Re: Proposal: Conflict log history table for Logical Replication

On Wed, May 6, 2026 at 10:47 AM Amit Kapila <amit(dot)kapila16(at)gmail(dot)com> wrote:
>
> On Tue, May 5, 2026 at 6:25 PM Dilip Kumar <dilipbalaut(at)gmail(dot)com> wrote:
> >
> > On Tue, May 5, 2026 at 9:37 AM shveta malik <shveta(dot)malik(at)gmail(dot)com> wrote:
> > >
> > > On Tue, May 5, 2026 at 8:26 AM Amit Kapila <amit(dot)kapila16(at)gmail(dot)com> wrote:
> > > >
> > > > On Mon, May 4, 2026 at 6:41 PM Dilip Kumar <dilipbalaut(at)gmail(dot)com> wrote:
> > > > >
> > > > > PFA, poc patch for the same.
> > >
> > > I like the idea of PoC. It simplifies the implementation.
> > >
> > > > >
> > > >
> > > > I know it is POC but I think you need more work to prevent manual
> > > > inserts/updates on conflict tables.
> > > >
> > >
> > > I think CheckValidResultRel() handles it.
> > >
> > > postgres=# insert into pg_conflict.pg_conflict_16391 values (0);
> > > ERROR: cannot modify or insert data into conflict log table "pg_conflict_16391"
> > > DETAIL: Conflict log tables are system-managed and only support
> > > cleanup via DELETE or TRUNCATE
> >
> > I think we can tweak a bit and pg_class_aclmask_ext() we can only
> > allow truncate/delete on pg_conflict and block insert and update, here
> > is the modified version. Please let me know your thoughts.
> >
>
> BTW, I am still getting the same ERROR even after POC. See
> postgres=# insert into pg_conflict.pg_conflict_log_16402 values(NULL);
> ERROR: cannot modify or insert data into conflict log table
> "pg_conflict_log_16402"
> DETAIL: Conflict log tables are system-managed and only support
> cleanup via DELETE or TRUNCATE.

I also see the same behaviour.
~~

One observation for others to review:

As a non super-user which does not have 'pg_create_subscription' privelege:
postgres=> alter table pg_conflict.pg_conflict_16487 add column i int;
ERROR: permission denied for schema pg_conflict
<seems correct, as access is denied at schema level itself>

As a non super-user which has 'pg_create_subscription' privelege, but
does not own the respective sub:
postgres=> alter table pg_conflict.pg_conflict_16487 add column i int;
ERROR: must be owner of table pg_conflict_16487
<Due to 'pg_create_subscription', it seems schema access is provided,
so it goes to check table access now and gives above error. Not sure
about this error, even if the user were the owner, they still wouldn't
be able to perform this operation>

As a non super-user which has 'pg_create_subscription' privilege and
also owns the respective sub:
postgres=> alter table pg_conflict.pg_conflict_16498 add column i int;
ERROR: permission denied: "pg_conflict_16498" is a system catalog
<okay>

As a super-user, the error is same irrespective of fact whether it
actually owns that table or not:
postgres=# alter table pg_conflict.pg_conflict_16487 add column i int;
ERROR: permission denied: "pg_conflict_16487" is a system catalog
<okay>

For second case, not a strong opinion, but can the better error be:
ERROR: permission denied: "pg_conflict_16487" is a system catalog?

I have not analyzed code myself for this yet.

thanks
Shveta