| From: | David Wheeler <dwheeler(at)dgitsystems(dot)com> |
|---|---|
| To: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Cc: | Cameron Redpath <credpath(at)dgitsystems(dot)com> |
| Subject: | Permission inconsistency with views that call functions |
| Date: | 2021-02-23 03:32:11 |
| Message-ID: | PS2PR06MB2551F46C4FE553D1C2053741DD809@PS2PR06MB2551.apcprd06.prod.outlook.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi all
I’m seeing some inconsistency with how permissions are enforced within views. In particular, if the view accesses a table directly, then the table is accessible, however if the view uses a function to access the table then permission is denied.
Here’s a demonstration (from pg13.0)
createdb temp
psql temp <<\EOF
create schema hidden;
create table hidden.tab (col1 text);
insert into hidden.tab values ('abc');
create function test() returns text[] as $$
select array_agg(col1) from hidden.tab;
$$ language sql stable;
create view tv1 as select test();
create view tv2 as select array_agg(col1) from hidden.tab;
grant select on tv1 to public;
grant select on tv2 to public;
create user test password 'test' login;
EOF
PGPASSWORD=test psql -U test temp <<\EOF
\echo select * from tv1;
select * from tv1;
\echo ---------------
\echo select * from tv2;
select * from tv2;
set jit_inline_above_cost to -1;
\echo ---------------
\echo select * from tv1; -- no jit inlining
select * from tv1;
EOF
OUTPUT
ERROR: permission denied for schema hidden
LINE 2: select array_agg(col1) from hidden.tab;
^
QUERY:
select array_agg(col1) from hidden.tab;
CONTEXT: SQL function "test" during inlining
---------------
select * from tv2;
array_agg
-----------
{abc}
(1 row)
SET
---------------
select * from tv1; -- no jit inlining
ERROR: permission denied for schema hidden
LINE 2: select array_agg(col1) from hidden.tab;
^
QUERY:
select array_agg(col1) from hidden.tab;
CONTEXT: SQL function "test" during inlining
Is this expected/desirable? Any ideas how I can work around it, short of inlining every function manually (if that’s even possible) or granting access to the “hidden” schema?
Thanks in advance!
Best regards,
David Wheeler, Inomial Architect
E. dwheeler(at)dgitsystems(dot)com<mailto:dwheeler(at)dgitsystems(dot)com>
313 La Trobe Street, Victoria 3000, Australia
+61 3 8820 5200
MELBOURNE . DENPASAR . AUCKLAND
WWW.DGITSYSTEMS.COM<http://www.dgitsystems.com/>
[signature_414257395]<https://www.dgitsystems.com/>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Santosh Udupi | 2021-02-23 03:43:36 | Re: pg_restore - generated column - not populating |
| Previous Message | Michael Lewis | 2021-02-23 02:33:27 | Re: Simple IN vs IN values performace |