public inbox for [email protected]
help / color / mirror / Atom feedFrom: David G. Johnston <[email protected]>
To: Euler Taveira <[email protected]>
Cc: Álvaro Rodríguez <[email protected]>
Cc: [email protected]
Cc: Javier Maellas <[email protected]>
Cc: Diego Revenga <[email protected]>
Subject: Re: pg_dumpall can't be restored with different bootstrap superuser
Date: Tue, 5 May 2026 11:59:48 -0700
Message-ID: <CAKFQuwZYVes3zgoDU=FXxQxNnR8A1D4wtge8n0wnj9kUeLpcZA@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <CA+C_kKWHMP4c56jx1BPvP1jmjp2pmBu0Cw07fPVECUmkJSnT4w@mail.gmail.com>
<[email protected]>
On Tue, May 5, 2026 at 11:23 AM Euler Taveira <[email protected]> wrote:
> On Tue, May 5, 2026, at 7:51 AM, Álvaro Rodríguez wrote:
> >
> > We have hit an issue with pg_dumpall --roles-only where the role grants
> > to other roles can't be reapplied in a clean database, if the bootstrap
> > superuser does not have the same name in both databases.
> >
>
> This is not a bug.
> Maybe we should
> add a sentence saying that GRANT on roles requires the same bootstrap user.
>
>
This does seem to contradict the claim in create role:
SUPERUSER
These clauses determine whether the new role is a “superuser”, who can
override all access restrictions within the database.
This at least feels like an access restriction being applied to a
superuser. IIUC, the reason the bootstrap superuser doesn't get this
applied is because as owner of all roles in a system they alone can bypass
the "with admin" privilege check.
This may not be a bug in the code but it seems a reasonable indicator that
our documentation hasn't imparted a solid mental model as to how this is
supposed to behave in the new, more locked down, regime.
I wouldn't object to giving pg_dumpall a --bootstrap-name parameter though,
to avoid having to tell people to perform string munging on its output. We
already have a --no-owner option to pg_dump, this doesn't seem all that
different. (Or --no-granted-by-on-role-grants ?) (Or make --no-owner on
pg_dumpall apply here.)
David J.
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: pg_dumpall can't be restored with different bootstrap superuser
In-Reply-To: <CAKFQuwZYVes3zgoDU=FXxQxNnR8A1D4wtge8n0wnj9kUeLpcZA@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox