On Thu, Apr 22, 2021 at 5:15 PM Stephen Frost <sfrost@snowman.net> wrote:
Greetings,
* Mats Kindahl (mats@timescale.com) wrote: > * To be able to read the configuration tables, "reader" need to have > SELECT privileges. > > * Since the new role is added by the user and not by the extension, > the grants have to be dumped as well. Otherwise, a restore of the > data will have wrong privileges. > > * Since new configuration tables could be added by an update of the > extension, it is necessary to make sure that these privileges are > added to new tables when updating. Typically, this means changing > the default privileges on the schema for the configuration files.
If the extension is updated, I think it's entirely reasonable to expect an admin to have to go in and update the relevant permissions on any new tables that have come into existance and, as I've said elsewhere, I don't think that schema-level default privs should be applied to tables created by extensions. Sadly, no one else seems to have an opinion regarding that and so there hasn't been a change in that, yet, but that's the source of the issue imv.
That is a different way to solve it, but I think that is a little unintuitive. I am actually proposing to still assign default privileges, but not add them to initprivs, to make sure that they are treated the same way before and after an update.
If you want to comment on that, I'd suggest doing so on that thread: