Re: Remove superuser() checks from pgstattuple - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Remove superuser() checks from pgstattuple
Date
Msg-id 20160904154158.GN4028@tamriel.snowman.net
In response to Re: Remove superuser() checks from pgstattuple  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: Remove superuser() checks from pgstattuple  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
* Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote:
> On 8/23/16 5:22 PM, Stephen Frost wrote:
> > Now that we track initial privileges on extension objects and changes to
> > those permissions, we can drop the superuser() checks from the various
> > functions which are part of the pgstattuple extension.
> >
> > Since a pg_upgrade will preserve the version of the extension which
> > existed prior to the upgrade, we can't simply modify the existing
> > functions but instead need to create new functions which remove the
> > checks and update the SQL-level functions to use the new functions
>
> I think this is a good change to pursue, and we'll likely want to do
> more similar changes in contrib.  But I'm worried that what is logically
> a 10-line change will end up a 20 KiB patch every time.

This is primarily due to how we handle new versions of an extension.
Any change to an extension is going to involve a new upgrade script and
the removal of the prior version install script and addition of the new
version install scripts.

> Have we explored other options for addressing the upgrade problems?

We did discuss the upgrade issue and Noah proposed the current approach,
which appears to be the best option.

> Maybe the function could check that non-default privileges have been
> granted?

Simply changing the function to behave differently depending on what
privileges have or haven't been granted doesn't seem like a very good
idea.

Consider an existing installation where the admin tried to grant access
to one of these functions:

GRANT EXECUTE ON FUNCTION pgstattuple_func() TO bob;

This would result in a GRANT to bob explicitly, and the GRANT to public
would still be there also.

Then an upgrade of PG, without upgrading the extension, would lead to
any user being able to execute the function.  An upgrade of the
extension would revoke the GRANT to PUBLIC and, further, would
hopefully cause the admin to consider checking the documentation about
the upgrade (which needs to be added; I'll do that).

We also created a new version to add the PARALLEL SAFE markings to the
functions.  In general, I believe it's better to use a new version when
we're making these kinds of changes.

Thanks!

Stephen
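The scenario above (an explicit GRANT to bob that leaves the default GRANT to PUBLIC in place) can be checked directly in the catalogs. The following is an added example, not code from the thread or from the pgstattuple extension; it assumes the extension is installed as "pgstattuple" and uses the real pgstattuple(regclass) signature in the remediation step, while "bob" is the role name from the message.

```sql
-- Added example: find functions owned by the pgstattuple extension that
-- PUBLIC can still execute. proacl IS NULL means the built-in default
-- applies (EXECUTE granted to PUBLIC); otherwise look for an explicit
-- PUBLIC entry, which aclexplode() reports with grantee = 0.
SELECT p.oid::regprocedure            AS function,
       CASE WHEN p.proacl IS NULL
            THEN 'default ACL (PUBLIC may EXECUTE)'
            ELSE 'explicit PUBLIC grant' END AS reason
FROM   pg_proc p
JOIN   pg_depend d
       ON  d.objid      = p.oid
       AND d.classid    = 'pg_proc'::regclass
       AND d.refclassid = 'pg_extension'::regclass
       AND d.deptype    = 'e'          -- member object of an extension
JOIN   pg_extension e ON e.oid = d.refobjid
WHERE  e.extname = 'pgstattuple'
  AND (p.proacl IS NULL
       OR EXISTS (SELECT 1
                  FROM   aclexplode(p.proacl) a
                  WHERE  a.grantee = 0            -- 0 = PUBLIC
                  AND    a.privilege_type = 'EXECUTE'));

-- Remediation for one function (repeat per function the query lists):
-- revoke the default grant first, then grant only to the intended role.
-- With only the second statement, PUBLIC keeps EXECUTE, which is exactly
-- the state the message describes.
REVOKE EXECUTE ON FUNCTION pgstattuple(regclass) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION pgstattuple(regclass) TO bob;

-- Verify: should now return false for a role without the grant and
-- true for bob (assumes a role named 'nobody_role' exists for the test).
SELECT has_function_privilege('nobody_role', 'pgstattuple(regclass)', 'EXECUTE'),
       has_function_privilege('bob',         'pgstattuple(regclass)', 'EXECUTE');
```

Run the SELECT before and after an extension upgrade to confirm whether the upgrade script actually revoked the PUBLIC grant on each function.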
