Re: BUG #19379: Role pg_read_all_data don't allowed read large objects

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Andres Freund <[email protected]>
To: David G. Johnston <[email protected]>
Cc: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: BUG #19379: Role pg_read_all_data don't allowed read large objects
Date: Thu, 15 Jan 2026 08:45:40 -0500
Message-ID: <r5a3aqlrrqen2snktdmx5tjeoakp3hmbektlqmeqhij3fqqez4@zmx3bdscipny> (raw)
In-Reply-To: <CAKFQuwZbtoAs1Ew62aC25R1r7i=M1J_3UmCsssidwDn2Xe6XhA@mail.gmail.com>
References: <[email protected]>
	<CAKFQuwZbtoAs1Ew62aC25R1r7i=M1J_3UmCsssidwDn2Xe6XhA@mail.gmail.com>

Hi,

On 2026-01-15 06:36:35 -0700, David G. Johnston wrote:
> On Thursday, January 15, 2026, PG Bug reporting form <[email protected]>
> wrote:
>
> > The following bug has been logged on the website:
> >
> > Bug reference:      19379
> > Logged by:          Misha Shaygu
> > Email address:      [email protected]
> > PostgreSQL version: 17.7
> > Operating system:   Kubuntu 24.04
> > Description:
> >
> > My goal: create role for backup any database on server
> >
> > Steps:
> > 1. CREATE USER backup_user;
> > 2. GRANT pg_read_all_data TO backup_user;
> > 3. pg_dump my_db
> > 4. got error to read large object
> >
> > Following by links
> > https://www.postgresql.org/docs/17/predefined-roles.html
> > https://www.postgresql.org/docs/17/lo-implementation.html
> > "SELECT privileges are required to read a large object" and role
> > "pg_read_all_data" grant it, but it don't work!
> >
> > Please fix it, thanks!
> >
>
> The docs you link note that all data is “tables, views, sequences”.  Large
> objects are not listed.  Maybe that means the name is a bit misleading but
> it’s working as documented.
>
> Likewise, the LO page doesn’t say anything about read all being applicable.

It's not contradicting our docs, but I think it likely still is an
oversight. The goal of pg_read_all_data [1] was to allow running pg_dump
without having to grant granular access, not being able to run pg_dump
successfully due to LOs prevents that.

This doesn't seem like something we're going to fix in a minor version
though...

Greetings,

Andres Freund

[1] http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=6c3ffd697e2242f5497ea4b40fffc8f6f922ff...
> A commonly requested use-case is to have a role who can run an
> unfettered pg_dump without having to explicitly GRANT that user access
> to all tables, schemas, et al, without that role being a superuser.

view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: BUG #19379: Role pg_read_all_data don't allowed read large objects
  In-Reply-To: <r5a3aqlrrqen2snktdmx5tjeoakp3hmbektlqmeqhij3fqqez4@zmx3bdscipny>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox