Clarification on pg_dump behavior for security labels and policies on extension objects - Mailing list pgsql-hackers

From Fujii Masao
Subject Clarification on pg_dump behavior for security labels and policies on extension objects
Date
Msg-id CAHGQGwGUC0yRLAhOSR3S3PDKHKtjYz1uHkYK9=2ogsLfNP--RA@mail.gmail.com
List pgsql-hackers
Hi,

While working on the patch committed at 762faf702c6,
I noticed the following section in the docs:

https://www.postgresql.org/docs/devel/extend-extensions.html
> PostgreSQL does not currently support extension scripts issuing CREATE POLICY
> or SECURITY LABEL statements. These are expected to be set after
> the extension has been created. All RLS policies and security labels on
> extension objects will be included in dumps created by pg_dump.

It seems the last sentence isn't entirely accurate. My quick test (below)
shows that a security label on the pgstattuple function is included
in the dump only when the --binary-upgrade option is used.

Should we update the docs to say something like:

    --------------------
    Note that all RLS policies and security labels on extension objects will
    be included in dumps created by pg_dump only when the --binary-upgrade
    option is specified.
    --------------------

Or is this a bug - should pg_dump include them even without --binary-upgrade?

For reference, the current behavior comes from checkExtensionMembership()
in pg_dump.c, which skips dumping components like DUMP_COMPONENT_SECLABEL
unless --binary-upgrade is specified.

------------------------
$ psql
=# CREATE EXTENSION dummy_seclabel ;
=# CREATE EXTENSION pgstattuple ;
=# SECURITY LABEL ON FUNCTION pgstattuple(regclass) IS 'classified';
=# \q

$ pg_dump | grep -i "security label"
COMMENT ON EXTENSION dummy_seclabel IS 'Test code for SECURITY LABEL feature';

$ pg_dump --binary-upgrade | grep -i "security label"
COMMENT ON EXTENSION dummy_seclabel IS 'Test code for SECURITY LABEL feature';
-- Name: FUNCTION pgstattuple(reloid regclass, OUT table_len bigint,
OUT tuple_count bigint, OUT tuple_len bigint, OUT tuple_percent double
precision, OUT dead_tuple_count bigint, OUT dead_tuple_len bigint, OUT
dead_tuple_percent double precision, OUT free_space bigint, OUT
free_percent double precision); Type: SECURITY LABEL; Schema: public;
Owner: postgres
SECURITY LABEL FOR dummy ON FUNCTION public.pgstattuple(reloid
regclass, OUT table_len bigint, OUT tuple_count bigint, OUT tuple_len
bigint, OUT tuple_percent double precision, OUT dead_tuple_count
bigint, OUT dead_tuple_len bigint, OUT dead_tuple_percent double
precision, OUT free_space bigint, OUT free_percent double precision)
IS 'classified';
------------------------

Regards,

-- 
Fujii Masao
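
Added example, not part of the original message and not PostgreSQL's own code: a catalog query that lists the security labels and RLS policies currently attached to extension member objects, so each row can be checked against what a given pg_dump invocation actually emits. It assumes the standard catalogs pg_seclabel, pg_policy, pg_depend and pg_extension, with extension membership recorded in pg_depend as deptype 'e'.

```sql
-- Added example: inventory of security labels and RLS policies that sit on
-- objects owned by an extension. Run in the database that will be dumped.

-- Security labels whose target object (or its parent, for column labels)
-- is a member of an extension.
SELECT e.extname::text                                      AS extension,
       'SECURITY LABEL'                                     AS kind,
       l.provider                                           AS provider,
       pg_describe_object(l.classoid, l.objoid, l.objsubid) AS object,
       l.label                                              AS detail
FROM pg_seclabel l
JOIN pg_depend d
  ON d.classid    = l.classoid
 AND d.objid      = l.objoid
 AND d.objsubid   = 0                       -- membership is per whole object
 AND d.deptype    = 'e'                     -- 'e' = member of an extension
 AND d.refclassid = 'pg_extension'::regclass
JOIN pg_extension e ON e.oid = d.refobjid

UNION ALL

-- RLS policies defined on tables that are members of an extension.
SELECT e.extname::text,
       'POLICY',
       NULL::text,
       p.polrelid::regclass::text,
       p.polname::text
FROM pg_policy p
JOIN pg_depend d
  ON d.classid    = 'pg_class'::regclass
 AND d.objid      = p.polrelid
 AND d.objsubid   = 0
 AND d.deptype    = 'e'
 AND d.refclassid = 'pg_extension'::regclass
JOIN pg_extension e ON e.oid = d.refobjid

ORDER BY 1, 2, 4;
```

With the setup from the test session above, the label on pgstattuple(regclass) should appear as one row; comparing the rows against the output of pg_dump with and without --binary-upgrade shows which of them a given dump carries.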


