Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1tr5Zg-00EVnP-3H
	for pgsql-hackers@arkaria.postgresql.org; Sun, 09 Mar 2025 01:35:28 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1tr5Ze-00DjyC-P5
	for pgsql-hackers@arkaria.postgresql.org; Sun, 09 Mar 2025 01:35:26 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <nathandbossart@gmail.com>)
	id 1tr5Ze-00Djxu-Ee
	for pgsql-hackers@lists.postgresql.org; Sun, 09 Mar 2025 01:35:26 +0000
Received: from mail-qk1-x72d.google.com ([2607:f8b0:4864:20::72d])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <nathandbossart@gmail.com>)
	id 1tr5Za-001m00-1w
	for pgsql-hackers@postgresql.org;
	Sun, 09 Mar 2025 01:35:25 +0000
Received: by mail-qk1-x72d.google.com with SMTP id af79cd13be357-7c53b9d66fdso181763585a.3
        for <pgsql-hackers@postgresql.org>; Sat, 08 Mar 2025 17:35:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1741484122; x=1742088922; darn=postgresql.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=LY6EET9GgyjvpZuwH1LKEWW+eyi00ek6n/20Yl6LW/M=;
        b=Pk2tLMj/S7XpVjRKp16B3Jo4LMpTLS3EMEmNk2PEqQrHO0TBYwoPvWURm3e6q+BmVP
         oUtgD8j2vlU3XWdzFSWA4p3xfc7KDiPmW6f7j6yEmTGdPaXFDhEVA53E3dU1P3Cb+Pn+
         wpq3OztHLMJU1pTkq851BM7znQHf9KDhwyTMZlK/MAdE7NtrXkQ3JwOB9k3GJTThCz3U
         q7SBLjgbXGH4BMv/qq79vNBozvp0RN0bt/R9YexIhUJZ5z/cKiDVT9iOWKgldhhHL/JZ
         qNKuSVst+3Lm3BHOhWASLccZiYv5rOJUNp/SqtAGs4Qgwd09J0hGveEfw9AjK7b/xQzB
         Zl7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1741484122; x=1742088922;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=LY6EET9GgyjvpZuwH1LKEWW+eyi00ek6n/20Yl6LW/M=;
        b=eP8ctm8H4eLC9C2Wod25sokgXsUeLWaN5+E78hLHp7D6vI1vEzPrkr6Eji3n1esoIk
         5Pg3iR4BQzd2QJcJaJ4+fAIfSolklDwy1n+Xw5GgoXk+5rcQleGtTacKxvGDkY5jTnLi
         q1V/uYC9QoSkyR9FsmT3qvE6L2x6e7omKgGeEqYV5+biAA/fpHx+93CqwVZnjcl6Njrm
         hkCPJzkmMH9MuAjFxRjouJFCC9eI7K250NmSWrbjonY3m8r/1EQicd+mQJ0GGlsr14XF
         +RbwPtcnAxwGljBKqkF8omxJGrTT95ytI/yCn6ThZHkUorAaSpBqpWrlK7vi6N4leK38
         OFxQ==
X-Forwarded-Encrypted: i=1; AJvYcCWxLzp+Qo4aj9ZgPEtPw3aLKtCvHGQhW3O1WO+nB9YZNhRY3zO0/WcxsCUPT+JbiuyZL47Jh9SUvkDHJAh1@postgresql.org
X-Gm-Message-State: AOJu0Yyjf585cNRUHvupUeppMxMyDqAxcWi7fSpO3zKtjW4BhPKWakwg
	eLPFyauVIC0jiHCf5pzXg5+CZUjIMpLusaS/cdLgOxALsspaRUgI
X-Gm-Gg: ASbGncujMyuKMl7KBZvRBpvaVSWxdH3GYr+aNjYun5SLLqsTyRgMVp+ZdxcQuo0+Y84
	rtzLw89VEiV36aMQRd/qCGAu5Mkv4Ft1OKevOaKCcZRSfpn4JIPKxIrwxjMoo9tFJayOWw5TH6j
	AY+aH7TLSdnGoAeNPjaF+3ZLes86Y6dkjIAoXLiQe/B3vuT9Zh4FSsMQFwUrRwLPOFgGRInTpkd
	MA/FhBPFjJ5Dg9GNm2XRxlts4VbN8EOBvTmGRc9K05BGv1aw3HTsADs423yg7CmEPh+2Eszmf28
	PDhe1JU2Qas9tZh6kpWdz56JR5hNGPgoNCYuOqzGMrJn3ZjD/UXf/GZj57DRqO4+70KEAVFhX8w
	uTCWwFBudcD4h1GV4p4bFtqOqb3LpcuqgCMk=
X-Google-Smtp-Source: AGHT+IE1enFH6Nl+olRxvW7kyQKvl/wZs4P1cl0C87X7pt5BmhnMUWlmyci3JJQULKVTARI8LkTI5A==
X-Received: by 2002:a05:620a:8008:b0:7c0:c0b7:32fa with SMTP id af79cd13be357-7c4e61ce682mr1654973585a.36.1741484121854;
        Sat, 08 Mar 2025 17:35:21 -0800 (PST)
Received: from nathan (162-195-168-172.lightspeed.stlsmo.sbcglobal.net. [162.195.168.172])
        by smtp.gmail.com with ESMTPSA id af79cd13be357-7c3e55207efsm440223185a.98.2025.03.08.17.35.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 08 Mar 2025 17:35:21 -0800 (PST)
Date: Sat, 8 Mar 2025 19:35:18 -0600
From: Nathan Bossart <nathandbossart@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Ayush Vatsa <ayushvatsa1810@gmail.com>,
	Robert Haas <robertmhaas@gmail.com>,
	"David G. Johnston" <david.g.johnston@gmail.com>,
	PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Subject: Re: Clarification on Role Access Rights to Table Indexes
Message-ID: <Z8zwVmGzXyDdkAXj@nathan>
References: <CA+Tgmob_W0iq9Kuugra3WYTO2429RMJ_+HkVukrXWOUN81QiEw@mail.gmail.com>
 <1246906.1739896202@sss.pgh.pa.us>
 <CA+TgmoZYM2az+yCWu5DBnV50N_BE9f1r8-Doy6-tZTySeb-s+A@mail.gmail.com>
 <CACX+KaNAbOzePn710EtzH9F5xiUdBC+u59=UMab=Wr8jgDKQtw@mail.gmail.com>
 <Z8dcGMMP3-D5dobY@nathan>
 <CACX+KaO4R9QDxbPSxSB0jNXFsqA6Jf=UPS+tyUvT_YvuP_grVA@mail.gmail.com>
 <Z8yxsm9ZWVkHlPbV@nathan>
 <CACX+KaP+6U9jf=GT4wpR7TvRvSMtTAhz=vP2Zr+ZdUFVZzqNsA@mail.gmail.com>
 <Z8y9RTT-vU6oVI_Y@nathan>
 <149429.1741472260@sss.pgh.pa.us>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <149429.1741472260@sss.pgh.pa.us>
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/Z8zwVmGzXyDdkAXj%40nathan>
Precedence: bulk

