Clarification on Role Access Rights to Table Indexes

On Monday, February 17, 2025, Ayush Vatsa <ayushvatsa1810@gmail.com> wrote:

postgres=# CREATE ROLE alpha;

CREATE ROLE
postgres=# GRANT SELECT ON pg_class TO alpha;

This is pointless, everyone (i.e. the PUBLIC pseudo-role) can already read
pg_class.

1. Can a role have access rights to a table without having access to its

index?

Roles don’t directly interact with indexes in PostgreSQL so this doesn’t
even make sense. But if you need a yes/no answer, then yes.

3. If no, and the role inherently gets access to the index when granted
access to the table, why
does the pg_prewarm call fail [1] in the above scenario?

[1] https://github.com/postgres/postgres/blob/master/contrib
/pg_prewarm/pg_prewarm.c#L108-L110

It fails because AFAICS there is no way for it to work on an index, only
tables.

David J.

Ayush Vatsa <ayushvatsa1810@gmail.com> writes:

postgres=> SELECT pg_prewarm('pg_class_oid_index');
ERROR: permission denied for index pg_class_oid_index

You'd really have to take that up with the author of pg_prewarm.
It's not apparent to me why checking SQL access permissions is
the right mechanism for limiting use of pg_prewarm. It seems
like ownership of the table would be more appropriate, or maybe
access to one of the built-in roles like pg_maintain.

1. Can a role have access rights to a table without having access to its
index?

Indexes do not have access rights of their own, which is why
access rights are a poor gating mechanism for something that
needs to be applicable to indexes. Ownership could work,
because we make indexes inherit their table's ownership.

regards, tom lane

This is pointless, everyone (i.e. the PUBLIC pseudo-role) can already

read pg_class.
True, Just checked that.

It fails because AFAICS there is no way for it to work on an index, only

tables.
pg_prewarm extension works on index if we have right (SELECT) privileges
postgres=# CREATE TABLE x(id INT);
CREATE TABLE
postgres=# CREATE INDEX idx ON x(id);
CREATE INDEX

postgres=# INSERT INTO x SELECT * FROM generate_series(1,10000);
INSERT 0 10000
postgres=# SELECT pg_prewarm('x');
pg_prewarm
------------
45
(1 row)

postgres=# SELECT pg_prewarm('idx');
pg_prewarm
------------
30
(1 row)

It seems like ownership of the table would be more appropriate, or maybe
access to one of the built-in roles like pg_maintain.

True, adding Robert Haas (author) to this thread for his opinion.

Regards,
Ayush Vatsa
SDE AWS

On Monday, February 17, 2025, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Ayush Vatsa <ayushvatsa1810@gmail.com> writes:

postgres=> SELECT pg_prewarm('pg_class_oid_index');
ERROR: permission denied for index pg_class_oid_index

You'd really have to take that up with the author of pg_prewarm.

This is our contrib module so this seems like the expected place to ask
such a question. It’s neither a bug nor a topic for -hackers. FTR, Robert
Haas is the author from 2013. Not sure he monitors -general though.

David J.

"David G. Johnston" <david.g.johnston@gmail.com> writes:

On Monday, February 17, 2025, Tom Lane <tgl@sss.pgh.pa.us> wrote:

You'd really have to take that up with the author of pg_prewarm.

This is our contrib module so this seems like the expected place to ask
such a question. It’s neither a bug nor a topic for -hackers. FTR, Robert
Haas is the author from 2013. Not sure he monitors -general though.

Ah, you are right, I was thinking it was a third-party extension.

If we're talking about changing the behavior of a contrib module,
I think -hackers would be the appropriate location for that.
And it does seem like this deserves a fresh look. As it stands,
a superuser can prewarm an index (because she bypasses all
privilege checks including this one), but nobody else can.
Seems weird.

regards, tom lane

As it stands, a superuser can prewarm an index (because she bypasses all
privilege checks including this one), but nobody else can.

That's not fully true. Any role can prewarm an index if the role has the
correct privileges.
postgres=# GRANT CREATE ON SCHEMA PUBLIC TO alpha;
GRANT
postgres=# SET ROLE alpha;
SET
postgres=> CREATE TABLE tab(id INT);
CREATE TABLE
postgres=> CREATE INDEX tab_idx ON tab(id);
CREATE INDEX
postgres=> SELECT pg_prewarm('tab_idx');
pg_prewarm
------------
1
(1 row)

Don't know what stopped it from prewarming the catalog table index.
Maybe it's checking who is the owner of the table. Although in code
it's just checking the ACL_SELECT [1]https://github.com/postgres/postgres/blob/master/contrib/pg_prewarm/pg_prewarm.c#L108-L110. I will be debugging more here
and maybe create a patch for the same.

