Strange permission effect depending on DEFERRABILITY
Dear List
The below runs on PostgreSQL 16.4
We are trying to implement a certain operation based on a security
definer function : mariner_update_availability_date
This is supposed to update a table : mariner , which has several other
triggers :
mariner_build_natural_id_tg BEFORE INSERT OR UPDATE ON mariner FOR EACH
ROW EXECUTE FUNCTION mariner_build_natural_id()
mariner_force_integrity_tg AFTER INSERT OR UPDATE ON mariner FOR
EACH ROW EXECUTE FUNCTION mariner_force_integrity()
mariner_manage_past_tg BEFORE UPDATE ON mariner FOR EACH ROW EXECUTE
FUNCTION mariner_manage_past()
mariner_xadmin_prod_tmp_map_ins__crew_tg AFTER INSERT ON mariner FOR
EACH ROW EXECUTE FUNCTION xadmin_prod_tmp_map_ins__crew()
mariner_zb_dbmirror_trig AFTER INSERT OR DELETE OR UPDATE ON mariner
FOR EACH ROW EXECUTE FUNCTION dbmirror_recordchange()
zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON mariner
DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dmq()
Yes, for those highly observant veterans, dbmirror_recordchange is
indeed DBMIRROR. And no, we cannot replace it, since this is our own
ultra hacked and customized version, not replaceable by any past,
present (and most likely future) extension.
As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger. This
function mariner_update_availability_date is supposed to be run by a
user : cbt_results_import strippedof any privileges to the rest of the
system. Here is what we get : when we SET the constraint of the last
trigger to IMMEDIATE, the function runs on behalf of its owner
(postgres) who has all needed privileges (as superuser) to run the
update on mariner table and also run the triggers . However, when we run
with this CONSTRAINT as DEFERRED then it seems to NOT run the last
deferrable trigger as postgres.
postgres@smadb-pgsql16:~$ psql
psql (16.4)
Type "help" for help.
postgres@[local]/dynacom=# set role cbt_results_import ;
SET
postgres@[local]/dynacom=> begin ;
BEGIN
postgres@[local]/dynacom=*> SET CONSTRAINTS zzzmariner_dmq_tg IMMEDIATE;
SET CONSTRAINTS
postgres@[local]/dynacom=*> select
mariner_update_availability_date(13916, '2020-02-28');
mariner_update_availability_date
----------------------------------
(1 row)
postgres@[local]/dynacom=*> commit ;
COMMIT
postgres@[local]/dynacom=> begin ;
BEGIN
postgres@[local]/dynacom=*> SET CONSTRAINTS zzzmariner_dmq_tg DEFERRED;
SET CONSTRAINTS
postgres@[local]/dynacom=*> select
mariner_update_availability_date(13916, '2020-02-28');
mariner_update_availability_date
----------------------------------
(1 row)
postgres@[local]/dynacom=*> commit ;
ERROR: permission denied for table export_dmq
CONTEXT: SQL statement "DELETE FROM export_dmq where id=($1).id and
op='U' and tbl='mariner'"
PL/pgSQL function export_dmq() line 15 at EXECUTE
postgres@[local]/dynacom=>
Is this supposed to be normal? Documented anywhere ?
Thank you
Achilleas Mantzios - cloud <a.mantzios@cloud.gatewaynet.com> writes:
As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger. This
function mariner_update_availability_date is supposed to be run by a
user : cbt_results_import strippedof any privileges to the rest of the
system. Here is what we get : when we SET the constraint of the last
trigger to IMMEDIATE, the function runs on behalf of its owner
(postgres) who has all needed privileges (as superuser) to run the
update on mariner table and also run the triggers . However, when we run
with this CONSTRAINT as DEFERRED then it seems to NOT run the last
deferrable trigger as postgres.
AFAIR the trigger mechanisms do not change the execution environment.
If they did, then for example a trigger that stuffs CURRENT_USER into
a last_updated_by column would not give the desired results.
I'd suggest marking the problem trigger function as SECURITY DEFINER
if you want it to run as its owner.
regards, tom lane
On 9/9/24 17:21, Tom Lane wrote:
Achilleas Mantzios - cloud<a.mantzios@cloud.gatewaynet.com> writes:
As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger. This
function mariner_update_availability_date is supposed to be run by a
user : cbt_results_import strippedof any privileges to the rest of the
system. Here is what we get : when we SET the constraint of the last
trigger to IMMEDIATE, the function runs on behalf of its owner
(postgres) who has all needed privileges (as superuser) to run the
update on mariner table and also run the triggers . However, when we run
with this CONSTRAINT as DEFERRED then it seems to NOT run the last
deferrable trigger as postgres.AFAIR the trigger mechanisms do not change the execution environment.
