Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rDWcf-002IWW-Jt for pgsql-hackers@arkaria.postgresql.org; Wed, 13 Dec 2023 21:18:29 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rDWce-00HNhN-4p for pgsql-hackers@arkaria.postgresql.org; Wed, 13 Dec 2023 21:18:28 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rDWcd-00HNgv-RR for pgsql-hackers@lists.postgresql.org; Wed, 13 Dec 2023 21:18:27 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rDWca-00Bqyk-Vb for pgsql-hackers@postgresql.org; Wed, 13 Dec 2023 21:18:26 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 3BDLIMLo2660033; Wed, 13 Dec 2023 16:18:22 -0500 From: Tom Lane To: "Imseih (AWS), Sami" cc: "pgsql-hackers@postgresql.org" Subject: Re: [BUG] autovacuum may skip tables when session_authorization/role is set on database In-reply-to: <4814073F-6387-4873-8B8E-4D6A7390DEC7@amazon.com> References: <4814073F-6387-4873-8B8E-4D6A7390DEC7@amazon.com> Comments: In-reply-to "Imseih (AWS), Sami" message dated "Wed, 13 Dec 2023 20:42:45 +0000" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <2660031.1702502302.1@sss.pgh.pa.us> Content-Transfer-Encoding: quoted-printable Date: Wed, 13 Dec 2023 16:18:22 -0500 Message-ID: <2660032.1702502302@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk "Imseih (AWS), Sami" writes: > A recent case in the field in which a database session_authorization is > altered to a non-superuser, non-owner of tables via alter database .. se= t session_authorization .. > caused autovacuum to skip tables. That seems like an extremely not-bright idea. What is the actual use case for such a setting? Doesn't it risk security problems? > Attached is a repro and a patch which sets the session user to the BOOTS= TRAP superuser > at the start of the autovac worker. I'm rather unimpressed by this proposal, first because there are probably ten other ways to break autovac with ill-considered settings, and second because if we do want to consider this a supported case, what about other background processes? They'd likely have issues as well. regards, tom lane