Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1v8UjH-001bLL-T2 for pgsql-hackers@arkaria.postgresql.org; Tue, 14 Oct 2025 02:25:36 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1v8UjF-009kFM-Hp for pgsql-hackers@arkaria.postgresql.org; Tue, 14 Oct 2025 02:25:34 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1v8UjF-009kFE-3u for pgsql-hackers@lists.postgresql.org; Tue, 14 Oct 2025 02:25:34 +0000 Received: from mail-pf1-x42e.google.com ([2607:f8b0:4864:20::42e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1v8UhP-001dFo-1G for pgsql-hackers@postgresql.org; Tue, 14 Oct 2025 02:25:32 +0000 Received: by mail-pf1-x42e.google.com with SMTP id d2e1a72fcca58-77f605f22easo4145511b3a.2 for ; Mon, 13 Oct 2025 19:23:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20230601.gappssmtp.com; s=20230601; t=1760408618; x=1761013418; darn=postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=/Tq/QReIOgk8Yt0AONDq7/parPoj4o/GnnaI7vxqX28=; b=FI/HwPNEHoRJlz/JJMgxccwVGxEUxOAXeDULMKuVPIfAQClvF/+9jv1bDkHPIxtKra +haa9bASH3cyPQPYRYVWmo9u82UyUB9q+GZK/b25aF6h+DzVRwKRwRomeo8n2r7PHH9g 80LhW0EixU/SDlaaUq2tGiDftjw2t6LWSYFGgS0u8xR2ra952SRWeqZCiYRxt8kBNr7k ePIN5O38Q74kFPoWYxCvOH/+x7xLM1nnHQGTQo9GN3Fm72kXZV5UHd9IFrKNH4GlRwJj tRBKjRKetPLBH7NvICo3wLXZc+m8/80d3G9HIZpps5cNOr/xsOfwYg/FhG5yW0oxoQLq d/gw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760408618; x=1761013418; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=/Tq/QReIOgk8Yt0AONDq7/parPoj4o/GnnaI7vxqX28=; b=ZqRBWSzxOzNJEJexrwQSpHaVWAcHsT+xBVZDuizrCSf9U5mKWr3OQVbiMDtF6IqGyk F7hNw+b5FAX11t197pSkpgg+AroCaV6Eq+Ni2U9A2hr5ZmMRyGpbJTS3N4WkVHi3Ur4Z 6gI7j8lm/Kvh/8vdKdb++PJgvpMPMG+CY0W2JeB9JORofkthE21l5qEi1cVbFG/scVAY 4ki+AntdGOxcokObuQpDkWGc7jZWEAat144SfQ65ihWUP8D/4N/AbVocjQzboWVAaZW0 GDabJXH6ccs9UBKUkGWtHAjsc8H48+sc+jW9JJTA6Eqcy/+VBDFVojw3LFOw5uIMIHWs lv2w== X-Forwarded-Encrypted: i=1; AJvYcCVz7lzpkPGoBRkZRD+IpvnPw7zfw1Fqexd+JUGiJYGNQR4K5WEVFBySfMoAt85ABsm9l8wPXmDM5x+wXh5m@postgresql.org X-Gm-Message-State: AOJu0YzzfLpb5y8mUS4fv8nFJhHgE90IROMkrkMsIP3T5+y1e+ZXeUUT MA5QozHmCDDeV8OnOlvbc68trll3ONDV/Po4ylMbyRqiASMmiQ++HuNQbwrmzZR+og== X-Gm-Gg: ASbGncvlO0TIkrZR3bStrMTOSKD07OOpjlT/66Qo+zE4L8XskvX+ZgY2K3wtcxpDpF1 bNvtLa7ZAqiUZtj0c3aS2dU+MqAJehdN0o6a4H9RNHSsol0IOQUjQl6XTPOgaiXcjxYLt8On36e cvbfLngpa8VUv1wAEbWCAbL93mnxBw8tGuiwKc6yAmSkP9Ks0Aw36U4ykVrXpiDiYAFLS3rKBiG p2n3m3CrgYgTDsXUbxF6dlvEum2DaWgY4QYAoidZ2E8QoilJut8Z60dhxKrzUIhQU3rFa+lFkmf 3yMH2P9Ud729WpQQU4qkSSHx/xl83+nY4UeufGzrb70Rdni7D9AcJvWbwxk92kRar3pOZU2vJwq Q9TNn2PYcEO35dwQqr9UwEXnbwEjU9BquMxqTFWBIGjo/HwobWwn01VlgkmLDVHA7d2R4feVFyO FcA1IUKtTp X-Google-Smtp-Source: AGHT+IExDn5wqVqHp6lFliV9fzmX2HXeWwwxj3n68/m8EQr3V5CR8f1a34g3cwzO56FimH3xNHb3qg== X-Received: by 2002:a17:902:ce11:b0:27a:6c30:49c with SMTP id d9443c01a7336-2902739a207mr318676995ad.27.1760408618111; Mon, 13 Oct 2025 19:23:38 -0700 (PDT) Received: from jeff-ws-bridge.lan (c-24-7-19-3.hsd1.ca.comcast.net. [24.7.19.3]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034de6c07sm147747965ad.1.2025.10.13.19.23.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Oct 2025 19:23:37 -0700 (PDT) Message-ID: Subject: Re: Clarification on Role Access Rights to Table Indexes From: Jeff Davis To: Nathan Bossart , Corey Huinker Cc: Tom Lane , Ayush Vatsa , Robert Haas , "David G. Johnston" , PostgreSQL Hackers Date: Mon, 13 Oct 2025 19:23:36 -0700 In-Reply-To: References: <3432170.1758730414@sss.pgh.pa.us> <8af53c6e8992aa706e63aafe60a3bcf100b524d1.camel@j-davis.com> <7b0e2774cdcc8f522ac82f64a8d7266f353a5094.camel@j-davis.com> <31a67adbb10b85ff7cddeafe75b9f6505c902e57.camel@j-davis.