On Sat, Mar 08, 2025 at 05:17:40PM -0500, Tom Lane wrote:
> It bothers me a bit that this proposes to do something as complicated
> as pg_class_aclcheck on a table we have no lock on.  As you say, the
> lock we hold on the index would prevent DROP TABLE, but that doesn't
> mean we won't have any issues with other DDL on the table.  Still,
> taking a lock would be bad because of the deadlock hazard, and I
> think the potential for conflicts with concurrent DDL is nonzero in
> a lot of other places.  So I don't have any concrete reason to object.
> 
> ReindexIndex() faces this same problem and solves it with some
> very complex code that manages to get the table's lock first.
> But I see that it's also doing pg_class_aclcheck on a table
> it hasn't locked yet, so I don't think that adopting its approach
> would do anything useful for us here.

I noticed that amcheck's bt_index_check_internal() handles this problem,
and I think that approach could be adapted here:

	relkind = get_rel_relkind(relOid);
	if (relkind == RELKIND_INDEX || relkind == RELKIND_PARTITIONED_INDEX)
	{
		permOid = IndexGetRelation(relOid, true);
		if (OidIsValid(permOid))
			LockRelationOid(permOid, AccessShareLock);
		else
			fail = true;
	}
	else
		permOid = relOid;

	rel = relation_open(relOid, AccessShareLock);
	if (fail ||
		(permOid != relOid && permOid != IndexGetRelation(relOid, false)))
		ereport(ERROR,
				(errcode(ERRCODE_UNDEFINED_TABLE),
				 errmsg("could not find parent table of index \"%s\"",
						RelationGetRelationName(rel))));

	aclresult = pg_class_aclcheck(permOid, GetUserId(), ACL_SELECT);
	if (aclresult != ACLCHECK_OK)
		aclcheck_error(aclresult, get_relkind_objtype(rel->rd_rel->relkind), get_rel_name(relOid));

	if (permOid != relOid)
		UnlockRelationOid(permOid, AccessShareLock);

stats_lock_check_privileges() does something similar, but it's not as
cautious about the "heapid != IndexGetRelation(indrelid, false)" race
condition.  Maybe RangeVarCallbackForReindexIndex() should be smarter about
this, too.  That being said, this is a fair amount of complexity to handle
something that is in theory extremely rare...

-- 
nathan