BUG #16279: Permissions doc incorrect for pg_buffercache
The following bug has been logged on the website:
Bug reference: 16279
Logged by: Philip Semanchuk
Email address: philip@americanefficient.com
PostgreSQL version: 11.6
Operating system: macOS, also AWS Aurora
Description:
The doc for pg_buffercache says, "By default use is restricted to superusers
and members of the pg_read_all_stats role. Access may be granted to others
using GRANT." (https://www.postgresql.org/docs/11/pgbuffercache.html)
In my experience, users need to be members of pg_monitor, not
pg_read_all_stats. Here's a demo on Postgres 11.6 installed on my Mac.
(Behavior on AWS Aurora Postgres is the same.) 'a_user' is a user with no
special privileges. This first block of SQL shows that a_user can't read
pg_buffercache, as expected.
a_user $ SELECT
r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole,
r.rolcanlogin, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
FROM pg_catalog.pg_roles r
WHERE rolname = current_user
;
rolname | rolsuper | rolinherit | rolcreaterole | rolcanlogin |
rolvaliduntil | memberof
---------+----------+------------+---------------+-------------+---------------+----------
a_user | f | t | f | t |
| {}
(1 row)
a_user $
a_user $ select * from pg_buffercache limit 1;
ERROR: permission denied for view pg_buffercache
In a different session where I'm logged in as superuser, I GRANTed a_user
membership to pg_read_all_stats, but a_user still can't read from
pg_buffercache.
a_user $ SELECT
r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole,
r.rolcanlogin, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
FROM pg_catalog.pg_roles r
WHERE rolname = current_user
;
rolname | rolsuper | rolinherit | rolcreaterole | rolcanlogin |
rolvaliduntil | memberof
---------+----------+------------+---------------+-------------+---------------+---------------------
a_user | f | t | f | t |
| {pg_read_all_stats}
(1 row)
a_user $ select * from pg_buffercache limit 1;
ERROR: permission denied for view pg_buffercache
In my superuser session, I REVOKEd a_user's membership in pg_read_all_stats
and GRANTed membership in pg_monitor, and that enabled access to
pg_buffercache.
a_user $ SELECT
r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole,
r.rolcanlogin, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
FROM pg_catalog.pg_roles r
WHERE rolname = current_user
;
rolname | rolsuper | rolinherit | rolcreaterole | rolcanlogin |
rolvaliduntil | memberof
---------+----------+------------+---------------+-------------+---------------+--------------
a_user | f | t | f | t |
| {pg_monitor}
(1 row)
a_user $
a_user $ select * from pg_buffercache limit 1;
bufferid | relfilenode | reltablespace | reldatabase | relforknumber |
relblocknumber | isdirty | usagecount | pinning_backends
----------+-------------+---------------+-------------+---------------+----------------+---------+------------+------------------
1 | 1262 | 1664 | 0 | 0 |
0 | f | 5 | 0
(1 row)
a_user $
Hello
You are right, in contrib/pg_buffercache/pg_buffercache--1.2--1.3.sql we have
GRANT EXECUTE ON FUNCTION pg_buffercache_pages() TO pg_monitor;
GRANT SELECT ON pg_buffercache TO pg_monitor;
Not pg_read_all_stats. I'm not sure: we need change the extension or fix the documentation? I think pg_read_all_stats would be more appropriate, but we need bump the extension version.
regards, Sergei
On Feb 26, 2020, at 12:11 PM, Sergei Kornilov <sk@zsrv.org> wrote:
Hello
You are right, in contrib/pg_buffercache/pg_buffercache--1.2--1.3.sql we have
GRANT EXECUTE ON FUNCTION pg_buffercache_pages() TO pg_monitor;
GRANT SELECT ON pg_buffercache TO pg_monitor;Not pg_read_all_stats. I'm not sure: we need change the extension or fix the documentation? I think pg_read_all_stats would be more appropriate, but we need bump the extension version.
Thanks for exploring and confirming! I agree that pg_read_all_stats would be more appropriate.
Cheers
Philip
Philip Semanchuk <philip@americanefficient.com> writes:
On Feb 26, 2020, at 12:11 PM, Sergei Kornilov <sk@zsrv.org> wrote:
You are right, in contrib/pg_buffercache/pg_buffercache--1.2--1.3.sql we have
GRANT EXECUTE ON FUNCTION pg_buffercache_pages() TO pg_monitor;
GRANT SELECT ON pg_buffercache TO pg_monitor;
Not pg_read_all_stats. I'm not sure: we need change the extension or fix the documentation? I think pg_read_all_stats would be more appropriate, but we need bump the extension version.
Thanks for exploring and confirming! I agree that pg_read_all_stats would be more appropriate.
Looking at the original discussion, it seems clear that the choice of
pg_monitor was intentional; see in particular
/messages/by-id/CA+OCxowV7eL-DS1Hr-h5N7Tr8Gvn5VGW++YJ2yo6wMN9H3n9Gg@mail.gmail.com
So I think the code is correct and the documentation is a typo.
That's a much easier answer to back-patch, as well.
regards, tom lane
On Feb 27, 2020, at 4:31 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Philip Semanchuk <philip@americanefficient.com> writes:
On Feb 26, 2020, at 12:11 PM, Sergei Kornilov <sk@zsrv.org> wrote:
You are right, in contrib/pg_buffercache/pg_buffercache--1.2--1.3.sql we have
GRANT EXECUTE ON FUNCTION pg_buffercache_pages() TO pg_monitor;
GRANT SELECT ON pg_buffercache TO pg_monitor;
Not pg_read_all_stats. I'm not sure: we need change the extension or fix the documentation? I think pg_read_all_stats would be more appropriate, but we need bump the extension version.Thanks for exploring and confirming! I agree that pg_read_all_stats would be more appropriate.
Looking at the original discussion, it seems clear that the choice of
pg_monitor was intentional; see in particular/messages/by-id/CA+OCxowV7eL-DS1Hr-h5N7Tr8Gvn5VGW++YJ2yo6wMN9H3n9Gg@mail.gmail.com
So I think the code is correct and the documentation is a typo.
That's a much easier answer to back-patch, as well.
Sounds good to me. Thanks for the context!
Cheers
Philip
Philip Semanchuk <philip@americanefficient.com> writes:
On Feb 27, 2020, at 4:31 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Looking at the original discussion, it seems clear that the choice of
pg_monitor was intentional; see in particular
/messages/by-id/CA+OCxowV7eL-DS1Hr-h5N7Tr8Gvn5VGW++YJ2yo6wMN9H3n9Gg@mail.gmail.com
So I think the code is correct and the documentation is a typo.
That's a much easier answer to back-patch, as well.
Sounds good to me. Thanks for the context!
Re-reading the pg_buffercache documentation, I was reminded that that
view can have a pretty significant performance hit if you've got lots
of shared buffers. So I think being restrictive about it is good
policy, reinforcing the view that the code made the right choice.
I pushed a patch fixing the docs, in v10 and up.
regards, tom lane