Message-ID: <508f71c4-f1b1-4685-921d-bec8b361be10@aklaver.com>
Date: Wed, 30 Jul 2025 09:21:08 -0700
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
To: Dominique Devienne
Cc: pgsql-general@lists.postgresql.org
From: Adrian Klaver

On 7/30/25 08:47, Dominique Devienne wrote:
> On Wed, Jul 30, 2025 at 5:23 PM Adrian Klaver wrote:
>> On 7/30/25 04:37, Dominique Devienne wrote:
>>> Are there special considerations I'm unaware of, regarding SET ROLE
>>> inside routines?
>
>> What is the ROLE that defined the function?
>
> A 3rd role. But does it matter? Given that this is in SECURITY INVOKER function?

My mistake, a BC (Before Coffee) issue.

> The function and the table belong to yet another role.
> And when we enter the function, we're yet another one (obviously with
> USAGE+EXECUTE, since could call it).
> But once we SET LOCAL ROLE, the effective permissions used should be
> for :OWNER1 and the inherited :SOWNER.

Could this be a search_path and/or naming issue, where the table
SchemaMapping appears in more than one schema or different name case?

-- 
Adrian Klaver
adrian.klaver@aklaver.com
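
One way to check the search_path and name-case question raised above, as an added example that is not part of the original message or written by either poster. It assumes only the table name SchemaMapping from the thread and is meant to be run in the same session and transaction, directly after the SET LOCAL ROLE being tested.

```sql
-- Added diagnostic (not from the thread): which role and search_path are
-- actually in effect at this point in the transaction?
SELECT current_user,                          -- role after SET LOCAL ROLE
       session_user,                          -- role that opened the connection
       current_schemas(true) AS effective_search_path;

-- Every relation named "SchemaMapping" in any letter case, in any schema,
-- with the privileges the current role holds on it.
SELECT n.nspname                            AS schema_name,
       c.relname                            AS exact_name,   -- case as stored
       c.relkind,
       pg_get_userbyid(c.relowner)          AS owner,
       has_schema_privilege(n.oid, 'USAGE') AS schema_usage,
       has_table_privilege(c.oid, 'SELECT') AS can_select,
       -- position of the schema in the effective search_path;
       -- NULL means an unqualified name can never resolve to this row
       array_position(current_schemas(true), n.nspname) AS search_path_rank
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  lower(c.relname) = lower('SchemaMapping')
AND    c.relkind IN ('r', 'p', 'v', 'm', 'f')  -- tables, views, foreign tables
ORDER  BY search_path_rank NULLS LAST, n.nspname, c.relname;
```

An unquoted SchemaMapping is folded to schemamapping and resolves to the matching row with the lowest search_path_rank, while a quoted "SchemaMapping" matches only a row whose exact_name has that case. More than one row, or a first-ranked row with schema_usage or can_select false, points to the kind of mismatch asked about.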