Quick Links

Re: Inconsistent behavior of pg_dump/pg_restore on DEFAULT PRIVILEGES

From:	Boris P(dot) Korzun <drtr0jan(at)yandex(dot)ru>
To:	Neil Chen <carpenter(dot)nail(dot)cz(at)gmail(dot)com>
Cc:	"pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject:	Re: Inconsistent behavior of pg_dump/pg_restore on DEFAULT PRIVILEGES
Date:	2021-09-21 05:04:58
Message-ID:	8261632200581@mail.yandex.ru
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-bugs pgsql-hackers

<div>Hi Neil,</div><div> </div><div>what about the commit to the upstream?</div><div> </div><div>31.03.2021, 06:02, "Neil Chen" <carpenter(dot)nail(dot)cz(at)gmail(dot)com>:</div><blockquote><div>Greetings,<div> </div><div>I did some research on this bug and found that the reason for the problem is that the pg_dump misjudged the non-global default access privileges when exporting. The details are as follows:</div><blockquote>The default for a global entry is the hard-wired default ACL for the<br />particular object type. The default for non-global entries is an empty<br />ACL. This must be so because global entries replace the hard-wired<br />defaults, while others are added on.</blockquote><div>We can find this description in code comments(src/backend/catalog/aclchk.c:1162). For example, if we log as user postgres, for global entire our default ACL is "{=X/postgres,postgres=X/postgres}", for non-global entire it's "NULL".</div><div> </div><div>Now let's look at a part of the SQL statement used when pg_dump exports the default ACL(it can be found in src/bin/pg_dump/dumputils.c:762):</div><blockquote>(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM<br />(SELECT acl, row_n FROM<br />pg_catalog.unnest(coalesce(defaclacl,pg_catalog.acldefault(CASE WHEN defaclobjtype = 'S' THEN 's' ELSE defaclobjtype END::"char",defaclrole)))<br />WITH ORDINALITY AS perm(acl,row_n)<br />WHERE NOT EXISTS (<br />SELECT 1 FROM<br />pg_catalog.unnest(coalesce(pip.initprivs,pg_catalog.acldefault(CASE WHEN defaclobjtype = 'S' THEN 's' ELSE defaclobjtype END::"char",defaclrole)))<br />AS init(init_acl) WHERE acl = init_acl)) as foo) </blockquote><div>It can be seen that when comparing the changes of default ACL, it does not distinguish between global and non-global default ACL. It uses {=X/postgres,postgres=X/postgres} as the non-global default ACL by mistake, resulting in the export error.</div><div> </div><div>Combined with the above research, I gave this patch to fix the bug. Hackers can help to see if this modification is correct. I'm studying how to write test scripts for it...</div><div> </div><div>Thanks.</div><div> </div>--<div><div>There is no royal road to learning.<div>HighGo Software Co.</div></div></div></div></blockquote><div>---</div><div>WBR</div><div>Boris</div>

Attachment	Content-Type	Size
unknown_filename	text/html	2.2 KB

In response to

Re: Inconsistent behavior of pg_dump/pg_restore on DEFAULT PRIVILEGES at 2021-03-31 03:02:00 from Neil Chen

Responses

Re: Inconsistent behavior of pg_dump/pg_restore on DEFAULT PRIVILEGES at 2021-09-22 01:30:50 from Neil Chen

Browse pgsql-bugs by date

	From	Date	Subject
Next Message	Puneet Sharma	2021-09-21 06:04:37	Re: BUG #17189: Index not created when primary key created
Previous Message	Alexander Lakhin	2021-09-21 05:00:01	Re: BUG #17197: Assert failed on inserting index tuples after VACUUM

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Amit Kapila	2021-09-21 05:11:08	Re: row filtering for logical replication
Previous Message	Amul Sul	2021-09-21 05:03:55	Re: Deduplicate code updating ControleFile's DBState.