Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uhVhJ-000lhu-IC for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 16:00:01 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uhVhI-0028Qi-C8 for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 16:00:00 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uhVhI-0028Qa-1I for pgsql-general@lists.postgresql.org; Thu, 31 Jul 2025 16:00:00 +0000 Received: from mail-lf1-x129.google.com ([2a00:1450:4864:20::129]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uhVhE-0002Uu-2z for pgsql-general@lists.postgresql.org; Thu, 31 Jul 2025 15:59:58 +0000 Received: by mail-lf1-x129.google.com with SMTP id 2adb3069b0e04-553dceb342fso948641e87.0 for ; Thu, 31 Jul 2025 08:59:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1753977596; x=1754582396; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=QVoiBTEDTSgSwY30Udam2HB3fUD8MlwjYf/KpLzH6Mw=; b=DRXtis7wx30UPG5RMYvW3kZ11KAL0DtG+hsD0s5yQO8M6wr/KbwwZTAl9qit6kfXMw PMuFoU8TuhCcyvjk6BK00R+L+ArKO7RGt/h59ljW7iVe4vff4ftXhDvn7Znac0Yu+iDb 5UxOPk8Qs3HuupgWrtNz+fL0bcVRDnbpdGl27fL1l/xpk7ns/ojoivzu6d8O7PWC9VDx 9qKb+2uWgF99Gp9oN+cM9qxDNsm6L9pubQscIKf//1WvaSlquwexnVc5/oHZHPSXAUvS MUUNgIuMl9D7uMKQaq4X3OnX+/L5C7xzNfTysfUs1VBnbJqlYq/NvnxYe5oZZaz+XmNS UxDA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1753977596; x=1754582396; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QVoiBTEDTSgSwY30Udam2HB3fUD8MlwjYf/KpLzH6Mw=; b=gcvFg8fd+zEeqLaOY+gpeVLqs0rvMKx9XE1dWL9U2DEHf8rNuZJIpozZHyFPpbZ8Pl vHlMrnLxBq5B0a6xi3gIBjSbmAr+3uBg19rJg/kBu1nJ/pgkYO+d5OQK+gyZNd47jIop 2mkhkX3wN+XmzePF6or4JRvDDgNNoyLelHBNAiNiunpRRzDZOJwZSJMondCcVqW6uxVR cBBH+mDfuhV1LuuVgY4GgWt8cBzQk059JQzqZ8NB/2J+V9T3FkoTm6Jjks9i7ghHZKHy 0/HBkzgMLJIOldrl/z9aQZWJT/9dkz8dqzzbYxjJkvK1xcQzW9aS0SvWzr/ceHMDL97R Wm7g== X-Forwarded-Encrypted: i=1; AJvYcCXmBncRD28Lc/FFlEjY4M/m3uqQCONhCIMyyBJ3WPGzUZLKG5oK1KQueS8sHDTv7dTcsVOsorqafaWRzCOs@lists.postgresql.org X-Gm-Message-State: AOJu0Yzt+pBdP03Z0IdImTT2I2WVMFhtbPpw0niDupM8Dyk9TsHuVQAr p5jXcJ3EAdZSZOGOeUCG/c73ZpqQQvhLbvSodQZIYped4ufeU2h2fcz5e+cYbURL1Mm2+Or39wz HSrwukUpB3vDCibgdbMae8PHsayJNsEII5g== X-Gm-Gg: ASbGncv6gsG6lmmOTFTErBqu4Ur8rg41ZrQ5oK4mRPsafTJS7AAf/+cpCp2crJRvq+S 5ho/YwQgTooBEI0tN/kFXsHdgijcVX+cxTCaRraAUn9E6/BAPjqFm8vPAXa2M7xalssUAlL7CCV DDQrLkv81Kc10b1E5nq007n2k3imh/+ZvycBD5srWtoPja3h/gy+c2wG+/vuX9geKgJE5haD3++ QfbvW46mJTVRbW15k2h X-Google-Smtp-Source: AGHT+IHt8Ep9KYPPm650dfpqJEFFukCD0vYHMoNP8qVhNaJI+oFVS3JP8rKYY8Wn2qntOhZmKbRrNBi3qOIYgCyGlcI= X-Received: by 2002:ac2:4e14:0:b0:553:a77f:9c47 with SMTP id 2adb3069b0e04-55b7c084834mr2003532e87.30.1753977595774; Thu, 31 Jul 2025 08:59:55 -0700 (PDT) MIME-Version: 1.0 References: <508f71c4-f1b1-4685-921d-bec8b361be10@aklaver.com> <662792ed-810d-46f1-a0c3-d4b55e5469fc@aklaver.com> <693d1252-89e4-498d-a5a6-5de6524bbb34@dalibo.com> <2071880.1753971113@sss.pgh.pa.us> In-Reply-To: <2071880.1753971113@sss.pgh.pa.us> From: Dominique Devienne Date: Thu, 31 Jul 2025 17:59:42 +0200 X-Gm-Features: Ac12FXwBQflzu5pT4yOl72KeKvYlaQmwQyrZ6eHOagjWDUvkJ3yM1IFxHh8BWso Message-ID: Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function To: Tom Lane Cc: Guillaume Lelarge , pgsql-general@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Jul 31, 2025 at 4:11=E2=80=AFPM Tom Lane wrote: > Dominique Devienne writes: > > On Thu, Jul 31, 2025 at 11:35=E2=80=AFAM Guillaume Lelarge > > wrote: > >> It doesn't lie. The role has DELETE privilege. I guess what it lacks i= s > >> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you nee= d > >> the SELECT privilege to perform the WHERE. Without "WHERE ...", it wou= ld > >> work without the SELECT privilege. > > > Right on the money! Merci Guillaume!!! --DD > > So the real problem here is that the "permission denied" error message > doesn't tell you which permission you lack. I think we've had prior > discussions about improving that, but it never got done. Indeed, a hint would have helped I'm sure. But also, it's weird DELETE allows you to delete all rows. Yet prevents you from deleting just one, i.e. a subset. I get it, a WHERE needs to read, so needs SELECT. Still, it obviously tripped me up here. And it's my bad.