Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1wM3ex-002CVU-15
	for pgsql-hackers@arkaria.postgresql.org;
	Sun, 10 May 2026 12:53:27 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1wM3eu-00Eurc-27
	for pgsql-hackers@arkaria.postgresql.org;
	Sun, 10 May 2026 12:53:24 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <andrew@dunslane.net>)
	id 1wM3et-00EurU-3B
	for pgsql-hackers@lists.postgresql.org;
	Sun, 10 May 2026 12:53:24 +0000
Received: from mail-qk1-x72f.google.com ([2607:f8b0:4864:20::72f])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <andrew@dunslane.net>)
	id 1wM3ep-000000017vE-4B57
	for pgsql-hackers@lists.postgresql.org;
	Sun, 10 May 2026 12:53:22 +0000
Received: by mail-qk1-x72f.google.com with SMTP id
 af79cd13be357-900fa9f178dso382867885a.1
        for <pgsql-hackers@lists.postgresql.org>;
 Sun, 10 May 2026 05:53:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=dunslane-net.20251104.gappssmtp.com; s=20251104; t=1778417599;
 x=1779022399; darn=lists.postgresql.org;
        h=content-transfer-encoding:in-reply-to:autocrypt:content-language
         :from:references:cc:to:subject:user-agent:mime-version:date
         :message-id:from:to:cc:subject:date:message-id:reply-to;
        bh=+vYqlGFDJslkIbL+CpFG89NDLl1Xvgw3HkPzdgC+NMc=;
        b=JLc9mfJwwN5xzO9AbUcm/I8Ewr9pgNicmQlC6NxT6rwzfUXpdHH/eJS6E1moSxYDAf
         TPqXaiPO/fihrK7s6cUztH/DWkz6a0obthOy7iatzntOI9CUM45AffCLzJH7Yt2/lbGX
         tzTI4T2MES1ZQkkGGQpd0v6txzjwYBbYT2+3MEk5htc2OVtdGKjBtQa4Lg1XA+DAneKN
         IHvLt7avhrGJtCeIVj91uMN20XqzBxmgaK+YMuNz+LyMJZlcXu42YSihANhiyc8syBfR
         0/4Ey1+BsN4NZUZdU91gKnjABMvQI88QjWUGagrpNZB97doXnrNyN9K8DpiyTaIALIrf
         Qikw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778417599; x=1779022399;
        h=content-transfer-encoding:in-reply-to:autocrypt:content-language
         :from:references:cc:to:subject:user-agent:mime-version:date
         :message-id:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=+vYqlGFDJslkIbL+CpFG89NDLl1Xvgw3HkPzdgC+NMc=;
        b=MC6Qk8lm3Vbjnbx5/UiwNEogZuGkqJAarKqyZyrODG+LFjuTkI2wZyMJWCA/VbZVkW
         3cfLyaFPgxfR6rFsp4BsJPYJMY32EZR31V4D00AfD47zGrtCR8KEX68YU0kMWoGfwLBx
         aF60dJABZbNyeDTgYxDzgDfHItCRvdFLAZGv++NUdvohUbr0EMdxQTOXKGXjLYR10l6Q
         HphbSAxkx2v2ed1rmYliOfjW/typ2974QFAPoLMuCKVzH2RHZyt2BiQHgqWNdzQddhat
         DGTu03VdhvzempvAN8i92xifIzvbWdB3HLr1YMHY+uDi39dz8jIKLXfri5CPbNxXFkuk
         JMrQ==
X-Gm-Message-State: AOJu0YxyBa3oPN3BvnIX23Prq70zysV8xwBgxOv5SuWxBdIg6m6clERP
	dKWjJeY16tdzNmmIBE4NWP5qQ9valK+OUfRPhYm9K4Mwa7dAPbRZj0DHameg2S0GG0Q=
X-Gm-Gg: Acq92OGAuH1AL3Zakym2twJfnM8jebYND6zeB3zMoT3i0gwZa14bGsvJ2IZAdPF4Gpr
	HVlQxdyEkapTd6WhYjr4UmPi2CP/LY+j/0OSr9tkrc7dgVGYo5636z9b4lyiDGjouJs3KLBPfWP
	ZGyvdkkSmGBGq7S6nV01G/KDWW1xf8gERSm04QYsZRxtO0LCK/N5N8DNuOfqokt4ofjm0+CTQBM
	BVornZ1SJ9UXC037JShlm8z5Mg0pIngl8vL2BzyDjtcOrGf8JVJICjXGmYtzpQ6cskL0yz1jBSW
	nwHdosZgJG8QeEEgQfDnmYLBDWMIo5HRpPm+HMWjIArxwTUNdNz7ywnr+QQDsEJae7vWz6Dnqv9
	cCP+dLgZdjH3Hu1V0L/63I0lrCiib6EZbqxQlHhYt1zOS/cUchrnKWpGPJoCrpFHzbnvO5f3CEJ
