Thread: pg_dump dumps row level policies on extension tables

pg_dump dumps row level policies on extension tables

From
Pavan Deolasee
Date:
Hi,

I noticed that if a row level policy is defined on an extension
object, even in the extension creation script, pg_dump dumps a
separate CREATE POLICY statement for such policies. That makes the
dump unrestorable because the CREATE EXTENSION and CREATE POLICY then
conflicts.

Here is a simple example. I just abused the pageinspect contrib module
to demonstrate the problem.

```
diff --git a/contrib/pageinspect/pageinspect--1.5.sql
b/contrib/pageinspect/pageinspect--1.5.sql
index 1e40c3c97e..f04d70d1c1 100644
--- a/contrib/pageinspect/pageinspect--1.5.sql
+++ b/contrib/pageinspect/pageinspect--1.5.sql
@@ -277,3 +277,9 @@ CREATE FUNCTION gin_leafpage_items(IN page bytea,
 RETURNS SETOF record
 AS 'MODULE_PATHNAME', 'gin_leafpage_items'
 LANGUAGE C STRICT PARALLEL SAFE;
+
+-- sample table
+CREATE TABLE pf_testtab (a int, b int);
+-- sample policy
+CREATE POLICY p1 ON pf_testtab
+FOR SELECT USING (true);
```

If I now take a dump of a database with pageinspect extension created,
the dump has the following.

```

--
-- Name: pageinspect; Type: EXTENSION; Schema: -; Owner:
--

CREATE EXTENSION IF NOT EXISTS pageinspect WITH SCHEMA public;

--
-- Name: pf_testtab p1; Type: POLICY; Schema: public; Owner: pavan
--

CREATE POLICY p1 ON public.pf_testtab FOR SELECT USING (true);

```

That's a problem. The CREATE POLICY statement fails during restore
because CREATE EXTENSION already creates the policy.

Are we missing recording dependency on extension for row level
policies? Or somehow pg_dump should skip dumping those policies?

Thanks,
Pavan

--
 Pavan Deolasee                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services



Re: pg_dump dumps row level policies on extension tables

From
Masahiko Sawada
Date:
On Tue, 19 May 2020 at 15:31, Pavan Deolasee <pavan.deolasee@gmail.com> wrote:
>
> Hi,
>
> I noticed that if a row level policy is defined on an extension
> object, even in the extension creation script, pg_dump dumps a
> separate CREATE POLICY statement for such policies. That makes the
> dump unrestorable because the CREATE EXTENSION and CREATE POLICY then
> conflicts.
>
> Here is a simple example. I just abused the pageinspect contrib module
> to demonstrate the problem.
>
> ```
> diff --git a/contrib/pageinspect/pageinspect--1.5.sql
> b/contrib/pageinspect/pageinspect--1.5.sql
> index 1e40c3c97e..f04d70d1c1 100644
> --- a/contrib/pageinspect/pageinspect--1.5.sql
> +++ b/contrib/pageinspect/pageinspect--1.5.sql
> @@ -277,3 +277,9 @@ CREATE FUNCTION gin_leafpage_items(IN page bytea,
>  RETURNS SETOF record
>  AS 'MODULE_PATHNAME', 'gin_leafpage_items'
>  LANGUAGE C STRICT PARALLEL SAFE;
> +
> +-- sample table
> +CREATE TABLE pf_testtab (a int, b int);
> +-- sample policy
> +CREATE POLICY p1 ON pf_testtab
> +FOR SELECT USING (true);
> ```
>
> If I now take a dump of a database with pageinspect extension created,
> the dump has the following.
>
> ```
>
> --
> -- Name: pageinspect; Type: EXTENSION; Schema: -; Owner:
> --
>
> CREATE EXTENSION IF NOT EXISTS pageinspect WITH SCHEMA public;
>
> --
> -- Name: pf_testtab p1; Type: POLICY; Schema: public; Owner: pavan
> --
>
> CREATE POLICY p1 ON public.pf_testtab FOR SELECT USING (true);
>
> ```
>
> That's a problem. The CREATE POLICY statement fails during restore
> because CREATE EXTENSION already creates the policy.
>
> Are we missing recording dependency on extension for row level
> policies? Or somehow pg_dump should skip dumping those policies?
>

I think we don't support this case as the comment in
checkExtensionMembership() describes:

    /*
     * In 9.6 and above, mark the member object to have any non-initial ACL,
     * policies, and security labels dumped.
     *
     * Note that any initial ACLs (see pg_init_privs) will be removed when we
     * extract the information about the object.  We don't provide support for
     * initial policies and security labels and it seems unlikely for those to
     * ever exist, but we may have to revisit this later.
     *
     * Prior to 9.6, we do not include any extension member components.
     *
     * In binary upgrades, we still dump all components of the members
     * individually, since the idea is to exactly reproduce the database
     * contents rather than replace the extension contents with something
     * different.
     */

Regards,

-- 
Masahiko Sawada            http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services