public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: Thomas Nyberg <[email protected]>
Cc: [email protected]
Subject: Re: What permissions are required for e.g. EXPLAIN UPDATE ...
Date: Thu, 04 Apr 2024 14:44:30 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
Thomas Nyberg <[email protected]> writes:
> Or put another way, does an EXPLAIN UPDATE on a table really require
> UPDATE permissions to run? Why can't it be done without UPDATE
> permissions?
IIRC, the reasoning is this: should you be allowed to run an EXPLAIN
on a table that you have no permissions for at all? We've felt that
the answer to that has to be "no". An example of why not is that
EXPLAIN must take at least a shared lock on the table, which should
not be allowed to someone without any permissions.
Having decided that, the next question is what permissions are enough,
and we've concluded that "the same as it'd take to actually run the
query" is a perfectly appropriate answer. That in turn lets us
decide that "what strength of table lock should be taken?" can be
answered the same for EXPLAIN as for the underlying query. This
simplifies life by not requiring there to be different code paths
for EXPLAIN and normal query running in various places.
regards, tom lane
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: What permissions are required for e.g. EXPLAIN UPDATE ...
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox