Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1v1Rt4-008nlq-NE for pgsql-hackers@arkaria.postgresql.org; Wed, 24 Sep 2025 15:58:34 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1v1Rt3-00EA2m-9y for pgsql-hackers@arkaria.postgresql.org; Wed, 24 Sep 2025 15:58:33 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1v1Rt2-00EA2e-Si for pgsql-hackers@lists.postgresql.org; Wed, 24 Sep 2025 15:58:33 +0000 Received: from mail-io1-xd2b.google.com ([2607:f8b0:4864:20::d2b]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1v1Rt0-002Ct2-0z for pgsql-hackers@postgresql.org; Wed, 24 Sep 2025 15:58:31 +0000 Received: by mail-io1-xd2b.google.com with SMTP id ca18e2360f4ac-89366d35b81so2699239f.0 for ; Wed, 24 Sep 2025 08:58:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1758729508; x=1759334308; darn=postgresql.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=Gesm/ZSPXbJ3ThvWXy2anTp4PX9dVhotjpXz8X24zDM=; b=X8PW82U2q3c2k23e7vwbq/oRLq/aaUd0OZUGUV+wn019qLyXzbB0qkvKrTXDFCKNvg bv9xRTSqX0VdoAdKu1TBmHy9VLHoJhvyl1Y9S34vXnnXn3ZJ3Es5GdPIukT2edyb76v7 vS4n4cRGbIVa6VONK5wfNSxohxCQp6RW92S2C/dw/a/VJSSA2RZLtrxrOCevDhw3VeCG bYCmDtIo2buLvs6X17ayJuBxNSXlXEwCBLvrUTjd5FHT0NhM0Zz0HweupPeQTiZ+9yXZ FBep5TAbrNcb5dl+aH8xja0EQi4cfZlbd/ilIGYYNDJmtqFNnE0CnQjNdwALMRBDzvTy /1oQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758729508; x=1759334308; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Gesm/ZSPXbJ3ThvWXy2anTp4PX9dVhotjpXz8X24zDM=; b=Nj9jHjCEpiAalawt8QA1YBAgmoFoqERF/QwP9FK1JcXIZzoHHCBqKDW5DmtpdqgURh kYraUy0HHlyueS8odrwE6KtmJRb0lIHgqpvT3NO378mPIT/4xFMN6z8KsKOxIi5/F5TI jJkH5nqujSsvDi42BsfMLlHLws3dkDxh/P71/cl+gn75D1xVC6O7ann0SzK17/yrgBTr CFPbHv/SArNB1/d8c4/C3Sv9tRNjFfDBSY5UolR3WtTpSpBRv1QVDAitcQsz+OSNUuCj fqZisx0jb0FxXFMmvCfYtmfBJW+2HIRctKB418DGuaxv5IHd/H8HFCLRdPl9cdX7nN8F OoEA== X-Forwarded-Encrypted: i=1; AJvYcCWz219XRW24rPLR4ZaIq5W4Uz7xzKWHjvJGL27j38+9acBH7iOqp+hlCowVVGFHZ2YZMgoX5XKjzuN/zcTw@postgresql.org X-Gm-Message-State: AOJu0Yxxv3/jRQn1w8sJJe6h0BnDARsboywzexVQf4xlr4Y8pnEQnIIj 7rkrlHsYCQfJVEZeOJ1035Ryal09UJjzAnABf3Et0nveQdti6hNVxaZn X-Gm-Gg: ASbGnctwwwh29urrvHg4OhGLXCZnz8519EYPvoQbCQ3P/OINwhFTSi5d7eLjiRzMp8y cIlBdMrQphhOPPTgxpIyZ19c4cQI53An1YLIWA2b6itOGEFwfWXaK3TiRxFE6XHp+fLrHlI+oP9 7XpFcrthudJFA/cOTmuMRrSG4ZMPJpSuufqkuWPfnGH0mxdi+1r7vF+cm5aLCN2ZhiroaKfmPaP UXKulpTgDOyZbX1XRWkb/jLDsPpRnY/x41J0QhhRU6AR/CL+YnSZymj7JU/V/zlYXiMLvZvaTR7 IMjC2Asy8mn4q8dlSKDwBvnbjCv7KBBCH0NxMarzPp2nST0m1VEn0ub0YbDhLVL6gP4CY/+j+sn RxQi2aNq8cyepdd5iqxIJiZINka10uy8ApEG/XpObSRS/a8u90eXiRxvWQU32GnhpdUsc9MLaZA nSbr/6u78lOoIK X-Google-Smtp-Source: AGHT+IFpegZGS8/kUKTqhHBrEJ4Ja6jiymAwEwzi3KBNdzpPYKbXtqFfFTSm254O50hIa8n9CeITAg== X-Received: by 2002:a05:6e02:4707:b0:425:6f60:5689 with SMTP id e9e14a558f8ab-42595637dd5mr1202145ab.23.1758729508406; Wed, 24 Sep 2025 08:58:28 -0700 (PDT) Received: from nathan (162-195-168-172.lightspeed.stlsmo.sbcglobal.net. [162.195.168.172]) by smtp.gmail.com with ESMTPSA id e9e14a558f8ab-425954d7229sm409975ab.8.2025.09.24.08.58.