| From: | Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Noah Misch <noah(at)leadboat(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: PROPERTY GRAPH pg_dump ACL minimization |
| Date: | 2026-07-03 10:39:20 |
| Message-ID: | CAExHW5va66cEd6uXvj16F0dGRfikWXf7jzRULrqV3OQ99EPsXg@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jul 1, 2026 at 9:51 PM Ashutosh Bapat
<ashutosh(dot)bapat(dot)oss(at)gmail(dot)com> wrote:
>
> I wondered whether we are missing special handling for PROPGRAPH at
> other places. I looked at other places where we handle OBJECT_SEQUENCE
> separately in acl related files. I discovered following missing cases
>
> 1. ExecGrant_Relation: I think we should clip the extra privileges
> with a warning when GRANT ... TABLE syntax is used to grant privileges
> on a property graph, just like sequences. To me it looks like we
> should prohibit GRANT ... TABLE on property graph altogether. But
> haven't done so to keep it in sync with sequences. The backward
> compatibility comment, "For backward compatibility, just ... " should
> not be applicable in case of property graph since we can introduce
> whatever behaviour we expect from GRANT ... TABLE right from the first
> release which introduced property graph. But I am not sure if that's
> the only backward compatibility we are talking about here. Those
> commits go more than a few decades back and commit message itself
> doesn't help me much. Maybe someone with a better historical
> perspective may help. I have also added a test scenario for a
> non-property graph privilege to be added using GRANT ... TABLE syntax.
>
Since property graphs share the namespace with regular tables, I think
GRANT ... TABLE should be supported on property graphs, but restrict
it to only the privileges applicable to property graphs. Done that way
in the attached patch.
> The second change in this function seems necessary but without it, I
> couldn't find a visible bug. Mostly it's masked because the privileges
> available on a table are a superset of privileges available on a
> property graph.
>
This change is needed so that we can provide a correct error message.
Here's a revised patch set.
0010 is your patch without any changes
0011 is my changes described above.
--
Best Wishes,
Ashutosh Bapat
| Attachment | Content-Type | Size |
|---|---|---|
| v20260703-0010-Fix-pg_dump-ACL-minimization-for-PROPERTY-.patch | text/x-patch | 5.4 KB |
| v20260703-0011-Fix-GRANT-.-TABLE-on-a-property-graph.patch | text/x-patch | 4.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrei Lepikhov | 2026-07-03 10:53:11 | Re: Do not scan index in right table if condition for left join evaluates to false using columns in left table |
| Previous Message | Amit Kapila | 2026-07-03 10:15:34 | Re: Re-read subscription state after lock in AlterSubscription |