Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vvGw1-00BQn1-1I for pgsql-bugs@arkaria.postgresql.org; Wed, 25 Feb 2026 15:36:21 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vvGvz-006kgT-0g for pgsql-bugs@arkaria.postgresql.org; Wed, 25 Feb 2026 15:36:19 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vvGvy-006kgK-35 for pgsql-bugs@lists.postgresql.org; Wed, 25 Feb 2026 15:36:18 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1vvGvv-000000018ZV-0rld for pgsql-bugs@lists.postgresql.org; Wed, 25 Feb 2026 15:36:17 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 61PFaDRH179449; Wed, 25 Feb 2026 10:36:13 -0500 From: Tom Lane To: Robert Haas cc: =?UTF-8?Q?=C3=81lvaro_Herrera?= , Virender Singla , pgsql-bugs@lists.postgresql.org, Aniket Jha Subject: Re: Major Version Upgrade failure due to orphan roles entries in catalog In-reply-to: References: <202502131716.7mgkcnrem2hn@alvherre.pgsql> <2939991.1740089974@sss.pgh.pa.us> Comments: In-reply-to Robert Haas message dated "Wed, 25 Feb 2026 08:59:04 -0500" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <179447.1772033773.1@sss.pgh.pa.us> Date: Wed, 25 Feb 2026 10:36:13 -0500 Message-ID: <179448.1772033773@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Robert Haas writes: > I recently learned of a case where this commit caused role grants to > be erroneously emitted from the output of pg_dumpall. In the case in > question, a v16 pg_dumpall was used against an older server. Hence, > dump_grantors was false, and any generated GRANT commands would not > have included in the grantor anyway. Nevertheless, this logic caused > those grants to be skipped altogether: > ... > If you do this on v15 and then run v15's pg_dumpall, it will dump > "GRANT foo to bar", with no GRANTOR clause due to the PQgetisnull() > gating that logic. v16's pg_dumpall will dump nothing and emit a > warning instead. Arguably, pre-v16 pg_dumpall shouldn't EVER be > dumping the grantor since the grantorid could be an old role OID that > has been recycled for a new role, and relying on that for anything > security-critical seems like a mistake, but that behavior is also > longstanding. But omitting the grant altogether seems like an > overreaction. I understand that we need to do that when the *member* > is invalid, of course; in that case, there's no alternative. But > that's not the case for the grantor. Hmm. As per the commit message, Pre-v16 branches already coped with dangling grantor OIDs by simply omitting the GRANTED BY clause. I left that behavior as-is, although it's somewhat inconsistent with the behavior of later branches. So what you're saying is that I should have made the later branches do that also. I guess it's arguably better than dropping the grant altogether ... but the end result will be that the grant is now granted by the superuser running the restore, which doesn't seem very good either. regards, tom lane