	ImslE5xB6b1eDu+SXdwh0vnQQZ0Oh2yQ==
X-Received: by 2002:a05:620a:4707:b0:8cd:9599:b7c7 with SMTP id
 af79cd13be357-9090ecbdf77mr857811985a.23.1778417598889;
        Sun, 10 May 2026 05:53:18 -0700 (PDT)
Received: from ?IPV6:2605:a601:a6b0:500::1cb? ([2605:a601:a6b0:500::1cb])
        by smtp.googlemail.com with ESMTPSA id
 af79cd13be357-907b87c02fbsm816297085a.25.2026.05.10.05.53.18
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 10 May 2026 05:53:18 -0700 (PDT)
Message-ID: <06371cc5-1117-459f-88d6-a96ffbc6ac40@dunslane.net>
Date: Sun, 10 May 2026 08:53:17 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Fix wrong error message from pg_get_tablespace_ddl()
To: Jim Jones <jim.jones@uni-muenster.de>, Chao Li <li.evan.chao@gmail.com>,
 =?UTF-8?Q?=C3=81lvaro_Herrera?= <alvherre@kurilemu.de>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
References: <af4YmulGI3pq2Rm0@alvherre.pgsql>
 <4B28CBF6-7470-456A-A635-62FE28067AEE@gmail.com>
 <560b391a-2b3a-4009-a90b-b5e5863aa89d@uni-muenster.de>
From: Andrew Dunstan <andrew@dunslane.net>
Content-Language: en-US
Autocrypt: addr=andrew@dunslane.net; keydata=
 xsBNBE7KWFkBCAClridxur2AIc7eW2AR7izbfp3EnNefie2HbLF0izW5Ik5UjX2HBXBx4syI
 gY6b0ugohXrr274+baoAlvSbq6cAoQuEVrk5IZFzt20b1Xkx65FwGSEj526yiKLocqkJceSq
 Xr9xcA5SGY+FZv441chh5SU92v4q6z+6LPpoHOh97ptAVXZYNTtU0LevyvD5lja0TzbvJm6C
 eFXitJfnm1pLEr0DGJCR/iUOl/N62Kh4855zZC7NHIjQHPOvV5Stz/l5ilDhvGVk+xkXFPys
 SjZoUr1rXhYLpiyi5sR0X9FHXT0KnGuz1F5ERO7ZTLSSQ6fJwPj6gOk9K+vvoKvoeql5ABEB
 AAHNJEFuZHJldyBEdW5zdGFuIDxhbmRyZXdAZHVuc2xhbmUubmV0PsLAlwQTAQgAQQIbAwIX
 gAIZAQULCQgHAwUVCgkICwUWAgMBAAIeBRYhBOQ+WEYd/Hy/RGkVpZn6f8tZ/DuBBQJoGNGd
 BQkdEO8nAAoJEJn6f8tZ/DuBq74H/jkTR4Zi3stbw+xC7v2u3QozssK7MYPL2AsVfh7OealS
 h182fiWXpfvmmAB7WUHbhk9GC2RAOnHI/2d2jgKaMLAHsGYOT0YopTVIwRY43fCw/mK67yxc
 wmDcX+zyKfLaivNbf5A7QPLNwda98bEAMSJ8Sn652Uc6cA8t3uKGsVzbRBQOoYzjgvBCfSrE
 9ql3PDNg0l4BfAqabd2f70ZUm9VAMEPrgv/v2xI7M2XiL4g5BVmqLCOwxLM8RMCotCuoweUr
 VO43DeBCIDwLxotMJKvGWDjBzQYlU1NPUAtNcz/gN9ITUe1VUGjyvGj4u1lxBOcQQUw7l1+T
 5moZ4iZxXzvOwE0ETspYWQEIANGc4zQULOxhbqO2dyD51YhqCNRmm9oKWaqf+wmW4tpDe/VV
 cxAnNizd4LWCHfzpb5cHAtGkOPePMfzWVf6nvdF7d3eglbtf59+zG7O7llV0xSSoFiieQBsr
 GvqDInXYX/4mRRXMtyhM353/tixC9RWLs1oofyYmCPPXXY7h9R7en3B8BoVrRFcdzlIY/NFN
 hFGW/9dkEiGjgna2Rk6e15kln4ZvFBWUg23p93w/pqXcxY6+k/8TEk+C4R+M6w7o2PLGOjdZ
 +kPiUcw5H85zf/yZJwQXzisXaNduwWB6Vads9YC9dj6kPR1c4VGRqAaYL++LAEOqrlvm2Tvq
 QqZRtnEAEQEAAcLAfAQYAQgAJgIbDBYhBOQ+WEYd/Hy/RGkVpZn6f8tZ/DuBBQJoGNI2BQkd
 EODdAAoJEJn6f8tZ/DuBfw0IAKTsfD40teP/pp+bsLLMSxPXUYrrprTj7WFB5v61p6dkpSr/
 qXmMlyahdxQFaPmfVgVirB1Vk/kHiWNnnGjfUV9nB2Zg9LI0Xb9/ts3LsUiRWXzG3tkMY6XL
 vsVOxW4XFRND9l2q+WW93aZ1DZl+fqWfYgMvsusFRhmGFOKTRfKPta2Pkv+AhA24N4+PrR5p
 bU4k2MO8PAGiK8eaYKGFG1bHKuAvoDoF7WXJ3FHxuWqLnKEt4dfOLm5pAe3zq1Lt6q8azT9i
 QWGpSAK5vQUWQHBHpiDjdPeqKZ6HiAXIIKfSmb+jrvXBqoP+D6/K7rUjG2aXiRtTIAXms9sm
 VRu7cmw=
In-Reply-To: <560b391a-2b3a-4009-a90b-b5e5863aa89d@uni-muenster.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/06371cc5-1117-459f-88d6-a96ffbc6ac40%40dunslane.net>
Precedence: bulk