postgres=# RESET ROLE;
RESET
postgres=# CREATE TABLE superuser_tab(id INT);
CREATE TABLE
postgres=# CREATE INDEX idx_superuser_tab ON superuser_tab(id);
CREATE INDEX
postgres=# GRANT SELECT ON superuser_tab TO alpha;
GRANT
postgres=# SET ROLE alpha;
SET
postgres=> SELECT pg_prewarm('superuser_tab');
pg_prewarm
------------
0
(1 row)
postgres=> SELECT pg_prewarm('idx_superuser_tab');
ERROR: permission denied for index idx_superuser_tab

postgres=> RESET ROLE;
RESET
postgres=# ALTER TABLE superuser_tab OWNER TO alpha;
ALTER TABLE
postgres=# SET ROLE alpha;
SET
postgres=> SELECT pg_prewarm('idx_superuser_tab');
pg_prewarm
------------
1
(1 row)

But I agree we should just check the table privileges even in the case of
indexes to decide whether to prewarm or not, as
*indexes don't have any privilegesof their own.*

I think -hackers would be the appropriate location for that.

I am shifting this to -hackers mailing list instead of general.

[1]: https://github.com/postgres/postgres/blob/master/contrib/pg_prewarm/pg_prewarm.c#L108-L110
https://github.com/postgres/postgres/blob/master/contrib/pg_prewarm/pg_prewarm.c#L108-L110

Regards,
Ayush Vatsa
SDE AWS

Ayush Vatsa <ayushvatsa1810@gmail.com> writes:

As it stands, a superuser can prewarm an index (because she bypasses all
privilege checks including this one), but nobody else can.

That's not fully true. Any role can prewarm an index if the role has the
correct privileges.

Ah, right. An index will have null pg_class.relacl, which'll be
interpreted as "owner has all rights", so it will work for the
table owner too. Likely this explains the lack of prior complaints.
It's still a poor design IMO.

regards, tom lane

On Mon, 2025-02-17 at 23:31 +0530, Ayush Vatsa wrote:

postgres=> SELECT pg_prewarm('pg_class_oid_index');
ERROR:  permission denied for index pg_class_oid_index
postgres=> RESET ROLE;
RESET

postgres=# GRANT SELECT ON pg_class_oid_index TO alpha;
ERROR:  "pg_class_oid_index" is an index
Based on this, I have few questions:
1. Can a role have access rights to a table without having access to its index?
2. If yes, how can we explicitly grant access to the index?
3. If no, and the role inherently gets access to the index when granted access to the table, why
does the pg_prewarm call fail [1] in the above scenario?

I have seen a complaint about this bug before:
https://dba.stackexchange.com/a/344603/176905

Yours,
Laurenz Albe

--

*E-Mail Disclaimer*
Der Inhalt dieser E-Mail ist ausschliesslich fuer den
bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat
dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte,
dass jede Form der Kenntnisnahme, Veroeffentlichung, Vervielfaeltigung oder
Weitergabe des Inhalts dieser E-Mail unzulaessig ist. Wir bitten Sie, sich
in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen.

*CONFIDENTIALITY NOTICE & DISCLAIMER
*This message and any attachment are
confidential and may be privileged or otherwise protected from disclosure
and solely for the use of the person(s) or entity to whom it is intended.
If you have received this message in error and are not the intended
recipient, please notify the sender immediately and delete this message and
any attachment from your system. If you are not the intended recipient, be
advised that any use of this message is prohibited and may be unlawful, and
you must not copy this message or attachment or disclose the contents to
any other person.

On Mon, Feb 17, 2025 at 2:57 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Ayush Vatsa <ayushvatsa1810@gmail.com> writes:

As it stands, a superuser can prewarm an index (because she bypasses all
privilege checks including this one), but nobody else can.

That's not fully true. Any role can prewarm an index if the role has the
correct privileges.

Ah, right. An index will have null pg_class.relacl, which'll be
interpreted as "owner has all rights", so it will work for the
table owner too. Likely this explains the lack of prior complaints.
It's still a poor design IMO.

I'm not sure if I'd call that a "design". Sounds like I just made a
mistake here.

--
Robert Haas
EDB: http://www.enterprisedb.com

I'm not sure if I'd call that a "design". Sounds like I just made a
mistake here.

Thanks Robert for confirming, let me submit a patch to fix the same.

Regards
Ayush Vatsa
ADE AWS

Ayush Vatsa <ayushvatsa1810@gmail.com> writes:

Thanks Robert for confirming, let me submit a patch to fix the same.

Well, the first thing you need is consensus on what the behavior
should be instead.

I have a very vague recollection that we concluded that SELECT
privilege was a reasonable check because if you have that you
could manually prewarm by reading the table. That would lead
to the conclusion that the minimal fix is to look at the owning
table's privileges instead of the index's own privileges.

Or we could switch to using ownership, which'd keep the code
simple but some users might complain it's too restrictive.

