Skip site navigation (1) Skip section navigation (2)

Re: ALTER .. OWNER TO error mislabels schema as other object type

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: ALTER .. OWNER TO error mislabels schema as other object type
Date: 2013-01-02 15:35:31
Message-ID: CADyhKSXOsX_L0nBNGNk=Jv+zFs4bUv7xoaeMG3ND9rA9Jt6dGw@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
Sorry, I oversight this report.

The reason of this confusing error message is originated by incorrect
aclkind being delivered to aclcheck_error() at AlterObjectOwner_internal().

            /* New owner must have CREATE privilege on namespace */
            if (OidIsValid(namespaceId))
            {
                AclResult   aclresult;

                aclresult = pg_namespace_aclcheck(namespaceId, new_ownerId,
                                                  ACL_CREATE);
                if (aclresult != ACLCHECK_OK)
                    aclcheck_error(aclresult, aclkind,
                                   get_namespace_name(namespaceId));
            }

The supplied aclkind represents the property of the object being re-owned,
not a namespace that owns the target object. So, right approach is to
give ACL_KIND_NAMESPACE being hardwired in this case, as
AlterObjectNamespace_internal() doing.

The attached patch fixes this trouble.

postgres=# create role clerks;
CREATE ROLE
postgres=# create role bob in role clerks;
CREATE ROLE
postgres=# create schema foo;
CREATE SCHEMA
postgres=# grant usage on schema foo to bob, clerks;
GRANT
postgres=# create aggregate
postgres-# foo.sum(basetype=text,sfunc=textcat,stype=text,initcond='');
CREATE AGGREGATE
postgres=# alter aggregate foo.sum(text) owner to bob;
ALTER AGGREGATE
postgres=# set role bob;
SET
postgres=> alter aggregate foo.sum(text) owner to clerks;
ERROR:  permission denied for schema foo

Thanks,

2012/12/20 Robert Haas <robertmhaas(at)gmail(dot)com>:
> This looks busted:
>
> rhaas=# create role clerks;
> CREATE ROLE
> rhaas=# create role bob in role clerks;
> CREATE ROLE
> rhaas=# create schema foo;
> CREATE SCHEMA
> rhaas=# grant usage on schema foo to bob, clerks;
> GRANT
> rhaas=# create aggregate
> foo.sum(basetype=text,sfunc=textcat,stype=text,initcond='');
> CREATE AGGREGATE
> rhaas=# alter aggregate foo.sum(text) owner to bob;
> ALTER AGGREGATE
> rhaas=# set role bob;
> SET
> rhaas=> alter aggregate foo.sum(text) owner to clerks;
> ERROR:  permission denied for function foo
>
> Eh?  There's no function called foo.  There's a schema called foo,
> which seems to be the real problem: clerks needs to have CREATE on foo
> in order for bob to complete the rename.  But somehow the error
> message is confused about what type of object it's dealing with.
>
> [ Credit: The above example is adapted from an EDB-internal regression
> test, the failure of which was what alerted me to this problem. ]
>
> --
> Robert Haas
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers



-- 
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

Attachment: pgsql-fix-incorrect-aclkind-on-alter-owner.patch
Description: application/octet-stream (630 bytes)

In response to

Responses

pgsql-hackers by date

Next:From: Kohei KaiGaiDate: 2013-01-02 15:48:42
Subject: Re: recent ALTER whatever .. SET SCHEMA refactoring
Previous:From: Marko KreenDate: 2013-01-02 15:27:15
Subject: Re: allowing multiple PQclear() calls

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group