On 2026-05-10 Su 7:10 AM, Jim Jones wrote:
> Hi Chao
>
> On 09/05/2026 04:01, Chao Li wrote:
>> Álvaro seems to bring the question to a deeper level, and I feel that 
>> might be worth a dedicated discussion. For example, I am not sure 
>> ACL_CREATE on the tablespace is enough to imply visibility of the 
>> tablespace DDL. My understanding is that CREATE on a tablespace 
>> allows the user to create objects within that tablespace, but it does 
>> not necessarily mean the user is allowed to inspect the definition of 
>> the tablespace itself.
>
>
> Yeah, this is a good point. I don't have a strong opinion about it, 
> but I'd be inclined to simply deny access to the DDL if the user does 
> not have enough privileges -- at least I wouldn't mind seeing an error 
> message in my logs :)
>
>
>> How about keeping the scope of this patch narrow, as only adding a 
>> hint to guide users on how to fix the error if they really need to 
>> view the DDL of the tablespace? I will start a separate thread for 
>> the discussion of the access-checking model.
>>
>> The attached v2 keeps the original error message and adds a hint. I 
>> took Jim’s comment about avoiding hardcoding "pg_tablespace”. And I 
>> also added a hint in pg_get_role_ddl_internal. With v2, the messages 
>> are like:
>> ```
>> evantest=> select * from pg_get_tablespace_ddl('ts1');
>> ERROR:  permission denied for tablespace "ts1"
>> HINT:  Grant SELECT on catalog "pg_tablespace" to read tablespace 
>> properties.
>
>
> I'm not sure that telling unprivileged users to grant themselves 
> access to pg_tablespace is an improvement -- IMO, a HINT here is 
> supposed to be actionable. Perhaps a DETAIL would be a better fit, 
> e.g. "DETAIL:  The function requires SELECT privilege on catalog 
> "pg_tablespace"."
>
> On top of that, I'm also not sure that replacing the aclcheck_error 
> with an ereport just for the hint/detail is an option, since 
> aclcheck_error is supposed to provide "Standardized reporting of 
> aclcheck permissions failures." (from the aclcheck_error header comment)
>
>

I keep coming back to this point: if the user can access pg_tablespace 
they can see the information anyway. This is an informational function, 
and there is no implied guarantee that the user is going to be able to 
run the supplied DDL. I don't think there's anything to do here.


cheers


andrew


--
Andrew Dunstan
EDB: https://www.enterprisedb.com