While I mentioned built-in roles earlier, I now think those mostly
carry more privilege than should be required here, given the analogy
to SELECT.

regards, tom lane

On Mon, Feb 17, 2025 at 3:02 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Ayush Vatsa <ayushvatsa1810@gmail.com> writes:

Thanks Robert for confirming, let me submit a patch to fix the same.

Well, the first thing you need is consensus on what the behavior
should be instead.

I have a very vague recollection that we concluded that SELECT
privilege was a reasonable check because if you have that you
could manually prewarm by reading the table. That would lead
to the conclusion that the minimal fix is to look at the owning
table's privileges instead of the index's own privileges.

I feel like if you can blow up the cache by loading an entire table into
memory with just select privilege on the table we should be ok with
allowing the same person to name an index on the same table and load it
into the cache too.

David J.

On Mon, Feb 17, 2025 at 5:18 PM David G. Johnston
<david.g.johnston@gmail.com> wrote:

I have a very vague recollection that we concluded that SELECT
privilege was a reasonable check because if you have that you
could manually prewarm by reading the table. That would lead
to the conclusion that the minimal fix is to look at the owning
table's privileges instead of the index's own privileges.

I feel like if you can blow up the cache by loading an entire table into memory with just select privilege on the table we should be ok with allowing the same person to name an index on the same table and load it into the cache too.

+1.

--
Robert Haas
EDB: http://www.enterprisedb.com

Robert Haas <robertmhaas@gmail.com> writes:

On Mon, Feb 17, 2025 at 5:18 PM David G. Johnston
<david.g.johnston@gmail.com> wrote:

I have a very vague recollection that we concluded that SELECT
privilege was a reasonable check because if you have that you
could manually prewarm by reading the table. That would lead
to the conclusion that the minimal fix is to look at the owning
table's privileges instead of the index's own privileges.

I feel like if you can blow up the cache by loading an entire table into memory with just select privilege on the table we should be ok with allowing the same person to name an index on the same table and load it into the cache too.

+1.

Is that a +1 for the specific design of "check SELECT on the index's
table", or just a +1 for changing something here?

regards, tom lane

On Tue, Feb 18, 2025 at 11:02 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Is that a +1 for the specific design of "check SELECT on the index's
table", or just a +1 for changing something here?

That is a +1 for the specific design of "check SELECT on the index's
table". I don't want to be closed-minded: if you have some strong
reason for believing that's the wrong thing to do, I'm all ears.
However, I'm presently of the view that it is exactly the right thing
to do, to the point where I don't currently understand why there's
anything to think about here.

--
Robert Haas
EDB: http://www.enterprisedb.com

Robert Haas <robertmhaas@gmail.com> writes:

That is a +1 for the specific design of "check SELECT on the index's
table". I don't want to be closed-minded: if you have some strong
reason for believing that's the wrong thing to do, I'm all ears.
However, I'm presently of the view that it is exactly the right thing
to do, to the point where I don't currently understand why there's
anything to think about here.

I have no objection to it, but I wasn't as entirely convinced
as you are that it's the only plausible answer.

One specific thing I'm slightly worried about is that a naive
implementation would probably cause this function to lock the
table after the index, risking deadlock against queries that
take the locks in the more conventional order. I don't recall
what if anything we've done about that in other places
(-ENOCAFFEINE).

regards, tom lane

On Tue, Feb 18, 2025 at 11:30 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:

I have no objection to it, but I wasn't as entirely convinced
as you are that it's the only plausible answer.

Hmm, OK.

One specific thing I'm slightly worried about is that a naive
implementation would probably cause this function to lock the
table after the index, risking deadlock against queries that
take the locks in the more conventional order. I don't recall
what if anything we've done about that in other places
(-ENOCAFFEINE).

Yeah, that seems like a good thing to worry about from an
implementation point of view but it doesn't seem like a reason to
question the basic design choice. In general, if you can use a table,
you also get to use its indexes, so that interpretation seems natural
to me here, also. Now, if somebody finds a problem with requiring only
SELECT permission, I could see changing the requirements for both
tables and indexes, but I find it harder to imagine that we'd want
those things to work differently from each other. Of course I'm
willing to be convinced that there's a good reason for them to be
different; I just can't currently imagine what it might be.

--
Robert Haas
EDB: http://www.enterprisedb.com

Hello Everyone,
It seems there's a general consensus that we should maintain a
original design to support pg_prewarm, with a minor adjustment:
when querying indexes, we should verify the privileges of the parent table.

I’ve attached a patch for this, which includes some test cases as well.
Let me know if it needs any changes.

Regards,
Ayush Vatsa
SDE AWS

Added the CF entry for the same -
https://commitfest.postgresql.org/patch/5583/

Regards,
Ayush Vatsa
SDE AWS