If they did, then for example a trigger that stuffs CURRENT_USER into
a last_updated_by column would not give the desired results.I'd suggest marking the problem trigger function as SECURITY DEFINER
if you want it to run as its owner.
Thank you Tom. With a little bit of debugging is obvious that the last
deferred trigger function runs outside the security environment of the
top SECURITY DEFINER function (naturally), however current_user seems to
be on par with the security definer owner,
cbt_results_import@[local]/dynacom=> begin ;
BEGIN
cbt_results_import@[local]/dynacom=*> SET CONSTRAINTS zzzmariner_dmq_tg
IMMEDIATE;
SET CONSTRAINTS
cbt_results_import@[local]/dynacom=*> select
mariner_update_availability_date(13916, '2020-02-28');
NOTICE: manage past : the current_user is postgres, session_user is
cbt_results_import, system_user id md5:cbt_results_import
NOTICE: manage past : the current_user is postgres, session_user is
cbt_results_import, system_user id md5:cbt_results_import
mariner_update_availability_date
----------------------------------
(1 row)
cbt_results_import@[local]/dynacom=*> commit ;
COMMIT
cbt_results_import@[local]/dynacom=> begin ;
BEGIN
cbt_results_import@[local]/dynacom=*> SET CONSTRAINTS zzzmariner_dmq_tg
DEFERRED;
SET CONSTRAINTS
cbt_results_import@[local]/dynacom=*> select
mariner_update_availability_date(13916, '2020-02-28');
NOTICE: manage past : the current_user is postgres, session_user is
cbt_results_import, system_user id md5:cbt_results_import
mariner_update_availability_date
----------------------------------
(1 row)
cbt_results_import@[local]/dynacom=*> commit ;
NOTICE: manage past : the current_user is cbt_results_import,
session_user is cbt_results_import, system_user id md5:cbt_results_import
ERROR: permission denied for table export_dmq
CONTEXT: SQL statement "DELETE FROM export_dmq where id=($1).id and
op='U' and tbl='mariner'"
PL/pgSQL function export_dmq() line 18 at EXECUTE
Thank you and sorry for missing something so obvious.
Show quoted text
regards, tom lane
On Mon, 2024-09-09 at 16:14 +0300, Achilleas Mantzios - cloud wrote:
The below runs on PostgreSQL 16.4
We are trying to implement a certain operation based on a security definer
function : mariner_update_availability_dateThis is supposed to update a table : mariner , which has several other triggers :
[...]
zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON mariner DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dmq()As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger.
This function mariner_update_availability_date is supposed to be run by a user :
cbt_results_import stripped of any privileges to the rest of the system. Here is
what we get : when we SET the constraint of the last trigger to IMMEDIATE, the
function runs on behalf of its owner (postgres) who has all needed privileges
(as superuser) to run the update on mariner table and also run the triggers .
However, when we run with this CONSTRAINT as DEFERRED then it seems to NOT run
the last deferrable trigger as postgres.
I have proposed a patch that fixes exactly that case:
https://commitfest.postgresql.org/49/4888/
So far, the feedback seems to be that it is not considered a bug.
But that doesn't mean that we cannot change the behavior.
Yours,
Laurenz Albe
On 9/10/24 00:09, Laurenz Albe wrote:
On Mon, 2024-09-09 at 16:14 +0300, Achilleas Mantzios - cloud wrote:
The below runs on PostgreSQL 16.4
We are trying to implement a certain operation based on a security definer
function : mariner_update_availability_dateThis is supposed to update a table : mariner , which has several other triggers :
[...]
zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON mariner DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dmq()As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger.
This function mariner_update_availability_date is supposed to be run by a user :
cbt_results_import stripped of any privileges to the rest of the system. Here is
what we get : when we SET the constraint of the last trigger to IMMEDIATE, the
function runs on behalf of its owner (postgres) who has all needed privileges
(as superuser) to run the update on mariner table and also run the triggers .
However, when we run with this CONSTRAINT as DEFERRED then it seems to NOT run
the last deferrable trigger as postgres.I have proposed a patch that fixes exactly that case:
https://commitfest.postgresql.org/49/4888/So far, the feedback seems to be that it is not considered a bug.
But that doesn't mean that we cannot change the behavior.
Nice work! However I am not sure. What's a trigger owner btw in the
thread :
/messages/by-id/77b89e609f21380785865542609fbc14010021c8.camel@cybertec.at
? Do they mean the table owner? is the trigger creator / owner stored
somewhere ? I dont see it in system tables or the schema dump. Or do
they imply the trigger function owner ?
