Re: predefined role(s) for VACUUM and ANALYZE

From: Pavel Luzanov <p(dot)luzanov(at)postgrespro(dot)ru>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>, Nathan Bossart <nathandbossart(at)gmail(dot)com>
Cc: Corey Huinker <corey(dot)huinker(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Bharath Rupireddy <bharath(dot)rupireddyforpostgres(at)gmail(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: predefined role(s) for VACUUM and ANALYZE
Date: 2022-12-05 20:21:08
Message-ID: a2382acd-e465-85b2-9d8e-f9ed1a5a66e9@postgrespro.ru
Lists: pgsql-hackers

Hello,

While looking into the new feature, I found the following situation with
the \dp command displaying privileges on the system tables:

GRANT VACUUM, ANALYZE ON TABLE pg_type TO alice;

SELECT relacl FROM pg_class WHERE oid = 'pg_type'::regclass;
                           relacl
-------------------------------------------------------------
 {=r/postgres,postgres=arwdDxtvz/postgres,alice=vz/postgres}
(1 row)

But the \dp command does not show the granted privileges:

\dp pg_type
                            Access privileges
 Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+------+-------------------+-------------------+----------
(0 rows)

The comment in src/bin/psql/describe.c explains the situation:

    /*
     * Unless a schema pattern is specified, we suppress system and temp
     * tables, since they normally aren't very interesting from a permissions
     * point of view.  You can see 'em by explicit request though, eg with \z
     * pg_catalog.*
     */

So to see the privileges you have to explicitly specify the schema name:

\dp pg_catalog.pg_type
                                     Access privileges
   Schema   |  Name   | Type  |      Access privileges      | Column privileges | Policies
------------+---------+-------+-----------------------------+-------------------+----------
 pg_catalog | pg_type | table | =r/postgres                +|                   |
            |         |       | postgres=arwdDxtvz/postgres+|                   |
            |         |       | alice=vz/postgres           |                   |
(1 row)

But perhaps this behavior should be reviewed or at least documented?

-----
Pavel Luzanov
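
Added example, not part of the original message or of the PostgreSQL sources: because a bare \dp skips system tables, a privilege review can read the ACLs straight from the catalogs instead. The query below lists every table-level and column-level grant in pg_catalog held by a named role other than the object's owner; it relies only on pg_class, pg_attribute, pg_roles and aclexplode(), and the CTE name and column aliases are chosen for this example.

```sql
-- Added example: explicit grants on pg_catalog relations and columns,
-- which "\dp name" without a schema pattern does not display.
WITH acls AS (
    -- relation-level ACLs
    SELECT c.relname, c.relkind, c.relowner,
           NULL::name AS colname, c.relacl AS acl
    FROM pg_class AS c
    WHERE c.relnamespace = 'pg_catalog'::regnamespace
    UNION ALL
    -- column-level ACLs (the "Column privileges" column of \dp)
    SELECT c.relname, c.relkind, c.relowner,
           a.attname, a.attacl
    FROM pg_attribute AS a
    JOIN pg_class AS c ON c.oid = a.attrelid
    WHERE c.relnamespace = 'pg_catalog'::regnamespace
      AND NOT a.attisdropped
)
SELECT acls.relname,
       acls.relkind,
       acls.colname,
       ge.rolname AS grantee,
       x.privilege_type,
       x.is_grantable,
       gr.rolname AS grantor
FROM acls
-- aclexplode() yields no rows for a NULL ACL, so default-only objects drop out
CROSS JOIN LATERAL aclexplode(acls.acl) AS x
-- inner join on grantee drops PUBLIC entries (grantee OID 0 has no pg_roles row)
JOIN pg_roles AS ge ON ge.oid = x.grantee
JOIN pg_roles AS gr ON gr.oid = x.grantor
-- skip the owner's own privileges; what remains was granted explicitly
WHERE x.grantee <> acls.relowner
ORDER BY acls.relname, acls.colname NULLS FIRST, ge.rolname, x.privilege_type;
```

On a cluster in the state shown in the message, the entries granted to alice on pg_type appear in the result, while the =r/postgres and owner entries are filtered out.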
