BUG #8315: GRANTS allowed on extension functions, but not dumped by pg_dump

Started by Jeff Frost, over 12 years ago, 4 messages, bugs

#1 Jeff Frost
jeff@pgexperts.com

The following bug has been logged on the website:

Bug reference: 8315
Logged by: Jeff Frost
Email address: jeff@pgexperts.com
PostgreSQL version: 9.2.4
Operating system: Scientific Linux 6
Description:

Simple test case:

pgx-test:~ $ createdb permtest
pgx-test:~ $ psql permtest
psql (9.2.4)
Type "help" for help.

permtest=# create extension dblink;
CREATE EXTENSION

permtest=# create role permtestuser with login nosuperuser;

permtest=# grant EXECUTE on FUNCTION dblink(text) to permtestuser;
GRANT

pgx-test:~ $ pg_dump -s permtest | grep GRANT
GRANT ALL ON SCHEMA public TO postgres;
GRANT ALL ON SCHEMA public TO PUBLIC;

I imagine we are expecting people to write security definer wrapper
functions, but if so, we should probably not allow them to grant permissions
on extension functions (and tables?) if we aren't going to preserve them in
the dump.

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Jeff Frost (#1)
Re: BUG #8315: GRANTS allowed on extension functions, but not dumped by pg_dump

jeff@pgexperts.com writes:

> permtest=# create extension dblink;
> CREATE EXTENSION
> permtest=# grant EXECUTE on FUNCTION dblink(text) to permtestuser;
> GRANT

I see no bug here. This is not different from any other
property-alteration you might do on an extension member object.
We allow that (if you have privileges), but it's up to you to keep it
in sync with the extension definition file.

regards, tom lane


#3 Jeff Frost
jeff@pgexperts.com
In reply to: Jeff Frost (#1)
Re: BUG #8315: GRANTS allowed on extension functions, but not dumped by pg_dump

On Jul 18, 2013, at 11:47 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> jeff@pgexperts.com writes:
>
>> permtest=# create extension dblink;
>> CREATE EXTENSION
>> permtest=# grant EXECUTE on FUNCTION dblink(text) to permtestuser;
>> GRANT
>
> I see no bug here. This is not different from any other
> property-alteration you might do on an extension member object.
> We allow that (if you have privileges), but it's up to you to keep it
> in sync with the extension definition file.

So, perhaps we could warn users on extension property alterations?

Definitely seems like a gotcha.


#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Jeff Frost (#3)
Re: BUG #8315: GRANTS allowed on extension functions, but not dumped by pg_dump

Jeff Frost <jeff@pgexperts.com> writes:

> On Jul 18, 2013, at 11:47 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
>> I see no bug here. This is not different from any other
>> property-alteration you might do on an extension member object.
>> We allow that (if you have privileges), but it's up to you to keep it
>> in sync with the extension definition file.
>
> So, perhaps we could warn users on extension property alterations?

Hm, I had thought there already was such a discussion in the docs,
but I can't find it now. Do you want to draft some text?

regards, tom lane

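
An added example, not part of the thread and not PostgreSQL's own tooling: a catalog query that lists privileges granted on functions belonging to an extension, such as the dblink(text) grant in the report, and emits GRANT statements that can be saved next to the schema dump and replayed after a restore. It relies only on the system catalogs pg_depend, pg_extension and pg_proc plus aclexplode(); the CTE name and column aliases are chosen for this example.

```sql
-- Find functions that are members of an extension (pg_depend.deptype = 'e')
-- and whose ACL has been set explicitly. A NULL proacl means the default
-- privileges were never touched, so those functions are skipped.
WITH ext_func_acl AS (
    SELECT e.extname,
           p.oid      AS func_oid,
           p.proowner AS func_owner,
           aclexplode(p.proacl) AS acl   -- one row per (grantee, privilege)
    FROM pg_depend d
    JOIN pg_extension e
      ON d.refclassid = 'pg_extension'::regclass
     AND e.oid = d.refobjid
    JOIN pg_proc p
      ON d.classid = 'pg_proc'::regclass
     AND p.oid = d.objid
    WHERE d.deptype = 'e'
      AND p.proacl IS NOT NULL
)
SELECT extname,
       func_oid::regprocedure AS function_signature,
       CASE WHEN (acl).grantee = 0 THEN 'PUBLIC'          -- OID 0 means PUBLIC
            ELSE quote_ident(pg_get_userbyid((acl).grantee))
       END AS grantee,
       (acl).privilege_type,
       -- Statement to replay after restoring a dump that lacks this grant.
       format('GRANT %s ON FUNCTION %s TO %s%s;',
              (acl).privilege_type,
              func_oid::regprocedure,
              CASE WHEN (acl).grantee = 0 THEN 'PUBLIC'
                   ELSE quote_ident(pg_get_userbyid((acl).grantee))
              END,
              CASE WHEN (acl).is_grantable THEN ' WITH GRANT OPTION'
                   ELSE ''
              END) AS regrant_sql
FROM ext_func_acl
WHERE (acl).grantee <> func_owner      -- the owner's own entry is implicit
ORDER BY extname, function_signature, grantee;
```

Once any GRANT has been issued on a function, its ACL also carries the default PUBLIC EXECUTE entry, so that row appears in the output as well. A privilege that was revoked shows up only as a missing row, so REVOKEs on extension functions need to be tracked separately.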