Thread: no mention of GRANT USAGE in postgres_fdw docs
The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/12/postgres-fdw.html Description: The documentation page for postgres_fdw <https://www.postgresql.org/docs/current/postgres-fdw.html> gives a nice step by step on what's needed to configure a FOREIGN SERVER. However, one crucial step is missed, and that is that you need to issue GRANT USAGE ON FOREIGN SERVER before you can successfully run step 4, IMPORT FOREIGN SCHEMA. Fortunately, I was able to get help on this from some kind folks in #postgresql on IRC, but the documentation should be updated to include this step. Thanks, --Joe
PG Doc comments form <noreply@postgresql.org> writes: > The documentation page for postgres_fdw > <https://www.postgresql.org/docs/current/postgres-fdw.html> gives a nice > step by step on what's needed to configure a FOREIGN SERVER. However, one > crucial step is missed, and that is that you need to issue GRANT USAGE ON > FOREIGN SERVER before you can successfully run step 4, IMPORT FOREIGN > SCHEMA. That paragraph links to the IMPORT FOREIGN SCHEMA reference page, which says To use IMPORT FOREIGN SCHEMA, the user must have USAGE privilege on the foreign server, as well as CREATE privilege on the target schema. I'm not clear why we should duplicate that information here, especially when we're not duplicating any of the other essential information about how to use IMPORT FOREIGN SCHEMA. Nor does this summary mention the privilege requirements for any of the other commands it suggests using. Is there some reason why this was particularly hard to discover? I'd have expected that you got a reasonably clear permissions- failure error from the IMPORT. If you didn't, maybe there's an opportunity to improve that. regards, tom lane
On Fri, Nov 15, 2019 at 12:05 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
PG Doc comments form <noreply@postgresql.org> writes:
> The documentation page for postgres_fdw
> <https://www.postgresql.org/docs/current/postgres-fdw.html> gives a nice
> step by step on what's needed to configure a FOREIGN SERVER. However, one
> crucial step is missed, and that is that you need to issue GRANT USAGE ON
> FOREIGN SERVER before you can successfully run step 4, IMPORT FOREIGN
> SCHEMA.
That paragraph links to the IMPORT FOREIGN SCHEMA reference page,
which says
To use IMPORT FOREIGN SCHEMA, the user must have USAGE privilege on
the foreign server, as well as CREATE privilege on the target schema.
I'm not clear why we should duplicate that information here, especially
when we're not duplicating any of the other essential information about
how to use IMPORT FOREIGN SCHEMA. Nor does this summary mention the
privilege requirements for any of the other commands it suggests using.
The overview page says: "Create a user mapping, using CREATE USER MAPPING, for each database user you want to allow to access each foreign server." It seems reasonable to add that you need to grant those same users the USAGE privilege on each foreign server as well. The bullet list does seem like it is inclusive of all the major SQL Commands that are needed to make this work and since it doesn't just speak of setting up the owner's permissions mentioning GRANT, while slightly redundant, seems in scope.
David J.
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> On Fri, Nov 15, 2019 at 12:05 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I'm not clear why we should duplicate that information here, especially
>> when we're not duplicating any of the other essential information about
>> how to use IMPORT FOREIGN SCHEMA. Nor does this summary mention the
>> privilege requirements for any of the other commands it suggests using.
> The overview page says: "Create a user mapping, using CREATE USER MAPPING,
> for each database user you want to allow to access each foreign server."
> It seems reasonable to add that you need to grant those same users the
> USAGE privilege on each foreign server as well.
But you don't necessarily, do you? I think you only need that to
create a foreign table referencing the server, not to use one that
somebody else created. (Too lazy to check the details right now.)
Anyway, my point is that details like this belong in the respective
command man pages. If we were to copy them into postgres-fdw's
summary, we'd never remember to update that if they changed.
regards, tom lane