public inbox for [email protected]
help / color / mirror / Atom feedFrom: Nathan Bossart <[email protected]>
To: Jeff Davis <[email protected]>
Cc: Corey Huinker <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: Ayush Vatsa <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: David G. Johnston <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: Clarification on Role Access Rights to Table Indexes
Date: Tue, 14 Oct 2025 11:05:32 -0500
Message-ID: <aO50zOmoRFnB9_IX@nathan> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<aNQhuRQfD3PlpeuT@nathan>
<[email protected]>
<[email protected]>
<aOfXNAFkj_EFm-8q@nathan>
<aOgmi6avE6qMw_6t@nathan>
<aOkzoH-pXdBr0ewf@nathan>
<[email protected]>
<aO1TaPd0YesHy5Sn@nathan>
<[email protected]>
Thanks for reviewing.
On Mon, Oct 13, 2025 at 07:23:36PM -0700, Jeff Davis wrote:
> The unlikely scenarios are a bit confusing. I'd probably error for
> either case. Also, the error message on the second scenario is wrong if
> the previous lookup was a table, I think.
Yeah, I think that's a better idea.
> IIUC this is locking before the privilege check. Is there a reason why
> we think this is OK here (and in amcheck_lock_relation_and_check()) but
> not for the stats?
For amcheck, AFAICT there aren't actually any ACL checks within the code
because the function is restricted to superuser by default. For
pg_prewarm, I don't know. You do have to install the extension before
using it, but once installed, it's available to everyone by default. My
guess is that it just hasn't been a problem in the field.
Regardless, fixing the lock-before-privilege-checks behavior doesn't strike
me as a bug, so I think we ought to proceed with something like 0003 for
back-patching purposes and then to rework it further for v19. Does that
sound okay to you?
>> * 0004 is a small patch to teach dblink to use
>> RangeVarGetRelidExtended(). I believe this code predates that
>> function. I don't intend to back-patch this one.
>
> Looks good.
I'm going to go commit this one now to get it out of the way.
--
nathan
view thread (12+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Clarification on Role Access Rights to Table Indexes
In-Reply-To: <aO50zOmoRFnB9_IX@nathan>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox