Greetings,
* Mats Kindahl (mats@timescale.com) wrote:
> On Thu, Apr 22, 2021 at 5:15 PM Stephen Frost <sfrost@snowman.net> wrote:
> > * Mats Kindahl (mats@timescale.com) wrote:
> > > * To be able to read the configuration tables, "reader" need to have
> > > SELECT privileges.
> > >
> > > * Since the new role is added by the user and not by the extension,
> > > the grants have to be dumped as well. Otherwise, a restore of the
> > > data will have wrong privileges.
> > >
> > > * Since new configuration tables could be added by an update of the
> > > extension, it is necessary to make sure that these privileges are
> > > added to new tables when updating. Typically, this means changing
> > > the default privileges on the schema for the configuration files.
> >
> > If the extension is updated, I think it's entirely reasonable to expect
> > an admin to have to go in and update the relevant permissions on any new
> > tables that have come into existance and, as I've said elsewhere, I
> > don't think that schema-level default privs should be applied to tables
> > created by extensions. Sadly, no one else seems to have an opinion
> > regarding that and so there hasn't been a change in that, yet, but
> > that's the source of the issue imv.
>
> That is a different way to solve it, but I think that is a little
> unintuitive. I am actually proposing to still assign default privileges,
> but not add them to initprivs, to make sure that they are treated the same
> way before and after an update.
Yes, I understood your suggestion, but I did, and still do, disagree
with that approach- how is an admin supposed to correctly guess what
permissions would be appropriate for new tables being added during an
upgrade of an extension? Not to mention that extensions routinely get
added to existing schemas and I don't think it's at all obvious to
users that tables, functions, etc, added by an extension into a schema
should get the default privileges for that schema (and that could even
lead to security issues, I suspect...), not to mention that you have to
wonder if the privileges installed by the extension should be applied
*first*, and default privs after, or if the default privileges should
be first and the extension's privileges after. As it's currently the
latter, it's rather complicated as the extension has no idea what to
expect the privileges on the object to be and so how can it sensibly set
privileges on it..?
More and more it looks clear to me that this is really just broken and
we need to stop applying default privs to objects created by extensions.
Thanks,
Stephen