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Sep 2025 08:58:27 -0700 (PDT) Date: Wed, 24 Sep 2025 10:58:25 -0500 From: Nathan Bossart To: Tom Lane Cc: Ayush Vatsa , Robert Haas , "David G. Johnston" , PostgreSQL Hackers Subject: Re: Clarification on Role Access Rights to Table Indexes Message-ID: References: <149429.1741472260@sss.pgh.pa.us> <279947.1741535285@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="31qWFSWVZhdEZdR9" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --31qWFSWVZhdEZdR9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Mar 10, 2025 at 10:15:19AM -0500, Nathan Bossart wrote: > On Sun, Mar 09, 2025 at 11:48:05AM -0400, Tom Lane wrote: >> Nathan Bossart writes: >>> On Sat, Mar 08, 2025 at 05:17:40PM -0500, Tom Lane wrote: >>>> ReindexIndex() faces this same problem and solves it with some >>>> very complex code that manages to get the table's lock first. >> >>> I noticed that amcheck's bt_index_check_internal() handles this problem, >>> ... >>> stats_lock_check_privileges() does something similar, but it's not as >>> cautious about the "heapid != IndexGetRelation(indrelid, false)" race >>> condition. >> >> Egad, we've already got three inconsistent implementations of this >> functionality? I think the first step must be to unify them into >> a common implementation, if at all possible. > > Agreed. I worry that trying to unify each bespoke implementation into a > single function might result in an unwieldy mess, but I'll give it a > shot... I tried to unify these, but each one seems to be just different enough to make it not worth the trouble. Instead, I took a look at each implementation: * amcheck's amcheck_lock_relation_and_check() seems correct to me. * stats_lock_check_privileges() appears to be missing the second IndexGetRelation() check after locking the table and index, so I added that in 0001. Since this code is new to v18, I proposed to back-patch 0001 there. * RangeVarCallbackForReindexIndex() was checking privileges on the table before locking it, so I reversed it in 0002. Interestingly, this caused test errors because LockRelationOid() checks for invalidation messages, so the pg_class_aclcheck() call started failing with unhelpful errors due to concurrently dropped relations. To deal with that, I switched to pg_class_aclcheck_ext() so that we can handle missing relations. Furthermore, I noticed that this callback seems to assume that as long as the index does not change between calls, its table won't, either. That's probably always true in practice, but even if it's completely true, I see no reason to rely on it. So, I simplified the code to unconditionally unlock any previously-locked table and to lock whatever IndexGetRelation() returns. This could probably be back-patched, but in the absence of any reports or any reproducible bugs, I don't think we should. * 0003 fixes pg_prewarm's privilege checks by following a similar pattern. This probably ought to get back-patched to all supported versions. -- nathan --31qWFSWVZhdEZdR9 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=v3-0001-fix-priv-checks-in-stats-code.patch