Re: PROPERTY GRAPH pg_dump ACL minimization

From: Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Noah Misch <noah(at)leadboat(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: PROPERTY GRAPH pg_dump ACL minimization
Date: 2026-07-03 10:39:20
Message-ID: CAExHW5va66cEd6uXvj16F0dGRfikWXf7jzRULrqV3OQ99EPsXg@mail.gmail.com
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, Jul 1, 2026 at 9:51 PM Ashutosh Bapat
<ashutosh(dot)bapat(dot)oss(at)gmail(dot)com> wrote:
>
> I wondered whether we are missing special handling for PROPGRAPH at
> other places. I looked at other places where we handle OBJECT_SEQUENCE
> separately in acl related files. I discovered following missing cases
>
> 1. ExecGrant_Relation: I think we should clip the extra privileges
> with a warning when GRANT ... TABLE syntax is used to grant privileges
> on a property graph, just like sequences. To me it looks like we
> should prohibit GRANT ... TABLE on property graph altogether. But
> haven't done so to keep it in sync with sequences. The backward
> compatibility comment, "For backward compatibility, just ... " should
> not be applicable in case of property graph since we can introduce
> whatever behaviour we expect from GRANT ... TABLE right from the first
> release which introduced property graph. But I am not sure if that's
> the only backward compatibility we are talking about here. Those
> commits go more than a few decades back and commit message itself
> doesn't help me much. Maybe someone with a better historical
> perspective may help. I have also added a test scenario for a
> non-property graph privilege to be added using GRANT ... TABLE syntax.
>

Since property graphs share the namespace with regular tables, I think
GRANT ... TABLE should be supported on property graphs, but restrict
it to only the privileges applicable to property graphs. Done that way
in the attached patch.

> The second change in this function seems necessary but without it, I
> couldn't find a visible bug. Mostly it's masked because the privileges
> available on a table are a superset of privileges available on a
> property graph.
>

This change is needed so that we can provide a correct error message.

Here's a revised patch set.
0010 is your patch without any changes
0011 is my changes described above.

--
Best Wishes,
Ashutosh Bapat

Attachment Content-Type Size
v20260703-0010-Fix-pg_dump-ACL-minimization-for-PROPERTY-.patch text/x-patch 5.4 KB
v20260703-0011-Fix-GRANT-.-TABLE-on-a-property-graph.patch text/x-patch 4.5 KB

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Andrei Lepikhov 2026-07-03 10:53:11 Re: Do not scan index in right table if condition for left join evaluates to false using columns in left table
Previous Message Amit Kapila 2026-07-03 10:15:34 Re: Re-read subscription state after lock in AlterSubscription