Participants
Costa Alexoglou
Costa Alexoglou
Pavel Luzanov
Pavel Luzanov
Attachments
Show all attachments
Thread Outline
#1Costa AlexoglouCosta Alexoglou
Aug 20, 2024
#2Pavel LuzanovPavel Luzanovto Costa Alexoglou (#1)
Aug 21, 2024
#3Pavel LuzanovPavel Luzanovto Pavel Luzanov (#2)
Aug 21, 2024
#4Costa AlexoglouCosta Alexoglouto Pavel Luzanov (#3)
Aug 21, 2024

insufficient privilege with pg_read_all_stats granted

Started by Costa Alexoglouover 1 year ago4 messagesgeneral
Jump to latest
#1Costa Alexoglou
Costa Alexoglou
costa@dbtune.com

Hey folks,

I run PostgreSQL v15.8 (docker official image), and there is an issue when
reading pg_stat_staments table with a result of query most of the times
having `<insufficient privilege>` value.

I have created the user that I use to fetch the data with the following way:
```
CREATE USER abcd WITH NOSUPERUSER NOCREATEROLE NOINHERIT LOGIN;

GRANT pg_read_all_stats, pg_stat_scan_tables, pg_read_all_settings to abcd;

GRANT pg_monitor to abcd;
```

I explicitly gave `pg_read_all_stats` and also called `pg_monitor` just to
be on the safe side, but stil I get the insufficient privilege error.

```
SELECT
r.rolname AS member,
m.rolname AS role
FROM
pg_auth_members am
JOIN
pg_roles r ON r.oid = am.member
JOIN
pg_roles m ON m.oid = am.roleid
WHERE
m.rolname = 'pg_read_all_stats'
AND r.rolname = 'abcd';

member | role
--------+-------------------
abcd | pg_read_all_stats
(1 row)
```

I also tried with PostgreSQL v14.13, and this was not the case, it was
working fine as expected.
Then I tried v16.4 and v17beta3, and I faced the <insufficient privilege>
issue, so I guess something changed v15 onwards?

#2Pavel Luzanov
Pavel Luzanov
p.luzanov@postgrespro.ru
In reply to: Costa Alexoglou (#1)
Re: insufficient privilege with pg_read_all_stats granted

On 20.08.2024 23:50, Costa Alexoglou wrote:

I run PostgreSQL v15.8 (docker official image), and there is an issue
when reading pg_stat_staments table with a result of query most of the
times having `<insufficient privilege>` value.

I have created the user that I use to fetch the data with the
following way:
```
CREATE USER abcd WITH NOSUPERUSER NOCREATEROLE NOINHERIT LOGIN;

GRANT pg_read_all_stats, pg_stat_scan_tables, pg_read_all_settings to
abcd;

I think the problem is in the NOINHERIT attribute for the abcd role.
abcd does not inherit the privileges gained from being included in other roles.

In v15, to see the text of SQL commands in pg_stat_statements, you can either explicitly
switch from abcd role to the pg_read_all_stats role (SET ROLE pg_read_all_stats)
or set the INHERIT attribute for abcd role (alter role abcd inherit).

In v16, you can explicitly specify how to get privileges in the GRANT command:

grant pg_read_all_stats to abcd with inherit true, set false;

I also tried with PostgreSQL v14.13, and this was not the case, it was
working fine as expected.
Then I tried v16.4 and v17beta3, and I faced the <insufficient
privilege> issue, so I guess something changed v15 onwards?

But I don't understand why it worked in v14.
Probablysomethinghas changed, butIcouldn't quicklyfindwhatexactly.

--
Pavel Luzanov
Postgres Professional:https://postgrespro.com

#3Pavel Luzanov
Pavel Luzanov
p.luzanov@postgrespro.ru
In reply to: Pavel Luzanov (#2)
Re: insufficient privilege with pg_read_all_stats granted

On 21.08.2024 10:50, Pavel Luzanov wrote:

But I don't understand why it worked in v14.
Probablysomethinghas changed, butIcouldn't quicklyfindwhatexactly.

Ifoundit.
https://github.com/postgres/postgres/commit/6198420a

--
Pavel Luzanov
Postgres Professional:https://postgrespro.com

#4Costa Alexoglou
Costa Alexoglou
costa@dbtune.com
In reply to: Pavel Luzanov (#3)
Re: insufficient privilege with pg_read_all_stats granted

I think the problem is in the NOINHERIT attribute for the abcd role.

Indeed that is the issue, thanks for helping find this out

Show quoted text
← Back to Topics