Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p5VeZ-0004b8-IG for pgsql-hackers@arkaria.postgresql.org; Wed, 14 Dec 2022 17:34:47 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1p5VeX-00059Q-KF for pgsql-hackers@arkaria.postgresql.org; Wed, 14 Dec 2022 17:34:45 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p5VeX-00059D-8r for pgsql-hackers@lists.postgresql.org; Wed, 14 Dec 2022 17:34:45 +0000 Received: from mail-pl1-x636.google.com ([2607:f8b0:4864:20::636]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1p5VeQ-0007Eo-Kc for pgsql-hackers@postgresql.org; Wed, 14 Dec 2022 17:34:44 +0000 Received: by mail-pl1-x636.google.com with SMTP id t2so4089286ply.2 for ; Wed, 14 Dec 2022 09:34:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=vLW5JNIrbmc94Zhp8Y3fANqkiY6xOQwex1WkzQOQoSk=; b=ZsBGRN8hpTzjTwBtiG4xeRNuMh7y4t0AehZ2P7oQLgQ7lx7utnmgzBLrUov9thLauM DQystk91X9aNb1i1Ig4hcqQVVLZ64eTYe1zrF5XYix7zLVvT+nLst9tx3VuUy6XQRe1D JQhdydu4BSFPie4WIhbSSnJxhtwK2S6KEFcuJzvFZ8+o/E27gO314vxoUnheO/0LgjtO DKM9XcDQPEshuBqnEfQ/WOUhmtl7jGtpUdHFkdrXCK1XMdN4aNjqvRi40+GNBVerc4m9 8hmDWU7vfWq91EWDD+QuausW5ADdrWCcxcDcU05/HeXd7p/5NTR7/YCi0b1RHFneCVnr oJAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=vLW5JNIrbmc94Zhp8Y3fANqkiY6xOQwex1WkzQOQoSk=; b=1NrAsENos7RW2v7cJNTouQb/aE0ERpLXVGck8rPLkLvJJVR9GLXEvT6dfceeHhmL2U HpI+DOfBlvh44J7a+tZZuuv7nuZbqeLJvqdPHhpQYA9038vgn63saU7HR3lBdJe5zgWi +5DMMsWOAVgmYBYxhnT2RhtaWxFRJKnPGS5knu3gbesHYLQClwGGgBjnndcPuvsFNYXl V78r0iPUbASarhPNVhq6Dw/M81B8+uOohRcmKZnRKKkL+RHgxnjDyNuTQMQYj2Oe+LTR mLwyVvqpx6je5S6CJpSTn80kL0mYxvl5sG9iY6BA3rHfYAz3O2iinZW9nGK4iMOvupgt ffMQ== X-Gm-Message-State: ANoB5pnaYosz7ifBpfgm57Qqb5PMUfmt1nvS3fD2ksdoLzdygCEiiAKg 8OwG8jzaR2lZZpzPiF6DQgo= X-Google-Smtp-Source: AA0mqf7+sJzWHNjgUxXYn0I9ut0xH7FKTR2P3qguEGgOqo16TZ0JujIcwc3Iy2pmxS33xgIznsHYFg== X-Received: by 2002:a05:6a20:8c01:b0:ad:5cee:4d0 with SMTP id j1-20020a056a208c0100b000ad5cee04d0mr19019575pzh.12.1671039277687; Wed, 14 Dec 2022 09:34:37 -0800 (PST) Received: from nathanxps13 ([50.47.162.83]) by smtp.gmail.com with ESMTPSA id q18-20020a17090ad39200b002191e769546sm1685034pju.4.2022.12.14.09.34.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Dec 2022 09:34:36 -0800 (PST) Date: Wed, 14 Dec 2022 09:34:35 -0800 From: Nathan Bossart To: Robert Haas Cc: Andrew Dunstan , Justin Pryzby , pgsql-hackers@postgresql.org Subject: Re: fix and document CLUSTER privileges Message-ID: <20221214173435.GA690225@nathanxps13> References: <20221207223924.GA4182184@nathanxps13> <20221208022559.GA27893@telsasoft.com> <20221208041313.GA216874@nathanxps13> <20221208181324.GA4385@nathanxps13> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="IS0zKkzwUGydFO0o" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --IS0zKkzwUGydFO0o Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Dec 08, 2022 at 04:08:40PM -0500, Robert Haas wrote: > On Thu, Dec 8, 2022 at 1:13 PM Nathan Bossart wrote: >> Currently, CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX (minus REINDEX >> SCHEMA|DATABASE|SYSTEM) require ownership of the relation or superuser. In >> fact, all three use the same RangeVarCallbackOwnsTable() callback function. >> My current thinking is that this is good enough. I don't sense any strong >> demand for allowing database owners to run these commands on all non-shared >> relations, and there's ongoing work to break out the privileges to GRANT >> and predefined roles. > > +1. > > I don't see why being the database owner should give you the right to > run a random subset of commands on any table in the database. Tables > have their own system for access privileges; we should use that, or > extend it as required. Here is a rebased version of the patch. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com --IS0zKkzwUGydFO0o Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="fix_cluster_privs_v2.patch" diff --git a/doc/src/sgml/ref/cluster.sgml b/doc/src/sgml/ref/cluster.sgml index 145101e6a5..d6b2651657 100644 --- a/doc/src/sgml/ref/cluster.sgml +++ b/doc/src/sgml/ref/cluster.sgml @@ -67,7 +67,8 @@ CLUSTER [VERBOSE] - CLUSTER without any parameter reclusters all the + CLUSTER without a + table_name reclusters all the previously-clustered tables in the current database that the calling user owns or has the MAINTAIN privilege for, or all such tables if called by a superuser or a role with privileges of the @@ -134,6 +135,16 @@ CLUSTER [VERBOSE] Notes + + To cluster a table, one must have the MAINTAIN privilege + on the table or be the table's owner, a superuser, or a role with + privileges of the + pg_maintain + role. Database-wide clusters and clusters on partitioned tables will + silently skip over any tables that the calling user does not have + permission to cluster. + + In cases where you are accessing single rows randomly within a table, the actual order of the data in the diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c index 8966b75bd1..8140a90699 100644 --- a/src/backend/commands/cluster.c +++ b/src/backend/commands/cluster.c @@ -1697,9 +1697,7 @@ get_tables_to_cluster_partitioned(MemoryContext cluster_context, Oid indexOid) /* Silently skip partitions which the user has no access to. */ if (!object_ownercheck(RelationRelationId, relid, GetUserId()) && - pg_class_aclcheck(relid, GetUserId(), ACL_MAINTAIN) != ACLCHECK_OK && - (!object_ownercheck(DatabaseRelationId, MyDatabaseId, GetUserId()) || - IsSharedRelation(relid))) + pg_class_aclcheck(relid, GetUserId(), ACL_MAINTAIN) != ACLCHECK_OK) continue; /* Use a permanent memory context for the result list */ --IS0zKkzwUGydFO0o--