| From: | Dilip Kumar <dilipbalaut(at)gmail(dot)com> |
|---|---|
| To: | shveta malik <shveta(dot)malik(at)gmail(dot)com> |
| Cc: | Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, vignesh C <vignesh21(at)gmail(dot)com>, Nisha Moond <nisha(dot)moond412(at)gmail(dot)com>, Peter Smith <smithpb2250(at)gmail(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Bharath Rupireddy <bharath(dot)rupireddyforpostgres(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Proposal: Conflict log history table for Logical Replication |
| Date: | 2026-05-04 09:19:08 |
| Message-ID: | CAFiTN-vwQuQ5=rMuNOE16zD6J1_zoyK29sbS807KvJMk+9JP7Q@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, May 4, 2026 at 2:43 PM shveta malik <shveta(dot)malik(at)gmail(dot)com> wrote:
>
> On Mon, May 4, 2026 at 2:37 PM Dilip Kumar <dilipbalaut(at)gmail(dot)com> wrote:
> >
> > On Mon, 4 May 2026 at 11:21 AM, Dilip Kumar <dilipbalaut(at)gmail(dot)com> wrote:
> >>
> >> On Mon, May 4, 2026 at 11:18 AM shveta malik <shveta(dot)malik(at)gmail(dot)com> wrote:
> >> >
> >> > On Sat, May 2, 2026 at 2:40 PM Dilip Kumar <dilipbalaut(at)gmail(dot)com> wrote:
> >> > >
> >> > > On Fri, May 1, 2026 at 7:16 PM Dilip Kumar <dilipbalaut(at)gmail(dot)com> wrote:
> >> > > >
> >> > > > 4. pg_conflict is the catalog schema and as Nisha reported,
> >> > > > non-superusers aren't allowed to access the objects within it. Because
> >> > > > of this, SELECT, DELETE, and TRUNCATE are disallowed even for the
> >> > > > subscription owner if that owner is a non-superuser. I am working on
> >> > > > the fix.
> >> > >
> >> > > While analyzing this, I realized that the schema ACL check happens
> >> > > very early in analyze phase [1]. I'm not sure if we can bypass the
> >> > > subscription owner from this check at that stage without implementing
> >> > > a hacky solution. Another option is to remove restrictions from the
> >> > > pg_conflict schema for all users and keep only table-level
> >> > > restrictions within that schema. I am exploring how to implement this.
> >> >
> >> > Dilip, instead of granting permission (or removing restrictions) on
> >> > the pg_conflict schema to all users, is there a way to grant USAGE on
> >> > the schema only to the subscription owner when the conflict log table
> >> > is created and when the owner is altered for the subscription? I think
> >> > it should resolve the problem in a better way. Thoughts? Let me know
> >> > if I am missing something.
> >>
> >> Yeah I thought about that but when you create a subscription, you
> >> connected using the subscription owner user, who doesn't have the
> >> necessary permission to GRANT usage on pg_conflict schema.
> >
> >
> > After putting more thoughts I think we should be able to execute internal GRAN function which do not checks whether the user has permission to GRANT or not.
> >
>
> I have been trying to find an existing code example that does
> somethign similar, but could not find one. But if you think it is
> feasible and found a way, then it is the reasonable solution here.
Even I am not sure but I am going to experiment with this by calling
ExecGrantStmt_oids() while creating the subscription to see if we can
come up with something reasonable.
--
Regards,
Dilip Kumar
Google
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Evgeny Voropaev | 2026-05-04 09:29:41 | Re: [PATCH] Fix ProcKill lock-group vs procLatch recycle race |
| Previous Message | SATYANARAYANA NARLAPURAM | 2026-05-04 09:17:08 | [Bug]Vacuum full silently NULL out fast default columns |