Quick Links

Re: BUG #2085: pg_dump incompletely dumps ACLs

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	David J N Begley <d(dot)begley(at)uws(dot)edu(dot)au>
Cc:	Alvaro Herrera <alvherre(at)commandprompt(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject:	Re: BUG #2085: pg_dump incompletely dumps ACLs
Date:	2005-12-03 19:25:54
Message-ID:	1873.1133637954@sss.pgh.pa.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-bugs

David J N Begley <d(dot)begley(at)uws(dot)edu(dot)au> writes:
> I have verified that _no_ GRANT/REVOKE commands are dumped for the database,
> and only some GRANT/REVOKE commands are dumped for "language" objects (see
> below);

The latter is not really a bug. Languages don't currently have owners
(ie there is no owner column in pg_language). For ACL-munging purposes
we act as though the bootstrap superuser owns the language, that is,
that userid is shown as the grantor of privileges. But having a
superuser revoke his own privileges is a no-op, because he's a superuser
and the privileges aren't going to be enforced against him anyway. So
the fact that pg_dump doesn't process that part of the ACL isn't very
meaningful.

Sooner or later we may get around to assigning explicit owners to
languages, but it's not a high-priority problem --- AFAICS the lack
of ownership doesn't create any problems worse than these sorts of
corner-case confusions. It'll always be true that superuserdom is
needed to create a PL, and distinguishing one superuser from another
is not a particularly useful activity in the context of permission
checks ...

I fooled around with having pg_dump explicitly treat the language as
being owned by the bootstrap superuser, and think I may apply the patch
now even though it doesn't really matter, because it does clean up the
output a little bit --- instead of

--
-- Name: pltcl; Type: ACL; Schema: -; Owner:
--

REVOKE ALL ON LANGUAGE pltcl FROM PUBLIC;
SET SESSION AUTHORIZATION postgres;
GRANT ALL ON LANGUAGE pltcl TO postgres;
RESET SESSION AUTHORIZATION;
SET SESSION AUTHORIZATION postgres;
GRANT ALL ON LANGUAGE pltcl TO tgl;
RESET SESSION AUTHORIZATION;

I get

--
-- Name: pltcl; Type: ACL; Schema: -; Owner: postgres
--

REVOKE ALL ON LANGUAGE pltcl FROM PUBLIC;
REVOKE ALL ON LANGUAGE pltcl FROM postgres;
GRANT ALL ON LANGUAGE pltcl TO postgres;
GRANT ALL ON LANGUAGE pltcl TO tgl;

for a pg_language ACL of "{postgres=U/postgres,tgl=U/postgres}".
Avoiding the SET SESSION AUTHORIZATIONs seems like a good idea.

regards, tom lane

In response to

Re: BUG #2085: pg_dump incompletely dumps ACLs at 2005-12-03 16:24:39 from David J N Begley

Responses

Re: BUG #2085: pg_dump incompletely dumps ACLs at 2005-12-04 04:04:07 from David J N Begley

Browse pgsql-bugs by date

	From	Date	Subject
Next Message	Tom Lane	2005-12-03 19:34:29	Re: BUG #2092: No answer to bug reports 1975 and 2055
Previous Message	Dirk Pirschel	2005-12-03 19:19:46	Re: BUG #2092: No answer to bug reports 1975 and 2055