From: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
---|---|
To: | Fujii Masao <masao(dot)fujii(at)oss(dot)nttdata(dot)com> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, Christophe Pettus <xof(at)thebuild(dot)com>, vaibhave postgres <postgresvaibhave(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Noah Misch <noah(at)leadboat(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org, vsekar(at)microsoft(dot)com |
Subject: | Re: vacuumdb: permission denied for schema "pg_temp_7" |
Date: | 2024-09-24 14:26:21 |
Message-ID: | ZvLMDXv1XrxuJfT3@nathan |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Tue, Sep 24, 2024 at 11:20:43PM +0900, Fujii Masao wrote:
> On 2024/09/24 10:08, Michael Paquier wrote:
>> About the permission restrictions depending on the objects listed, the
>> filtering query uses currently a list of VALUES in a CTE. Perhaps it
>> would be more elegant to switch that to a SELECT with some
>> has_schema_privilege() for the cases where OBJFILTER_SCHEMA is
>> used?
>>
>> There permission checks with USAGE and MAINTAIN are broader, so I'd
>> choose to add a skip on the temp persistence first and backpatch it
>> down to 12 as there is also a performance argument. Then tackle the
>> rest by reworking the VALUES part in the CTE.
>
> Are you suggesting that any objects a user lacks sufficient privileges for
> should be silently excluded from vacuuming? This could make vacuumdb appear
> successful because no errors occur, but some tables the user intended to
> vacuum might be skipped without notice. That seems more problematic to me.
Yeah, this is what I mentioned upthread [0]. If the user doesn't specify
anything in --table or --schema, then it's probably fine to silently skip
objects for which they lack privileges. But if they do explicitly specify
a table or schema that they cannot vacuum, then IMHO it'd be better to
fail.
[0] https://postgr.es/m/Zu3iMzfiGBTbg3iy%40nathan
--
nathan
From | Date | Subject | |
---|---|---|---|
Next Message | Nathan Bossart | 2024-09-24 14:30:21 | Re: vacuumdb: permission denied for schema "pg_temp_7" |
Previous Message | Fujii Masao | 2024-09-24 14:20:43 | Re: vacuumdb: permission denied for schema "pg_temp_7" |