Maybe controlling the queued and later executed trigger invocations
security context via a new special GUC? such as :
trigger_security_ctx = current_user (default) | table/trigger_owner |
execution_triggered_user
(in every case a SECURITY DEFINER function would override the above setting)
just my 2cents
Show quoted text
Yours,
Laurenz Albe
On Tue, 2024-09-10 at 12:20 +0300, Achilleas Mantzios - cloud wrote:
On 9/10/24 00:09, Laurenz Albe wrote:
On Mon, 2024-09-09 at 16:14 +0300, Achilleas Mantzios - cloud wrote:
The below runs on PostgreSQL 16.4
We are trying to implement a certain operation based on a security definer
function : mariner_update_availability_dateThis is supposed to update a table : mariner , which has several other triggers :
[...]
zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON mariner DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dmq()As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger.
This function mariner_update_availability_date is supposed to be run by a user :
cbt_results_import stripped of any privileges to the rest of the system. Here is
what we get : when we SET the constraint of the last trigger to IMMEDIATE, the
function runs on behalf of its owner (postgres) who has all needed privileges
(as superuser) to run the update on mariner table and also run the triggers .
However, when we run with this CONSTRAINT as DEFERRED then it seems to NOT run
the last deferrable trigger as postgres.I have proposed a patch that fixes exactly that case:
https://commitfest.postgresql.org/49/4888/So far, the feedback seems to be that it is not considered a bug.
But that doesn't mean that we cannot change the behavior.Nice work! However I am not sure. What's a trigger owner btw in the
thread :
? Do they mean the table owner? is the trigger creator / owner stored
somewhere ? I dont see it in system tables or the schema dump. Or do
they imply the trigger function owner ?
The owner of a trigger is always the owner of the table.
Maybe controlling the queued and later executed trigger invocations
security context via a new special GUC? such as :trigger_security_ctx = current_user (default) | table/trigger_owner |
execution_triggered_user(in every case a SECURITY DEFINER function would override the above setting)
The PostgreSQL project has made bad experiences with parameters that change
the semantics of SQL statements, so I think that idea will meet resistance.
Besides, what I am proposing in the patch is not to use the owner of the
table, but the current_user at the time that the trigger is queued.
I had the impression that that is what you are looking for.
Executing as table owner can easily be done with a SECURITY DEFINER function.
Yours,
Laurenz Albe
Στις 10/9/24 20:22, ο/η Laurenz Albe έγραψε:
On Tue, 2024-09-10 at 12:20 +0300, Achilleas Mantzios - cloud wrote:
On 9/10/24 00:09, Laurenz Albe wrote:
On Mon, 2024-09-09 at 16:14 +0300, Achilleas Mantzios - cloud wrote:
The below runs on PostgreSQL 16.4
We are trying to implement a certain operation based on a security definer
function : mariner_update_availability_dateThis is supposed to update a table : mariner , which has several other triggers :
[...]
zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON mariner DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dmq()As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger.
This function mariner_update_availability_date is supposed to be run by a user :
cbt_results_import stripped of any privileges to the rest of the system. Here is
what we get : when we SET the constraint of the last trigger to IMMEDIATE, the
function runs on behalf of its owner (postgres) who has all needed privileges
(as superuser) to run the update on mariner table and also run the triggers .
However, when we run with this CONSTRAINT as DEFERRED then it seems to NOT run
the last deferrable trigger as postgres.I have proposed a patch that fixes exactly that case:
https://commitfest.postgresql.org/49/4888/So far, the feedback seems to be that it is not considered a bug.
But that doesn't mean that we cannot change the behavior.Nice work! However I am not sure. What's a trigger owner btw in the
thread :
? Do they mean the table owner? is the trigger creator / owner stored
somewhere ? I dont see it in system tables or the schema dump. Or do
they imply the trigger function owner ?The owner of a trigger is always the owner of the table.
Thank you.
Maybe controlling the queued and later executed trigger invocations
security context via a new special GUC? such as :trigger_security_ctx = current_user (default) | table/trigger_owner |
execution_triggered_user(in every case a SECURITY DEFINER function would override the above setting)
The PostgreSQL project has made bad experiences with parameters that change
the semantics of SQL statements, so I think that idea will meet resistance.Besides, what I am proposing in the patch is not to use the owner of the
table, but the current_user at the time that the trigger is queued.
Yes, your patch "current_user at the time that the trigger is queued "
is my execution_triggered_user from above. Bad naming from my part.
I had the impression that that is what you are looking for.
To be frank, the current behavior albeit confusing to noobs, (and I have
no excuses here using PostgreSQL since 2001 in this same job) , seems
right to me. So I would welcome some kind of GUC/session-level or
DDL/object-level control but still the current behavior is fine to live
with.
Executing as table owner can easily be done with a SECURITY DEFINER function.
Yours,
Laurenz Albe
--
Achilleas Mantzios
IT DEV - HEAD
IT DEPT
Dynacom Tankers Mgmt (as agents only)