Message-ID: <662792ed-810d-46f1-a0c3-d4b55e5469fc@aklaver.com>
Date: Wed, 30 Jul 2025 12:42:39 -0700
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
From: Adrian Klaver
To: Dominique Devienne
Cc: pgsql-general@lists.postgresql.org
In-Reply-To: <508f71c4-f1b1-4685-921d-bec8b361be10@aklaver.com>

On 7/30/25 09:21, Adrian Klaver wrote:
> On 7/30/25 08:47, Dominique Devienne wrote:
>> On Wed, Jul 30, 2025 at 5:23 PM Adrian Klaver wrote:
>>> On 7/30/25 04:37, Dominique Devienne wrote:
>>>> Are there special considerations I'm unaware of, regarding SET ROLE
>>>> inside routines?
>>
>>> What is the ROLE that defined the function?
>>
>> A 3rd role. But does it matter? Given that this is in a SECURITY INVOKER
>> function?
>
> My mistake, a BC (Before Coffee) issue.
>
>> The function and the table belong to yet another role.
>> And when we enter the function, we're yet another one (obviously with
>> USAGE+EXECUTE, since we could call it).
>> But once we SET LOCAL ROLE, the effective permissions used should be
>> for :OWNER1 and the inherited :SOWNER.
>
> Could this be a search_path and/or naming issue, where the table
> SchemaMapping appears in more than one schema or different name case?
> If the above is not the issue, then a simple test case:

-- As a role with ADMIN OPTION on db_user (e.g. a superuser)
grant db_user to app_user with set true, inherit true;

-- As db_user
create table fnc_set_role_test(id integer, fld1 varchar);
insert into fnc_set_role_test values (1, 'test');

CREATE OR REPLACE FUNCTION public.role_set()
 RETURNS void
 LANGUAGE plpgsql
AS $function$
BEGIN
    -- SECURITY INVOKER (the default): runs as the caller, then switches to db_user
    EXECUTE format('SET LOCAL ROLE %I', 'db_user');
    raise notice 'CURRENT_USER = %, can DELETE = %',
        CURRENT_USER, has_table_privilege('fnc_set_role_test', 'DELETE');
    DELETE FROM fnc_set_role_test;
END;
$function$
;

-- As app_user
\c - app_user

select * from fnc_set_role_test ;

select role_set();
NOTICE:  CURRENT_USER = db_user, can DELETE = t
 role_set
----------

(1 row)

select * from fnc_set_role_test ;
 id | fld1
----+------
(0 rows)

My suspicion is that there is a missing piece in your chain of roles.

-- 
Adrian Klaver
adrian.klaver@aklaver.com
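To make the "chain of roles" Adrian is pointing at explicit, the following is an added, self-contained example; it is not from this thread or from either poster. The role, schema and table names (sowner, owner1, fn_owner, app_user, sdata.schema_mapping, api.delete_mapping) are made up, and it assumes PostgreSQL 16 or later for the WITH SET / INHERIT grant options and the matching set_option / inherit_option columns in pg_auth_members. It builds the three-role chain the original poster describes (caller -> switched-to role -> data owner, with the function owned by an unrelated fourth role), checks each link with pg_has_role and pg_auth_members before relying on it, lists the two distinct ways the chain can be broken, and shows that SET LOCAL ROLE inside the function lasts until the end of the transaction, not until the function returns.

```sql
-- Added example, not from the thread. Names are hypothetical; PostgreSQL 16+ assumed.

-- Run as a superuser (or a role with CREATEROLE and ADMIN OPTION on these roles).
CREATE ROLE sowner   NOLOGIN;   -- owns the data
CREATE ROLE owner1   NOLOGIN;   -- the role the function switches to
CREATE ROLE fn_owner NOLOGIN;   -- owns the function (a third, unrelated role)
CREATE ROLE app_user LOGIN;     -- the caller; holds no privilege on the data itself

-- The two links a SET LOCAL ROLE inside the function depends on:
--   app_user -> owner1 : SET TRUE is what permits "SET LOCAL ROLE owner1".
--   owner1   -> sowner : INHERIT TRUE is what lets owner1 exercise sowner's
--                        table privileges without a second SET ROLE.
GRANT owner1 TO app_user WITH SET TRUE, INHERIT TRUE;
GRANT sowner TO owner1   WITH INHERIT TRUE;

-- Data owned by sowner. app_user is deliberately given nothing on sdata.
CREATE SCHEMA sdata AUTHORIZATION sowner;
SET ROLE sowner;
CREATE TABLE sdata.schema_mapping (id integer PRIMARY KEY, target text NOT NULL);
INSERT INTO sdata.schema_mapping VALUES (1, 'tenant_a'), (2, 'tenant_b');
RESET ROLE;

-- Function owned by fn_owner; SECURITY INVOKER, so it starts out as the caller.
CREATE SCHEMA api AUTHORIZATION fn_owner;
GRANT USAGE ON SCHEMA api TO app_user;   -- EXECUTE on the function is PUBLIC by default
SET ROLE fn_owner;
CREATE FUNCTION api.delete_mapping(p_id integer) RETURNS bigint
LANGUAGE plpgsql SECURITY INVOKER AS $$
DECLARE
    n bigint;
BEGIN
    RAISE NOTICE 'before switch: current_user=%, can DELETE=%',
        current_user, has_table_privilege('sdata.schema_mapping', 'DELETE');
    -- Needs the caller's membership in owner1 to carry the SET option.
    SET LOCAL ROLE owner1;
    RAISE NOTICE 'after switch:  current_user=%, session_user=%, can DELETE=%',
        current_user, session_user, has_table_privilege('sdata.schema_mapping', 'DELETE');
    DELETE FROM sdata.schema_mapping WHERE id = p_id;
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$$;
RESET ROLE;

-- As the caller (psql meta-command; assumes app_user can authenticate).
\c - app_user

-- Check both links of the chain before trusting the function.
SELECT pg_has_role(current_user, 'owner1', 'SET')  AS app_user_can_set_owner1,  -- expect t
       pg_has_role('owner1', 'sowner', 'USAGE')    AS owner1_inherits_sowner;   -- expect t

SELECT r.rolname AS granted_role, m.rolname AS member, am.set_option, am.inherit_option
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  m.rolname IN ('app_user', 'owner1')
ORDER  BY member, granted_role;

-- SET LOCAL is transaction-scoped: the switch outlives the function call.
BEGIN;
SELECT api.delete_mapping(1);   -- NOTICE before: app_user / f ; after: owner1 / t ; returns 1
SELECT current_user;            -- still owner1 until the transaction ends
COMMIT;
SELECT current_user;            -- app_user again

-- Two ways the chain breaks (re-run the GRANT as superuser, then call again):
--   GRANT owner1 TO app_user WITH SET FALSE;
--     -> the SET LOCAL ROLE itself fails: permission denied to set role "owner1"
--   GRANT sowner TO owner1 WITH INHERIT FALSE;
--     -> the switch succeeds, can DELETE=f, and the DELETE fails with
--        permission denied for table schema_mapping (owner1 holds nothing of its own)
```

The second check query is the one to run first when a switch "succeeds" but the statement after it is refused: a membership that carries set_option but whose next link lacks inherit_option produces exactly the symptom in the original question. The transaction block is worth keeping in mind from the security side as well: any statement a caller issues after the function in the same transaction also runs as owner1 until COMMIT or ROLLBACK.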