Re: allow granting CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX - Mailing list pgsql-hackers

From: Nathan Bossart
Subject: Re: allow granting CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX
Msg-id: 20230615041044.GA736001@nathanxps13
In response to: Re: allow granting CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX (Michael Paquier <michael@paquier.xyz>)
Responses: Re: allow granting CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX
List: pgsql-hackers
On Thu, Jun 15, 2023 at 09:46:33AM +0900, Michael Paquier wrote:
> The result after 0001 is applied is that a couple of
> object_ownercheck() calls that existed before ff9618e are removed from
> some ACL checks in the REINDEX, CLUSTER and VACUUM paths.  Is that OK
> for shared relations and shouldn't cluster_is_permitted_for_relation()
> include that?  vacuum_is_permitted_for_relation() is consistent on
> this side.

These object_ownercheck() calls were removed because they were redundant,
as owners have all privileges by default.  Privileges can be revoked from
the owner, so an extra ownership check would effectively bypass the
relation's ACL in that case.  I looked around and didn't see any other
examples of a combined ownership and ACL check like we were doing for
MAINTAIN.  The only thing that gives me pause is that the docs call out
ownership as sufficient for some maintenance commands.  With these patches,
that's only true as long as no one revokes privileges from the owner.  IMO
we should update the docs and leave out the ownership checks since MAINTAIN
is now a grantable privilege like any other.  WDYT?

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
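The behaviour Nathan describes (the owner holds MAINTAIN only by default, and once it is revoked nothing else lets the owner run the maintenance command) can be observed from psql. The following is an added demonstration, not part of this thread or of the patch set; it assumes a PostgreSQL release in which MAINTAIN is a grantable table privilege (PostgreSQL 17 or later), and the role and table names are made up for the example.

```sql
-- Constructed demonstration; role and table names are arbitrary.
CREATE ROLE tbl_owner LOGIN;
CREATE TABLE maint_demo (id int);
ALTER TABLE maint_demo OWNER TO tbl_owner;

-- With a NULL ACL the owner implicitly holds every privilege, MAINTAIN included.
SELECT has_table_privilege('tbl_owner', 'maint_demo', 'MAINTAIN');   -- t

-- The owner's own privileges can be revoked like anyone else's.
REVOKE MAINTAIN ON maint_demo FROM tbl_owner;

-- Still the owner, but no longer permitted to maintain the table:
-- an ownership check would say yes, the ACL says no.
SELECT c.relowner::regrole AS owner,
       has_table_privilege('tbl_owner', 'maint_demo', 'MAINTAIN') AS can_maintain
  FROM pg_class c
 WHERE c.oid = 'maint_demo'::regclass;                               -- tbl_owner | f

-- With no separate ownership check in the command path, the ACL decides;
-- VACUUM reports that permission is denied and skips the table.
SET ROLE tbl_owner;
VACUUM maint_demo;
RESET ROLE;

-- Owners always hold grant authority on their objects, so the privilege
-- can be handed back (by the owner or a superuser) at any time.
GRANT MAINTAIN ON maint_demo TO tbl_owner;
SELECT has_table_privilege('tbl_owner', 'maint_demo', 'MAINTAIN');   -- t

-- Cleanup.
DROP TABLE maint_demo;
DROP ROLE tbl_owner;
```

The second SELECT is the crux of the discussion: relowner still names tbl_owner while has_table_privilege() returns false, which is exactly the state in which a retained object_ownercheck() call would have let the command through despite the revoke.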


