Re: Clarification on Role Access Rights to Table Indexes

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Tom Lane <[email protected]>
To: Ayush Vatsa <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: David G. Johnston <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: Clarification on Role Access Rights to Table Indexes
Date: Mon, 17 Feb 2025 17:02:03 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <CACX+KaPv4apqG3=Ef+FB9nn4C4cd6Z+604ej0PPOHKExH45u2A@mail.gmail.com>
References: <CACX+KaMz2ZoOojh0nQ6QNBYx8Ak1Dkoko=D4FSb80BYW+o8CHQ@mail.gmail.com>
	<[email protected]>
	<CAKFQuwZ+EsCJHmBVdHeJ2XUWUBSGtN8k2icrX2hrPR=m7sLNGg@mail.gmail.com>
	<[email protected]>
	<CACX+KaMiZaFWVxYzZ_Lw-EBKgiO5GEBHmHREqs=GDpM88hRqdw@mail.gmail.com>
	<[email protected]>
	<CA+TgmobSc_x6thvXZvHoni5Gs5-wsxyTRiOMKoeuX5br0PCtDA@mail.gmail.com>
	<CACX+KaPv4apqG3=Ef+FB9nn4C4cd6Z+604ej0PPOHKExH45u2A@mail.gmail.com>

Ayush Vatsa <[email protected]> writes:
> Thanks Robert for confirming, let me submit a patch to fix the same.

Well, the first thing you need is consensus on what the behavior
should be instead.

I have a very vague recollection that we concluded that SELECT
privilege was a reasonable check because if you have that you
could manually prewarm by reading the table.  That would lead
to the conclusion that the minimal fix is to look at the owning
table's privileges instead of the index's own privileges.

Or we could switch to using ownership, which'd keep the code
simple but some users might complain it's too restrictive.

While I mentioned built-in roles earlier, I now think those mostly
carry more privilege than should be required here, given the analogy
to SELECT.

			regards, tom lane

view thread (15+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Clarification on Role Access Rights to Table Indexes
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox