Re: BUG #19379: Role pg_read_all_data don't allowed read large objects

Hi,

On 2026-01-15 06:36:35 -0700, David G. Johnston wrote:
> On Thursday, January 15, 2026, PG Bug reporting form <noreply(at)postgresql(dot)org>
> wrote:
>
> > The following bug has been logged on the website:
> >
> > Bug reference: 19379
> > Logged by: Misha Shaygu
> > Email address: long76(dot)git(at)mail(dot)ru
> > PostgreSQL version: 17.7
> > Operating system: Kubuntu 24.04
> > Description:
> >
> > My goal: create role for backup any database on server
> >
> > Steps:
> > 1. CREATE USER backup_user;
> > 2. GRANT pg_read_all_data TO backup_user;
> > 3. pg_dump my_db
> > 4. got error to read large object
> >
> > Following by links
> > https://www.postgresql.org/docs/17/predefined-roles.html
> > https://www.postgresql.org/docs/17/lo-implementation.html
> > "SELECT privileges are required to read a large object" and role
> > "pg_read_all_data" grant it, but it don't work!
> >
> > Please fix it, thanks!
> >
>
> The docs you link note that all data is “tables, views, sequences”. Large
> objects are not listed. Maybe that means the name is a bit misleading but
> it’s working as documented.
>
> Likewise, the LO page doesn’t say anything about read all being applicable.

It's not contradicting our docs, but I think it likely still is an
oversight. The goal of pg_read_all_data [1] was to allow running pg_dump
without having to grant granular access, not being able to run pg_dump
successfully due to LOs prevents that.

This doesn't seem like something we're going to fix in a minor version
though...

Greetings,

Andres Freund

[1] http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=6c3ffd697e2242f5497ea4b40fffc8f6f922ff60
> A commonly requested use-case is to have a role who can run an
> unfettered pg_dump without having to explicitly GRANT that user access
> to all tables, schemas, et al, without that role being a superuser.