On Thu, 2025-03-06 at 08:49 -0500, Corey Huinker wrote:
> Unless some check was being done by the 'foo.bar'::regclass cast, I
> understand why we should add one.
"For schemas, allows access to objects contained in the schema
(assuming that the objects' own privilege requirements are also met).
Essentially this allows the grantee to “look up” objects within the
schema. Without this permission, it is still possible to see the object
names, e.g., by querying system catalogs. Also, after revoking this
permission, existing sessions might have statements that have
previously performed this lookup, so this is not a completely secure
way to prevent object access."
https://www.postgresql.org/docs/current/ddl-priv.html
The above text indicates that we should do the check, but also that
it's not terribly important for actual security.
> If we do, we'll want to change downgrade the following errors to
> warn+return false:
Perhaps we should consider the schemaname/relname change as one patch,
which maintains relation lookup failures as hard ERRORs, and a
"downgrade errors to warnings" as a separate patch.
> I agree, but the thread conversation had already shifted to doing
> just one single call to pg_stats, so this was just a demonstration.
It's a simple patch and the discussion seems to be shifting toward
parallelism[1] rather than batching[2]. In that case it still seems
like a good change to me, so I'm inclined to commit it after I verify
that it improves performance.
Regards,
Jeff Davis
[1]
https://www.postgresql.org/message-id/714295.1741286854@sss.pgh.pa.us
[2] https://www.postgresql.org/message-id/716907.1741288132@sss.pgh.pa.us
