Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sgatK-004inM-NT for pgsql-general@arkaria.postgresql.org; Wed, 21 Aug 2024 02:16:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sgatG-005bng-Mh for pgsql-general@arkaria.postgresql.org; Wed, 21 Aug 2024 02:16:03 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sgVo7-003VYu-By for pgsql-general@lists.postgresql.org; Tue, 20 Aug 2024 20:50:23 +0000 Received: from mail-vk1-xa33.google.com ([2607:f8b0:4864:20::a33]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sgVo5-000clS-4m for pgsql-general@lists.postgresql.org; Tue, 20 Aug 2024 20:50:22 +0000 Received: by mail-vk1-xa33.google.com with SMTP id 71dfb90a1353d-4f511fddfcfso2163612e0c.1 for ; Tue, 20 Aug 2024 13:50:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dbtune.com; s=google; t=1724187020; x=1724791820; darn=lists.postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=o98LSZyGS41m1O/dBvmOHBdtI2PKX0vbUBPWgyVczag=; b=erH8XgSBdYK9F1a/UY2lcS18cB8Ua7VVomvHRfzLAG/1Bf+JgfV3OkoSnoI4RtHzTM fPFURaeId+9hDNcy+jpg1o5cjcM0toqvIr0jhgRvMxYnrWIk07PlcKQ+rguDNPHZjp2u /1gr1ikt4CySAIHgQarFLyC/TJ0XOJ8sU14282rtZ0jFx9qupp5TuRTvbqIA8ZHUKZ1m 8hI5ac7JgexP5fPeMXeWlI0a4sV16nWn9YAhjBz30x7epH3UgDbvDcNH+gK7lO5pAfHk Phudbk7pP2VvqqJKVsHWezjafrftM/juGPSOFM/1qXfAl/d7zFIcyQBTPmrwx0iae3lv gT0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724187020; x=1724791820; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=o98LSZyGS41m1O/dBvmOHBdtI2PKX0vbUBPWgyVczag=; b=bsGIeitwus3xA+hcp5BC2+GlCLC22DThtNqEATZ2SkZ8MjCHt2IgZZx21PCoKxEtau gGfitrVbUdYCKBHufKox3WMw/5UpJUOXWSaq33StvuXE805nyd2BPgd1ZbZCPcSYdVb9 NIl9XQDwa1Ys6KB1cU7wwDlS7KOQmRLtkA5HWu+egRuPpsDN4VWxsn8U/ygOLKrennDg tciZJeVDzIeqvzCPJvCr+YwPSn9cQ/KsCOx2fswENn4ZXkQF9A81io8jC8Zna4VSRVv4 ZQTt75ULi7rOVZVDxvgtfb4TsyyYUEMQPneZASTrx1xS0+EwQGIrjZCTMlCOfbW/jiqf 4gPQ== X-Gm-Message-State: AOJu0Yx44JnJQ0UbJsD3kObTgbI4DOgjw/NGwG4JaVaEDOXlnh4wiaJX EQQve+7qTeYjMIP4oQVO3BmlmtUb0UNXsfga/ZoAJ4zM5IjD/wNgTpZP733DBqNjEkLyb1u+0nx yc7FKSFa+eNHIRzEB9qJiyKRNqFx/RGymTrNEUyB+FuV+7+nBeOc= X-Google-Smtp-Source: AGHT+IF9MTNPhcNf+Rw9c/XhbCBUqkPLCj/lrPoMhFY9Wu6zS9HMhKLLgwT/DNLuqBlKph3OL0EHR5QomgDZRVYvtFI= X-Received: by 2002:a05:6122:1d91:b0:4f5:26c6:bf13 with SMTP id 71dfb90a1353d-4fcf39f08a6mr210436e0c.13.1724187019912; Tue, 20 Aug 2024 13:50:19 -0700 (PDT) MIME-Version: 1.0 From: Costa Alexoglou Date: Tue, 20 Aug 2024 22:50:09 +0200 Message-ID: Subject: insufficient privilege with pg_read_all_stats granted To: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="000000000000d9487106202392e8" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000d9487106202392e8 Content-Type: text/plain; charset="UTF-8" Hey folks, I run PostgreSQL v15.8 (docker official image), and there is an issue when reading pg_stat_staments table with a result of query most of the times having `` value. I have created the user that I use to fetch the data with the following way: ``` CREATE USER abcd WITH NOSUPERUSER NOCREATEROLE NOINHERIT LOGIN; GRANT pg_read_all_stats, pg_stat_scan_tables, pg_read_all_settings to abcd; GRANT pg_monitor to abcd; ``` I explicitly gave `pg_read_all_stats` and also called `pg_monitor` just to be on the safe side, but stil I get the insufficient privilege error. ``` SELECT r.rolname AS member, m.rolname AS role FROM pg_auth_members am JOIN pg_roles r ON r.oid = am.member JOIN pg_roles m ON m.oid = am.roleid WHERE m.rolname = 'pg_read_all_stats' AND r.rolname = 'abcd'; member | role --------+------------------- abcd | pg_read_all_stats (1 row) ``` I also tried with PostgreSQL v14.13, and this was not the case, it was working fine as expected. Then I tried v16.4 and v17beta3, and I faced the issue, so I guess something changed v15 onwards? --000000000000d9487106202392e8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hey folks,

I run PostgreSQL v15.8 (dock= er official image), and there is an issue when reading pg_stat_staments tab= le with a result of query most of the times having `<insufficient privil= ege>` value.

I have created the user that I use to fetch t= he data with the following way:
```
CREATE USER abcd WITH NOSUPERUSER= NOCREATEROLE NOINHERIT LOGIN;

GRANT pg_read_all_stats, pg_stat_scan= _tables, pg_read_all_settings to abcd;

GRANT pg_monitor to abcd;
=
```

I explicitly gave `pg_read_all_stats` and also called= `pg_monitor` just to be on=C2=A0the safe side, but stil I get the insuffic= ient privilege error.

```
SELECT
=C2=A0 =C2= =A0r.rolname AS member,
=C2=A0 =C2=A0m.rolname AS role
FROM
=C2=A0= =C2=A0pg_auth_members am
JOIN
=C2=A0 =C2=A0pg_roles r ON r.oid =3D a= m.member
JOIN
=C2=A0 =C2=A0pg_roles m ON m.oid =3D am.roleid
WHERE=
=C2=A0 =C2=A0m.rolname =3D 'pg_read_all_stats'
=C2=A0 =C2=A0= AND r.rolname =3D 'abcd';

=C2=A0member | =C2=A0 =C2=A0 =C2= =A0 role
--------+-------------------
=C2=A0abcd =C2=A0 | pg_read_all= _stats
(1 row)
```

I also tried w= ith PostgreSQL v14.13, and this was not the case, it was working fine as ex= pected.
Then I tried v16.4 and=C2=A0v17beta3, and I faced the <insuff= icient privilege> issue, so I guess something changed v15 onwards?
=
--000000000000d9487106202392e8--