c | 3 +-
src/backend/commands/tablecmds.c | 18 ++--
src/backend/commands/vacuum.c | 76 ++++++++------
src/backend/postmaster/autovacuum.c | 1 +
src/backend/utils/adt/acl.c | 8 ++
src/bin/pg_dump/dumputils.c | 1 +
src/bin/pg_dump/t/002_pg_dump.pl | 2 +-
src/bin/psql/tab-complete.c | 6 +-
src/include/catalog/catversion.h | 2 +-
src/include/catalog/pg_authid.dat | 5 +
src/include/commands/tablecmds.h | 5 +-
src/include/commands/vacuum.h | 5 +-
src/include/nodes/parsenodes.h | 3 +-
src/include/utils/acl.h | 5 +-
.../expected/cluster-conflict-partition.out | 8 +-
.../specs/cluster-conflict-partition.spec | 2 +-
src/test/perl/PostgreSQL/Test/AdjustUpgrade.pm | 11 ++
src/test/regress/expected/cluster.out | 7 ++
src/test/regress/expected/create_index.out | 4 +-
src/test/regress/expected/dependency.out | 22 ++--
src/test/regress/expected/privileges.out | 116 +++++++++++++++++----
src/test/regress/expected/rowsecurity.out | 34 +++---
src/test/regress/sql/cluster.sql | 5 +
src/test/regress/sql/dependency.sql | 2 +-
src/test/regress/sql/privileges.sql | 67 ++++++++++++
42 files changed, 457 insertions(+), 180 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alexander Korotkov | 2024-03-14 00:18:17 | pgsql: Improve documentation for pg_stat_checkpointer fields |
| Previous Message | Robert Haas | 2024-03-13 19:13:25 | pgsql: Add the system identifier to backup manifests. |