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.52.3-0ubuntu1 MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, 2025-10-13 at 14:30 -0500, Nathan Bossart wrote: > * 0001 moves the code for stats clearing/setting to use > RangeVarGetRelidExtended().=C2=A0 The existing code looks up the relation= , > locks > it, and then checks permissions.=C2=A0 There's no guarantee that the > relation > you looked up didn't concurrently change before locking, and locking > before > privilege checks is troublesome from a DOS perspective.=C2=A0 One downsid= e > of > using RangeVarGetRelidExtended() is that we can't use AccessShareLock > for > regular indexes, but I'm not sure that's really a problem since we're > already using ShareUpdateExclusiveLock for everything else.=C2=A0 The > RangeVarGetRelidExtended() callback is similar to the one modified by > 0002. > This should be back-patched to v18. We tried to match the locking behavior for analyze. Originally, that's because we were using in-place updates, which required those specific kinds of locks. Now that the in-place code is gone, then I think it's OK to use ShareUpdateExclusiveLock for indexes, too, but it is a notable difference in behavior. Including Corey in case he has comments. As for the patch itself, it looks good to me. Stylistically I might have kept the "index_oid" variable, which makes some of the tests a bit clearer, but I don't have a strong opinion. The unlikely scenarios are a bit confusing. I'd probably error for either case. Also, the error message on the second scenario is wrong if the previous lookup was a table, I think. > * 0002 fixes the RangeVarGetRelidExtended() callback for REINDEX > INDEX to > handle unlikely scenarios involving OID reuse (e.g., lookup returns > the > same index OID for a different table).=C2=A0 I did confirm there was a bu= g > here > by concurrently re-creating an index with the same OID for a heap > with a > different OID (via the pg_upgrade support functions).=C2=A0 In previous > versions > of this patch, I tried to fix this by unconditionally unlocking the > heap at > the beginning of the callback, but upon further inspection, I noticed > that > creates deadlock hazards because we might've already locked the > index.=C2=A0 (We > need to lock the heap first.)=C2=A0 In v6, I've just added an ERROR for > these > extremely unlikely scenarios.=C2=A0 I've also replaced all early returns > in this > function with ERRORs (except for the invalid relId case). +1 for throwing errors when we have race conditions combined with name reuse. Looks fine to me. >=20 > * 0003 fixes the privilege checks in pg_prewarm by using a similar > approach > to amcheck_lock_relation_and_check().=C2=A0 This seems correct to me, but > it > does add more locking.=C2=A0 This should be back-patched to v13. IIUC this is locking before the privilege check. Is there a reason why we think this is OK here (and in amcheck_lock_relation_and_check()) but not for the stats? > * 0004 is a small patch to teach dblink to use > RangeVarGetRelidExtended(). > I believe this code predates that function.=C2=A0 I don't intend to back- > patch > this one. Looks good. Regards, Jeff Davis